Skip to content

Add class label webhook for prod #30

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
IsaiahStapleton merged 1 commit into from
Jan 22, 2026
Merged

Add class label webhook for prod #30

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 12 additions & 0 deletions webhooks/assign-class-label-prod/certificate.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: assign-class-label-tls
spec:
secretName: assign-class-label-tls
issuerRef:
name: assign-class-label-issuer
kind: Issuer
commonName: "rhods-notebooks.svc"
dnsNames:
- assign-class-label-webhook.rhods-notebooks.svc
40 changes: 40 additions & 0 deletions webhooks/assign-class-label-prod/deployment.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
kind: Deployment
apiVersion: apps/v1
metadata:
name: assign-class-label-webhook
spec:
replicas: 2
template:
metadata:
labels:
app: assign-class-label-webhook
webhook: "true"
spec:
containers:
- name: assign-class-label
image: quay.io/rh-ee-istaplet/ope-webhooks:assign-class-label-webhook
imagePullPolicy: Always
ports:
- containerPort: 443
volumeMounts:
- name: tls
mountPath: /certs/webhook.crt
subPath: tls.crt
readOnly: true
- name: tls
mountPath: /certs/webhook.key
subPath: tls.key
readOnly: true
resources:
limits:
cpu: 500m
memory: 512Mi
env:
# EDIT VALUE HERE BEFORE RUNNING, must be comma separated
- name: RHOAI_CLASS_GROUPS
value: "cs210,ds100"
serviceAccountName: webhook-sa
volumes:
- name: tls
secret:
secretName: assign-class-label-tls
6 changes: 6 additions & 0 deletions webhooks/assign-class-label-prod/issuer.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: assign-class-label-issuer
spec:
selfSigned: {}
15 changes: 15 additions & 0 deletions webhooks/assign-class-label-prod/kustomization.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: rhods-notebooks
commonLabels:
app: assign-class-label-webhook

resources:
- issuer.yaml
- certificate.yaml
- deployment.yaml
- service.yaml
- webhook-config.yaml
- serviceaccount.yaml
- role.yaml
- rolebinding.yaml
8 changes: 8 additions & 0 deletions webhooks/assign-class-label-prod/role.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: ope-webhook-role
rules:
- apiGroups: ["user.openshift.io"]
resources: ["pods", "groups"]
verbs: ["get", "list", "watch", "patch"]
12 changes: 12 additions & 0 deletions webhooks/assign-class-label-prod/rolebinding.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: ope-webhook-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: ope-webhook-role
subjects:
- kind: ServiceAccount
name: webhook-sa
namespace: rhods-notebooks
10 changes: 10 additions & 0 deletions webhooks/assign-class-label-prod/service.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
apiVersion: v1
kind: Service
metadata:
name: assign-class-label-webhook
spec:
ports:
- name: https
protocol: TCP
port: 443
targetPort: 5000
5 changes: 5 additions & 0 deletions webhooks/assign-class-label-prod/serviceaccount.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: webhook-sa
namespace: rhods-notebooks
32 changes: 32 additions & 0 deletions webhooks/assign-class-label-prod/webhook-config.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
name: assign-class-label-webhook
annotations:
cert-manager.io/inject-ca-from: rhods-notebooks/assign-class-label-tls
webhooks:
- name: assign-class-label-webhook.rhods-notebooks.svc
clientConfig:
service:
namespace: rhods-notebooks
name: assign-class-label-webhook
path: /mutate
rules:
- operations: ["CREATE"]
apiGroups: [""]
apiVersions: ["v1"]
resources: ["pods"]
namespaceSelector:
matchExpressions:
- key: kubernetes.io/metadata.name
operator: In
values:
- rhods-notebooks
objectSelector:
matchExpressions:
- key: webhook
operator: NotIn
values:
- "true"
sideEffects: None
admissionReviewVersions: ["v1"]