enable cert-manager

Signed-off-by: alejandroEsc <[email protected]>

Author: alejandroEsc

charts/kubefed/Chart.yaml

@@ -6,4 +6,4 @@ dependencies:
 - name: controllermanager
   version: 0.0.3
   repository: "https://localhost/" # Required but unused.
-  condition: controllermanager.enabled
+  condition: controllermanager.enabled

charts/kubefed/charts/controllermanager/templates/deployments.yaml

@@ -5,6 +5,10 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     kubefed-control-plane: controller-manager
+{{- if .Values.controller.annotations }}
+  annotations:
+{{ toYaml .Values.controller.annotations | indent 4 }}
+{{- end }}
 spec:
   replicas: {{ .Values.controller.replicaCount }}
   selector:
@@ -60,6 +64,10 @@ metadata:
   name: kubefed-admission-webhook
   labels:
     kubefed-admission-webhook: "true"
+{{- if .Values.webhook.annotations }}
+  annotations:
+{{ toYaml .Values.webhook.annotations | indent 4 }}
+{{- end }}
 spec:
   replicas: 1
   selector:

charts/kubefed/charts/controllermanager/templates/webhook.yaml

@@ -10,17 +10,23 @@ metadata:
 # using the namespace.
 {{- if and .Values.global.scope (eq .Values.global.scope "Namespaced") }}
   name: validations.core.kubefed.io-{{ .Release.Namespace }}
-{{ else }}
+{{- else }}
   name: validations.core.kubefed.io
-{{ end }}
+{{- end }}
+  annotations:
+  {{- if .Values.certManager.enabled }}
+    certmanager.k8s.io/inject-ca-from: {{ printf "%s/%s%s" .Release.Namespace .Release.Name "-root-certificate" | quote }}
+  {{- end }}
 webhooks:
 - name: federatedtypeconfigs.core.kubefed.io
   clientConfig:
     service:
       namespace: {{ .Release.Namespace | quote }}
       name: kubefed-admission-webhook
       path: /validate-federatedtypeconfigs
+    {{- if not .Values.certManager.enabled }}
     caBundle: {{ b64enc $ca.Cert | quote }}
+    {{- end }}
   rules:
   - operations:
     - CREATE
@@ -50,7 +56,9 @@ webhooks:
       namespace: {{ .Release.Namespace | quote }}
       name: kubefed-admission-webhook
       path: /validate-kubefedcluster
+    {{- if not .Values.certManager.enabled }}
     caBundle: {{ b64enc $ca.Cert | quote }}
+    {{- end }}
   rules:
   - operations:
     - CREATE
@@ -75,7 +83,9 @@ webhooks:
       namespace: {{ .Release.Namespace | quote }}
       name: kubefed-admission-webhook
       path: /validate-kubefedconfig
+    {{- if not .Values.certManager.enabled }}
     caBundle: {{ b64enc $ca.Cert | quote }}
+    {{- end }}
   rules:
   - operations:
     - CREATE
@@ -92,7 +102,7 @@ webhooks:
   namespaceSelector:
     matchLabels:
       name: {{ .Release.Namespace }}
-{{ end }}
+{{- end }}
 ---
 # The same comments for ValidatingWebhookConfiguration apply here to
 # MutatingWebhookConfiguration.
@@ -101,17 +111,19 @@ kind: MutatingWebhookConfiguration
 metadata:
 {{- if and .Values.global.scope (eq .Values.global.scope "Namespaced") }}
   name: mutation.core.kubefed.io-{{ .Release.Namespace }}
-{{ else }}
+{{- else }}
   name: mutation.core.kubefed.io
-{{ end }}
+{{- end }}
 webhooks:
 - name: kubefedconfigs.core.kubefed.io
   clientConfig:
     service:
       namespace: {{ .Release.Namespace | quote }}
       name: kubefed-admission-webhook
       path: /default-kubefedconfig
+    {{- if not .Values.certManager.enabled }}
     caBundle: {{ b64enc $ca.Cert | quote }}
+    {{- end }}
   rules:
   - operations:
     - CREATE
@@ -127,6 +139,7 @@ webhooks:
     matchLabels:
       name: {{ .Release.Namespace }}
 {{ end }}
+{{- if not .Values.certManager.enabled }}
 ---
 apiVersion: v1
 kind: Secret
@@ -137,3 +150,49 @@ type: kubernetes.io/tls
 stringData:
   tls.crt: {{ $cert.Cert | quote }}
   tls.key: {{ $cert.Key | quote }}
+{{- else }}
+---
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: Issuer
+metadata:
+  name: {{ .Release.Name }}-ca-issuer
+spec:
+  selfSigned: {}
+---
+# Generate a CA Certificate used to sign certificates for the webhook
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: Certificate
+metadata:
+  name: {{ .Release.Name}}-root-certificate
+spec:
+  secretName: {{ .Release.Name }}-root-ca
+  duration: 8760h # 1y
+  issuerRef:
+    name: {{ .Release.Name }}-ca-issuer
+  commonName: "ca.webhook.kubefed"
+  isCA: true
+---
+# Create an Issuer that uses the above generated CA certificate to issue certs
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: Issuer
+metadata:
+  name: {{ .Release.Name }}-issuer
+spec:
+  ca:
+    secretName: {{ .Release.Name}}-root-ca
+---
+# Finally, generate a serving certificate for the webhook to use
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: Certificate
+metadata:
+  name: {{ .Release.Name }}-certificate
+spec:
+  secretName: kubefed-admission-webhook-serving-cert
+  duration: 8760h # 1y
+  issuerRef:
+    name: {{ .Release.Name }}-issuer
+  dnsNames:
+    - kubefed-admission-webhook
+    - {{ $altName1 }}
+    - {{ $altName2 }}
+{{- end }}

charts/kubefed/values.yaml

@@ -27,6 +27,7 @@ controllermanager:
     FederatedIngress:
 
   controller:
+    annotations: {}
     replicaCount: 2
     repository: quay.io/kubernetes-multicluster
     image: kubefed
@@ -43,6 +44,7 @@ controllermanager:
         cpu: 100m
         memory: 64Mi
   webhook:
+    annotations: {}
     repository: quay.io/kubernetes-multicluster
     image: kubefed
     tag: canary
@@ -58,6 +60,9 @@ controllermanager:
         cpu: 100m
         memory: 64Mi
 
+  certManager:
+    enabled: false
+
 
 ## Configuration global values for all charts
 ##