AliyunContainerService · l1b0k · Nov 24, 2021 · Nov 16, 2021 · Nov 18, 2021 · Nov 19, 2021
diff --git a/Dockerfile.controlplane b/Dockerfile.controlplane
@@ -16,4 +16,6 @@ FROM ubuntu:20.04
 RUN apt-get update && apt-get install -y curl jq && \
     apt-get purge --auto-remove && apt-get clean && rm -rf /var/lib/apt/lists/*
 COPY --from=builder /go/src/github.com/AliyunContainerService/terway/terway-controlplane /usr/bin/terway-controlplane
-ENTRYPOINT ["/usr/bin/terway-controlplane"]
+RUN useradd -U -u 1000 nonroot
+USER 1000
+ENTRYPOINT ["/usr/bin/terway-controlplane"]
diff --git a/charts/terway-controlplane/Chart.yaml b/charts/terway-controlplane/Chart.yaml
@@ -3,4 +3,4 @@ name: terway-controlplane
 description: Terway ControlPlane
 type: application
 version: 0.1.0
-appVersion: "1.16.0"
+appVersion: "0.1.0"
diff --git a/charts/terway-controlplane/templates/_helpers.tpl b/charts/terway-controlplane/templates/_helpers.tpl
@@ -48,7 +48,3 @@ Selector labels
 {{- define "terway-controlplane.selectorLabels" -}}
 app.kubernetes.io/name: {{ include "terway-controlplane.name" . }}
 {{- end }}
-
-{{- define "terway-controlplane.serviceAccountName" -}}
-{{- default .Chart.Name }}
-{{- end }}
diff --git a/charts/terway-controlplane/templates/clusterrole.yaml b/charts/terway-controlplane/templates/clusterrole.yaml
@@ -1,7 +1,7 @@
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: {{ .Chart.Name }}
+  name: {{ .Release.Name }}
 rules:
   - apiGroups: [ "" ]
     resources:
@@ -50,4 +50,4 @@ rules:
       - patch
       - get
     resourceNames:
-      - {{ .Chart.Name }}
+      - {{ .Release.Name }}
diff --git a/charts/terway-controlplane/templates/clusterrolebinding.yaml b/charts/terway-controlplane/templates/clusterrolebinding.yaml
@@ -1,12 +1,12 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: {{ .Chart.Name }}
+  name: {{ .Release.Name }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: {{ .Chart.Name }}
+  name: {{ .Release.Name }}
 subjects:
   - kind: ServiceAccount
-    name: {{ .Chart.Name }}
+    name: {{ .Release.Name }}
     namespace: {{ .Release.Namespace }}
diff --git a/charts/terway-controlplane/templates/configmap.yaml b/charts/terway-controlplane/templates/configmap.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Release.Name }}
+  labels:
+  {{- include "terway-controlplane.labels" . | nindent 4 }}
+data:
+  ctrl-config.yaml: |
+    leaseLockName: "terway-controller-lock"
+    leaseLockNamespace: "kube-system"
+    controllerNamespace: "kube-system"
+    controllerName: "{{ .Release.Name }}"
+    healthzBindAddress: "0.0.0.0:8080"
+    clusterDomain: "cluster.local"
+    leaderElection: true
+    webhookPort: 4443
+    certDir: "/var/run/webhook-cert"
+    regionID: "{{ .Values.regionID }}"
+    clusterID: "{{ .Values.clusterID }}"
+    vpcID: "{{ .Values.vpcID }}"
+    ipStack: "{{ .Values.ipStack }}"
diff --git a/charts/terway-controlplane/templates/deployment.yaml b/charts/terway-controlplane/templates/deployment.yaml
@@ -1,35 +1,32 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: {{ .Chart.Name }}
+  name: {{ .Release.Name }}
   labels:
-    {{- include "terway-controlplane.labels" . | nindent 4 }}
+  {{- include "terway-controlplane.labels" . | nindent 4 }}
 spec:
   replicas: {{ .Values.replicaCount }}
   selector:
     matchLabels:
-      {{- include "terway-controlplane.selectorLabels" . | nindent 6 }}
+  {{- include "terway-controlplane.selectorLabels" . | nindent 6 }}
   template:
     metadata:
       {{- with .Values.podAnnotations }}
       annotations:
-        {{- toYaml . | nindent 8 }}
+      {{- toYaml . | nindent 8 }}
       {{- end }}
       labels:
-        {{- include "terway-controlplane.selectorLabels" . | nindent 8 }}
+    {{- include "terway-controlplane.selectorLabels" . | nindent 8 }}
     spec:
-      serviceAccountName: {{ include "terway-controlplane.serviceAccountName" . }}
-      securityContext:
-        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      serviceAccountName: {{ .Release.Name }}
       containers:
         - name: terway-controlplane
-          securityContext:
-            {{- toYaml .Values.securityContext | nindent 12 }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
-          envFrom:
-          - secretRef:
-              name: {{ .Chart.Name }}-credential
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            runAsUser: 1000
           env:
             - name: K8S_POD_NAME
               valueFrom:
@@ -40,30 +37,55 @@ spec:
                 fieldRef:
                   apiVersion: v1
                   fieldPath: spec.nodeName
+            - name: MY_POD_IP
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.podIP
           livenessProbe:
             periodSeconds: 10
             timeoutSeconds: 5
             httpGet:
               path: /healthz
-              port: 80
+              port: 8080
           readinessProbe:
             initialDelaySeconds: 10
             periodSeconds: 10
             timeoutSeconds: 5
             httpGet:
               path: /readyz
-              port: 80
+              port: 8080
           resources:
-            {{- toYaml .Values.resources | nindent 12 }}
+          {{- toYaml .Values.resources | nindent 12 }}
+          volumeMounts:
+            - name: config-vol
+              mountPath: /etc/config
+              readOnly: true
+            - name: secret-vol
+              mountPath: /etc/credential
+              readOnly: true
+            - name: webhook-vol
+              mountPath: /var/run/webhook-cert
+      volumes:
+        - name: config-vol
+          configMap:
+            name: {{ .Release.Name }}
+            items:
+              - key: ctrl-config.yaml
+                path: ctrl-config.yaml
+        - name: secret-vol
+          secret:
+            secretName: {{ .Release.Name }}-credential
+        - name: webhook-vol
+          emptyDir: {}
       {{- with .Values.nodeSelector }}
       nodeSelector:
-        {{- toYaml . | nindent 8 }}
+      {{- toYaml . | nindent 8 }}
       {{- end }}
       {{- with .Values.affinity }}
       affinity:
-        {{- toYaml . | nindent 8 }}
+      {{- toYaml . | nindent 8 }}
       {{- end }}
       {{- with .Values.tolerations }}
       tolerations:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
+      {{- toYaml . | nindent 8 }}
+  {{- end }}
diff --git a/charts/terway-controlplane/templates/role.yaml b/charts/terway-controlplane/templates/role.yaml
@@ -1,7 +1,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  name: {{ .Chart.Name }}
+  name: {{ .Release.Name }}
 rules:
   - apiGroups: [ "" ]
     resources:
@@ -17,7 +17,7 @@ rules:
       - patch
       - watch
     resourceNames:
-      - {{ .Chart.Name }}
+      - {{ .Release.Name }}-webhook-cert
   - apiGroups:
       - coordination.k8s.io
     resources:

diff --git a/charts/terway-controlplane/templates/rolebinding.yaml b/charts/terway-controlplane/templates/rolebinding.yaml
@@ -1,12 +1,12 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: {{ .Chart.Name }}
+  name: {{ .Release.Name }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
-  name: {{ .Chart.Name }}
+  name: {{ .Release.Name }}
 subjects:
   - kind: ServiceAccount
-    name: {{ .Chart.Name }}
+    name: {{ .Release.Name }}
     namespace: {{ .Release.Namespace }}
diff --git a/charts/terway-controlplane/templates/secret.yaml b/charts/terway-controlplane/templates/secret.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Release.Name }}-credential
+  labels:
+  {{- include "terway-controlplane.labels" . | nindent 4 }}
+stringData:
+  ctrl-secret.yaml: |
+    accessKey: "{{ .Values.accessKey }}"
+    accessSecret: "{{ .Values.accessSecret }}"
diff --git a/charts/terway-controlplane/templates/service.yaml b/charts/terway-controlplane/templates/service.yaml
@@ -1,15 +1,15 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: {{ .Chart.Name }}
+  name: {{ .Release.Name }}
   labels:
     {{- include "terway-controlplane.labels" . | nindent 4 }}
 spec:
   type: {{ .Values.service.type }}
   ports:
     - port: {{ .Values.service.port }}
-      targetPort: 443
+      targetPort: 4443
       protocol: TCP
-      name: http
+      name: https
   selector:
     {{- include "terway-controlplane.selectorLabels" . | nindent 4 }}
diff --git a/charts/terway-controlplane/templates/serviceaccount.yaml b/charts/terway-controlplane/templates/serviceaccount.yaml
@@ -1,6 +1,6 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ include "terway-controlplane.serviceAccountName" . }}
+  name: {{ .Release.Name }}
   labels:
     {{- include "terway-controlplane.labels" . | nindent 4 }}
diff --git a/charts/terway-controlplane/templates/webhook.yaml b/charts/terway-controlplane/templates/webhook.yaml
@@ -1,11 +1,16 @@
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:
-  name: {{ .Chart.Name }}
+  name: {{ .Release.Name }}
   labels:
     {{- include "terway-controlplane.labels" . | nindent 4 }}
 webhooks:
   - name: {{ .Chart.Name }}.mutating.k8s.io
+    namespaceSelector:
+      matchExpressions:
+        - key: k8s.aliyun.com/pod-eni
+          operator: NotIn
+          values: ["false"]
     rules:
       - apiGroups:   [""]
         apiVersions: ["v1"]
@@ -20,17 +25,17 @@ webhooks:
     clientConfig:
       service:
         namespace: {{ .Release.Namespace }}
-        name: {{ .Chart.Name }}
+        name: {{ .Release.Name }}
         path: /mutating
     admissionReviewVersions: ["v1", "v1beta1"]
     sideEffects: None
-    timeoutSeconds: 10
-    failurePolicy: Ignore
+    timeoutSeconds: {{ .Values.webhookTimeoutSeconds }}
+    failurePolicy: {{ .Values.webhookFailurePolicy }}
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
-  name: {{ .Chart.Name }}
+  name: {{ .Release.Name }}
   labels:
   {{- include "terway-controlplane.labels" . | nindent 4 }}
 webhooks:
@@ -44,9 +49,9 @@ webhooks:
     clientConfig:
       service:
         namespace: {{ .Release.Namespace }}
-        name: {{ .Chart.Name }}
+        name: {{ .Release.Name }}
         path: /validate
     admissionReviewVersions: ["v1", "v1beta1"]
     sideEffects: None
-    timeoutSeconds: 10
+    timeoutSeconds: {{ .Values.webhookTimeoutSeconds }}
     failurePolicy: Fail
diff --git a/charts/terway-controlplane/values.yaml b/charts/terway-controlplane/values.yaml
@@ -7,25 +7,13 @@ replicaCount: 2
 image:
   repository: l1b0k/terway-controlplane
   pullPolicy: Always
-  # Overrides the image tag whose default is the chart appVersion.
   tag: "latest"
 
 nameOverride: ""
 fullnameOverride: ""
 
 podAnnotations: {}
 
-podSecurityContext: {}
-  # fsGroup: 2000
-
-securityContext: {}
-#   capabilities:
-#     drop:
-#     - ALL
-#   readOnlyRootFilesystem: true
-#   runAsNonRoot: true
-#   runAsUser: 1000
-
 service:
   type: ClusterIP
   port: 443
@@ -40,3 +28,17 @@ nodeSelector: {}
 tolerations: []
 
 affinity: {}
+
+webhookFailurePolicy: Ignore
+webhookTimeoutSeconds: 10
+
+# configmap
+regionID: ch-hangzhou
+clusterID: ""
+vpcID: ""
+
+ipStack: ipv4
+
+# secrets
+accessKey: ""
+accessSecret: ""