Kustomize deprecated vars, use replacements

james-callahan · james-callahan · commit d274f0a3ca8d · 2025-03-11T12:49:16.000+11:00
diff --git a/config/certmanager/cainjection_in_ingressclassparams_patch.yaml b/config/certmanager/cainjection_in_ingressclassparams_patch.yaml
@@ -4,5 +4,6 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
+    # `default` and `serving-cert` may be substituted by kustomize
+    cert-manager.io/inject-ca-from: default/serving-cert
   name: ingressclassparams.elbv2.k8s.aws
diff --git a/config/certmanager/cainjection_in_targetgroupbindings_patch.yaml b/config/certmanager/cainjection_in_targetgroupbindings_patch.yaml
@@ -4,5 +4,6 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
+    # `default` and `serving-cert` may be substituted by kustomize
+    cert-manager.io/inject-ca-from: default/serving-cert
   name: targetgroupbindings.elbv2.k8s.aws
diff --git a/config/certmanager/certificate.yaml b/config/certmanager/certificate.yaml
@@ -14,10 +14,10 @@ kind: Certificate
 metadata:
   name: serving-cert # this name should match the one appeared in kustomizeconfig.yaml
 spec:
-  # $(SERVICE_NAME) and $(SERVICE_NAMESPACE) will be substituted by kustomize
+  # `webhook-service` and `default` may be substituted by kustomize
   dnsNames:
-    - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc
-    - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local
+    - webhook-service.default.svc
+    - webhook-service.default.svc.cluster.local
   issuerRef:
     kind: Issuer
     name: selfsigned-issuer
diff --git a/config/certmanager/kustomization.yaml b/config/certmanager/kustomization.yaml
@@ -8,8 +8,8 @@ patches:
   # patches here are for enabling the CA injection for each CRD
   - path: cainjection_in_targetgroupbindings_patch.yaml
   - path: cainjection_in_ingressclassparams_patch.yaml
-  # This patch add annotation to admission webhook config and
-  # the variables $(CERTIFICATE_NAMESPACE) and $(CERTIFICATE_NAME) will be substituted by kustomize.
+  # This patch add annotation to admission webhook config, `default` and
+  # `serving-cert` may be substituted by kustomize
   - target:
       kind: (MutatingWebhookConfiguration|ValidatingWebhookConfiguration)
     patch: |-
@@ -18,4 +18,4 @@ patches:
       metadata:
         name: webhook
         annotations:
-          cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
+          cert-manager.io/inject-ca-from: default/serving-cert
diff --git a/config/certmanager/kustomizeconfig.yaml b/config/certmanager/kustomizeconfig.yaml
@@ -1,16 +1,8 @@
-# This configuration is for teaching kustomize how to update name ref and var substitution
+# This configuration is for teaching kustomize how to update name ref
 nameReference:
   - kind: Issuer
     group: cert-manager.io
     fieldSpecs:
       - kind: Certificate
         group: cert-manager.io
         path: spec/issuerRef/name
-
-varReference:
-  - kind: Certificate
-    group: cert-manager.io
-    path: spec/commonName
-  - kind: Certificate
-    group: cert-manager.io
-    path: spec/dnsNames
diff --git a/config/crd/kustomizeconfig.yaml b/config/crd/kustomizeconfig.yaml
@@ -1,4 +1,4 @@
-# This file is for teaching kustomize how to substitute name and namespace reference in CRD
+# This file is for teaching kustomize how to modify name and namespace references in CRD
 nameReference:
   - kind: Service
     version: v1
@@ -12,6 +12,3 @@ namespace:
     group: apiextensions.k8s.io
     path: spec/conversion/webhookClientConfig/service/namespace
     create: false
-
-varReference:
-  - path: metadata/annotations
diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml
@@ -28,32 +28,77 @@ components:
   # To disable cert-manager comment out the following line, the 'webhook' component is required
   - ../certmanager
 
-# the following config is for teaching kustomize how to do var substitution
-vars:
-  # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix.
-  - name: CERTIFICATE_NAMESPACE # namespace of the certificate CR
-    objref:
+replacements:
+  # The following patches adds a directive for certmanager to inject CA into the CRD
+  # CRD conversion requires k8s 1.13 or later.
+  - source:
       kind: Certificate
-      group: cert-manager.io
-      version: v1
-      name: serving-cert # this name should match the one in certificate.yaml
-    fieldref:
-      fieldpath: metadata.namespace
-  - name: CERTIFICATE_NAME
-    objref:
+      fieldPath: metadata.namespace
+    targets:
+      - select:
+          kind: CustomResourceDefinition
+        fieldPaths:
+          - metadata.annotations.[cert-manager.io/inject-ca-from]
+        options:
+          delimiter: /
+      - select:
+          kind: MutatingWebhookConfiguration
+        fieldPaths:
+          - metadata.annotations.[cert-manager.io/inject-ca-from]
+        options:
+          delimiter: /
+      - select:
+          kind: ValidatingWebhookConfiguration
+        fieldPaths:
+          - metadata.annotations.[cert-manager.io/inject-ca-from]
+        options:
+          delimiter: /
+  - source:
       kind: Certificate
-      group: cert-manager.io
-      version: v1
-      name: serving-cert # this name should match the one in certificate.yaml
-  - name: SERVICE_NAMESPACE # namespace of the service
-    objref:
+      fieldPath: metadata.name
+    targets:
+      - select:
+          kind: CustomResourceDefinition
+        fieldPaths:
+          - metadata.annotations.[cert-manager.io/inject-ca-from]
+        options:
+          delimiter: /
+          index: 1
+      - select:
+          kind: MutatingWebhookConfiguration
+        fieldPaths:
+          - metadata.annotations.[cert-manager.io/inject-ca-from]
+        options:
+          delimiter: /
+          index: 1
+      - select:
+          kind: ValidatingWebhookConfiguration
+        fieldPaths:
+          - metadata.annotations.[cert-manager.io/inject-ca-from]
+        options:
+          delimiter: /
+          index: 1
+  # Patch dnsNames in webhook Service
+  - source:
       kind: Service
-      version: v1
-      name: webhook-service
-    fieldref:
-      fieldpath: metadata.namespace
-  - name: SERVICE_NAME
-    objref:
+      fieldPath: metadata.name
+    targets:
+      - select:
+          kind: Certificate
+          name: serving-cert
+        fieldPaths:
+          - spec.dnsNames.*
+        options:
+          delimiter: .
+  - source:
       kind: Service
-      version: v1
-      name: webhook-service
+      fieldPath: metadata.namespace
+    targets:
+      - select:
+          kind: Certificate
+          name: serving-cert
+        fieldPaths:
+          - spec.dnsNames.*
+        options:
+          delimiter: .
+          index: 1
diff --git a/config/webhook/kustomizeconfig.yaml b/config/webhook/kustomizeconfig.yaml
@@ -1,4 +1,4 @@
-# the following config is for teaching kustomize where to look at when substituting vars.
+# the following config is for teaching kustomize where to look at when modifing fields.
 # It requires kustomize v2.1.0 or newer to work properly.
 nameReference:
   - kind: Service
@@ -20,6 +20,3 @@ namespace:
     group: admissionregistration.k8s.io
     path: webhooks/clientConfig/service/namespace
     create: true
-
-varReference:
-  - path: metadata/annotations
