fix ca injection - wip

.github/workflows/test-e2e-samples.yml

@@ -41,7 +41,9 @@ jobs:
         run: |
           KUSTOMIZATION_FILE_PATH="testdata/project-v4/config/default/kustomization.yaml"
           sed -i '25s/^#//' $KUSTOMIZATION_FILE_PATH
-          sed -i '50,177s/^#//' $KUSTOMIZATION_FILE_PATH
+          # Uncomment all cert-manager injections
+          sed -i '50,172s/^#//' $KUSTOMIZATION_FILE_PATH
+          sed -i '174,198s/^#//' $KUSTOMIZATION_FILE_PATH
           cd testdata/project-v4/
           go mod tidy
 
@@ -81,9 +83,12 @@ jobs:
           KUSTOMIZATION_FILE_PATH="testdata/project-v4-with-plugins/config/default/kustomization.yaml"
           sed -i '25s/^#//' $KUSTOMIZATION_FILE_PATH
           # Uncomment only ValidatingWebhookConfiguration
-          # from cert-manager replaces
-          sed -i '50,116s/^#//' $KUSTOMIZATION_FILE_PATH
-          sed -i '148,177s/^#//' $KUSTOMIZATION_FILE_PATH
+          # from cert-manager replaces; we are leaving defaulting uncommented
+          # since this sample has no defaulting webhooks
+          sed -i '50,155s/^#//' $KUSTOMIZATION_FILE_PATH
+          # Uncomment only --conversion webhooks CA injection
+          sed -i '144,163s/^#//' $KUSTOMIZATION_FILE_PATH
+          sed -i '165,180s/^#//' $KUSTOMIZATION_FILE_PATH
           cd testdata/project-v4-with-plugins/
           go mod tidy
 

docs/book/src/cronjob-tutorial/testdata/project/config/crd/kustomization.yaml

@@ -6,14 +6,10 @@ resources:
 # +kubebuilder:scaffold:crdkustomizeresource
 
 patches:
-# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix.
+# [WEBHOOK] To enable the webhooks, uncomment all the sections with [WEBHOOK] prefix.
 # patches here are for enabling the conversion webhook for each CRD
 # +kubebuilder:scaffold:crdkustomizewebhookpatch
 
-# [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix.
-# patches here are for enabling the CA injection for each CRD
-# +kubebuilder:scaffold:crdkustomizecainjectionpatch
-
 # [WEBHOOK] To enable webhook, uncomment the following section
 # the following config is for teaching kustomize how to do kustomization for CRDs.
 #configurations:

docs/book/src/cronjob-tutorial/testdata/project/config/default/kustomization.yaml

@@ -151,27 +151,13 @@ replacements:
 #     version: v1
 #     name: serving-cert # This name should match the one in certificate.yaml
 #     fieldPath: .metadata.namespace # Namespace of the certificate CR
-#   targets:
-#     - select:
-#         kind: CustomResourceDefinition
-#       fieldPaths:
-#         - .metadata.annotations.[cert-manager.io/inject-ca-from]
-#       options:
-#         delimiter: '/'
-#         index: 0
-#         create: true
+#   targets: # Do not remove or uncomment the following scaffold marker; required to generate code for target CRD.
+# +kubebuilder:scaffold:crdkustomizecainjectionns
 # - source:
 #     kind: Certificate
 #     group: cert-manager.io
 #     version: v1
 #     name: serving-cert # This name should match the one in certificate.yaml
 #     fieldPath: .metadata.name
-#   targets:
-#     - select:
-#         kind: CustomResourceDefinition
-#       fieldPaths:
-#         - .metadata.annotations.[cert-manager.io/inject-ca-from]
-#       options:
-#         delimiter: '/'
-#         index: 1
-#         create: true
+#   targets: # Do not remove or uncomment the following scaffold marker; required to generate code for target CRD.
+# +kubebuilder:scaffold:crdkustomizecainjectionname

docs/book/src/getting-started/testdata/project/config/crd/kustomization.yaml

@@ -6,14 +6,10 @@ resources:
 # +kubebuilder:scaffold:crdkustomizeresource
 
 patches:
-# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix.
+# [WEBHOOK] To enable the webhooks, uncomment all the sections with [WEBHOOK] prefix.
 # patches here are for enabling the conversion webhook for each CRD
 # +kubebuilder:scaffold:crdkustomizewebhookpatch
 
-# [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix.
-# patches here are for enabling the CA injection for each CRD
-# +kubebuilder:scaffold:crdkustomizecainjectionpatch
-
 # [WEBHOOK] To enable webhook, uncomment the following section
 # the following config is for teaching kustomize how to do kustomization for CRDs.
 #configurations:

docs/book/src/getting-started/testdata/project/config/default/kustomization.yaml

@@ -151,27 +151,13 @@ patches:
 #     version: v1
 #     name: serving-cert # This name should match the one in certificate.yaml
 #     fieldPath: .metadata.namespace # Namespace of the certificate CR
-#   targets:
-#     - select:
-#         kind: CustomResourceDefinition
-#       fieldPaths:
-#         - .metadata.annotations.[cert-manager.io/inject-ca-from]
-#       options:
-#         delimiter: '/'
-#         index: 0
-#         create: true
+#   targets: # Do not remove or uncomment the following scaffold marker; required to generate code for target CRD.
+# +kubebuilder:scaffold:crdkustomizecainjectionns
 # - source:
 #     kind: Certificate
 #     group: cert-manager.io
 #     version: v1
 #     name: serving-cert # This name should match the one in certificate.yaml
 #     fieldPath: .metadata.name
-#   targets:
-#     - select:
-#         kind: CustomResourceDefinition
-#       fieldPaths:
-#         - .metadata.annotations.[cert-manager.io/inject-ca-from]
-#       options:
-#         delimiter: '/'
-#         index: 1
-#         create: true
+#   targets: # Do not remove or uncomment the following scaffold marker; required to generate code for target CRD.
+# +kubebuilder:scaffold:crdkustomizecainjectionname

docs/book/src/multiversion-tutorial/testdata/project/config/crd/kustomization.yaml

@@ -6,16 +6,11 @@ resources:
 # +kubebuilder:scaffold:crdkustomizeresource
 
 patches:
-# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix.
+# [WEBHOOK] To enable the webhooks, uncomment all the sections with [WEBHOOK] prefix.
 # patches here are for enabling the conversion webhook for each CRD
 - path: patches/webhook_in_cronjobs.yaml
 # +kubebuilder:scaffold:crdkustomizewebhookpatch
 
-# [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix.
-# patches here are for enabling the CA injection for each CRD
-#- path: patches/cainjection_in_cronjobs.yaml
-# +kubebuilder:scaffold:crdkustomizecainjectionpatch
-
 # [WEBHOOK] To enable webhook, uncomment the following section
 # the following config is for teaching kustomize how to do kustomization for CRDs.
 configurations:

docs/book/src/multiversion-tutorial/testdata/project/config/default/kustomization.yaml

@@ -144,34 +144,38 @@ replacements:
          delimiter: '/'
          index: 1
          create: true
-
+#
  - source: # Uncomment the following block if you have a ConversionWebhook (--conversion)
      kind: Certificate
      group: cert-manager.io
      version: v1
      name: serving-cert # This name should match the one in certificate.yaml
      fieldPath: .metadata.namespace # Namespace of the certificate CR
-   targets:
+   targets: # Do not remove or uncomment the following scaffold marker; required to generate code for target CRD.
      - select:
          kind: CustomResourceDefinition
+         name: cronjobs.batch.tutorial.kubebuilder.io
        fieldPaths:
          - .metadata.annotations.[cert-manager.io/inject-ca-from]
        options:
          delimiter: '/'
          index: 0
          create: true
+# +kubebuilder:scaffold:crdkustomizecainjectionns
  - source:
      kind: Certificate
      group: cert-manager.io
      version: v1
      name: serving-cert # This name should match the one in certificate.yaml
      fieldPath: .metadata.name
-   targets:
+   targets: # Do not remove or uncomment the following scaffold marker; required to generate code for target CRD.
      - select:
          kind: CustomResourceDefinition
+         name: cronjobs.batch.tutorial.kubebuilder.io
        fieldPaths:
          - .metadata.annotations.[cert-manager.io/inject-ca-from]
        options:
          delimiter: '/'
          index: 1
          create: true
+# +kubebuilder:scaffold:crdkustomizecainjectionname

docs/book/src/reference/markers/scaffold.md

@@ -95,17 +95,76 @@ properly registered with the manager, so that the controller can reconcile the r
 
 ## List of `+kubebuilder:scaffold` Markers
 
-| Marker                                     | Usual Location               | Function                                                                        |
-|--------------------------------------------|------------------------------|---------------------------------------------------------------------------------|
-| `+kubebuilder:scaffold:imports`            | `main.go`                    | Marks where imports for new controllers, webhooks, or APIs should be injected.   |
-| `+kubebuilder:scaffold:scheme`             | `init()` in `main.go`         | Used to add API versions to the scheme for runtime.                             |
-| `+kubebuilder:scaffold:builder`            | `main.go`                    | Marks where new controllers should be registered with the manager.              |
-| `+kubebuilder:scaffold:webhook`            | `webhooks suite tests` files  | Marks where webhook setup functions are added.                                  |
-| `+kubebuilder:scaffold:crdkustomizeresource`| `config/crd`                 | Marks where CRD custom resource patches are added.                              |
-| `+kubebuilder:scaffold:crdkustomizewebhookpatch` | `config/crd`              | Marks where CRD webhook patches are added.                                      |
-| `+kubebuilder:scaffold:crdkustomizecainjectionpatch` | `config/crd`           | Marks where CA injection patches are added for the webhook.                     |
-| `+kubebuilder:scaffold:manifestskustomizesamples` | `config/samples`           | Marks where Kustomize sample manifests are injected.                            |
-| `+kubebuilder:scaffold:e2e-webhooks-checks` | `test/e2e`                   | Adds e2e checks for webhooks depending on the types of webhooks scaffolded.      |
+| Marker                                                                         | Usual Location               | Function                                                                                                                                                                               |
+|--------------------------------------------------------------------------------|------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `+kubebuilder:scaffold:imports`                                                | `main.go`                    | Marks where imports for new controllers, webhooks, or APIs should be injected.                                                                                                         |
+| `+kubebuilder:scaffold:scheme`                                                 | `init()` in `main.go`        | Used to add API versions to the scheme for runtime.                                                                                                                                    |
+| `+kubebuilder:scaffold:builder`                                                | `main.go`                    | Marks where new controllers should be registered with the manager.                                                                                                                     |
+| `+kubebuilder:scaffold:webhook`                                                | `webhooks suite tests` files | Marks where webhook setup functions are added.                                                                                                                                         |
+| `+kubebuilder:scaffold:crdkustomizeresource`                                   | `config/crd`                 | Marks where CRD custom resource patches are added.                                                                                                                                     |
+| `+kubebuilder:scaffold:crdkustomizewebhookpatch`                               | `config/crd`                 | Marks where CRD webhook patches are added.                                                                                                                                             |
+| `+kubebuilder:scaffold:crdkustomizecainjectionns`                            | `config/default`             | Marks where CA injection patches are added for the conversion webhooks.                                                                                                                |
+| `+kubebuilder:scaffold:crdkustomizecainjectioname`                           | `config/default`             | Marks where CA injection patches are added for the conversion webhooks.                                                                                                                |
+| `+kubebuilder:scaffold:manifestskustomizesamples`                              | `config/samples`             | Marks where Kustomize sample manifests are injected.                                                                                                                                   |
+| `+kubebuilder:scaffold:e2e-webhooks-checks`                                    | `test/e2e`                   | Adds e2e checks for webhooks depending on the types of webhooks scaffolded.                                                                                                            |
+| **(No longer supported)** `+kubebuilder:scaffold:crdkustomizecainjectionpatch` | `config/crd`                 | Marks where CA injection patches are added for the webhooks. Replaced by `+kubebuilder:scaffold:crdkustomizecainjectionns` and `+kubebuilder:scaffold:crdkustomizecainjectioname`  |
+
+<aside class="note warning">
+<h1> **(No longer supported)** `+kubebuilder:scaffold:crdkustomizecainjectionpatch` </h1>
+
+The CA patch injection never worked for go/v4 (release : `3.5.0`) since
+we need to replace vars with replacements since vars is not supported
+for kustomize versions >= v4
+
+However, since webhook --conversion was an uncompleted feature
+until the kubebuilder release v4.4.0 users did not check it out
+or were fixing the scaffold manually.
+
+Please, ensure that:
+
+- Remove from config/crd/kustomization.yaml the CERTMANAGER section
+  such as:
+
+```yaml
+# [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix.
+# patches here are for enabling the CA injection for each CRD
+#- path: patches/cainjection_in_firstmates.yaml
+# +kubebuilder:scaffold:crdkustomizecainjectionpatch
+```
+
+- 2. Ensure that config/default/kustomization.yaml under the [CERTMANAGER]
+     replacement has the following code for your CA injection be properly generated:
+
+**NOTE** You must ensure that the code contains the target markers:
+- '+kubebuilder:scaffold:crdkustomizecainjectionns'
+- '+kubebuilder:scaffold:crdkustomizecainjectioname'
+
+```yaml
+# - source: # Uncomment the following block if you have a ConversionWebhook (--conversion)
+#     kind: Certificate
+#     group: cert-manager.io
+#     version: v1
+#     name: serving-cert # This name should match the one in certificate.yaml
+#     fieldPath: .metadata.namespace # Namespace of the certificate CR
+#   targets: # Do not remove or uncomment the following scaffold marker; required to generate code for target CRD.
+# +kubebuilder:scaffold:crdkustomizecainjectionns
+# - source:
+#     kind: Certificate
+#     group: cert-manager.io
+#     version: v1
+#     name: serving-cert # This name should match the one in certificate.yaml
+#     fieldPath: .metadata.name
+#   targets: # Do not remove or uncomment the following scaffold marker; required to generate code for target CRD.
+# +kubebuilder:scaffold:crdkustomizecainjectioname
+```
+
+**NOTE** You can check the examples under testdata/ directory
+in Kubebuilder repository to fix your project.
+
+
+
+</aside>
+
 
 <aside class="note">
 <h1>Creating Your Own Markers</h1>

hack/docs/internal/multiversion-tutorial/generate_multiversion.go

@@ -87,7 +87,13 @@ func (sp *Sample) updateDefaultKustomize() {
 	// Enable CA for Conversion Webhook
 	err := pluginutil.UncommentCode(
 		filepath.Join(sp.ctx.Dir, "config/default/kustomization.yaml"),
-		caConversionCRDDefaultKustomize, `#`)
+		caInjectionNamespace, `#`)
+	hackutils.CheckError("fixing default/kustomization", err)
+
+	// Enable CA for Conversion Webhook
+	err = pluginutil.UncommentCode(
+		filepath.Join(sp.ctx.Dir, "config/default/kustomization.yaml"),
+		caInjectionCert, `#`)
 	hackutils.CheckError("fixing default/kustomization", err)
 }
 

hack/docs/internal/multiversion-tutorial/kustomize.go

@@ -16,31 +16,33 @@ limitations under the License.
 
 package multiversion
 
-const caConversionCRDDefaultKustomize = `#
-# - source: # Uncomment the following block if you have a ConversionWebhook (--conversion)
+const caInjectionNamespace = `# - source: # Uncomment the following block if you have a ConversionWebhook (--conversion)
 #     kind: Certificate
 #     group: cert-manager.io
 #     version: v1
 #     name: serving-cert # This name should match the one in certificate.yaml
 #     fieldPath: .metadata.namespace # Namespace of the certificate CR
-#   targets:
+#   targets: # Do not remove or uncomment the following scaffold marker; required to generate code for target CRD.
 #     - select:
 #         kind: CustomResourceDefinition
+#         name: cronjobs.batch.tutorial.kubebuilder.io
 #       fieldPaths:
 #         - .metadata.annotations.[cert-manager.io/inject-ca-from]
 #       options:
 #         delimiter: '/'
 #         index: 0
-#         create: true
-# - source:
+#         create: true`
+
+const caInjectionCert = `# - source:
 #     kind: Certificate
 #     group: cert-manager.io
 #     version: v1
 #     name: serving-cert # This name should match the one in certificate.yaml
 #     fieldPath: .metadata.name
-#   targets:
+#   targets: # Do not remove or uncomment the following scaffold marker; required to generate code for target CRD.
 #     - select:
 #         kind: CustomResourceDefinition
+#         name: cronjobs.batch.tutorial.kubebuilder.io
 #       fieldPaths:
 #         - .metadata.annotations.[cert-manager.io/inject-ca-from]
 #       options:

pkg/plugins/common/kustomize/v2/scaffolds/api.go

@@ -90,6 +90,7 @@ func (s *apiScaffolder) Scaffold() error {
 			}
 		}
 
+		// nolint:goconst
 		kustomizeFilePath := "config/default/kustomization.yaml"
 		err := pluginutil.UncommentCode(kustomizeFilePath, "#- ../crd", `#`)
 		if err != nil {