feat: add cert-manager certificates support (#155)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
kyverno · Oct 27, 2024 · c591306 · c591306
1 parent ca3105a
commit c591306
Show file tree

Hide file tree

Showing 7 changed files with 64 additions and 8 deletions.
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
@@ -79,6 +79,8 @@ jobs:
         run: |
           set -e
           make kind-create-cluster
+          make install-cert-manager
+          make install-cluster-issuer
           make install-kyverno-sidecar-injector
       - name: Run Chainsaw Tests
         run: chainsaw test tests/e2e-test
diff --git a/Makefile b/Makefile
@@ -203,6 +203,23 @@ generate-certs:
         -addext "subjectAltName = DNS:kyverno-sidecar-injector.kyverno.svc" \
         -nodes -newkey rsa:4096 -keyout .certs/tls.key -out .certs/tls.crt 
 
+################
+# CERT MANAGER #
+################
+
+.PHONY: install-cert-manager
+install-cert-manager: ## Install cert-manager
+install-cert-manager: $(HELM)
+	@echo Install cert-manager... >&2
+	@$(HELM) upgrade --install cert-manager --namespace cert-manager --create-namespace --wait --repo https://charts.jetstack.io cert-manager \
+		--set crds.enabled=true
+
+.PHONY: install-cluster-issuer
+install-cluster-issuer: ## Install cert-manager cluster issuer
+install-cluster-issuer:
+	@echo Install cert-manager cluster issuer... >&2
+	@kubectl apply -f manifests/cert-manager/cluster-issuer.yaml
+
 #########
 # ISTIO #
 #########
@@ -221,7 +238,6 @@ install-istio: $(HELM)
 .PHONY: install-kyverno-sidecar-injector
 install-kyverno-sidecar-injector: ## Install kyverno-sidecar-injector chart
 install-kyverno-sidecar-injector: kind-load-image
-install-kyverno-sidecar-injector: generate-certs
 install-kyverno-sidecar-injector: $(HELM)
 	@echo Build kyverno-sidecar-injector dependecy... >&2
 	@$(HELM) dependency build --skip-refresh ./charts/kyverno-sidecar-injector
@@ -230,8 +246,9 @@ install-kyverno-sidecar-injector: $(HELM)
 		--set containers.injector.image.registry=$(KO_REGISTRY) \
 		--set containers.injector.image.repository=$(PACKAGE) \
 		--set containers.injector.image.tag=$(GIT_SHA) \
-		--set-file certificates.static.crt=.certs/tls.crt \
-		--set-file certificates.static.key=.certs/tls.key
+		--set certificates.certManager.issuerRef.name=selfsigned-issuer \
+		--set certificates.certManager.issuerRef.kind=ClusterIssuer \
+		--set certificates.certManager.issuerRef.group=cert-manager.io
 
 .PHONY: install-kyverno-authz-server
 install-kyverno-authz-server: ## Install kyverno-authz-server chart

diff --git a/charts/kyverno-sidecar-injector/templates/certificates/cert-manager/certificate.yaml b/charts/kyverno-sidecar-injector/templates/certificates/cert-manager/certificate.yaml
@@ -0,0 +1,17 @@
+{{- if .Values.certificates.certManager -}}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ template "sidecar-injector.name" . }}
+  namespace: {{ template "kyverno.lib.namespace" . }}
+  labels:
+    {{- include "sidecar-injector.labels" . | nindent 4 }}
+spec:
+  secretName: {{ template "sidecar-injector.name" . }}
+  dnsNames:
+    - {{ printf "%s.%s.svc" (include "sidecar-injector.name" .) (include "kyverno.lib.namespace" .) }}
+  {{- with .Values.certificates.certManager.issuerRef }}
+  issuerRef:
+    {{- tpl (toYaml .) $ | nindent 4 }}
+  {{- end }}
+{{- end }}
diff --git a/...jector/templates/certificates/static.yaml → ...templates/certificates/static/secret.yaml b/...jector/templates/certificates/static.yaml → ...templates/certificates/static/secret.yaml
diff --git a/...ar-injector/templates/webhook/static.yaml → ...o-sidecar-injector/templates/webhook.yaml b/...ar-injector/templates/webhook/static.yaml → ...o-sidecar-injector/templates/webhook.yaml
@@ -1,22 +1,28 @@
-{{- if .Values.certificates.static -}}
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:
   name: {{ template "sidecar-injector.name" . }}
   labels:
     {{- include "sidecar-injector.labels" . | nindent 4 }}
-  {{- with .Values.webhook.annotations }}
+  {{- if (or .Values.certificates.certManager .Values.webhook.annotations) }}
   annotations:
-    {{- toYaml . | nindent 4 }}
+    {{- with .Values.webhook.annotations }}
+    {{- tpl (toYaml .) $ | nindent 4 }}
+    {{- end }}
+    {{- if .Values.certificates.certManager }}
+    cert-manager.io/inject-ca-from: {{ printf "%s/%s" (include "kyverno.lib.namespace" .) (include "sidecar-injector.name" .) }}
+    {{- end }}
   {{- end }}
 webhooks:
-  - name: kyverno-envoy-sidecar.kyverno-envoy-sidecar-injector.svc
+  - name: {{ printf "%s.%s.svc" (include "sidecar-injector.name" .) (include "kyverno.lib.namespace" .) }}
     clientConfig:
       service:
         name: {{ template "sidecar-injector.name" . }}
         namespace: {{ template "kyverno.lib.namespace" . }}
         path: "/mutate"
+      {{- if .Values.certificates.static }}
       caBundle: {{ index .Values.certificates.static.crt | b64enc }}
+      {{- end }}
     failurePolicy: {{ .Values.webhook.failurePolicy }}
     sideEffects: None
     admissionReviewVersions: [ v1 ]
@@ -34,4 +40,3 @@ webhooks:
     namespaceSelector:
       {{- tpl (toYaml .) $ | nindent 6 }}
     {{- end }}
-{{- end }}
diff --git a/charts/kyverno-sidecar-injector/values.yaml b/charts/kyverno-sidecar-injector/values.yaml
@@ -29,6 +29,15 @@ certificates:
 
   # -- Static data to set in certificate secret
   static: {}
+    # crt: ...
+    # key: ...
+
+  # -- Infos for creating certificate with cert manager
+  certManager: {}
+    # issuerRef:
+    #   name: selfsigned-issuer
+    #   kind: ClusterIssuer
+    #   group: cert-manager.io
 
 deployment:
 

diff --git a/manifests/cert-manager/cluster-issuer.yaml b/manifests/cert-manager/cluster-issuer.yaml
@@ -0,0 +1,6 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: selfsigned-issuer
+spec:
+  selfSigned: {}