8 changes: 4 additions & 4 deletions config/certmanager/certificate.yaml
@@ -14,11 +14,11 @@ metadata:
name: serving-cert # this name should match the one appeared in kustomizeconfig.yaml
namespace: system
spec:
# $(SERVICE_NAME) and $(SERVICE_NAMESPACE) will be substituted by kustomize
# SERVICE_NAME and SERVICE_NAMESPACE will be substituted by kustomize
dnsNames:
- $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc
- $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local
- SERVICE_NAME.SERVICE_NAMESPACE.svc
- SERVICE_NAME.SERVICE_NAMESPACE.svc.cluster.local
issuerRef:
kind: Issuer
name: selfsigned-issuer
secretName: $(SERVICE_NAME)-cert # this secret will not be prefixed, since it's not managed by kustomize
secretName: SERVICE_NAME-cert # this secret will not be prefixed, since it's not managed by kustomize
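Review bot: The new placeholders `SERVICE_NAME.SERVICE_NAMESPACE.svc` and `SERVICE_NAME-cert` are ordinary-looking strings, so if this Certificate is built without the replacements in config/default/kustomization.yaml, or a selector there stops matching, nothing fails at build time and the Certificate is rendered with the literal placeholder DNS names and secret name. The same applies to `secretName: CERT_SECRET_NAME` in config/default/manager_webhook_patch.yaml. I would have the comment say where the substitution happens and that it is positional, e.g. `# SERVICE_NAME and SERVICE_NAMESPACE are placeholders; replacements in config/default/kustomization.yaml overwrite the first two '.'-separated segments of dnsNames.0 and dnsNames.1`, and check the rendered manifests for leftover placeholders in CI. The trailing comment on `secretName` also looks stale: a replacement now overwrites the part before `-` with the webhook Service's name, so "will not be prefixed" presumably no longer holds and is worth confirming.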
8 changes: 0 additions & 8 deletions config/crd/kustomization.yaml
@@ -20,14 +20,6 @@ patches:
- path: patches/webhook_in_openstackclustertemplates.yaml
# +kubebuilder:scaffold:crdkustomizewebhookpatch

# [CERTMANAGER] To enable webhook, uncomment all the sections with [CERTMANAGER] prefix.
# patches here are for enabling the CA injection for each CRD
- path: patches/cainjection_in_openstackclusters.yaml
- path: patches/cainjection_in_openstackmachines.yaml
- path: patches/cainjection_in_openstackmachinetemplates.yaml
- path: patches/cainjection_in_openstackclustertemplates.yaml
# +kubebuilder:scaffold:crdkustomizecainjectionpatch

# the following config is for teaching kustomize how to do kustomization for CRDs.
configurations:
- kustomizeconfig.yaml
8 changes: 0 additions & 8 deletions config/crd/patches/cainjection_in_openstackclusters.yaml

This file was deleted.


8 changes: 0 additions & 8 deletions config/crd/patches/cainjection_in_openstackmachines.yaml

This file was deleted.


128 changes: 115 additions & 13 deletions config/default/kustomization.yaml
@@ -20,33 +20,135 @@ patches:
# Enable webhook.
- path: manager_webhook_patch.yaml

vars:
- name: CERTIFICATE_NAMESPACE # namespace of the certificate CR
objref:
replacements:
- source: # Add cert-manager annotation to ValidatingWebhookConfiguration, MutatingWebhookConfiguration and CRDs
kind: Certificate
group: cert-manager.io
version: v1
name: serving-cert # this name should match the one in certificate.yaml
fieldref:
fieldpath: metadata.namespace
- name: CERTIFICATE_NAME
objref:
fieldPath: .metadata.namespace # namespace of the certificate CR
targets:
- select:
kind: ValidatingWebhookConfiguration
fieldPaths:
- .metadata.annotations.[cert-manager.io/inject-ca-from]
options:
delimiter: '/'
index: 0
create: true
- select:
kind: MutatingWebhookConfiguration
fieldPaths:
- .metadata.annotations.[cert-manager.io/inject-ca-from]
options:
delimiter: '/'
index: 0
create: true
- select:
kind: CustomResourceDefinition
fieldPaths:
- .metadata.annotations.[cert-manager.io/inject-ca-from]
options:
delimiter: '/'
index: 0
create: true
- source:
kind: Certificate
group: cert-manager.io
version: v1
name: serving-cert # this name should match the one in certificate.yaml
- name: SERVICE_NAMESPACE # namespace of the service
objref:
fieldPath: .metadata.name
targets:
- select:
kind: ValidatingWebhookConfiguration
fieldPaths:
- .metadata.annotations.[cert-manager.io/inject-ca-from]
options:
delimiter: '/'
index: 1
create: true
- select:
kind: MutatingWebhookConfiguration
fieldPaths:
- .metadata.annotations.[cert-manager.io/inject-ca-from]
options:
delimiter: '/'
index: 1
create: true
- select:
kind: CustomResourceDefinition
fieldPaths:
- .metadata.annotations.[cert-manager.io/inject-ca-from]
options:
delimiter: '/'
index: 1
create: true
- source: # Add cert-manager annotation to the webhook Service
kind: Service
version: v1
name: webhook-service
fieldref:
fieldpath: metadata.namespace
- name: SERVICE_NAME
objref:
fieldPath: .metadata.name # namespace of the service
targets:
- select:
kind: Certificate
group: cert-manager.io
version: v1
name: serving-cert
fieldPaths:
- .spec.dnsNames.0
- .spec.dnsNames.1
options:
delimiter: '.'
index: 0
create: false
- source:
kind: Service
version: v1
name: webhook-service
fieldPath: .metadata.namespace # namespace of the service
targets:
- select:
kind: Certificate
group: cert-manager.io
version: v1
name: serving-cert
fieldPaths:
- .spec.dnsNames.0
- .spec.dnsNames.1
options:
delimiter: '.'
index: 1
create: false
- source: # Prefix the certificate secret name with the name of service
kind: Service
version: v1
name: webhook-service
fieldPath: .metadata.name # namespace of the service
targets:
- select:
kind: Certificate
group: cert-manager.io
version: v1
fieldPaths:
- .spec.secretName
options:
delimiter: '-'
index: 0
create: false
- source: # Certificate secret name
kind: Certificate
group: cert-manager.io
version: v1
name: serving-cert
fieldPath: .spec.secretName
targets:
- select:
kind: Deployment
group: apps
version: v1
name: controller-manager
fieldPaths:
- .spec.template.spec.volumes.[name=cert].secret.secretName

configurations:
- kustomizeconfig.yaml
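Review bot: The two `kind: CustomResourceDefinition` selects have no `name`, so with `create: true` the `cert-manager.io/inject-ca-from` annotation is added to every CRD in the build, while the cainjection patches this commit removes from config/crd/kustomization.yaml were listed one file per CRD. If any CRD here has no conversion webhook (not visible from this page), cainjector would be pointed at it as well; narrowing each select with `name: <CRD_NAME_PLACEHOLDER>`, or adding a `reject:` entry for the CRDs that should stay untouched, keeps CA injection limited to the resources that need it. Separately, the inline comment `# namespace of the service` sits on two `fieldPath: .metadata.name` lines and should read `# name of the service`. The `# Add cert-manager annotation to the webhook Service` comment also heads a block that actually writes the Service name into the Certificate's dnsNames.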
3 changes: 2 additions & 1 deletion config/default/manager_webhook_patch.yaml
@@ -20,4 +20,5 @@ spec:
- name: cert
secret:
defaultMode: 420
secretName: $(SERVICE_NAME)-cert
# kustomize will populate this from the Certificate secretName
secretName: CERT_SECRET_NAME
3 changes: 0 additions & 3 deletions config/webhook/cainjection_patch.yaml

This file was deleted.

8 changes: 0 additions & 8 deletions config/webhook/kustomization.yaml
@@ -4,11 +4,3 @@ resources:

configurations:
- kustomizeconfig.yaml

patches:
# Inject certificate in the webhook definition.
- target:
group: admissionregistration.k8s.io
version: v1
name: mutating-webhook-configuration|validating-webhook-configuration
path: cainjection_patch.yaml