diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
index 5ea8bf9..5f91331 100644
--- a/.github/workflows/tests.yaml
+++ b/.github/workflows/tests.yaml
@@ -79,6 +79,8 @@ jobs:
         run: |
           set -e
           make kind-create-cluster
+          make install-cert-manager
+          make install-cluster-issuer
           make install-kyverno-sidecar-injector
       - name: Run Chainsaw Tests
         run: chainsaw test tests/e2e-test
diff --git a/Makefile b/Makefile
index 29ac0f5..ed32205 100644
--- a/Makefile
+++ b/Makefile
@@ -203,6 +203,23 @@ generate-certs:
 		-addext "subjectAltName = DNS:kyverno-sidecar-injector.kyverno.svc" \
 		-nodes -newkey rsa:4096 -keyout .certs/tls.key -out .certs/tls.crt
 
+################
+# CERT MANAGER #
+################
+
+.PHONY: install-cert-manager
+install-cert-manager: ## Install cert-manager
+install-cert-manager: $(HELM)
+	@echo Install cert-manager... >&2
+	@$(HELM) upgrade --install cert-manager --namespace cert-manager --create-namespace --wait --repo https://charts.jetstack.io cert-manager \
+		--set crds.enabled=true
+
+.PHONY: install-cluster-issuer
+install-cluster-issuer: ## Install cert-manager cluster issuer
+install-cluster-issuer:
+	@echo Install cert-manager cluster issuer... >&2
+	@kubectl apply -f manifests/cert-manager/cluster-issuer.yaml
+
 #########
 # ISTIO #
 #########
@@ -221,7 +238,6 @@ install-istio: $(HELM)
 .PHONY: install-kyverno-sidecar-injector
 install-kyverno-sidecar-injector: ## Install kyverno-sidecar-injector chart
 install-kyverno-sidecar-injector: kind-load-image
-install-kyverno-sidecar-injector: generate-certs
 install-kyverno-sidecar-injector: $(HELM)
 	@echo Build kyverno-sidecar-injector dependecy... >&2
 	@$(HELM) dependency build --skip-refresh ./charts/kyverno-sidecar-injector
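Review bot: The e2e job now exercises only the cert-manager path; the static-certificate path (`certificates.static`, previously wired through `generate-certs` and `--set-file`) is no longer installed in any CI run, so a regression in `static/secret.yaml` or in the `caBundle` branch of `webhook.yaml` would go unnoticed. Consider a second job, or a second install variant, that keeps the `generate-certs` + `--set-file` configuration (the `generate-certs` target itself is still in the Makefile). The step also starts `chainsaw test` right after the installers return; cainjector fills `caBundle` asynchronously, so unless the tests already wait for the webhook to be usable, a readiness step such as `kubectl wait --for=condition=Ready certificate/<injector-cert-name> -n <namespace>` before the test step avoids flakes.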
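Review bot: `install-cert-manager` pulls an unpinned chart — `--repo https://charts.jetstack.io cert-manager` with no `--version` — so each run installs whatever jetstack publishes that day, which makes e2e failures non-reproducible and lets an upstream chart change land without anyone choosing it. Add a tunable knob (presumably next to however `$(HELM)` and the other tools are versioned) and pass it on the upgrade line: `CERT_MANAGER_VERSION ?= <version validated locally>` and `--version $(CERT_MANAGER_VERSION)`. `install-cluster-issuer` also has no prerequisite on `install-cert-manager` even though the `ClusterIssuer` CRD it applies cannot exist before cert-manager is installed, and it shells out to bare `kubectl` while the sibling target goes through `$(HELM)`; `install-cluster-issuer: install-cert-manager` makes the target usable on its own.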
@@ -230,8 +246,9 @@ install-kyverno-sidecar-injector: $(HELM)
 		--set containers.injector.image.registry=$(KO_REGISTRY) \
 		--set containers.injector.image.repository=$(PACKAGE) \
 		--set containers.injector.image.tag=$(GIT_SHA) \
-		--set-file certificates.static.crt=.certs/tls.crt \
-		--set-file certificates.static.key=.certs/tls.key
+		--set certificates.certManager.issuerRef.name=selfsigned-issuer \
+		--set certificates.certManager.issuerRef.kind=ClusterIssuer \
+		--set certificates.certManager.issuerRef.group=cert-manager.io
 
 .PHONY: install-kyverno-authz-server
 install-kyverno-authz-server: ## Install kyverno-authz-server chart
diff --git a/charts/kyverno-sidecar-injector/templates/certificates/cert-manager/certificate.yaml b/charts/kyverno-sidecar-injector/templates/certificates/cert-manager/certificate.yaml
new file mode 100644
index 0000000..ffd843a
--- /dev/null
+++ b/charts/kyverno-sidecar-injector/templates/certificates/cert-manager/certificate.yaml
@@ -0,0 +1,17 @@
+{{- if .Values.certificates.certManager -}}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ template "sidecar-injector.name" . }}
+  namespace: {{ template "kyverno.lib.namespace" . }}
+  labels:
+    {{- include "sidecar-injector.labels" . | nindent 4 }}
+spec:
+  secretName: {{ template "sidecar-injector.name" . }}
+  dnsNames:
+    - {{ printf "%s.%s.svc" (include "sidecar-injector.name" .) (include "kyverno.lib.namespace" .) }}
+  {{- with .Values.certificates.certManager.issuerRef }}
+  issuerRef:
+    {{- tpl (toYaml .) $ | nindent 4 }}
+  {{- end }}
+{{- end }}
diff --git a/charts/kyverno-sidecar-injector/templates/certificates/static.yaml b/charts/kyverno-sidecar-injector/templates/certificates/static/secret.yaml
similarity index 100%
rename from charts/kyverno-sidecar-injector/templates/certificates/static.yaml
rename to charts/kyverno-sidecar-injector/templates/certificates/static/secret.yaml
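Review bot: When `certificates.certManager` is non-empty but carries no `issuerRef` (any stray key makes the outer `if` true), the trailing `with` block silently omits `issuerRef`, and the rendered Certificate is rejected by cert-manager at apply time instead of failing at template time; make it a template error: `{{- with (required "certificates.certManager.issuerRef must be set" .Values.certificates.certManager.issuerRef) }}`. The Certificate also has no `privateKey` section, so cert-manager's default reuses the existing private key on every renewal; adding `privateKey:` / `rotationPolicy: Always` under `spec` gives a fresh key per renewal. Nothing here documents that `secretName` must match the Secret the injector deployment presumably mounts (same name as the old static Secret, I assume) — a one-line comment above `secretName` stating that contract would help the next maintainer.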
diff --git a/charts/kyverno-sidecar-injector/templates/webhook/static.yaml b/charts/kyverno-sidecar-injector/templates/webhook.yaml
similarity index 65%
rename from charts/kyverno-sidecar-injector/templates/webhook/static.yaml
rename to charts/kyverno-sidecar-injector/templates/webhook.yaml
index 12358c4..cb5c8a0 100644
--- a/charts/kyverno-sidecar-injector/templates/webhook/static.yaml
+++ b/charts/kyverno-sidecar-injector/templates/webhook.yaml
@@ -1,22 +1,28 @@
-{{- if .Values.certificates.static -}}
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:
   name: {{ template "sidecar-injector.name" . }}
   labels:
     {{- include "sidecar-injector.labels" . | nindent 4 }}
-  {{- with .Values.webhook.annotations }}
+  {{- if (or .Values.certificates.certManager .Values.webhook.annotations) }}
   annotations:
-    {{- toYaml . | nindent 4 }}
+    {{- with .Values.webhook.annotations }}
+    {{- tpl (toYaml .) $ | nindent 4 }}
+    {{- end }}
+    {{- if .Values.certificates.certManager }}
+    cert-manager.io/inject-ca-from: {{ printf "%s/%s" (include "kyverno.lib.namespace" .) (include "sidecar-injector.name" .) }}
+    {{- end }}
   {{- end }}
 webhooks:
-  - name: kyverno-envoy-sidecar.kyverno-envoy-sidecar-injector.svc
+  - name: {{ printf "%s.%s.svc" (include "sidecar-injector.name" .) (include "kyverno.lib.namespace" .) }}
     clientConfig:
       service:
         name: {{ template "sidecar-injector.name" . }}
         namespace: {{ template "kyverno.lib.namespace" . }}
         path: "/mutate"
+      {{- if .Values.certificates.static }}
       caBundle: {{ index .Values.certificates.static.crt | b64enc }}
+      {{- end }}
     failurePolicy: {{ .Values.webhook.failurePolicy }}
     sideEffects: None
     admissionReviewVersions: [ v1 ]
@@ -34,4 +40,3 @@ webhooks:
       namespaceSelector:
         {{- tpl (toYaml .) $ | nindent 6 }}
       {{- end }}
-{{- end }}
diff --git a/charts/kyverno-sidecar-injector/values.yaml b/charts/kyverno-sidecar-injector/values.yaml
index 60b31b4..f7795bc 100644
--- a/charts/kyverno-sidecar-injector/values.yaml
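Review bot: With the outer `{{- if .Values.certificates.static -}}` guard removed, a release that sets neither `certificates.static` nor `certificates.certManager` (both default to `{}`) now renders a MutatingWebhookConfiguration with no `caBundle` and no `inject-ca-from` annotation, so the API server has no CA to verify the injector's serving certificate and every admission call fails TLS — with `failurePolicy` `Fail` that blocks pod creation in matched namespaces, with `Ignore` injection is silently skipped. Fail at template time instead, at the top of the file: `{{- if not (or .Values.certificates.static .Values.certificates.certManager) }}{{- fail "set either certificates.static or certificates.certManager" }}{{- end }}`. When both are set, the static `caBundle` is rendered and the annotation then lets cainjector overwrite it with the cert-manager CA; a mutual-exclusion check, or a comment stating which one wins, avoids a confusing mismatch. The second hunk of this file only drops the matching `{{- end }}`.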
+++ b/charts/kyverno-sidecar-injector/values.yaml
@@ -29,6 +29,15 @@ certificates:
 
   # -- Static data to set in certificate secret
   static: {}
+  # crt: ...
+  # key: ...
+
+  # -- Infos for creating certificate with cert manager
+  certManager: {}
+  # issuerRef:
+  #   name: selfsigned-issuer
+  #   kind: ClusterIssuer
+  #   group: cert-manager.io
 
 deployment:
 
diff --git a/manifests/cert-manager/cluster-issuer.yaml b/manifests/cert-manager/cluster-issuer.yaml
new file mode 100644
index 0000000..56366fa
--- /dev/null
+++ b/manifests/cert-manager/cluster-issuer.yaml
@@ -0,0 +1,6 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: selfsigned-issuer
+spec:
+  selfSigned: {}
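Review bot: The new comments show the shape of `certManager` but not the contract between the two blocks: exactly one of `static` or `certManager` should be set, and `certManager` without `issuerRef` renders a Certificate that cert-manager rejects. Suggest a comment above `static` along the lines of `# -- Webhook certificates: set exactly one of 'static' (bring your own cert/key) or 'certManager' (cert-manager issues the certificate and injects the CA into the webhook); certManager.issuerRef is required when certManager is used.` The `# crt: ...` example could also say that `crt` is the PEM certificate content — the webhook template base64-encodes it into `caBundle` — not a file path.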
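Review bot: `manifests/cert-manager/cluster-issuer.yaml` has no comment marking it as a development fixture; a `selfSigned` ClusterIssuer is cluster-scoped, and the new `install-cluster-issuer` Makefile target applies it with bare `kubectl` against whatever context is current. Add a header so nobody reuses it outside the kind/e2e setup: `# Self-signed ClusterIssuer for the local kind/e2e environment (make install-cluster-issuer); not intended for shared clusters.`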