Run vsphere-csi-node DaemonSet pod with hostNetwork true (#1222)
chethanv28 authored Aug 10, 2021
1 parent 98ca466 commit c547988
Showing 7 changed files with 776 additions and 0 deletions.
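--- a/manifests/v2.2.2-rc.1/deploy/create-validation-webhook.sh
+++ b/manifests/v2.2.2-rc.1/deploy/create-validation-webhook.sh
@@ -0,0 +1,56 @@
+#!/bin/bash
+# Copyright 2021 The Kubernetes Authors.
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+set -e
+
+if [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
+cat <<EOF
+Usage: Patch validatingwebhook.yaml with CA_BUNDLE retrieved from Kubernetes API server
+and create ValidatingWebhookConfiguration and vsphere-webhook-svc service using patched yaml file
+usage: ${0} [OPTIONS]
+The following flags are required.
+--namespace Namespace where webhook service and secret reside.
+EOF
+exit 1
+fi
+
+while [[ $# -gt 0 ]]; do
+case ${1} in
+--namespace)
+namespace="$2"
+shift
+;;
+*)
+usage
+;;
+esac
+shift
+done
+
+[ -z "${namespace}" ] && namespace=kube-system
+
+CA_BUNDLE=$(kubectl get configmap -n kube-system extension-apiserver-authentication -o=jsonpath='{.data.client-ca-file}' | base64 | tr -d '\n')
+
+# clean-up previously created service and validatingwebhookconfiguration. Ignore errors if not present.
+
+kubectl delete service vsphere-webhook-svc --namespace "${namespace}" 2>/dev/null || true
+kubectl delete validatingwebhookconfiguration.admissionregistration.k8s.io validation.csi.vsphere.vmware.com --namespace "${namespace}" 2>/dev/null || true
+kubectl delete serviceaccount vsphere-csi-webhook --namespace "${namespace}" 2>/dev/null || true
+kubectl delete clusterrole.rbac.authorization.k8s.io vsphere-csi-webhook-role 2>/dev/null || true
+kubectl delete clusterrolebinding.rbac.authorization.k8s.io vsphere-csi-webhook-role-binding --namespace "${namespace}" 2>/dev/null || true
+kubectl delete deployment vsphere-csi-webhook --namespace "${namespace}" || true
+
+# patch validatingwebhook.yaml with CA_BUNDLE and create service and validatingwebhookconfiguration
+sed "s/caBundle: .*$/caBundle: ${CA_BUNDLE}/g" validatingwebhook.yaml | kubectl apply -f -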
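Review bot: `usage` is called in the `*)` arm of the argument loop but is never defined in this file, so an unrecognised argument aborts with `usage: command not found` under `set -e` instead of printing help; the same undefined call appears in generate-signed-webhook-certs.sh in this commit. Either wrap the `-h` heredoc in a `usage()` function and call it from both places, or replace the arm with `echo "unknown option: $1" >&2; exit 1`. The final `sed` uses `/` as the `s` delimiter while `${CA_BUNDLE}` is base64 output, whose alphabet includes `/`, so any bundle containing that character makes sed fail with "unknown option to `s'"; `sed "s|caBundle: .*$|caBundle: ${CA_BUNDLE}|g"` avoids this. Because `set -e` is used without `pipefail`, a failing `kubectl get configmap` still leaves `CA_BUNDLE` empty and the webhook is applied with a blank caBundle, which together with `failurePolicy: Fail` in validatingwebhook.yaml would likely reject every StorageClass create/update; add `set -o pipefail` and `[ -n "${CA_BUNDLE}" ] || { echo "empty CA bundle" >&2; exit 1; }` before the apply. The clean-up step deletes a `clusterrole` and `clusterrolebinding` named `vsphere-csi-webhook-role*`, whereas validatingwebhook.yaml defines a namespaced Role and RoleBinding of those names, so stale copies of those are never removed here.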
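--- a/manifests/v2.2.2-rc.1/deploy/generate-signed-webhook-certs.sh
+++ b/manifests/v2.2.2-rc.1/deploy/generate-signed-webhook-certs.sh
@@ -0,0 +1,148 @@
+#!/bin/bash
+# Copyright 2021 The Kubernetes Authors.
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# File originally from https://github.com/istio/istio/blob/release-0.7/install/kubernetes/webhook-create-signed-cert.sh
+set -e
+
+if [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
+cat <<EOF
+Usage: Generate certificate suitable for use with an webhook service.
+This script uses k8s' CertificateSigningRequest API to a generate a
+certificate signed by k8s CA suitable for use with sidecar-injector webhook
+services. This requires permissions to create and approve CSR. See
+https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster for
+detailed explanation and additional instructions.
+usage: ${0} [OPTIONS]
+The following flags are required.
+--namespace Namespace where webhook service and secret reside.
+EOF
+exit 1
+fi
+
+while [[ $# -gt 0 ]]; do
+case ${1} in
+--namespace)
+namespace="$2"
+shift
+;;
+*)
+usage
+;;
+esac
+shift
+done
+
+[ -z "${namespace}" ] && namespace=kube-system
+
+service=vsphere-webhook-svc
+secret=vsphere-webhook-certs
+
+
+if [ ! -x "$(command -v openssl)" ]; then
+echo "openssl not found"
+exit 1
+fi
+
+if [ ! -x "$(command -v kubectl)" ]; then
+echo "kubectl not found"
+exit 1
+fi
+
+csrName=${service}.${namespace}
+tmpdir=$(mktemp -d)
+echo "creating certs in tmpdir ${tmpdir} "
+
+cat <<EOF >> "${tmpdir}"/csr.conf
+[req]
+req_extensions = v3_req
+distinguished_name = req_distinguished_name
+[req_distinguished_name]
+[ v3_req ]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+subjectAltName = @alt_names
+[alt_names]
+DNS.1 = ${service}
+DNS.2 = ${service}.${namespace}
+DNS.3 = ${service}.${namespace}.svc
+EOF
+
+openssl genrsa -out "${tmpdir}"/server-key.pem 2048
+openssl req -new -key "${tmpdir}"/server-key.pem -subj "/O=C=US/ST=CA/L=Palo Alto/O=VMware/OU=CNS" -out "${tmpdir}"/server.csr -config "${tmpdir}"/csr.conf
+
+
+# clean-up any previously created CSR for our service. Ignore errors if not present.
+kubectl delete csr ${csrName} 2>/dev/null || true
+
+# create server cert/key CSR and send to k8s API
+cat <<EOF | kubectl create -f -
+apiVersion: certificates.k8s.io/v1beta1
+kind: CertificateSigningRequest
+metadata:
+name: ${csrName}
+spec:
+groups:
+- system:authenticated
+request: $(base64 "${tmpdir}"/server.csr | tr -d '\n')
+usages:
+- digital signature
+- key encipherment
+- server auth
+EOF
+
+# verify CSR has been created
+while true; do
+if kubectl get csr "${csrName}"; then
+break
+fi
+echo "waiting for CertificateSigningRequest: ${csrName} to be available"
+sleep 1
+done
+
+# approve and fetch the signed certificate
+kubectl certificate approve ${csrName}
+# verify certificate has been signed
+for _ in $(seq 10); do
+serverCert=$(kubectl get csr ${csrName} -o jsonpath='{.status.certificate}')
+if [[ ${serverCert} != '' ]]; then
+break
+fi
+echo "waiting for certificate request to complete"
+sleep 1
+done
+if [[ ${serverCert} == '' ]]; then
+echo "ERROR: After approving csr ${csrName}, the signed certificate did not appear on the resource. Giving up after 10 attempts." >&2
+exit 1
+fi
+echo "${serverCert}" | openssl base64 -d -A -out "${tmpdir}"/server-cert.pem
+
+cat <<eof >"${tmpdir}"/webhook.config
+[WebHookConfig]
+port = "8443"
+cert-file = "/etc/webhook/cert.pem"
+key-file = "/etc/webhook/key.pem"
+eof
+
+
+# create the secret with CA cert and server cert/key
+kubectl create secret generic "${secret}" \
+--from-file=key.pem="${tmpdir}"/server-key.pem \
+--from-file=cert.pem="${tmpdir}"/server-cert.pem \
+--from-file=webhook.config="${tmpdir}"/webhook.config \
+--dry-run=client -o yaml |
+kubectl -n "${namespace}" apply -f -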
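Review bot: The webhook's private key is written to `${tmpdir}/server-key.pem` and the directory from `tmpdir=$(mktemp -d)` is never removed, so the key material stays on the operator's machine after the secret is created and on every early-exit path under `set -e`; add `trap 'rm -rf -- "${tmpdir}"' EXIT` directly after the `mktemp` call. The CSR is created with `apiVersion: certificates.k8s.io/v1beta1`, which is removed in Kubernetes 1.22; the v1 API requires a `signerName`, and the built-in signers do not issue `server auth` certificates for an arbitrary service subject, so this script presumably needs a different signing approach on newer clusters — a header comment stating the supported Kubernetes versions would help. The `-subj "/O=C=US/ST=CA/L=Palo Alto/O=VMware/OU=CNS"` passed to `openssl req` looks like a typo: it sets an organisation of `C=US` and repeats `O`, and `/C=US/ST=CA/L=Palo Alto/O=VMware/OU=CNS` is presumably intended. The comment `# create the secret with CA cert and server cert/key` does not match the `kubectl create secret` call, which packs only `key.pem`, `cert.pem` and `webhook.config`; drop "CA cert" from the comment.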
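--- a/manifests/v2.2.2-rc.1/deploy/validatingwebhook.yaml
+++ b/manifests/v2.2.2-rc.1/deploy/validatingwebhook.yaml
@@ -0,0 +1,126 @@
+apiVersion: v1
+kind: Service
+metadata:
+name: vsphere-webhook-svc
+namespace: kube-system
+labels:
+app: vsphere-csi-webhook
+spec:
+ports:
+- port: 443
+targetPort: 8443
+selector:
+app: vsphere-csi-webhook
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+name: validation.csi.vsphere.vmware.com
+webhooks:
+- name: validation.csi.vsphere.vmware.com
+clientConfig:
+service:
+name: vsphere-webhook-svc
+namespace: kube-system
+path: "/validate"
+caBundle: ${CA_BUNDLE}
+rules:
+- apiGroups: ["storage.k8s.io"]
+apiVersions: ["v1", "v1beta1"]
+operations: ["CREATE", "UPDATE"]
+resources: ["storageclasses"]
+sideEffects: None
+admissionReviewVersions: ["v1"]
+failurePolicy: Fail
+---
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+name: vsphere-csi-webhook
+namespace: kube-system
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+name: vsphere-csi-webhook-role
+namespace: kube-system
+rules:
+- apiGroups: [""]
+resources: ["configmaps"]
+verbs: ["get", "list", "watch"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+name: vsphere-csi-webhook-role-binding
+namespace: kube-system
+subjects:
+- kind: ServiceAccount
+name: vsphere-csi-webhook
+namespace: kube-system
+roleRef:
+kind: Role
+name: vsphere-csi-webhook-role
+apiGroup: rbac.authorization.k8s.io
+---
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+name: vsphere-csi-webhook
+namespace: kube-system
+spec:
+replicas: 1
+selector:
+matchLabels:
+app: vsphere-csi-webhook
+template:
+metadata:
+labels:
+app: vsphere-csi-webhook
+role: vsphere-csi-webhook
+spec:
+serviceAccountName: vsphere-csi-webhook
+nodeSelector:
+node-role.kubernetes.io/master: ""
+tolerations:
+- key: node-role.kubernetes.io/master
+operator: Exists
+effect: NoSchedule
+# uncomment below toleration if you need an aggressive pod eviction in case when
+# node becomes not-ready or unreachable. Default is 300 seconds if not specified.
+#- key: node.kubernetes.io/not-ready
+# operator: Exists
+# effect: NoExecute
+# tolerationSeconds: 30
+#- key: node.kubernetes.io/unreachable
+# operator: Exists
+# effect: NoExecute
+# tolerationSeconds: 30
+dnsPolicy: "Default"
+containers:
+- name: vsphere-webhook
+image: gcr.io/cloud-provider-vsphere/csi/release/syncer:v2.2.2-rc.1
+args:
+- "--operation-mode=WEBHOOK_SERVER"
+- "--fss-name=internal-feature-states.csi.vsphere.vmware.com"
+- "--fss-namespace=$(CSI_NAMESPACE)"
+imagePullPolicy: "Always"
+env:
+- name: WEBHOOK_CONFIG_PATH
+value: "/etc/webhook/webhook.config"
+- name: LOGGER_LEVEL
+value: "PRODUCTION" # Options: DEVELOPMENT, PRODUCTION
+- name: CSI_NAMESPACE
+valueFrom:
+fieldRef:
+fieldPath: metadata.namespace
+volumeMounts:
+- mountPath: /etc/webhook
+name: webhook-certs
+readOnly: true
+volumes:
+- name: socket-dir
+emptyDir: {}
+- name: webhook-certs
+secret:
+secretName: vsphere-webhook-certs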
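Review bot: The Deployment declares a `socket-dir` emptyDir volume that no container mounts — the only `volumeMounts` entry is `webhook-certs` — so the `- name: socket-dir` / `emptyDir: {}` pair is dead configuration and can be dropped. The Service and the webhook `clientConfig.service` hard-code `namespace: kube-system`, while both deploy scripts in this commit accept `--namespace`; with any other value the secret lands in one namespace and the Service/webhook in another, so either document that only kube-system is supported or make the namespace a substituted placeholder like `caBundle`. The webhook container carries no `securityContext`; for a pod that only serves TLS on 8443 from a read-only secret mount, `runAsNonRoot: true`, `readOnlyRootFilesystem: true` and `allowPrivilegeEscalation: false` would be reasonable least-privilege defaults if the image supports them. With `replicas: 1` pinned to master nodes and `failurePolicy: Fail`, every StorageClass create/update is rejected while the single pod is unavailable; a comment next to `failurePolicy` stating that this trade-off is intentional would help operators.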