No more deployments in friday

Author: Razikus

itsfriday/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

itsfriday/Chart.yaml

@@ -0,0 +1,24 @@
+apiVersion: v2
+name: itsfriday
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.16.0"

itsfriday/templates/NOTES.txt

@@ -0,0 +1 @@
+ITS FRIDAY ENABLED - NO MORE DEPLOYMENTS IN FRIDAY!

itsfriday/templates/_helpers.tpl

@@ -0,0 +1,84 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "itsfriday.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+
+{{- define "k8s-version-minor" -}}
+{{- trimSuffix "." (trimPrefix "v1." (regexFind "v\\d\\.\\d{1,2}\\." .Capabilities.KubeVersion.Version)) -}}
+{{- end -}}
+
+
+{{- define "getInstalledTLSCert" -}}
+{{- $data := (lookup "v1" "Secret" .Release.Namespace (printf "%s-tls" .Chart.Name)).data -}}
+{{- if $data -}}
+    {{ get $data "tls.crt" }}
+{{- end -}}
+{{- end -}}
+
+{{- define "getInstalledTLSKey" -}}
+{{- $data := (lookup "v1" "Secret" .Release.Namespace (printf "%s-tls" .Chart.Name)).data -}}
+{{- if $data -}}
+    {{ get $data "tls.key" }}
+{{- end -}}
+{{- end -}}
+
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "itsfriday.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "itsfriday.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+
+{{/*
+Common labels
+*/}}
+{{- define "itsfriday.labels" -}}
+helm.sh/chart: {{ include "itsfriday.chart" . }}
+{{ include "itsfriday.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "itsfriday.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "itsfriday.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "itsfriday.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "itsfriday.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}

itsfriday/templates/certwebhook.yaml

@@ -0,0 +1,104 @@
+{{- $k8sMinor := (include "k8s-version-minor" .) -}}
+{{- $altNames := list -}}
+{{- $altNames = append $altNames (printf "%s-svc" .Chart.Name) -}}
+{{- $altNames = append $altNames (printf "%s-svc.%s" .Chart.Name .Release.Namespace) -}}
+{{- $altNames = append $altNames (printf "%s-svc.%s.svc" .Chart.Name .Release.Namespace) -}}
+{{- $altNames = append $altNames (printf "%s-svc.%s.svc.cluster.local" .Chart.Name .Release.Namespace) -}}
+{{- $certs := genSelfSignedCert (printf "%s-svc.%s.svc" .Chart.Name .Release.Namespace) nil $altNames 36500 -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Chart.Name }}-tls
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "itsfriday.labels" . | nindent 4 }}
+type: Opaque
+data:
+  tls.crt: {{ default ($certs.Cert | b64enc) (include "getInstalledTLSCert" .) }}
+  tls.key: {{ default ($certs.Key | b64enc) (include "getInstalledTLSKey" .) }}
+---
+{{ if lt ($k8sMinor | int) 17 }}
+apiVersion: admissionregistration.k8s.io/v1beta1
+{{ else }}
+apiVersion: admissionregistration.k8s.io/v1
+{{ end }}
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: {{ .Chart.Name }}-webhook
+  labels:
+    {{- include "itsfriday.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": post-delete
+    "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed
+webhooks:
+  - name: {{ .Chart.Name }}-svc.{{ .Release.Namespace }}.svc
+    failurePolicy: Ignore
+    clientConfig:
+      service:
+        name: {{ .Chart.Name }}-svc
+        namespace: {{ .Release.Namespace }}
+        path: /validate
+      caBundle: {{ default ($certs.Cert | b64enc) (include "getInstalledTLSCert" .) }}
+    rules: []
+    sideEffects: None
+    {{- if lt ($k8sMinor | int) 17 }}
+    admissionReviewVersions: ["v1beta1"]
+    {{- else }}
+    admissionReviewVersions: ["v1"]
+    {{- end }}
+---
+{{ if lt ($k8sMinor | int) 17 -}}
+apiVersion: admissionregistration.k8s.io/v1beta1
+{{ else -}}
+apiVersion: admissionregistration.k8s.io/v1
+{{ end -}}
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: {{ .Chart.Name }}-webhook
+  labels:
+    {{- include "itsfriday.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": post-install, post-upgrade, post-rollback
+webhooks:
+  - name: {{ .Chart.Name }}-svc.{{ .Release.Namespace }}.svc
+    failurePolicy: {{ .Values.failurePolicy | default "Fail" }}
+    clientConfig:
+      service:
+        name: {{ .Chart.Name }}-svc
+        namespace: {{ .Release.Namespace }}
+        path: /validate
+      caBundle: {{ default ($certs.Cert | b64enc) (include "getInstalledTLSCert" .) }}
+    rules:
+      - operations: ["CREATE", "UPDATE"]
+        apiGroups: ["*"]
+        apiVersions: ["*"]
+        resources: ["pods", "deployments", "replicationcontrollers", "replicasets", "daemonsets", "statefulsets", "jobs", "cronjobs"]
+    sideEffects: None
+    {{- if gt ($k8sMinor | int) 13 }}
+    timeoutSeconds: 30
+    {{- end }}
+    {{- if lt ($k8sMinor | int) 17 }}
+    admissionReviewVersions: ["v1beta1"]
+    {{- else }}
+    admissionReviewVersions: ["v1"]
+    {{- end }}
+    {{- if .Values.namespacedValidation }}
+    {{- if .Values.namespacedValidation.enabled }}
+    namespaceSelector:
+      matchExpressions:
+      - key: itsfriday/webhookenabled
+    {{- if not .Values.onlyMarkedNamespaces.mode}}
+        operator: NotIn
+        values:
+          - ignore
+    {{- else if eq .Values.onlyMarkedNamespaces.mode "ignore"}}
+        operator: NotIn
+        values:
+          - ignore
+    {{- else if eq .Values.onlyMarkedNamespaces.mode "validate"}}
+        operator: In
+        values:
+          - validate
+   {{- end }}
+   {{- end }}
+   {{- end }}

itsfriday/templates/deployment.yaml

@@ -0,0 +1,56 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    {{- include "itsfriday.labels" . | nindent 4 }}
+  name: {{ .Chart.Name }}-deployment
+  namespace: "{{$.Release.Namespace}}"
+spec:
+  replicas: {{ .Values.replicasCount }}
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: {{ include "itsfriday.name" . }}
+      app.kubernetes.io/instance: {{ .Chart.Name }}
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: {{ include "itsfriday.name" . }}
+        app.kubernetes.io/instance: {{ .Chart.Name }}
+    spec:
+      serviceAccountName: {{ .Chart.Name }}-serviceaccount
+      containers:
+        - env:
+            - name: APP_POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+          image: {{$.Values.images.itsfriday }}
+          livenessProbe:
+            httpGet:
+              path: /health
+              port: 443
+              scheme: HTTPS
+            initialDelaySeconds: 3
+            periodSeconds: 5
+          readinessProbe:
+            httpGet:
+              path: /ready
+              port: 443
+              scheme: HTTPS
+            initialDelaySeconds: 2
+            periodSeconds: 5
+          imagePullPolicy: Always
+          name: {{ .Chart.Name }}
+          resources: {}
+          volumeMounts:
+            - name: {{ .Chart.Name }}-certs
+              mountPath: /app/certs
+              readOnly: true
+      restartPolicy: Always
+      volumes:
+        - name: {{ .Chart.Name }}-certs
+          secret:
+            secretName: {{ .Chart.Name }}-tls
+status: {}

itsfriday/templates/service.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ .Chart.Name }}-svc
+  namespace: "{{$.Release.Namespace}}"
+spec:
+  ports:
+  - name: https
+    port: {{ .Values.service.port }}
+    protocol: TCP
+    targetPort: 443
+  selector:
+    app.kubernetes.io/name: {{ include "itsfriday.name" . }}
+    app.kubernetes.io/instance: {{ .Chart.Name }}

itsfriday/templates/serviceaccount.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Chart.Name }}-serviceaccount
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "itsfriday.name" . }}
+    app.kubernetes.io/instance: {{ .Chart.Name }}

itsfriday/values.yaml

@@ -0,0 +1,11 @@
+failurePolicy: "Fail"
+onlyMarkedNamespaces: # Only namespaces with itsfriday/webhookenabled label set to validate would be checked
+  enabled: false
+  mode: "validate" # validate or ignore
+                   # if validate - only namespaces with itsfriday/webhookenabled=validate would be checked
+                   # if ingnore - only namespaces with itsfriday/webhookenabled=ignore would be ignored
+replicasCount: 3
+images:
+  itsfriday: razikus/its-friday-k8s-admission-controller:1.0.0
+service:
+  port: 443

source/Dockerfile

@@ -0,0 +1,9 @@
+FROM python:3.11
+COPY requirements.txt /requirements.txt
+RUN pip3 install -r /requirements.txt
+RUN mkdir /certs
+COPY app /app/app
+
+WORKDIR /app
+
+ENTRYPOINT ["uvicorn", "app.main:app", "--host", "0.0.0.0", "--ssl-keyfile", "/app/certs/tls.key", "--ssl-certfile", "/app/certs/tls.crt", "--port", "443"]