Merge pull request #1 from RedisLabs/master

aaa

Author: yuvallevy2

README.md

@@ -0,0 +1,157 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: redis-enterprise-admission
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: redis-enterprise-admission
+rules:
+  - apiGroups: ["certificates.k8s.io"]
+    resources: ["certificatesigningrequests"]
+    verbs: ["create", "watch"]
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: redis-enterprise-admission
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["*"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: redis-enterprise-admission
+subjects:
+- kind: ServiceAccount
+  name: redis-enterprise-admission
+roleRef:
+  kind: Role
+  name: redis-enterprise-admission
+  apiGroup: rbac.authorization.k8s.io
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: redis-enterprise-admission
+subjects:
+- kind: ServiceAccount
+  namespace: NAMESPACE_OF_SERVICE_ACCOUNT
+  name: redis-enterprise-admission
+roleRef:
+  kind: ClusterRole
+  name: redis-enterprise-admission
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: admission
+spec:
+  ports:
+  - port: 443
+    protocol: TCP
+    targetPort: 8443
+  selector:
+    app: redb-admission
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: admission-deploy
+spec:
+  selector:
+    matchLabels:
+      app: redb-admission
+  template:
+    metadata:
+      labels:
+        app: redb-admission
+    spec:
+      serviceAccountName: redis-enterprise-admission
+      containers:
+      - name: admin
+        image: redislabs/operator:6.0.6-11
+        command:
+        - /usr/local/bin/admission
+        args:
+        - '-v=0'
+        imagePullPolicy: Always
+        ports:
+        - containerPort: 443
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        resources:
+          limits:
+            cpu: 100m
+            memory: 512Mi
+          requests:
+            cpu: 25m
+            memory: 256Mi
+        readinessProbe:
+          failureThreshold: 3
+          successThreshold: 1
+          periodSeconds: 30
+          timeoutSeconds: 10
+          httpGet:
+            path: /healthz
+            port: 8443
+            scheme: HTTPS
+      initContainers:
+      - name: admin-init
+        image: redislabs/operator:6.0.6-11
+        command:
+        - /usr/local/bin/admission
+        args:
+        - '-generate-tls'
+        - '-v=1'
+        imagePullPolicy: Always
+        env:
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+                fieldPath: metadata.namespace
+        - name: POD_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        resources:
+          limits:
+            cpu: 2000m
+            memory: 256Mi
+          requests:
+            cpu: 100m
+            memory: 256Mi
+
+---
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: redb-admission
+webhooks:
+- name: redb.admission.redislabs
+  failurePolicy: Fail
+  rules:
+  - apiGroups:   ["app.redislabs.com"]
+    apiVersions: ["v1alpha1"]
+    operations:  ["*"]
+    resources:   ["redisenterprisedatabases"]
+  clientConfig:
+    service:
+      namespace: NAMESPACE_OF_SERVICE_ACCOUNT
+      name: admission
+      path: /admission
+    caBundle: "" # Fill in with BASE64 encoded signed cert
+  admissionReviewVersions: ["v1beta1"]
+---

admission.bundle.yaml

@@ -0,0 +1,157 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: redis-enterprise-admission
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: redis-enterprise-admission
+rules:
+  - apiGroups: ["certificates.k8s.io"]
+    resources: ["certificatesigningrequests"]
+    verbs: ["create", "watch"]
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: redis-enterprise-admission
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["*"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: redis-enterprise-admission
+subjects:
+- kind: ServiceAccount
+  name: redis-enterprise-admission
+roleRef:
+  kind: Role
+  name: redis-enterprise-admission
+  apiGroup: rbac.authorization.k8s.io
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: redis-enterprise-admission
+subjects:
+- kind: ServiceAccount
+  namespace: NAMESPACE_OF_SERVICE_ACCOUNT
+  name: redis-enterprise-admission
+roleRef:
+  kind: ClusterRole
+  name: redis-enterprise-admission
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: admission
+spec:
+  ports:
+  - port: 443
+    protocol: TCP
+    targetPort: 8443
+  selector:
+    app: redb-admission
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: admission-deploy
+spec:
+  selector:
+    matchLabels:
+      app: redb-admission
+  template:
+    metadata:
+      labels:
+        app: redb-admission
+    spec:
+      serviceAccountName: redis-enterprise-admission
+      containers:
+      - name: admin
+        image: redislabs/operator:6.0.6-11.rhel7
+        command:
+        - /usr/local/bin/admission
+        args:
+        - '-v=0'
+        imagePullPolicy: Always
+        ports:
+        - containerPort: 443
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        resources:
+          limits:
+            cpu: 100m
+            memory: 512Mi
+          requests:
+            cpu: 25m
+            memory: 256Mi
+        readinessProbe:
+          failureThreshold: 3
+          successThreshold: 1
+          periodSeconds: 30
+          timeoutSeconds: 10
+          httpGet:
+            path: /healthz
+            port: 8443
+            scheme: HTTPS
+      initContainers:
+      - name: admin-init
+        image: redislabs/operator:6.0.6-11.rhel7
+        command:
+        - /usr/local/bin/admission
+        args:
+        - '-generate-tls'
+        - '-v=1'
+        imagePullPolicy: Always
+        env:
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+                fieldPath: metadata.namespace
+        - name: POD_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        resources:
+          limits:
+            cpu: 2000m
+            memory: 256Mi
+          requests:
+            cpu: 100m
+            memory: 256Mi
+
+---
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: redb-admission
+webhooks:
+- name: redb.admission.redislabs
+  failurePolicy: Fail
+  rules:
+  - apiGroups:   ["app.redislabs.com"]
+    apiVersions: ["v1alpha1"]
+    operations:  ["*"]
+    resources:   ["redisenterprisedatabases"]
+  clientConfig:
+    service:
+      namespace: NAMESPACE_OF_SERVICE_ACCOUNT
+      name: admission
+      path: /admission
+    caBundle: "" # Fill in with BASE64 encoded signed cert
+  admissionReviewVersions: ["v1beta1"]
+---