make webhook tls setup work w/o cert-manager (optionally)

cbarbian-sap · cbarbian-sap · commit ef05b143860a · 2023-06-21T13:18:31.000+02:00
diff --git a/chart/README.md b/chart/README.md
@@ -30,7 +30,11 @@ A Helm chart for https://github.com/sap/cf-service-operator
 | resources.limits.cpu | float | `0.1` | CPU limit |
 | resources.requests.memory | string | `"20Mi"` | Memory request |
 | resources.requests.cpu | float | `0.01` | CPU request |
-| enableSapBindingMetadata | bool | `false` | Enable SAP binding metadata (per default, can be overridden by annotation service-operator.cf.cs.sap.com/with-sap-binding-metadata) |
+| enableSapBindingMetadata | bool | `false` | Enable SAP binding metadata (per default, can be overridden by annotation per binding object) |
+| webhook.certManager.enabled | bool | `false` | Whether to use cert-manager to manage webhook tls |
+| webhook.certManager.issuerGroup | string | `""` | Issuer group (only relevant if enabled is true; if unset, the default cert-manager group is used) |
+| webhook.certManager.issuerKind | string | `""` | Issuer kind (only relevant if enabled is true; if unset, the default cert-manager type 'Issuer' is used) |
+| webhook.certManager.issuerName | string | `""` | Issuer name (only relevant if enabled is true; if unset, a self-signed issuer is used) |
 
 ----------------------------------------------
 Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0)
diff --git a/chart/templates/controller-deployment.yaml b/chart/templates/controller-deployment.yaml
@@ -98,5 +98,5 @@ spec:
       - name: tls
         secret:
           defaultMode: 420
-          secretName: {{ include "cf-service-operator.fullname" . }}-tls
+          secretName: {{ include "cf-service-operator.fullname" . }}-{{ ternary "tls-managed" "tls" .Values.webhook.certManager.enabled }}
 
diff --git a/chart/templates/controller-service.yaml b/chart/templates/controller-service.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "cf-service-operator.fullname" . }}
+  labels:
+    {{- include "cf-service-operator.labels" . | nindent 4 }}
+spec:
+  ports:
+    - port: 443
+      protocol: TCP
+      targetPort: webhook-server
+      name: https
+  selector:
+    {{- include "cf-service-operator.selectorLabels" . | nindent 4 }}
diff --git a/chart/templates/webhook.yaml b/chart/templates/webhook.yaml
@@ -1,18 +1,86 @@
+{{- $caCert := "" }}
+{{- if .Values.webhook.certManager.enabled }}
+{{- if not .Values.webhook.certManager.issuerName }}
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ include "cf-service-operator.fullname" . }}
+  labels:
+    {{- include "cf-service-operator.labels" . | nindent 4 }}
+spec:
+  selfSigned: {}
+{{- end }}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ include "cf-service-operator.fullname" . }}
+  labels:
+    {{- include "cf-service-operator.labels" . | nindent 4 }}
+spec:
+  dnsNames:
+  - {{ include "cf-service-operator.fullname" . }}
+  - {{ include "cf-service-operator.fullname" . }}.{{ .Release.Namespace }}
+  - {{ include "cf-service-operator.fullname" . }}.{{ .Release.Namespace }}.svc
+  - {{ include "cf-service-operator.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local
+  issuerRef:
+    {{- if .Values.webhook.certManager.issuerName }}
+    {{- with .Values.webhook.certManager.issuerGroup }}
+    group: {{ . }}
+    {{- end }}
+    {{- with .Values.webhook.certManager.issuerKind }}
+    kind: {{ . }}
+    {{- end }}
+    name: {{ .Values.webhook.certManager.issuerName }}
+    {{- else }}
+    name: {{ include "cf-service-operator.fullname" . }}
+    {{- end }}
+  secretName: {{ include "cf-service-operator.fullname" . }}-tls-managed
+{{- else }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "cf-service-operator.fullname" . }}-tls
+  labels:
+    {{- include "cf-service-operator.labels" . | nindent 4 }}
+type: Opaque
+data:
+  {{- $data := (lookup "v1" "Secret" .Release.Namespace (printf "%s-tls" (include "cf-service-operator.fullname" .))).data }}
+  {{- if $data }}
+  {{ $data | toYaml | nindent 2 }}
+  {{- $caCert = index $data "ca.crt" }}
+  {{- else }}
+  {{- $cn := printf "%s.%s.svc" (include "cf-service-operator.fullname" .) .Release.Namespace }}
+  {{- $ca := genCA (printf "%s-ca" (include "cf-service-operator.fullname" .)) 36500 }}
+  {{- $cert := genSignedCert $cn nil (list $cn) 36500 $ca }}
+  ca.crt: {{ $ca.Cert | b64enc }}
+  tls.crt: {{ $cert.Cert | b64enc }}
+  tls.key: {{ $cert.Key | b64enc }}
+  {{- $caCert = $ca.Cert | b64enc }}
+  {{- end }}
+{{- end }}
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:
   name: {{ include "cf-service-operator.fullname" . }}-mutate
   labels:
     {{- include "cf-service-operator.labels" . | nindent 4 }}
+  {{- if .Values.webhook.certManager.enabled }}
   annotations:
     cert-manager.io/inject-ca-from:  {{ .Release.Namespace }}/{{ include "cf-service-operator.fullname" . }}
+  {{- end }}
 webhooks:
 - admissionReviewVersions:
   - v1
   clientConfig:
+    {{- if not .Values.webhook.certManager.enabled }}
+    caBundle: {{ $caCert }}
+    {{- end }}
     service:
-      name: {{ include "cf-service-operator.fullname" . }}-webhook
+      name: {{ include "cf-service-operator.fullname" . }}
       namespace: {{ .Release.Namespace }}
       path: /mutate-cf-cs-sap-com-v1alpha1-clusterspace
   failurePolicy: Fail
@@ -32,8 +100,11 @@ webhooks:
 - admissionReviewVersions:
   - v1
   clientConfig:
+    {{- if not .Values.webhook.certManager.enabled }}
+    caBundle: {{ $caCert }}
+    {{- end }}
     service:
-      name: {{ include "cf-service-operator.fullname" . }}-webhook
+      name: {{ include "cf-service-operator.fullname" . }}
       namespace: {{ .Release.Namespace }}
       path: /mutate-cf-cs-sap-com-v1alpha1-servicebinding
   failurePolicy: Fail
@@ -53,8 +124,11 @@ webhooks:
 - admissionReviewVersions:
   - v1
   clientConfig:
+    {{- if not .Values.webhook.certManager.enabled }}
+    caBundle: {{ $caCert }}
+    {{- end }}
     service:
-      name: {{ include "cf-service-operator.fullname" . }}-webhook
+      name: {{ include "cf-service-operator.fullname" . }}
       namespace: {{ .Release.Namespace }}
       path: /mutate-cf-cs-sap-com-v1alpha1-serviceinstance
   failurePolicy: Fail
@@ -74,8 +148,11 @@ webhooks:
 - admissionReviewVersions:
   - v1
   clientConfig:
+    {{- if not .Values.webhook.certManager.enabled }}
+    caBundle: {{ $caCert }}
+    {{- end }}
     service:
-      name: {{ include "cf-service-operator.fullname" . }}-webhook
+      name: {{ include "cf-service-operator.fullname" . }}
       namespace: {{ .Release.Namespace }}
       path: /mutate-cf-cs-sap-com-v1alpha1-space
   failurePolicy: Fail
@@ -99,14 +176,19 @@ metadata:
   name: {{ include "cf-service-operator.fullname" . }}-validate
   labels:
     {{- include "cf-service-operator.labels" . | nindent 4 }}
+  {{- if .Values.webhook.certManager.enabled }}
   annotations:
     cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "cf-service-operator.fullname" . }}
+  {{- end }}
 webhooks:
 - admissionReviewVersions:
   - v1
   clientConfig:
+    {{- if not .Values.webhook.certManager.enabled }}
+    caBundle: {{ $caCert }}
+    {{- end }}
     service:
-      name: {{ include "cf-service-operator.fullname" . }}-webhook
+      name: {{ include "cf-service-operator.fullname" . }}
       namespace: {{ .Release.Namespace }}
       path: /validate-cf-cs-sap-com-v1alpha1-clusterspace
   failurePolicy: Fail
@@ -126,8 +208,11 @@ webhooks:
 - admissionReviewVersions:
   - v1
   clientConfig:
+    {{- if not .Values.webhook.certManager.enabled }}
+    caBundle: {{ $caCert }}
+    {{- end }}
     service:
-      name: {{ include "cf-service-operator.fullname" . }}-webhook
+      name: {{ include "cf-service-operator.fullname" . }}
       namespace: {{ .Release.Namespace }}
       path: /validate-cf-cs-sap-com-v1alpha1-servicebinding
   failurePolicy: Fail
@@ -147,8 +232,11 @@ webhooks:
 - admissionReviewVersions:
   - v1
   clientConfig:
+    {{- if not .Values.webhook.certManager.enabled }}
+    caBundle: {{ $caCert }}
+    {{- end }}
     service:
-      name: {{ include "cf-service-operator.fullname" . }}-webhook
+      name: {{ include "cf-service-operator.fullname" . }}
       namespace: {{ .Release.Namespace }}
       path: /validate-cf-cs-sap-com-v1alpha1-serviceinstance
   failurePolicy: Fail
@@ -168,8 +256,11 @@ webhooks:
 - admissionReviewVersions:
   - v1
   clientConfig:
+    {{- if not .Values.webhook.certManager.enabled }}
+    caBundle: {{ $caCert }}
+    {{- end }}
     service:
-      name: {{ include "cf-service-operator.fullname" . }}-webhook
+      name: {{ include "cf-service-operator.fullname" . }}
       namespace: {{ .Release.Namespace }}
       path: /validate-cf-cs-sap-com-v1alpha1-space
   failurePolicy: Fail
@@ -185,44 +276,4 @@ webhooks:
     resources:
     - spaces
   sideEffects: None
-  timeoutSeconds: 10
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: {{ include "cf-service-operator.fullname" . }}-webhook
-  labels:
-    {{- include "cf-service-operator.labels" . | nindent 4 }}
-spec:
-  ports:
-    - port: 443
-      protocol: TCP
-      targetPort: 9443
-  selector:
-    {{- include "cf-service-operator.selectorLabels" . | nindent 4 }}
----
-apiVersion: cert-manager.io/v1
-kind: Issuer
-metadata:
-  name: {{ include "cf-service-operator.fullname" . }}
-  labels:
-    {{- include "cf-service-operator.labels" . | nindent 4 }}
-spec:
-  selfSigned: {}
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: {{ include "cf-service-operator.fullname" . }}
-  labels:
-    {{- include "cf-service-operator.labels" . | nindent 4 }}
-spec:
-  dnsNames:
-  - {{ include "cf-service-operator.fullname" . }}-webhook
-  - {{ include "cf-service-operator.fullname" . }}-webhook.{{ .Release.Namespace }}
-  - {{ include "cf-service-operator.fullname" . }}-webhook.{{ .Release.Namespace }}.svc
-  - {{ include "cf-service-operator.fullname" . }}-webhook.{{ .Release.Namespace }}.svc.cluster.local
-  issuerRef:
-    kind: Issuer
-    name: {{ include "cf-service-operator.fullname" . }}
-  secretName: {{ include "cf-service-operator.fullname" . }}-tls
+  timeoutSeconds: 10
diff --git a/chart/values.yaml b/chart/values.yaml
@@ -48,5 +48,16 @@ resources:
     # -- CPU request
     cpu: 0.01
 
-# -- Enable SAP binding metadata (per default, can be overridden by annotation service-operator.cf.cs.sap.com/with-sap-binding-metadata)
+# -- Enable SAP binding metadata (per default, can be overridden by annotation per binding object)
 enableSapBindingMetadata: false
+
+webhook:
+  certManager:
+    # -- Whether to use cert-manager to manage webhook tls
+    enabled: false
+    # -- Issuer group (only relevant if enabled is true; if unset, the default cert-manager group is used)
+    issuerGroup: ""
+    # -- Issuer kind (only relevant if enabled is true; if unset, the default cert-manager type 'Issuer' is used)
+    issuerKind: ""
+    # -- Issuer name (only relevant if enabled is true; if unset, a self-signed issuer is used)
+    issuerName: ""
