feat(controller): generate certificates using genCa and genSigneCerti…

…ficate, inject them in the validating/mutating webhook Signed-off-by: Fabrizio Sestito <[email protected]>
kubewarden · Jul 24, 2024 · cd87987 · cd87987
1 parent fad7e6a
commit cd87987
Showing 1 changed file with 45 additions and 2 deletions.
diff --git a/charts/kubewarden-controller/templates/webhooks.yaml b/charts/kubewarden-controller/templates/webhooks.yaml
@@ -1,9 +1,48 @@
+# generate certificates
+{{ $dnsName :=  printf "%s-webhook-service.%s.svc" (include "kubewarden-controller.fullname" .) .Release.Namespace }}
+{{ $ca := genCA "kubewarden-controller-ca" 365 }}
+{{ $cert := genSignedCert $dnsName nil list ( $dnsName ) 3650 $ca }}
+{{ $caCert := ($ca.Cert | b64enc) }}
+{{ $caPrivatKey := ($ca.Key | b64enc) }}
+{{ $serverCert := ($cert.Cert | b64enc) }}
+{{ $serverPrivateKey := ($cert.Key | b64enc) }}
+# check if the secrets already exist and if so, use the existing values
+{{ $caSecret := (lookup "v1" "Secret" .Release.Namespace "kubewarden-ca") }}
+{{ if $caSecret }}
+{{ $caCert = (index $ca.data "ca.crt") }}
+{{ $caPrivateKey = (index $ca.data "ca.key") }}
+{{ end }}
+{{ $serverCertSecret := (lookup "v1" "Secret" .Release.Namespace "kubewarden-webhook-server-cert") }}
+{{ if $serverCertSecret }}
+{{ $serverCert = (index $serverCertSecret.data "tls.crt") }}
+{{ $serverPrivateKey = (index $serverCertSecret.data "tls.key") }}
+{{ end }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: kubewarden-ca
+  namespace: {{ .Release.Namespace }}
+labels:
+  {{- include "kubewarden-controller.labels" . | nindent 4 }}
+data:
+  ca.crt: {{ $rootCaCert }}
+  ca.key: {{ $rootCaKey }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: kubewarden-webhook-server-cert
+  namespace: {{ .Release.Namespace }}
+labels:
+  {{- include "kubewarden-controller.labels" . | nindent 4 }}
+data:
+  tls.crt: {{ $serverCert }}
+  tls.key: {{ $serverPrivateKey }}
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:
   annotations:
-    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "kubewarden-controller.fullname" . }}-serving-cert
     {{- include "kubewarden-controller.annotations" . | nindent 4 }}
   name: kubewarden-controller-mutating-webhook-configuration
   labels:
@@ -13,6 +52,7 @@ webhooks:
   - v1
   - v1beta1
   clientConfig:
+    caBundle: {{ $rootCaCert }}
     service:
       name: {{ include "kubewarden-controller.fullname" . }}-webhook-service
       namespace: {{ .Release.Namespace }}
@@ -34,6 +74,7 @@ webhooks:
     - v1
     - v1beta1
   clientConfig:
+    caBundle: {{ $rootCaCert }}
     service:
       name: {{ include "kubewarden-controller.fullname" . }}-webhook-service
       namespace: {{ .Release.Namespace }}
@@ -78,7 +119,6 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   annotations:
-    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "kubewarden-controller.fullname" . }}-serving-cert
     {{- include "kubewarden-controller.annotations" . | nindent 4 }}
   name: kubewarden-controller-validating-webhook-configuration
   labels:
@@ -88,6 +128,7 @@ webhooks:
   - v1
   - v1beta1
   clientConfig:
+    caBundle: {{ $rootCaCert }}
     service:
       name: {{ include "kubewarden-controller.fullname" . }}-webhook-service
       namespace: {{ .Release.Namespace }}
@@ -109,6 +150,7 @@ webhooks:
   - v1
   - v1beta1
   clientConfig:
+    caBundle: {{ $rootCaCert }}
     service:
       name: {{ include "kubewarden-controller.fullname" . }}-webhook-service
       namespace: {{ .Release.Namespace }}
@@ -129,6 +171,7 @@ webhooks:
 - admissionReviewVersions:
   - v1
   clientConfig:
+    caBundle: {{ $rootCaCert }}
     service:
       name: {{ include "kubewarden-controller.fullname" . }}-webhook-service
       namespace: {{ .Release.Namespace }}