diff --git a/cmd/deploy.go b/cmd/deploy.go
index 6b01988..3020e31 100644
--- a/cmd/deploy.go
+++ b/cmd/deploy.go
@@ -17,10 +17,6 @@ import (
 "go.uber.org/zap"
 )
-func init() {
- rootCmd.AddCommand(deoplyCmd)
-}
-
 //go:embed deploy.yaml
 var template string
@@ -54,7 +50,7 @@ var deoplyCmd = &cobra.Command{
 Type: "CERTIFICATE",
 Bytes: cert,
 })))
- template = strings.ReplaceAll(template, "KEY", base64.StdEncoding.EncodeToString(pem.EncodeToMemory(&pem.Block{
+ template = strings.ReplaceAll(template, "KEY_PEM", base64.StdEncoding.EncodeToString(pem.EncodeToMemory(&pem.Block{
 Type: "RSA PRIVATE KEY",
 Bytes: x509.MarshalPKCS1PrivateKey(key),
 })))
diff --git a/cmd/deploy.yaml b/cmd/deploy.yaml
index 347332a..07ac0c8 100644
--- a/cmd/deploy.yaml
+++ b/cmd/deploy.yaml
@@ -17,7 +17,7 @@ spec:
 spec:
 containers:
 - name: APP
- image: gitlab.yoshino-s.xyz/yoshino-s/cilium-envoy-hook:latest
+ image: registry.yoshino-s.xyz/yoshino-s/cilium-envoy-hook:latest
 imagePullPolicy: Always
 args:
 - --tls-cert-file-path=/etc/webhook/certs/cert.pem
diff --git a/deploy.yml b/deploy.yml
new file mode 100644
index 0000000..969762f
--- /dev/null
+++ b/deploy.yml
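Review bot: In `cmd/deploy.go` (hunk `@@ -54,7 +50,7 @@`) the placeholders are still filled with whole-string `strings.ReplaceAll`, so a token is also rewritten when it happens to occur inside a value substituted earlier. `KEY_PEM` cannot appear in standard base64 because of the underscore, but a purely alphanumeric token such as the `APP` seen in `cmd/deploy.yaml` can, if it is substituted after the certificate and key; that order is outside this hunk and needs confirming. Substituting the names before the base64 values, or rendering the manifest with `text/template` fields, removes the dependence on order. The enclosing `deoplyCmd` literal starts and ends outside the hunk.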
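Review bot: In `cmd/deploy.yaml` the new `image:` line still pulls the mutable `latest` tag with `imagePullPolicy: Always`, so each pod restart can run a different, unreviewed build of the admission webhook. Pinning to a release tag plus digest, `image: registry.yoshino-s.xyz/yoshino-s/cilium-envoy-hook:<TAG>@sha256:<DIGEST>` (placeholders), makes the deployed code reproducible and auditable. The Deployment spec continues outside the hunk.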
@@ -0,0 +1,89 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: default
+ namespace: default
+ labels:
+ app: default
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: default
+ template:
+ metadata:
+ labels:
+ app: default
+ spec:
+ containers:
+ - name: default
+ image: gitlab.yoshino-s.xyz/yoshino-s/cilium-envoy-hook:latest
+ imagePullPolicy: Always
+ args:
+ - --tls-cert-file-path=/etc/webhook/certs/cert.pem
+ - --tls-key-file-path=/etc/webhook/certs/key.pem
+ ports:
+ - name: http
+ containerPort: 8080
+ protocol: TCP
+ volumeMounts:
+ - name: webhook-certs
+ mountPath: /etc/webhook/certs
+ readOnly: true
+ volumes:
+ - name: webhook-certs
+ secret:
+ secretName: default-certs
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: default
+ namespace: default
+ labels:
+ app: default
+spec:
+ ports:
+ - name: http
+ port: 443
+ targetPort: 8080
+ - name: metrics
+ port: 8081
+ targetPort: 8081
+ selector:
+ app: default
+---
+# File autogenerated by ./scripts/gen-certs.sh
+apiVersion: v1
+data:
+ cert.pem: 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
+ key.pem: 
LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBeHM0TXNHNUc3RTdWMWNHZWRRNE9sQXN5N1hBZ25QMzE3V2oxMjQrNE56UWxQQ3dMCllkTHhSKzBOOS84eFcwQnR0YXBUOU1jNTgzbkpYUkxxb0I1SCtRamo3NVovbk9hVWU3TVREb0dZMVhPZFkrTHAKRFR0TU0vYitsdk1aZzl4NWNhbUluUzVpSW1hYjRXVURHZUQvNHpmVk8wTFJzSEpTZEUyN1orMFFMSFU4SkVMMQpUbUk5d25Yb0tvTEtQNllNU2ZhWllNV3M3ZjY0NHdCSG5OOWx0TEgxbStEa3hQNFNlRjI3cDd5UXhkNDB5ODhuCjZUYzNXM0lmMWhRclFoRXJtVmkwRWYxQXhWQ1V3NkJNV2kwVlIxaGxtZ2lIZkR3Qnk1aDJCa2ExNWxlNE1BeXMKWVp1Q28yb0lQWXl1NWVaWmpjUFhPSE9UQ2lMSS8yRGhnWFFZVHdJREFRQUJBb0lCQUV2SGZQUy9oRTlOR1p0YQpLMkZwRTB1QkhVOStYeUFZZWVhZURLRTlualdFcmZES3hTZnJ0VWI2YUVtd3Y0cU4rNE8wd2ozYXR3OUV5K21yCmJUM05iUmZUT0xjNXdiajM5MzlUV2g4OGJScG44SVdEbDl3UVQxSzdnbjNkZWt0Vi9nRENZNjJ1WVgvRlp3TzYKY2owcUU3L3pwMWJvZUc5dWxGbDZ5OFdvaW5LM0xLSHVMYWJmUEtoN0dPZDJNSXNMYXVac1MwcXd4Q2VSVUlybgpRRkp5N0VsK043UUxraWZyVTNGZUV3bU9yNVZYeWphanBWaXUvNjB4c3J4VC9SMkgrNzN4Tm1JcTF0dzh3VllLCjEwQzNVeHJuZVhMcEpiL21UY0VlWkhMUFA0UGZZdlVuNGxWSnY4UmtqZ3lVRFlzLzdRcnRrclp4ZDMvK2pSQysKRmNHT2xvRUNnWUVBOXJQaCtvUVhwNHRnNlNua0QzSGtvT2s4SVRBcVhwcXVkRW5iQXFaTmdjOUYrWmMwdFVOWAp3RmMwK1V2SGxKam9HMHp1RjN5dnFqd3h1N2dKV1ovK0tvSVZmenk5Zi9DSTUzZHNFWE1hOHJoSlErZVZaTE5qCjg5Ylhka2t1MkJ4RmNFc3hac0dyaVFrMHhMVUo0MVBBc3IyMkgwSWZhc0Y4Vi95MldFdy9yOEVDZ1lFQXprd1EKQnNKVWVIQWZxNXhGMGVFZE1GOXFLUlpjaWpNcFUwSzFKV0h1OXAxWURPeW1JeWNnUkFxOTg5NjdXWjFhOFQrSApYWXVneEhLcUtNTUxjeDluVnp3SzFIZ2F4MmpTejNkRGIwM1pxVWkrTzJKalRuaHJOTC8zVG5Nb2xtR3Evci84CmtvQjhjTjFieDl5UDduNEQvckJoc1ZKTkFVYW12TzdxeU5ScnpBOENnWUVBNG53R0xEejBrbVpNMUFJWFUyNlcKSEh2RExoelA2UVpNdm9uSFBNbDhRbjRObWJRTk9aUFhqY2NCNVJTQzU1THhFNDh1emZVME9DOEc0WFYxY0FpSQpDSEpnVmUxbmMzdFoxRlk0cWxSb0d3akFpa3lqUkUzRXAybEhhVnFLWFBDbmR3NHhEa3NpdGEzeitkclNkeGErCnc5bVN4Mk9uQUJVZG1KRnl2ZUZTWG9FQ2dZQThLZkN1bC9RY244Nk10T21qMlB3elJGQm9wUzNkM0NmY01XTTEKQU1lNVFwQVFUTi95OXBFeFp0U1pEOGNoem9OY1FrUFBJMDZDbkZKRnl3UkcwY3pJb3lraFo5bWZlRkdxMGNSbgo3Sk5qREdUMldxNU5qMDdzdG1PQWpKTTBzRTAzT0hTSG9WTXBjMVUyQjN3dWVLL2ZrajhiZ0w0V2RpMWdnbWtVCm91YkJQd0tCZ1FEdFFSN1Y4bUk1MGZJSTlPYnh1QmhLVlpvVFhQ
SDQ1blhjdGlnQTlkbWRmSS9HZnJTZTJRMWIKUlV1UmdxazE3M05IV3pjb1JObXRaY1RRakVxTkVySzEzNG5MYWVtODZEV2R3N1BjdUNPUGkxRjJpa1RRWmF5RgpPNm8wdWs3aE1PV2dXWkxCYmg3VlI2ZHdqSko5Z285R0t5bE14NWs2Y1c0NExOMVlnZUdYMnc9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=_PEM
+kind: Secret
+metadata:
+ creationTimestamp: null
+ name: default-certs
+ namespace: default
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ name: default
+ labels:
+ app: default
+ kind: mutator
+webhooks:
+ - name: mutator.default.io
+ admissionReviewVersions: ["v1"]
+ sideEffects: None
+ clientConfig:
+ service:
+ name: default
+ namespace: default
+ path: /
+ caBundle: 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
+ rules:
+ - operations: ["CREATE", "UPDATE"]
+ apiGroups: ["*"]
+ apiVersions: ["*"]
+ resources: ["CiliumEnvoyConfig"]
+
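Review bot: The `key.pem` value of the `default-certs` Secret in the new `deploy.yml` is a base64-encoded RSA private key checked into the repository next to the `caBundle` that the `MutatingWebhookConfiguration` trusts, so every reader of the repository holds the webhook's TLS key. The value also ends in `_PEM` and the image still points at `gitlab.yoshino-s.xyz`, which suggests the file is output rendered before this commit's fixes rather than a maintained source file. I would drop `deploy.yml` from the commit, add it to `.gitignore`, and treat this key pair as exposed: generate a fresh pair at deploy time and purge the blob from history if the repository is shared.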