Use cert-manager if USE_CERTMANAGER=true
Signed-off-by: ruromero <[email protected]>
ruromero committed Nov 2, 2022
1 parent b0ef5dc commit 32874cc
Showing 10 changed files with 109 additions and 55 deletions.
18 changes: 9 additions & 9 deletions Makefile
Expand Up @@ -93,18 +93,18 @@ help: ## Display this help.
##@ Development

manifests: controller-gen kustomize
ifeq ($(ENABLE_WEBHOOKS),true)
## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects.
## v2alpha3, v2alpha4 and v2alpha3 requires allowDangerousTypes=true because they use float32 type
cd config/manager && $(KUSTOMIZE) edit add resource webhook_secret.yaml
$(CONTROLLER_GEN) rbac:roleName=$(OPERATOR_CLUSTER_ROLE_NAME) crd:allowDangerousTypes=true webhook paths="./..." output:crd:artifacts:config=config/crd/bases
find config -type f -exec sed -i -e '/creationTimestamp/d' {} \;
else
ifeq ($(USE_CERTMANAGER),true)
## Generate ClusterRole and CustomResourceDefinition objects.
## v2alpha3, v2alpha4 and v2alpha3 requires allowDangerousTypes=true because they use float32 type
cd config/manager && $(KUSTOMIZE) edit remove resource webhook_secret.yaml
$(CONTROLLER_GEN) rbac:roleName=$(OPERATOR_CLUSTER_ROLE_NAME) crd:allowDangerousTypes=true paths="./..." output:crd:artifacts:config=config/crd/bases
find config -type f -exec sed -i -e '/creationTimestamp/d' {} \;
else
## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects.
## v2alpha3, v2alpha4 and v2alpha3 requires allowDangerousTypes=true because they use float32 type
cd config/manager && $(KUSTOMIZE) edit add resource webhook_secret.yaml
$(CONTROLLER_GEN) rbac:roleName=$(OPERATOR_CLUSTER_ROLE_NAME) crd:allowDangerousTypes=true webhook paths="./..." output:crd:artifacts:config=config/crd/bases
find config -type f -exec sed -i -e '/creationTimestamp/d' {} \;
endif

generate: controller-gen ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations.
Expand All @@ -120,10 +120,10 @@ test: manifests generate fmt vet envtest ## Run tests.
KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) -p path)" go test ./... $(TEST_ARGS) -ginkgo.fail-fast -coverprofile cover.out

test-mk: manifests generate fmt vet envtest ## Run tests against minikube with local operator.
USE_EXISTING_CLUSTER=true ENABLE_WEBHOOKS=false go test ./... $(TEST_ARGS) -test.timeout=30m -ginkgo.slow-spec-threshold=30s -ginkgo.fail-fast -coverprofile cover-mk.out
USE_EXISTING_CLUSTER=true go test ./... $(TEST_ARGS) -test.timeout=30m -ginkgo.slow-spec-threshold=30s -ginkgo.fail-fast -coverprofile cover-mk.out

test-mk-do: manifests generate fmt vet envtest generate-deploy ## Run tests against minikube with deployed operator(do)
DEPLOY_OPERATOR=true USE_EXISTING_CLUSTER=true ENABLE_WEBHOOKS=false go test ./controllers/... -test.timeout=30m -ginkgo.slow-spec-threshold=30s -ginkgo.fail-fast -ginkgo.v -ginkgo.label-filter="do"
DEPLOY_OPERATOR=true USE_EXISTING_CLUSTER=true go test ./controllers/... -test.timeout=30m -ginkgo.slow-spec-threshold=30s -ginkgo.fail-fast -ginkgo.v -ginkgo.label-filter="do"

##@ Build

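Review bot: In the first hunk the `USE_CERTMANAGER=true` branch of `manifests` drops the `webhook` generator from the `$(CONTROLLER_GEN)` call, so on the cert-manager path the manifests under config/webhook are never regenerated from the kubebuilder markers even though config/default still pulls in `../webhook`; if relying on the checked-in webhook manifests is intended, say so with `## cert-manager path: webhook manifests are not regenerated, CA injection patches the checked-in ones`, otherwise keep `webhook` in both branches. The same hunk replaces the `ENABLE_WEBHOOKS` conditional outright, so `ENABLE_WEBHOOKS=false` no longer removes webhook_secret.yaml or skips webhook generation, and any caller still passing it (the second hunk removes it only from test-mk and test-mk-do) now silently gets the webhook branch. Because the `ifeq` is evaluated at parse time, the variable must come from the command line or environment; a `USE_CERTMANAGER ?= false` with a `##` help line near the other knobs (outside this hunk) would make the default explicit.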
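--- a/README.md
+++ b/README.md
@@ -26,3 +26,34 @@ Install delve in the `builder` container, i.e. `RUN go install github.com/go-del
 Disable build optimization, i.e. `go build -gcflags="all=-N -l"`
 Copy delve to the `base-env` container, i.e. `COPY --from=builder /go/bin/dlv /bin`
 Execute operator using delve, i.e. `/bin/dlv exec --listen=0.0.0.0:40000 --headless=true --api-version=2 --accept-multiclient ${OPERATOR} $@`
+
+## Using cert-manager
+
+In case that you want to leverage the cert-manager operator for creating the Webhook certificates, you
+must have the operator installed on your cluster. Refer to the [cert-manager installation instructions](https://cert-manager.io/docs/installation/).
+
+Then use the `USE_CERTMANAGER=true` flag during the local deployment.
+
+```bash
+make deploy USE_CERTMANAGER=true
+```
+
+Then check that the volume is properly mounted:
+
+```bash
+$ kubectl get deployment -n activemq-artemis-operator activemq-artemis-controller-manager -oyaml | yq .spec.template.spec.volumes
+- name: cert
+secret:
+defaultMode: 420
+secretName: webhook-server-cert
+```
+
+By default a self-signed certificate is created and used instead:
+
+```bash
+$ kubectl get deployment -n activemq-artemis-operator activemq-artemis-controller-manager -oyaml | yq .spec.template.spec.volumes
+- name: cert
+secret:
+defaultMode: 420
+secretName: activemq-artemis-webhook-server-cert
+```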
2 changes: 1 addition & 1 deletion config/crd/kustomization.yaml
Expand Up @@ -19,7 +19,7 @@ patchesStrategicMerge:

# [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix.
# patches here are for enabling the CA injection for each CRD
# - patches/cainjection_in_activemqartemises.yaml
- patches/cainjection_in_activemqartemises.yaml
# - patches/cainjection_in_activemqartemisaddresses.yaml
# - patches/cainjection_in_activemqartemisscaledowns.yaml
# - patches/cainjection_in_activemqartemissecurities.yaml
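Review bot: Only `patches/cainjection_in_activemqartemises.yaml` is enabled here while the three sibling cainjection patches on the following lines stay commented out, which is correct only if those CRDs serve no conversion webhook; nothing on the page confirms that, so it should be stated. The `# [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix.` comment directly above now contradicts the enabled line beneath it and invites someone to "finish the job" by uncommenting the rest. Suggest replacing it with `# [CERTMANAGER] CA injection is enabled only for activemqartemises; the other CRDs have no conversion webhook (confirm before enabling their patches)`.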
58 changes: 29 additions & 29 deletions config/default/kustomization.yaml
Expand Up @@ -20,7 +20,7 @@ bases:
# crd/kustomization.yaml
- ../webhook
# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. 'WEBHOOK' components are required.
# - ../certmanager
- ../certmanager
# [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
#- ../prometheus

Expand All @@ -41,34 +41,34 @@ patchesStrategicMerge:
# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'.
# Uncomment 'CERTMANAGER' sections in crd/kustomization.yaml to enable the CA injection in the admission webhooks.
# 'CERTMANAGER' needs to be enabled to use ca injection
# - webhookcainjection_patch.yaml
- webhookcainjection_patch.yaml

# the following config is for teaching kustomize how to do var substitution
# vars:
vars:
# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix.
# - name: CERTIFICATE_NAMESPACE # namespace of the certificate CR
# objref:
# kind: Certificate
# group: cert-manager.io
# version: v1
# name: serving-cert # this name should match the one in certificate.yaml
# fieldref:
# fieldpath: metadata.namespace
# - name: CERTIFICATE_NAME
# objref:
# kind: Certificate
# group: cert-manager.io
# version: v1
# name: serving-cert # this name should match the one in certificate.yaml
# - name: SERVICE_NAMESPACE # namespace of the service
# objref:
# kind: Service
# version: v1
# name: webhook-service
# fieldref:
# fieldpath: metadata.namespace
# - name: SERVICE_NAME
# objref:
# kind: Service
# version: v1
# name: webhook-service
- name: CERTIFICATE_NAMESPACE # namespace of the certificate CR
objref:
kind: Certificate
group: cert-manager.io
version: v1
name: serving-cert # this name should match the one in certificate.yaml
fieldref:
fieldpath: metadata.namespace
- name: CERTIFICATE_NAME
objref:
kind: Certificate
group: cert-manager.io
version: v1
name: serving-cert # this name should match the one in certificate.yaml
- name: SERVICE_NAMESPACE # namespace of the service
objref:
kind: Service
version: v1
name: webhook-service
fieldref:
fieldpath: metadata.namespace
- name: SERVICE_NAME
objref:
kind: Service
version: v1
name: webhook-service
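Review bot: The `../certmanager` base, `webhookcainjection_patch.yaml` and the `vars:` block are now enabled unconditionally in this file, yet the comments kept beside them (`# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'...` at the head of both hunks, and `# vars:` just above the live `vars:` key) still describe an opt-in that has to be uncommented, which misleads the next reader into thinking cert-manager is off by default. Rephrase them to describe the new state, e.g. `# [CERTMANAGER] cert-manager resources are always rendered from this directory; the Makefile selects the self-signed path unless USE_CERTMANAGER=true`, and drop the dead `# vars:` line. Since config/manifests/kustomization.yaml states that OLM does not support cert-manager, it is worth confirming that the OLM bundle does not build on this directory and pick up the Certificate/Issuer resources; that relationship is not visible in the hunk.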
32 changes: 16 additions & 16 deletions config/manifests/kustomization.yaml
Expand Up @@ -9,19 +9,19 @@ resources:
# [WEBHOOK] To enable webhooks, uncomment all the sections with [WEBHOOK] prefix.
# Do NOT uncomment sections with prefix [CERTMANAGER], as OLM does not support cert-manager.
# These patches remove the unnecessary "cert" volume and its manager container volumeMount.
# patchesJson6902:
# - target:
# group: apps
# version: v1
# kind: Deployment
# name: controller-manager
# namespace: system
# patch: |-
# # Remove the manager container's "cert" volumeMount, since OLM will create and mount a set of certs.
# # Update the indices in this path if adding or removing containers/volumeMounts in the manager's Deployment.
# - op: remove
# path: /spec/template/spec/containers/1/volumeMounts/0
# # Remove the "cert" volume, since OLM will create and mount a set of certs.
# # Update the indices in this path if adding or removing volumes in the manager's Deployment.
# - op: remove
# path: /spec/template/spec/volumes/0
patchesJson6902:
- target:
group: apps
version: v1
kind: Deployment
name: controller-manager
namespace: system
patch: |-
# Remove the manager container's "cert" volumeMount, since OLM will create and mount a set of certs.
# Update the indices in this path if adding or removing containers/volumeMounts in the manager's Deployment.
- op: remove
path: /spec/template/spec/containers/1/volumeMounts/0
# Remove the "cert" volume, since OLM will create and mount a set of certs.
# Update the indices in this path if adding or removing volumes in the manager's Deployment.
- op: remove
path: /spec/template/spec/volumes/0
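Review bot: The two `remove` operations in the now-active `patchesJson6902` block address the cert volumeMount and volume purely by index (`/containers/1/volumeMounts/0`, `/volumes/0`); if the manager Deployment's container or volume order ever changes, the patch silently strips a different entry and the OLM bundle ships a Deployment with the wrong mount removed and the cert volume still present. Guarding each removal with an RFC 6902 `test` op on the entry's `name` makes a reordering fail the kustomize build instead of producing a wrong manifest. The volume is named `cert` per the surrounding comment and the README, and a volumeMount must reference its volume by that same name, so `cert` is the value to test for.
```yaml
  patch: |-
    # Fail the build instead of removing the wrong entry if index 0 is no longer the "cert" mount/volume.
    - op: test
      path: /spec/template/spec/containers/1/volumeMounts/0/name
      value: cert
    - op: remove
      path: /spec/template/spec/containers/1/volumeMounts/0
    - op: test
      path: /spec/template/spec/volumes/0/name
      value: cert
    - op: remove
      path: /spec/template/spec/volumes/0
```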
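--- /dev/null
+++ b/deploy/Certificate_activemq-artemis-serving-cert.yaml
@@ -0,0 +1,12 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+name: activemq-artemis-serving-cert
+spec:
+dnsNames:
+- activemq-artemis-webhook-service.activemq-artemis-operator.svc
+- activemq-artemis-webhook-service.activemq-artemis-operator.svc.cluster.local
+issuerRef:
+kind: Issuer
+name: activemq-artemis-selfsigned-issuer
+secretName: webhook-server-cert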
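Review bot: The Certificate carries no `metadata.namespace`, while the `cert-manager.io/inject-ca-from` annotations added to the webhook configurations and the broker CRD reference `activemq-artemis-operator/activemq-artemis-serving-cert`; if deploy/ is applied into any other namespace (or without `-n`), cainjector never finds the Certificate, `caBundle` stays empty and the API server cannot verify the webhook's TLS, failing every admission call. Either add `namespace: activemq-artemis-operator` here and in `deploy/Issuer_activemq-artemis-selfsigned-issuer.yaml` (an `Issuer`, unlike a `ClusterIssuer`, is namespaced and must live alongside the Certificate), or document the required namespace next to the `make deploy USE_CERTMANAGER=true` instructions. If these files are emitted by the `generate-deploy` target seen in the Makefile hunk, the fix belongs in that generator rather than in the checked-in output. The `secretName: webhook-server-cert` also differs from the self-signed default `activemq-artemis-webhook-server-cert` shown in the README; a one-line comment explaining that the two modes intentionally use different Secrets would stop someone from unifying the names.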
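--- /dev/null
+++ b/deploy/Issuer_activemq-artemis-selfsigned-issuer.yaml
@@ -0,0 +1,6 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+name: activemq-artemis-selfsigned-issuer
+spec:
+selfSigned: {}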
@@ -1,6 +1,8 @@
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
annotations:
cert-manager.io/inject-ca-from: activemq-artemis-operator/activemq-artemis-serving-cert
name: activemq-artemis-mutating-webhook-configuration
webhooks:
- admissionReviewVersions:
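Review bot: The `cert-manager.io/inject-ca-from` annotation is added to this MutatingWebhookConfiguration unconditionally (the same applies to the ValidatingWebhookConfiguration and `deploy/crds/broker_activemqartemis_crd.yaml` further down), although cert-manager is opt-in via `USE_CERTMANAGER` in the Makefile. When cert-manager is absent the annotation is inert, but on a cluster that has cert-manager installed while the default self-signed path is used, whatever populates `caBundle` on that path (not visible here) and cainjector could both claim the field; that interaction should be confirmed and recorded with a comment such as `# cainjector only acts when the referenced Certificate exists (USE_CERTMANAGER=true); inert otherwise`. The page does not show this section's file path, so the note is placed by resource kind.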
@@ -1,6 +1,8 @@
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
annotations:
cert-manager.io/inject-ca-from: activemq-artemis-operator/activemq-artemis-serving-cert
name: activemq-artemis-validating-webhook-configuration
webhooks:
- admissionReviewVersions:
1 change: 1 addition & 0 deletions deploy/crds/broker_activemqartemis_crd.yaml
Expand Up @@ -2,6 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
cert-manager.io/inject-ca-from: activemq-artemis-operator/activemq-artemis-serving-cert
controller-gen.kubebuilder.io/version: v0.7.0
name: activemqartemises.broker.amq.io
spec:
