enable cert-manager
Signed-off-by: alejandroEsc <[email protected]>
alejandroEsc committed Aug 16, 2020
1 parent c4616b6 commit 2d92596
Showing 4 changed files with 78 additions and 6 deletions.
2 changes: 1 addition & 1 deletion charts/kubefed/Chart.yaml
Expand Up @@ -6,4 +6,4 @@ dependencies:
- name: controllermanager
version: 0.0.3
repository: "https://localhost/" # Required but unused.
condition: controllermanager.enabled
condition: controllermanager.enabled
Expand Up @@ -5,6 +5,10 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
kubefed-control-plane: controller-manager
{{- if .Values.controller.annotations }}
annotations:
{{ toYaml .Values.controller.annotations | indent 4 }}
{{- end }}
spec:
replicas: {{ .Values.controller.replicaCount }}
selector:
Expand Down Expand Up @@ -60,6 +64,10 @@ metadata:
name: kubefed-admission-webhook
labels:
kubefed-admission-webhook: "true"
{{- if .Values.webhook.annotations }}
annotations:
{{ toYaml .Values.webhook.annotations | indent 4 }}
{{- end }}
spec:
replicas: 1
selector:
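Review bot: `{{ toYaml .Values.controller.annotations | indent 4 }}` (and its twin for `.Values.webhook.annotations` in the second hunk) only yields correctly nested YAML if the action itself starts at column 0, because `indent` prefixes every line including the first and emits no leading newline; the rendered view drops indentation, so the action's column cannot be checked from here. `{{- toYaml .Values.controller.annotations | nindent 4 }}` is the indent-safe form and the usual Helm idiom for injecting a map under a key. Since `{{- if .Values.controller.annotations }}` is false for the `annotations: {}` default this commit adds to values.yaml, nothing is emitted in the default case, which looks intended but deserves a comment above the guard, e.g. `# Optional extra annotations; only rendered when a non-empty map is supplied in values.` This file section has no path header on the page, so which template it belongs to has to be inferred from its content.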
69 changes: 64 additions & 5 deletions charts/kubefed/charts/controllermanager/templates/webhook.yaml
Expand Up @@ -10,17 +10,23 @@ metadata:
# using the namespace.
{{- if and .Values.global.scope (eq .Values.global.scope "Namespaced") }}
name: validations.core.kubefed.io-{{ .Release.Namespace }}
{{ else }}
{{- else }}
name: validations.core.kubefed.io
{{ end }}
{{- end }}
annotations:
{{- if .Values.certManager.enabled }}
certmanager.k8s.io/inject-ca-from: {{ printf "%s/%s%s" .Release.Namespace .Release.Name "-root-certificate" | quote }}
{{- end }}
webhooks:
- name: federatedtypeconfigs.core.kubefed.io
clientConfig:
service:
namespace: {{ .Release.Namespace | quote }}
name: kubefed-admission-webhook
path: /validate-federatedtypeconfigs
{{- if not .Values.certManager.enabled }}
caBundle: {{ b64enc $ca.Cert | quote }}
{{- end }}
rules:
- operations:
- CREATE
Expand Down Expand Up @@ -50,7 +56,9 @@ webhooks:
namespace: {{ .Release.Namespace | quote }}
name: kubefed-admission-webhook
path: /validate-kubefedcluster
{{- if not .Values.certManager.enabled }}
caBundle: {{ b64enc $ca.Cert | quote }}
{{- end }}
rules:
- operations:
- CREATE
Expand All @@ -75,7 +83,9 @@ webhooks:
namespace: {{ .Release.Namespace | quote }}
name: kubefed-admission-webhook
path: /validate-kubefedconfig
{{- if not .Values.certManager.enabled }}
caBundle: {{ b64enc $ca.Cert | quote }}
{{- end }}
rules:
- operations:
- CREATE
Expand All @@ -92,7 +102,7 @@ webhooks:
namespaceSelector:
matchLabels:
name: {{ .Release.Namespace }}
{{ end }}
{{- end }}
---
# The same comments for ValidatingWebhookConfiguration apply here to
# MutatingWebhookConfiguration.
Expand All @@ -101,17 +111,19 @@ kind: MutatingWebhookConfiguration
metadata:
{{- if and .Values.global.scope (eq .Values.global.scope "Namespaced") }}
name: mutation.core.kubefed.io-{{ .Release.Namespace }}
{{ else }}
{{- else }}
name: mutation.core.kubefed.io
{{ end }}
{{- end }}
webhooks:
- name: kubefedconfigs.core.kubefed.io
clientConfig:
service:
namespace: {{ .Release.Namespace | quote }}
name: kubefed-admission-webhook
path: /default-kubefedconfig
{{- if not .Values.certManager.enabled }}
caBundle: {{ b64enc $ca.Cert | quote }}
{{- end }}
rules:
- operations:
- CREATE
Expand All @@ -127,6 +139,7 @@ webhooks:
matchLabels:
name: {{ .Release.Namespace }}
{{ end }}
{{- if not .Values.certManager.enabled }}
---
apiVersion: v1
kind: Secret
Expand All @@ -137,3 +150,49 @@ type: kubernetes.io/tls
stringData:
tls.crt: {{ $cert.Cert | quote }}
tls.key: {{ $cert.Key | quote }}
{{- else }}
---
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
name: {{ .Release.Name }}-ca-issuer
spec:
selfSigned: {}
---
# Generate a CA Certificate used to sign certificates for the webhook
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
name: {{ .Release.Name}}-root-certificate
spec:
secretName: {{ .Release.Name }}-root-ca
duration: 8760h # 1y
issuerRef:
name: {{ .Release.Name }}-ca-issuer
commonName: "ca.webhook.kubefed"
isCA: true
---
# Create an Issuer that uses the above generated CA certificate to issue certs
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
name: {{ .Release.Name }}-issuer
spec:
ca:
secretName: {{ .Release.Name}}-root-ca
---
# Finally, generate a serving certificate for the webhook to use
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
name: {{ .Release.Name }}-certificate
spec:
secretName: kubefed-admission-webhook-serving-cert
duration: 8760h # 1y
issuerRef:
name: {{ .Release.Name }}-issuer
dnsNames:
- kubefed-admission-webhook
- {{ $altName1 }}
- {{ $altName2 }}
{{- end }}
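Review bot: In the `kind: MutatingWebhookConfiguration` hunk the webhook is left with no CA at all when `certManager.enabled` is true: its `caBundle: {{ b64enc $ca.Cert | quote }}` is now skipped by the `{{- if not .Values.certManager.enabled }}` guard, but its `metadata` block, shown in full here from the scoped/unscoped name selection straight to `webhooks:`, never receives the `inject-ca-from` annotation that the ValidatingWebhookConfiguration gets, so the API server cannot verify the webhook's serving certificate and mutating admission calls fail TLS verification (and, depending on the `failurePolicy` set outside this hunk, either block or silently skip the affected requests). Add the same `annotations:` / `{{- if .Values.certManager.enabled }}` / `certmanager.k8s.io/inject-ca-from: {{ printf "%s/%s%s" .Release.Namespace .Release.Name "-root-certificate" | quote }}` / `{{- end }}` block under the mutating configuration's `metadata`. Separately, `certmanager.k8s.io/v1alpha1` and the `certmanager.k8s.io/inject-ca-from` annotation are the legacy cert-manager API group, replaced by `cert-manager.io` (annotation `cert-manager.io/inject-ca-from`) from cert-manager 0.11 onward; unless the chart deliberately targets older releases, the Issuer/Certificate resources and the annotation should use the new group, otherwise the CA injector ignores them and the webhooks have no CA even after the fix above. The serving certificate's `secretName: kubefed-admission-webhook-serving-cert` also requires the webhook Deployment to mount a Secret of exactly that name, which this diff does not show; worth confirming, since the chart-generated `kubernetes.io/tls` Secret in the non-cert-manager branch has its own name outside the hunk.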
5 changes: 5 additions & 0 deletions charts/kubefed/values.yaml
Expand Up @@ -27,6 +27,7 @@ controllermanager:
FederatedIngress:

controller:
annotations: {}
replicaCount: 2
repository: quay.io/kubernetes-multicluster
image: kubefed
Expand All @@ -43,6 +44,7 @@ controllermanager:
cpu: 100m
memory: 64Mi
webhook:
annotations: {}
repository: quay.io/kubernetes-multicluster
image: kubefed
tag: canary
Expand All @@ -58,6 +60,9 @@ controllermanager:
cpu: 100m
memory: 64Mi

certManager:
enabled: false


## Configuration global values for all charts
##
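Review bot: `certManager:` / `enabled: false` is added in the last hunk without a comment, although this values file documents its sections with `##` comments (`## Configuration global values for all charts`), so a reader cannot tell that enabling it requires cert-manager to be installed in the cluster and switches the admission webhook from the chart-generated self-signed `$ca`/`$cert` pair to cert-manager Issuer/Certificate resources. Suggest `## Issue the admission webhook serving certificate with cert-manager instead of the chart-generated self-signed pair; requires cert-manager in the cluster.` above `certManager:`. Since the template reads `.Values.certManager.enabled` from inside the controllermanager subchart, this key has to be nested under `controllermanager:` in the parent chart's values (or passed through `global`); the rendered diff drops indentation, so its level cannot be confirmed here and is worth checking. The two `annotations: {}` keys would benefit from a one-line comment each, e.g. `# Extra annotations added to the controller-manager workload's metadata`, and the two blank lines added after `enabled: false` exceed the single blank line used between stanzas elsewhere in the file.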
