diff --git a/Makefile b/Makefile index 928ffa7..b794f36 100644 --- a/Makefile +++ b/Makefile @@ -37,7 +37,7 @@ build: .PHONY: rendered-manifest.yaml rendered-manifest.yaml: helm template \ - --name example-webhook \ + --name certmanager-webhook-rcodezero \ --set image.repository=$(IMAGE_NAME) \ --set image.tag=$(IMAGE_TAG) \ - deploy/example-webhook > "$(OUT)/rendered-manifest.yaml" + deploy/certmanager-webhook-rcodezero > "$(OUT)/rendered-manifest.yaml" diff --git a/charts/rcodezero-webhook/templates/_helpers.tpl b/charts/rcodezero-webhook/templates/_helpers.tpl index d3c474b..e55cbdd 100644 --- a/charts/rcodezero-webhook/templates/_helpers.tpl +++ b/charts/rcodezero-webhook/templates/_helpers.tpl @@ -2,7 +2,7 @@ {{/* Expand the name of the chart. */}} -{{- define "example-webhook.name" -}} +{{- define "certmanager-webhook-rcodezero.name" -}} {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} {{- end -}} @@ -11,7 +11,7 @@ Create a default fully qualified app name. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). If release name contains chart name it will be used as a full name. */}} -{{- define "example-webhook.fullname" -}} +{{- define "certmanager-webhook-rcodezero.fullname" -}} {{- if .Values.fullnameOverride -}} {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} {{- else -}} 
@@ -27,22 +27,22 @@ If release name contains chart name it will be used as a full name. {{/* Create chart name and version as used by the chart label. */}} -{{- define "example-webhook.chart" -}} +{{- define "certmanager-webhook-rcodezero.chart" -}} {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} {{- end -}} -{{- define "example-webhook.selfSignedIssuer" -}} -{{ printf "%s-selfsign" (include "example-webhook.fullname" .) }} +{{- define "certmanager-webhook-rcodezero.selfSignedIssuer" -}} +{{ printf "%s-selfsign" (include "certmanager-webhook-rcodezero.fullname" .) }} {{- end -}} -{{- define "example-webhook.rootCAIssuer" -}} -{{ printf "%s-ca" (include "example-webhook.fullname" .) }} +{{- define "certmanager-webhook-rcodezero.rootCAIssuer" -}} +{{ printf "%s-ca" (include "certmanager-webhook-rcodezero.fullname" .) }} {{- end -}} -{{- define "example-webhook.rootCACertificate" -}} -{{ printf "%s-ca" (include "example-webhook.fullname" .) }} +{{- define "certmanager-webhook-rcodezero.rootCACertificate" -}} +{{ printf "%s-ca" (include "certmanager-webhook-rcodezero.fullname" .) }} {{- end -}} -{{- define "example-webhook.servingCertificate" -}} -{{ printf "%s-webhook-tls" (include "example-webhook.fullname" .) }} +{{- define "certmanager-webhook-rcodezero.servingCertificate" -}} +{{ printf "%s-webhook-tls" (include "certmanager-webhook-rcodezero.fullname" .) }} {{- end -}} diff --git a/charts/rcodezero-webhook/templates/apiservice.yaml b/charts/rcodezero-webhook/templates/apiservice.yaml index 4f6d5ce..2ee0e5e 100644 --- a/charts/rcodezero-webhook/templates/apiservice.yaml +++ b/charts/rcodezero-webhook/templates/apiservice.yaml 
@@ -3,17 +3,17 @@ kind: APIService metadata: name: v1alpha1.{{ .Values.groupName }} labels: - app: {{ include "example-webhook.name" . }} - chart: {{ include "example-webhook.chart" . }} + app: {{ include "certmanager-webhook-rcodezero.name" . }} + chart: {{ include "certmanager-webhook-rcodezero.chart" . }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} annotations: - cert-manager.io/inject-ca-from: "{{ .Release.Namespace }}/{{ include "example-webhook.servingCertificate" . }}" + cert-manager.io/inject-ca-from: "{{ .Release.Namespace }}/{{ include "certmanager-webhook-rcodezero.servingCertificate" . }}" spec: group: {{ .Values.groupName }} groupPriorityMinimum: 1000 versionPriority: 15 service: - name: {{ include "example-webhook.fullname" . }} + name: {{ include "certmanager-webhook-rcodezero.fullname" . }} namespace: {{ .Release.Namespace }} version: v1alpha1 diff --git a/charts/rcodezero-webhook/templates/deployment.yaml b/charts/rcodezero-webhook/templates/deployment.yaml index 6db0638..8aaa259 100644 --- a/charts/rcodezero-webhook/templates/deployment.yaml +++ b/charts/rcodezero-webhook/templates/deployment.yaml @@ -1,11 +1,11 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: {{ include "example-webhook.fullname" . }} + name: {{ include "certmanager-webhook-rcodezero.fullname" . }} namespace: {{ .Release.Namespace | quote }} labels: - app: {{ include "example-webhook.name" . }} - chart: {{ include "example-webhook.chart" . }} + app: {{ include "certmanager-webhook-rcodezero.name" . }} + chart: {{ include "certmanager-webhook-rcodezero.chart" . }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} spec: 
@@ -15,15 +15,15 @@ spec: {{- end }} selector: matchLabels: - app: {{ include "example-webhook.name" . }} + app: {{ include "certmanager-webhook-rcodezero.name" . }} release: {{ .Release.Name }} template: metadata: labels: - app: {{ include "example-webhook.name" . }} + app: {{ include "certmanager-webhook-rcodezero.name" . }} release: {{ .Release.Name }} spec: - serviceAccountName: {{ include "example-webhook.fullname" . }} + serviceAccountName: {{ include "certmanager-webhook-rcodezero.fullname" . }} containers: - name: {{ .Chart.Name }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" @@ -61,7 +61,7 @@ spec: volumes: - name: certs secret: - secretName: {{ include "example-webhook.servingCertificate" . }} + secretName: {{ include "certmanager-webhook-rcodezero.servingCertificate" . }} {{- with .Values.nodeSelector }} nodeSelector: {{ toYaml . | indent 8 }} diff --git a/charts/rcodezero-webhook/templates/pki.yaml b/charts/rcodezero-webhook/templates/pki.yaml index b4b4c23..4ca8254 100644 --- a/charts/rcodezero-webhook/templates/pki.yaml +++ b/charts/rcodezero-webhook/templates/pki.yaml @@ -4,11 +4,11 @@ apiVersion: cert-manager.io/v1 kind: Issuer metadata: - name: {{ include "example-webhook.selfSignedIssuer" . }} + name: {{ include "certmanager-webhook-rcodezero.selfSignedIssuer" . }} namespace: {{ .Release.Namespace | quote }} labels: - app: {{ include "example-webhook.name" . }} - chart: {{ include "example-webhook.chart" . }} + app: {{ include "certmanager-webhook-rcodezero.name" . }} + chart: {{ include "certmanager-webhook-rcodezero.chart" . }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} spec: 
@@ -20,19 +20,19 @@ spec: apiVersion: cert-manager.io/v1 kind: Certificate metadata: - name: {{ include "example-webhook.rootCACertificate" . }} + name: {{ include "certmanager-webhook-rcodezero.rootCACertificate" . }} namespace: {{ .Release.Namespace | quote }} labels: - app: {{ include "example-webhook.name" . }} - chart: {{ include "example-webhook.chart" . }} + app: {{ include "certmanager-webhook-rcodezero.name" . }} + chart: {{ include "certmanager-webhook-rcodezero.chart" . }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} spec: - secretName: {{ include "example-webhook.rootCACertificate" . }} + secretName: {{ include "certmanager-webhook-rcodezero.rootCACertificate" . }} duration: 43800h # 5y issuerRef: - name: {{ include "example-webhook.selfSignedIssuer" . }} - commonName: "ca.example-webhook.cert-manager" + name: {{ include "certmanager-webhook-rcodezero.selfSignedIssuer" . }} + commonName: "ca.certmanager-webhook-rcodezero.cert-manager" isCA: true --- @@ -41,16 +41,16 @@ spec: apiVersion: cert-manager.io/v1 kind: Issuer metadata: - name: {{ include "example-webhook.rootCAIssuer" . }} + name: {{ include "certmanager-webhook-rcodezero.rootCAIssuer" . }} namespace: {{ .Release.Namespace | quote }} labels: - app: {{ include "example-webhook.name" . }} - chart: {{ include "example-webhook.chart" . }} + app: {{ include "certmanager-webhook-rcodezero.name" . }} + chart: {{ include "certmanager-webhook-rcodezero.chart" . }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} spec: ca: - secretName: {{ include "example-webhook.rootCACertificate" . }} + secretName: {{ include "certmanager-webhook-rcodezero.rootCACertificate" . }} --- 
@@ -58,19 +58,19 @@ spec: apiVersion: cert-manager.io/v1 kind: Certificate metadata: - name: {{ include "example-webhook.servingCertificate" . }} + name: {{ include "certmanager-webhook-rcodezero.servingCertificate" . }} namespace: {{ .Release.Namespace | quote }} labels: - app: {{ include "example-webhook.name" . }} - chart: {{ include "example-webhook.chart" . }} + app: {{ include "certmanager-webhook-rcodezero.name" . }} + chart: {{ include "certmanager-webhook-rcodezero.chart" . }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} spec: - secretName: {{ include "example-webhook.servingCertificate" . }} + secretName: {{ include "certmanager-webhook-rcodezero.servingCertificate" . }} duration: 8760h # 1y issuerRef: - name: {{ include "example-webhook.rootCAIssuer" . }} + name: {{ include "certmanager-webhook-rcodezero.rootCAIssuer" . }} dnsNames: - - {{ include "example-webhook.fullname" . }} - - {{ include "example-webhook.fullname" . }}.{{ .Release.Namespace }} - - {{ include "example-webhook.fullname" . }}.{{ .Release.Namespace }}.svc + - {{ include "certmanager-webhook-rcodezero.fullname" . }} + - {{ include "certmanager-webhook-rcodezero.fullname" . }}.{{ .Release.Namespace }} + - {{ include "certmanager-webhook-rcodezero.fullname" . }}.{{ .Release.Namespace }}.svc diff --git a/charts/rcodezero-webhook/templates/rbac.yaml b/charts/rcodezero-webhook/templates/rbac.yaml index 605fcf5..efe1a3e 100644 --- a/charts/rcodezero-webhook/templates/rbac.yaml +++ b/charts/rcodezero-webhook/templates/rbac.yaml 
@@ -1,11 +1,11 @@ apiVersion: v1 kind: ServiceAccount metadata: - name: {{ include "example-webhook.fullname" . }} + name: {{ include "certmanager-webhook-rcodezero.fullname" . }} namespace: {{ .Release.Namespace | quote }} labels: - app: {{ include "example-webhook.name" . }} - chart: {{ include "example-webhook.chart" . }} + app: {{ include "certmanager-webhook-rcodezero.name" . }} + chart: {{ include "certmanager-webhook-rcodezero.chart" . }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} --- @@ -15,11 +15,11 @@ metadata: apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: {{ include "example-webhook.fullname" . }}:webhook-authentication-reader + name: {{ include "certmanager-webhook-rcodezero.fullname" . }}:webhook-authentication-reader namespace: kube-system labels: - app: {{ include "example-webhook.name" . }} - chart: {{ include "example-webhook.chart" . }} + app: {{ include "certmanager-webhook-rcodezero.name" . }} + chart: {{ include "certmanager-webhook-rcodezero.chart" . }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} roleRef: @@ -29,7 +29,7 @@ roleRef: subjects: - apiGroup: "" kind: ServiceAccount - name: {{ include "example-webhook.fullname" . }} + name: {{ include "certmanager-webhook-rcodezero.fullname" . }} namespace: {{ .Release.Namespace }} --- # apiserver gets the auth-delegator role to delegate auth decisions to @@ -37,10 +37,10 @@ subjects: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: {{ include "example-webhook.fullname" . }}:auth-delegator + name: {{ include "certmanager-webhook-rcodezero.fullname" . }}:auth-delegator labels: - app: {{ include "example-webhook.name" . }} - chart: {{ include "example-webhook.chart" . }} + app: {{ include "certmanager-webhook-rcodezero.name" . }} + chart: {{ include "certmanager-webhook-rcodezero.chart" . }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} roleRef: 
@@ -50,17 +50,17 @@ roleRef: subjects: - apiGroup: "" kind: ServiceAccount - name: {{ include "example-webhook.fullname" . }} + name: {{ include "certmanager-webhook-rcodezero.fullname" . }} namespace: {{ .Release.Namespace }} --- # Grant cert-manager permission to validate using our apiserver apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: {{ include "example-webhook.fullname" . }}:domain-solver + name: {{ include "certmanager-webhook-rcodezero.fullname" . }}:domain-solver labels: - app: {{ include "example-webhook.name" . }} - chart: {{ include "example-webhook.chart" . }} + app: {{ include "certmanager-webhook-rcodezero.name" . }} + chart: {{ include "certmanager-webhook-rcodezero.chart" . }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} rules: 
@@ -74,18 +74,86 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: {{ include "example-webhook.fullname" . }}:domain-solver + name: {{ include "certmanager-webhook-rcodezero.fullname" . }}:domain-solver labels: - app: {{ include "example-webhook.name" . }} - chart: {{ include "example-webhook.chart" . }} + app: {{ include "certmanager-webhook-rcodezero.name" . }} + chart: {{ include "certmanager-webhook-rcodezero.chart" . }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: {{ include "example-webhook.fullname" . }}:domain-solver + name: {{ include "certmanager-webhook-rcodezero.fullname" . }}:domain-solver subjects: - apiGroup: "" kind: ServiceAccount name: {{ .Values.certManager.serviceAccountName }} - namespace: {{ .Values.certManager.namespace }} + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "certmanager-webhook-rcodezero.fullname" . }}:secret-reader + namespace: {{ .Release.Namespace | quote }} +rules: + - apiGroups: + - "" + resources: + - "secrets" + resourceNames: + - "rcodezero-dns-api-key" + verbs: + - "get" + - "watch" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "certmanager-webhook-rcodezero.fullname" . }}:secret-reader + namespace: {{ .Release.Namespace | quote }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "certmanager-webhook-rcodezero.fullname" . }}:secret-reader +subjects: + - apiGroup: "" + kind: ServiceAccount + name: {{ include "certmanager-webhook-rcodezero.fullname" . 
}} + namespace: {{ .Release.Namespace | quote }} +{{- if .Values.features.apiPriorityAndFairness }} +--- +# Grant certmanager-webhook-rcodezero permission to read the flow control mechanism (APF) +# API Priority and Fairness is enabled by default in Kubernetes 1.20 +# https://kubernetes.io/docs/concepts/cluster-administration/flow-control/ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "certmanager-webhook-rcodezero.fullname" . }}:flowcontrol-solver + labels: + {{- include "certmanager-webhook-rcodezero.labels" . | nindent 4 }} +rules: + - apiGroups: + - "flowcontrol.apiserver.k8s.io" + resources: + - "prioritylevelconfigurations" + - "flowschemas" + verbs: + - "list" + - "watch" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "certmanager-webhook-rcodezero.fullname" . }}:flowcontrol-solver + labels: + {{- include "certmanager-webhook-rcodezero.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "certmanager-webhook-rcodezero.fullname" . }}:flowcontrol-solver +subjects: + - apiGroup: "" + kind: ServiceAccount + name: {{ include "certmanager-webhook-rcodezero.fullname" . }} + namespace: {{ .Release.Namespace | quote }} +{{- end }} \ No newline at end of file diff --git a/charts/rcodezero-webhook/templates/service.yaml b/charts/rcodezero-webhook/templates/service.yaml index a76ddc7..929a91f 100644 --- a/charts/rcodezero-webhook/templates/service.yaml +++ b/charts/rcodezero-webhook/templates/service.yaml 
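Review bot: The domain-solver ClusterRoleBinding subject now uses `namespace: {{ .Release.Namespace }}` instead of `.Values.certManager.namespace`, which only works when the chart is installed into the same namespace as cert-manager; installed anywhere else, cert-manager's real ServiceAccount loses access to the webhook API while a ServiceAccount of the same name in the release namespace would receive it instead. If the value is still declared in values.yaml, `namespace: {{ .Values.certManager.namespace | default .Release.Namespace }}` keeps the override while defaulting to the new behaviour. The APF ClusterRole and ClusterRoleBinding render `include "certmanager-webhook-rcodezero.labels"`, but the `_helpers.tpl` hunks above define no `labels` template, so unless it is defined outside the shown hunks `helm template` fails whenever `features.apiPriorityAndFairness` is enabled. The secret-reader Role hard-codes `"rcodezero-dns-api-key"` and carries none of the `app`/`chart`/`release`/`heritage` labels the other resources in this file set; a quoted values-driven secret name would let operators follow their own naming without editing the chart. Note also that the file now ends without a trailing newline.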
@@ -1,11 +1,11 @@ apiVersion: v1 kind: Service metadata: - name: {{ include "example-webhook.fullname" . }} + name: {{ include "certmanager-webhook-rcodezero.fullname" . }} namespace: {{ .Release.Namespace | quote }} labels: - app: {{ include "example-webhook.name" . }} - chart: {{ include "example-webhook.chart" . }} + app: {{ include "certmanager-webhook-rcodezero.name" . }} + chart: {{ include "certmanager-webhook-rcodezero.chart" . }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} spec: @@ -16,5 +16,5 @@ spec: protocol: TCP name: https selector: - app: {{ include "example-webhook.name" . }} + app: {{ include "certmanager-webhook-rcodezero.name" . }} release: {{ .Release.Name }} diff --git a/go.mod b/go.mod index cc7c135..584cbc9 100644 --- a/go.mod +++ b/go.mod @@ -1,4 +1,4 @@ -module github.com/cert-manager/webhook-example +module github.com/blankdots/certmanager-webhook-rcodezero go 1.22.5