update Dockerfile and pod for k8s-keystone-auth

Author: dims

cluster/images/webhook/Dockerfile

@@ -17,5 +17,5 @@ RUN apk add --no-cache ca-certificates
 ADD k8s-keystone-auth /bin/
 
 EXPOSE 8443
-CMD ./bin/k8s-keystone-auth --tls-cert-file ${API_SERVER_CERT} --tls-private-key-file ${API_SERVER_KEY} --keystone-url ${OPENSTACK_KEYSTONE_URL}
 
+CMD ["/bin/k8s-keystone-auth"]

manifests/webhook/k8s-keystone-auth.yaml

@@ -1,55 +1,51 @@
----
 apiVersion: v1
 kind: Pod
 metadata:
   annotations:
     scheduler.alpha.kubernetes.io/critical-pod: ""
-  creationTimestamp: null
   labels:
-    component: k8s-keystone-auth
+    component: kube-controller-manager
     tier: control-plane
   name: k8s-keystone-auth
   namespace: kube-system
 spec:
   containers:
-  - command:
-    - ./bin/k8s-keystone-auth
-    - --tls-cert-file
-    - /etc/kubernetes/pki/apiserver.crt
-    - --tls-private-key-file
-    - /etc/kubernetes/pki/apiserver.key
-    - --keystone-url
-    - https://mykeystone.com:5000/v3
-    image: k8s-keystone-auth
-    imagePullPolicy: Always
-    #livenessProbe:
-    #  failureThreshold: 8
-    #  httpGet:
-    #    host: 127.0.0.1
-    #    path: /healthz
-    #    port: 6443
-    #    scheme: HTTPS
-    #  initialDelaySeconds: 15
-    #  timeoutSeconds: 15
-    name: k8s-keystone-auth
-    resources:
-      requests:
-        cpu: 250m
-    volumeMounts:
-    - mountPath: /etc/kubernetes/pki
-      name: k8s-certs
-      readOnly: true
-    - mountPath: /etc/ssl/certs
-      name: ca-certs
-      readOnly: true
+    - name: k8s-keystone-auth
+      image: dims/k8s-keystone-auth:0.1.0
+      args:
+        - /bin/k8s-keystone-auth
+        - --v=10
+        - --tls-cert-file
+        - /etc/kubernetes/pki/apiserver.crt
+        - --tls-private-key-file
+        - /etc/kubernetes/pki/apiserver.key
+        - --keystone-policy-file
+        - /etc/kubernetes/webhook/policy.json
+        - --keystone-url=http://ctl:5000/v3
+      volumeMounts:
+        - mountPath: /etc/kubernetes/pki
+          name: k8s-certs
+          readOnly: true
+        - mountPath: /etc/kubernetes/webhook
+          name: k8s-webhook
+          readOnly: true
+        - mountPath: /etc/ssl/certs
+          name: ca-certs
+          readOnly: true
+      resources:
+        requests:
+          cpu: 200m
   hostNetwork: true
   volumes:
   - hostPath:
       path: /etc/kubernetes/pki
       type: DirectoryOrCreate
     name: k8s-certs
+  - hostPath:
+      path: /etc/kubernetes/webhook
+      type: DirectoryOrCreate
+    name: k8s-webhook
   - hostPath:
       path: /etc/ssl/certs
       type: DirectoryOrCreate
-    name: ca-certs
-status: {}
+    name: ca-certs