From 3a25bbbf24bfa209943fdee247552314e8229105 Mon Sep 17 00:00:00 2001
From: Edward Cheng
Date: Wed, 28 Aug 2024 01:40:59 +1000
Subject: [PATCH] add validating admission controller for argo events
---
 .../base/cluster-role-binding.yaml | 13 ++++
 .../argo-events/base/cluster-role.yaml | 64 ++++++++++++++++++-
 .../argo-events/base/deployment.yaml | 32 +++++++++-
 .../argo-events/base/kustomization.yaml | 3 +-
 .../argo-events/base/service-account.yaml | 6 ++
 infrastructures/argo-events/base/service.yaml | 12 ++++
 6 files changed, 127 insertions(+), 3 deletions(-)
 create mode 100644 infrastructures/argo-events/base/service.yaml
diff --git a/infrastructures/argo-events/base/cluster-role-binding.yaml b/infrastructures/argo-events/base/cluster-role-binding.yaml
index 7fcf96f..0c0a419 100644
--- a/infrastructures/argo-events/base/cluster-role-binding.yaml
+++ b/infrastructures/argo-events/base/cluster-role-binding.yaml
@@ -10,4 +10,17 @@ roleRef:
 subjects:
 - kind: ServiceAccount
 name: argo-events-sa
+ namespace: argo-events
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: argo-events-webhook-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: argo-events-webhook
+subjects:
+ - kind: ServiceAccount
+ name: argo-events-webhook-sa
 namespace: argo-events
\ No newline at end of file
diff --git a/infrastructures/argo-events/base/cluster-role.yaml b/infrastructures/argo-events/base/cluster-role.yaml
index 4eed5c1..58be392 100644
--- a/infrastructures/argo-events/base/cluster-role.yaml
+++ b/infrastructures/argo-events/base/cluster-role.yaml
@@ -165,4 +165,66 @@ rules:
 - watch
 - update
 - patch
- - delete
\ No newline at end of file
+ - delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: argo-events-webhook
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - create
+ - update
+ - delete
+ - patch
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - apps
+ resources:
+ - deployments
+ verbs:
+ - get
+ - list
+ - apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - validatingwebhookconfigurations
+ verbs:
+ - get
+ - list
+ - create
+ - update
+ - delete
+ - patch
+ - watch
+ - apiGroups:
+ - argoproj.io
+ resources:
+ - eventbus
+ - eventsources
+ - sensors
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - clusterroles
+ verbs:
+ - get
+ - list
\ No newline at end of file
diff --git a/infrastructures/argo-events/base/deployment.yaml b/infrastructures/argo-events/base/deployment.yaml
index 514eae0..9bc32d9 100644
--- a/infrastructures/argo-events/base/deployment.yaml
+++ b/infrastructures/argo-events/base/deployment.yaml
@@ -49,4 +49,34 @@ spec:
 volumes:
 - configMap:
 name: argo-events-controller-config
- name: controller-config-volume
\ No newline at end of file
+ name: controller-config-volume
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: events-webhook
+ namespace: argo-events
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: events-webhook
+ template:
+ metadata:
+ labels:
+ app: events-webhook
+ spec:
+ containers:
+ - args:
+ - webhook-service
+ env:
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: PORT
+ value: "443"
+ image: quay.io/argoproj/argo-events:v1.9.2
+ imagePullPolicy: Always
+ name: webhook
+ serviceAccountName: argo-events-webhook-sa
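Review bot: The first rule of the new `argo-events-webhook` ClusterRole grants get/list/create/update/delete/patch/watch on `secrets`, and since cluster-role-binding.yaml attaches it with a ClusterRoleBinding, `argo-events-webhook-sa` can read and rewrite every Secret in every namespace. If the webhook only manages a serving-certificate Secret in its own namespace (inferred, confirm against the argo-events release in use), the `secrets` rule belongs in a namespaced Role and RoleBinding in `argo-events`, as in the fence, with the rule removed from the ClusterRole. The `validatingwebhookconfigurations` rule is similarly broad: splitting it so that get/update/patch/delete carry `resourceNames: ["<webhook-config-name>"]` (placeholder) would keep a compromised webhook pod from altering or deleting other admission webhooks, while `create` stays in its own rule because it cannot be limited by name.

```yaml
# Namespaced replacement for the cluster-wide `secrets` rule
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: argo-events-webhook
  namespace: argo-events
rules:
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
      - list
      - create
      - update
      - delete
      - patch
      - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: argo-events-webhook-binding
  namespace: argo-events
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: argo-events-webhook
subjects:
  - kind: ServiceAccount
    name: argo-events-webhook-sa
    namespace: argo-events
# … unchanged: ClusterRole argo-events-webhook, minus its secrets rule …
```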
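Review bot: The `webhook` container in the new `events-webhook` Deployment is declared without a `securityContext` or `resources`, so the admission webhook, which carries the `argo-events-webhook-sa` token, runs with the runtime's default privileges and no memory or CPU bounds. The image is also referenced by the mutable tag `v1.9.2` with `imagePullPolicy: Always`, so every pod restart runs whatever that tag resolves to at that moment; pinning by digest makes the deployed binary reproducible. `replicas: 1` makes the webhook a single point of failure, and depending on the failure policy it registers (not visible in this patch) an outage either blocks changes to Argo Events resources or lets them through unvalidated. The fence sketches the hardening; check that the image runs as a non-root user and can still bind `PORT` 443 with all capabilities dropped, otherwise move `PORT` to an unprivileged port and point the Service's `targetPort` at it.

```yaml
# … unchanged: args, env …
          image: quay.io/argoproj/argo-events:v1.9.2@sha256:<digest>  # placeholder: digest verified for v1.9.2
          imagePullPolicy: IfNotPresent
          name: webhook
          resources:
            requests:
              cpu: <cpu-request>        # placeholder
              memory: <memory-request>  # placeholder
            limits:
              memory: <memory-limit>    # placeholder
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault
      serviceAccountName: argo-events-webhook-sa
```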
diff --git a/infrastructures/argo-events/base/kustomization.yaml b/infrastructures/argo-events/base/kustomization.yaml
index 6dd6323..345521a 100644
--- a/infrastructures/argo-events/base/kustomization.yaml
+++ b/infrastructures/argo-events/base/kustomization.yaml
@@ -6,4 +6,5 @@ resources:
 - ./cluster-role.yaml
 - ./cluster-role-binding.yaml
 - ./configmap.yaml
- - ./deployment.yaml
\ No newline at end of file
+ - ./deployment.yaml
+ - ./service.yaml
\ No newline at end of file
diff --git a/infrastructures/argo-events/base/service-account.yaml b/infrastructures/argo-events/base/service-account.yaml
index 4bf05e7..cf25468 100644
--- a/infrastructures/argo-events/base/service-account.yaml
+++ b/infrastructures/argo-events/base/service-account.yaml
@@ -3,4 +3,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
 name: argo-events-sa
+ namespace: argo-events
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: argo-events-webhook-sa
 namespace: argo-events
\ No newline at end of file
diff --git a/infrastructures/argo-events/base/service.yaml b/infrastructures/argo-events/base/service.yaml
new file mode 100644
index 0000000..f1a7f7a
--- /dev/null
+++ b/infrastructures/argo-events/base/service.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: events-webhook
+ namespace: argo-events
+spec:
+ ports:
+ - port: 443
+ targetPort: 443
+ selector:
+ app: events-webhook
\ No newline at end of file