existing_arrikto: add cert-manager (kubeflow#549)

* kfdef: existing_arrikto: add cert-manager Signed-off-by: Yannis Zarkadas <[email protected]> * admission-webhook: support cert-manager certificate Signed-off-by: Yannis Zarkadas <[email protected]> * kfctl: existing_arrikto: use cert-manager for admission-webhook certificate Signed-off-by: Yannis Zarkadas <[email protected]> * regenerate tests Signed-off-by: Yannis Zarkadas <[email protected]>
Dibel · Nov 5, 2019 · 5582927 · 5582927
1 parent e580d56
commit 5582927
Show file tree

Hide file tree

Showing 8 changed files with 470 additions and 1 deletion.
diff --git a/admission-webhook/webhook/overlays/cert-manager/certificate.yaml b/admission-webhook/webhook/overlays/cert-manager/certificate.yaml
@@ -0,0 +1,14 @@
+apiVersion: cert-manager.io/v1alpha2
+kind: Certificate
+metadata:
+  name: admission-webhook-cert
+spec:
+  isCA: true
+  commonName: $(serviceName).$(namespace).svc
+  dnsNames:
+  - $(serviceName).$(namespace).svc
+  - $(serviceName).$(namespace).svc.cluster.local
+  issuerRef:
+    kind: ClusterIssuer
+    name: $(issuer)
+  secretName: webhook-certs
diff --git a/admission-webhook/webhook/overlays/cert-manager/deployment.yaml b/admission-webhook/webhook/overlays/cert-manager/deployment.yaml
@@ -0,0 +1,12 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: deployment
+spec:
+  template:
+    spec:
+      containers:
+      - name: admission-webhook
+        args:
+        - --tlsCertFile=/etc/webhook/certs/tls.crt
+        - --tlsKeyFile=/etc/webhook/certs/tls.key
diff --git a/admission-webhook/webhook/overlays/cert-manager/kustomization.yaml b/admission-webhook/webhook/overlays/cert-manager/kustomization.yaml
@@ -0,0 +1,36 @@
+bases:
+- ../../base
+
+resources:
+- certificate.yaml
+
+patchesStrategicMerge:
+- mutating-webhook-configuration.yaml
+- deployment.yaml
+
+configMapGenerator:
+- name: admission-webhook-parameters
+  behavior: merge
+  env: params.env
+generatorOptions:
+  disableNameSuffixHash: true
+
+vars:
+- name: issuer
+  objref:
+    kind: ConfigMap
+    name: admission-webhook-parameters
+    apiVersion: v1
+  fieldref:
+    fieldpath: data.issuer
+- name: cert_name
+  objref:
+      kind: Certificate
+      group: cert-manager.io
+      version: v1alpha2
+      name: admission-webhook-cert
+  fieldref:
+    fieldpath: metadata.name
+
+configurations:
+- params.yaml
diff --git a/admission-webhook/webhook/overlays/cert-manager/mutating-webhook-configuration.yaml b/admission-webhook/webhook/overlays/cert-manager/mutating-webhook-configuration.yaml
@@ -0,0 +1,7 @@
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: mutating-webhook-configuration
+  annotations:
+    cert-manager.io/inject-ca-from: $(namespace)/$(cert_name)
+
diff --git a/admission-webhook/webhook/overlays/cert-manager/params.env b/admission-webhook/webhook/overlays/cert-manager/params.env
@@ -0,0 +1 @@
+issuer=kubeflow-self-signing-issuer
diff --git a/admission-webhook/webhook/overlays/cert-manager/params.yaml b/admission-webhook/webhook/overlays/cert-manager/params.yaml
@@ -0,0 +1,9 @@
+varReference:
+- path: spec/commonName
+  kind: Certificate
+- path: spec/dnsNames
+  kind: Certificate
+- path: spec/issuerRef/name
+  kind: Certificate
+- path: metadata/annotations
+  kind: MutatingWebhookConfiguration
diff --git a/kfdef/kfctl_existing_arrikto.0.7.0.yaml b/kfdef/kfctl_existing_arrikto.0.7.0.yaml
@@ -324,4 +324,4 @@ spec:
     name: seldon-core-operator
   repos:
   - name: manifests
-    uri: https://github.com/kubeflow/manifests/archive/2b34c263cf5165339f856b50cd759db30c6cae9d.tar.gz
+    uri: https://github.com/Dibel/manifests/archive/v0.7-branch.tar.gz