add webhook - fixes #10 (#13)

* handle webhook with helm. Closes #10

Signed-off-by: David J. M. Karlsen <[email protected]>

* bump chart version

Signed-off-by: David J. M. Karlsen <[email protected]>

stable/anchore-admission-controller/Chart.yaml

@@ -2,7 +2,7 @@ name: anchore-admission-controller
 description: A kubernetes admission controller for validating and mutating webhooks that operates against Anchore Engine to make access decisions and annotations
 apiVersion: v1
 appVersion: 0.2.2
-version: 0.2.7
+version: 0.2.8
 home: https://github.com/anchore/kubernetes-admission-controller
 maintainers:
   - name: zhill

stable/anchore-admission-controller/templates/NOTES.txt

@@ -1,43 +1 @@
 Anchore admission controller is now installed.
-
-Create a validating webhook resources to start enforcement using the included script:
-
-./files/get_validating_webhook_config.sh <releasename>
-kubectl apply -f validating-webhook.yaml
-
-
-KUBE_CA=$(kubectl config view --minify=true --flatten -o json | jq '.clusters[0].cluster."certificate-authority-data"' -r)
-cat > validating-webhook.yaml <<EOF
-apiVersion: admissionregistration.k8s.io/v1beta1
-kind: ValidatingWebhookConfiguration
-metadata:
-  name: {{ template "anchore-admission-controller.fullname" . }}.admission.anchore.io
-webhooks:
-- name: {{ template "anchore-admission-controller.fullname" . }}.admission.anchore.io
-  clientConfig:
-    service:
-      namespace: default
-      name: kubernetes
-      path: /apis/admission.anchore.io/v1beta1/imagechecks
-    caBundle: $KUBE_CA
-  rules:
-  - operations:
-    - CREATE
-    apiGroups:
-    - ""
-    apiVersions:
-    - "*"
-    resources:
-    - pods
-  failurePolicy: Fail
-# Uncomment this and customize to exclude specific namespaces from the validation requirement
-#  namespaceSelector:
-#    matchExpressions:
-#      - key: exclude.admission.anchore.io
-#        operator: NotIn
-#        values: ["true"]
-EOF
-
-
-
-

stable/anchore-admission-controller/templates/webhook.yaml

@@ -0,0 +1,28 @@
+{{- if .Values.apiService.webhook.enabled }}
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: {{ template "anchore-admission-controller.name" . }}-admission.anchore.io
+labels: {{- include "anchore-admission-controller.labels" . | nindent 4 }}
+webhooks:
+- name: {{ template "anchore-admission-controller.name" . }}-admission.anchore.io
+  clientConfig:
+    service:
+      namespace: default
+      name: kubernetes
+      path: /apis/{{ .Values.apiService.group }}/v1beta1/imagechecks
+    {{- with .Values.apiService.webhook.caBundle }}
+    caBundle: {{ . | b64enc }}
+    {{- end }}
+  rules:
+  - operations:
+    - CREATE
+    apiGroups:
+    - ""
+    apiVersions:
+    - "*"
+    resources:
+    - pods
+  failurePolicy: {{ .Values.apiService.webhook.failurePolicy }}
+  namespaceSelector: {{- toYaml .Values.apiService.namespaceSelector | nindent 4 }}
+{{- end }}

stable/anchore-admission-controller/values.yaml

@@ -15,8 +15,18 @@ service:
   externalPort: 443
 
 apiService:
+  webhook:
+    enabled: true
+    failurePolicy: Ignore
+    # caBundle value can be obtained with: kubectl config view --raw --minify --flatten -o jsonpath='{.clusters[].cluster.certificate-authority-data}'
+    # caBundle:
   group: admission.anchore.io
   version: v1beta1
+  namespaceSelector:
+    matchExpressions:
+      - key: exclude.admission.anchore.io
+        operator: NotIn
+        values: ["true"]
 
 anchoreEndpoint: ""
 policySelectors: