fix: README.md, gen_cert.sh, deployment.yaml (#35)

PokIsemaine · web-flow · commit 5f56a68d5036 · 2023-02-10T20:18:09.000+08:00
* fix: README.md, gen_cert.sh, deployment.yaml

* fix: README.md, gen_cert.sh, deployment.yaml

* fix: README.md, gen_cert.sh, deployment.yaml
diff --git a/README.md b/README.md
@@ -33,16 +33,26 @@ Before proceeding, make sure to have the following-
 ```
 ./gen_cert.sh
 ```
+- Export environment variable `CA_BUNDLE`
+```
+export CA_BUNDLE=$(cat certs/ca.crt | base64 | tr -d '\n')
+```
+- Use `envsubst` to pass environment variables to `deployment.yaml.template`, generating `deployment.yaml`
+```
+cat manifests/deployment.yaml.template | envsubst > manifests/deployment.yaml
+```
+
+
 - Build the docker image from the [Dockerfile](https://github.com/casbin/k8s-authz/blob/master/Dockerfile) manually by running the following command and then change the build version here and at the deployment [file](https://github.com/casbin/k8s-authz/blob/718f58c46e3dbf79063b5b1c18348c2fee5de9e9/manifests/deployment.yaml#L18), as per the builds. 
 ```
- docker build -t casbin/k8s_authz:0.1 .
+docker build -t casbin/k8s_authz:latest .
 ```
 - Define the casbin policies in the [model.conf](https://github.com/casbin/k8s-authz/blob/master/config/model.conf) and [policy.csv](https://github.com/casbin/k8s-authz/blob/master/config/policy.csv). You can refer the [docs](https://casbin.org/docs/how-it-works) to get to know more about the working of these policies.
 
 - Before deploying, you can change the ports in [main.go](https://github.com/casbin/k8s-authz/blob/master/main.go) and also in the validation webhook configuration [file](https://github.com/casbin/k8s-authz/blob/master/manifests/deployment.yaml) depending on your usage.
 - Deploy the validation controller and the webhook on k8s cluster by running:-
 ```
-kubectl apply -f deployment.yaml
+kubectl apply -f manifests/deployment.yaml
 ```
 - For a production server, we need to create a k8s `secret` to place the certificates for security purposes. 
 ```
diff --git a/gen_cert.sh b/gen_cert.sh
@@ -12,7 +12,4 @@ openssl genrsa -out certs/casbin-key.pem 2048
 
 openssl req -new -key certs/casbin-key.pem -subj "/CN=casbin.default.svc" -out casbin.csr 
 
-openssl x509 -req -in casbin.csr -CA certs/ca.crt -CAkey certs/ca.key -CAcreateserial -out certs/casbin-crt.pem
-
-export CA_BUNDLE=$(cat certs/ca.crt | base64 | tr -d '\n')
-cat deployment.yaml | envsubst > deployment.yaml 
+openssl x509 -req -in casbin.csr -CA certs/ca.crt -CAkey certs/ca.key -CAcreateserial -out certs/casbin-crt.pem
diff --git a/manifests/deployment.yaml.template b/manifests/deployment.yaml.template
@@ -48,17 +48,17 @@ spec:
     port: 443
     targetPort: 8080
   selector:
-    name: casbin 
+    name: casbin
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   name: casbin
 webhooks:
-  - name: casbin.org
+  - name: webhook.casbin.org
     clientConfig:
       service:
-        name: server
+        name: casbin
         namespace: default
         path: "/validate"
       caBundle: "${CA_BUNDLE}"
@@ -68,3 +68,5 @@ webhooks:
         apiVersions: ["v1"]
         resources: ["*/*"]
     failurePolicy: Fail
+    admissionReviewVersions: ["v1"]
+    sideEffects: None
