Add secure deployment

Author: sttts

artifacts/deployment-secure/.gitignore

@@ -0,0 +1,4 @@
+tls.crt
+tls.key
+*-apiservice.yaml
+serving-cert-secret.yaml

artifacts/deployment-secure/Makefile

@@ -0,0 +1,14 @@
+SHELL = bash
+
+OUTPUT := serving-cert-secret.yaml v1alpha1-apiservice.yaml v1beta1-apiservice.yaml
+
+all: tls.key tls.crt $(OUTPUT)
+
+tls.key tls.crt:
+		openssl req -new -x509 -subj "/CN=webhook.pizza-crd.svc" -nodes -newkey rsa:4096 -keyout tls.key -out tls.crt -days 365
+
+$(OUTPUT): tls.key tls.crt
+		sed 's,CERT,$(shell base64 tls.crt),;s,KEY,$(shell base64 tls.key),' $@.template > $@
+
+clean:
+		rm -f tls.key tls.crt $(OUTPUT)

artifacts/deployment-secure/auth-delegator.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: custom-apiserver:system:auth-delegator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:auth-delegator
+subjects:
+- kind: ServiceAccount
+  name: apiserver
+  namespace: custom-apiserver

artifacts/deployment-secure/auth-reader.yaml

@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: custom-apiserver-auth-reader
+  namespace: kube-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: extension-apiserver-authentication-reader
+subjects:
+- kind: ServiceAccount
+  name: apiserver
+  namespace: custom-apiserver

artifacts/deployment-secure/deployment.yaml

@@ -0,0 +1,42 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: custom-server
+  namespace: custom-apiserver
+  labels:
+    apiserver: "true"
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      apiserver: "true"
+  template:
+    metadata:
+      labels:
+        apiserver: "true"
+        version: "2"
+    spec:
+      serviceAccountName: apiserver
+      containers:
+      - name: apiserver
+        image: quay.io/programming-kubernetes/custom-apiserver:latest
+        imagePullPolicy: Always
+        command: ["/custom-apiserver"]
+        args:
+        - --etcd-servers=http://localhost:2379
+        - --cert-dir=/tmp/certs
+        - --secure-port=8443
+        - --tls-cert-file=/var/run/apiserver/serving-cert/tls.crt
+        - --tls-private-key-file=/var/run/apiserver/serving-cert/tls.key
+        - --v=4
+        volumeMounts:
+        - name: serving-cert
+          readOnly: true
+          mountPath: /var/run/apiserver/serving-cert
+      - name: etcd
+        image: quay.io/coreos/etcd:v3.2.24
+        workingDir: /tmp
+      volumes:
+      - name: serving-cert
+        secret:
+          secretName: serving-cert

artifacts/deployment-secure/ns.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: custom-apiserver
+spec: {}

artifacts/deployment-secure/rbac-bind.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: custom-apiserver-clusterrolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: aggregated-apiserver-clusterrole
+subjects:
+- kind: ServiceAccount
+  name: apiserver
+  namespace: custom-apiserver

artifacts/deployment-secure/rbac.yaml

@@ -0,0 +1,11 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: aggregated-apiserver-clusterrole
+rules:
+- apiGroups: [""]
+  resources: ["namespaces"]
+  verbs: ["get", "watch", "list"]
+- apiGroups: ["admissionregistration.k8s.io"]
+  resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
+  verbs: ["get", "watch", "list"]

artifacts/deployment-secure/sa.yaml

@@ -0,0 +1,5 @@
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  name: apiserver
+  namespace: custom-apiserver

artifacts/deployment-secure/service.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: api
+  namespace: custom-apiserver
+spec:
+  ports:
+  - port: 443
+    protocol: TCP
+    targetPort: 8443
+  selector:
+    apiserver: "true"