From 7eb5fbe85d1f453cc6d07c44d59ffb7c6b598482 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Guilherme=20Vanz?=
Date: Wed, 23 Aug 2023 17:07:01 -0300
Subject: [PATCH] feat: remove cert-manager.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Kubewarden controller now create the root CA used by the Kubewarden stack. Therefore, cert-manager is not necessary anymore.

Signed-off-by: José Guilherme Vanz
---
 .../kubewarden-controller/chart-values.yaml | 13 ++-----
 charts/kubewarden-controller/questions.yaml | 19 ----------
 .../templates/cert-tls.yaml | 35 -------------------
 .../templates/deployment.yaml | 5 ++-
 .../kubewarden-controller/templates/rbac.yaml | 1 +
 .../templates/webhooks.yaml | 2 --
 charts/kubewarden-controller/values.yaml | 13 ++-----
 7 files changed, 11 insertions(+), 77 deletions(-)
 delete mode 100644 charts/kubewarden-controller/templates/cert-tls.yaml

diff --git a/charts/kubewarden-controller/chart-values.yaml b/charts/kubewarden-controller/chart-values.yaml
index b2242883..048c63e8 100644
--- a/charts/kubewarden-controller/chart-values.yaml
+++ b/charts/kubewarden-controller/chart-values.yaml
@@ -60,16 +60,9 @@ nodeSelector: {}
 tolerations: []
 affinity: {}
 tls:
- # source options:
- # - "cert-manager-self-signed": Scaffold cert-manager integration, and create
- # a self-signed certificate with a cert-manager self-signed Issuer. Depends
- # on cert-manager. (default)
- # - "cert-manager": Scafffold cert-manager integration. User configures their
- # own Issuer. Depends on cert-manager. Set tls.certManagerIssuerName to the
- # desired Issuer.
- source: cert-manager-self-signed
- # "cert-manager"-only options:
- certManagerIssuerName: ""
+ # secret used to store the certificate and key used by the controller webhook
+ # server.
+ controllerCertificateSecretName: "kubewarden-controller-certificate"
 # Resource limits & requests
 # Ref: https://kubernetes.io/docs/user-guide/compute-resources/
 resources:
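Review bot: The new comment on `controllerCertificateSecretName` says what the Secret holds but not who owns it, which is what an operator needs before overriding the value: nothing in this commit creates a Secret with that name, and the deployment hunk mounts it as an optional volume with a comment saying the controller creates it. Suggest: `# Name of the Secret in the release namespace holding the webhook server's certificate and key. The chart does not create it; the controller generates it at runtime and the deployment mounts it as an optional volume.` The identical comment in values.yaml (last hunk of this patch) needs the same change.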
diff --git a/charts/kubewarden-controller/questions.yaml b/charts/kubewarden-controller/questions.yaml
index 4d9433ff..f0ae4a69 100644
--- a/charts/kubewarden-controller/questions.yaml
+++ b/charts/kubewarden-controller/questions.yaml
@@ -30,22 +30,3 @@ questions:
 allow viewing secrets, roles or role bindings), and "audit-scanner-cluster-role"
 (allows read-write to Kubewarden resources and PolicyReports).
 group: "Features"
-- variable: tls.source
- default: "cert-manager-self-signed"
- description: "Source for TLS certificates"
- label: TLS certificates source
- type: enum
- options:
- "cert-manager-self-signed"
- "cert-manager"
- show_subquestion_if: "cert-manager"
- group: "Certificates"
- subquestions:
- - variable: "tls.certManagerIssuerName"
- type: string
- default: ""
- label: cert-manager Issuer name
- description: |
- Name of cert-manager Issuer
- group: "Certificates"
- show_if: "tls.source=cert-manager"
diff --git a/charts/kubewarden-controller/templates/cert-tls.yaml b/charts/kubewarden-controller/templates/cert-tls.yaml
deleted file mode 100644
index 7035b886..00000000
--- a/charts/kubewarden-controller/templates/cert-tls.yaml
+++ /dev/null
@@ -1,35 +0,0 @@
-# cert-manager resources
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
- name: {{ include "kubewarden-controller.fullname" . }}-serving-cert
- namespace: {{ .Release.Namespace }}
- labels:
- {{- include "kubewarden-controller.labels" . | nindent 4 }}
- annotations:
- {{- include "kubewarden-controller.annotations" . | nindent 4 }}
-spec:
- dnsNames:
- - {{ include "kubewarden-controller.fullname" . }}-webhook-service.{{ .Release.Namespace }}.svc
- - {{ include "kubewarden-controller.fullname" . }}-webhook-service.{{ .Release.Namespace }}.svc.cluster.local
- issuerRef:
- kind: Issuer
-{{- if eq .Values.tls.source "cert-manager-self-signed" }}
- name: {{ include "kubewarden-controller.fullname" . }}-selfsigned-issuer
-{{- else if eq .Values.tls.source "cert-manager" }}
- name: {{ .Values.tls.certManagerIssuerName }}
-{{- end}}
- secretName: webhook-server-cert
----
-{{- if eq .Values.tls.source "cert-manager-self-signed" }}
-apiVersion: cert-manager.io/v1
-kind: Issuer
-metadata:
- name: {{ include "kubewarden-controller.fullname" . }}-selfsigned-issuer
- namespace: {{ .Release.Namespace }}
- labels:
- {{- include "kubewarden-controller.labels" . | nindent 4 }}
-spec:
- selfSigned: {}
-{{- end }}
diff --git a/charts/kubewarden-controller/templates/deployment.yaml b/charts/kubewarden-controller/templates/deployment.yaml
index a17f6dee..a968150f 100644
--- a/charts/kubewarden-controller/templates/deployment.yaml
+++ b/charts/kubewarden-controller/templates/deployment.yaml
@@ -42,6 +42,7 @@ spec:
 - --enable-metrics
 {{- end }}
 - --always-accept-admission-reviews-on-deployments-namespace
+ - --controller-webhook-service-name={{ include "kubewarden-controller.fullname" . }}-webhook-service
 command:
 - /manager
 {{- if .Values.telemetry.enabled }}
@@ -83,7 +84,9 @@ spec:
 - name: cert
 secret:
 defaultMode: 420
- secretName: webhook-server-cert
+ secretName: {{ .Values.tls.controllerCertificateSecretName }}
+ # This needs to be optional because the secret is created by the controller
+ optional: true
 {{- if .Values.podSecurityContext }}
 securityContext:
 {{ toYaml .Values.podSecurityContext | indent 8 }}
diff --git a/charts/kubewarden-controller/templates/rbac.yaml b/charts/kubewarden-controller/templates/rbac.yaml
index 3e472acf..a93b6de0 100644
--- a/charts/kubewarden-controller/templates/rbac.yaml
+++ b/charts/kubewarden-controller/templates/rbac.yaml
@@ -113,6 +113,7 @@ rules:
 - list
 - patch
 - watch
+ - get
 - apiGroups:
 - policies.kubewarden.io
 resources:
diff --git a/charts/kubewarden-controller/templates/webhooks.yaml b/charts/kubewarden-controller/templates/webhooks.yaml
index ecabe2f7..effa9b6d 100644
--- a/charts/kubewarden-controller/templates/webhooks.yaml
+++ b/charts/kubewarden-controller/templates/webhooks.yaml
@@ -3,7 +3,6 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:
 annotations:
- cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "kubewarden-controller.fullname" . }}-serving-cert
 {{- include "kubewarden-controller.annotations" . | nindent 4 }}
 name: kubewarden-controller-mutating-webhook-configuration
 labels:
@@ -78,7 +77,6 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
 annotations:
- cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "kubewarden-controller.fullname" . }}-serving-cert
 {{- include "kubewarden-controller.annotations" . | nindent 4 }}
 name: kubewarden-controller-validating-webhook-configuration
 labels:
diff --git a/charts/kubewarden-controller/values.yaml b/charts/kubewarden-controller/values.yaml
index c551ba07..6245756a 100644
--- a/charts/kubewarden-controller/values.yaml
+++ b/charts/kubewarden-controller/values.yaml
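Review bot: `optional: true` admits the pod before the Secret exists, so the `cert` volume is mounted empty and the kubelet only projects the files after the controller has created the Secret; the added comment explains why the flag is set but not what the manager must cope with, so I would extend it to `# Optional: the controller creates this Secret itself, so the volume is empty at start-up and is populated by the kubelet once the Secret exists; the manager must wait for the files before serving.` Separately, the name is read from `.Values.tls.controllerCertificateSecretName` here, while the flag added in the previous hunk passes only the webhook service name, so an operator who overrides the value would mount a Secret the controller never creates unless the controller obtains the name some other way — either pass it as a flag as well or document that the value is not meant to be changed. The enclosing `volumes:` list starts outside the hunk.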
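Review bot: The rule that gains `- get` in the rbac.yaml hunk starts outside the hunk, so the resource it covers is not visible; within the hunk the verbs now read `list, patch, watch, get`, breaking the alphabetical order the list otherwise keeps, so move `- get` above `- list`. If this is the rule for Secrets, a controller that now generates the certificate Secret itself will also need `create` (and `update` if it rotates the material), which this hunk does not add — confirm against the controller's manager code before merging.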
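Review bot: With `cert-manager.io/inject-ca-from` removed from the MutatingWebhookConfiguration, nothing visible in this file sets `caBundle` on the webhook clientConfig (those lines are outside the hunk), so the trust anchor is presumably written at runtime by the controller that now owns the root CA; that dependency should be recorded where the annotation used to be, e.g. `# caBundle is not templated: the controller populates it from the CA it generates`. The ValidatingWebhookConfiguration hunk below has the same gap and needs the same comment. On upgrade from a release that used cert-manager, the caBundle the cainjector wrote stays on the live object until the controller overwrites it, so if that window matters it belongs in the chart's upgrade notes.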
@@ -96,16 +96,9 @@ nodeSelector: {}
 tolerations: []
 affinity: {}
 tls:
- # source options:
- # - "cert-manager-self-signed": Scaffold cert-manager integration, and create
- # a self-signed certificate with a cert-manager self-signed Issuer. Depends
- # on cert-manager. (default)
- # - "cert-manager": Scafffold cert-manager integration. User configures their
- # own Issuer. Depends on cert-manager. Set tls.certManagerIssuerName to the
- # desired Issuer.
- source: cert-manager-self-signed
- # "cert-manager"-only options:
- certManagerIssuerName: ""
+ # secret used to store the certificate and key used by the controller webhook
+ # server.
+ controllerCertificateSecretName: "kubewarden-controller-certificate"
 # Resource limits & requests
 # Ref: https://kubernetes.io/docs/user-guide/compute-resources/
 resources: