Inject the webhook CA into the validated CRDs (#429) (#430)

Author: qbarrand

config/crd-hub/kustomization.yml

@@ -12,6 +12,6 @@ patches:
 
 # [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix.
 # patches here are for enabling the CA injection for each CRD
-#- path: patches/cainjection_in_managedclustermodules.yaml
+- path: patches/cainjection_in_managedclustermodules.yaml
 #+kubebuilder:scaffold:crdkustomizecainjectionpatch
 

config/crd-hub/patches/cainjection_in_managedclustermodules.yaml

@@ -5,4 +5,4 @@ metadata:
   annotations:
     # `default` and `serving-cert` may be substituted by kustomize
     cert-manager.io/inject-ca-from: default/serving-cert
-  name: managedclustermodules.kmm.sigs.x-k8s.io
+  name: managedclustermodules.hub.kmm.sigs.x-k8s.io

config/crd-hub/patches/webhook_in_managedclustermodules.yaml

@@ -2,7 +2,7 @@
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
-  name: managedclustermodules.kmm.sigs.x-k8s.io
+  name: managedclustermodules.hub.kmm.sigs.x-k8s.io
 spec:
   conversion:
     strategy: Webhook

config/crd/kustomization.yaml

@@ -18,8 +18,8 @@ patches:
 
 # [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix.
 # patches here are for enabling the CA injection for each CRD
-#- path: patches/cainjection_in_modules.yaml
-#- path: patches/cainjection_in_managedclustermodules.yaml
+- path: patches/cainjection_in_modules.yaml
+#- path: patches/cainjection_in_preflightvalidations.yaml
 #+kubebuilder:scaffold:crdkustomizecainjectionpatch
 
 # the following config is for teaching kustomize how to do kustomization for CRDs.

config/crd/patches/cainjection_in_managedclustermodules.yaml renamed to config/crd/patches/cainjection_in_preflightvalidations.yaml

@@ -5,4 +5,4 @@ metadata:
   annotations:
     # `default` and `serving-cert` may be substituted by kustomize
     cert-manager.io/inject-ca-from: default/serving-cert
-  name: managedclustermodules.kmm.sigs.x-k8s.io
+  name: preflightvalidations.kmm.sigs.x-k8s.io

config/crd/patches/webhook_in_managedclustermodules.yaml renamed to config/crd/patches/webhook_in_preflightvalidations.yaml

@@ -2,7 +2,7 @@
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
-  name: managedclustermodules.kmm.sigs.x-k8s.io
+  name: preflightvalidations.kmm.sigs.x-k8s.io
 spec:
   conversion:
     strategy: Webhook

config/default-hub/kustomization.yaml

@@ -40,6 +40,12 @@ replacements:
       kind: Certificate
       fieldPath: metadata.namespace
     targets:
+      - select:
+          kind: CustomResourceDefinition
+        fieldPaths:
+          - metadata.annotations.[cert-manager.io/inject-ca-from]
+        options:
+          delimiter: /
       - select:
           kind: ValidatingWebhookConfiguration
         fieldPaths:
@@ -50,6 +56,13 @@ replacements:
       kind: Certificate
       fieldPath: metadata.name
     targets:
+      - select:
+          kind: CustomResourceDefinition
+        fieldPaths:
+          - metadata.annotations.[cert-manager.io/inject-ca-from]
+        options:
+          delimiter: /
+          index: 1
       - select:
           kind: ValidatingWebhookConfiguration
         fieldPaths:

config/default/kustomization.yaml

@@ -39,6 +39,13 @@ replacements:
       kind: Certificate
       fieldPath: metadata.namespace
     targets:
+      - select:
+          kind: CustomResourceDefinition
+          name: modules.kmm.sigs.x-k8s.io
+        fieldPaths:
+          - metadata.annotations.[cert-manager.io/inject-ca-from]
+        options:
+          delimiter: /
       - select:
           kind: ValidatingWebhookConfiguration
         fieldPaths:
@@ -49,6 +56,14 @@ replacements:
       kind: Certificate
       fieldPath: metadata.name
     targets:
+      - select:
+          kind: CustomResourceDefinition
+          name: modules.kmm.sigs.x-k8s.io
+        fieldPaths:
+          - metadata.annotations.[cert-manager.io/inject-ca-from]
+        options:
+          delimiter: /
+          index: 1
       - select:
           kind: ValidatingWebhookConfiguration
         fieldPaths:

config/manager-base/kustomization.yaml

@@ -10,13 +10,7 @@ images:
   newTag: latest
 
 patches:
-# Protect the /metrics endpoint by putting it behind auth.
-# If you want your controller-manager to expose the /metrics
-# endpoint w/o any authn/z, please comment the following line.
 - path: manager_auth_proxy_patch.yaml
-
-# Mount the controller config file for loading manager configurations
-# through a ComponentConfig type
 - path: manager_config_patch.yaml
 
 configurations: