bump to 0.4.0

safespring-community · Aug 8, 2024 · 0d51e8c · 0d51e8c
1 parent 39548d3
commit 0d51e8c
Show file tree

Hide file tree

Showing 8 changed files with 137 additions and 69 deletions.
diff --git a/Makefile b/Makefile
@@ -37,7 +37,7 @@ build:
 .PHONY: rendered-manifest.yaml
 rendered-manifest.yaml:
 	helm template \
-	    --name example-webhook \
+	    --name certmanager-webhook-rcodezero \
             --set image.repository=$(IMAGE_NAME) \
             --set image.tag=$(IMAGE_TAG) \
-            deploy/example-webhook > "$(OUT)/rendered-manifest.yaml"
+            deploy/certmanager-webhook-rcodezero > "$(OUT)/rendered-manifest.yaml"
diff --git a/charts/rcodezero-webhook/templates/_helpers.tpl b/charts/rcodezero-webhook/templates/_helpers.tpl
@@ -2,7 +2,7 @@
 {{/*
 Expand the name of the chart.
 */}}
-{{- define "example-webhook.name" -}}
+{{- define "certmanager-webhook-rcodezero.name" -}}
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
@@ -11,7 +11,7 @@ Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
 If release name contains chart name it will be used as a full name.
 */}}
-{{- define "example-webhook.fullname" -}}
+{{- define "certmanager-webhook-rcodezero.fullname" -}}
 {{- if .Values.fullnameOverride -}}
 {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
 {{- else -}}
@@ -27,22 +27,22 @@ If release name contains chart name it will be used as a full name.
 {{/*
 Create chart name and version as used by the chart label.
 */}}
-{{- define "example-webhook.chart" -}}
+{{- define "certmanager-webhook-rcodezero.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
-{{- define "example-webhook.selfSignedIssuer" -}}
-{{ printf "%s-selfsign" (include "example-webhook.fullname" .) }}
+{{- define "certmanager-webhook-rcodezero.selfSignedIssuer" -}}
+{{ printf "%s-selfsign" (include "certmanager-webhook-rcodezero.fullname" .) }}
 {{- end -}}
 
-{{- define "example-webhook.rootCAIssuer" -}}
-{{ printf "%s-ca" (include "example-webhook.fullname" .) }}
+{{- define "certmanager-webhook-rcodezero.rootCAIssuer" -}}
+{{ printf "%s-ca" (include "certmanager-webhook-rcodezero.fullname" .) }}
 {{- end -}}
 
-{{- define "example-webhook.rootCACertificate" -}}
-{{ printf "%s-ca" (include "example-webhook.fullname" .) }}
+{{- define "certmanager-webhook-rcodezero.rootCACertificate" -}}
+{{ printf "%s-ca" (include "certmanager-webhook-rcodezero.fullname" .) }}
 {{- end -}}
 
-{{- define "example-webhook.servingCertificate" -}}
-{{ printf "%s-webhook-tls" (include "example-webhook.fullname" .) }}
+{{- define "certmanager-webhook-rcodezero.servingCertificate" -}}
+{{ printf "%s-webhook-tls" (include "certmanager-webhook-rcodezero.fullname" .) }}
 {{- end -}}
diff --git a/charts/rcodezero-webhook/templates/apiservice.yaml b/charts/rcodezero-webhook/templates/apiservice.yaml
@@ -3,17 +3,17 @@ kind: APIService
 metadata:
   name: v1alpha1.{{ .Values.groupName }}
   labels:
-    app: {{ include "example-webhook.name" . }}
-    chart: {{ include "example-webhook.chart" . }}
+    app: {{ include "certmanager-webhook-rcodezero.name" . }}
+    chart: {{ include "certmanager-webhook-rcodezero.chart" . }}
     release: {{ .Release.Name }}
     heritage: {{ .Release.Service }}
   annotations:
-    cert-manager.io/inject-ca-from: "{{ .Release.Namespace }}/{{ include "example-webhook.servingCertificate" . }}"
+    cert-manager.io/inject-ca-from: "{{ .Release.Namespace }}/{{ include "certmanager-webhook-rcodezero.servingCertificate" . }}"
 spec:
   group: {{ .Values.groupName }}
   groupPriorityMinimum: 1000
   versionPriority: 15
   service:
-    name: {{ include "example-webhook.fullname" . }}
+    name: {{ include "certmanager-webhook-rcodezero.fullname" . }}
     namespace: {{ .Release.Namespace }}
   version: v1alpha1
diff --git a/charts/rcodezero-webhook/templates/deployment.yaml b/charts/rcodezero-webhook/templates/deployment.yaml
@@ -1,11 +1,11 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: {{ include "example-webhook.fullname" . }}
+  name: {{ include "certmanager-webhook-rcodezero.fullname" . }}
   namespace: {{ .Release.Namespace | quote }}
   labels:
-    app: {{ include "example-webhook.name" . }}
-    chart: {{ include "example-webhook.chart" . }}
+    app: {{ include "certmanager-webhook-rcodezero.name" . }}
+    chart: {{ include "certmanager-webhook-rcodezero.chart" . }}
     release: {{ .Release.Name }}
     heritage: {{ .Release.Service }}
 spec:
@@ -15,15 +15,15 @@ spec:
   {{- end }}
   selector:
     matchLabels:
-      app: {{ include "example-webhook.name" . }}
+      app: {{ include "certmanager-webhook-rcodezero.name" . }}
       release: {{ .Release.Name }}
   template:
     metadata:
       labels:
-        app: {{ include "example-webhook.name" . }}
+        app: {{ include "certmanager-webhook-rcodezero.name" . }}
         release: {{ .Release.Name }}
     spec:
-      serviceAccountName: {{ include "example-webhook.fullname" . }}
+      serviceAccountName: {{ include "certmanager-webhook-rcodezero.fullname" . }}
       containers:
         - name: {{ .Chart.Name }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
@@ -61,7 +61,7 @@ spec:
       volumes:
         - name: certs
           secret:
-            secretName: {{ include "example-webhook.servingCertificate" . }}
+            secretName: {{ include "certmanager-webhook-rcodezero.servingCertificate" . }}
     {{- with .Values.nodeSelector }}
       nodeSelector:
 {{ toYaml . | indent 8 }}

diff --git a/charts/rcodezero-webhook/templates/pki.yaml b/charts/rcodezero-webhook/templates/pki.yaml
@@ -4,11 +4,11 @@
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
-  name: {{ include "example-webhook.selfSignedIssuer" . }}
+  name: {{ include "certmanager-webhook-rcodezero.selfSignedIssuer" . }}
   namespace: {{ .Release.Namespace | quote }}
   labels:
-    app: {{ include "example-webhook.name" . }}
-    chart: {{ include "example-webhook.chart" . }}
+    app: {{ include "certmanager-webhook-rcodezero.name" . }}
+    chart: {{ include "certmanager-webhook-rcodezero.chart" . }}
     release: {{ .Release.Name }}
     heritage: {{ .Release.Service }}
 spec:
@@ -20,19 +20,19 @@ spec:
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
-  name: {{ include "example-webhook.rootCACertificate" . }}
+  name: {{ include "certmanager-webhook-rcodezero.rootCACertificate" . }}
   namespace: {{ .Release.Namespace | quote }}
   labels:
-    app: {{ include "example-webhook.name" . }}
-    chart: {{ include "example-webhook.chart" . }}
+    app: {{ include "certmanager-webhook-rcodezero.name" . }}
+    chart: {{ include "certmanager-webhook-rcodezero.chart" . }}
     release: {{ .Release.Name }}
     heritage: {{ .Release.Service }}
 spec:
-  secretName: {{ include "example-webhook.rootCACertificate" . }}
+  secretName: {{ include "certmanager-webhook-rcodezero.rootCACertificate" . }}
   duration: 43800h # 5y
   issuerRef:
-    name: {{ include "example-webhook.selfSignedIssuer" . }}
-  commonName: "ca.example-webhook.cert-manager"
+    name: {{ include "certmanager-webhook-rcodezero.selfSignedIssuer" . }}
+  commonName: "ca.certmanager-webhook-rcodezero.cert-manager"
   isCA: true
 
 ---
@@ -41,36 +41,36 @@ spec:
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
-  name: {{ include "example-webhook.rootCAIssuer" . }}
+  name: {{ include "certmanager-webhook-rcodezero.rootCAIssuer" . }}
   namespace: {{ .Release.Namespace | quote }}
   labels:
-    app: {{ include "example-webhook.name" . }}
-    chart: {{ include "example-webhook.chart" . }}
+    app: {{ include "certmanager-webhook-rcodezero.name" . }}
+    chart: {{ include "certmanager-webhook-rcodezero.chart" . }}
     release: {{ .Release.Name }}
     heritage: {{ .Release.Service }}
 spec:
   ca:
-    secretName: {{ include "example-webhook.rootCACertificate" . }}
+    secretName: {{ include "certmanager-webhook-rcodezero.rootCACertificate" . }}
 
 ---
 
 # Finally, generate a serving certificate for the webhook to use
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
-  name: {{ include "example-webhook.servingCertificate" . }}
+  name: {{ include "certmanager-webhook-rcodezero.servingCertificate" . }}
   namespace: {{ .Release.Namespace | quote }}
   labels:
-    app: {{ include "example-webhook.name" . }}
-    chart: {{ include "example-webhook.chart" . }}
+    app: {{ include "certmanager-webhook-rcodezero.name" . }}
+    chart: {{ include "certmanager-webhook-rcodezero.chart" . }}
     release: {{ .Release.Name }}
     heritage: {{ .Release.Service }}
 spec:
-  secretName: {{ include "example-webhook.servingCertificate" . }}
+  secretName: {{ include "certmanager-webhook-rcodezero.servingCertificate" . }}
   duration: 8760h # 1y
   issuerRef:
-    name: {{ include "example-webhook.rootCAIssuer" . }}
+    name: {{ include "certmanager-webhook-rcodezero.rootCAIssuer" . }}
   dnsNames:
-  - {{ include "example-webhook.fullname" . }}
-  - {{ include "example-webhook.fullname" . }}.{{ .Release.Namespace }}
-  - {{ include "example-webhook.fullname" . }}.{{ .Release.Namespace }}.svc
+  - {{ include "certmanager-webhook-rcodezero.fullname" . }}
+  - {{ include "certmanager-webhook-rcodezero.fullname" . }}.{{ .Release.Namespace }}
+  - {{ include "certmanager-webhook-rcodezero.fullname" . }}.{{ .Release.Namespace }}.svc
diff --git a/charts/rcodezero-webhook/templates/rbac.yaml b/charts/rcodezero-webhook/templates/rbac.yaml
@@ -1,11 +1,11 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ include "example-webhook.fullname" . }}
+  name: {{ include "certmanager-webhook-rcodezero.fullname" . }}
   namespace: {{ .Release.Namespace | quote }}
   labels:
-    app: {{ include "example-webhook.name" . }}
-    chart: {{ include "example-webhook.chart" . }}
+    app: {{ include "certmanager-webhook-rcodezero.name" . }}
+    chart: {{ include "certmanager-webhook-rcodezero.chart" . }}
     release: {{ .Release.Name }}
     heritage: {{ .Release.Service }}
 ---
@@ -15,11 +15,11 @@ metadata:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: {{ include "example-webhook.fullname" . }}:webhook-authentication-reader
+  name: {{ include "certmanager-webhook-rcodezero.fullname" . }}:webhook-authentication-reader
   namespace: kube-system
   labels:
-    app: {{ include "example-webhook.name" . }}
-    chart: {{ include "example-webhook.chart" . }}
+    app: {{ include "certmanager-webhook-rcodezero.name" . }}
+    chart: {{ include "certmanager-webhook-rcodezero.chart" . }}
     release: {{ .Release.Name }}
     heritage: {{ .Release.Service }}
 roleRef:
@@ -29,18 +29,18 @@ roleRef:
 subjects:
   - apiGroup: ""
     kind: ServiceAccount
-    name: {{ include "example-webhook.fullname" . }}
+    name: {{ include "certmanager-webhook-rcodezero.fullname" . }}
     namespace: {{ .Release.Namespace }}
 ---
 # apiserver gets the auth-delegator role to delegate auth decisions to
 # the core apiserver
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: {{ include "example-webhook.fullname" . }}:auth-delegator
+  name: {{ include "certmanager-webhook-rcodezero.fullname" . }}:auth-delegator
   labels:
-    app: {{ include "example-webhook.name" . }}
-    chart: {{ include "example-webhook.chart" . }}
+    app: {{ include "certmanager-webhook-rcodezero.name" . }}
+    chart: {{ include "certmanager-webhook-rcodezero.chart" . }}
     release: {{ .Release.Name }}
     heritage: {{ .Release.Service }}
 roleRef:
@@ -50,17 +50,17 @@ roleRef:
 subjects:
   - apiGroup: ""
     kind: ServiceAccount
-    name: {{ include "example-webhook.fullname" . }}
+    name: {{ include "certmanager-webhook-rcodezero.fullname" . }}
     namespace: {{ .Release.Namespace }}
 ---
 # Grant cert-manager permission to validate using our apiserver
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: {{ include "example-webhook.fullname" . }}:domain-solver
+  name: {{ include "certmanager-webhook-rcodezero.fullname" . }}:domain-solver
   labels:
-    app: {{ include "example-webhook.name" . }}
-    chart: {{ include "example-webhook.chart" . }}
+    app: {{ include "certmanager-webhook-rcodezero.name" . }}
+    chart: {{ include "certmanager-webhook-rcodezero.chart" . }}
     release: {{ .Release.Name }}
     heritage: {{ .Release.Service }}
 rules:
@@ -74,18 +74,86 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: {{ include "example-webhook.fullname" . }}:domain-solver
+  name: {{ include "certmanager-webhook-rcodezero.fullname" . }}:domain-solver
   labels:
-    app: {{ include "example-webhook.name" . }}
-    chart: {{ include "example-webhook.chart" . }}
+    app: {{ include "certmanager-webhook-rcodezero.name" . }}
+    chart: {{ include "certmanager-webhook-rcodezero.chart" . }}
     release: {{ .Release.Name }}
     heritage: {{ .Release.Service }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: {{ include "example-webhook.fullname" . }}:domain-solver
+  name: {{ include "certmanager-webhook-rcodezero.fullname" . }}:domain-solver
 subjects:
   - apiGroup: ""
     kind: ServiceAccount
     name: {{ .Values.certManager.serviceAccountName }}
-    namespace: {{ .Values.certManager.namespace }}
+    namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "certmanager-webhook-rcodezero.fullname" . }}:secret-reader
+  namespace: {{ .Release.Namespace | quote }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - "secrets"
+    resourceNames:
+      - "rcodezero-dns-api-key"
+    verbs:
+      - "get"
+      - "watch"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "certmanager-webhook-rcodezero.fullname" . }}:secret-reader
+  namespace: {{ .Release.Namespace | quote }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "certmanager-webhook-rcodezero.fullname" . }}:secret-reader
+subjects:
+  - apiGroup: ""
+    kind: ServiceAccount
+    name: {{ include "certmanager-webhook-rcodezero.fullname" . }}
+    namespace: {{ .Release.Namespace | quote }}
+{{- if .Values.features.apiPriorityAndFairness }}
+---
+# Grant certmanager-webhook-rcodezero permission to read the flow control mechanism (APF)
+# API Priority and Fairness is enabled by default in Kubernetes 1.20
+# https://kubernetes.io/docs/concepts/cluster-administration/flow-control/
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "certmanager-webhook-rcodezero.fullname" . }}:flowcontrol-solver
+  labels:
+    {{- include "certmanager-webhook-rcodezero.labels" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - "flowcontrol.apiserver.k8s.io"
+    resources:
+      - "prioritylevelconfigurations"
+      - "flowschemas"
+    verbs:
+      - "list"
+      - "watch"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "certmanager-webhook-rcodezero.fullname" . }}:flowcontrol-solver
+  labels:
+    {{- include "certmanager-webhook-rcodezero.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "certmanager-webhook-rcodezero.fullname" . }}:flowcontrol-solver
+subjects:
+  - apiGroup: ""
+    kind: ServiceAccount
+    name: {{ include "certmanager-webhook-rcodezero.fullname" . }}
+    namespace: {{ .Release.Namespace | quote }}
+{{- end }}