OLM: do no use cert-manager

OLM provisions its own webhook certificates.
Do not include cert-manager as a dependency when deploying with OLM.
Rework the directory layout to use cert-manager only when using `make
deploy`.
Revert d4f87b0.

Author: qbarrand

Makefile

@@ -279,7 +279,6 @@ bundle: operator-sdk manifests kustomize ## Generate bundle manifests and metada
 	cd config/manager-base && $(KUSTOMIZE) edit set image signer=$(SIGNER_IMG)
 	cd config/webhook-server && $(KUSTOMIZE) edit set image webhook-server=$(WEBHOOK_IMG)
 	kubectl kustomize config/manifests | ${OPERATOR_SDK} generate bundle $(BUNDLE_GEN_FLAGS)
-	cp -r config/manifests/bundle-metadata/* bundle/metadata/
 	${OPERATOR_SDK} bundle validate ./bundle
 
 .PHONY: bundle-hub
@@ -294,7 +293,6 @@ bundle-hub: operator-sdk manifests kustomize ## Generate bundle manifests and me
 	cd config/manager-base && $(KUSTOMIZE) edit set image signer=$(SIGNER_IMG)
 	cd config/webhook-server && $(KUSTOMIZE) edit set image webhook-server=$(WEBHOOK_IMG)
 	kubectl kustomize config/manifests-hub | ${OPERATOR_SDK} generate bundle --package kernel-module-management-hub $(BUNDLE_GEN_FLAGS)
-	cp -r config/manifests-hub/bundle-metadata/* bundle/metadata/
 	${OPERATOR_SDK} bundle validate ./bundle
 
 .PHONY: bundle-build

config/certificate/kustomization.yaml

@@ -4,14 +4,13 @@ kind: Kustomization
 resources:
   - bases/hub.kmm.sigs.x-k8s.io_managedclustermodules.yaml
 
-patches:
+patches: []
 # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix.
 # patches here are for enabling the conversion webhook for each CRD
 #- path: patches/webhook_in_managedclustermodules.yaml
 #+kubebuilder:scaffold:crdkustomizewebhookpatch
 
 # [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix.
 # patches here are for enabling the CA injection for each CRD
-- path: patches/cainjection_in_managedclustermodules.yaml
+#- path: patches/cainjection_in_managedclustermodules.yaml
 #+kubebuilder:scaffold:crdkustomizecainjectionpatch
-

config/crd-hub/kustomization.yml

@@ -10,7 +10,7 @@ spec:
       clientConfig:
         service:
           namespace: system
-          name: webhook-server-service
+          name: webhook-service
           path: /convert
       conversionReviewVersions:
       - v1

config/crd-hub/patches/cainjection_in_managedclustermodules.yaml

@@ -14,14 +14,9 @@ patches:
 # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix.
 # patches here are for enabling the conversion webhook for each CRD
 #- path: patches/webhook_in_modules.yaml
-#- path: patches/webhook_in_managedclustermodules.yaml
 - path: patches/webhook_in_preflightvalidations.yaml
   #+kubebuilder:scaffold:crdkustomizewebhookpatch
 
-# [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix.
-# patches here are for enabling the CA injection for each CRD
-- path: patches/cainjection_in_modules.yaml
-- path: patches/cainjection_in_preflightvalidations.yaml
 #+kubebuilder:scaffold:crdkustomizecainjectionpatch
 
 # the following config is for teaching kustomize how to do kustomization for CRDs.

config/crd-hub/patches/webhook_in_managedclustermodules.yaml

@@ -10,7 +10,7 @@ spec:
       clientConfig:
         service:
           namespace: system
-          name: webhook-server-service
+          name: webhook-service
           path: /convert
       conversionReviewVersions:
       - v1

config/crd/kustomization.yaml

@@ -10,7 +10,7 @@ spec:
       clientConfig:
         service:
           namespace: system
-          name: webhook-server-service
+          name: webhook-service
           path: /convert
       conversionReviewVersions:
       - v1beta2

config/crd/patches/cainjection_in_modules.yaml

@@ -4,11 +4,6 @@ kind: Kustomization
 # Adds namespace to all resources.
 namespace: kmm-operator-system
 
-# Value of this field is prepended to the
-# names of all resources, e.g. a deployment named
-# "wordpress" becomes "alices-wordpress".
-# Note that it should also match with the prefix (text before '-') of the namespace
-# field above.
 namePrefix: kmm-operator-hub-
 
 # Labels to add to all resources and selectors.
@@ -18,31 +13,13 @@ commonLabels:
   app.kubernetes.io/part-of: kmm
 
 resources:
-- ../crd-hub
-- ../rbac-hub
-- ../manager-hub
-# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
-# crd/kustomization.yaml
-- ../webhook-hub
-# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. 'WEBHOOK' components are required.
-- ../certificate
-# [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
-#- ../prometheus
-- ../webhook-server
+- ../deploy-hub
 
-# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in crd/kustomization.yaml
-patches:
-- path: webhookcainjection_patch.yaml
-- target:
-    kind: Deployment
-    name: webhook-server
-  patch: |-
-    - op: add
-      path: /spec/template/spec/containers/0/args/-
-      value: --enable-managedclustermodule
+components:
+- ../webhook-cert
 
 replacements:
-  # The following patches adds a directive for certmanager to inject CA into the CRD
+  # Replacements below adjust the value of the cert-manager.io/inject-ca-from annotation in CRDs and webhook objects.
   - source:
       kind: Certificate
       fieldPath: metadata.namespace
@@ -52,12 +29,14 @@ replacements:
         fieldPaths:
           - metadata.annotations.[cert-manager.io/inject-ca-from]
         options:
+          create: true
           delimiter: /
       - select:
           kind: ValidatingWebhookConfiguration
         fieldPaths:
           - metadata.annotations.[cert-manager.io/inject-ca-from]
         options:
+          create: true
           delimiter: /
   - source:
       kind: Certificate
@@ -68,19 +47,21 @@ replacements:
         fieldPaths:
           - metadata.annotations.[cert-manager.io/inject-ca-from]
         options:
+          create: true
           delimiter: /
           index: 1
       - select:
           kind: ValidatingWebhookConfiguration
         fieldPaths:
           - metadata.annotations.[cert-manager.io/inject-ca-from]
         options:
+          create: true
           delimiter: /
           index: 1
-  # Patch dnsNames in webhook Certificate
+  # Replacements below adjust the DNS names of the webhook certificate based on the service name.
   - source:
       kind: Service
-      name: webhook-server-service
+      name: webhook-service
       fieldPath: metadata.name
     targets:
       - select:
@@ -91,7 +72,7 @@ replacements:
           delimiter: .
   - source:
       kind: Service
-      name: webhook-server-service
+      name: webhook-service
       fieldPath: metadata.namespace
     targets:
       - select:

config/crd/patches/cainjection_in_preflightvalidations.yaml

@@ -1,14 +1,15 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
+resources:
+- ../deploy
+
+components:
+- ../webhook-cert
+
 # Adds namespace to all resources.
 namespace: kmm-operator-system
 
-# Value of this field is prepended to the
-# names of all resources, e.g. a deployment named
-# "wordpress" becomes "alices-wordpress".
-# Note that it should also match with the prefix (text before '-') of the namespace
-# field above.
 namePrefix: kmm-operator-
 
 # Labels to add to all resources and selectors.
@@ -17,91 +18,52 @@ commonLabels:
   app.kubernetes.io/component: kmm
   app.kubernetes.io/part-of: kmm
 
-# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in crd/kustomization.yaml
-# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. 'WEBHOOK' components are required.
-resources:
-- ../crd
-- ../rbac
-- ../manager
-- ../webhook
-- ../certificate
-# [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
-#- ../prometheus
-- ../webhook-server
-
-patches:
-- path: webhookcainjection_patch.yaml
-- target:
-    kind: Deployment
-    name: webhook-server
-  patch: |-
-    - op: add
-      path: /spec/template/spec/containers/0/args/-
-      value: --enable-module
-    - op: add
-      path: /spec/template/spec/containers/0/args/-
-      value: --enable-namespace
-    - op: add
-      path: /spec/template/spec/containers/0/args/-
-      value: --enable-preflightvalidation
-
 replacements:
-  # The following patches adds a directive for certmanager to inject CA into the CRD
+  # Replacements below adjust the value of the cert-manager.io/inject-ca-from annotation in CRDs and webhook objects.
   - source:
       kind: Certificate
       fieldPath: metadata.namespace
     targets:
-      - select:
-          kind: CustomResourceDefinition
-          name: modules.kmm.sigs.x-k8s.io
-        fieldPaths:
-          - metadata.annotations.[cert-manager.io/inject-ca-from]
-        options:
-          delimiter: /
       - select:
           kind: CustomResourceDefinition
           name: preflightvalidations.kmm.sigs.x-k8s.io
         fieldPaths:
           - metadata.annotations.[cert-manager.io/inject-ca-from]
         options:
+          create: true
           delimiter: /
       - select:
           kind: ValidatingWebhookConfiguration
         fieldPaths:
           - metadata.annotations.[cert-manager.io/inject-ca-from]
         options:
+          create: true
           delimiter: /
   - source:
       kind: Certificate
       fieldPath: metadata.name
     targets:
-      - select:
-          kind: CustomResourceDefinition
-          name: modules.kmm.sigs.x-k8s.io
-        fieldPaths:
-          - metadata.annotations.[cert-manager.io/inject-ca-from]
-        options:
-          delimiter: /
-          index: 1
       - select:
           kind: CustomResourceDefinition
           name: preflightvalidations.kmm.sigs.x-k8s.io
         fieldPaths:
           - metadata.annotations.[cert-manager.io/inject-ca-from]
         options:
+          create: true
           delimiter: /
           index: 1
       - select:
           kind: ValidatingWebhookConfiguration
         fieldPaths:
           - metadata.annotations.[cert-manager.io/inject-ca-from]
         options:
+          create: true
           delimiter: /
           index: 1
-  # Patch dnsNames in webhook Certificate
+  # Replacements below adjust the DNS names of the webhook certificate based on the service name.
   - source:
       kind: Service
-      name: webhook-server-service
+      name: webhook-service
       fieldPath: metadata.name
     targets:
       - select:
@@ -112,7 +74,7 @@ replacements:
           delimiter: .
   - source:
       kind: Service
-      name: webhook-server-service
+      name: webhook-service
       fieldPath: metadata.namespace
     targets:
       - select:

config/crd/patches/webhook_in_modules.yaml

@@ -0,0 +1,22 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in crd/kustomization.yaml
+# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. 'WEBHOOK' components are required.
+resources:
+- ../crd-hub
+- ../rbac-hub
+- ../manager-hub
+- ../webhook-hub
+# [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
+#- ../prometheus
+- ../webhook-server
+
+patches:
+- target:
+    kind: Deployment
+    name: webhook-server
+  patch: |-
+    - op: add
+      path: /spec/template/spec/containers/0/args/-
+      value: --enable-managedclustermodule