Add a daemonset for keystone webhook

Author: dims

manifests/webhook/k8s-keystone-auth-ds.yaml

@@ -0,0 +1,70 @@
+apiVersion: extensions/v1beta1
+kind: DaemonSet
+metadata:
+  name: k8s-keystone-auth
+  namespace: kube-system
+  labels:
+    k8s-app: k8s-keystone-auth
+spec:
+  selector:
+    matchLabels:
+      k8s-app: k8s-keystone-auth
+  updateStrategy:
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        k8s-app: k8s-keystone-auth
+    spec:
+      hostNetwork: true
+      tolerations:
+      - key: node.cloudprovider.kubernetes.io/uninitialized
+        value: "true"
+        effect: NoSchedule
+      - key: node-role.kubernetes.io/master
+        effect: NoSchedule
+      containers:
+        - name: k8s-keystone-auth
+          image: dims/k8s-keystone-auth:0.1.0
+          args:
+            - /bin/k8s-keystone-auth
+            - --v=10
+            - --tls-cert-file
+            - /etc/kubernetes/pki/apiserver.crt
+            - --tls-private-key-file
+            - /etc/kubernetes/pki/apiserver.key
+            - --keystone-policy-file
+            - /etc/kubernetes/webhook/policy.json
+            - --keystone-url=http://ctl:5000/v3
+          volumeMounts:
+            - mountPath: /etc/kubernetes/pki
+              name: k8s-certs
+              readOnly: true
+            - mountPath: /etc/kubernetes/webhook
+              name: k8s-webhook
+              readOnly: true
+            - mountPath: /etc/ssl/certs
+              name: ca-certs
+              readOnly: true
+          resources:
+            requests:
+              cpu: 200m
+          ports:
+            - containerPort: 8443
+              hostPort: 8443
+              name: https
+              protocol: TCP
+      hostNetwork: true
+      volumes:
+      - hostPath:
+          path: /etc/kubernetes/pki
+          type: DirectoryOrCreate
+        name: k8s-certs
+      - hostPath:
+          path: /etc/kubernetes/webhook
+          type: DirectoryOrCreate
+        name: k8s-webhook
+      - hostPath:
+          path: /etc/ssl/certs
+          type: DirectoryOrCreate
+        name: ca-certs

manifests/webhook/k8s-keystone-auth.yaml …fests/webhook/k8s-keystone-auth-pod.yamlmanifests/webhook/k8s-keystone-auth.yaml renamed to manifests/webhook/k8s-keystone-auth-pod.yaml manifests/webhook/k8s-keystone-auth.yaml renamed to manifests/webhook/k8s-keystone-auth-pod.yaml

@@ -4,7 +4,7 @@ metadata:
   annotations:
     scheduler.alpha.kubernetes.io/critical-pod: ""
   labels:
-    component: kube-controller-manager
+    component: k8s-keystone-auth
     tier: control-plane
   name: k8s-keystone-auth
   namespace: kube-system