Initial aggregated API server (#15)

Add initial aggregated API server (squashed from a bunch of commits).

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
Signed-off-by: Aram Price <pricear@vmware.com>
Signed-off-by: Ryan Richard <richardry@vmware.com>

deploy/deployment.yaml

@@ -23,11 +23,14 @@ metadata:
     app: #@ data.values.app_name
 data:
   #@yaml/text-templated-strings
-  placeholder-config.yaml: |
+  placeholder-name.yaml: |
     webhook:
       url: (@= data.values.webhook_url @)
       caBundle: (@= data.values.webhook_ca_bundle @)
 ---
+#! TODO set up healthy, ready, etc. probes correctly for our deployment
+#! TODO set the priority-critical-urgent on our deployment to ask kube to never let it die
+#! TODO set resource minimums (e.g. 512MB RAM) on the deployment to make sure we get scheduled onto a reasonable node
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -36,7 +39,7 @@ metadata:
   labels:
     app: #@ data.values.app_name
 spec:
-  replicas: 1
+  replicas: 1 #! TODO more than one replica for high availability, and share the same serving certificate among them (maybe using client-go leader election)
   selector:
     matchLabels:
       app: #@ data.values.app_name
@@ -57,7 +60,7 @@ spec:
           command:
             - ./placeholder-name
           args:
-            - --config=/etc/config/placeholder-config.yaml
+            - --config=/etc/config/placeholder-name.yaml
             - --downward-api-path=/etc/podinfo
           volumeMounts:
             - name: config-volume

deploy/rbac.yaml

@@ -12,6 +12,9 @@ rules:
   - apiGroups: [apiregistration.k8s.io]
     resources: [apiservices]
     verbs: [create, get, list, patch, update, watch]
+  - apiGroups: [admissionregistration.k8s.io]
+    resources: [validatingwebhookconfigurations, mutatingwebhookconfigurations]
+    verbs: [get, list, watch]
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
@@ -49,3 +52,59 @@ roleRef:
   kind: Role
   name: #@ data.values.app_name + "-aggregated-api-server-role"
   apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: #@ data.values.app_name + "-loginrequests-cluster-role"
+rules:
+  - apiGroups: [placeholder.suzerain-io.github.io]
+    resources: [loginrequests]
+    verbs: [create]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: #@ data.values.app_name + "-loginrequests-cluster-role-binding"
+subjects:
+  #! both authenticated and unauthenticated requests (i.e. all requests) should be allowed
+  - kind: Group
+    name: system:authenticated
+    apiGroup: rbac.authorization.k8s.io
+  - kind: Group
+    name: system:unauthenticated
+    apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: ClusterRole
+  name: #@ data.values.app_name + "-loginrequests-cluster-role"
+  apiGroup: rbac.authorization.k8s.io
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: #@ data.values.app_name + "-service-account-cluster-role-binding"
+  namespace: #@ data.values.namespace
+subjects:
+  - kind: ServiceAccount
+    name: #@ data.values.app_name + "-service-account"
+    namespace: #@ data.values.namespace
+roleRef:
+  kind: ClusterRole
+  #! give permissions for subjectaccessreviews, tokenreview that is needed by aggregated api servers
+  name: system:auth-delegator
+  apiGroup: rbac.authorization.k8s.io
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: #@ data.values.app_name + "-extension-apiserver-authentication-reader-role-binding"
+  namespace: kube-system
+subjects:
+  - kind: ServiceAccount
+    name: #@ data.values.app_name + "-service-account"
+    namespace: #@ data.values.namespace
+roleRef:
+  kind: Role
+  #! give permissions for a special configmap of CA bundles that is needed by aggregated api servers
+  name: extension-apiserver-authentication-reader
+  apiGroup: rbac.authorization.k8s.io