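## This file contains a CronJob that runs once a day to automatically update the
## caBundle set on the APIService and ValidatingWebhookConfiguration resource.
## This allows us to store the CA bundle in a Secret resource which is
## generated by cert-manager's 'selfsigned' Issuer.
##
## Security notes for reviewers:
## - The ca-sync ServiceAccount is the only identity that can read the root CA
##   Secret and rewrite the cluster-scoped webhook/APIService registrations.
##   Every grant below is pinned with resourceNames to the exact objects named
##   in the ConfigMap; no list/watch/create/delete is granted.
## - Read access to the Secret is a namespaced Role, not part of the
##   ClusterRole, so the grant cannot be used against a same-named Secret in
##   another namespace.
## - The APIService trusts the self-signed root CA from the Secret, while the
##   ValidatingWebhookConfiguration is pointed at the cluster CA (the pod's
##   serviceaccount ca.crt) — presumably because the webhook is reached through
##   the aggregation layer, which serves a cluster-CA signed certificate; verify
##   against the webhook's Service/APIService wiring before changing either.
## - NOTE(review): batch/v1beta1 (CronJob) and rbac.authorization.k8s.io/v1beta1
##   were removed in Kubernetes 1.25 and 1.22 respectively; move to batch/v1 and
##   rbac.authorization.k8s.io/v1 once the chart's minimum Kubernetes version
##   allows it.
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: {{ include "webhook.fullname" . }}-ca-sync
  namespace: {{ .Release.Namespace | quote }}
  labels:
    app: {{ include "webhook.name" . }}
    chart: {{ include "webhook.chart" . }}
    release: {{ .Release.Name | quote }}
    heritage: {{ .Release.Service | quote }}
spec:
  # Once a day at midnight. The previous expression "* * */24 * *" did NOT mean
  # "every 24 hours": "*/24" was in the day-of-month field, so the job fired
  # every minute on the 1st and 25th of each month and never on other days.
  schedule: "0 0 * * *"
  # Never run two sync pods at once; they would race on the same
  # APIService/webhook objects with conflicting update calls.
  concurrencyPolicy: Forbid
  successfulJobsHistoryLimit: 1
  failedJobsHistoryLimit: 3
  jobTemplate:
    spec:
      template:
        metadata:
          labels:
            app: ca-helper
        spec:
          serviceAccountName: {{ include "webhook.fullname" . }}-ca-sync
          # The helper authenticates to the API server with the projected
          # ServiceAccount token and reads the cluster CA from the same mount,
          # so the token must be mounted (this is the default; stated for
          # clarity because the mount path is referenced in the ConfigMap).
          automountServiceAccountToken: true
          restartPolicy: OnFailure
          containers:
            - name: ca-helper
              image: "{{ .Values.caSyncImage.repository }}:{{ .Values.caSyncImage.tag }}"
              imagePullPolicy: {{ .Values.caSyncImage.pullPolicy }}
              args:
                - -config=/config/config
              # The helper needs no kernel privileges: it only talks to the
              # API server and reads two files. runAsNonRoot /
              # readOnlyRootFilesystem are deliberately not set here because
              # the image's user and scratch-dir needs are not known from this
              # chart — TODO confirm against the ca-helper image and add them.
              securityContext:
                allowPrivilegeEscalation: false
                capabilities:
                  drop: ["ALL"]
              volumeMounts:
                - name: config
                  mountPath: /config
                  readOnly: true
              resources:
                requests:
                  cpu: 10m
                  memory: 32Mi
                limits:
                  cpu: 100m
                  memory: 128Mi
          volumes:
            - name: config
              configMap:
                name: {{ include "webhook.fullname" . }}-ca-sync
---
# One-shot Job so the caBundle is populated immediately at install/upgrade
# time instead of waiting for the first CronJob tick. Same pod spec as above.
apiVersion: batch/v1
kind: Job
metadata:
  name: {{ include "webhook.fullname" . }}-ca-sync
  namespace: {{ .Release.Namespace | quote }}
  labels:
    app: {{ include "webhook.name" . }}
    chart: {{ include "webhook.chart" . }}
    release: {{ .Release.Name | quote }}
    heritage: {{ .Release.Service | quote }}
spec:
  template:
    metadata:
      labels:
        app: ca-helper
    spec:
      serviceAccountName: {{ include "webhook.fullname" . }}-ca-sync
      automountServiceAccountToken: true
      restartPolicy: OnFailure
      containers:
        - name: ca-helper
          image: "{{ .Values.caSyncImage.repository }}:{{ .Values.caSyncImage.tag }}"
          imagePullPolicy: {{ .Values.caSyncImage.pullPolicy }}
          args:
            - -config=/config/config
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          volumeMounts:
            - name: config
              mountPath: /config
              readOnly: true
          resources:
            requests:
              cpu: 10m
              memory: 32Mi
            limits:
              cpu: 100m
              memory: 128Mi
      volumes:
        - name: config
          configMap:
            name: {{ include "webhook.fullname" . }}-ca-sync
---
# ca-helper configuration. Each entry names the target object and the source
# of the CA bundle to write into its caBundle field. The object names here
# must match the resourceNames in the Role/ClusterRole below, otherwise the
# helper will be denied (403) rather than silently succeed.
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ include "webhook.fullname" . }}-ca-sync
  namespace: {{ .Release.Namespace | quote }}
  labels:
    app: {{ include "webhook.name" . }}
    chart: {{ include "webhook.chart" . }}
    release: {{ .Release.Name | quote }}
    heritage: {{ .Release.Service | quote }}
data:
  config: |-
    {
      "apiServices": [
        {
          "name": "v1beta1.admission.certmanager.k8s.io",
          "secret": {
            "name": "{{ include "webhook.rootCACertificate" . }}",
            "namespace": "{{ .Release.Namespace }}",
            "key": "tls.crt"
          }
        }
      ],
      "validatingWebhookConfigurations": [
        {
          "name": "{{ include "webhook.fullname" . }}",
          "file": {
            "path": "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
          }
        }
      ]
    }
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ include "webhook.fullname" . }}-ca-sync
  namespace: {{ .Release.Namespace | quote }}
  labels:
    app: {{ include "webhook.name" . }}
    chart: {{ include "webhook.chart" . }}
    release: {{ .Release.Name | quote }}
    heritage: {{ .Release.Service | quote }}
---
# Namespaced grant: read-only access to the single Secret holding the root CA,
# only in the release namespace. Kept out of the ClusterRole on purpose — a
# ClusterRole with resourceNames on "secrets" would match a Secret of the same
# name in every namespace.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  name: {{ include "webhook.fullname" . }}-ca-sync
  namespace: {{ .Release.Namespace | quote }}
  labels:
    app: {{ include "webhook.name" . }}
    chart: {{ include "webhook.chart" . }}
    release: {{ .Release.Name | quote }}
    heritage: {{ .Release.Service | quote }}
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get"]
    resourceNames:
      - {{ include "webhook.rootCACertificate" . }}
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: {{ include "webhook.fullname" . }}-ca-sync
  namespace: {{ .Release.Namespace | quote }}
  labels:
    app: {{ include "webhook.name" . }}
    chart: {{ include "webhook.chart" . }}
    release: {{ .Release.Name | quote }}
    heritage: {{ .Release.Service | quote }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ include "webhook.fullname" . }}-ca-sync
subjects:
  - kind: ServiceAccount
    name: {{ include "webhook.fullname" . }}-ca-sync
    namespace: {{ .Release.Namespace | quote }}
---
# Cluster-scoped grant: get/update on exactly the two registration objects the
# helper rewrites. "mutatingwebhookconfigurations" is not granted because the
# ConfigMap above configures no mutating webhook, so that permission was unused.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: {{ include "webhook.fullname" . }}-ca-sync
  labels:
    app: {{ include "webhook.name" . }}
    chart: {{ include "webhook.chart" . }}
    release: {{ .Release.Name | quote }}
    heritage: {{ .Release.Service | quote }}
rules:
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["validatingwebhookconfigurations"]
    verbs: ["get", "update"]
    resourceNames:
      - {{ include "webhook.fullname" . }}
  - apiGroups: ["apiregistration.k8s.io"]
    resources: ["apiservices"]
    verbs: ["get", "update"]
    resourceNames:
      - v1beta1.admission.certmanager.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: {{ include "webhook.fullname" . }}-ca-sync
  labels:
    app: {{ include "webhook.name" . }}
    chart: {{ include "webhook.chart" . }}
    release: {{ .Release.Name | quote }}
    heritage: {{ .Release.Service | quote }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "webhook.fullname" . }}-ca-sync
subjects:
  - kind: ServiceAccount
    name: {{ include "webhook.fullname" . }}-ca-sync
    namespace: {{ .Release.Namespace | quote }}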