{"id":17946569,"url":"https://github.com/centeredge/shawarma-webhook","last_synced_at":"2025-08-16T01:32:22.415Z","repository":{"id":38817987,"uuid":"199515933","full_name":"CenterEdge/shawarma-webhook","owner":"CenterEdge","description":"A Kubernetes Mutating Admission Webhook which will automatically apply the Shawarma sidecar when requested via annotations.","archived":false,"fork":false,"pushed_at":"2023-10-11T23:39:52.000Z","size":315,"stargazers_count":2,"open_issues_count":1,"forks_count":3,"subscribers_count":4,"default_branch":"main","last_synced_at":"2024-10-29T07:06:17.284Z","etag":null,"topics":["bluegreen-deployment","kubernetes"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/CenterEdge.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-07-29T19:36:50.000Z","updated_at":"2023-07-25T23:22:28.000Z","dependencies_parsed_at":"2024-06-19T11:27:31.556Z","dependency_job_id":"e81eb746-c307-4672-98c2-b11c3e57a877","html_url":"https://github.com/CenterEdge/shawarma-webhook","commit_stats":{"total_commits":27,"total_committers":2,"mean_commits":13.5,"dds":0.03703703703703709,"last_synced_commit":"cd1ca9224b6309d135a8570724e76cf9b72dea32"},"previous_names":[],"tags_count":7,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CenterEdge%2Fshawarma-webhook","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CenterEdge%2Fshawarma-webhook/tags","releases_url":"https://repos.ecosys
te.ms/api/v1/hosts/GitHub/repositories/CenterEdge%2Fshawarma-webhook/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CenterEdge%2Fshawarma-webhook/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/CenterEdge","download_url":"https://codeload.github.com/CenterEdge/shawarma-webhook/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":222004787,"owners_count":16914877,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bluegreen-deployment","kubernetes"],"created_at":"2024-10-29T07:06:23.557Z","updated_at":"2024-10-29T07:06:24.268Z","avatar_url":"https://github.com/CenterEdge.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Shawarma Webhook\n\n[![ci](https://github.com/CenterEdge/shawarma-webhook/actions/workflows/docker-image.yml/badge.svg)](https://github.com/CenterEdge/shawarma-webhook/actions/workflows/docker-image.yml)\n\nA Kubernetes Mutating Admission Webhook which will automatically apply the Shawarma sidecar when requested via annotations.\n\n## Deploying\n\nThe webhook is typically deployed to the kube-system namespace. 
An example deployment can be\n[found in the main Shawarma repository](https://github.com/CenterEdge/shawarma/tree/master/example/injected).\n\nNote that the example assumes that [cert-manager](https://cert-manager.io/) has been installed on\nyour cluster to manage TLS between the API server and the webhook.\n\n## RBAC Rights\n\n### Legacy Approach\n\nIf using `SHAWARMA_SERVICE_ACCT_NAME`, the webhook needs the following RBAC rights bound to the webhook's service account.\n\n```yaml\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n  name: shawarma-webhook\nrules:\n- apiGroups: [\"\"]\n  resources: [\"serviceaccounts\"]\n  verbs: [\"get\", \"watch\", \"list\"]\n```\n\nAdditionally, the service referenced by `SHAWARMA_SERVICE_ACCT_NAME` must have a legacy `Secret` linked to it.\n\n### Modern Approach\n\nThe modern approach is to grant rights to the `serviceAccountName` used by the pod. This is more secure and provides token rotation, etc.\nThe rights may be granted to the `default` service account for a namespace, if desired.\n\n```yaml\n# Create the role that has the required rights for the Shawarma sidecar\napiVersion: rbac.authorization.k8s.io/v1\nkind: Role\nmetadata:\n  name: shawarma\n  namespace: default\nrules:\n- apiGroups: [\"\"]\n  resources: [\"endpoints\"]\n  verbs: [\"get\", \"watch\", \"list\"]\n---\n# Grant these rights to the default service account for a namespace\napiVersion: rbac.authorization.k8s.io/v1\nkind: RoleBinding\nmetadata:\n  name: shawarma-default\n  namespace: default\nsubjects:\n- kind: ServiceAccount\n  name: default\nroleRef:\n  kind: Role\n  name: shawarma\n  apiGroup: rbac.authorization.k8s.io\n```\n\n## Environment Variables\n\nThe following environment variables may be used to customize behaviors of the webhook.\n\n| Name                       | Default                              | Description |\n| -------------------------- | ------------------------------------ | ----------- |\n| LOG_LEVEL              
    | warn                                 | Log level for the admission webhook |\n| WEBHOOK_PORT               | 8443                                 | Port used by the admission webhook |\n| CERT_FILE                  | /etc/shawarma-webhook/certs/tls.crt  | Certificate file used for TLS by the admission webhook |\n| KEY_FILE                   | /etc/shawarma-webhook/certs/tls.key  | Key file used for TLS by the admission webhook |\n| SWAWARMA_IMAGE             | centeredge/shawarma:1.0.0            | Default Shawarma image |\n| SHAWARMA_SERVICE_ACCT_NAME |                                      | Name of the service account which should be used for sidecars (requires a legacy token secret linked to the service account) |\n| SHAWARMA_SECRET_TOKEN_NAME |                                      | Name of the secret containing the Kubernetes token for Shawarma, overrides SHAWARMA_SERVICE_ACCT_NAME |\n\n## Annotations\n\nThe following annotations may be applied to alter behaviors on a specific pod.\n\n| Name                                    | Required         | Description |\n| --------------------------------------- | ---------------- | ----------- |\n| `shawarma.centeredge.io/service-name`   | Y (if no labels) | Name of the K8S service to be monitored, the sidecar is not injected if this annotation is not present |\n| `shawarma.centeredge.io/service-labels` | Y (if no name)   | K8S service labels to monitor, comma-delimited ex. 
`label1=value1,label2=value2` |\n| `shawarma.centeredge.io/image`          | N                | Override the image used for Shawarma |\n| `shawarma.centeredge.io/log-level`      | N                | Override the log level used by Shawarma |\n| `shawarma.centeredge.io/state-url`      | N                | Override the URL which receives Shawarma application state (default `http://localhost/applicationstate`) |\n| `shawarma.centeredge.io/listen-port`    | N                | Override the port on which the Shawarma sidecar listens for state requests, (default `8099`) |\n\n## Customizing The Sidecar\n\nThe sidecar is configured via the `./sidecar.yaml` file which is included in the Docker image. It may\nadd volumes and containers to pods which have the Shawarma annotations.\n\nThis file may be replaced with a custom version using a volume mount. The `--config /path/to/sidecar.yaml`\ncommand line argument configures the location of the custom file. This can be used to change the resource\nallocations or other details of the sidecar.\n\n| Replacement Token     | Description |\n| -----------------     | ----------- |\n| `SHAWARMA_IMAGE`      | Must be in a container `image`, replaced with the configured Shawarma image |\n| `SHAWARMA_TOKEN_NAME` | Must be in a volume `secretName`, replaced with the name of the secret containing the Shawarma token for K8S API access |\n\n\u003e For an example SIDECAR_CONFIG file, see [sidecar.yaml](./sidecar.yaml).\n\nThe example contains two different sidecar definitions `shawarma` and `shawarma-withtoken`. 
The default is `shawarma`, but `shawarma-withtoken`\nis used if the `SHAWARMA_SERVICE_ACCT_NAME` OR `SHAWARMA_SECRET_TOKEN_NAME` environment variables (or equivalent command line arguments) are used\nto provide legacy API authentication via a `Secret`.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcenteredge%2Fshawarma-webhook","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcenteredge%2Fshawarma-webhook","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcenteredge%2Fshawarma-webhook/lists"}