From d3c4876f6d6cdce93ae4a50b4d6fd82690c38b7f Mon Sep 17 00:00:00 2001 From: James Callahan Date: Mon, 6 Mar 2023 14:22:54 +1100 Subject: [PATCH 1/9] Clean up kustomizations - Always include apiVersion+kind of kustomization files - `patchesStrategicMerge` was deprecated, use `patches` instead - `bases` was deprecated, use `resources` instead - Order `configurations` first --- config/certmanager/kustomization.yaml | 7 ++++--- config/controller/kustomization.yaml | 11 +++++----- config/crd/kustomization.yaml | 20 +++++++++++-------- config/default/kustomization.yaml | 21 ++++++++++++++++---- config/default/webhookcainjection_patch.yaml | 15 -------------- config/prometheus/kustomization.yaml | 2 ++ config/rbac/kustomization.yaml | 2 ++ config/webhook/kustomization.yaml | 17 +++++++++------- 8 files changed, 52 insertions(+), 43 deletions(-) delete mode 100644 config/default/webhookcainjection_patch.yaml diff --git a/config/certmanager/kustomization.yaml b/config/certmanager/kustomization.yaml index 95f333f3f7..284038014f 100644 --- a/config/certmanager/kustomization.yaml +++ b/config/certmanager/kustomization.yaml @@ -1,5 +1,6 @@ -resources: - - certificate.yaml - +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization configurations: - kustomizeconfig.yaml +resources: + - certificate.yaml diff --git a/config/controller/kustomization.yaml b/config/controller/kustomization.yaml index 877fb06120..7cd7ead0db 100644 --- a/config/controller/kustomization.yaml +++ b/config/controller/kustomization.yaml @@ -1,11 +1,10 @@ -resources: -- controller.yaml -patchesStrategicMerge: -- iam_for_sa_patch.yaml -- security_context_patch.yaml - apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization +resources: +- controller.yaml +patches: +- path: iam_for_sa_patch.yaml +- path: security_context_patch.yaml images: - name: controller newName: public.ecr.aws/eks/aws-load-balancer-controller 
diff --git a/config/crd/kustomization.yaml b/config/crd/kustomization.yaml index 80942b54a0..0cb61adef5 100644 --- a/config/crd/kustomization.yaml +++ b/config/crd/kustomization.yaml @@ -1,3 +1,10 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +# the following config is for teaching kustomize how to do kustomization for CRDs. +configurations: + - kustomizeconfig.yaml + # This kustomization.yaml is not intended to be run by itself, # since it depends on service name and namespace that are out of this kustomize package. # It should be run by config/default @@ -6,19 +13,16 @@ resources: - bases/elbv2.k8s.aws_ingressclassparams.yaml # +kubebuilder:scaffold:crdkustomizeresource -patchesStrategicMerge: +patches: # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix. # patches here are for enabling the conversion webhook for each CRD -#- patches/webhook_in_targetgroupbindings.yaml -#- patches/webhook_in_ingressclassparams.yaml +#- path: patches/webhook_in_targetgroupbindings.yaml +#- path: patches/webhook_in_ingressclassparams.yaml # +kubebuilder:scaffold:crdkustomizewebhookpatch # [CERTMANAGER] To enable webhook, uncomment all the sections with [CERTMANAGER] prefix. # patches here are for enabling the CA injection for each CRD -#- patches/cainjection_in_targetgroupbindings.yaml -#- patches/cainjection_in_ingressclassparams.yaml +#- path: patches/cainjection_in_targetgroupbindings.yaml +#- path: patches/cainjection_in_ingressclassparams.yaml # +kubebuilder:scaffold:crdkustomizecainjectionpatch -# the following config is for teaching kustomize how to do kustomization for CRDs. -configurations: - - kustomizeconfig.yaml diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml index 9f7cbfe993..c807c2c4ee 100644 --- a/config/default/kustomization.yaml +++ b/config/default/kustomization.yaml 
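Review bot: The file-level warning `# This kustomization.yaml is not intended to be run by itself, ...` now sits below the new `configurations:` stanza instead of at the head of config/crd/kustomization.yaml, so a reader meets `configurations` before the note that this package depends on config/default. Moving the three comment lines above `apiVersion:` (or placing `configurations:` after the comment and before `resources:`) keeps the warning where it is read first. The second hunk of this file only renames `patchesStrategicMerge` and rewrites the commented-out entries, and raises nothing on its own.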
@@ -1,3 +1,6 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + # Adds namespace to all resources. namespace: kube-system @@ -12,7 +15,7 @@ namePrefix: aws-load-balancer- commonLabels: app.kubernetes.io/name: aws-load-balancer-controller -bases: +resources: - ../crd - ../rbac - ../controller @@ -24,15 +27,25 @@ bases: # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. #- ../prometheus -patchesStrategicMerge: +patches: # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in # crd/kustomization.yaml - - controller_webhook_patch.yaml + - path: controller_webhook_patch.yaml # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. # Uncomment 'CERTMANAGER' sections in crd/kustomization.yaml to enable the CA injection in the admission webhooks. # 'CERTMANAGER' needs to be enabled to use ca injection - - webhookcainjection_patch.yaml + # This patch add annotation to admission webhook config and + # the variables $(CERTIFICATE_NAMESPACE) and $(CERTIFICATE_NAME) will be substituted by kustomize. + - target: + kind: (MutatingWebhookConfiguration|ValidatingWebhookConfiguration) + patch: |- + apiVersion: admissionregistration.k8s.io/v1 + kind: dummy + metadata: + name: webhook + annotations: + cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) # the following config is for teaching kustomize how to do var substitution vars: diff --git a/config/default/webhookcainjection_patch.yaml b/config/default/webhookcainjection_patch.yaml deleted file mode 100644 index dfdb6f0cb9..0000000000 --- a/config/default/webhookcainjection_patch.yaml +++ /dev/null 
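Review bot: The inline patch that replaces `webhookcainjection_patch.yaml` selects on `kind: (MutatingWebhookConfiguration|ValidatingWebhookConfiguration)` alone, whereas the deleted file matched on `metadata.name: webhook` as well, so the `cert-manager.io/inject-ca-from` annotation is now applied to every webhook configuration in the build rather than only this project's; the `name: webhook` inside the patch body presumably no longer narrows the selection once `target` is given. Adding `name: webhook` under `target:` restores the previous scope, which matters because this annotation decides which CA the API server trusts for the webhook if other configurations are ever pulled into the overlay. The same `target` block reappears in the certmanager component hunk at L7. Whether `kind: dummy` in the patch body is accepted by the kustomize release this repo pins is not visible here and is worth confirming with a `kustomize build`.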
@@ -1,15 +0,0 @@ -# This patch add annotation to admission webhook config and -# the variables $(CERTIFICATE_NAMESPACE) and $(CERTIFICATE_NAME) will be substituted by kustomize. -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: - name: webhook - annotations: - cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: webhook - annotations: - cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) diff --git a/config/prometheus/kustomization.yaml b/config/prometheus/kustomization.yaml index d556b996a2..6387aa209f 100644 --- a/config/prometheus/kustomization.yaml +++ b/config/prometheus/kustomization.yaml @@ -1,2 +1,4 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization resources: - monitor.yaml diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml index 90fb2c61f1..ad10900254 100644 --- a/config/rbac/kustomization.yaml +++ b/config/rbac/kustomization.yaml @@ -1,3 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization resources: - role.yaml - role_binding.yaml diff --git a/config/webhook/kustomization.yaml b/config/webhook/kustomization.yaml index 20d98aca4c..8bc23fa493 100644 --- a/config/webhook/kustomization.yaml +++ b/config/webhook/kustomization.yaml @@ -1,11 +1,14 @@ -resources: - - manifests.yaml - - service.yaml +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization configurations: - kustomizeconfig.yaml -patchesStrategicMerge: - - pod_mutator_patch.yaml - - service_mutator_patch.yaml - - ingressclassparams_validator_patch.yaml +resources: + - manifests.yaml + - service.yaml + +patches: + - path: pod_mutator_patch.yaml + - path: service_mutator_patch.yaml + - path: ingressclassparams_validator_patch.yaml From 863072b40c6561c37975d609a2ba7a1256f82f30 Mon Sep 17 00:00:00 2001 
From: James Callahan Date: Mon, 6 Mar 2023 14:23:15 +1100 Subject: [PATCH 2/9] Use commonLabels --- config/controller/controller.yaml | 12 +----------- config/controller/kustomization.yaml | 2 ++ 2 files changed, 3 insertions(+), 11 deletions(-) diff --git a/config/controller/controller.yaml b/config/controller/controller.yaml index 9dc62eab2b..637735a1ea 100644 --- a/config/controller/controller.yaml +++ b/config/controller/controller.yaml @@ -2,24 +2,14 @@ apiVersion: v1 kind: ServiceAccount metadata: name: controller - labels: - app.kubernetes.io/component: controller --- apiVersion: apps/v1 kind: Deployment metadata: name: controller - labels: - app.kubernetes.io/component: controller spec: - selector: - matchLabels: - app.kubernetes.io/component: controller replicas: 1 template: - metadata: - labels: - app.kubernetes.io/component: controller spec: containers: - name: controller @@ -44,4 +34,4 @@ spec: timeoutSeconds: 10 terminationGracePeriodSeconds: 10 priorityClassName: system-cluster-critical - serviceAccountName: controller \ No newline at end of file + serviceAccountName: controller diff --git a/config/controller/kustomization.yaml b/config/controller/kustomization.yaml index 7cd7ead0db..e2d96e7cc1 100644 --- a/config/controller/kustomization.yaml +++ b/config/controller/kustomization.yaml @@ -1,5 +1,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization +commonLabels: + app.kubernetes.io/component: controller resources: - controller.yaml patches: From 510e06cacf1884264c567576fc48fb832499e713 Mon Sep 17 00:00:00 2001 From: James Callahan Date: Mon, 6 Mar 2023 14:29:43 +1100 Subject: [PATCH 3/9] Add ports declaration to controller container --- config/controller/controller.yaml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/config/controller/controller.yaml b/config/controller/controller.yaml index 637735a1ea..be44303800 100644 --- a/config/controller/controller.yaml +++ b/config/controller/controller.yaml 
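Review bot: Removing `spec.selector.matchLabels` leaves the Deployment in config/controller/controller.yaml with no selector at all, so the manifest is valid only after kustomize's `commonLabels` injects the label into both the selector and the pod template; applying or validating the file outside the kustomization is now rejected, which deserves a comment such as `# selector and pod labels are injected by commonLabels in kustomization.yaml`. Because `commonLabels` also lands in the immutable selector, any later change to `app.kubernetes.io/component` forces a delete-and-recreate of the Deployment rather than a rollout, and if the pinned kustomize supports it the newer `labels:` field with `includeSelectors: true` makes that choice explicit. The webhook Service presumably selects on the same label; it is not in this diff, so it is worth confirming it still matches after the move.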
@@ -24,6 +24,16 @@ spec: requests: cpu: 100m memory: 200Mi + ports: + - containerPort: 9443 + name: webhook + protocol: TCP + - containerPort: 8080 + name: metrics + protocol: TCP + - containerPort: 61779 + name: healthprobe + protocol: TCP livenessProbe: failureThreshold: 2 httpGet: From c6acc27f866e275929c66595dfad1dd1a33d1c4a Mon Sep 17 00:00:00 2001 From: James Callahan Date: Mon, 6 Mar 2023 14:47:41 +1100 Subject: [PATCH 4/9] Consolidate cert-manager kustomize pieces into the one component --- ...njection_in_ingressclassparams_patch.yaml} | 0 ...jection_in_targetgroupbindings_patch.yaml} | 0 config/certmanager/kustomization.yaml | 19 +++++++++++++-- config/crd/kustomization.yaml | 7 ------ config/default/kustomization.yaml | 23 ++++--------------- 5 files changed, 22 insertions(+), 27 deletions(-) rename config/{crd/patches/cainjection_in_ingressclassparams.yaml => certmanager/cainjection_in_ingressclassparams_patch.yaml} (100%) rename config/{crd/patches/cainjection_in_targetgroupbindings.yaml => certmanager/cainjection_in_targetgroupbindings_patch.yaml} (100%) diff --git a/config/crd/patches/cainjection_in_ingressclassparams.yaml b/config/certmanager/cainjection_in_ingressclassparams_patch.yaml similarity index 100% rename from config/crd/patches/cainjection_in_ingressclassparams.yaml rename to config/certmanager/cainjection_in_ingressclassparams_patch.yaml diff --git a/config/crd/patches/cainjection_in_targetgroupbindings.yaml b/config/certmanager/cainjection_in_targetgroupbindings_patch.yaml similarity index 100% rename from config/crd/patches/cainjection_in_targetgroupbindings.yaml rename to config/certmanager/cainjection_in_targetgroupbindings_patch.yaml diff --git a/config/certmanager/kustomization.yaml b/config/certmanager/kustomization.yaml index 284038014f..7d139cbc2c 100644 --- a/config/certmanager/kustomization.yaml +++ b/config/certmanager/kustomization.yaml 
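Review bot: The three `containerPort` values are now a second copy of numbers that the probes (and presumably the controller's flags, not visible in the hunk) already carry, with nothing tying the copies together, so a change to one side silently drifts from the other. Referencing the named port from the probe, e.g. `port: healthprobe` under `livenessProbe.httpGet`, keeps the probe bound to the declaration; the probe's `port` line itself is outside this hunk. Since `containerPort` entries are informational in Kubernetes, this hunk changes nothing about what is reachable on the Pod; it only makes the webhook, metrics and health ports visible to tooling such as NetworkPolicy generators, which is a good reason to keep them accurate.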
@@ -1,6 +1,21 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component configurations: - kustomizeconfig.yaml resources: - certificate.yaml +patches: + # patches here are for enabling the CA injection for each CRD + - path: cainjection_in_targetgroupbindings_patch.yaml + - path: cainjection_in_ingressclassparams_patch.yaml + # This patch add annotation to admission webhook config and + # the variables $(CERTIFICATE_NAMESPACE) and $(CERTIFICATE_NAME) will be substituted by kustomize. + - target: + kind: (MutatingWebhookConfiguration|ValidatingWebhookConfiguration) + patch: |- + apiVersion: admissionregistration.k8s.io/v1 + kind: dummy + metadata: + name: webhook + annotations: + cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) diff --git a/config/crd/kustomization.yaml b/config/crd/kustomization.yaml index 0cb61adef5..5438e51073 100644 --- a/config/crd/kustomization.yaml +++ b/config/crd/kustomization.yaml @@ -19,10 +19,3 @@ patches: #- path: patches/webhook_in_targetgroupbindings.yaml #- path: patches/webhook_in_ingressclassparams.yaml # +kubebuilder:scaffold:crdkustomizewebhookpatch - -# [CERTMANAGER] To enable webhook, uncomment all the sections with [CERTMANAGER] prefix. -# patches here are for enabling the CA injection for each CRD -#- path: patches/cainjection_in_targetgroupbindings.yaml -#- path: patches/cainjection_in_ingressclassparams.yaml -# +kubebuilder:scaffold:crdkustomizecainjectionpatch - diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml index c807c2c4ee..1f9eef451e 100644 --- a/config/default/kustomization.yaml +++ b/config/default/kustomization.yaml 
@@ -22,31 +22,18 @@ resources: # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in # crd/kustomization.yaml - ../webhook - # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. 'WEBHOOK' components are required. + # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. + #- ../prometheus + +components: + # To disable cert-manager comment out the following line, the 'webhook' component is required - ../certmanager -# [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. -#- ../prometheus patches: # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in # crd/kustomization.yaml - path: controller_webhook_patch.yaml - # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. - # Uncomment 'CERTMANAGER' sections in crd/kustomization.yaml to enable the CA injection in the admission webhooks. - # 'CERTMANAGER' needs to be enabled to use ca injection - # This patch add annotation to admission webhook config and - # the variables $(CERTIFICATE_NAMESPACE) and $(CERTIFICATE_NAME) will be substituted by kustomize. - - target: - kind: (MutatingWebhookConfiguration|ValidatingWebhookConfiguration) - patch: |- - apiVersion: admissionregistration.k8s.io/v1 - kind: dummy - metadata: - name: webhook - annotations: - cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) - # the following config is for teaching kustomize how to do var substitution vars: # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix. From 1e6d80cb3f9a556857523aa4299fb493b75a7859 Mon Sep 17 00:00:00 2001 
From: James Callahan Date: Mon, 6 Mar 2023 14:50:28 +1100 Subject: [PATCH 5/9] Consolidate webhook kustomize pieces into the one component --- config/crd/kustomization.yaml | 7 ------- config/default/kustomization.yaml | 10 ++-------- .../{default => webhook}/controller_webhook_patch.yaml | 0 .../ingressclassparams_patch.yaml} | 0 config/webhook/kustomization.yaml | 8 ++++++-- .../targetgroupbindings_patch.yaml} | 0 6 files changed, 8 insertions(+), 17 deletions(-) rename config/{default => webhook}/controller_webhook_patch.yaml (100%) rename config/{crd/patches/webhook_in_ingressclassparams.yaml => webhook/ingressclassparams_patch.yaml} (100%) rename config/{crd/patches/webhook_in_targetgroupbindings.yaml => webhook/targetgroupbindings_patch.yaml} (100%) diff --git a/config/crd/kustomization.yaml b/config/crd/kustomization.yaml index 5438e51073..578cb2244d 100644 --- a/config/crd/kustomization.yaml +++ b/config/crd/kustomization.yaml @@ -12,10 +12,3 @@ resources: - bases/elbv2.k8s.aws_targetgroupbindings.yaml - bases/elbv2.k8s.aws_ingressclassparams.yaml # +kubebuilder:scaffold:crdkustomizeresource - -patches: -# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix. -# patches here are for enabling the conversion webhook for each CRD -#- path: patches/webhook_in_targetgroupbindings.yaml -#- path: patches/webhook_in_ingressclassparams.yaml -# +kubebuilder:scaffold:crdkustomizewebhookpatch diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml index 1f9eef451e..1a88b10f2e 100644 --- a/config/default/kustomization.yaml +++ b/config/default/kustomization.yaml 
@@ -19,21 +19,15 @@ resources: - ../crd - ../rbac - ../controller - # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in - # crd/kustomization.yaml - - ../webhook # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. #- ../prometheus components: + # To disable the conversion webhook, comment out this component + - ../webhook # To disable cert-manager comment out the following line, the 'webhook' component is required - ../certmanager -patches: - # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in - # crd/kustomization.yaml - - path: controller_webhook_patch.yaml - # the following config is for teaching kustomize how to do var substitution vars: # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix. diff --git a/config/default/controller_webhook_patch.yaml b/config/webhook/controller_webhook_patch.yaml similarity index 100% rename from config/default/controller_webhook_patch.yaml rename to config/webhook/controller_webhook_patch.yaml diff --git a/config/crd/patches/webhook_in_ingressclassparams.yaml b/config/webhook/ingressclassparams_patch.yaml similarity index 100% rename from config/crd/patches/webhook_in_ingressclassparams.yaml rename to config/webhook/ingressclassparams_patch.yaml diff --git a/config/webhook/kustomization.yaml b/config/webhook/kustomization.yaml index 8bc23fa493..27d5c23f6c 100644 --- a/config/webhook/kustomization.yaml +++ b/config/webhook/kustomization.yaml @@ -1,5 +1,5 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component configurations: - kustomizeconfig.yaml 
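Review bot: The comment `# To disable the conversion webhook, comment out this component` understates what `../webhook` now carries: after this commit's moves the component also holds `manifests.yaml` and the pod/service mutator and ingressclassparams validator patches, so commenting it out removes the admission webhooks (including the TargetGroupBinding and IngressClassParams validators) as well as CRD conversion. Suggest `# To disable all webhooks (admission and CRD conversion), comment out this component; the certmanager component below requires it`. Components also need a kustomize that understands `kustomize.config.k8s.io/v1alpha1` `Component` (kustomize 3.7 or later, to my recollection), which is worth stating wherever the repo documents its tooling versions.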
@@ -12,3 +12,7 @@ patches: - path: pod_mutator_patch.yaml - path: service_mutator_patch.yaml - path: ingressclassparams_validator_patch.yaml + - path: controller_webhook_patch.yaml + # patches here are for enabling the conversion webhook for each CRD + - path: targetgroupbindings_patch.yaml + - path: ingressclassparams_patch.yaml diff --git a/config/crd/patches/webhook_in_targetgroupbindings.yaml b/config/webhook/targetgroupbindings_patch.yaml similarity index 100% rename from config/crd/patches/webhook_in_targetgroupbindings.yaml rename to config/webhook/targetgroupbindings_patch.yaml From f7d0c7e844db8cb984cf6ee4e37cce0bfdfa48c5 Mon Sep 17 00:00:00 2001 From: James Callahan Date: Mon, 6 Mar 2023 15:10:56 +1100 Subject: [PATCH 6/9] Kustomize deprecated `vars`, use `replacements` --- ...injection_in_ingressclassparams_patch.yaml | 3 +- ...njection_in_targetgroupbindings_patch.yaml | 3 +- config/certmanager/certificate.yaml | 6 +- config/certmanager/kustomization.yaml | 6 +- config/certmanager/kustomizeconfig.yaml | 10 +- config/crd/kustomizeconfig.yaml | 5 +- config/default/kustomization.yaml | 95 ++++++++++++++----- config/webhook/kustomizeconfig.yaml | 5 +- 8 files changed, 83 insertions(+), 50 deletions(-) diff --git a/config/certmanager/cainjection_in_ingressclassparams_patch.yaml b/config/certmanager/cainjection_in_ingressclassparams_patch.yaml index d0fc2a0b22..c29da01068 100644 --- a/config/certmanager/cainjection_in_ingressclassparams_patch.yaml +++ b/config/certmanager/cainjection_in_ingressclassparams_patch.yaml @@ -4,5 +4,6 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + # `default` and `serving-cert` may be substituted by kustomize + cert-manager.io/inject-ca-from: default/serving-cert name: ingressclassparams.elbv2.k8s.aws 
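Review bot: `default/serving-cert` is a syntactically valid reference to a real namespace, so if the `replacements` in config/default do not fire (the component built on its own, a `select` that matches nothing, a source that cannot be resolved) the CRDs and webhook configurations end up pointing cert-manager at a Certificate in `default` instead of `kube-system`, and the build still succeeds silently; the previous `$(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)` form at least made a missed substitution visible in the output. A placeholder that cannot resolve to anything, e.g. `cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME`, should work the same way since the replacement rewrites each `/`-delimited segment, and keeps a misconfiguration loud. The same applies to `cainjection_in_targetgroupbindings_patch.yaml` and the `dnsNames` in `certificate.yaml` at L12 and to the inline patch at L13, and the comment `may be substituted by kustomize` should say that the default overlay does substitute them.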
diff --git a/config/certmanager/cainjection_in_targetgroupbindings_patch.yaml b/config/certmanager/cainjection_in_targetgroupbindings_patch.yaml index 76353eb800..55845355e7 100644 --- a/config/certmanager/cainjection_in_targetgroupbindings_patch.yaml +++ b/config/certmanager/cainjection_in_targetgroupbindings_patch.yaml @@ -4,5 +4,6 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + # `default` and `serving-cert` may be substituted by kustomize + cert-manager.io/inject-ca-from: default/serving-cert name: targetgroupbindings.elbv2.k8s.aws diff --git a/config/certmanager/certificate.yaml b/config/certmanager/certificate.yaml index 78ccadc538..1984131e56 100644 --- a/config/certmanager/certificate.yaml +++ b/config/certmanager/certificate.yaml @@ -14,10 +14,10 @@ kind: Certificate metadata: name: serving-cert # this name should match the one appeared in kustomizeconfig.yaml spec: - # $(SERVICE_NAME) and $(SERVICE_NAMESPACE) will be substituted by kustomize + # `webhook-service` and `default` may be substituted by kustomize dnsNames: - - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc - - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local + - webhook-service.default.svc + - webhook-service.default.svc.cluster.local issuerRef: kind: Issuer name: selfsigned-issuer diff --git a/config/certmanager/kustomization.yaml b/config/certmanager/kustomization.yaml index 7d139cbc2c..3ebe62a26c 100644 --- a/config/certmanager/kustomization.yaml +++ b/config/certmanager/kustomization.yaml 
@@ -8,8 +8,8 @@ patches: # patches here are for enabling the CA injection for each CRD - path: cainjection_in_targetgroupbindings_patch.yaml - path: cainjection_in_ingressclassparams_patch.yaml - # This patch add annotation to admission webhook config and - # the variables $(CERTIFICATE_NAMESPACE) and $(CERTIFICATE_NAME) will be substituted by kustomize. + # This patch add annotation to admission webhook config, `default` and + # `serving-cert` may be substituted by kustomize - target: kind: (MutatingWebhookConfiguration|ValidatingWebhookConfiguration) patch: |- @@ -18,4 +18,4 @@ patches: metadata: name: webhook annotations: - cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + cert-manager.io/inject-ca-from: default/serving-cert diff --git a/config/certmanager/kustomizeconfig.yaml b/config/certmanager/kustomizeconfig.yaml index d58c4f20c2..3e23b40da8 100644 --- a/config/certmanager/kustomizeconfig.yaml +++ b/config/certmanager/kustomizeconfig.yaml @@ -1,4 +1,4 @@ -# This configuration is for teaching kustomize how to update name ref and var substitution +# This configuration is for teaching kustomize how to update name ref nameReference: - kind: Issuer group: cert-manager.io @@ -6,11 +6,3 @@ nameReference: - kind: Certificate group: cert-manager.io path: spec/issuerRef/name - -varReference: - - kind: Certificate - group: cert-manager.io - path: spec/commonName - - kind: Certificate - group: cert-manager.io - path: spec/dnsNames diff --git a/config/crd/kustomizeconfig.yaml b/config/crd/kustomizeconfig.yaml index e9cda71241..c279bc9318 100644 --- a/config/crd/kustomizeconfig.yaml +++ b/config/crd/kustomizeconfig.yaml @@ -1,4 +1,4 @@ -# This file is for teaching kustomize how to substitute name and namespace reference in CRD +# This file is for teaching kustomize how to modify name and namespace references in CRD nameReference: - kind: Service version: v1 
@@ -12,6 +12,3 @@ namespace: group: apiextensions.k8s.io path: spec/conversion/webhookClientConfig/service/namespace create: false - -varReference: - - path: metadata/annotations diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml index 1a88b10f2e..640f247289 100644 --- a/config/default/kustomization.yaml +++ b/config/default/kustomization.yaml 
@@ -28,32 +28,77 @@ components: # To disable cert-manager comment out the following line, the 'webhook' component is required - ../certmanager -# the following config is for teaching kustomize how to do var substitution -vars: - # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix. - - name: CERTIFICATE_NAMESPACE # namespace of the certificate CR - objref: +replacements: + # The following patches adds a directive for certmanager to inject CA into the CRD + # CRD conversion requires k8s 1.13 or later. + - source: kind: Certificate - group: cert-manager.io - version: v1 - name: serving-cert # this name should match the one in certificate.yaml - fieldref: - fieldpath: metadata.namespace - - name: CERTIFICATE_NAME - objref: + fieldPath: metadata.namespace + targets: + - select: + kind: CustomResourceDefinition + fieldPaths: + - metadata.annotations.[cert-manager.io/inject-ca-from] + options: + delimiter: / + - select: + kind: MutatingWebhookConfiguration + fieldPaths: + - metadata.annotations.[cert-manager.io/inject-ca-from] + options: + delimiter: / + - select: + kind: ValidatingWebhookConfiguration + fieldPaths: + - metadata.annotations.[cert-manager.io/inject-ca-from] + options: + delimiter: / + - source: kind: Certificate - group: cert-manager.io - version: v1 - name: serving-cert # this name should match the one in certificate.yaml - - name: SERVICE_NAMESPACE # namespace of the service - objref: + fieldPath: metadata.name + targets: + - select: + kind: CustomResourceDefinition + fieldPaths: + - metadata.annotations.[cert-manager.io/inject-ca-from] + options: + delimiter: / + index: 1 + - select: + kind: MutatingWebhookConfiguration + fieldPaths: + - metadata.annotations.[cert-manager.io/inject-ca-from] + options: + delimiter: / + index: 1 + - select: + kind: ValidatingWebhookConfiguration + fieldPaths: + - metadata.annotations.[cert-manager.io/inject-ca-from] + options: + delimiter: / + index: 1 + # Patch dnsNames in webhook 
Service + - source: kind: Service - version: v1 - name: webhook-service - fieldref: - fieldpath: metadata.namespace - - name: SERVICE_NAME - objref: + fieldPath: metadata.name + targets: + - select: + kind: Certificate + name: serving-cert + fieldPaths: + - spec.dnsNames.* + options: + delimiter: . + - source: kind: Service - version: v1 - name: webhook-service + fieldPath: metadata.namespace + targets: + - select: + kind: Certificate + name: serving-cert + fieldPaths: + - spec.dnsNames.* + options: + delimiter: . + index: 1 diff --git a/config/webhook/kustomizeconfig.yaml b/config/webhook/kustomizeconfig.yaml index 5e35ba0995..b47a5499ac 100644 --- a/config/webhook/kustomizeconfig.yaml +++ b/config/webhook/kustomizeconfig.yaml @@ -1,4 +1,4 @@ -# the following config is for teaching kustomize where to look at when substituting vars. +# the following config is for teaching kustomize where to look at when modifing fields. # It requires kustomize v2.1.0 or newer to work properly. nameReference: - kind: Service @@ -20,6 +20,3 @@ namespace: group: admissionregistration.k8s.io path: webhooks/clientConfig/service/namespace create: true - -varReference: - - path: metadata/annotations From 1e9da7ccf65b7f357c5e64607082db094bac4018 Mon Sep 17 00:00:00 2001 From: James Callahan Date: Wed, 22 Mar 2023 11:07:47 +1100 Subject: [PATCH 7/9] Use CRD v1 form kustomize also requires that we specify a namespace here, or else it won't add one --- config/webhook/ingressclassparams_patch.yaml | 17 ++++++++++------- config/webhook/kustomizeconfig.yaml | 3 +++ config/webhook/targetgroupbindings_patch.yaml | 17 ++++++++++------- 3 files changed, 23 insertions(+), 14 deletions(-) diff --git a/config/webhook/ingressclassparams_patch.yaml b/config/webhook/ingressclassparams_patch.yaml index 9862733b51..e58168a10e 100644 --- a/config/webhook/ingressclassparams_patch.yaml +++ b/config/webhook/ingressclassparams_patch.yaml 
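Review bot: Both `source:` entries select by `kind` only (`kind: Certificate`, `kind: Service`) whereas the `vars` they replace named the objects (`name: serving-cert`, `name: webhook-service` on the removed lines), so the moment a second Certificate or Service enters the build — a metrics Service, say — the source becomes ambiguous and the build fails; the CustomResourceDefinition `select` blocks likewise carry no `name`, so every CRD in the build must have the `cert-manager.io/inject-ca-from` annotation or the replacement may error, depending on the kustomize version. Adding `name: serving-cert` under the Certificate sources and `name: webhook-service` under the Service sources restores the previous precision (the Certificate targets already do this). The leading comment `# The following patches adds a directive for certmanager to inject CA into the CRD` / `# CRD conversion requires k8s 1.13 or later.` describes a patch rather than replacements and the version note is stale; suggest `# Replacements fill the serving Certificate's namespace/name into the inject-ca-from annotations, and the webhook Service's name/namespace into the Certificate's dnsNames`.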
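Review bot: The rewritten comment reads `when modifing fields` — `modifying` — and the line below it, `# It requires kustomize v2.1.0 or newer to work properly.`, is stale now that the overlay relies on `replacements` and components, which need a far newer kustomize. Suggest `# the following config is for teaching kustomize where to look when modifying fields.` and either raising the version floor to the release the repo actually tests with or dropping that sentence.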
@@ -7,10 +7,13 @@ metadata: spec: conversion: strategy: Webhook - webhookClientConfig: - # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank, - # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager) - caBundle: Cg== - service: - name: webhook-service - path: /convert + webhook: + clientConfig: + # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank, + # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager) + caBundle: Cg== + service: + namespace: default + name: webhook-service + path: /convert + conversionReviewVersions: ["v1", "v1beta1"] diff --git a/config/webhook/kustomizeconfig.yaml b/config/webhook/kustomizeconfig.yaml index b47a5499ac..a0ac8db564 100644 --- a/config/webhook/kustomizeconfig.yaml +++ b/config/webhook/kustomizeconfig.yaml @@ -10,6 +10,9 @@ nameReference: - kind: ValidatingWebhookConfiguration group: admissionregistration.k8s.io path: webhooks/clientConfig/service/name + - group: apiextensions.k8s.io + kind: CustomResourceDefinition + path: spec/conversion/webhook/clientConfig/service/name namespace: - kind: MutatingWebhookConfiguration diff --git a/config/webhook/targetgroupbindings_patch.yaml b/config/webhook/targetgroupbindings_patch.yaml index 24e7415c47..516a2c07a3 100644 --- a/config/webhook/targetgroupbindings_patch.yaml +++ b/config/webhook/targetgroupbindings_patch.yaml 
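Review bot: The hardcoded `namespace: default` in `spec.conversion.webhook.clientConfig.service` relies on kustomize rewriting it to the overlay's namespace, but the only CRD entry of the namespace transformer visible in this series still points at the v1beta1 path `spec/conversion/webhookClientConfig/service/namespace` with `create: false` (config/crd/kustomizeconfig.yaml, context at L14), and this commit adds a `nameReference` for the new `spec/conversion/webhook/clientConfig/service/name` path but no `namespace` entry beside it. Unless the pinned kustomize's built-in namespace fieldspecs already cover `spec/conversion/webhook/clientConfig/service/namespace`, the rendered CRDs keep `namespace: default` and conversion traffic is sent to a Service in a namespace this deployment does not own; please update the crd kustomizeconfig entry to the v1 path (or add one next to the new `nameReference` in config/webhook/kustomizeconfig.yaml) and check the rendered output of `kustomize build config/default`. The same applies to `targetgroupbindings_patch.yaml` at L18.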
@@ -7,10 +7,13 @@ metadata: spec: conversion: strategy: Webhook - webhookClientConfig: - # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank, - # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager) - caBundle: Cg== - service: - name: webhook-service - path: /convert + webhook: + clientConfig: + # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank, + # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager) + caBundle: Cg== + service: + namespace: default + name: webhook-service + path: /convert + conversionReviewVersions: ["v1", "v1beta1"] From 781b0ca3d19f61718eb256098944e55e98b905eb Mon Sep 17 00:00:00 2001 From: James Callahan Date: Fri, 24 Mar 2023 10:33:47 +1100 Subject: [PATCH 8/9] caBundle doesn't need to be set And it causes the resource to show up in e.g. ArgoCD as Out-of-Sync --- config/webhook/ingressclassparams_patch.yaml | 4 +--- config/webhook/targetgroupbindings_patch.yaml | 4 +--- 2 files changed, 2 insertions(+), 6 deletions(-) diff --git a/config/webhook/ingressclassparams_patch.yaml b/config/webhook/ingressclassparams_patch.yaml index e58168a10e..5ef882dad8 100644 --- a/config/webhook/ingressclassparams_patch.yaml +++ b/config/webhook/ingressclassparams_patch.yaml @@ -9,9 +9,7 @@ spec: strategy: Webhook webhook: clientConfig: - # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank, - # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager) - caBundle: Cg== + # `caBundle` should be filled in by cert-manager (or potentially a patch if not using cert-manager) service: namespace: default name: webhook-service diff --git a/config/webhook/targetgroupbindings_patch.yaml b/config/webhook/targetgroupbindings_patch.yaml index 516a2c07a3..ecd8ce67d9 100644 
--- a/config/webhook/targetgroupbindings_patch.yaml +++ b/config/webhook/targetgroupbindings_patch.yaml @@ -9,9 +9,7 @@ spec: strategy: Webhook webhook: clientConfig: - # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank, - # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager) - caBundle: Cg== + # `caBundle` should be filled in by cert-manager (or potentially a patch if not using cert-manager) service: namespace: default name: webhook-service From 448dd6ca6e45a7e14d4e182ade4ee6897b2baadd Mon Sep 17 00:00:00 2001 From: James Callahan Date: Mon, 17 Apr 2023 11:29:33 +1000 Subject: [PATCH 9/9] Remove hardcoded namespaces kustomize will fill these in for us --- config/webhook/manifests.yaml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/config/webhook/manifests.yaml b/config/webhook/manifests.yaml index 00793b4707..f22643c94c 100644 --- a/config/webhook/manifests.yaml +++ b/config/webhook/manifests.yaml @@ -9,7 +9,6 @@ webhooks: clientConfig: service: name: webhook-service - namespace: system path: /mutate-v1-pod failurePolicy: Ignore name: mpod.elbv2.k8s.aws @@ -28,7 +27,6 @@ webhooks: clientConfig: service: name: webhook-service - namespace: system path: /mutate-v1-service failurePolicy: Fail name: mservice.elbv2.k8s.aws @@ -47,7 +45,6 @@ webhooks: clientConfig: service: name: webhook-service - namespace: system path: /mutate-elbv2-k8s-aws-v1beta1-targetgroupbinding failurePolicy: Fail name: mtargetgroupbinding.elbv2.k8s.aws @@ -73,7 +70,6 @@ webhooks: clientConfig: service: name: webhook-service - namespace: system path: /validate-elbv2-k8s-aws-v1beta1-ingressclassparams failurePolicy: Fail name: vingressclassparams.elbv2.k8s.aws @@ -93,7 +89,6 @@ webhooks: clientConfig: service: name: webhook-service - namespace: system path: /validate-elbv2-k8s-aws-v1beta1-targetgroupbinding failurePolicy: Fail name: vtargetgroupbinding.elbv2.k8s.aws 
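Review bot: If `config/webhook/manifests.yaml` is the file controller-gen writes from the `+kubebuilder:webhook` markers (the `+kubebuilder:scaffold` markers elsewhere in this series suggest that toolchain), controller-gen emits `namespace: system` on every `clientConfig.service`, and the next `make manifests` reinstates the six lines removed here and in the `@@ -113,7 +108,6 @@` hunk at L20. The webhook kustomizeconfig's `namespace:` entry with `create: true` (context at L16) already rewrites that field, so the deletion gains nothing in the rendered output and only creates churn against the generator. If the hand edit is intentional, the commit message should say the file is no longer byte-identical to controller-gen output so the next regeneration is not mistaken for a regression.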
@@ -113,7 +108,6 @@ webhooks: clientConfig: service: name: webhook-service - namespace: system path: /validate-networking-v1-ingress failurePolicy: Fail matchPolicy: Equivalent