release: update manifests for v0.1.0 (#47)

Signed-off-by: Anish Ramasekar <[email protected]>
Azure · May 28, 2021 · b8e06ef · b8e06ef
1 parent e6288dc
commit b8e06ef
Show file tree

Hide file tree

Showing 5 changed files with 167 additions and 6 deletions.
diff --git a/Makefile b/Makefile
@@ -1,4 +1,4 @@
-REGISTRY ?= docker.pkg.github.com/azure/aad-pod-managed-identity
+REGISTRY ?= mcr.microsoft.com/oss/azure/aad-pod-managed-identity
 PROXY_IMAGE_NAME := proxy
 INIT_IMAGE_NAME := proxy-init
 WEBHOOK_IMAGE_NAME := webhook

diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml
@@ -4,8 +4,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 images:
 - name: manager
-  newName: docker.pkg.github.com/azure/aad-pod-managed-identity/webhook
-  newTag: latest
+  newName: mcr.microsoft.com/oss/azure/aad-pod-managed-identity/webhook
+  newTag: v0.1.0
 configMapGenerator:
 - literals:
   - AZURE_TENANT_ID="${AZURE_TENANT_ID}"

diff --git a/deploy/aad-pi-webhook.yaml b/deploy/aad-pi-webhook.yaml
@@ -0,0 +1,161 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    control-plane: controller-manager
+  name: aad-pi-webhook-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  creationTimestamp: null
+  name: aad-pi-webhook-manager-role
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - serviceaccounts
+  verbs:
+  - create
+  - get
+  - list
+  - patch
+  - update
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: aad-pi-webhook-manager-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: aad-pi-webhook-manager-role
+subjects:
+- kind: ServiceAccount
+  name: default
+  namespace: aad-pi-webhook-system
+---
+apiVersion: v1
+data:
+  AZURE_ENVIRONMENT: <replace with Azure Environment Name>
+  AZURE_TENANT_ID: <replace with Azure Tenant ID>
+kind: ConfigMap
+metadata:
+  name: aad-pi-webhook-config
+  namespace: aad-pi-webhook-system
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: aad-pi-webhook-webhook-service
+  namespace: aad-pi-webhook-system
+spec:
+  ports:
+  - port: 443
+    targetPort: 9443
+  selector:
+    control-plane: controller-manager
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    control-plane: controller-manager
+  name: aad-pi-webhook-controller-manager
+  namespace: aad-pi-webhook-system
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      control-plane: controller-manager
+  template:
+    metadata:
+      labels:
+        control-plane: controller-manager
+    spec:
+      containers:
+      - args:
+        - -arc-cluster=false
+        command:
+        - /manager
+        envFrom:
+        - configMapRef:
+            name: aad-pi-webhook-config
+        image: mcr.microsoft.com/oss/azure/aad-pod-managed-identity/webhook:v0.1.0
+        imagePullPolicy: IfNotPresent
+        name: manager
+        ports:
+        - containerPort: 9443
+          name: webhook-server
+          protocol: TCP
+        resources:
+          limits:
+            cpu: 100m
+            memory: 30Mi
+          requests:
+            cpu: 100m
+            memory: 20Mi
+        volumeMounts:
+        - mountPath: /tmp/k8s-webhook-server/serving-certs
+          name: cert
+          readOnly: true
+      nodeSelector:
+        kubernetes.io/os: linux
+      volumes:
+      - name: cert
+        secret:
+          defaultMode: 420
+          secretName: webhook-server-cert
+---
+apiVersion: cert-manager.io/v1alpha2
+kind: Certificate
+metadata:
+  name: aad-pi-webhook-serving-cert
+  namespace: aad-pi-webhook-system
+spec:
+  dnsNames:
+  - aad-pi-webhook-webhook-service.aad-pi-webhook-system.svc
+  - aad-pi-webhook-webhook-service.aad-pi-webhook-system.svc.cluster.local
+  issuerRef:
+    kind: Issuer
+    name: aad-pi-webhook-selfsigned-issuer
+  secretName: webhook-server-cert
+---
+apiVersion: cert-manager.io/v1alpha2
+kind: Issuer
+metadata:
+  name: aad-pi-webhook-selfsigned-issuer
+  namespace: aad-pi-webhook-system
+spec:
+  selfSigned: {}
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from: aad-pi-webhook-system/aad-pi-webhook-serving-cert
+  name: aad-pi-webhook-mutating-webhook-configuration
+webhooks:
+- admissionReviewVersions:
+  - v1
+  - v1beta1
+  clientConfig:
+    service:
+      name: aad-pi-webhook-webhook-service
+      namespace: aad-pi-webhook-system
+      path: /mutate-v1-pod
+  failurePolicy: Ignore
+  matchPolicy: Equivalent
+  name: mpod.aad-pod-identity.io
+  rules:
+  - apiGroups:
+    - ""
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - pods
+  sideEffects: None
diff --git a/examples/pod-with-init-container.yml b/examples/pod-with-init-container.yml
@@ -8,7 +8,7 @@ spec:
   serviceAccountName: old-sa
   initContainers:
   - name: init-networking
-    image: docker.pkg.github.com/azure/aad-pod-managed-identity/proxy-init:latest
+    image: mcr.microsoft.com/oss/azure/aad-pod-managed-identity/proxy-init:v0.1.0
     imagePullPolicy: Always
     securityContext:
       capabilities:
@@ -21,7 +21,7 @@ spec:
     ports:
     - containerPort: 80
   - name: proxy
-    image: docker.pkg.github.com/azure/aad-pod-managed-identity/proxy:latest
+    image: mcr.microsoft.com/oss/azure/aad-pod-managed-identity/proxy:v0.1.0
     imagePullPolicy: Always
     ports:
     - containerPort: 8000
diff --git a/manifest_staging/deploy/aad-pi-webhook.yaml b/manifest_staging/deploy/aad-pi-webhook.yaml
@@ -82,7 +82,7 @@ spec:
         envFrom:
         - configMapRef:
             name: aad-pi-webhook-config
-        image: docker.pkg.github.com/azure/aad-pod-managed-identity/webhook:latest
+        image: mcr.microsoft.com/oss/azure/aad-pod-managed-identity/webhook:v0.1.0
         imagePullPolicy: IfNotPresent
         name: manager
         ports: