cluster/kube: deploy admitomatic webhook
This has been (successfully) tested on prod and then rolled back.
Change-Id: I22657f66b4aeaa8a0ae452035ba18a79f4549b14
diff --git a/cluster/kube/k0-admitomatic.jsonnet b/cluster/kube/k0-admitomatic.jsonnet
new file mode 100644
index 0000000..efff661
--- /dev/null
+++ b/cluster/kube/k0-admitomatic.jsonnet
@@ -0,0 +1,7 @@
+// Only the admitomatic instance in k0.
+
+local k0 = (import "k0.libsonnet").k0;
+
+{
+ admitomatic: k0.admitomatic,
+}
diff --git a/cluster/kube/lib/admitomatic.libsonnet b/cluster/kube/lib/admitomatic.libsonnet
index 36ea5ef..ab44bfb 100644
--- a/cluster/kube/lib/admitomatic.libsonnet
+++ b/cluster/kube/lib/admitomatic.libsonnet
@@ -90,5 +90,35 @@
svc: ns.Contain(kube.Service("admitomatic")) {
target_pod:: env.daemonset.spec.template,
},
+
+ webhook: kube.ValidatingWebhookConfiguration("admitomatic") {
+ webhooks_: {
+ "admitomatic.hswaw.net": {
+ rules: [
+ {
+ apiGroups: ["networking.k8s.io"],
+ apiVersions: ["v1", "v1beta1"],
+ operations: ["CREATE", "UPDATE"],
+ resources: ["ingresses"],
+ scope: "Namespaced",
+ }
+ ],
+ clientConfig: {
+ service: {
+ namespace: env.svc.metadata.namespace,
+ name: env.svc.metadata.name,
+ port: 8443,
+ path: "/webhook",
+ },
+ caBundle: std.base64(importstr "../../certs/ca-admitomatic.crt"),
+ },
+ failurePolicy: "Ignore",
+ matchPolicy: "Equivalent",
+ admissionReviewVersions: ["v1", "v1beta1"],
+ sideEffects: "None",
+ timeoutSeconds: 5,
+ },
+ },
+ },
},
}
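Review bot: `failurePolicy: "Ignore"` on the `admitomatic.hswaw.net` webhook makes the ingress check fail open. If the admitomatic service is unreachable or exceeds `timeoutSeconds: 5`, the API server admits the Ingress CREATE/UPDATE without validation, so the policy holds only while the backend is healthy. If this is a deliberate rollout choice, record it on that line, e.g. `// Fail open during rollout; switch to "Fail" once admitomatic is proven stable.` It would also help to alert on the API server's `apiserver_admission_webhook_fail_open_count` metric so skipped checks are visible. The enclosing environment object starts above the hunk, so I cannot tell from here whether a later override tightens this.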