Default webhook to use the dynamic secret source

Signed-off-by: James Munnelly <james@munnelly.eu>
James Munnelly 2020-03-25 14:11:33 +00:00
parent 5036693fcf
commit 1700833601
15 changed files with 78 additions and 56 deletions


@ -130,6 +130,7 @@ The following table lists the configurable parameters of the cert-manager chart
| `no_proxy` | Value of the `NO_PROXY` environment variable in the cert-manager pod | |
| `webhook.replicaCount` | Number of cert-manager webhook replicas | `1` |
| `webhook.serviceName` | The name of the Service resource deployed for the webhook pod | `cert-manager-webhook` |
| `webhook.rootCASecretName` | The name of the Secret resource that will be used to store the webhook's root CA certificate | `cert-manager-webhook-ca` |
| `webhook.podAnnotations` | Annotations to add to the webhook pods | `{}` |
| `webhook.deploymentAnnotations` | Annotations to add to the webhook deployment | `{}` |
| `webhook.extraArgs` | Optional flags for cert-manager webhook component | `[]` |
@ -140,7 +141,6 @@ The following table lists the configurable parameters of the cert-manager chart
| `webhook.image.repository` | Webhook image repository | `quay.io/jetstack/cert-manager-webhook` |
| `webhook.image.tag` | Webhook image tag | `{{RELEASE_VERSION}}` |
| `webhook.image.pullPolicy` | Webhook image pull policy | `IfNotPresent` |
| `webhook.injectAPIServerCA` | if true, the apiserver's CABundle will be automatically injected into the ValidatingWebhookConfiguration resource | `true` |
| `webhook.securePort` | The port that the webhook should listen on for requests. | `10250` |
| `webhook.securityContext` | Security context for webhook pod assignment | `{}` |
| `cainjector.enabled` | Toggles whether the cainjector component should be installed (required for the webhook component to work) | `true` |


@ -3,7 +3,7 @@ kind: CustomResourceDefinition
metadata:
name: certificaterequests.cert-manager.io
annotations:
cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-tls
cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
spec:
additionalPrinterColumns:
- JSONPath: .status.conditions[?(@.type=="Ready")].status


@ -3,7 +3,7 @@ kind: CustomResourceDefinition
metadata:
name: certificates.cert-manager.io
annotations:
cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-tls
cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
spec:
additionalPrinterColumns:
- JSONPath: .status.conditions[?(@.type=="Ready")].status


@ -3,7 +3,7 @@ kind: CustomResourceDefinition
metadata:
name: challenges.acme.cert-manager.io
annotations:
cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-tls
cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
spec:
additionalPrinterColumns:
- JSONPath: .status.state


@ -3,7 +3,7 @@ kind: CustomResourceDefinition
metadata:
name: clusterissuers.cert-manager.io
annotations:
cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-tls
cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
spec:
additionalPrinterColumns:
- JSONPath: .status.conditions[?(@.type=="Ready")].status


@ -3,7 +3,7 @@ kind: CustomResourceDefinition
metadata:
name: issuers.cert-manager.io
annotations:
cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-tls
cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
spec:
additionalPrinterColumns:
- JSONPath: .status.conditions[?(@.type=="Ready")].status


@ -3,7 +3,7 @@ kind: CustomResourceDefinition
metadata:
name: orders.acme.cert-manager.io
annotations:
cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-tls
cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
spec:
additionalPrinterColumns:
- JSONPath: .status.state


@ -71,26 +71,6 @@ Create chart name and version as used by the chart label.
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- define "webhook.selfSignedIssuer" -}}
{{- $trimmedName := printf "%s" (include "cert-manager.fullname" .) | trunc 46 | trimSuffix "-" -}}
{{ printf "%s-webhook-selfsign" $trimmedName }}
{{- end -}}
{{- define "webhook.rootCAIssuer" -}}
{{- $trimmedName := printf "%s" (include "cert-manager.fullname" .) | trunc 52 | trimSuffix "-" -}}
{{ printf "%s-webhook-ca" $trimmedName }}
{{- end -}}
{{- define "webhook.rootCACertificate" -}}
{{- $trimmedName := printf "%s" (include "cert-manager.fullname" .) | trunc 52 | trimSuffix "-" -}}
{{ printf "%s-webhook-ca" $trimmedName }}
{{- end -}}
{{- define "webhook.servingCertificate" -}}
{{- $trimmedName := printf "%s" (include "cert-manager.fullname" .) | trunc 51 | trimSuffix "-" -}}
{{ printf "%s-webhook-tls" $trimmedName }}
{{- end -}}
{{/*
cainjector templates
*/}}


@ -99,10 +99,6 @@ spec:
- --default-issuer-group={{ .defaultIssuerGroup }}
{{- end }}
{{- end }}
- --webhook-namespace=$(POD_NAMESPACE)
- --webhook-ca-secret={{ include "webhook.rootCACertificate" . }}
- --webhook-serving-secret={{ include "webhook.servingCertificate" . }}
- --webhook-dns-names={{ .Values.webhook.serviceName }},{{ .Values.webhook.serviceName }}.{{ .Release.Namespace }},{{ .Values.webhook.serviceName }}.{{ .Release.Namespace }}.svc
ports:
- containerPort: 9402
protocol: TCP


@ -56,8 +56,9 @@ spec:
- --v={{ .Values.global.logLevel }}
{{- end }}
- --secure-port={{ .Values.webhook.securePort }}
- --tls-cert-file=/certs/tls.crt
- --tls-private-key-file=/certs/tls.key
- --dynamic-serving-ca-secret-namespace={{ .Release.Namespace }}
- --dynamic-serving-ca-secret-name={{ .Values.webhook.rootCASecretName }}
- --dynamic-serving-dns-names={{ .Values.webhook.serviceName }},{{ .Values.webhook.serviceName }}.{{ .Release.Namespace }},{{ .Values.webhook.serviceName }}.{{ .Release.Namespace }}.svc
{{- if .Values.webhook.extraArgs }}
{{ toYaml .Values.webhook.extraArgs | indent 10 }}
{{- end }}
@ -66,11 +67,15 @@ spec:
path: /livez
port: 6080
scheme: HTTP
initialDelaySeconds: 60
periodSeconds: 10
readinessProbe:
httpGet:
path: /healthz
port: 6080
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 5
env:
- name: POD_NAMESPACE
valueFrom:
@ -78,13 +83,6 @@ spec:
fieldPath: metadata.namespace
resources:
{{ toYaml .Values.webhook.resources | indent 12 }}
volumeMounts:
- name: certs
mountPath: /certs
volumes:
- name: certs
secret:
secretName: {{ include "webhook.servingCertificate" . }}
{{- with .Values.webhook.nodeSelector }}
nodeSelector:
{{ toYaml . | indent 8 }}
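Review bot: The new `--dynamic-serving-dns-names` argument (line 150) repeats `.Values.webhook.serviceName` three times and `.Release.Namespace` twice on a single line that runs far past 120 columns, which makes the SAN list hard to audit. Bind the two values once above the args list, `{{- $svc := .Values.webhook.serviceName }}` and `{{- $ns := .Release.Namespace }}`, and write `- --dynamic-serving-dns-names={{ $svc }},{{ $svc }}.{{ $ns }},{{ $svc }}.{{ $ns }}.svc`, or move the list into a named helper now that the old `webhook.servingCertificate` helpers have been deleted. The `--dynamic-serving-ca-secret-*` flags mean the container now reads and writes the CA Secret through the API instead of a mounted volume, so a one-line comment above line 148 such as `# serving cert and CA are generated at runtime; see the dynamic-serving Role` would tell a reader why `volumeMounts`/`volumes` disappeared. The container spec this hunk belongs to starts and ends outside the hunk.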


@ -10,7 +10,7 @@ metadata:
app.kubernetes.io/component: "webhook"
helm.sh/chart: {{ include "webhook.chart" . }}
annotations:
cert-manager.io/inject-ca-from-secret: "{{ .Release.Namespace }}/{{ include "webhook.servingCertificate" . }}"
cert-manager.io/inject-ca-from-secret: "{{ .Release.Namespace }}/{{ .Values.webhook.rootCASecretName }}"
webhooks:
- name: webhook.cert-manager.io
rules:


@ -0,0 +1,47 @@
{{- if .Values.global.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
name: {{ template "webhook.fullname" . }}:dynamic-serving
labels:
app: {{ include "webhook.name" . }}
app.kubernetes.io/name: {{ include "webhook.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
app.kubernetes.io/component: "webhook"
helm.sh/chart: {{ include "webhook.chart" . }}
rules:
- apiGroups: [""]
resources: ["secrets"]
resourceNames:
- '{{ .Values.webhook.rootCASecretName }}'
verbs: ["get", "list", "watch", "update"]
# It's not possible to grant CREATE permission on a single resourceName.
- apiGroups: [""]
resources: ["secrets"]
verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
name: {{ template "webhook.fullname" . }}:dynamic-serving
labels:
app: {{ include "webhook.name" . }}
app.kubernetes.io/name: {{ include "webhook.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
app.kubernetes.io/component: "webhook"
helm.sh/chart: {{ include "webhook.chart" . }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "webhook.fullname" . }}:dynamic-serving
subjects:
- apiGroup: ""
kind: ServiceAccount
name: {{ include "webhook.fullname" . }}
namespace: {{ .Release.Namespace }}
{{- end -}}
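Review bot: The Role and RoleBinding are declared with `rbac.authorization.k8s.io/v1beta1` (lines 201 and 223); `rbac.authorization.k8s.io/v1` has been stable since Kubernetes 1.8 and the beta version is deprecated, so unless the chart still targets older clusters use `apiVersion: rbac.authorization.k8s.io/v1`. The file also mixes `{{ template "webhook.fullname" . }}` (lines 204, 226, 237) with `{{ include "webhook.fullname" . }}` (line 241) for the same value; the label blocks in this file already use `include`, so prefer it throughout. The second rule grants `create` on every Secret in the release namespace, which the comment correctly notes cannot be narrowed with `resourceNames`; that namespace-wide create right for the webhook ServiceAccount is worth stating in the `rootCASecretName` comment in values.yaml, and it is worth verifying that the webhook's `list`/`watch` of the CA Secret is issued with a `metadata.name` field selector, since a plain list is not matched by a `resourceNames`-scoped rule. The whole manifest is gated on `global.rbac.create`, and with it disabled the webhook has no path to create or update the CA Secret, which the chart documentation should mention.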


@ -10,7 +10,7 @@ metadata:
app.kubernetes.io/component: "webhook"
helm.sh/chart: {{ include "webhook.chart" . }}
annotations:
cert-manager.io/inject-ca-from-secret: "{{ .Release.Namespace }}/{{ include "webhook.servingCertificate" . }}"
cert-manager.io/inject-ca-from-secret: "{{ .Release.Namespace }}/{{ .Values.webhook.rootCASecretName }}"
webhooks:
- name: webhook.cert-manager.io
namespaceSelector:


@ -159,8 +159,16 @@ webhook:
# conversion webhook configuration.
# If you change this value, you must also manually update the
# `spec.conversion.webhookClientConfig.service.name` field on all
# cert-manager CRD resources as well.
# cert-manager CRD resources.
serviceName: cert-manager-webhook
# The name of the Secret resource that will be created and used to store the
# root CA used to sign serving certificates for the webhook.
# This will be automatically injected into the Mutating, Validating and CRD
# resources by the cainjector component.
# If you change this value, you must also manually update the
# `cert-manager.io/inject-ca-from-secret` value on all cert-manager CRD
# resources.
rootCASecretName: cert-manager-webhook-ca
strategy: {}
# type: RollingUpdate
@ -195,13 +203,6 @@ webhook:
# tag: canary
pullPolicy: IfNotPresent
# If true, the apiserver's cabundle will be automatically injected into the
# webhook's ValidatingWebhookConfiguration resource by the CA injector.
# in future this will default to false, as the apiserver can use the loopback
# configuration caBundle to talk to itself in kubernetes 1.11+
# see https://github.com/kubernetes/kubernetes/pull/62649
injectAPIServerCA: true
# The port that the webhook should listen on for requests.
# In GKE private clusters, by default kubernetes apiservers are allowed to
# talk to the cluster nodes only on 443 and 10250. so configuring
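Review bot: The new comment above `rootCASecretName` (lines 266-272) tells the user to update the `cert-manager.io/inject-ca-from-secret` annotation on the CRDs only when the secret name changes, but the static CRD manifests in this commit embed the namespace as well (`cert-manager/cert-manager-webhook-ca`), whereas the Helm-rendered webhook configurations use `{{ .Release.Namespace }}`. Installing the chart into any namespace other than `cert-manager` therefore also leaves the CRD annotations pointing at a Secret that does not exist, and cainjector cannot populate the conversion webhook CA. Extend the comment with `# The annotation also embeds the namespace, so installing into a namespace other` / `# than the one in the static CRD manifests requires the same manual update.`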


@ -3,7 +3,7 @@ kind: CustomResourceDefinition
metadata:
name: certificaterequests.cert-manager.io
annotations:
cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-tls
cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
spec:
additionalPrinterColumns:
- JSONPath: .status.conditions[?(@.type=="Ready")].status
@ -209,7 +209,7 @@ kind: CustomResourceDefinition
metadata:
name: certificates.cert-manager.io
annotations:
cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-tls
cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
spec:
additionalPrinterColumns:
- JSONPath: .status.conditions[?(@.type=="Ready")].status
@ -758,7 +758,7 @@ kind: CustomResourceDefinition
metadata:
name: challenges.acme.cert-manager.io
annotations:
cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-tls
cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
spec:
additionalPrinterColumns:
- JSONPath: .status.state
@ -2193,7 +2193,7 @@ kind: CustomResourceDefinition
metadata:
name: clusterissuers.cert-manager.io
annotations:
cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-tls
cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
spec:
additionalPrinterColumns:
- JSONPath: .status.conditions[?(@.type=="Ready")].status
@ -3992,7 +3992,7 @@ kind: CustomResourceDefinition
metadata:
name: issuers.cert-manager.io
annotations:
cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-tls
cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
spec:
additionalPrinterColumns:
- JSONPath: .status.conditions[?(@.type=="Ready")].status
@ -5791,7 +5791,7 @@ kind: CustomResourceDefinition
metadata:
name: orders.acme.cert-manager.io
annotations:
cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-tls
cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
spec:
additionalPrinterColumns:
- JSONPath: .status.state