From cd87987197fb8f0c05f25d324ceabc05739db2ff Mon Sep 17 00:00:00 2001
From: Fabrizio Sestito
Date: Wed, 24 Jul 2024 12:34:35 +0200
Subject: [PATCH] feat(controller): generate certificates using genCa and genSigneCertificate, inject them in the validating/mutating webhook
Signed-off-by: Fabrizio Sestito
---
 .../templates/webhooks.yaml | 47 ++++++++++++++++++-
 1 file changed, 45 insertions(+), 2 deletions(-)
diff --git a/charts/kubewarden-controller/templates/webhooks.yaml b/charts/kubewarden-controller/templates/webhooks.yaml
index 586e2e76..2127cd8f 100644
--- a/charts/kubewarden-controller/templates/webhooks.yaml
+++ b/charts/kubewarden-controller/templates/webhooks.yaml
@@ -1,9 +1,48 @@
+# generate certificates
+{{ $dnsName := printf "%s-webhook-service.%s.svc" (include "kubewarden-controller.fullname" .) .Release.Namespace }}
+{{ $ca := genCA "kubewarden-controller-ca" 365 }}
+{{ $cert := genSignedCert $dnsName nil list ( $dnsName ) 3650 $ca }}
+{{ $caCert := ($ca.Cert | b64enc) }}
+{{ $caPrivatKey := ($ca.Key | b64enc) }}
+{{ $serverCert := ($cert.Cert | b64enc) }}
+{{ $serverPrivateKey := ($cert.Key | b64enc) }}
+# check if the secrets already exist and if so, use the existing values
+{{ $caSecret := (lookup "v1" "Secret" .Release.Namespace "kubewarden-ca") }}
+{{ if $caSecret }}
+{{ $caCert = (index $ca.data "ca.crt") }}
+{{ $caPrivateKey = (index $ca.data "ca.key") }}
+{{ end }}
+{{ $serverCertSecret := (lookup "v1" "Secret" .Release.Namespace "kubewarden-webhook-server-cert") }}
+{{ if $serverCertSecret }}
+{{ $serverCert = (index $serverCertSecret.data "tls.crt") }}
+{{ $serverPrivateKey = (index $serverCertSecret.data "tls.key") }}
+{{ end }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: kubewarden-ca
+ namespace: {{ .Release.Namespace }}
+labels:
+ {{- include "kubewarden-controller.labels" . | nindent 4 }}
+data:
+ ca.crt: {{ $rootCaCert }}
+ ca.key: {{ $rootCaKey }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: kubewarden-webhook-server-cert
+ namespace: {{ .Release.Namespace }}
+labels:
+ {{- include "kubewarden-controller.labels" . | nindent 4 }}
+data:
+ tls.crt: {{ $serverCert }}
+ tls.key: {{ $serverPrivateKey }}
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:
 annotations:
- cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "kubewarden-controller.fullname" . }}-serving-cert
 {{- include "kubewarden-controller.annotations" . | nindent 4 }}
 name: kubewarden-controller-mutating-webhook-configuration
 labels:
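Review bot: The `kubewarden-ca` Secret at the end of the added block renders `$rootCaCert` and `$rootCaKey`, which are never declared (the generated values live in `$caCert` and `$caPrivatKey`), the same undeclared `$rootCaCert` feeds every `caBundle:` line in the five later hunks, the reuse branch assigns `$caPrivateKey` (declared as `$caPrivatKey`) and indexes `$ca.data` — the `genCA` result — instead of the `$caSecret` returned by `lookup`; any one of these stops the template from parsing. `genSignedCert $dnsName nil list ( $dnsName ) 3650 $ca` appears to pass `list` and `( $dnsName )` as two separate arguments, so `(list $dnsName)` is presumably what was intended. As printed, `labels:` in both Secrets sits at the same column as `metadata:`, which emits an unknown top-level field instead of `metadata.labels` (the `nindent 4` suggests the nested placement was intended). The CA is issued for 365 days while the leaf it signs is issued for 3650, and since the `lookup` branches reuse whatever exists indefinitely nothing ever renews either one; the CA must outlive the leaf, an existing CA Secret should be rebuilt (`buildCustomCert`) so that a freshly generated leaf is signed by the CA that actually lands in `caBundle`, and expiry still needs an explicit renewal path (the validity values below are illustrative).
```yaml
# … unchanged: $dnsName …
{{ $ca := genCA "kubewarden-controller-ca" 3650 }}
# reuse the stored CA, if any, so a new leaf is signed by the CA published in caBundle
{{ $caSecret := (lookup "v1" "Secret" .Release.Namespace "kubewarden-ca") }}
{{ if $caSecret }}
{{ $ca = buildCustomCert (index $caSecret.data "ca.crt") (index $caSecret.data "ca.key") }}
{{ end }}
{{ $caCert := ($ca.Cert | b64enc) }}
{{ $caPrivateKey := ($ca.Key | b64enc) }}
{{ $cert := genSignedCert $dnsName nil (list $dnsName) 365 $ca }}
{{ $serverCert := ($cert.Cert | b64enc) }}
{{ $serverPrivateKey := ($cert.Key | b64enc) }}
# … unchanged: kubewarden-webhook-server-cert lookup and reuse …
apiVersion: v1
kind: Secret
metadata:
  name: kubewarden-ca
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "kubewarden-controller.labels" . | nindent 4 }}
data:
  ca.crt: {{ $caCert }}
  ca.key: {{ $caPrivateKey }}
# … same metadata.labels nesting for the kubewarden-webhook-server-cert Secret …
```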
@@ -13,6 +52,7 @@ webhooks:
 - v1
 - v1beta1
 clientConfig:
+ caBundle: {{ $rootCaCert }}
 service:
 name: {{ include "kubewarden-controller.fullname" . }}-webhook-service
 namespace: {{ .Release.Namespace }}
@@ -34,6 +74,7 @@ webhooks:
 - v1
 - v1beta1
 clientConfig:
+ caBundle: {{ $rootCaCert }}
 service:
 name: {{ include "kubewarden-controller.fullname" . }}-webhook-service
 namespace: {{ .Release.Namespace }}
@@ -78,7 +119,6 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
 annotations:
- cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "kubewarden-controller.fullname" . }}-serving-cert
 {{- include "kubewarden-controller.annotations" . | nindent 4 }}
 name: kubewarden-controller-validating-webhook-configuration
 labels:
@@ -88,6 +128,7 @@ webhooks:
 - v1
 - v1beta1
 clientConfig:
+ caBundle: {{ $rootCaCert }}
 service:
 name: {{ include "kubewarden-controller.fullname" . }}-webhook-service
 namespace: {{ .Release.Namespace }}
@@ -109,6 +150,7 @@ webhooks:
 - v1
 - v1beta1
 clientConfig:
+ caBundle: {{ $rootCaCert }}
 service:
 name: {{ include "kubewarden-controller.fullname" . }}-webhook-service
 namespace: {{ .Release.Namespace }}
@@ -129,6 +171,7 @@ webhooks:
 - admissionReviewVersions:
 - v1
 clientConfig:
+ caBundle: {{ $rootCaCert }}
 service:
 name: {{ include "kubewarden-controller.fullname" . }}-webhook-service
 namespace: {{ .Release.Namespace }}
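Review bot: The `caBundle:` added here is derived from a CA that `lookup` only reuses when Helm is talking to a live cluster; under `helm template`, `--dry-run` or a GitOps renderer `lookup` returns nothing, so every render mints a fresh CA and a bundle that likely no longer matches the serving certificate the running controller has loaded, and admission calls would fail TLS verification until the controller restarts. The chart should document that constraint (install/upgrade against the cluster only) or source the bundle from the same stored Secret the controller reads. Removing the `cert-manager.io/inject-ca-from` annotation also means the controller must now mount `kubewarden-webhook-server-cert` itself; that wiring lives outside this file, so it could not be confirmed here. The enclosing webhook entry starts outside the hunk.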