To create the CustomResourceDefinitions, apply kubernetes-config.yaml from core/target/classes/com/predic8/membrane/core/config/kubernetes/ or a part (e.g. the 'serviceproxies' CRD) of the file.
Create a key and certificate for TLS for https://membrane-validator.membrane-soa.svc:444/ and set up Membrane to serve this address. The configuration shown below runs Membrane on a fixed IP address outside of the Kubernetes cluster, but this is not a requirement.
Embed the following serviceProxy and adjust the 'resources' attribute to a comma-separated list of CRDs that you applied. Note that while the CRDs have plural names, here you need to use the corresponding singular. Configure the "ssl" section using your key and certificate.
```xml
<serviceProxy port="444">
  <ssl>
    <key>
      <private>
        -----BEGIN RSA PRIVATE KEY-----
        ...
        -----END RSA PRIVATE KEY-----
      </private>
      <certificate>
        -----BEGIN CERTIFICATE-----
        ...
        -----END CERTIFICATE-----
      </certificate>
    </key>
  </ssl>
  <kubernetesValidation resources="serviceproxy" />
</serviceProxy>
```
 
 Now register a Webhook to validate the new CRDs. (A note to the experts: Membrane's validation schemas are too complex to fit into the CRD, because they are highly nestable and self-referencing. We therefore use webhooks.)
```yaml
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: membrane
webhooks:
  - name: membrane.membrane-soa.org
    admissionReviewVersions: ["v1", "v1beta1"]
    failurePolicy: Fail
    rules:
      - operations: [ "*" ]
        apiGroups: [ "membrane-soa.org" ]
        apiVersions: [ "v1", "v1beta1" ]
        resources: [ "*" ]
        scope: "*"
    clientConfig:
      service:
        name: membrane-validator
        namespace: membrane-soa
        port: 444
      caBundle: LS0t...LQ0K        # base64 encoded, PEM-formatted CA certificate
    sideEffects: None
---
apiVersion: v1
kind: Namespace
metadata:
  name: membrane-soa
---
apiVersion: v1
kind: Service
metadata:
  namespace: membrane-soa
  name: membrane-validator
spec:
  ports:
    - port: 444
---
apiVersion: v1
kind: Endpoints
metadata:
  namespace: membrane-soa
  name: membrane-validator
subsets:
  - addresses:
      - ip: 192.168.0.1   # Membrane's IP
    ports:
      - port: 444
```
 
 Once this setup is complete, you can enable serviceProxies like this:
```yaml
apiVersion: membrane-api.io/v1beta2
kind: serviceproxy
metadata:
  name: demo
  namespace: membrane-soa
spec:
  host: demo.predic8.de
  path:
    value: /some-path/
  interceptors:
    - response:
        interceptors:
          - groovy:
              src: |
                println "Hello!"
  target:
    host: thomas-bayer.com
```

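
A request that matches no webhook rule is never sent to the webhook, so `failurePolicy: Fail` does not cover it. The following added example (not part of the Membrane documentation) checks a manifest's apiVersion and plural resource name against the rule registered above; the function names are assumptions of this example.

```python
# Added example: does a ValidatingWebhookConfiguration rule route a manifest
# to the webhook? Matching uses the rule fields operations, apiGroups,
# apiVersions and resources; "*" matches any value. The rule's scope is "*"
# on this page, so scope is not checked here.

# Rule copied from the webhook registration on this page.
PAGE_WEBHOOK = {
    "name": "membrane.membrane-soa.org",
    "failurePolicy": "Fail",
    "rules": [{
        "operations": ["*"],
        "apiGroups": ["membrane-soa.org"],
        "apiVersions": ["v1", "v1beta1"],
        "resources": ["*"],
        "scope": "*",
    }],
}


def _allowed(patterns, value):
    """A rule field matches when it lists the value or the wildcard."""
    return "*" in patterns or value in patterns


def split_api_version(api_version):
    """'group/version' -> (group, version); core resources have group ''."""
    group, _, version = api_version.rpartition("/")
    return group, version


def uncovered_fields(rule, api_version, resource, operation="CREATE"):
    """Return the rule fields that do NOT match; an empty list means covered."""
    group, version = split_api_version(api_version)
    checks = {
        "operations": operation,
        "apiGroups": group,
        "apiVersions": version,
        "resources": resource,  # plural CRD name, e.g. 'serviceproxies'
    }
    return [field for field, value in checks.items()
            if not _allowed(rule.get(field, []), value)]


def is_validated(webhook, api_version, resource, operation="CREATE"):
    """True if at least one rule routes the request to the webhook."""
    return any(not uncovered_fields(rule, api_version, resource, operation)
               for rule in webhook["rules"])
```

With the rule as registered on this page, a `membrane-soa.org/v1beta1` manifest is covered, while one declaring `membrane-api.io/v1beta2` is not; the rule has to list the group and versions of the CRDs you applied.
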
 | Name | Required | Default | Description | Examples | 
|---|---|---|---|---|
| resources | false | - | The resources (CustomResourceDefinition Kinds, singular) to watch in the Kubernetes API, comma separated. | serviceproxy, ssl | 
| namespaces | false | membrane-soa | The list of namespaces to watch, comma separated. A single '*' means "watch all namespaces". | * |