feat: remove cert-manager.

Kubewarden controller now create the root CA used by the Kubewarden stack. Therefore, cert-manager is not necessary anymore. Signed-off-by: José Guilherme Vanz <[email protected]>
kubewarden · Oct 9, 2023 · 7eb5fbe · 7eb5fbe
1 parent 5c0c888
commit 7eb5fbe
Show file tree

Hide file tree

Showing 7 changed files with 11 additions and 77 deletions.
diff --git a/charts/kubewarden-controller/chart-values.yaml b/charts/kubewarden-controller/chart-values.yaml
@@ -60,16 +60,9 @@ nodeSelector: {}
 tolerations: []
 affinity: {}
 tls:
-  # source options:
-  # - "cert-manager-self-signed": Scaffold cert-manager integration, and create
-  #   a self-signed certificate with a cert-manager self-signed Issuer. Depends
-  #   on cert-manager. (default)
-  # - "cert-manager": Scafffold cert-manager integration. User configures their
-  #   own Issuer. Depends on cert-manager. Set tls.certManagerIssuerName to the
-  #   desired Issuer.
-  source: cert-manager-self-signed
-  # "cert-manager"-only options:
-  certManagerIssuerName: ""
+  # secret used to store the certificate and key used by the controller webhook
+  # server.
+  controllerCertificateSecretName:  "kubewarden-controller-certificate"
 # Resource limits & requests
 # Ref: https://kubernetes.io/docs/user-guide/compute-resources/
 resources:

diff --git a/charts/kubewarden-controller/questions.yaml b/charts/kubewarden-controller/questions.yaml
@@ -30,22 +30,3 @@ questions:
     allow viewing secrets, roles or role bindings), and "audit-scanner-cluster-role"
     (allows read-write to Kubewarden resources and PolicyReports).
   group: "Features"
-- variable: tls.source
-  default: "cert-manager-self-signed"
-  description: "Source for TLS certificates"
-  label: TLS certificates source
-  type: enum
-  options:
-  - "cert-manager-self-signed"
-  - "cert-manager"
-  show_subquestion_if: "cert-manager"
-  group: "Certificates"
-  subquestions:
-  - variable: "tls.certManagerIssuerName"
-    type: string
-    default: ""
-    label: cert-manager Issuer name
-    description: |
-      Name of cert-manager Issuer
-    group: "Certificates"
-    show_if: "tls.source=cert-manager"
diff --git a/charts/kubewarden-controller/templates/cert-tls.yaml b/charts/kubewarden-controller/templates/cert-tls.yaml
diff --git a/charts/kubewarden-controller/templates/deployment.yaml b/charts/kubewarden-controller/templates/deployment.yaml
@@ -42,6 +42,7 @@ spec:
         - --enable-metrics
        {{- end }}
         - --always-accept-admission-reviews-on-deployments-namespace
+        - --controller-webhook-service-name={{ include "kubewarden-controller.fullname" . }}-webhook-service
         command:
         - /manager
         {{- if .Values.telemetry.enabled }}
@@ -83,7 +84,9 @@ spec:
       - name: cert
         secret:
           defaultMode: 420
-          secretName: webhook-server-cert
+          secretName: {{ .Values.tls.controllerCertificateSecretName }}
+          # This needs to be optional because the secret is created by the controller
+          optional: true
       {{- if .Values.podSecurityContext }}
       securityContext:
 {{ toYaml .Values.podSecurityContext | indent 8 }}

diff --git a/charts/kubewarden-controller/templates/rbac.yaml b/charts/kubewarden-controller/templates/rbac.yaml
@@ -113,6 +113,7 @@ rules:
   - list
   - patch
   - watch
+  - get
 - apiGroups:
   - policies.kubewarden.io
   resources:

diff --git a/charts/kubewarden-controller/templates/webhooks.yaml b/charts/kubewarden-controller/templates/webhooks.yaml
@@ -3,7 +3,6 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:
   annotations:
-    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "kubewarden-controller.fullname" . }}-serving-cert
     {{- include "kubewarden-controller.annotations" . | nindent 4 }}
   name: kubewarden-controller-mutating-webhook-configuration
   labels:
@@ -78,7 +77,6 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   annotations:
-    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "kubewarden-controller.fullname" . }}-serving-cert
     {{- include "kubewarden-controller.annotations" . | nindent 4 }}
   name: kubewarden-controller-validating-webhook-configuration
   labels:

diff --git a/charts/kubewarden-controller/values.yaml b/charts/kubewarden-controller/values.yaml
@@ -96,16 +96,9 @@ nodeSelector: {}
 tolerations: []
 affinity: {}
 tls:
-  # source options:
-  # - "cert-manager-self-signed": Scaffold cert-manager integration, and create
-  #   a self-signed certificate with a cert-manager self-signed Issuer. Depends
-  #   on cert-manager. (default)
-  # - "cert-manager": Scafffold cert-manager integration. User configures their
-  #   own Issuer. Depends on cert-manager. Set tls.certManagerIssuerName to the
-  #   desired Issuer.
-  source: cert-manager-self-signed
-  # "cert-manager"-only options:
-  certManagerIssuerName: ""
+  # secret used to store the certificate and key used by the controller webhook
+  # server.
+  controllerCertificateSecretName:  "kubewarden-controller-certificate"
 # Resource limits & requests
 # Ref: https://kubernetes.io/docs/user-guide/compute-resources/
 resources: