---
# Identity the admission controller pod runs as. No namespace is set here,
# so the object lands in whatever namespace the bundle is applied to.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: redis-enterprise-admission
---
# Cluster-scoped permission to submit CertificateSigningRequests and watch
# them. The rule grants neither approval nor signing rights, so the request
# still has to be approved by someone (or something) else.
# NOTE(review): presumably used by the `-generate-tls` init container to
# obtain the webhook serving certificate - confirm against the operator docs.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: redis-enterprise-admission
rules:
  - apiGroups:
      - certificates.k8s.io
    resources:
      - certificatesigningrequests
    verbs:
      - create
      - watch
---
# Namespaced permissions for the admission controller's ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: redis-enterprise-admission
rules:
  # NOTE(review): the wildcard verb lets this identity read, modify and
  # delete every Secret in the namespace, not only its own TLS material.
  # If the controller only manages one secret (not visible here - confirm),
  # narrow the verbs and add `resourceNames`.
  - apiGroups:
      - ''
    resources:
      - secrets
    verbs:
      - '*'
  # NOTE(review): full control over every resource in the Redis Enterprise
  # API group. A validating webhook usually needs read access at most;
  # verify what the admission binary actually calls before tightening.
  - apiGroups:
      - app.redislabs.com
    resources:
      - '*'
    verbs:
      - '*'
---
# Grants the namespaced Role to the admission ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: redis-enterprise-admission
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: redis-enterprise-admission
subjects:
  # No namespace on the subject: for a RoleBinding the ServiceAccount is
  # resolved in the binding's own namespace.
  - kind: ServiceAccount
    name: redis-enterprise-admission
---
# Grants the cluster-scoped CSR permissions to the admission ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: redis-enterprise-admission
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: redis-enterprise-admission
subjects:
  - kind: ServiceAccount
    name: redis-enterprise-admission
    # Placeholder: replace with the namespace the ServiceAccount was created
    # in. Left as-is, the binding refers to a subject that does not exist and
    # grants nothing.
    namespace: NAMESPACE_OF_SERVICE_ACCOUNT
---
# Stable in-cluster endpoint the API server calls for admission reviews.
apiVersion: v1
kind: Service
metadata:
  name: admission
spec:
  # Routes to pods carrying the admission controller's label.
  selector:
    app: redb-admission
  ports:
    # 443 is exposed on the Service; traffic is forwarded to 8443 on the pod.
    - protocol: TCP
      port: 443
      targetPort: 8443
---
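# Runs the admission controller that backs the validating webhook.
# No `replicas` is set, so a single pod is scheduled by default.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: admission-deploy
spec:
  selector:
    matchLabels:
      app: redb-admission
  template:
    metadata:
      labels:
        app: redb-admission
    spec:
      # Pod runs with the RBAC permissions bound to this ServiceAccount.
      serviceAccountName: redis-enterprise-admission
      # NOTE(review): no securityContext is declared for the pod or its
      # containers; the effective user and capabilities come from the
      # cluster's defaults (on OpenShift, the SCC the ServiceAccount is
      # admitted under). Confirm that is a restricted profile.
      initContainers:
        # Runs the admission binary with `-generate-tls` before the main
        # container starts.
        # NOTE(review): presumably creates the key pair, submits the CSR and
        # stores the result in a Secret - inferred from the flag name and the
        # RBAC rules in this bundle; confirm.
        - name: admin-init
          # NOTE(review): referenced by tag only; consider pinning by digest
          # so the pulled image cannot change under the same tag.
          image: redislabs/operator:6.0.6-24
          imagePullPolicy: Always
          command:
            - /usr/local/bin/admission
          args:
            - '-generate-tls'
            - '-v=1'
          env:
            # Downward-API values describing the pod itself.
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: POD_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
          resources:
            limits:
              cpu: 2000m
              memory: 256Mi
            requests:
              cpu: 100m
              memory: 256Mi
      containers:
        - name: admin
          image: redislabs/operator:6.0.6-24
          imagePullPolicy: Always
          command:
            - /usr/local/bin/admission
          args:
            - '-v=0'
          ports:
            # Was 443. The readiness probe below hits 8443 over HTTPS, so the
            # declared port is aligned with that. containerPort is
            # informational only; the listener itself is unchanged.
            - containerPort: 8443
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          resources:
            limits:
              cpu: 100m
              memory: 512Mi
            requests:
              cpu: 25m
              memory: 256Mi
          # The pod only receives webhook traffic once /healthz answers over
          # TLS on 8443.
          readinessProbe:
            httpGet:
              scheme: HTTPS
              port: 8443
              path: /healthz
            periodSeconds: 30
            timeoutSeconds: 10
            successThreshold: 1
            failureThreshold: 3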
---
# Registers the admission Service as a validating webhook for
# RedisEnterpriseDatabase objects.
# NOTE(review): admissionregistration.k8s.io/v1beta1 was removed in
# Kubernetes 1.22. Moving to v1 also requires a `sideEffects` value, so check
# the target cluster version and the webhook's behaviour before switching.
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
  name: redb-admission
webhooks:
  - name: redb.admission.redislabs
    # Fail closed: if the webhook cannot be reached or errors out, the
    # request is rejected rather than admitted unvalidated. The cost is that
    # every matching operation is blocked while the backend is unavailable.
    failurePolicy: Fail
    admissionReviewVersions:
      - v1beta1
    rules:
      # Every operation on redisenterprisedatabases (v1alpha1) is reviewed.
      - apiGroups:
          - app.redislabs.com
        apiVersions:
          - v1alpha1
        resources:
          - redisenterprisedatabases
        operations:
          - '*'
    clientConfig:
      service:
        # Placeholder: replace with the namespace the admission Service and
        # ServiceAccount were deployed to.
        namespace: NAMESPACE_OF_SERVICE_ACCOUNT
        name: admission
        path: /admission
      # Fill in with the base64-encoded signed certificate. While this is
      # empty the API server falls back to its system trust roots to verify
      # the webhook's TLS certificate; if that fails, failurePolicy above
      # rejects the matching requests.
      caBundle: ""
---