fix: Inject custom ca and certificates

cmd/build/helmify/kustomize-for-helm.yaml

@@ -65,6 +65,7 @@ spec:
             - --exempt-namespace={{ .Release.Namespace }}
             - --operation=webhook
             - --enable-mutation={{ .Values.experimentalEnableMutation}}
+            - --disable-cert-rotation={{ not .Values.certificates.generate }}
             - HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_DISABLED_BUILTIN
           imagePullPolicy: "{{ .Values.image.pullPolicy }}"
           image: "{{ .Values.image.repository }}:{{ .Values.image.release }}"
@@ -80,6 +81,10 @@ spec:
         HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_IMAGE_PULL_SECRETS: ""
       hostNetwork: HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_HOST_NETWORK
       priorityClassName: HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_PRIORITY_CLASS_NAME
+      volumes:
+        - name: cert
+          secret:
+            secretName: "{{ .Values.certificates.secretName }}"
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -133,29 +138,31 @@ metadata:
   labels:
     gatekeeper.sh/system: "yes"
   name: gatekeeper-validating-webhook-configuration
+  annotations:
+    HELMSUBST_VALIDATING_WEBHOOK_ANNOTATIONS: ""
 webhooks:
-- clientConfig:
-    service:
-      name: gatekeeper-webhook-service
-      namespace: gatekeeper-system
-      path: /v1/admit
-  name: validation.gatekeeper.sh
-  timeoutSeconds: HELMSUBST_VALIDATING_WEBHOOK_TIMEOUT
-  rules:
-  - apiGroups:
-    - "*"
-    apiVersions:
-    - '*'
-    operations: HELMSUBST_VALIDATING_WEBHOOK_OPERATION_RULES
-    resources:
-    - '*'
-- clientConfig:
-    service:
-      name: gatekeeper-webhook-service
-      namespace: gatekeeper-system
-      path: /v1/admitlabel
-  name: check-ignore-label.gatekeeper.sh
-  timeoutSeconds: HELMSUBST_VALIDATING_WEBHOOK_TIMEOUT
+  - clientConfig:
+      service:
+        name: gatekeeper-webhook-service
+        namespace: gatekeeper-system
+        path: /v1/admit
+    name: validation.gatekeeper.sh
+    timeoutSeconds: HELMSUBST_VALIDATING_WEBHOOK_TIMEOUT
+    rules:
+      - apiGroups:
+          - "*"
+        apiVersions:
+          - "*"
+        operations: HELMSUBST_VALIDATING_WEBHOOK_OPERATION_RULES
+        resources:
+          - "*"
+  - clientConfig:
+      service:
+        name: gatekeeper-webhook-service
+        namespace: gatekeeper-system
+        path: /v1/admitlabel
+    name: check-ignore-label.gatekeeper.sh
+    timeoutSeconds: HELMSUBST_VALIDATING_WEBHOOK_TIMEOUT
 ---
 apiVersion: policy/v1beta1
 kind: PodDisruptionBudget
@@ -180,8 +187,8 @@ spec:
     pods: HELMSUBST_RESOURCEQUOTA_POD_LIMIT
   scopeSelector:
     matchExpressions:
-    - operator: In
-      scopeName: PriorityClass
-      values:
-      - HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_PRIORITY_CLASS_NAME
-      - HELMSUBST_DEPLOYMENT_AUDIT_PRIORITY_CLASS_NAME
+      - operator: In
+        scopeName: PriorityClass
+        values:
+          - HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_PRIORITY_CLASS_NAME
+          - HELMSUBST_DEPLOYMENT_AUDIT_PRIORITY_CLASS_NAME

cmd/build/helmify/main.go

@@ -101,6 +101,10 @@ func (ks *kindSet) Write() error {
 				obj = "{{- if .Values.experimentalEnableMutation }}\n" + obj + "{{- end }}\n"
 			}
 
+			if name == "gatekeeper-webhook-server-cert" && kind == "Secret" {
+				obj = "{{- if .Values.controllerManager.generateCertificate }}\n" + obj + "{{- end }}\n"
+			}
+
 			if kind == "Deployment" {
 				obj = strings.Replace(obj, "      labels:", "      labels:\n{{- include \"gatekeeper.podLabels\" . }}", 1)
 			}

cmd/build/helmify/replacements.go

@@ -37,6 +37,10 @@ var replacements = map[string]string{
 
 	"HELMSUBST_VALIDATING_WEBHOOK_TIMEOUT": `{{ .Values.validatingWebhookTimeoutSeconds }}`,
 
+	`HELMSUBST_VALIDATING_WEBHOOK_ANNOTATIONS: ""`: `{{- toYaml .Values.validatingWebhookAnnotations | trim | nindent 4 }}`,
+
+	`HELMSUBST_MUTATING_WEBHOOK_ANNOTATIONS: ""`: `{{- toYaml .Values.mutatingWebhookAnnotations | trim | nindent 4 }}`,
+
 	"HELMSUBST_RESOURCEQUOTA_POD_LIMIT": `{{ .Values.podCountLimit }}`,
 
 	"HELMSUBST_VALIDATING_WEBHOOK_OPERATION_RULES": `

cmd/build/helmify/static/values.yaml

@@ -5,8 +5,10 @@ constraintViolationsLimit: 20
 auditFromCache: false
 disableValidatingWebhook: false
 validatingWebhookTimeoutSeconds: 3
+validatingWebhookAnnotations: {}
 enableDeleteOperations: false
 experimentalEnableMutation: false
+mutatingWebhookAnnotations: {}
 auditChunkSize: 0
 logLevel: INFO
 logDenies: false
@@ -30,6 +32,9 @@ podAnnotations:
 podLabels: {}
 podCountLimit: 100
 secretAnnotations: {}
+certificates:
+  generate: true
+  secretName: gatekeeper-webhook-server-cert
 controllerManager:
   hostNetwork: false
   priorityClassName: system-cluster-critical

config/overlays/mutation_webhook/kustomization.yaml

@@ -1,6 +1,6 @@
 # TODO: this is a temporary kustomization for the mutation webhook
 # It is kept separate until the mutation feature is stable enough,
-# when the mutation webhook should be moved to config/webhooks/manifests.yaml  
+# when the mutation webhook should be moved to config/webhooks/manifests.yaml
 
 namespace: gatekeeper-system
 
@@ -12,11 +12,10 @@ resources:
   - mutations.gatekeeper.sh_assign.yaml
   - mutations.gatekeeper.sh_assignmetadata.yaml
 
-
 patchesJson6902:
-- target:
-    group: rbac.authorization.k8s.io
-    version: v1
-    kind: ClusterRole
-    name: manager-role
-  path: webhook_permissions_patch.yaml
+  - target:
+      group: rbac.authorization.k8s.io
+      version: v1
+      kind: ClusterRole
+      name: manager-role
+    path: webhook_permissions_patch.yaml

config/overlays/mutation_webhook/webhook.yaml

@@ -7,26 +7,28 @@ kind: MutatingWebhookConfiguration
 metadata:
   creationTimestamp: null
   name: gatekeeper-mutating-webhook-configuration
+  annotations:
+    HELMSUBST_MUTATING_WEBHOOK_ANNOTATIONS: ""
 webhooks:
-- admissionReviewVersions:
-  - v1
-  - v1beta1
-  clientConfig:
-    service:
-      name: webhook-service
-      namespace: system
-      path: /v1/mutate
-  failurePolicy: Ignore
-  name: mutation.gatekeeper.sh
-  matchPolicy: Exact
-  rules:
-  - apiGroups:
-    - '*'
-    apiVersions:
-    - '*'
-    operations:
-    - CREATE
-    - UPDATE
-    resources:
-    - '*'
-  sideEffects: None
+  - admissionReviewVersions:
+      - v1
+      - v1beta1
+    clientConfig:
+      service:
+        name: webhook-service
+        namespace: system
+        path: /v1/mutate
+    failurePolicy: Ignore
+    name: mutation.gatekeeper.sh
+    matchPolicy: Exact
+    rules:
+      - apiGroups:
+          - "*"
+        apiVersions:
+          - "*"
+        operations:
+          - CREATE
+          - UPDATE
+        resources:
+          - "*"
+    sideEffects: None