Merge Upstream changes

Dockerfile

@@ -1,9 +1,8 @@
-FROM golang:1.14-alpine AS build_deps
+FROM golang:1.17-alpine AS build_deps
 
-RUN apk add --no-cache git
+RUN apk add --no-cache git ca-certificates
 
 WORKDIR /workspace
-ENV GO111MODULE=on
 
 COPY go.mod .
 COPY go.sum .
@@ -16,10 +15,9 @@ COPY . .
 
 RUN CGO_ENABLED=0 go build -o webhook -ldflags '-w -extldflags "-static"' .
 
-FROM alpine:3.12
-
-RUN apk add --no-cache ca-certificates
+FROM scratch
 
+COPY --from=build_deps /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
 COPY --from=build /workspace/webhook /usr/local/bin/webhook
 
 ENTRYPOINT ["webhook"]

Makefile

@@ -1,27 +1,38 @@
 IMAGE_NAME := "slicen/cert-manager-webhook-linode"
-IMAGE_TAG := "v0.1.0"
+IMAGE_TAG := "v0.2.0"
+
+K8S_VERSION := "1.22.0"
 
 OUT := $(shell pwd)/_out
 
 $(shell mkdir -p "$(OUT)")
 
 .DEFAULT_GOAL := build
 
-.PHONY: verify test build clean rendered-manifest.yaml
+.PHONY: verify test build clean _out/kubebuilder rendered-manifest.yaml
+
+verify: _out/kubebuilder
+	TEST_ASSET_ETCD=_out/kubebuilder/bin/etcd \
+	TEST_ASSET_KUBECTL=_out/kubebuilder/bin/kubectl \
+	TEST_ASSET_KUBE_APISERVER=_out/kubebuilder/bin/kube-apiserver \
+	go test -v
 
-verify:
-	go test -v .
+_out/kubebuilder:
+	mkdir -p _out/kubebuilder
+	curl -fsSLo envtest-bins.tar.gz "https://go.kubebuilder.io/test-tools/${K8S_VERSION}/$(shell go env GOOS)/$(shell go env GOARCH)"
+	tar -C _out/kubebuilder --strip-components=1 -zvxf envtest-bins.tar.gz
+	rm envtest-bins.tar.gz
 
 test: verify
 
 build:
-	docker build --rm -t "$(IMAGE_NAME):$(IMAGE_TAG)" -t "$(IMAGE_NAME):latest" .
+	docker build --rm -t "${IMAGE_NAME}:${IMAGE_TAG}" -t "${IMAGE_NAME}:latest" .
 
 clean:
-	rm -r "$(OUT)"
+	rm -r "${OUT}"
 
 rendered-manifest.yaml:
 	helm template \
-        --set image.repository=$(IMAGE_NAME) \
-        --set image.tag=$(IMAGE_TAG) \
-        deploy/cert-manager-webhook-linode > "$(OUT)/rendered-manifest.yaml"
+        --set image.repository=${IMAGE_NAME} \
+        --set image.tag=${IMAGE_TAG} \
+        deploy/cert-manager-webhook-linode > "${OUT}/rendered-manifest.yaml"

README.md

@@ -13,7 +13,7 @@ ACME Issuer for [cert-manager](https://github.com/jetstack/cert-manager).
 ```bash
 helm install cert-manager-webhook-linode \
   --namespace cert-manager \
-  https://github.com/slicen/cert-manager-webhook-linode/releases/download/v0.1.0/cert-manager-webhook-linode-v0.1.0.tgz
+  https://github.com/slicen/cert-manager-webhook-linode/releases/download/v0.2.0/cert-manager-webhook-linode-v0.2.0.tgz
 ```
 
 ## Usage
@@ -31,7 +31,7 @@ kubectl create secret generic linode-credentials \
 #### Cluster-wide Linode API Token
 
 ```yaml
-apiVersion: cert-manager.io/v1alpha2
+apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
 metadata:
   name: letsencrypt-staging
@@ -58,7 +58,7 @@ If you would prefer to use separate Linode API tokens for each namespace (e.g.
 in a multi-tenant environment):
 
 ```yaml
-apiVersion: cert-manager.io/v1alpha2
+apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
   name: letsencrypt-staging

deploy/cert-manager-webhook-linode/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: "v0.1.0"
+appVersion: "v0.2.0"
 description: A Helm chart for cert-manager-webhook-linode
 name: cert-manager-webhook-linode
-version: v0.1.0
+version: v0.2.0

deploy/cert-manager-webhook-linode/templates/apiservice.yaml

@@ -1,4 +1,4 @@
-apiVersion: apiregistration.k8s.io/v1beta1
+apiVersion: apiregistration.k8s.io/v1
 kind: APIService
 metadata:
   name: v1alpha1.{{ .Values.api.groupName }}
@@ -15,5 +15,5 @@ spec:
   versionPriority: 15
   service:
     name: {{ include "cert-manager-webhook-linode.fullname" . }}
-    namespace: {{ .Release.Namespace | quote }}
+    namespace: {{ .Values.certManager.namespace | quote }}
   version: v1alpha1

deploy/cert-manager-webhook-linode/templates/deployment.yaml

@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: {{ include "cert-manager-webhook-linode.fullname" . }}
+  namespace: {{ .Values.certManager.namespace | quote }}
   labels:
     app: {{ include "cert-manager-webhook-linode.name" . }}
     chart: {{ include "cert-manager-webhook-linode.chart" . }}

deploy/cert-manager-webhook-linode/templates/pki.yaml

@@ -1,11 +1,11 @@
 ---
 # Create a selfsigned Issuer, in order to create a root CA certificate for
 # signing webhook serving certificates
-apiVersion: cert-manager.io/v1alpha2
+apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
   name: {{ include "cert-manager-webhook-linode.selfSignedIssuer" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ .Values.certManager.namespace | quote }}
   labels:
     app: {{ include "cert-manager-webhook-linode.name" . }}
     chart: {{ include "cert-manager-webhook-linode.chart" . }}
@@ -17,11 +17,11 @@ spec:
 ---
 
 # Generate a CA Certificate used to sign certificates for the webhook
-apiVersion: cert-manager.io/v1alpha2
+apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
   name: {{ include "cert-manager-webhook-linode.rootCACertificate" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ .Values.certManager.namespace | quote }}
   labels:
     app: {{ include "cert-manager-webhook-linode.name" . }}
     chart: {{ include "cert-manager-webhook-linode.chart" . }}
@@ -38,11 +38,11 @@ spec:
 ---
 
 # Create an Issuer that uses the above generated CA certificate to issue certs
-apiVersion: cert-manager.io/v1alpha2
+apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
   name: {{ include "cert-manager-webhook-linode.rootCAIssuer" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ .Values.certManager.namespace | quote }}
   labels:
     app: {{ include "cert-manager-webhook-linode.name" . }}
     chart: {{ include "cert-manager-webhook-linode.chart" . }}
@@ -55,11 +55,11 @@ spec:
 ---
 
 # Finally, generate a serving certificate for the webhook to use
-apiVersion: cert-manager.io/v1alpha2
+apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
   name: {{ include "cert-manager-webhook-linode.servingCertificate" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ .Values.certManager.namespace | quote }}
   labels:
     app: {{ include "cert-manager-webhook-linode.name" . }}
     chart: {{ include "cert-manager-webhook-linode.chart" . }}
@@ -72,5 +72,5 @@ spec:
     name: {{ include "cert-manager-webhook-linode.rootCAIssuer" . }}
   dnsNames:
   - {{ include "cert-manager-webhook-linode.fullname" . }}
-  - {{ include "cert-manager-webhook-linode.fullname" . }}.{{ .Release.Namespace }}
-  - {{ include "cert-manager-webhook-linode.fullname" . }}.{{ .Release.Namespace }}.svc
+  - {{ include "cert-manager-webhook-linode.fullname" . }}.{{ .Values.certManager.namespace }}
+  - {{ include "cert-manager-webhook-linode.fullname" . }}.{{ .Values.certManager.namespace }}.svc

deploy/cert-manager-webhook-linode/templates/rbac.yaml

@@ -2,6 +2,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ include "cert-manager-webhook-linode.fullname" . }}
+  namespace: {{ .Values.certManager.namespace | quote }}
   labels:
     app: {{ include "cert-manager-webhook-linode.name" . }}
     chart: {{ include "cert-manager-webhook-linode.chart" . }}
@@ -29,7 +30,7 @@ subjects:
   - apiGroup: ""
     kind: ServiceAccount
     name: {{ include "cert-manager-webhook-linode.fullname" . }}
-    namespace: {{ .Release.Namespace }}
+    namespace: {{ .Values.certManager.namespace | quote }}
 ---
 # apiserver gets the auth-delegator role to delegate auth decisions to
 # the core apiserver
@@ -50,7 +51,7 @@ subjects:
   - apiGroup: ""
     kind: ServiceAccount
     name: {{ include "cert-manager-webhook-linode.fullname" . }}
-    namespace: {{ .Release.Namespace }}
+    namespace: {{ .Values.certManager.namespace | quote }}
 ---
 # Grant cert-manager permission to validate using our apiserver
 apiVersion: rbac.authorization.k8s.io/v1
@@ -86,15 +87,15 @@ roleRef:
 subjects:
   - apiGroup: ""
     kind: ServiceAccount
-    name: {{ include "cert-manager-webhook-linode.fullname" . }}
-    namespace: {{ .Release.Namespace }}
+    name: {{ .Values.certManager.serviceAccountName }}
+    namespace: {{ .Values.certManager.namespace | quote }}
 ---
 # Grant the webhook permission to read the Secret containing the Linode API token
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: {{ include "cert-manager-webhook-linode.fullname" . }}:secret-reader
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ .Values.certManager.namespace | quote }}
 rules:
 - apiGroups: [""]
   resources: ["secrets"]
@@ -105,12 +106,12 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: {{ include "cert-manager-webhook-linode.fullname" . }}:secret-reader
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ .Values.certManager.namespace | quote }}
 subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: {{ include "cert-manager-webhook-linode.fullname" . }}
-   namespace: {{ .Release.Namespace | quote }}
+   namespace: {{ .Values.certManager.namespace | quote }}
 roleRef:
   kind: Role
   name: {{ include "cert-manager-webhook-linode.fullname" . }}:secret-reader

deploy/cert-manager-webhook-linode/templates/service.yaml

@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: {{ include "cert-manager-webhook-linode.fullname" . }}
+  namespace: {{ .Values.certManager.namespace | quote }}
   labels:
     app: {{ include "cert-manager-webhook-linode.name" . }}
     chart: {{ include "cert-manager-webhook-linode.chart" . }}

deploy/cert-manager-webhook-linode/values.yaml

@@ -9,6 +9,10 @@
 api:
   groupName: acme.slicen.me
 
+certManager:
+  namespace: cert-manager
+  serviceAccountName: cert-manager
+
 deployment:
   secretName: linode-credentials
   secretKey: token