add webhook annotations in order to populate caBundle from a cert-manager Certificate #18

Open: wants to merge 4 commits into base: main

MalibuKoKo

Hi,

Thanks for your work, this project is very interesting.

It could be very cool if we managed the Kubernetes Admission Webhook's certificates with cert-manager CA Injector.

You know what? It's done :D

Below is an example of use (requires argocd & cert-manager + ClusterIssuer):

```yaml
---
apiVersion: v1
kind: Namespace
metadata:
  labels:
    admission.kubemod.io/ignore: "true"
    control-plane: controller-manager
  name: kubemod-system
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: serving-cert
  namespace: kubemod-system
spec:
  dnsNames:
  - kubemod-webhook-service
  - kubemod-webhook-service.kubemod-system
  - kubemod-webhook-service.kubemod-system.svc
  - kubemod-webhook-service.kubemod-system.svc.cluster.local
  issuerRef:
    kind: ClusterIssuer
    name: selfsigned-cluster-issuer
  secretName: webhook-server-cert
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: kubemod
spec:
  project: kube-stack
  info:
  - name: artifacthub
    value: https://artifacthub.io/packages/helm/kubmod/kubemod
  - name: values.yaml
    value: https://github.com/kubemod/kubemod-helm/blob/main/helm-chart/kubemod/values.yaml
  - name: table-of-contents
    value: https://github.com/kubemod/kubemod#table-of-contents
  source:
    # chart: kubemod
    # repoURL: https://kubemod.github.io/kubemod-helm
    # targetRevision: v0.3.0
    repoURL: https://github.com/MalibuKoKo/kubemod-helm.git
    path: helm-chart/kubemod
    helm:
      releaseName: kubemod
      skipCrds: false
      values: |
        ---
        job:
          # Deploy the KubeMod certificate generation job
          enabled: false
        webhook:
          annotations:
            cert-manager.io/inject-ca-from: kubemod-system/serving-cert
        modrules:
        - name: add-label-color-blue
          namespace: kubemod-system
          spec:
            targetNamespaceRegex: .*
            match:
              - matchValue: Pod
                select: $.kind
            patch:
              - op: add
                path: /metadata/labels/color
                value: blue
            type: Patch
  destination:
    namespace: kubemod-system
    server: https://kubernetes.default.svc
```

…bhook annotations in order to populate caBundle from a cert-manager Certificate
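A pre-deploy consistency check for the setup in the post above, as an added example that is not part of the pull request or of KubeMod: with the certificate generation job disabled, the `cert-manager.io/inject-ca-from` value must name an existing Certificate as `<namespace>/<name>`, and that Certificate must carry the `<service>.<namespace>.svc` name the API server uses when it calls the webhook. Assumptions: the webhook configuration name and webhook entry name are hypothetical, the service name is taken from the Certificate's `dnsNames`, manifests are already parsed into dicts, and SAN matching is exact (no wildcard handling).

```python
INJECT_ANNOTATION = "cert-manager.io/inject-ca-from"


def check_webhook_ca_injection(webhook_cfg, certificates):
    """Return a list of problems; an empty list means the manifests agree."""
    ref = (webhook_cfg["metadata"].get("annotations") or {}).get(INJECT_ANNOTATION)
    if not ref:
        return [f"missing {INJECT_ANNOTATION}; caBundle will not be injected"]
    ns, sep, name = ref.partition("/")
    if not (ns and sep and name) or "/" in name:
        return [f"annotation value {ref!r} is not <namespace>/<certificate-name>"]
    cert = next((c for c in certificates
                 if c["metadata"].get("namespace") == ns
                 and c["metadata"]["name"] == name), None)
    if cert is None:
        return [f"no Certificate {ref} found for the annotation to reference"]
    sans = set(cert["spec"].get("dnsNames", []))
    problems = []
    for hook in webhook_cfg.get("webhooks", []):
        svc = hook.get("clientConfig", {}).get("service")
        if not svc:
            continue  # URL-based webhooks are outside this check
        # The API server verifies the serving cert against <service>.<namespace>.svc
        required = f"{svc['name']}.{svc['namespace']}.svc"
        if required not in sans:
            problems.append(f"{hook['name']}: Certificate {ref} lacks SAN {required}")
    return problems


# Constructed sample input. The Certificate mirrors the one in the post; the
# webhook configuration name and webhook entry name below are hypothetical.
SERVING_CERT = {
    "kind": "Certificate",
    "metadata": {"name": "serving-cert", "namespace": "kubemod-system"},
    "spec": {"dnsNames": [
        "kubemod-webhook-service",
        "kubemod-webhook-service.kubemod-system",
        "kubemod-webhook-service.kubemod-system.svc",
        "kubemod-webhook-service.kubemod-system.svc.cluster.local"]},
}


def sample_webhook(annotation_value, service_name="kubemod-webhook-service"):
    """Build a constructed MutatingWebhookConfiguration for the check."""
    annotations = {INJECT_ANNOTATION: annotation_value} if annotation_value else {}
    return {"kind": "MutatingWebhookConfiguration",
            "metadata": {"name": "example-webhook-config", "annotations": annotations},
            "webhooks": [{"name": "example.webhook.local", "clientConfig": {
                "service": {"name": service_name, "namespace": "kubemod-system"}}}]}
```
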
vassilvk (Member) commented Apr 7, 2022

Thank you @MalibuKoKo.

This looks good, but I'd like to rethink how KubeMod's helm chart is built.

Currently the helm chart is a separate project and the yaml files are manually picked from the manifest generated by KubeMod's kustomize build process. This is not ideal as one needs to keep reconciling the changes between the two projects.

I am planning on revamping the helm chart and have it be generated as the result of kubemod's build process (similar to the way bundle.yaml is produced).

Once this is done, it would make sense to bring in your changes into the new helm chart.
