This repository has been archived by the owner on Jul 18, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 5
/
tls.yaml
167 lines (167 loc) · 7.27 KB
/
tls.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
---
# Application
apiVersion: apps/v1
kind: Deployment
metadata:
name: label-rules-webhook
labels:
app: label-rules-webhook
spec:
replicas: 1
selector:
matchLabels:
app: label-rules-webhook
template:
metadata:
labels:
app: label-rules-webhook
spec:
containers:
- name: label-rules-webhook
image: circa10a/k8s-label-rules-webhook
env:
- name: TLS_ENABLED
value: "true"
- name: TLS_CERT
value: "/domain.crt"
- name: TLS_KEY
value: "/domain.key"
volumeMounts:
- name: webhook-config
mountPath: /rules.yaml
subPath: rules.yaml
- name: webhook-config
mountPath: /domain.crt
subPath: domain.crt
- name: webhook-config
mountPath: /domain.key
subPath: domain.key
readinessProbe:
httpGet:
scheme: HTTPS
path: /rules
port: gin-port
initialDelaySeconds: 5
periodSeconds: 15
livenessProbe:
httpGet:
scheme: HTTPS
path: /rules
port: gin-port
initialDelaySeconds: 5
periodSeconds: 15
ports:
- name: gin-port
containerPort: 8443
volumes:
- name: webhook-config
configMap:
name: webhook-config
---
apiVersion: v1
kind: ConfigMap
metadata:
name: webhook-config
data:
rules.yaml: |
rules:
- name: require-phone-number
key: phone-number
value:
regex: "[0-9]{3}-[0-9]{3}-[0-9]{4}"
- name: require-number
key: number
value:
regex: "[0-1]{1}"
domain.crt: |
-----BEGIN CERTIFICATE-----
MIIDoTCCAomgAwIBAgIUMqO3QXM/IwLRjP0c1CUPfyUg+DIwDQYJKoZIhvcNAQEL
BQAwFTETMBEGA1UEAxMKa3ViZXJuZXRlczAeFw0yMDA1MDMxNjM1MDBaFw0yMTA1
MDMxNjM1MDBaMDIxMDAuBgNVBAMTJ2xhYmVsLXJ1bGVzLXdlYmhvb2stc2Vydmlj
ZS5kZWZhdWx0LnN2YzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMPD
o58SQtO5Hn5OdSqUE9bp/ESHbKw+6OH9xEzBzrdYn+ApFEh4mTIlT5k9KNacSA8f
DFqsECJocVs/QMr5e+y3cB8gGw9dLADzeK4qwlXz6tnE7ONhu41WJTh7np/8isV4
an6ZvhZE8diBMUA+bdfEf9YhiFLqVmX6O1u6lXh4u/LeR4Gw3lpxJlQhUTKbrnt1
+i3Irfpg/XAkEy74/q1kR1eWLxHNgc/Gm6w91Vs/nOvA0bzq9WUKEKr0kfQpw83q
O0shDJUVyR5QURwahWNvP164YDFur+QsjhteZ4mRRMdEXer10XECIl+sYKK1kTrE
Cp0V3bcaQ4ClhgjIrj0CAwEAAaOByzCByDAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0l
BAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUkZpJ33xE3zBR
K4bRXCgFeCx7hjswdAYDVR0RBG0wa4IbbGFiZWwtcnVsZXMtd2ViaG9vay1zZXJ2
aWNlgiNsYWJlbC1ydWxlcy13ZWJob29rLXNlcnZpY2UuZGVmYXVsdIInbGFiZWwt
cnVsZXMtd2ViaG9vay1zZXJ2aWNlLmRlZmF1bHQuc3ZjMA0GCSqGSIb3DQEBCwUA
A4IBAQCRSart/C14G0g2tM2I2kdI2wVBgYmZnbEHlXOtTcT39ASnk+pCV5vrc0go
HFj4ThTIWaPlKQU2cNgogcR37g2f+/1CKcMYgehY6flMFLavJTm4k+nDCwXRQWzG
l8GF7WZ5mEuaYwS/2NN0tqc3vgk7PYpXIuWl+v1j/z8reD1Qf5Xe8F5Ic0FIxm1x
wgV80oMsAzvlieilWUmetUiWRmp0pec5kTQcSAEeCh7euSng9faKmqK5u5vTq10i
DNpR4O83nm7Bv2a53ciJeoQNuBCYgJiNUaYRlffMToYgBSmZ87YF8PBsOanSLCBL
7lgZIMamKQe5Uuta143ZauN64KEO
-----END CERTIFICATE-----
domain.key: |
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAw8OjnxJC07kefk51KpQT1un8RIdsrD7o4f3ETMHOt1if4CkU
SHiZMiVPmT0o1pxIDx8MWqwQImhxWz9Ayvl77LdwHyAbD10sAPN4rirCVfPq2cTs
42G7jVYlOHuen/yKxXhqfpm+FkTx2IExQD5t18R/1iGIUupWZfo7W7qVeHi78t5H
gbDeWnEmVCFRMpuue3X6Lcit+mD9cCQTLvj+rWRHV5YvEc2Bz8abrD3VWz+c68DR
vOr1ZQoQqvSR9CnDzeo7SyEMlRXJHlBRHBqFY28/XrhgMW6v5CyOG15niZFEx0Rd
6vXRcQIiX6xgorWROsQKnRXdtxpDgKWGCMiuPQIDAQABAoIBAQC552POf+zuWvHW
SHODx7M/eFyUR3av694EHpT3v2SrQIIywU/9smjo8f2xLB9IDolvsrBsutFnm39q
g5roJhvFJD5ZkIeiA3zyOkP0Qa7jKQtxWk0LcZhGE/SsuthcXdr6w+t95kpZo4d3
bthyhdaR/IzZsGZhNyBtH0CXT4z6JSH3mCPaacjxa7mKpqJKJc+hrQyAutHHldJk
vNtYUZ3un6V95JoQfBwfwD6pKx/UGkAT1HiJBbItpCZOZDesSi1gIakEAqCXthj+
cwK1OLj9/tI2lv49WifcAZGVq/UjJdkyqwjMvdc9dhYeyQ96gF4bsLdijyOno4E+
FcV3PYgBAoGBAPh13VxvBMmzuFwhcN7mNNBn8bHNp5uYKCTLTqyTZ+Pt9EMA66v+
NSEIeX/Ce9Tw3jc8ELJhxO8ZMORlcEQps4h82DVyESURoR+27btvfc2UsWe7jW74
uJdgg7BRg7t9iODY00nTW0SJ1X0IRFYt4geuu8rMLn61JqJJ9mbEVXu9AoGBAMm0
aQnMLbylDqo4FdQ+L4K2SdS3byqPeIeVWpumIEHS6XnorqiR0UnG8A34n9tESDTH
Jf5tLCHTYfexMdBhVTPi++eVQjuuE16Jxdw+DAiEbABz5FIIUefJXgNKBUZq28Rc
/ef7NeeIIi7jnCw0S9v2XAz+gKSPxJGxAOGlFeSBAoGAcCF5YoL0DTefx2yMLPyF
71xJ1u2ya+UykNB0VCw+Yb59U1PyCHA0eBEEDGWwTzzZfOINwwOexi1/RESHcyvC
y6FUTmKJXEplhhOfnMzHYOVvXxpkzSVQ4Xh8VjGjmxUfliIk0RejA/6Uq9X0SVRx
wvfX5sFZZnPI2Ms6ecy3q50CgYABazh17i7ALfUNc3mL1agl5jxct7GbfgjeA0nw
4FlHvUERL3bTDruHJlQX9RDCzRco7+GviXsO/dqpkGCGU7jytX0KIv2lR9MxDg0L
QJB7GttboXUQsqhI1hzILyQcW7ISDolmsViuuUFsTQOTOAb0lCYPnVawUaaTU8hq
zet6gQKBgQD0Y1G2gkRhCN/6H2wYou1g8eqfJp/e1Aeoo45Fe4IeBcTzg8uCx/PP
rWP7g4rowD9+r7BTV4XVgcvVljG3XxcKhBe+k4x3Hq/4Ji6htYCgKUSus8qwlz1V
D7Bh+rBrPBgSBsPwrYL2MFVtMbWxzgohfGjcttx6eqTZAyO/RtHLaA==
-----END RSA PRIVATE KEY-----
# Service
---
apiVersion: v1
kind: Service
metadata:
name: label-rules-webhook-service
spec:
selector:
app: label-rules-webhook
ports:
- protocol: TCP
port: 8443
targetPort: gin-port
type: NodePort
# Webhook
---
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
name: label-rules-webhook
webhooks:
- name: my.application.domain
clientConfig:
caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURvVENDQW9tZ0F3SUJBZ0lVTXFPM1FYTS9Jd0xSalAwYzFDVVBmeVVnK0RJd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0ZURVRNQkVHQTFVRUF4TUthM1ZpWlhKdVpYUmxjekFlRncweU1EQTFNRE14TmpNMU1EQmFGdzB5TVRBMQpNRE14TmpNMU1EQmFNREl4TURBdUJnTlZCQU1USjJ4aFltVnNMWEoxYkdWekxYZGxZbWh2YjJzdGMyVnlkbWxqClpTNWtaV1poZFd4MExuTjJZekNDQVNJd0RRWUpLb1pJaHZjTkFRRUJCUUFEZ2dFUEFEQ0NBUW9DZ2dFQkFNUEQKbzU4U1F0TzVIbjVPZFNxVUU5YnAvRVNIYkt3KzZPSDl4RXpCenJkWW4rQXBGRWg0bVRJbFQ1azlLTmFjU0E4ZgpERnFzRUNKb2NWcy9RTXI1ZSt5M2NCOGdHdzlkTEFEemVLNHF3bFh6NnRuRTdPTmh1NDFXSlRoN25wLzhpc1Y0CmFuNlp2aFpFOGRpQk1VQStiZGZFZjlZaGlGTHFWbVg2TzF1NmxYaDR1L0xlUjRHdzNscHhKbFFoVVRLYnJudDEKK2kzSXJmcGcvWEFrRXk3NC9xMWtSMWVXTHhITmdjL0dtNnc5MVZzL25PdkEwYnpxOVdVS0VLcjBrZlFwdzgzcQpPMHNoREpVVnlSNVFVUndhaFdOdlAxNjRZREZ1citRc2podGVaNG1SUk1kRVhlcjEwWEVDSWwrc1lLSzFrVHJFCkNwMFYzYmNhUTRDbGhnaklyajBDQXdFQUFhT0J5ekNCeURBT0JnTlZIUThCQWY4RUJBTUNCYUF3RXdZRFZSMGwKQkF3d0NnWUlLd1lCQlFVSEF3RXdEQVlEVlIwVEFRSC9CQUl3QURBZEJnTlZIUTRFRmdRVWtacEozM3hFM3pCUgpLNGJSWENnRmVDeDdoanN3ZEFZRFZSMFJCRzB3YTRJYmJHRmlaV3d0Y25Wc1pYTXRkMlZpYUc5dmF5MXpaWEoyCmFXTmxnaU5zWVdKbGJDMXlkV3hsY3kxM1pXSm9iMjlyTFhObGNuWnBZMlV1WkdWbVlYVnNkSUluYkdGaVpXd3QKY25Wc1pYTXRkMlZpYUc5dmF5MXpaWEoyYVdObExtUmxabUYxYkhRdWMzWmpNQTBHQ1NxR1NJYjNEUUVCQ3dVQQpBNElCQVFDUlNhcnQvQzE0RzBnMnRNMkkya2RJMndWQmdZbVpuYkVIbFhPdFRjVDM5QVNuaytwQ1Y1dnJjMGdvCkhGajRUaFRJV2FQbEtRVTJjTmdvZ2NSMzdnMmYrLzFDS2NNWWdlaFk2ZmxNRkxhdkpUbTRrK25EQ3dYUlFXekcKbDhHRjdXWjVtRXVhWXdTLzJOTjB0cWMzdmdrN1BZcFhJdVdsK3Yxai96OHJlRDFRZjVYZThGNUljMEZJeG0xeAp3Z1Y4MG9Nc0F6dmxpZWlsV1VtZXRVaVdSbXAwcGVjNWtUUWNTQUVlQ2g3ZXVTbmc5ZmFLbXFLNXU1dlRxMTBpCkROcFI0Tzgzbm03QnYyYTUzY2lKZW9RTnVCQ1lnSmlOVWFZUmxmZk1Ub1lnQlNtWjg3WUY4UEJzT2FuU0xDQkwKN2xnWklNYW1LUWU1VXV0YTE0M1phdU42NEtFTwotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
service:
namespace: "default"
name: "label-rules-webhook-service"
port: 8443
rules:
- operations:
- "CREATE"
- "UPDATE"
apiGroups:
- "apps"
apiVersions:
- "v1"
- "v1beta1"
resources:
- "deployments"
- "replicasets"
failurePolicy: Fail