spectrocloud · AmitSahastra · May 22, 2025
diff --git a/spectro/generated/core-global.yaml b/spectro/generated/core-global.yaml
diff --git a/spectro/global/aso/kustomization.yaml b/spectro/global/aso/kustomization.yaml
@@ -0,0 +1,176 @@
+namespace: capi-webhook-system
+
+#namePrefix: capz-
+
+# Labels to add to all resources and selectors.
+commonLabels:
+  cluster.x-k8s.io/provider: aso-infrastructure-azure
+
+components:
+- ../../../config/aso
+
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+labels:
+- includeSelectors: true
+  pairs:
+    cluster.x-k8s.io/provider: aso-infrastructure-azure
+
+patches:
+- path: ../patch_namespace.yaml
+  target:
+    kind: Namespace
+    name: system
+    version: v1
+- path: ../patch_cluster_role.yaml
+  target:
+    group: rbac.authorization.k8s.io
+    kind: ClusterRole
+    name: capz-aad-pod-id-nmi-role
+    version: v1
+- path: ../patch_namespace.yaml
+  target:
+    kind: Namespace
+    name: system
+    version: v1
+- path: ../patch_service_account.yaml
+  target:
+    group: apps
+    kind: Deployment
+    name: controller-manager
+    namespace: system
+    version: v1
+- path: ../patch_service_account.yaml
+  target:
+    group: apps
+    kind: DaemonSet
+    name: capz-nmi
+    namespace: capi-webhook-system
+    version: v1
+- path: ../patch_crd_webhook_namespace.yaml
+  target:
+    group: apiextensions.k8s.io
+    kind: CustomResourceDefinition
+    name: azureclusteridentities.infrastructure.cluster.x-k8s.io
+    version: v1
+- path: ../patch_crd_webhook_namespace.yaml
+  target:
+    group: apiextensions.k8s.io
+    kind: CustomResourceDefinition
+    name: azureclusters.infrastructure.cluster.x-k8s.io
+    version: v1
+- path: ../patch_crd_webhook_namespace.yaml
+  target:
+    group: apiextensions.k8s.io
+    kind: CustomResourceDefinition
+    name: azuremachines.infrastructure.cluster.x-k8s.io
+    version: v1
+- path: ../patch_crd_webhook_namespace.yaml
+  target:
+    group: apiextensions.k8s.io
+    kind: CustomResourceDefinition
+    name: azuremachinetemplates.infrastructure.cluster.x-k8s.io
+    version: v1
+- path: ../patch_crd_webhook_namespace.yaml
+  target:
+    group: apiextensions.k8s.io
+    kind: CustomResourceDefinition
+    name: azuremachinepools.infrastructure.cluster.x-k8s.io
+    version: v1
+- path: ../patch_crd_webhook_namespace.yaml
+  target:
+    group: apiextensions.k8s.io
+    kind: CustomResourceDefinition
+    name: azuremachinepoolmachines.infrastructure.cluster.x-k8s.io
+    version: v1
+- path: ../patch_crd_webhook_namespace.yaml
+  target:
+    group: apiextensions.k8s.io
+    kind: CustomResourceDefinition
+    name: azuremanagedclusters.infrastructure.cluster.x-k8s.io
+    version: v1
+- path: ../patch_crd_webhook_namespace.yaml
+  target:
+    group: apiextensions.k8s.io
+    kind: CustomResourceDefinition
+    name: azuremanagedcontrolplanes.infrastructure.cluster.x-k8s.io
+    version: v1
+- path: ../patch_crd_webhook_namespace.yaml
+  target:
+    group: apiextensions.k8s.io
+    kind: CustomResourceDefinition
+    name: azuremanagedmachinepools.infrastructure.cluster.x-k8s.io
+    version: v1
+- path: ../patch_nmi_cluster_role_binding.yaml
+  target:
+    group: rbac.authorization.k8s.io
+    kind: ClusterRoleBinding
+    name: capz-aad-pod-id-nmi-binding
+    version: v1
+- path: ../../../config/default/manager_image_patch.yaml
+  target:
+    group: apps
+    kind: Deployment
+    name: controller-manager
+    version: v1
+- path: ../../../config/default/manager_pull_policy.yaml
+  target:
+    group: apps
+    kind: Deployment
+    name: controller-manager
+    version: v1
+- path: ../../../config/default/manager_webhook_patch.yaml
+  target:
+    group: apps
+    kind: Deployment
+    name: controller-manager
+    version: v1
+- path: ../../../config/default/mutatingwebhookcainjection_patch.yaml
+  target:
+    group: admissionregistration.k8s.io
+    kind: MutatingWebhookConfiguration
+    name: mutating-webhook-configuration
+    version: v1
+- path: ../../../config/default/validatingwebhookcainjection_patch.yaml
+  target:
+    group: admissionregistration.k8s.io
+    kind: ValidatingWebhookConfiguration
+    name: validating-webhook-configuration
+    version: v1
+
+
+replacements:
+#- source:
+#    fieldPath: metadata.namespace
+#    kind: Certificate
+#    name: serving-cert
+#  targets:
+#  - fieldPaths:
+#    - metadata.annotations."cert-manager.io/inject-ca-from"
+#    options:
+#      delimiter: /
+#    select:
+#      kind: MutatingWebhookConfiguration
+#      name: webhook
+#- source:
+#    kind: Certificate
+#    name: serving-cert
+#  targets:
+#  - fieldPaths:
+#    - metadata.annotations."cert-manager.io/inject-ca-from"
+#    options:
+#      delimiter: /
+#      index: 1
+#    select:
+#      kind: MutatingWebhookConfiguration
+#      name: webhook
+#- source:
+#    fieldPath: metadata.namespace
+#    kind: Service
+#    name: webhook-service
+#  targets:
+#  - fieldPaths:
+#    - metadata.annotations."cert-manager.io/inject-ca-from"
+#    select:
+#      kind: MutatingWebhookConfiguration
+#      name: webhook
diff --git a/spectro/global/aso/patch_aso_webhook_config.yaml b/spectro/global/aso/patch_aso_webhook_config.yaml
@@ -0,0 +1,45 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: aso-mutating-webhook-configuration
+  labels:
+    cluster.x-k8s.io/provider: aso-infrastructure-azure
+webhooks:
+- name: default.azureasomanagedcluster.infrastructure.cluster.x-k8s.io
+  clientConfig:
+    service:
+      name: aso-webhook-service
+      namespace: capi-webhook-system
+- name: default.azureasomanagedcontrolplane.infrastructure.cluster.x-k8s.io
+  clientConfig:
+    service:
+      name: aso-webhook-service
+      namespace: capi-webhook-system
+- name: default.azureasomanagedmachinepool.infrastructure.cluster.x-k8s.io
+  clientConfig:
+    service:
+      name: aso-webhook-service
+      namespace: capi-webhook-system
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: aso-validating-webhook-configuration
+  labels:
+    cluster.x-k8s.io/provider: aso-infrastructure-azure
+webhooks:
+- name: validation.azureasomanagedcluster.infrastructure.cluster.x-k8s.io
+  clientConfig:
+    service:
+      name: aso-webhook-service
+      namespace: capi-webhook-system
+- name: validation.azureasomanagedcontrolplane.infrastructure.cluster.x-k8s.io
+  clientConfig:
+    service:
+      name: aso-webhook-service
+      namespace: capi-webhook-system
+- name: validation.azureasomanagedmachinepool.infrastructure.cluster.x-k8s.io
+  clientConfig:
+    service:
+      name: aso-webhook-service
+      namespace: capi-webhook-system 
diff --git a/spectro/global/aso/patch_aso_webhook_service.yaml b/spectro/global/aso/patch_aso_webhook_service.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: aso-webhook-service
+  namespace: capi-webhook-system
+  labels:
+    cluster.x-k8s.io/provider: aso-infrastructure-azure
+spec:
+  selector:
+    cluster.x-k8s.io/provider: aso-infrastructure-azure 
diff --git a/spectro/global/kustomization.yaml b/spectro/global/kustomization.yaml
@@ -9,10 +9,7 @@ resources:
 - ../../config/webhook
 - ../../config/manager
 - ../../config/certmanager
-
-
-components:
-- ../../config/aso
+- ./aso
 
 configurations:
 - ../../config/default/kustomizeconfig.yaml
@@ -103,12 +100,6 @@ patches:
     kind: CustomResourceDefinition
     name: azuremanagedmachinepools.infrastructure.cluster.x-k8s.io
     version: v1
-- path: patch_nmi_cluster_role_binding.yaml
-  target:
-    group: rbac.authorization.k8s.io
-    kind: ClusterRoleBinding
-    name: capz-aad-pod-id-nmi-binding
-    version: v1
 - path: ../../config/default/manager_image_patch.yaml
   target:
     group: apps
@@ -139,7 +130,16 @@ patches:
     kind: ValidatingWebhookConfiguration
     name: validating-webhook-configuration
     version: v1
-
+- path: patch_namespace_object.yaml
+  target:
+    kind: Namespace
+    name: capi-webhook-system
+- path: patch_nmi_cluster_role_binding.yaml
+  target:
+    group: rbac.authorization.k8s.io
+    kind: ClusterRoleBinding
+    name: capz-aad-pod-id-nmi-binding
+    version: v1
 
 replacements:
 - source:

diff --git a/spectro/global/patch_namespace_object.yaml b/spectro/global/patch_namespace_object.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: capi-webhook-system
+  labels:
+    spectrocloud.com/imageswap: enabled
diff --git a/spectro/global/patch_nmi_cluster_role_binding.yaml b/spectro/global/patch_nmi_cluster_role_binding.yaml
@@ -1,6 +1,8 @@
-- op: replace
-  path: "/subjects/0/namespace"
-  value: capi-webhook-system
-- op: replace
-  path: "/subjects/0/name"
-  value: default
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: capz-aad-pod-id-nmi-binding
+subjects:
+  - kind: ServiceAccount
+    name: default
+    namespace: capi-webhook-system
diff --git a/spectro/run.sh b/spectro/run.sh
@@ -1,6 +1,7 @@
 #!/bin/bash
 
-rm generated/*
+rm -rf generated/*
+mkdir -p generated
 
 kustomize build --load-restrictor LoadRestrictionsNone global > ./generated/core-global.yaml
 kustomize build --load-restrictor LoadRestrictionsNone base > ./generated/core-base.yaml