k/digitalocean: add a Certificate for snapshot validation webhook

2023-05-16 03:44:24 -04:00 · 2023-05-16 03:44:24 -04:00 · 811bfc4aa3
parent 26c0d26c0c
commit 811bfc4aa3
5 changed files with 89 additions and 34 deletions
--- a/kustomizations/digitalocean/csi-driver/kustomization.yaml
+++ b/kustomizations/digitalocean/csi-driver/kustomization.yaml
@ -4,7 +4,6 @@ namespace: digitalocean-csi
 resources:
 - driver.yaml
 - crds.yaml
- snapshot-validation-webhook.yaml
 - snapshot-controller.yaml
 images:
 - name: k8s.gcr.io/sig-storage/snapshot-validation-webhook:v6.0.1
--- a/kustomizations/digitalocean/csi-driver/webhook/kustomization.yaml
+++ b/kustomizations/digitalocean/csi-driver/webhook/kustomization.yaml
@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- resources.yaml
--- a/kustomizations/digitalocean/csi-driver/webhook/kustomizeconfig.yaml
+++ b/kustomizations/digitalocean/csi-driver/webhook/kustomizeconfig.yaml
@ -0,0 +1,7 @@
+nameReference:
+  - kind: Issuer
+    group: cert-manager.io
+    fieldSpecs:
+      - kind: Certificate
+        group: cert-manager.io
+        path: spec/issuerRef/name
--- a/kustomizations/digitalocean/csi-driver/snapshot-validation-webhook.yaml
+++ b/kustomizations/digitalocean/csi-driver/snapshot-validation-webhook.yaml
@ -16,26 +16,25 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
  name: "validation-webhook.snapshot.storage.k8s.io"
+  annotations:
+    cert-manager.io/inject-ca-from: default/snapshot-validation
 webhooks:
-  - name: "validation-webhook.snapshot.storage.k8s.io"
-    rules:
-      - apiGroups:   ["snapshot.storage.k8s.io"]
-        apiVersions: ["v1", "v1beta1"]
-        operations:  ["CREATE", "UPDATE"]
-        resources:   ["volumesnapshots", "volumesnapshotcontents"]
-        scope:       "*"
-    clientConfig:
-      service:
-        namespace: "kube-system"
-        name: "snapshot-validation-service"
-        path: "/volumesnapshot"
-      # XXX Uncomment and populate the CA bundle field accordingly if a dedicated
-      # CA is to be used.
-      # caBundle: ${CA_BUNDLE}
-    admissionReviewVersions: ["v1", "v1beta1"]
-    sideEffects: None
-    failurePolicy: Fail
-    timeoutSeconds: 5
+- name: "validation-webhook.snapshot.storage.k8s.io"
+  rules:
+  - apiGroups:   ["snapshot.storage.k8s.io"]
+    apiVersions: ["v1", "v1beta1"]
+    operations:  ["CREATE", "UPDATE"]
+    resources:   ["volumesnapshots", "volumesnapshotcontents"]
+    scope:       "*"
+  clientConfig:
+    service:
+      namespace: "kube-system"
+      name: "snapshot-validation-service"
+      path: "/volumesnapshot"
+  admissionReviewVersions: ["v1", "v1beta1"]
+  sideEffects: None
+  failurePolicy: Fail
+  timeoutSeconds: 5

 ---

@ -63,21 +62,20 @@ spec:
    spec:
      serviceAccountName: snapshot-validation
      containers:
-        - name: snapshot-validation
-          image: registry.k8s.io/sig-storage/snapshot-validation-webhook:v6.1.0
-          imagePullPolicy: IfNotPresent
-          args: ['--tls-cert-file=/etc/snapshot-validation-webhook/certs/cert.pem', '--tls-private-key-file=/etc/snapshot-validation-webhook/certs/key.pem']
-          ports:
-            - containerPort: 443
-          volumeMounts:
-            - name: snapshot-validation-webhook-certs
-              mountPath: /etc/snapshot-validation-webhook/certs
-              readOnly: true
-      volumes:
+      - name: snapshot-validation
+        image: registry.k8s.io/sig-storage/snapshot-validation-webhook:v6.1.0
+        imagePullPolicy: IfNotPresent
+        args: ['--tls-cert-file=/etc/snapshot-validation-webhook/certs/tls.crt', '--tls-private-key-file=/etc/snapshot-validation-webhook/certs/tls.key']
+        ports:
+        - containerPort: 443
+        volumeMounts:
        - name: snapshot-validation-webhook-certs
-          secret:
-            # XXX Populate the secret properly with a certificate and key
-            secretName: snapshot-validation-secret
+          mountPath: /etc/snapshot-validation-webhook/certs
+          readOnly: true
+      volumes:
+      - name: snapshot-validation-webhook-certs
+        secret:
+          secretName: snapshot-validation-secret

 ---

@ -126,3 +124,25 @@ roleRef:
  kind: ClusterRole
  name: snapshot-validation
  apiGroup: rbac.authorization.k8s.io
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: selfsigned-issuer
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: snapshot-validation
+spec:
+  dnsNames:
+    - snapshot-validation-service
+    - snapshot-validation-service.default.svc
+  issuerRef:
+    kind: Issuer
+    name: selfsigned-issuer
+  secretName: snapshot-validation-secret
--- a/kustomizations/digitalocean/kustomization.yaml
+++ b/kustomizations/digitalocean/kustomization.yaml
@ -4,5 +4,30 @@ namespace: kube-system
 resources:
 - cloud-controller-manager
 - csi-driver
+- csi-driver/webhook
 generators:
 - secret-generator.yaml
+replacements:
+- source:
+    kind: Certificate
+    fieldPath: metadata.namespace
+  targets:
+  - select:
+      kind: ValidatingWebhookConfiguration
+    fieldPaths:
+    - metadata.annotations.[cert-manager.io/inject-ca-from]
+    options:
+      delimiter: /
+- source:
+    kind: Service
+    fieldPath: metadata.namespace
+    name: snapshot-validation-service
+  targets:
+  - select:
+      kind: Certificate
+      name: snapshot-validation
+    fieldPaths:
+    - spec.dnsNames.1
+    options:
+      delimiter: .
+      index: 1