Add stackit-pod-identity-webhook image and configuration#53
Add stackit-pod-identity-webhook image and configuration#53
Conversation
|
Skipping CI for Draft Pull Request. |
ske-prow
bot
added
kind/enhancement
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
ske-prow
bot
added
the
size/L
jastBytes
force-pushed
the
feat/STACKITSKE-6021-pod-identity-webhook
branch
2 times, most recently
from
fb04800 to
6d649ce
Compare
ske-prow
bot
removed
the
do-not-merge/work-in-progress
ske-prow
bot
added
the
do-not-merge/work-in-progress
|
Oops, accidentally marked this PR as ready for review, sorry about that. |
timebertt
left a comment
timebertt
left a comment
There was a problem hiding this comment.
Thanks for the PR, looking forward to this feature :)
charts/internal/seed-controlplane/charts/stackit-pod-identity-webhook/templates/deployment.yaml
Outdated
Show resolved
Hide resolved
charts/internal/seed-controlplane/charts/stackit-pod-identity-webhook/templates/deployment.yaml
Outdated
Show resolved
Hide resolved
charts/internal/seed-controlplane/charts/stackit-pod-identity-webhook/templates/deployment.yaml
Outdated
Show resolved
Hide resolved
charts/internal/seed-controlplane/charts/stackit-pod-identity-webhook/templates/deployment.yaml
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Pull request overview
This PR introduces a new STACKIT Pod Identity Webhook component and wires it into the extension’s seed control-plane and shoot system components charts/values so that workload identity can be enforced via a mutating admission webhook.
Changes:
- Add a new
stackit-pod-identity-webhookimage entry and image name constant. - Add new Helm charts for the webhook (seed-controlplane: Deployment/Service/RBAC/PDB; shoot-system-components: MutatingWebhookConfiguration).
- Extend the controlplane values provider and tests to generate TLS/CA-related chart values and required secrets.
Reviewed changes
Copilot reviewed 16 out of 16 changed files in this pull request and generated 8 comments.
Show a summary per file
| File | Description |
|---|---|
| pkg/stackit/types.go | Adds a constant for the webhook name. |
| pkg/controller/controlplane/valuesprovider.go | Generates webhook TLS secret config and passes chart values for seed + shoot charts. |
| pkg/controller/controlplane/valuesprovider_test.go | Extends expected chart values and fake secrets for the new component. |
| imagevector/images.yaml | Adds the webhook image (repo/tag+digest). |
| imagevector/images.go | Adds ImageNameStackitPodIdentityWebhook. |
| charts/internal/shoot-system-components/charts/stackit-pod-identity-webhook/* | New shoot chart for MutatingWebhookConfiguration. |
| charts/internal/seed-controlplane/charts/stackit-pod-identity-webhook/* | New seed chart for webhook runtime resources (Deployment/Service/RBAC/PDB). |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
charts/internal/seed-controlplane/charts/stackit-pod-identity-webhook/templates/rbac.yaml
Outdated
Show resolved
Hide resolved
...m-components/charts/stackit-pod-identity-webhook/templates/mutatingwebhookconfiguration.yaml
Outdated
Show resolved
Hide resolved
...m-components/charts/stackit-pod-identity-webhook/templates/mutatingwebhookconfiguration.yaml
Outdated
Show resolved
Hide resolved
...m-components/charts/stackit-pod-identity-webhook/templates/mutatingwebhookconfiguration.yaml
Outdated
Show resolved
Hide resolved
charts/internal/seed-controlplane/charts/stackit-pod-identity-webhook/templates/service.yaml
Outdated
Show resolved
Hide resolved
charts/internal/seed-controlplane/charts/stackit-pod-identity-webhook/values.yaml
Outdated
Show resolved
Hide resolved
jastBytes
force-pushed
the
feat/STACKITSKE-6021-pod-identity-webhook
branch
2 times, most recently
from
8e62bb2 to
6ad65f7
Compare
|
Post review changes implemented and tested via ondemand. All working now. One question open from my point of view. See comment in code. |
jastBytes
force-pushed
the
feat/STACKITSKE-6021-pod-identity-webhook
branch
from
3b068dc to
c9b9220
Compare
...m-components/charts/stackit-pod-identity-webhook/templates/mutatingwebhookconfiguration.yaml
Outdated
Show resolved
Hide resolved
…ate `EnableSTACKITWorkloadIdentity`
ske-prow
bot
removed
the
do-not-merge/work-in-progress
jastBytes
force-pushed
the
feat/STACKITSKE-6021-pod-identity-webhook
branch
from
92c143b to
cfbe8a2
Compare
|
This is finally finished. It is hidden behind a feature flag. The feature is disabled by default. Behavior of the webhook and the featureflag has been tested in an ondemand. |
charts/internal/seed-controlplane/charts/stackit-pod-identity-webhook/templates/deployment.yaml
Outdated
Show resolved
Hide resolved
...m-components/charts/stackit-pod-identity-webhook/templates/mutatingwebhookconfiguration.yaml
Outdated
Show resolved
Hide resolved
… since this is automatically added by gardener
timebertt
left a comment
timebertt
left a comment
There was a problem hiding this comment.
Awesome, this looks great. Thanks for addressing my suggestions!
charts/internal/seed-controlplane/charts/stackit-pod-identity-webhook/templates/vpa.yaml
Outdated
Show resolved
Hide resolved
charts/internal/seed-controlplane/charts/stackit-pod-identity-webhook/templates/vpa.yaml
Outdated
Show resolved
Hide resolved
charts/internal/seed-controlplane/charts/stackit-pod-identity-webhook/templates/vpa.yaml
Outdated
Show resolved
Hide resolved
charts/internal/seed-controlplane/charts/stackit-pod-identity-webhook/templates/deployment.yaml
Show resolved
Hide resolved
charts/internal/seed-controlplane/charts/stackit-pod-identity-webhook/templates/deployment.yaml
Show resolved
Hide resolved
…webhook/templates/vpa.yaml Co-authored-by: Tim Ebert <timebertt@gmail.com>
… configurations for the pod identity webhook across multiple chart components. This refinement includes several operational improvements: - Exposes an additional metrics port on the service definition. - Configures resource requests using VPA definitions, enforcing usage policies for the webhook pod. - Updates the mutating webhook configuration with a timeout and refined namespace selectivity.
…abels Adds Prometheus scraping labels and configurations for the pod identity webhook, allowing metrics exposition via standard Kubernetes service definitions..
Sets the stackit-pod-identity-webhook to permanently disabled in the values files for the seed-controlplane and the shoot-system-components.
| cpu: {{ .Values.vpa.resourcePolicy.maxAllowed.cpu }} | ||
| memory: {{ .Values.vpa.resourcePolicy.maxAllowed.memory }} | ||
| controlledValues: RequestsOnly | ||
| controlledValues: RequestsAndLimits |
There was a problem hiding this comment.
You don't set limits in the deployment 👀
| prometheus.io/scrape: "true" | ||
| prometheus.io/port: {{ .Values.metrics.port | quote }} | ||
| prometheus.io/name: "{{ .Release.Name }}" |
There was a problem hiding this comment.
I don't believe this works. Reading the code, it would need to be an annotation: https://github.com/gardener/gardener/blob/60a86001eca7145ff54b6555bcd17acea90d2933/pkg/component/observability/monitoring/prometheus/shoot/scrapeconfigs.go#L71-L138
I suggest making use of ServiceMonitor objects: https://github.com/gardener/gardener/blob/7c2403c7ed756245486d8ebbcdb6e17366f567ee/docs/extensions/logging-and-monitoring.md#servicemonitor
How to categorize this PR?
/kind enhancement
What this PR does / why we need it:
The changes introduce a new Pod Identity Webhook component for STACKIT cloud provider, adding a new chart for the webhook and its associated resources (Deployment, Service, RBAC, MutatingWebhookConfiguration). The webhook is configured to validate pod identities and enforce workload identity. The changes are integrated into the control plane and shoot system components, with proper configuration and error handling.
Special notes for your reviewer:
Breaking changes:
No breaking changes.