GPE-1250: Created a mutating webhook to ensure daemonsets don't sched…

…ule on fargate nodes (#2577)

* GPE-1250: Created a mutating webhook to ensure daemonsets don't schedule on fargate

* GPE-1250: Created a mutating webhook to ensure daemonsets don't schedule on fargate

* GPE-1250: Created a mutating webhook to ensure daemonsets don't schedule on fargate

* Created a mutating webhook to ensure daemonsets don't schedule on fargate

* Created a mutating webhook to ensure daemonsets don't schedule on fargate

* feat(node-affinity-webhook): Updated webhook to work with certmanager

* Moved image config

* Update README.md

---------

Co-authored-by: Edward Malinowski <edwardmalinowski@Eds-MacBook-Pro.attlocal.net>

files/squid_whitelist/web_wildcard_whitelist

@@ -59,6 +59,7 @@
 .immport.org
 .jenkins.io
 .jenkins-ci.org
+.jetstack.io
 .k8s.io
 .kegg.jp
 .kidsfirstdrc.org

kube/services/node-affinity-daemonset/README.md

@@ -0,0 +1,5 @@
+# Prerequisites
+
+This service needs certmanager to work. Please install certmanager before deploying this service. Once certmanager is installed, you can deploy this service by applying the manifests in this directory.
+
+Code lives in https://github.com/uc-cdis/node-affinity-webhook/

kube/services/node-affinity-daemonset/deployment.yaml

@@ -0,0 +1,28 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: node-affinity-daemonset
+  namespace: kube-system
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: node-affinity-daemonset
+  template:
+    metadata:
+      labels:
+        app: node-affinity-daemonset
+    spec:
+      containers:
+        - name: node-affinity-daemonset
+          image: quay.io/cdis/node-affinity-daemonset:master
+          ports:
+            - containerPort: 8443
+          volumeMounts:
+            - name: webhook-certs
+              mountPath: /etc/webhook/certs
+              readOnly: true
+      volumes:
+        - name: webhook-certs
+          secret:
+            secretName: webhook-certs #pragma: allowlist secret

kube/services/node-affinity-daemonset/service.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: node-affinity-daemonset
+  namespace: kube-system
+spec:
+  ports:
+    - port: 443
+      targetPort: 8443
+  selector:
+    app: node-affinity-daemonset

kube/services/node-affinity-daemonset/webhook.yaml

@@ -0,0 +1,43 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: node-affinity-daemonset
+  cert-manager.io/inject-ca-from: kube-system/node-affinity-daemonset-cert
+webhooks:
+  - name: node-affinity-daemonset.k8s.io
+    clientConfig:
+      service:
+        name: node-affinity-daemonset
+        namespace: kube-system
+        path: "/mutate"
+    rules:
+      - operations: ["CREATE"]
+        apiGroups: ["apps"]
+        apiVersions: ["v1"]
+        resources: ["daemonsets"]
+    admissionReviewVersions: ["v1"]
+    sideEffects: None
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: node-affinity-daemonset-cert
+  namespace: kube-system
+spec:
+  secretName: webhook-certs #pragma: allowlist secret
+  dnsNames:
+  - node-affinity-daemonset.kube-system.svc
+  issuerRef:
+    name: selfsigned
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: selfsigned
+  namespace: kube-system
+spec:
+  selfSigned: {}