Ajay tripathy multins support (kubecost#1999)

* commit removal of budget controller file

* fix namespace scoping issue, use unexpiring cert

* add NS rules back

* add script for multi namespace support

cost-analyzer/scripts/create-admission-controller-tls.sh

@@ -0,0 +1,24 @@
+#!/bin/bash
+
+namespace=$1
+if [ "$namespace" == "" ]; then
+  namespace=kubecost
+fi
+
+DIRECTORY=$(cd `dirname $0` && pwd)
+
+echo "Creating certificates"
+mkdir certs
+openssl genrsa -out certs/tls.key 2048
+openssl req -new -key certs/tls.key -out certs/tls.csr -subj "/CN=webhook-server.$namespace.svc"
+openssl x509 -req -days 500 -extfile <(printf "subjectAltName=DNS:webhook-server.$namespace.svc") -in certs/tls.csr -signkey certs/tls.key -out certs/tls.crt
+
+echo "Creating Webhook Server TLS Secret"
+kubectl create secret tls webhook-server-tls \
+    --cert "certs/tls.crt" \
+    --key "certs/tls.key" -n $namespace
+
+
+echo "Updating values.yaml"
+ENCODED_CA=$(cat certs/tls.crt | base64 | tr -d '\n')
+sed -i 's@${CA_BUNDLE}@'"$ENCODED_CA"'@g' ../values.yaml

cost-analyzer/templates/cost-analyzer-deployment-template.yaml

@@ -192,6 +192,20 @@ spec:
               path: kc.key
         {{- end }}
         {{- end }}
+        {{- if .Values.kubecostAdmissionController }}
+        {{- if .Values.kubecostAdmissionController.enabled }}
+        {{- if .Values.kubecostAdmissionController.secretName }}
+        - name: webhook-server-tls
+          secret:
+            secretName: {{ .Values.kubecostAdmissionController.secretName }}
+            items:
+            - key: tls.crt
+              path: tls.crt
+            - key: tls.key
+              path: tls.key
+        {{- end }}
+        {{- end }}
+        {{- end }}
         {{- if .Values.saml }}
         {{- if .Values.saml.enabled }}
         {{- if .Values.saml.secretName }}
@@ -404,6 +418,14 @@ spec:
               mountPath: /var/configs/etl/federated
               readOnly: true
             {{- end }}
+            {{- if .Values.kubecostAdmissionController }}
+            {{- if .Values.kubecostAdmissionController.enabled }}
+            {{- if .Values.kubecostAdmissionController.secretName }}
+            - name: {{ .Values.kubecostAdmissionController.secretName }}
+              mountPath: /certs
+            {{- end }}
+            {{- end }}
+            {{- end }}
             {{- if .Values.federatedETL }}
             {{- if .Values.federatedETL.federator.enabled }}
             - name: federator-config

cost-analyzer/templates/kubecost-admission-controller-service-template.yaml

@@ -4,7 +4,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: webhook-server
-  namespace: kubecost
+  namespace: {{.Release.Namespace}}
 spec:
   selector:
     {{ include "cost-analyzer.selectorLabels" . | nindent 4 }}

cost-analyzer/templates/kubecost-admission-controller-template.yaml

@@ -7,11 +7,6 @@ metadata:
 webhooks:
   - name: "kubecost-deployment-validation.kubecost.svc"
     failurePolicy: Ignore
-    namespaceSelector:
-      matchExpressions:
-        - key: kubernetes.io/metadata.name
-          operator: In
-          values: [ "kubecost" ]
     rules:
       - operations: [ "CREATE", "UPDATE" ]
         apiGroups: [ "apps" ]
@@ -20,10 +15,14 @@ webhooks:
         scope: "*"
     clientConfig:
       service:
-        namespace: kubecost
+        namespace: {{.Release.Namespace}}
         name: webhook-server
         path: "/validate"
+    {{- if .Values.kubecostAdmissionController.caBundle }}
+      caBundle: {{ .Values.kubecostAdmissionController.caBundle }}
+    {{- else }}
       caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURCRENDQWV5Z0F3SUJBZ0lVR3E2YkdOaEowVjRsb0NiWHhUa0pocWkwUnB3d0RRWUpLb1pJaHZjTkFRRUwKQlFBd0pqRWtNQ0lHQTFVRUF3d2JkMlZpYUc5dmF5MXpaWEoyWlhJdWEzVmlaV052YzNRdWMzWmpNQjRYRFRJegpNREl3T1RFNU1UVTFNbG9YRFRJME1EWXlNekU1TVRVMU1sb3dKakVrTUNJR0ExVUVBd3diZDJWaWFHOXZheTF6ClpYSjJaWEl1YTNWaVpXTnZjM1F1YzNaak1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0MKQVFFQXpvU2JBejBhZFJTdEN3eVRPSGd2S2VuQ29GbWE2OC9nYTFHZjVST2dXeGJhamhQRTZKbEtBcENwK1pzKwo2bHJzL2J3bkx5SDdoMUFJa1NmZ25EYlNadDJjdHRFSmhSd25vKy90WElMYk84WndRQTErYXpUQzVtSkluZVF3CktRMkErYy9CUnk3N3B0SnZIRStkTEllcWhRelV2M25nWUwvSDZaMUZPa20xUCtlR0FwSWxyVHVPV1ozUVhRYkMKemhOQXppRWNjL3o3RERBdlFBMlpIQ1I2OGl1V0ptd0RYZEdjWmEwenNVb1hDbGIvWXdiWFgvMlp2dklIbkdtawp5VTlZdEhxNVpscFZjT0V5MTVBWFVEOFZVUU1jVXQ5NkJvVThMMXJKbTZJK0E0YmFySEs5QjlxcjdzRmFaY2wvCnBncHZGd0NBaHZHYUM2VzA5UnM3T0NrdXh3SURBUUFCb3lvd0tEQW1CZ05WSFJFRUh6QWRnaHQzWldKb2IyOXIKTFhObGNuWmxjaTVyZFdKbFkyOXpkQzV6ZG1Nd0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFDdVhNcUgzYmhsVApGKzlRUFplS2xiUTZlWSs0NlhMVGtEdlZzenAyZysweWhlMVNRRHZRUTVad1l6MnMwODNqb2loTXVzeFZ1TmFGCk1LdE9vbGY2bitsaUZFcEw4OU9XZ1VjdzJRdFdqVWUraU1zby91dWN0eGVPTzZLam9JcUVrUlg5YXh1cGxxVm0KakZRaGZtNlRYZ2pxWmttUVNsbHdLVkcxSFJZTkRveFpFa0JHK1l6RWF5QmdQdXl4bW5iTDdlck5IOVJQSVZtbAoxaWFnS1NVVG5vN0hJY3IwdHYzT3JEWDZRN3VJUGdWanBRSHMzNXBZSWlBYjVNR0RjWFZvY050SEZ0YnluREhzCi80WGhYMjFhOXdnSVF6dUF3ck0zQ0VDRnVocHJzWlZmQjBKQ1dBOG1aVEZneTVBL0tLUjJmTXRMRWRQS1ZsSXUKZjc1MjB3T3JzME09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
+    {{- end }}
     admissionReviewVersions: ["v1"]
     sideEffects: None
     timeoutSeconds: 5

cost-analyzer/values.yaml

@@ -956,3 +956,8 @@ kubecostAdmissionController:
 #    mountPath: "/some/custom/path/productkey.json" # (use instead of secretname) declare the path at which the product key file is mounted (eg. by a secrets provisioner). The file must be of format { "key": "kc-b1325234" }
 #  cloudIntegrationSecret: "cloud-integration"
 #  ingestPodUID: false # Enables using UIDs to uniquely ID pods. This requires either Kubecost's replicated KSM metrics, or KSM v2.1.0+. This may impact performance, and changes the default cost-model allocation behavior.
+
+#kubecostAdmissionController:
+#  enabled: true
+#  secretName: webhook-server-tls
+#  caBundle: ${CA_BUNDLE}