Add Helm-managed webhook with kube-webhook-certgen

Signed-off-by: Omer Aplatony <[email protected]>

Author: omerap12

vertical-pod-autoscaler/charts/vertical-pod-autoscaler/README.md

@@ -18,23 +18,87 @@ The Vertical Pod Autoscaler (VPA) automatically adjusts the CPU and memory resou
 | adrianmoisey | <[email protected]> |  |
 | omerap12 | <[email protected]> |  |
 
+## Webhook Management
+The admission controller requires a `MutatingWebhookConfiguration` and TLS certificates. This chart supports two mutually exclusive modes:
+
+### Helm-managed (default)
+```yaml
+admissionController:
+  registerWebhook: false
+  certGen:
+    enabled: true
+```
+In this mode:
+- Helm creates the MutatingWebhookConfiguration
+- The kube-webhook-certgen job generates TLS certificates and stores them in a Secret
+- The certificates are automatically injected into the webhook configuration
+
+### Application-managed
+```yaml
+admissionController:
+  registerWebhook: true
+  certGen:
+    enabled: false
+```
+In this mode:
+- The VPA admission controller creates and manages the webhook itself
+- The application handles its own certificate generation
+
+## Migration Guides
+
+### Migrating from vpa-up.sh script
+TBD
+
+### Migrating from Application-managed to Helm-managed webhook
+If you previously deployed with registerWebhook: true and want to switch to Helm-managed:
+- Delete the existing webhook:
+```bash
+kubectl delete mutatingwebhookconfiguration vpa-webhook-config
+```
+- Delete the existing secret (to allow certgen to create new certificates):
+```bash
+kubectl delete secret -n <namespace> vpa-tls-certs
+```
+- Upgrade with the new values:
+```bash
+helm upgrade <release-name> <chart> \
+  --set admissionController.registerWebhook=false \
+  --set admissionController.certGen.enabled=true
+```
 ## Values
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | admissionController.affinity | object | `{}` |  |
+| admissionController.certGen.affinity | object | `{}` |  |
+| admissionController.certGen.enabled | bool | `true` |  |
+| admissionController.certGen.env | object | `{}` | Additional environment variables to be added to the certgen container. Format is KEY: Value format |
+| admissionController.certGen.image.pullPolicy | string | `"IfNotPresent"` | The pull policy for the certgen image. Recommend not changing this |
+| admissionController.certGen.image.repository | string | `"registry.k8s.io/ingress-nginx/kube-webhook-certgen"` | An image that contains certgen for creating certificates. Only used if admissionController.generateCertificate is true |
+| admissionController.certGen.image.tag | string | `"v20231011-8b53cabe0"` | An image tag for the admissionController.certGen.image.repository image. Only used if admissionController.generateCertificate is true |
+| admissionController.certGen.nodeSelector | object | `{}` |  |
+| admissionController.certGen.podSecurityContext | object | `{"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}` | The securityContext block for the certgen pod(s) |
+| admissionController.certGen.resources | object | `{}` | The resources block for the certgen pod |
+| admissionController.certGen.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true}` | The securityContext block for the certgen container(s) |
+| admissionController.certGen.tolerations | list | `[]` |  |
 | admissionController.enabled | bool | `true` |  |
 | admissionController.extraArgs | list | `[]` |  |
 | admissionController.extraEnv | list | `[]` |  |
 | admissionController.image.pullPolicy | string | `"IfNotPresent"` |  |
 | admissionController.image.repository | string | `"registry.k8s.io/autoscaling/vpa-admission-controller"` |  |
 | admissionController.image.tag | string | `nil` |  |
+| admissionController.mutatingWebhookConfiguration.annotations | object | `{}` | Additional annotations for the MutatingWebhookConfiguration |
+| admissionController.mutatingWebhookConfiguration.failurePolicy | string | `"Ignore"` | The failurePolicy for the mutating webhook. Allowed values are: Ignore, Fail |
+| admissionController.mutatingWebhookConfiguration.namespaceSelector | object | `{}` | The namespaceSelector controls which namespaces are affected by the webhook |
+| admissionController.mutatingWebhookConfiguration.objectSelector | object | `{}` | The objectSelector can filter objects on e.g. labels |
+| admissionController.mutatingWebhookConfiguration.timeoutSeconds | int | `5` | Sets the amount of time the API server will wait on a response from the webhook service |
 | admissionController.nodeSelector | object | `{}` |  |
 | admissionController.podAnnotations | object | `{}` |  |
 | admissionController.podDisruptionBudget.enabled | bool | `true` |  |
 | admissionController.podDisruptionBudget.maxUnavailable | int or string | `nil` | Maximum number/percentage of pods that can be unavailable after the eviction. IMPORTANT: You can specify either 'minAvailable' or 'maxUnavailable', but not both. |
 | admissionController.podDisruptionBudget.minAvailable | int or string | `1` | Minimum number/percentage of pods that must be available after the eviction. IMPORTANT: You can specify either 'minAvailable' or 'maxUnavailable', but not both. |
 | admissionController.podLabels | object | `{}` |  |
+| admissionController.registerWebhook | bool | `false` |  |
 | admissionController.replicas | int | `2` |  |
 | admissionController.resources.limits.cpu | string | `"200m"` |  |
 | admissionController.resources.limits.memory | string | `"500Mi"` |  |
@@ -48,17 +112,19 @@ The Vertical Pod Autoscaler (VPA) automatically adjusts the CPU and memory resou
 | admissionController.serviceAccount.annotations | object | `{}` |  |
 | admissionController.serviceAccount.create | bool | `true` |  |
 | admissionController.serviceAccount.labels | object | `{}` |  |
-| admissionController.tls.caCert | string | `""` |  |
-| admissionController.tls.cert | string | `""` |  |
-| admissionController.tls.existingSecret | string | `""` |  |
-| admissionController.tls.key | string | `""` |  |
 | admissionController.tls.secretName | string | `"vpa-tls-certs"` |  |
 | admissionController.tolerations | list | `[]` |  |
 | admissionController.volumeMounts[0].mountPath | string | `"/etc/tls-certs"` |  |
 | admissionController.volumeMounts[0].name | string | `"tls-certs"` |  |
 | admissionController.volumeMounts[0].readOnly | bool | `true` |  |
 | admissionController.volumes[0].name | string | `"tls-certs"` |  |
 | admissionController.volumes[0].secret.defaultMode | int | `420` |  |
+| admissionController.volumes[0].secret.items[0].key | string | `"ca"` |  |
+| admissionController.volumes[0].secret.items[0].path | string | `"caCert.pem"` |  |
+| admissionController.volumes[0].secret.items[1].key | string | `"cert"` |  |
+| admissionController.volumes[0].secret.items[1].path | string | `"serverCert.pem"` |  |
+| admissionController.volumes[0].secret.items[2].key | string | `"key"` |  |
+| admissionController.volumes[0].secret.items[2].path | string | `"serverKey.pem"` |  |
 | admissionController.volumes[0].secret.secretName | string | `"vpa-tls-certs"` |  |
 | commonLabels | object | `{}` |  |
 | containerSecurityContext | object | `{}` |  |

vertical-pod-autoscaler/charts/vertical-pod-autoscaler/README.md.gotmpl

@@ -15,4 +15,51 @@ The Vertical Pod Autoscaler (VPA) automatically adjusts the CPU and memory resou
 
 {{ template "chart.requirementsSection" . }}
 
+## Webhook Management
+The admission controller requires a `MutatingWebhookConfiguration` and TLS certificates. This chart supports two mutually exclusive modes:
+
+### Helm-managed (default)
+```yaml
+admissionController:
+  registerWebhook: false
+  certGen:
+    enabled: true
+```
+In this mode:
+- Helm creates the MutatingWebhookConfiguration
+- The kube-webhook-certgen job generates TLS certificates and stores them in a Secret
+- The certificates are automatically injected into the webhook configuration
+
+### Application-managed
+```yaml
+admissionController:
+  registerWebhook: true
+  certGen:
+    enabled: false
+```
+In this mode:
+- The VPA admission controller creates and manages the webhook itself
+- The application handles its own certificate generation
+
+## Migration Guides
+
+### Migrating from vpa-up.sh script
+TBD
+
+### Migrating from Application-managed to Helm-managed webhook
+If you previously deployed with registerWebhook: true and want to switch to Helm-managed:
+- Delete the existing webhook:
+```bash
+kubectl delete mutatingwebhookconfiguration vpa-webhook-config
+```
+- Delete the existing secret (to allow certgen to create new certificates):
+```bash
+kubectl delete secret -n <namespace> vpa-tls-certs
+```
+- Upgrade with the new values:
+```bash
+helm upgrade <release-name> <chart> \
+  --set admissionController.registerWebhook=false \
+  --set admissionController.certGen.enabled=true
+```
 {{ template "chart.valuesSection" . }}

vertical-pod-autoscaler/charts/vertical-pod-autoscaler/templates/_helpers.tpl

@@ -66,13 +66,33 @@ app.kubernetes.io/component: admission-controller
 Create the name of the tls secret to use
 */}}
 {{- define "vertical-pod-autoscaler.admissionController.tls.secretName" -}}
-{{- if .Values.admissionController.tls.existingSecret -}}
-    {{ .Values.admissionController.tls.existingSecret }}
+{{- if .Values.admissionController.tls.secretName -}}
+    {{ .Values.admissionController.tls.secretName }}
 {{- else -}}
     {{- printf "%s-%s" (include "vertical-pod-autoscaler.admissionController.fullname" .) "tls" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 {{- end -}}
 
+{{/*
+admissionController webhook
+*/}}
+
+{{- define "vertical-pod-autoscaler.admissionController.webhook.configName" -}}
+{{ include "vertical-pod-autoscaler.fullname" . }}-webhook-config
+{{- end }}
+
+{{/*
+admissionController certGen
+*/}}
+{{- define "vertical-pod-autoscaler.admissionController.certGen.fullname" -}}
+{{ include "vertical-pod-autoscaler.fullname" . }}-admission-certgen
+{{- end }}
+
+{{- define "vertical-pod-autoscaler.admissionController.certGen.labels" -}}
+{{ include "vertical-pod-autoscaler.labels" . }}
+app.kubernetes.io/component: admission-certgen
+{{- end }}
+
 
 {{/*
 updater

vertical-pod-autoscaler/charts/vertical-pod-autoscaler/templates/admission-controller-certgen-clusterrole.yaml

@@ -0,0 +1,21 @@
+{{- if and .Values.admissionController.enabled .Values.admissionController.certGen.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "vertical-pod-autoscaler.admissionController.certGen.fullname" . }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+    "helm.sh/hook-weight": "-10"
+  labels:
+    {{- include "vertical-pod-autoscaler.admissionController.certGen.labels" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - admissionregistration.k8s.io
+    resources:
+      - mutatingwebhookconfigurations
+    verbs:
+      - get
+      - update
+      - patch
+{{- end -}}

vertical-pod-autoscaler/charts/vertical-pod-autoscaler/templates/admission-controller-certgen-clusterrolebinding.yaml

@@ -0,0 +1,20 @@
+{{- if and .Values.admissionController.enabled .Values.admissionController.certGen.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "vertical-pod-autoscaler.admissionController.certGen.fullname" . }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+    "helm.sh/hook-weight": "-10"
+  labels:
+    {{- include "vertical-pod-autoscaler.admissionController.certGen.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "vertical-pod-autoscaler.admissionController.certGen.fullname" . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "vertical-pod-autoscaler.admissionController.certGen.fullname" . }}
+    namespace: {{ .Release.Namespace }}
+{{- end -}}

vertical-pod-autoscaler/charts/vertical-pod-autoscaler/templates/admission-controller-certgen-patch.yaml

@@ -0,0 +1,70 @@
+{{- if and .Values.admissionController.enabled .Values.admissionController.certGen.enabled -}}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "vertical-pod-autoscaler.admissionController.certGen.fullname" . }}-patch
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": post-install,post-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+  labels:
+    {{- include "vertical-pod-autoscaler.admissionController.certGen.labels" . | nindent 4 }}
+spec:
+  ttlSecondsAfterFinished: 300
+  template:
+    metadata:
+      name: {{ include "vertical-pod-autoscaler.admissionController.certGen.fullname" . }}-patch
+      labels:
+        {{- include "vertical-pod-autoscaler.admissionController.certGen.labels" . | nindent 8 }}
+    spec:
+      restartPolicy: OnFailure
+      serviceAccountName: {{ include "vertical-pod-autoscaler.admissionController.certGen.fullname" . }}
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.priorityClassName }}
+      priorityClassName: {{ . }}
+      {{- end }}
+      containers:
+        - name: patch
+          image: {{ printf "%s:%s" .Values.admissionController.certGen.image.repository .Values.admissionController.certGen.image.tag }}
+          imagePullPolicy: {{ .Values.admissionController.certGen.image.pullPolicy }}
+          args:
+            - patch
+            - --webhook-name={{ include "vertical-pod-autoscaler.admissionController.webhook.configName" . }}
+            - --namespace={{ .Release.Namespace }}
+            - --secret-name={{ include "vertical-pod-autoscaler.admissionController.tls.secretName" . }}
+            - --patch-validating=false
+          {{- with .Values.admissionController.certGen.env }}
+          env:
+            {{- range $key, $value := . }}
+            - name: {{ $key }}
+              value: {{ $value | quote }}
+            {{- end }}
+          {{- end }}
+          {{- with .Values.admissionController.certGen.resources }}
+          resources:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.admissionController.certGen.securityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+      {{- with .Values.admissionController.certGen.podSecurityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.admissionController.certGen.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.admissionController.certGen.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.admissionController.certGen.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+{{- end -}}

vertical-pod-autoscaler/charts/vertical-pod-autoscaler/templates/admission-controller-certgen-role.yaml

@@ -0,0 +1,21 @@
+{{- if and .Values.admissionController.enabled .Values.admissionController.certGen.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "vertical-pod-autoscaler.admissionController.certGen.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+    "helm.sh/hook-weight": "-10"
+  labels:
+    {{- include "vertical-pod-autoscaler.admissionController.certGen.labels" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+      - create
+{{- end -}}

vertical-pod-autoscaler/charts/vertical-pod-autoscaler/templates/admission-controller-certgen-rolebinding.yaml

@@ -0,0 +1,21 @@
+{{- if and .Values.admissionController.enabled .Values.admissionController.certGen.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "vertical-pod-autoscaler.admissionController.certGen.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+    "helm.sh/hook-weight": "-10"
+  labels:
+    {{- include "vertical-pod-autoscaler.admissionController.certGen.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "vertical-pod-autoscaler.admissionController.certGen.fullname" . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "vertical-pod-autoscaler.admissionController.certGen.fullname" . }}
+    namespace: {{ .Release.Namespace }}
+{{- end -}}

vertical-pod-autoscaler/charts/vertical-pod-autoscaler/templates/admission-controller-certgen-serviceaccount.yaml

@@ -0,0 +1,13 @@
+{{- if and .Values.admissionController.enabled .Values.admissionController.certGen.enabled -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "vertical-pod-autoscaler.admissionController.certGen.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+    "helm.sh/hook-weight": "-10"
+  labels:
+    {{- include "vertical-pod-autoscaler.admissionController.certGen.labels" . | nindent 4 }}
+{{- end -}}