dazwilkin / akri-webhook
Akri: ValidatingWebhook
/cc: @bfjelds
The new de|serialization loses the solution to part of the original problem (project-akri/akri#180), namely that omitting .brokerPodSpec.containers[*].resources creates Instances without environment variables.
With the ValidatingAdmissionWebhookController applied:

```yaml
apiVersion: akri.sh/v0
kind: Configuration
metadata:
  name: zeroconf
spec:
  protocol:
    zeroconf:
      kind: "_rust._tcp"
      port: 8888
      txtRecords:
        project: akri
        protocol: zeroconf
        component: avahi-publish
  capacity: 1
  brokerPodSpec:
    imagePullSecrets: # Container Registry secret
    - name: ghcr
    containers:
    - name: zeroconf-broker
      image: ghcr.io/dazwilkin/zeroconf-broker@sha256:993e5b8d....
      # resources:
      #   limits:
      #     "{{PLACEHOLDER}}": "1"
```
Applying the above creates one Instance:

```console
kubectl get instances
NAME               CONFIG      SHARED   NODES      AGE
webthings-8bcaf2   webthings   true     ["akri"]   2s
```
But the Pod will not work correctly and won't include environment variables:

```bash
INSTANCE=$(kubectl get instances --output=jsonpath="{.items[*].metadata.name}")
kubectl get pod/akri-${INSTANCE}-pod \
  --output=jsonpath="{.spec.containers[*].resources}" | jq .
```

yields:

```json
{}
```
Whereas including the resources section and reapplying yields:

```json
{
  "limits": {
    "akri.sh/webthings-8bcaf2": "1"
  },
  "requests": {
    "akri.sh/webthings-8bcaf2": "1"
  }
}
```
Struggling with certificates.k8s.io/v1
```yaml
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: ${SERVICE}.${NAMESPACE}
spec:
  groups:
  - system:authenticated
  request: $(cat ${FILENAME}.csr | base64 | tr -d '\n')
  signerName: kubernetes.io/legacy-unknown
  usages:
  - digital signature
  - key encipherment
  - server auth
```
Without signerName, it errors:

```console
error: error validating "STDIN":
error validating data: ValidationError(CertificateSigningRequest.spec):
missing required field "signerName" in io.k8s.api.certificates.v1.CertificateSigningRequestSpec;
if you choose to ignore these errors, turn validation off with --validate=false
```
So it's clear where the signerName goes, and I was hoping to use kubernetes.io/kubelet-serving (see docs) because this signer includes:

> Permitted key usages - exactly ["key encipherment", "digital signature", "server auth"].

Which matches the spec above (particularly server auth), but it doesn't work. The same docs also restrict the permitted subjects for this signer to the organization system:nodes with a common name starting with system:node:, which a CSR for a webhook Service does not satisfy, so the controller approves the request and then fails to sign it:

```console
kubectl certificate approve ${SERVICE}.${NAMESPACE}
certificatesigningrequest.certificates.k8s.io/feriton.akri approved

kubectl get csr ${SERVICE}.${NAMESPACE}
NAME           AGE     SIGNERNAME                      REQUESTOR   CONDITION
feriton.akri   2m32s   kubernetes.io/kubelet-serving   admin       Approved,Failed
```
So, have reverted to v1beta1 for the time being.
Suggestion by @bfjelds to consider using JSONPath to validate against the CRD schema. This should provide some (more) dynamism than hard-coding the checks, and it matches nicely with kubectl's use of JSONPath.

See: Kubernetes' JSONPath
Akri is written in Rust, whereas Kubernetes is written in Go. The webhook examples were all written in Go, and the libraries and types (e.g. AdmissionReview) are available in Go. The majority of the effort has been in the configuration, and that does not change when rewriting in Rust... once it's working!
Would it be possible to generalize the use of JSONPath such that multiple filters could be provided? The challenge is that JSONPath is a filter mechanism but does not (!?) contain predicates. We can do e.g.:

```
{.spec.brokerPodSpec.containers[*].resources.limits}
{.spec.brokerPodSpec.protocol}
...
```

But would want e.g.:
Perhaps providing the filters as configuration to the Deployment too:

```yaml
  - name: webhook
    image: ghcr.io/dazwilkin/akri-webhook@...
    imagePullPolicy: Always
    args:
    - --filter="{.spec.brokerPodSpec.containers[*].resources.limits}"
    - --filter="{.spec.protocol.zeroconf}"
    - --tls-crt-file=/secrets/tls.crt
    - --tls-key-file=/secrets/tls.key
    - --port=8443
    - --logtostderr
    - -v=2
    volumeMounts:
    - name: secrets
      mountPath: /secrets
      readOnly: true
volumes:
- name: secrets
  secret:
    secretName: SERVICE
```
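To make the filter idea concrete, here is an added example (my own code, not from the akri-webhook repo or from Akri) of what the webhook would do with those `--filter` values: it walks a small JSONPath subset over the Configuration carried in an AdmissionReview and, unlike a plain filter, treats every node where the path is absent as a failed predicate ("must exist everywhere"), which is exactly the omitted-`resources` problem described at the top of this page. It uses only the Go standard library; the AdmissionReview documents, the UID and the image reference are constructed placeholders, and `evalPath` supports only dotted keys with an optional `[*]`, not the full JSONPath grammar.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// DefaultFilters mirrors the two --filter arguments proposed for the Deployment above.
var DefaultFilters = []string{
	"{.spec.brokerPodSpec.containers[*].resources.limits}",
	"{.spec.protocol.zeroconf}",
}

// match is one value reached by a filter, with the path at which it was found.
type match struct {
	where string
	value interface{}
}

// evalPath walks a JSONPath subset (dotted keys, optional [*] on a key) over JSON that was
// decoded into interface{} values. Besides the values it reaches, it reports every node at
// which a segment was absent; that list is the predicate a validating webhook needs.
func evalPath(doc interface{}, expr string) (found []match, missing []string) {
	expr = strings.TrimSuffix(strings.TrimPrefix(strings.TrimSpace(expr), "{"), "}")
	current := []match{{where: "", value: doc}}
	for _, seg := range strings.Split(strings.TrimPrefix(expr, "."), ".") {
		wildcard := strings.HasSuffix(seg, "[*]")
		key := strings.TrimSuffix(seg, "[*]")
		var next []match
		for _, m := range current {
			obj, isObj := m.value.(map[string]interface{})
			val, present := obj[key] // reading a nil map is safe when isObj is false
			if !isObj || !present {
				missing = append(missing, m.where+"."+key)
				continue
			}
			if !wildcard {
				next = append(next, match{where: m.where + "." + key, value: val})
				continue
			}
			arr, isArr := val.([]interface{})
			if !isArr {
				missing = append(missing, m.where+"."+key+"[*]")
				continue
			}
			for i, item := range arr { // fan out over every list element
				next = append(next, match{where: fmt.Sprintf("%s.%s[%d]", m.where, key, i), value: item})
			}
		}
		current = next
	}
	return current, missing
}

// Validate decodes an AdmissionReview request, applies every filter to the object under review
// and denies the request if any filter hits a missing path. The request UID is returned so the
// caller can echo it in the response.
func Validate(review []byte, filters []string) (uid string, allowed bool, reasons []string, err error) {
	var ar struct {
		Request struct {
			UID    string          `json:"uid"`
			Object json.RawMessage `json:"object"`
		} `json:"request"`
	}
	if err = json.Unmarshal(review, &ar); err != nil {
		return "", false, nil, err
	}
	var obj interface{}
	if err = json.Unmarshal(ar.Request.Object, &obj); err != nil {
		return "", false, nil, err
	}
	for _, f := range filters {
		_, missing := evalPath(obj, f)
		for _, path := range missing {
			reasons = append(reasons, fmt.Sprintf("filter %s: missing %s", f, path))
		}
	}
	return ar.Request.UID, len(reasons) == 0, reasons, nil
}

// Response renders the admission.k8s.io/v1 AdmissionReview response body the API server expects.
func Response(uid string, allowed bool, reasons []string) ([]byte, error) {
	return json.Marshal(map[string]interface{}{
		"apiVersion": "admission.k8s.io/v1",
		"kind":       "AdmissionReview",
		"response": map[string]interface{}{
			"uid":     uid,
			"allowed": allowed,
			"status":  map[string]string{"message": strings.Join(reasons, "; ")},
		},
	})
}

// Constructed AdmissionReview requests (not captured from a cluster): the README's Configuration
// with the resources block omitted, and the same with limits present. UID and image are placeholders.
const reviewWithoutResources = `{"apiVersion":"admission.k8s.io/v1","kind":"AdmissionReview","request":{"uid":"00000000-0000-0000-0000-000000000001","object":{"apiVersion":"akri.sh/v0","kind":"Configuration","metadata":{"name":"zeroconf"},"spec":{"protocol":{"zeroconf":{"kind":"_rust._tcp","port":8888}},"capacity":1,"brokerPodSpec":{"containers":[{"name":"zeroconf-broker","image":"example.invalid/zeroconf-broker:placeholder"}]}}}}}`

const reviewWithResources = `{"apiVersion":"admission.k8s.io/v1","kind":"AdmissionReview","request":{"uid":"00000000-0000-0000-0000-000000000002","object":{"apiVersion":"akri.sh/v0","kind":"Configuration","metadata":{"name":"zeroconf"},"spec":{"protocol":{"zeroconf":{"kind":"_rust._tcp","port":8888}},"capacity":1,"brokerPodSpec":{"containers":[{"name":"zeroconf-broker","image":"example.invalid/zeroconf-broker:placeholder","resources":{"limits":{"{{PLACEHOLDER}}":"1"}}}]}}}}}`

func main() {
	for _, r := range []string{reviewWithoutResources, reviewWithResources} {
		uid, allowed, reasons, err := Validate([]byte(r), DefaultFilters)
		if err != nil {
			panic(err)
		}
		out, _ := Response(uid, allowed, reasons)
		fmt.Println(string(out)) // first request is denied, second is allowed
	}
}
```

The per-element fan-out in `evalPath` is what turns a filter into a predicate: with two containers of which only one carries `resources.limits`, a plain "did the filter return anything?" check would pass, whereas reporting the missing node denies the request and names the offending container in the status message.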
Certificate generation should (!) be namespace friendly:

```bash
DIR=${PWD}/secrets
SERVICE="wednesday"
NAMESPACE="default"
FILENAME="${DIR}/${SERVICE}.${NAMESPACE}"
```

But confirm that this is so by using a ${NAMESPACE} other than default.
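One way to do that confirmation, as an added example that is not part of this repo: derive the key and CSR from SERVICE and NAMESPACE exactly as the variables above do, put the in-cluster Service names in the subjectAltName extension (the API server validates the webhook's serving certificate against `<service>.<namespace>.svc`), then read the SANs back out of the CSR so a non-default namespace can be checked before the CSR is ever submitted. It assumes openssl is installed; the service name, namespace and directory are whatever the caller passes.

```bash
#!/usr/bin/env sh
# Added example (not akri-webhook code): namespace-aware key + CSR for a webhook Service.
set -eu

# gen_csr SERVICE NAMESPACE DIR -> writes DIR/SERVICE.NAMESPACE.{cnf,key,csr}, prints the CSR path
gen_csr() {
  SERVICE="$1"; NAMESPACE="$2"; DIR="$3"
  FILENAME="${DIR}/${SERVICE}.${NAMESPACE}"
  CONF="${FILENAME}.cnf"
  # The SAN list carries every name the API server might dial for this Service.
  cat > "${CONF}" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = ${SERVICE}.${NAMESPACE}.svc
[ext]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt
[alt]
DNS.1 = ${SERVICE}
DNS.2 = ${SERVICE}.${NAMESPACE}
DNS.3 = ${SERVICE}.${NAMESPACE}.svc
DNS.4 = ${SERVICE}.${NAMESPACE}.svc.cluster.local
EOF
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "${FILENAME}.key" -out "${FILENAME}.csr" -config "${CONF}" >/dev/null 2>&1
  printf '%s\n' "${FILENAME}.csr"
}

# csr_sans CSR -> prints the DNS SANs encoded in the request, one per line
csr_sans() {
  openssl req -in "$1" -noout -text | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}

# Usage: generate for a non-default namespace and show what the CSR actually claims.
# DIR=$(mktemp -d); CSR=$(gen_csr wednesday akri "$DIR"); csr_sans "$CSR"
```

If `csr_sans` prints `wednesday.default.svc` when you asked for the `akri` namespace, the variables above are being expanded somewhere with a stale NAMESPACE, and the signed certificate would never match the Service the ValidatingWebhookConfiguration points at.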