fix(helm): webhook — template cert/secret names, gate on certManager.enabled, scope rules

Author: syscod3

charts/imp/templates/operator/deployment.yaml

@@ -74,5 +74,5 @@ spec:
       volumes:
       - name: webhook-tls
         secret:
-          secretName: imp-webhook-tls
+          secretName: {{ include "imp.fullname" . }}-webhook-tls
       terminationGracePeriodSeconds: 10

charts/imp/templates/webhook/certificate.yaml

@@ -2,14 +2,14 @@
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
-  name: imp-webhook-tls
+  name: {{ include "imp.fullname" . }}-webhook-tls
   namespace: {{ .Release.Namespace }}
   labels:
     {{- include "imp.labels" . | nindent 4 }}
 spec:
-  secretName: imp-webhook-tls
-  duration: 8760h
-  renewBefore: 720h
+  secretName: {{ include "imp.fullname" . }}-webhook-tls
+  duration: {{ .Values.webhook.certManager.duration }}
+  renewBefore: {{ .Values.webhook.certManager.renewBefore }}
   dnsNames:
     - {{ include "imp.fullname" . }}-operator.{{ .Release.Namespace }}.svc
     - {{ include "imp.fullname" . }}-operator.{{ .Release.Namespace }}.svc.cluster.local
@@ -19,5 +19,6 @@ spec:
     {{- else }}
     name: {{ include "imp.fullname" . }}-selfsigned
     kind: Issuer
+    group: cert-manager.io
     {{- end }}
 {{- end }}

charts/imp/templates/webhook/mutatingwebhook.yaml

@@ -1,11 +1,12 @@
+{{- if .Values.webhook.certManager.enabled }}
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:
-  name: {{ include "imp.fullname" . }}
+  name: {{ include "imp.fullname" . }}-mutating-webhooks
   labels:
     {{- include "imp.labels" . | nindent 4 }}
   annotations:
-    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/imp-webhook-tls
+    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "imp.fullname" . }}-webhook-tls
 webhooks:
 - name: mimpvm.kb.io
   admissionReviewVersions: ["v1"]
@@ -17,7 +18,11 @@ webhooks:
   rules:
   - apiGroups: ["imp.dev"]
     apiVersions: ["v1alpha1"]
-    operations: [CREATE, UPDATE]
+    operations:
+      - CREATE
+      - UPDATE
     resources: [impvms]
+    scope: Namespaced
   failurePolicy: Fail
   sideEffects: None
+{{- end }}

charts/imp/templates/webhook/validatingwebhook.yaml

@@ -1,11 +1,12 @@
+{{- if .Values.webhook.certManager.enabled }}
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
-  name: {{ include "imp.fullname" . }}
+  name: {{ include "imp.fullname" . }}-validating-webhooks
   labels:
     {{- include "imp.labels" . | nindent 4 }}
   annotations:
-    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/imp-webhook-tls
+    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "imp.fullname" . }}-webhook-tls
 webhooks:
 - name: vimpvm.kb.io
   admissionReviewVersions: ["v1"]
@@ -17,8 +18,11 @@ webhooks:
   rules:
   - apiGroups: ["imp.dev"]
     apiVersions: ["v1alpha1"]
-    operations: [CREATE, UPDATE]
+    operations:
+      - CREATE
+      - UPDATE
     resources: [impvms]
+    scope: Namespaced
   failurePolicy: Fail
   sideEffects: None
 - name: vimpvmclass.kb.io
@@ -31,8 +35,11 @@ webhooks:
   rules:
   - apiGroups: ["imp.dev"]
     apiVersions: ["v1alpha1"]
-    operations: [CREATE, UPDATE]
+    operations:
+      - CREATE
+      - UPDATE
     resources: [impvmclasses]
+    scope: Cluster
   failurePolicy: Fail
   sideEffects: None
 - name: vimpvmtemplate.kb.io
@@ -45,7 +52,11 @@ webhooks:
   rules:
   - apiGroups: ["imp.dev"]
     apiVersions: ["v1alpha1"]
-    operations: [CREATE, UPDATE]
+    operations:
+      - CREATE
+      - UPDATE
     resources: [impvmtemplates]
+    scope: Namespaced
   failurePolicy: Fail
   sideEffects: None
+{{- end }}

charts/imp/tests/operator-deployment_test.yaml

@@ -37,7 +37,7 @@ tests:
           content:
             name: webhook-tls
             secret:
-              secretName: imp-webhook-tls
+              secretName: RELEASE-NAME-imp-webhook-tls
 
   - it: renders Service with webhook and metrics ports
     template: templates/operator/service.yaml

charts/imp/tests/webhook_test.yaml

@@ -30,7 +30,7 @@ tests:
           of: Certificate
       - equal:
           path: spec.secretName
-          value: imp-webhook-tls
+          value: RELEASE-NAME-imp-webhook-tls
       - contains:
           path: spec.dnsNames
           content: RELEASE-NAME-imp-operator.NAMESPACE.svc
@@ -45,7 +45,7 @@ tests:
           of: MutatingWebhookConfiguration
       - equal:
           path: metadata.annotations["cert-manager.io/inject-ca-from"]
-          value: NAMESPACE/imp-webhook-tls
+          value: NAMESPACE/RELEASE-NAME-imp-webhook-tls
 
   - it: ValidatingWebhookConfiguration has cainjector annotation
     template: templates/webhook/validatingwebhook.yaml
@@ -54,11 +54,37 @@ tests:
           of: ValidatingWebhookConfiguration
       - equal:
           path: metadata.annotations["cert-manager.io/inject-ca-from"]
-          value: NAMESPACE/imp-webhook-tls
+          value: NAMESPACE/RELEASE-NAME-imp-webhook-tls
 
   - it: ValidatingWebhookConfiguration has three webhooks
     template: templates/webhook/validatingwebhook.yaml
     asserts:
       - lengthEqual:
           path: webhooks
           count: 3
+
+  - it: Certificate uses custom issuerRef when provided
+    template: templates/webhook/certificate.yaml
+    set:
+      webhook.certManager.issuerRef.name: my-issuer
+      webhook.certManager.issuerRef.kind: ClusterIssuer
+      webhook.certManager.issuerRef.group: cert-manager.io
+    asserts:
+      - equal:
+          path: spec.issuerRef.name
+          value: my-issuer
+      - equal:
+          path: spec.issuerRef.kind
+          value: ClusterIssuer
+
+  - it: MutatingWebhookConfiguration has one webhook with correct path
+    template: templates/webhook/mutatingwebhook.yaml
+    asserts:
+      - isKind:
+          of: MutatingWebhookConfiguration
+      - lengthEqual:
+          path: webhooks
+          count: 1
+      - equal:
+          path: webhooks[0].clientConfig.service.path
+          value: /mutate-imp-dev-v1alpha1-impvm

charts/imp/values.yaml

@@ -49,3 +49,5 @@ webhook:
   certManager:
     enabled: true
     issuerRef: {}
+    duration: 8760h
+    renewBefore: 720h