fix gcpauth and olm for k8s v1.22+

prezha · prezha · commit de9704160288 · 2021-08-24T02:42:22.000+01:00
diff --git a/deploy/addons/gcp-auth/gcp-auth-webhook.yaml.tmpl b/deploy/addons/gcp-auth/gcp-auth-webhook.yaml.tmpl
@@ -0,0 +1,186 @@
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: minikube-gcp-auth-certs
+  namespace: gcp-auth
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: minikube-gcp-auth-certs
+rules:
+  - apiGroups:
+      - ''
+    resources:
+      - secrets
+    verbs:
+      - list
+      - get
+      - create
+  - apiGroups:
+      - admissionregistration.k8s.io
+    resources:
+      - mutatingwebhookconfigurations
+    verbs:
+      - get
+      - update
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: minikube-gcp-auth-certs
+  namespace: metadata
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: minikube-gcp-auth-certs
+subjects:
+  - kind: ServiceAccount
+    name: minikube-gcp-auth-certs
+    namespace: gcp-auth
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: gcp-auth-certs-create
+  namespace: gcp-auth
+spec:
+  template:
+    metadata:
+      name: gcp-auth-certs-create
+    spec:
+      serviceAccountName: minikube-gcp-auth-certs
+      containers:
+        - name: create
+          image: {{.CustomRegistries.KubeWebhookCertgen | default .ImageRepository | default .Registries.KubeWebhookCertgen}}{{.Images.KubeWebhookCertgen}}
+          imagePullPolicy: IfNotPresent
+          args:
+            - create
+            - --host=gcp-auth,gcp-auth.gcp-auth,gcp-auth.gcp-auth.svc
+            - --namespace=gcp-auth
+            - --secret-name=gcp-auth-certs
+      restartPolicy: OnFailure
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: gcp-auth
+  namespace: gcp-auth
+spec:
+  selector:
+    matchLabels:
+      app: gcp-auth
+  template:
+    metadata:
+      labels:
+        app: gcp-auth
+        kubernetes.io/minikube-addons: gcp-auth
+    spec:
+      containers:
+        - name: gcp-auth
+          image: {{.CustomRegistries.GCPAuthWebhook | default .ImageRepository | default .Registries.GCPAuthWebhook}}{{.Images.GCPAuthWebhook}}
+          imagePullPolicy: IfNotPresent
+          ports:
+            - containerPort: 8443
+          volumeMounts:
+          - name: webhook-certs
+            mountPath: /etc/webhook/certs
+            readOnly: true
+          - name: gcp-project
+            mountPath: /var/lib/minikube/google_cloud_project
+            readOnly: true
+      volumes:
+      - name: webhook-certs
+        secret:
+          secretName: gcp-auth-certs
+      - name: gcp-project
+        hostPath:
+          path: /var/lib/minikube/google_cloud_project
+          type: File
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: gcp-auth-certs-patch
+  namespace: gcp-auth
+spec:
+  template:
+    metadata:
+      name: gcp-auth-certs-patch
+    spec:
+      serviceAccountName: minikube-gcp-auth-certs
+      containers:
+        - name: patch
+          image: {{.CustomRegistries.KubeWebhookCertgen | default .ImageRepository | default .Registries.KubeWebhookCertgen}}{{.Images.KubeWebhookCertgen}}
+          imagePullPolicy: IfNotPresent
+          args:
+            - patch
+            - --secret-name=gcp-auth-certs
+            - --namespace=gcp-auth
+            - --patch-validating=false
+            - --webhook-name=gcp-auth-webhook-cfg
+      restartPolicy: OnFailure
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: gcp-auth-webhook-cfg
+  labels:
+    app: gcp-auth
+webhooks:
+- name: gcp-auth-mutate.k8s.io
+  failurePolicy: Ignore
+  objectSelector:
+    matchExpressions:
+      - key: gcp-auth-skip-secret
+        operator: DoesNotExist
+  namespaceSelector:
+    matchExpressions:
+      - key: name
+        operator: NotIn
+        values:
+        - kube-system
+  sideEffects: None
+  admissionReviewVersions: ["v1","v1beta1"]
+  clientConfig:
+    service:
+      name: gcp-auth
+      namespace: gcp-auth
+      path: "/mutate"
+  rules:
+  - operations: ["CREATE"]
+    apiGroups: ["*"]
+    apiVersions: ["*"]
+    resources: ["pods"]
+    scope: "*"
+- name: gcp-auth-mutate-sa.k8s.io
+  failurePolicy: Ignore
+  sideEffects: None
+  admissionReviewVersions: ["v1","v1beta1"]
+  clientConfig:
+    service:
+      name: gcp-auth
+      namespace: gcp-auth
+      path: "/mutate/sa"
+  rules:
+  - operations: ["CREATE"]
+    apiGroups: ["*"]
+    apiVersions: ["*"]
+    resources: ["serviceaccounts"]
+    scope: "*"
