ops-center · tamalsaha · Apr 19, 2018 · Apr 19, 2018
diff --git a/chart/searchlight/README.md b/chart/searchlight/README.md
@@ -15,16 +15,14 @@ This chart bootstraps a [Searchlight controller](https://github.com/appscode/sea
 
 ## Prerequisites
 
-- Kubernetes 1.7+
+- Kubernetes 1.8+
 
 ## Installing the Chart
 To install the chart with the release name `my-release`:
-
 ```console
-$ helm install --name my-release appscode/searchlight
+$ helm install appscode/searchlight --name my-release
 ```
-
-The command deploys Searchlight controller on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation.
+The command deploys Searchlight operator on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation.
 
 > **Tip**: List all releases using `helm list`
 
@@ -43,24 +41,29 @@ The command removes all the Kubernetes components associated with the chart and
 The following table lists the configurable parameters of the Searchlight chart and their default values.
 
 
-| Parameter                 | Description                                                       | Default                |
-|---------------------------|-------------------------------------------------------------------|------------------------|
-| `operator.image`          | operator container image                                          | `appscode/searchlight` |
-| `operator.tag`            | operator image tag                                                | `6.0.0-alpha.0`        |
-| `icinga.image`            | icinga container image                                            | `appscode/icinga`      |
-| `icinga.tag`              | icinga container image tag                                        | `6.0.0-alpha.0-k8s`    |
-| `ido.image`               | ido container image                                               | `appscode/postgress`   |
-| `ido.tag`                 | ido container image tag                                           | `9.5-alpine`           |
-| `imagePullSecrets`        | Specify image pull secrets                                        | `nil` (does not add image pull secrets to deployed pods) |
-| `imagePullPolicy`         | Image pull policy                                                 | `IfNotPresent`         |
-| `criticalAddon`           | If true, installs Searchlight operator as critical addon          | `false`                |
-| `logLevel`                | Log level for operator                                            | `3`                    |
-| `nodeSelector`            | Node labels for pod assignment                                    | `{}`                   |
-| `rbac.create`             | If `true`, create and use RBAC resources                          | `true`                 |
-| `serviceAccount.create`   | If `true`, create a new service account                           | `true`                 |
-| `serviceAccount.name`     | Service account to be used. If not set and `serviceAccount.create` is `true`, a name is generated using the fullname template | `` |
-| `enableAnalytics`         | Send usage events to Google Analytics                             | `true`                 |
-
+| Parameter                           | Description                                                             | Default            |
+| ----------------------------------- | -----------------------------------------------------------------       | ------------------ |
+| `replicaCount`                      | Number of searchlight Operator replicas to create (only 1 is supported) | `1`                |
+| `operator.registry`                 | Docker registry used to pull Operator image                             | `appscode`         |
+| `operator.repository`               | Operator container image                                                | `searchlight`      |
+| `operator.tag`                      | Operator image tag                                                      | `6.0.0-alpha.0`    |
+| `icinga.registry`                   | Docker registry used to pull Icinga image                               | `appscode`         |
+| `icinga.repository`                 | Icinga container image                                                  | `icinga`           |
+| `icinga.tag`                        | icinga container image tag                                              | `6.0.0-alpha.0-k8s`|
+| `ido.registry`                      | Docker registry used to pull PostgreSQL image                           | `appscode`         |
+| `ido.repository`                    | PostgreSQL container image                                              | `postgress`        |
+| `ido.tag`                           | ido container image tag                                                 | `9.5-alpine`       |
+| `imagePullSecrets`                  | Specify image pull secrets                                              | `nil` (does not add image pull secrets to deployed pods) |
+| `imagePullPolicy`                   | Image pull policy                                                       | `IfNotPresent`     |
+| `criticalAddon`                     | If true, installs Searchlight operator as critical addon                | `false`            |
+| `rbac.create`                       | If `true`, create and use RBAC resources                                | `true`             |
+| `serviceAccount.create`             | If `true`, create a new service account                                 | `true`             |
+| `serviceAccount.name`               | Service account to be used. If not set and `serviceAccount.create` is `true`, a name is generated using the fullname template | `` |
+| `apiserver.groupPriorityMinimum`    | The minimum priority the group should have.                             | 10000              |
+| `apiserver.versionPriority`         | The ordering of this API inside of the group.                           | 15                 |
+| `apiserver.enableValidatingWebhook` | Enable validating webhooks for Searchlight CRDs                         | false              |
+| `apiserver.ca`                      | CA certificate used by main Kubernetes api server                       | ``                 |
+| `enableAnalytics`                   | Send usage events to Google Analytics                                   | `true`             |
 
 Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example:
 
@@ -80,7 +83,7 @@ By default the chart will not install the recommended RBAC roles and rolebinding
 
 You need to have the flag `--authorization-mode=RBAC` on the api server. See the following document for how to enable [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/).
 
-To determine if your cluster supports RBAC, run the the following command:
+To determine if your cluster supports RBAC, run the following command:
 
 ```console
 $ kubectl api-versions | grep rbac

diff --git a/chart/searchlight/templates/deployment.yaml b/chart/searchlight/templates/deployment.yaml
@@ -22,7 +22,7 @@ spec:
       serviceAccountName: {{ template "searchlight.serviceAccountName" . }}
       containers:
       - name: operator
-        image: {{ .Values.operator.image }}:{{ .Values.operator.tag }}
+        image: {{ .Values.operator.registry }}/{{ .Values.operator.repository }}:{{ .Values.operator.tag }}
         imagePullPolicy: {{ .Values.imagePullPolicy }}
         {{- if .Values.imagePullSecrets }}
         imagePullSecrets:
@@ -53,7 +53,7 @@ spec:
             port: 8443
             scheme: HTTPS
       - name: icinga
-        image: {{ .Values.icinga.image }}:{{ .Values.icinga.tag }}
+        image: {{ .Values.icinga.registry }}/{{ .Values.icinga.repository }}:{{ .Values.icinga.tag }}
         imagePullPolicy: {{ .Values.imagePullPolicy }}
         {{- if .Values.imagePullSecrets }}
         imagePullSecrets:
@@ -79,7 +79,7 @@ spec:
         - name: data
           mountPath: /srv
       - name: ido
-        image: {{ .Values.ido.image }}:{{ .Values.ido.tag }}
+        image: {{ .Values.ido.registry }}/{{ .Values.ido.repository }}:{{ .Values.ido.tag }}
         imagePullPolicy: {{ .Values.imagePullPolicy }}
         {{- if .Values.imagePullSecrets }}
         imagePullSecrets:

diff --git a/chart/searchlight/templates/validating-webhook-configuration.yaml b/chart/searchlight/templates/validating-webhook-configuration.yaml
@@ -0,0 +1,30 @@
+{{- if .Values.apiserver.enableValidatingWebhook }}
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: admission.monitoring.appscode.com
+  labels:
+    app: "{{ template "searchlight.name" . }}"
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+webhooks:
+- name: admission.monitoring.appscode.com
+  clientConfig:
+    service:
+      namespace: default
+      name: kubernetes
+      path: /apis/admission.monitoring.appscode.com/v1alpha1/admissionreviews
+    caBundle: ${KUBE_CA}
+  rules:
+  - operations:
+    - CREATE
+    - UPDATE
+    apiGroups:
+    - monitoring.appscode.com
+    apiVersions:
+    - "*"
+    resources:
+    - "*"
+  failurePolicy: Fail
+{{ end }}
diff --git a/chart/searchlight/values.yaml b/chart/searchlight/values.yaml
@@ -3,15 +3,18 @@
 # Declare variables to be passed into your templates.
 
 operator:
-  image: appscode/searchlight
+  registry: appscode
+  repository: searchlight
   tag: 6.0.0-alpha.0
 
 ido:
-  image: appscode/postgres
+  registry: appscode
+  repository: postgres
   tag: 9.5-alpine
 
 icinga:
-  image: appscode/icinga
+  registry: appscode
+  repository: icinga
   tag: 6.0.0-alpha.0-k8s
 
 ## Optionally specify an array of imagePullSecrets.
@@ -82,5 +85,19 @@ serviceAccount:
   # If not set and create is true, a name is generated using the fullname template
   name:
 
+apiserver:
+  # groupPriorityMinimum is the minimum priority the group should have. Please see
+  # https://github.com/kubernetes/kube-aggregator/blob/release-1.9/pkg/apis/apiregistration/v1beta1/types.go#L58-L64
+  # for more information on proper values of this field.
+  groupPriorityMinimum: 10000
+  # versionPriority is the ordering of this API inside of the group. Please see
+  # https://github.com/kubernetes/kube-aggregator/blob/release-1.9/pkg/apis/apiregistration/v1beta1/types.go#L66-L70
+  # for more information on proper values of this field
+  versionPriority: 15
+  # enableValidatingWebhook is used to configure apiserver as ValidationWebhook for Voyager CRDs
+  enableValidatingWebhook: false
+  # CA certificate used by main Kubernetes api server
+  ca:
+
 # Send usage events to Google Analytics
 enableAnalytics: true
diff --git a/docs/setup/install.md b/docs/setup/install.md
@@ -51,7 +51,7 @@ options:
     --docker-registry              docker registry used to pull searchlight images (default: appscode)
     --image-pull-secret            name of secret used to pull searchlight operator images
     --run-on-master                run searchlight operator on master
-    --enable-admission-webhook     configure admission webhook for searchlight CRDs
+    --enable-validating-webhook    enable/disable validating webhooks for Searchlight CRD
     --enable-analytics             send usage events to Google Analytics (default: true)
     --uninstall                    uninstall searchlight
     --purge                        purges searchlight crd objects and crds
@@ -86,22 +86,46 @@ $ curl -fsSL https://raw.githubusercontent.com/appscode/searchlight/6.0.0-alpha.
     | bash -s -- --docker-registry=MY_REGISTRY [--image-pull-secret=SECRET_NAME] [--rbac]
 ```
 
-Searchlight implements a [validating admission webhook](https://kubernetes.io/docs/admin/admission-controllers/#validatingadmissionwebhook-alpha-in-18-beta-in-19) to validate Searchlight CRDs. This is enabled by default for Kubernetes 1.9.0 or later releases. To disable this feature, pass the `--enable-admission-webhook=false` flag.
+Searchlight implements a [validating admission webhook](https://kubernetes.io/docs/admin/admission-controllers/#validatingadmissionwebhook-alpha-in-18-beta-in-19) to validate Searchlight CRDs. This is enabled by default for Kubernetes 1.9.0 or later releases. To disable this feature, pass the `--enable-validating-webhook=false` flag.
 
 ```console
 $ curl -fsSL https://raw.githubusercontent.com/appscode/searchlight/6.0.0-alpha.0/hack/deploy/searchlight.sh \
-    | bash -s -- --enable-admission-webhook [--rbac]
+    | bash -s -- --enable-validating-webhook [--rbac]
 ```
 
 
 ## Using Helm
 Searchlight can be installed via [Helm](https://helm.sh/) using the [chart](https://github.com/appscode/searchlight/blob/master/chart/searchlight) from [AppsCode Charts Repository](https://github.com/appscode/charts). To install the chart with the release name `my-release`:
 
 ```console
+# Mac OSX amd64:
+curl -fsSL -o onessl https://github.com/kubepack/onessl/releases/download/0.1.0/onessl-darwin-amd64 \
+  && chmod +x onessl \
+  && sudo mv onessl /usr/local/bin/
+
+# Linux amd64:
+curl -fsSL -o onessl https://github.com/kubepack/onessl/releases/download/0.1.0/onessl-linux-amd64 \
+  && chmod +x onessl \
+  && sudo mv onessl /usr/local/bin/
+
+# Linux arm64:
+curl -fsSL -o onessl https://github.com/kubepack/onessl/releases/download/0.1.0/onessl-linux-arm64 \
+  && chmod +x onessl \
+  && sudo mv onessl /usr/local/bin/
+
+# Kubernetes 1.8.x
 $ helm repo add appscode https://charts.appscode.com/stable/
 $ helm repo update
 $ helm install appscode/searchlight --name my-release
+
+# Kubernetes 1.9.0 or later
+$ helm repo add appscode https://charts.appscode.com/stable/
+$ helm repo update
+$ helm install appscode/searchlight --name my-release \
+  --set apiserver.ca="$(onessl get kube-ca)" \
+  --set apiserver.enableValidatingWebhook=true
 ```
+
 To see the detailed configuration options, visit [here](https://github.com/appscode/searchlight/tree/master/chart/searchlight).
 
 ### Installing in GKE Cluster

diff --git a/hack/deploy/searchlight.sh b/hack/deploy/searchlight.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 set -eou pipefail
 
-crds=(clusteralerts nodealerts podalerts incidents)
+crds=(clusteralerts nodealerts podalerts incidents searchlightplugins)
 apiversions=(v1alpha1.admission v1alpha1.incidents)
 
 echo "checking kubeconfig context"
@@ -51,7 +51,7 @@ export SEARCHLIGHT_NAMESPACE=kube-system
 export SEARCHLIGHT_SERVICE_ACCOUNT=searchlight-operator
 export SEARCHLIGHT_ENABLE_RBAC=true
 export SEARCHLIGHT_RUN_ON_MASTER=0
-export SEARCHLIGHT_ENABLE_ADMISSION_WEBHOOK=false
+export SEARCHLIGHT_ENABLE_VALIDATING_WEBHOOK=false
 export SEARCHLIGHT_DOCKER_REGISTRY=appscode
 export SEARCHLIGHT_IMAGE_PULL_SECRET=
 export SEARCHLIGHT_UNINSTALL=0
@@ -65,7 +65,7 @@ if [ "$APPSCODE_ENV" = "dev" ]; then
 fi
 
 KUBE_APISERVER_VERSION=$(kubectl version -o=json | $ONESSL jsonpath '{.serverVersion.gitVersion}')
-$ONESSL semver --check='<1.9.0' $KUBE_APISERVER_VERSION || { export SEARCHLIGHT_ENABLE_ADMISSION_WEBHOOK=true; }
+$ONESSL semver --check='<1.9.0' $KUBE_APISERVER_VERSION || { export SEARCHLIGHT_ENABLE_VALIDATING_WEBHOOK=true; }
 
 show_help() {
     echo "searchlight.sh - install searchlight operator"
@@ -79,7 +79,7 @@ show_help() {
     echo "    --docker-registry              docker registry used to pull searchlight images (default: appscode)"
     echo "    --image-pull-secret            name of secret used to pull searchlight operator images"
     echo "    --run-on-master                run searchlight operator on master"
-    echo "    --enable-admission-webhook     configure admission webhook for searchlight CRDs"
+    echo "    --enable-validating-webhook    enable/disable validating webhooks for Searchlight CRDs"
     echo "    --enable-analytics             send usage events to Google Analytics (default: true)"
     echo "    --uninstall                    uninstall searchlight"
     echo "    --purge                        purges searchlight crd objects and crds"
@@ -114,10 +114,10 @@ while test $# -gt 0; do
             export SEARCHLIGHT_IMAGE_PULL_SECRET="name: '$secret'"
             shift
             ;;
-        --enable-admission-webhook*)
+        --enable-validating-webhook*)
             val=`echo $1 | sed -e 's/^[^=]*=//g'`
             if [ "$val" = "false" ]; then
-                export SEARCHLIGHT_ENABLE_ADMISSION_WEBHOOK=false
+                export SEARCHLIGHT_ENABLE_VALIDATING_WEBHOOK=false
             fi
             shift
             ;;
@@ -242,8 +242,8 @@ if [ "$SEARCHLIGHT_RUN_ON_MASTER" -eq 1 ]; then
       --patch="$(${SCRIPT_LOCATION}hack/deploy/run-on-master.yaml)"
 fi
 
-if [ "$SEARCHLIGHT_ENABLE_ADMISSION_WEBHOOK" = true ]; then
-    ${SCRIPT_LOCATION}hack/deploy/admission.yaml | $ONESSL envsubst | kubectl apply -f -
+if [ "$SEARCHLIGHT_ENABLE_VALIDATING_WEBHOOK" = true ]; then
+    ${SCRIPT_LOCATION}hack/deploy/validating-webhook-configuration.yaml | $ONESSL envsubst | kubectl apply -f -
 fi
 
 echo

diff --git a/hack/deploy/admission.yaml → ...loy/validating-webhook-configuration.yaml b/hack/deploy/admission.yaml → ...loy/validating-webhook-configuration.yaml