kubernetesValidation

Kubernetes Integration is still experimental.

To create the CustomResourceDefinitions, apply kubernetes-config.yaml from core/target/classes/com/predic8/membrane/core/config/kubernetes/ or a part (e.g. the 'serviceproxies' CRD) of the file.

Create a key and certificate for TLS for https://membrane-validator.membrane-soa.svc:444/ and set up Membrane to serve this address. The configuration shown below configures Membrane on a fixed IP address outside of the Kubernetes cluster, but this is not a requirement.

Embed the following serviceProxy and adjust the 'resources' attribute to a comma-separated list of CRDs that you applied. Note that while the CRDs have plural names, here you need to use the corresponding singular. Configure the "ssl" section using your key and certificate.

    <serviceProxy port="444">
      <ssl>
        <key>
          <private>
            -----BEGIN RSA PRIVATE KEY-----
            ...
            -----END RSA PRIVATE KEY-----
          </private>
          <certificate>
            -----BEGIN CERTIFICATE-----
            ...
            -----END CERTIFICATE-----
          </certificate>
        </key>
      </ssl>
      <kubernetesValidation resources="serviceproxy" />
    </serviceProxy>

Now register a Webhook to validate the new CRDs. (A note to the experts: Membrane's validation schemas are too complex to fit into the CRD, because they are highly nestable and self-referencing. We therefore use webhooks.)

    apiVersion: admissionregistration.k8s.io/v1
    kind: ValidatingWebhookConfiguration
    metadata:
      name: membrane
    webhooks:
      - name: membrane.membrane-soa.org
        admissionReviewVersions: ["v1", "v1beta1"]
        failurePolicy: Fail
        rules:
          - operations: [ "*" ]
            apiGroups: [ "membrane-soa.org" ]
            apiVersions: [ "v1", "v1beta1" ]
            resources: [ "*" ]
            scope: "*"
        clientConfig:
          service:
            name: membrane-validator
            namespace: membrane-soa
            port: 444
          caBundle: LS0t...LQ0K # base64 encoded, PEM-formatted CA certificate
        sideEffects: None
    ---
    apiVersion: v1
    kind: Namespace
    metadata:
      name: membrane-soa
    ---
    apiVersion: v1
    kind: Service
    metadata:
      namespace: membrane-soa
      name: membrane-validator
    spec:
      ports:
        - port: 444
    ---
    apiVersion: v1
    kind: Endpoints
    metadata:
      namespace: membrane-soa
      name: membrane-validator
    subsets:
      - addresses:
          - ip: 192.168.0.1 # Membrane's IP
        ports:
          - port: 444
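The certificate step and the caBundle value above, as an added example that is not part of the Membrane documentation: a shell script that uses OpenSSL to create a private CA and a serving certificate for membrane-validator.membrane-soa.svc, checks the chain and hostname, and emits the base64 CA bundle. The CA subject, file names, key size and validity period are assumptions.

```shell
#!/bin/sh
# Added example (not from the Membrane docs): private CA and serving
# certificate for the validator endpoint, plus the caBundle value.
set -eu

# <service>.<namespace>.svc, taken from the page's webhook clientConfig
SVC_DNS="membrane-validator.membrane-soa.svc"

# make_webhook_pki DIR: write ca.key/ca.crt and tls.key/tls.crt into DIR.
# File names, CA subject, key size and lifetime are assumptions.
make_webhook_pki() (
  umask 077                      # private keys readable by the owner only
  mkdir -p "$1"
  # 1. Private CA; its certificate is what goes into caBundle.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=membrane-webhook-ca" \
    -keyout "$1/ca.key" -out "$1/ca.crt"
  # 2. Server key and signing request.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$SVC_DNS" \
    -keyout "$1/tls.key" -out "$1/tls.csr"
  # 3. Sign with a subjectAltName: the API server checks the service DNS
  #    name against the SAN entries, a matching CN alone is rejected.
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$SVC_DNS" \
    > "$1/ext.cnf"
  openssl x509 -req -in "$1/tls.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 365 -extfile "$1/ext.cnf" -out "$1/tls.crt"
)

# check_webhook_cert DIR: succeed only if tls.crt chains to ca.crt and
# is valid for SVC_DNS.
check_webhook_cert() {
  openssl verify -CAfile "$1/ca.crt" "$1/tls.crt" >/dev/null 2>&1 &&
    openssl x509 -in "$1/tls.crt" -noout -checkhost "$SVC_DNS" |
      grep -q "does match"
}

# ca_bundle DIR: single-line base64 of the PEM CA certificate.
ca_bundle() {
  openssl base64 -A -in "$1/ca.crt"
}
```

After `make_webhook_pki DIR`, the contents of tls.key and tls.crt go into the "ssl" section of the serviceProxy and the output of `ca_bundle DIR` goes into the caBundle field.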

Once this setup is complete, you can enable serviceProxies like this:

    apiVersion: membrane-soa.org/v1beta1
    kind: serviceproxy
    metadata:
      name: demo
      namespace: membrane-soa
    spec:
      host: demo.predic8.de
      path:
        value: /some-path/
      interceptors:
        - response:
            interceptors:
              - groovy:
                  src: |
                    println "Hello!"
      target:
        host: thomas-bayer.com

Can be used in:

serviceProxy, api, stompProxy, swaggerProxy, if, registration, wsStompReassembler, interceptor, bean, internalProxy, transport and soapProxy


Attributes

| Name | Required | Default | Description | Example |
|------|----------|---------|-------------|---------|
| resources | false | - | The resources (CustomResourceDefinition Kinds, singular) to watch in the Kubernetes API, comma separated. | serviceproxy,ssl |
| namespaces | false | membrane-soa | The list of namespaces to watch, comma separated. A single '*' means "watch all namespaces". | * |