Skip to content

Commit

Permalink
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
create custom noop pinax webhook
Browse files Browse the repository at this point in the history
gcleroux committed Sep 12, 2024
1 parent 0dcb653 commit 9bd2b10
Showing 27 changed files with 283 additions and 607 deletions.
54 changes: 54 additions & 0 deletions .github/workflows/docker-publish.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,54 @@
name: Publish docker images

on:
push:
branches:
- "main"
tags:
- "v*"
pull_request:
branches:
- "main"

env:
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}

jobs:
docker-publish:
runs-on: ubuntu-latest

permissions:
contents: read
packages: write

outputs:
tags: ${{ steps.meta.outputs.tags }}

steps:
- uses: actions/checkout@v4

- name: Log in to the Container registry
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Generate docker tags/labels from github build context
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: |
type=ref,event=branch
type=ref,event=pr
type=semver,pattern=v{{version}}
- name: Build and push Docker image
uses: docker/build-push-action@v5
with:
context: .
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
40 changes: 40 additions & 0 deletions .github/workflows/helm-publish.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
name: Publish helm chart
permissions: read-all
on:
push:
tags:
- "v*"

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

jobs:
publish-helm-oci:
runs-on: ubuntu-latest
permissions:
contents: write
id-token: write
packages: write
outputs:
chart-digest: ${{ steps.helm_publish.outputs.digest }}
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: "Extract Version"
id: extract_version
run: |
GIT_TAG=${GITHUB_REF##*/}
VERSION=${GIT_TAG##*v}
echo "version=$(echo $VERSION)" >> $GITHUB_OUTPUT
- name: Helm | Publish
id: helm_publish
uses: peak-scale/github-actions/helm-oci-chart@38322faabccd75abfa581c435e367d446b6d2c3b # v0.1.0
with:
registry: ghcr.io
repository: ${{ github.repository_owner }}/charts
name: "cert-manager-webhook-pinax"
version: ${{ steps.extract_version.outputs.version }}
app-version: ${{ steps.extract_version.outputs.version }}
registry-username: ${{ github.actor }}
registry-password: ${{ secrets.GITHUB_TOKEN }}
update-dependencies: "true" # Defaults to false
8 changes: 4 additions & 4 deletions Makefile
Original file line number Diff line number Diff line change
@@ -2,14 +2,14 @@ GO ?= $(shell which go)
OS ?= $(shell $(GO) env GOOS)
ARCH ?= $(shell $(GO) env GOARCH)

IMAGE_NAME := "webhook"
IMAGE_NAME := "localhost:5000/cert-manager-webhook-pinax"
IMAGE_TAG := "latest"

OUT := $(shell pwd)/_out

KUBEBUILDER_VERSION=1.28.0

HELM_FILES := $(shell find deploy/example-webhook)
HELM_FILES := $(shell find deploy/cert-manager-webhook-pinax)

test: _test/kubebuilder-$(KUBEBUILDER_VERSION)-$(OS)-$(ARCH)/etcd _test/kubebuilder-$(KUBEBUILDER_VERSION)-$(OS)-$(ARCH)/kube-apiserver _test/kubebuilder-$(KUBEBUILDER_VERSION)-$(OS)-$(ARCH)/kubectl
TEST_ASSET_ETCD=_test/kubebuilder-$(KUBEBUILDER_VERSION)-$(OS)-$(ARCH)/etcd \
@@ -36,10 +36,10 @@ rendered-manifest.yaml: $(OUT)/rendered-manifest.yaml

$(OUT)/rendered-manifest.yaml: $(HELM_FILES) | $(OUT)
helm template \
--name example-webhook \
--name cert-manager-webhook-pinax \
--set image.repository=$(IMAGE_NAME) \
--set image.tag=$(IMAGE_TAG) \
deploy/example-webhook > $@
deploy/cert-manager-webhook-pinax > $@

_test $(OUT) _test/kubebuilder-$(KUBEBUILDER_VERSION)-$(OS)-$(ARCH):
mkdir -p $@
16 changes: 0 additions & 16 deletions OWNERS

This file was deleted.

File renamed without changes.
5 changes: 5 additions & 0 deletions charts/cert-manager-webhook-pinax/Chart.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
apiVersion: v1
appVersion: "1.0"
description: A Helm chart for the custom Pinax's cert-manager webhook
name: cert-manager-webhook-pinax
version: 0.1.0
File renamed without changes.
Original file line number Diff line number Diff line change
@@ -2,7 +2,7 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "example-webhook.name" -}}
{{- define "cert-manager-webhook-pinax.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}

@@ -11,7 +11,7 @@ Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "example-webhook.fullname" -}}
{{- define "cert-manager-webhook-pinax.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
@@ -27,22 +27,22 @@ If release name contains chart name it will be used as a full name.
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "example-webhook.chart" -}}
{{- define "cert-manager-webhook-pinax.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}

{{- define "example-webhook.selfSignedIssuer" -}}
{{ printf "%s-selfsign" (include "example-webhook.fullname" .) }}
{{- define "cert-manager-webhook-pinax.selfSignedIssuer" -}}
{{ printf "%s-selfsign" (include "cert-manager-webhook-pinax.fullname" .) }}
{{- end -}}

{{- define "example-webhook.rootCAIssuer" -}}
{{ printf "%s-ca" (include "example-webhook.fullname" .) }}
{{- define "cert-manager-webhook-pinax.rootCAIssuer" -}}
{{ printf "%s-ca" (include "cert-manager-webhook-pinax.fullname" .) }}
{{- end -}}

{{- define "example-webhook.rootCACertificate" -}}
{{ printf "%s-ca" (include "example-webhook.fullname" .) }}
{{- define "cert-manager-webhook-pinax.rootCACertificate" -}}
{{ printf "%s-ca" (include "cert-manager-webhook-pinax.fullname" .) }}
{{- end -}}

{{- define "example-webhook.servingCertificate" -}}
{{ printf "%s-webhook-tls" (include "example-webhook.fullname" .) }}
{{- define "cert-manager-webhook-pinax.servingCertificate" -}}
{{ printf "%s-webhook-tls" (include "cert-manager-webhook-pinax.fullname" .) }}
{{- end -}}
Original file line number Diff line number Diff line change
@@ -3,17 +3,17 @@ kind: APIService
metadata:
name: v1alpha1.{{ .Values.groupName }}
labels:
app: {{ include "example-webhook.name" . }}
chart: {{ include "example-webhook.chart" . }}
app: {{ include "cert-manager-webhook-pinax.name" . }}
chart: {{ include "cert-manager-webhook-pinax.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
annotations:
cert-manager.io/inject-ca-from: "{{ .Release.Namespace }}/{{ include "example-webhook.servingCertificate" . }}"
cert-manager.io/inject-ca-from: "{{ .Release.Namespace }}/{{ include "cert-manager-webhook-pinax.servingCertificate" . }}"
spec:
group: {{ .Values.groupName }}
groupPriorityMinimum: 1000
versionPriority: 15
service:
name: {{ include "example-webhook.fullname" . }}
name: {{ include "cert-manager-webhook-pinax.fullname" . }}
namespace: {{ .Release.Namespace }}
version: v1alpha1
Original file line number Diff line number Diff line change
@@ -1,26 +1,26 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "example-webhook.fullname" . }}
name: {{ include "cert-manager-webhook-pinax.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
app: {{ include "example-webhook.name" . }}
chart: {{ include "example-webhook.chart" . }}
app: {{ include "cert-manager-webhook-pinax.name" . }}
chart: {{ include "cert-manager-webhook-pinax.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
app: {{ include "example-webhook.name" . }}
app: {{ include "cert-manager-webhook-pinax.name" . }}
release: {{ .Release.Name }}
template:
metadata:
labels:
app: {{ include "example-webhook.name" . }}
app: {{ include "cert-manager-webhook-pinax.name" . }}
release: {{ .Release.Name }}
spec:
serviceAccountName: {{ include "example-webhook.fullname" . }}
serviceAccountName: {{ include "cert-manager-webhook-pinax.fullname" . }}
containers:
- name: {{ .Chart.Name }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
@@ -54,7 +54,7 @@ spec:
volumes:
- name: certs
secret:
secretName: {{ include "example-webhook.servingCertificate" . }}
secretName: {{ include "cert-manager-webhook-pinax.servingCertificate" . }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{ toYaml . | indent 8 }}
76 changes: 76 additions & 0 deletions charts/cert-manager-webhook-pinax/templates/pki.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,76 @@
---
# Create a selfsigned Issuer, in order to create a root CA certificate for
# signing webhook serving certificates
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: {{ include "cert-manager-webhook-pinax.selfSignedIssuer" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
app: {{ include "cert-manager-webhook-pinax.name" . }}
chart: {{ include "cert-manager-webhook-pinax.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
selfSigned: {}

---

# Generate a CA Certificate used to sign certificates for the webhook
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: {{ include "cert-manager-webhook-pinax.rootCACertificate" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
app: {{ include "cert-manager-webhook-pinax.name" . }}
chart: {{ include "cert-manager-webhook-pinax.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
secretName: {{ include "cert-manager-webhook-pinax.rootCACertificate" . }}
duration: 43800h # 5y
issuerRef:
name: {{ include "cert-manager-webhook-pinax.selfSignedIssuer" . }}
commonName: "ca.cert-manager-webhook-pinax.cert-manager"
isCA: true

---

# Create an Issuer that uses the above generated CA certificate to issue certs
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: {{ include "cert-manager-webhook-pinax.rootCAIssuer" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
app: {{ include "cert-manager-webhook-pinax.name" . }}
chart: {{ include "cert-manager-webhook-pinax.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
ca:
secretName: {{ include "cert-manager-webhook-pinax.rootCACertificate" . }}

---

# Finally, generate a serving certificate for the webhook to use
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: {{ include "cert-manager-webhook-pinax.servingCertificate" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
app: {{ include "cert-manager-webhook-pinax.name" . }}
chart: {{ include "cert-manager-webhook-pinax.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
secretName: {{ include "cert-manager-webhook-pinax.servingCertificate" . }}
duration: 8760h # 1y
issuerRef:
name: {{ include "cert-manager-webhook-pinax.rootCAIssuer" . }}
dnsNames:
- {{ include "cert-manager-webhook-pinax.fullname" . }}
- {{ include "cert-manager-webhook-pinax.fullname" . }}.{{ .Release.Namespace }}
- {{ include "cert-manager-webhook-pinax.fullname" . }}.{{ .Release.Namespace }}.svc
Loading

0 comments on commit 9bd2b10

Please sign in to comment.