diff --git a/config/certmanager/certificate.yaml b/config/certmanager/certificate.yaml
index abf6713a78..0faab7505e 100644
--- a/config/certmanager/certificate.yaml
+++ b/config/certmanager/certificate.yaml
@@ -14,11 +14,11 @@ metadata:
 name: serving-cert # this name should match the one appeared in kustomizeconfig.yaml
 namespace: system
 spec:
- # $(SERVICE_NAME) and $(SERVICE_NAMESPACE) will be substituted by kustomize
+ # SERVICE_NAME and SERVICE_NAMESPACE will be substituted by kustomize
 dnsNames:
- - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc
- - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local
+ - SERVICE_NAME.SERVICE_NAMESPACE.svc
+ - SERVICE_NAME.SERVICE_NAMESPACE.svc.cluster.local
 issuerRef:
 kind: Issuer
 name: selfsigned-issuer
- secretName: $(SERVICE_NAME)-cert # this secret will not be prefixed, since it's not managed by kustomize
+ secretName: SERVICE_NAME-cert # this secret will not be prefixed, since it's not managed by kustomize
diff --git a/config/crd/kustomization.yaml b/config/crd/kustomization.yaml
index 4becb40676..f26fa8c3b8 100644
--- a/config/crd/kustomization.yaml
+++ b/config/crd/kustomization.yaml
@@ -20,14 +20,6 @@ patches:
 - path: patches/webhook_in_openstackclustertemplates.yaml
 # +kubebuilder:scaffold:crdkustomizewebhookpatch
 
-# [CERTMANAGER] To enable webhook, uncomment all the sections with [CERTMANAGER] prefix.
-# patches here are for enabling the CA injection for each CRD
-- path: patches/cainjection_in_openstackclusters.yaml
-- path: patches/cainjection_in_openstackmachines.yaml
-- path: patches/cainjection_in_openstackmachinetemplates.yaml
-- path: patches/cainjection_in_openstackclustertemplates.yaml
-# +kubebuilder:scaffold:crdkustomizecainjectionpatch
-
 # the following config is for teaching kustomize how to do kustomization for CRDs.
 configurations:
 - kustomizeconfig.yaml
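Review bot: The trailing comment on `secretName` is now stale: under the new `replacements` in config/default/kustomization.yaml the `SERVICE_NAME` token in `.spec.secretName` is overwritten with the webhook Service's `.metadata.name`, so the secret name does follow whatever name kustomize gives that Service. The same applies to the `dnsNames` entries, which only become valid hostnames once those replacements run; building this overlay on its own would leave the literal `SERVICE_NAME.SERVICE_NAMESPACE.svc` in the Certificate. I would change the line to `secretName: SERVICE_NAME-cert # SERVICE_NAME is replaced with the webhook Service name by config/default/kustomization.yaml` and extend the comment above `dnsNames` to name that file as well.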
diff --git a/config/crd/patches/cainjection_in_openstackclusters.yaml b/config/crd/patches/cainjection_in_openstackclusters.yaml
deleted file mode 100644
index fc4d7b75cf..0000000000
--- a/config/crd/patches/cainjection_in_openstackclusters.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-# The following patch adds a directive for certmanager to inject CA into the CRD
-# CRD conversion requires k8s 1.13 or later.
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
- name: openstackclusters.infrastructure.cluster.x-k8s.io
diff --git a/config/crd/patches/cainjection_in_openstackclustertemplates.yaml b/config/crd/patches/cainjection_in_openstackclustertemplates.yaml
deleted file mode 100644
index f7bc3a1156..0000000000
--- a/config/crd/patches/cainjection_in_openstackclustertemplates.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-# The following patch adds a directive for certmanager to inject CA into the CRD
-# CRD conversion requires k8s 1.13 or later.
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
- name: openstackclustertemplates.infrastructure.cluster.x-k8s.io
diff --git a/config/crd/patches/cainjection_in_openstackmachines.yaml b/config/crd/patches/cainjection_in_openstackmachines.yaml
deleted file mode 100644
index 48c5a6c247..0000000000
--- a/config/crd/patches/cainjection_in_openstackmachines.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-# The following patch adds a directive for certmanager to inject CA into the CRD
-# CRD conversion requires k8s 1.13 or later.
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
- name: openstackmachines.infrastructure.cluster.x-k8s.io
diff --git a/config/crd/patches/cainjection_in_openstackmachinetemplates.yaml b/config/crd/patches/cainjection_in_openstackmachinetemplates.yaml
deleted file mode 100644
index e48fbbb23a..0000000000
--- a/config/crd/patches/cainjection_in_openstackmachinetemplates.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-# The following patch adds a directive for certmanager to inject CA into the CRD
-# CRD conversion requires k8s 1.13 or later.
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
- name: openstackmachinetemplates.infrastructure.cluster.x-k8s.io
diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml
index 758f21ef30..720fff6c07 100644
--- a/config/default/kustomization.yaml
+++ b/config/default/kustomization.yaml
@@ -20,33 +20,135 @@ patches:
 # Enable webhook.
 - path: manager_webhook_patch.yaml
 
-vars:
- - name: CERTIFICATE_NAMESPACE # namespace of the certificate CR
- objref:
+replacements:
+ - source: # Add cert-manager annotation to ValidatingWebhookConfiguration, MutatingWebhookConfiguration and CRDs
 kind: Certificate
 group: cert-manager.io
 version: v1
 name: serving-cert # this name should match the one in certificate.yaml
- fieldref:
- fieldpath: metadata.namespace
- - name: CERTIFICATE_NAME
- objref:
+ fieldPath: .metadata.namespace # namespace of the certificate CR
+ targets:
+ - select:
+ kind: ValidatingWebhookConfiguration
+ fieldPaths:
+ - .metadata.annotations.[cert-manager.io/inject-ca-from]
+ options:
+ delimiter: '/'
+ index: 0
+ create: true
+ - select:
+ kind: MutatingWebhookConfiguration
+ fieldPaths:
+ - .metadata.annotations.[cert-manager.io/inject-ca-from]
+ options:
+ delimiter: '/'
+ index: 0
+ create: true
+ - select:
+ kind: CustomResourceDefinition
+ fieldPaths:
+ - .metadata.annotations.[cert-manager.io/inject-ca-from]
+ options:
+ delimiter: '/'
+ index: 0
+ create: true
+ - source:
 kind: Certificate
 group: cert-manager.io
 version: v1
 name: serving-cert # this name should match the one in certificate.yaml
- - name: SERVICE_NAMESPACE # namespace of the service
- objref:
+ fieldPath: .metadata.name
+ targets:
+ - select:
+ kind: ValidatingWebhookConfiguration
+ fieldPaths:
+ - .metadata.annotations.[cert-manager.io/inject-ca-from]
+ options:
+ delimiter: '/'
+ index: 1
+ create: true
+ - select:
+ kind: MutatingWebhookConfiguration
+ fieldPaths:
+ - .metadata.annotations.[cert-manager.io/inject-ca-from]
+ options:
+ delimiter: '/'
+ index: 1
+ create: true
+ - select:
+ kind: CustomResourceDefinition
+ fieldPaths:
+ - .metadata.annotations.[cert-manager.io/inject-ca-from]
+ options:
+ delimiter: '/'
+ index: 1
+ create: true
+ - source: # Add cert-manager annotation to the webhook Service
 kind: Service
 version: v1
 name: webhook-service
- fieldref:
- fieldpath: metadata.namespace
- - name: SERVICE_NAME
- objref:
+ fieldPath: .metadata.name # namespace of the service
+ targets:
+ - select:
+ kind: Certificate
+ group: cert-manager.io
+ version: v1
+ name: serving-cert
+ fieldPaths:
+ - .spec.dnsNames.0
+ - .spec.dnsNames.1
+ options:
+ delimiter: '.'
+ index: 0
+ create: false
+ - source:
 kind: Service
 version: v1
 name: webhook-service
+ fieldPath: .metadata.namespace # namespace of the service
+ targets:
+ - select:
+ kind: Certificate
+ group: cert-manager.io
+ version: v1
+ name: serving-cert
+ fieldPaths:
+ - .spec.dnsNames.0
+ - .spec.dnsNames.1
+ options:
+ delimiter: '.'
+ index: 1
+ create: false
+ - source: # Prefix the certificate secret name with the name of service
+ kind: Service
+ version: v1
+ name: webhook-service
+ fieldPath: .metadata.name # namespace of the service
+ targets:
+ - select:
+ kind: Certificate
+ group: cert-manager.io
+ version: v1
+ fieldPaths:
+ - .spec.secretName
+ options:
+ delimiter: '-'
+ index: 0
+ create: false
+ - source: # Certificate secret name
+ kind: Certificate
+ group: cert-manager.io
+ version: v1
+ name: serving-cert
+ fieldPath: .spec.secretName
+ targets:
+ - select:
+ kind: Deployment
+ group: apps
+ version: v1
+ name: controller-manager
+ fieldPaths:
+ - .spec.template.spec.volumes.[name=cert].secret.secretName
 
 configurations:
 - kustomizeconfig.yaml
diff --git a/config/default/manager_webhook_patch.yaml b/config/default/manager_webhook_patch.yaml
index b387eb0eae..1e474e3b21 100644
--- a/config/default/manager_webhook_patch.yaml
+++ b/config/default/manager_webhook_patch.yaml
@@ -20,4 +20,5 @@ spec:
 - name: cert
 secret:
 defaultMode: 420
- secretName: $(SERVICE_NAME)-cert
+ # kustomize will populate this from the Certificate secretName
+ secretName: CERT_SECRET_NAME
diff --git a/config/webhook/cainjection_patch.yaml b/config/webhook/cainjection_patch.yaml
deleted file mode 100644
index 0e0f5506fc..0000000000
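Review bot: The replacement headed `# Prefix the certificate secret name with the name of service` selects `kind: Certificate` by group and version only, without `name: serving-cert`, unlike every other Certificate target in this hunk, so it would rewrite `.spec.secretName` on any other Certificate that ends up in this build; adding `name: serving-cert` under that `select` keeps it scoped like its siblings. The inline comments were carried over from the old `vars` and no longer match the fields: the two `webhook-service` sources with `fieldPath: .metadata.name` say `# namespace of the service` and should read `# name of the service`. The last replacement reads the Certificate's `.spec.secretName` only after the previous one has rewritten it, which I believe holds because kustomize applies replacements in list order; a short comment such as `# must stay after the secretName replacement above` would make that dependency visible to the next editor.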
--- a/config/webhook/cainjection_patch.yaml
+++ /dev/null
@@ -1,3 +0,0 @@
-- op: add
- path: "/metadata/annotations/cert-manager.io~1inject-ca-from"
- value: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
diff --git a/config/webhook/kustomization.yaml b/config/webhook/kustomization.yaml
index eb9bf3d616..9cf26134e4 100644
--- a/config/webhook/kustomization.yaml
+++ b/config/webhook/kustomization.yaml
@@ -4,11 +4,3 @@ resources:
 
 configurations:
 - kustomizeconfig.yaml
-
-patches:
-# Inject certificate in the webhook definition.
-- target:
- group: admissionregistration.k8s.io
- version: v1
- name: mutating-webhook-configuration|validating-webhook-configuration
- path: cainjection_patch.yaml