Add Admission webhook to lokomotive

Makefile

@@ -8,6 +8,8 @@ DOCS_DIR ?= docs/cli
 
 ALL_BUILD_TAGS := "aws,packet,aks,e2e,baremetal,disruptivee2e,poste2e"
 
+ADMISSION_WEBHOOK_SERVER := "quay.io/kinvolk/lokomotive-admission-webhook-server"
+
 ## Adds a '-dirty' suffix to version string if there are uncommitted changes
 changes := $(shell git status --porcelain)
 ifeq ($(changes),)
@@ -160,3 +162,15 @@ codespell: CODESPELL_BIN := codespell
 codespell:
 	which $(CODESPELL_BIN) >/dev/null 2>&1 || (echo "$(CODESPELL_BIN) binary not found, skipping spell checking"; exit 0)
 	$(CODESPELL_BIN) --skip $(CODESPELL_SKIP) --ignore-words .codespell.ignorewords --check-filenames --check-hidden
+
+.PHONY: build-webhook
+build-webhook:
+	CGO_ENABLED=0 GO111MODULE=on go build \
+		-o=admission-webhook-server \
+		-mod=$(MOD) \
+		-ldflags $(LDFLAGS) \
+		./cmd/admission-webhook-server
+
+.PHONY: docker-build-webhook
+docker-build-webhook:
+	docker build -f cmd/admission-webhook-server/Dockerfile -t $(ADMISSION_WEBHOOK_SERVER) .

assets/lokomotive-kubernetes/aws/flatcar-linux/kubernetes/cl/controller.yaml.tmpl

@@ -156,7 +156,7 @@ storage:
             --volume bootstrap,kind=host,source=/etc/kubernetes \
             --mount volume=bootstrap,target=/etc/kubernetes \
             $${RKT_OPTS} \
-            docker://quay.io/kinvolk/bootkube:v0.14.0-helm-7047a87-amd64 \
+            docker://quay.io/kinvolk/bootkube:v0.14.0-helm-ec64535-amd64 \
             --insecure-options=image \
             --net=host \
             --dns=host \

assets/lokomotive-kubernetes/aws/flatcar-linux/kubernetes/outputs.tf

@@ -62,3 +62,7 @@ output "kubelet_values" {
 output "calico_values" {
   value = module.bootkube.calico_values
 }
+
+output "lokomotive_values" {
+  value = module.bootkube.lokomotive_values
+}

assets/lokomotive-kubernetes/azure/flatcar-linux/kubernetes/cl/controller.yaml.tmpl

@@ -156,7 +156,7 @@ storage:
             --volume bootstrap,kind=host,source=/etc/kubernetes \
             --mount volume=bootstrap,target=/etc/kubernetes \
             $${RKT_OPTS} \
-            docker://quay.io/kinvolk/bootkube:v0.14.0-helm-7047a87-amd64 \
+            docker://quay.io/kinvolk/bootkube:v0.14.0-helm-ec64535-amd64 \
             --insecure-options=image \
             --net=host \
             --dns=host \

assets/lokomotive-kubernetes/azure/flatcar-linux/kubernetes/outputs.tf

@@ -74,3 +74,7 @@ output "kubelet_values" {
 output "calico_values" {
   value = module.bootkube.calico_values
 }
+
+output "lokomotive_values" {
+  value = module.bootkube.lokomotive_values
+}

assets/lokomotive-kubernetes/bare-metal/flatcar-linux/kubernetes/cl/controller.yaml.tmpl

@@ -171,7 +171,7 @@ storage:
             --volume bootstrap,kind=host,source=/etc/kubernetes \
             --mount volume=bootstrap,target=/etc/kubernetes \
             $${RKT_OPTS} \
-            docker://quay.io/kinvolk/bootkube:v0.14.0-helm-7047a87-amd64 \
+            docker://quay.io/kinvolk/bootkube:v0.14.0-helm-ec64535-amd64 \
             --insecure-options=image \
             --net=host \
             --dns=host \

assets/lokomotive-kubernetes/bare-metal/flatcar-linux/kubernetes/outputs.tf

@@ -22,3 +22,7 @@ output "kubelet_values" {
 output "calico_values" {
   value = module.bootkube.calico_values
 }
+
+output "lokomotive_values" {
+  value = module.bootkube.lokomotive_values
+}

assets/lokomotive-kubernetes/bootkube/assets.tf

@@ -68,7 +68,7 @@ resource "template_dir" "kubernetes" {
 # Populate kubernetes chart values file named kubernetes.yaml.
 resource "local_file" "kubernetes" {
   filename = "${var.asset_dir}/charts/kube-system/kubernetes.yaml"
-  content  = templatefile("${path.module}/resources/charts/kubernetes.yaml", {
+  content = templatefile("${path.module}/resources/charts/kubernetes.yaml", {
     kube_controller_manager_image = var.container_images["kube_controller_manager"]
     kube_scheduler_image          = var.container_images["kube_scheduler"]
     kube_proxy_image              = var.container_images["kube_proxy"]
@@ -172,3 +172,9 @@ data "template_file" "kubeconfig-admin" {
     server       = format("https://%s:%s", local.api_servers_external[0], var.external_apiserver_port)
   }
 }
+
+# Add Lokomotive chart.
+resource "template_dir" "lokomotive" {
+  source_dir      = "${replace(path.module, path.cwd, ".")}/resources/charts/lokomotive"
+  destination_dir = "${var.asset_dir}/charts/lokomotive-system/lokomotive"
+}

assets/lokomotive-kubernetes/bootkube/outputs.tf

@@ -86,3 +86,7 @@ output "kubelet_values" {
 output "calico_values" {
   value = join("", local_file.calico.*.content)
 }
+
+output "lokomotive_values" {
+  value = join("", local_file.lokomotive.*.content)
+}

assets/lokomotive-kubernetes/bootkube/resources/charts/lokomotive.yaml

@@ -0,0 +1,3 @@
+webhook:
+  servingKey: ${serving_key}
+  servingCert: ${serving_cert}

assets/lokomotive-kubernetes/bootkube/resources/charts/lokomotive/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

assets/lokomotive-kubernetes/bootkube/resources/charts/lokomotive/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v2
+name: lokomotive
+description: A Helm chart providing Lokomotive-specific system workloads like admission webhook server.
+type: application
+
+version: 0.1.0

assets/lokomotive-kubernetes/bootkube/resources/charts/lokomotive/templates/00-common.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: admission-webhook-server
+automountServiceAccountToken: false

assets/lokomotive-kubernetes/bootkube/resources/charts/lokomotive/templates/01-secrets.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: admission-webhook-server
+type: Opaque
+data:
+  key.pem: "{{ .Values.webhook.servingKey }}"
+  cert.pem: "{{ .Values.webhook.servingCert }}"

assets/lokomotive-kubernetes/bootkube/resources/charts/lokomotive/templates/02-service.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: admission-webhook-server
+  labels:
+    k8s-app: admission-webhook-server
+spec:
+  ports:
+    - port: 443
+      targetPort: 8080
+      name: admission-webhook-server
+  selector:
+    k8s-app: admission-webhook-server

assets/lokomotive-kubernetes/bootkube/resources/charts/lokomotive/templates/03-deployment.yaml

@@ -0,0 +1,48 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: admission-webhook-server
+  labels:
+    k8s-app: admission-webhook-server
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      k8s-app: admission-webhook-server
+  template:
+    metadata:
+      labels:
+        k8s-app: admission-webhook-server
+    spec:
+      tolerations:
+        - key: node-role.kubernetes.io/master
+          effect: NoSchedule
+      containers:
+        - name: admission-webhook-server
+          securityContext:
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 65534
+            runAsGroup: 65534
+          image: "quay.io/kinvolk/lokomotive-admission-webhook-server:v0.1.0"
+          imagePullPolicy: IfNotPresent
+          args:
+            - -logtostderr=true
+            - -stderrthreshold=WARNING
+            - -v=2
+          volumeMounts:
+            - name: admission-webhook-server
+              mountPath: /etc/certs
+              readOnly: true
+          resources:
+            limits:
+              cpu: 300m
+              memory: 50Mi
+            requests:
+              cpu: 300m
+              memory: 50Mi
+      serviceAccountName: admission-webhook-server
+      volumes:
+        - name: admission-webhook-server
+          secret:
+            secretName: admission-webhook-server

assets/lokomotive-kubernetes/bootkube/resources/charts/lokomotive/templates/04-mutating-webhook.yaml

@@ -0,0 +1,22 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: admission-webhook-server
+  labels:
+    k8s-app: admission-webhook-server
+webhooks:
+  - name: mutating.kinvolk.io
+    clientConfig:
+      caBundle: "{{ .Values.webhook.servingCert }}"
+      service:
+        name: admission-webhook-server
+        namespace: lokomotive-system
+        path: /mutate
+    rules:
+      - operations: ["CREATE"]
+        apiGroups: [""]
+        apiVersions: ["v1"]
+        resources: ["serviceaccounts"]
+    sideEffects: None
+    failurePolicy: Ignore
+    admissionReviewVersions: ["v1"]

assets/lokomotive-kubernetes/bootkube/resources/charts/lokomotive/values.yaml

@@ -0,0 +1,3 @@
+webhook:
+  servingKey:
+  servingCert:

assets/lokomotive-kubernetes/bootkube/tls-admission-webhook.tf

@@ -0,0 +1,46 @@
+resource "tls_private_key" "admission-webhook-server" {
+  algorithm = "RSA"
+  rsa_bits  = "2048"
+}
+
+resource "tls_cert_request" "admission-webhook-server" {
+  key_algorithm   = tls_private_key.admission-webhook-server.algorithm
+  private_key_pem = tls_private_key.admission-webhook-server.private_key_pem
+
+  subject {
+    common_name  = "admission-webhook-server"
+    organization = "kinvolk"
+  }
+
+  dns_names = [
+    "admission-webhook-server",
+    "admission-webhook-server.lokomotive-system",
+    "admission-webhook-server.lokomotive-system.svc",
+    "admission-webhook-server.lokomotive-system.svc.cluster",
+    "admission-webhook-server.lokomotive-system.svc.cluster.local",
+  ]
+}
+
+resource "tls_locally_signed_cert" "admission-webhook-server" {
+  cert_request_pem = tls_cert_request.admission-webhook-server.cert_request_pem
+
+  ca_key_algorithm   = tls_self_signed_cert.kube-ca.key_algorithm
+  ca_private_key_pem = tls_private_key.kube-ca.private_key_pem
+  ca_cert_pem        = tls_self_signed_cert.kube-ca.cert_pem
+
+  validity_period_hours = var.certs_validity_period_hours
+
+  allowed_uses = [
+    "key_encipherment",
+    "digital_signature",
+    "server_auth",
+  ]
+}
+
+resource "local_file" "lokomotive" {
+  filename = "${var.asset_dir}/charts/lokomotive-system/lokomotive.yaml"
+  content = templatefile("${path.module}/resources/charts/lokomotive.yaml", {
+    serving_key  = base64encode(tls_private_key.admission-webhook-server.private_key_pem)
+    serving_cert = base64encode(tls_locally_signed_cert.admission-webhook-server.cert_pem)
+  })
+}

assets/lokomotive-kubernetes/bootkube/variables.tf

@@ -28,8 +28,8 @@ variable "etcd_servers" {
 
 variable "etcd_endpoints" {
   description = "List of Private IPv4 addresses of the controller nodes running etcd."
-  type = list(string)
-  default = []
+  type        = list(string)
+  default     = []
 }
 
 variable "asset_dir" {

assets/lokomotive-kubernetes/google-cloud/flatcar-linux/kubernetes/cl/controller.yaml.tmpl

@@ -157,7 +157,7 @@ storage:
             --volume bootstrap,kind=host,source=/etc/kubernetes \
             --mount volume=bootstrap,target=/etc/kubernetes \
             $${RKT_OPTS} \
-            docker://quay.io/kinvolk/bootkube:v0.14.0-helm-7047a87-amd64 \
+            docker://quay.io/kinvolk/bootkube:v0.14.0-helm-ec64535-amd64 \
             --insecure-options=image \
             --net=host \
             --dns=host \

assets/lokomotive-kubernetes/google-cloud/flatcar-linux/kubernetes/outputs.tf

@@ -62,3 +62,7 @@ output "kubelet_values" {
 output "calico_values" {
   value = module.bootkube.calico_values
 }
+
+output "lokomotive_values" {
+  value = module.bootkube.lokomotive_values
+}

assets/lokomotive-kubernetes/kvm-libvirt/flatcar-linux/kubernetes/cl/controller.yaml.tmpl

@@ -167,7 +167,7 @@ storage:
             --volume bootstrap,kind=host,source=/etc/kubernetes \
             --mount volume=bootstrap,target=/etc/kubernetes \
             $${RKT_OPTS} \
-            docker://quay.io/kinvolk/bootkube:v0.14.0-helm-7047a87-amd64 \
+            docker://quay.io/kinvolk/bootkube:v0.14.0-helm-ec64535-amd64 \
             --insecure-options=image \
             --net=host \
             --dns=host \

assets/lokomotive-kubernetes/kvm-libvirt/flatcar-linux/kubernetes/outputs.tf

@@ -46,3 +46,7 @@ output "kubelet_values" {
 output "calico_values" {
   value = module.bootkube.calico_values
 }
+
+output "lokomotive_values" {
+  value = module.bootkube.lokomotive_values
+}

assets/lokomotive-kubernetes/packet/flatcar-linux/kubernetes/cl/controller.yaml.tmpl

@@ -206,7 +206,7 @@ storage:
             --volume bootstrap,kind=host,source=/etc/kubernetes \
             --mount volume=bootstrap,target=/etc/kubernetes \
             $${RKT_OPTS} \
-            docker://quay.io/kinvolk/bootkube:v0.14.0-helm-7047a87-${os_arch} \
+            docker://quay.io/kinvolk/bootkube:v0.14.0-helm-ec64535-${os_arch} \
             --insecure-options=image \
             --net=host \
             --dns=host \

assets/lokomotive-kubernetes/packet/flatcar-linux/kubernetes/outputs.tf

@@ -27,6 +27,10 @@ output "calico_values" {
   value = module.bootkube.calico_values
 }
 
+output "lokomotive_values" {
+  value = module.bootkube.lokomotive_values
+}
+
 # Dummy output used to create dependencies only
 # Not guaranteed that won't change
 output "device_ids" {

cli/cmd/cluster-apply.go

@@ -106,14 +106,28 @@ func runClusterApply(cmd *cobra.Command, args []string) {
 			ex:         *ex,
 		}
 
-		releases := []string{"pod-checkpointer", "kube-apiserver", "kubernetes", "calico"}
+		releases := []struct {
+			Namespace string
+			Component []string
+		}{
+			{
+				Namespace: "kube-system",
+				Component: []string{"pod-checkpointer", "kube-apiserver", "kubernetes", "calico"},
+			},
+			{
+				Namespace: "lokomotive-system",
+				Component: []string{"lokomotive"},
+			},
+		}
 
 		if upgradeKubelets {
-			releases = append(releases, "kubelet")
+			releases[0].Component = append(releases[0].Component, "kubelet")
 		}
 
-		for _, c := range releases {
-			cu.upgradeComponent(c)
+		for _, val := range releases {
+			for _, component := range val.Component {
+				cu.upgradeComponent(component, val.Namespace)
+			}
 		}
 	}