diff --git a/bootstrap/kubeadm/config/certmanager/certificate.yaml b/bootstrap/kubeadm/config/certmanager/certificate.yaml index d53b0e8e97e7..3defedcf5a01 100644 --- a/bootstrap/kubeadm/config/certmanager/certificate.yaml +++ b/bootstrap/kubeadm/config/certmanager/certificate.yaml @@ -15,14 +15,14 @@ metadata: name: serving-cert # this name should match the one appeared in kustomizeconfig.yaml namespace: system spec: - # $(SERVICE_NAME) and $(SERVICE_NAMESPACE) will be substituted by kustomize + # SERVICE_NAME and SERVICE_NAMESPACE will be substituted by kustomize dnsNames: - - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc - - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local + - SERVICE_NAME.SERVICE_NAMESPACE.svc + - SERVICE_NAME.SERVICE_NAMESPACE.svc.cluster.local issuerRef: kind: Issuer name: selfsigned-issuer - secretName: $(SERVICE_NAME)-cert # this secret will not be prefixed, since it's not managed by kustomize + secretName: webhook-service-cert # this secret will not be prefixed, since it's not managed by kustomize subject: organizations: - - k8s-sig-cluster-lifecycle \ No newline at end of file + - k8s-sig-cluster-lifecycle diff --git a/bootstrap/kubeadm/config/certmanager/kustomizeconfig.yaml b/bootstrap/kubeadm/config/certmanager/kustomizeconfig.yaml index 28a895a404a9..87d212b8e0b3 100644 --- a/bootstrap/kubeadm/config/certmanager/kustomizeconfig.yaml +++ b/bootstrap/kubeadm/config/certmanager/kustomizeconfig.yaml @@ -6,14 +6,3 @@ nameReference: - kind: Certificate group: cert-manager.io path: spec/issuerRef/name - -varReference: -- kind: Certificate - group: cert-manager.io - path: spec/commonName -- kind: Certificate - group: cert-manager.io - path: spec/dnsNames -- kind: Certificate - group: cert-manager.io - path: spec/secretName diff --git a/bootstrap/kubeadm/config/crd/kustomization.yaml b/bootstrap/kubeadm/config/crd/kustomization.yaml index f273fbabc564..82ffa4cd4127 100644 --- a/bootstrap/kubeadm/config/crd/kustomization.yaml 
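Review bot: The new literal `secretName: webhook-service-cert` is no longer derived from the webhook Service's name, so the Secret holding the serving key loses whatever per-provider uniqueness `$(SERVICE_NAME)-cert` gave it. The controlplane/kubeadm certificate.yaml hunk uses the same literal and config/certmanager/certificate.yaml uses `webhook-server-cert`, so two providers rendered into one namespace would have two Certificates writing one Secret, and the two spellings are easy to mix up with the matching manager_webhook_patch.yaml values. If the rendered Service name carried a kustomize name prefix before (the prefix setting is outside the hunk, so this is inferred), an upgrade also renames the Secret and leaves the old one, with its private key, behind until it is deleted. Consider a provider-specific literal here and in manager_webhook_patch.yaml, plus a comment such as `# must match secretName in ../default/manager_webhook_patch.yaml`.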
+++ b/bootstrap/kubeadm/config/crd/kustomization.yaml @@ -11,17 +11,17 @@ resources: - bases/bootstrap.cluster.x-k8s.io_kubeadmconfigtemplates.yaml # +kubebuilder:scaffold:crdkustomizeresource -patchesStrategicMerge: +patches: # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix. # patches here are for enabling the conversion webhook for each CRD -- patches/webhook_in_kubeadmconfigs.yaml -- patches/webhook_in_kubeadmconfigtemplates.yaml +- path: patches/webhook_in_kubeadmconfigs.yaml +- path: patches/webhook_in_kubeadmconfigtemplates.yaml # +kubebuilder:scaffold:crdkustomizewebhookpatch # [CERTMANAGER] To enable webhook, uncomment all the sections with [CERTMANAGER] prefix. # patches here are for enabling the CA injection for each CRD -- patches/cainjection_in_kubeadmconfigs.yaml -- patches/cainjection_in_kubeadmconfigtemplates.yaml +- path: patches/cainjection_in_kubeadmconfigs.yaml +- path: patches/cainjection_in_kubeadmconfigtemplates.yaml # +kubebuilder:scaffold:crdkustomizecainjectionpatch # the following config is for teaching kustomize how to do kustomization for CRDs. diff --git a/bootstrap/kubeadm/config/crd/kustomizeconfig.yaml b/bootstrap/kubeadm/config/crd/kustomizeconfig.yaml index e3fd575d604b..3fe85a276895 100644 --- a/bootstrap/kubeadm/config/crd/kustomizeconfig.yaml +++ b/bootstrap/kubeadm/config/crd/kustomizeconfig.yaml @@ -12,6 +12,3 @@ namespace: group: apiextensions.k8s.io path: spec/conversion/webhook/clientConfig/service/namespace create: false - -varReference: - - path: metadata/annotations diff --git a/bootstrap/kubeadm/config/crd/patches/cainjection_in_kubeadmconfigs.yaml b/bootstrap/kubeadm/config/crd/patches/cainjection_in_kubeadmconfigs.yaml index 0e7d35ae87fa..fb0a62fe2008 100644 --- a/bootstrap/kubeadm/config/crd/patches/cainjection_in_kubeadmconfigs.yaml +++ b/bootstrap/kubeadm/config/crd/patches/cainjection_in_kubeadmconfigs.yaml 
@@ -4,5 +4,5 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME name: kubeadmconfigs.bootstrap.cluster.x-k8s.io diff --git a/bootstrap/kubeadm/config/crd/patches/cainjection_in_kubeadmconfigtemplates.yaml b/bootstrap/kubeadm/config/crd/patches/cainjection_in_kubeadmconfigtemplates.yaml index fe6b5adf60c6..a8bc5dcf1d26 100644 --- a/bootstrap/kubeadm/config/crd/patches/cainjection_in_kubeadmconfigtemplates.yaml +++ b/bootstrap/kubeadm/config/crd/patches/cainjection_in_kubeadmconfigtemplates.yaml @@ -4,5 +4,5 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME name: kubeadmconfigtemplates.bootstrap.cluster.x-k8s.io diff --git a/bootstrap/kubeadm/config/default/kustomization.yaml b/bootstrap/kubeadm/config/default/kustomization.yaml index 340ed757c040..5584ab2e2780 100644 --- a/bootstrap/kubeadm/config/default/kustomization.yaml +++ b/bootstrap/kubeadm/config/default/kustomization.yaml 
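Review bot: Nothing in this patch file says that `CERTIFICATE_NAMESPACE/CERTIFICATE_NAME` is a placeholder; with the `$(...)` syntax gone it reads like a real namespace/name pair. It is only rewritten by the `replacements` block in the default/kustomization.yaml of the same config tree, so a build that does not go through that overlay would presumably emit the literal string and cert-manager's CA injector would have no Certificate to resolve. I would add a comment above the annotation, e.g. `# placeholder: rewritten to <namespace>/<name> of serving-cert by replacements in ../../default/kustomization.yaml`. The same applies to every other cainjection_in_*.yaml hunk and to the two webhookcainjection_patch.yaml hunks in this diff.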
@@ -7,51 +7,116 @@ commonLabels: cluster.x-k8s.io/provider: "bootstrap-kubeadm" resources: -- namespace.yaml - -bases: - ../crd - ../rbac - ../manager - ../webhook - ../certmanager +- namespace.yaml -patchesStrategicMerge: +patches: # Provide customizable hook for make targets. - - manager_image_patch.yaml - - manager_pull_policy.yaml + - path: manager_image_patch.yaml + - path: manager_pull_policy.yaml # Enable webhook. - - manager_webhook_patch.yaml + - path: manager_webhook_patch.yaml # Inject certificate in the webhook definition. - - webhookcainjection_patch.yaml - -vars: - - name: CERTIFICATE_NAMESPACE # namespace of the certificate CR - objref: - kind: Certificate - group: cert-manager.io - version: v1 - name: serving-cert # this name should match the one in certificate.yaml - fieldref: - fieldpath: metadata.namespace - - name: CERTIFICATE_NAME - objref: - kind: Certificate - group: cert-manager.io - version: v1 - name: serving-cert # this name should match the one in certificate.yaml - - name: SERVICE_NAMESPACE # namespace of the service - objref: - kind: Service - version: v1 - name: webhook-service - fieldref: - fieldpath: metadata.namespace - - name: SERVICE_NAME - objref: - kind: Service - version: v1 - name: webhook-service + - path: webhookcainjection_patch.yaml -configurations: - - kustomizeconfig.yaml +replacements: +- source: # Add cert-manager annotation to ValidatingWebhookConfiguration, MutatingWebhookConfiguration and CRDs + kind: Certificate + group: cert-manager.io + version: v1 + name: serving-cert # this name should match the one in certificate.yaml + fieldPath: .metadata.namespace # namespace of the certificate CR + targets: + - select: + kind: ValidatingWebhookConfiguration + fieldPaths: + - .metadata.annotations.[cert-manager.io/inject-ca-from] + options: + delimiter: '/' + index: 0 + create: true + - select: + kind: MutatingWebhookConfiguration + fieldPaths: + - .metadata.annotations.[cert-manager.io/inject-ca-from] + options: + 
delimiter: '/' + index: 0 + create: true + - select: + kind: CustomResourceDefinition + fieldPaths: + - .metadata.annotations.[cert-manager.io/inject-ca-from] + options: + delimiter: '/' + index: 0 + create: true +- source: + kind: Certificate + group: cert-manager.io + version: v1 + name: serving-cert # this name should match the one in certificate.yaml + fieldPath: .metadata.name + targets: + - select: + kind: ValidatingWebhookConfiguration + fieldPaths: + - .metadata.annotations.[cert-manager.io/inject-ca-from] + options: + delimiter: '/' + index: 1 + create: true + - select: + kind: MutatingWebhookConfiguration + fieldPaths: + - .metadata.annotations.[cert-manager.io/inject-ca-from] + options: + delimiter: '/' + index: 1 + create: true + - select: + kind: CustomResourceDefinition + fieldPaths: + - .metadata.annotations.[cert-manager.io/inject-ca-from] + options: + delimiter: '/' + index: 1 + create: true +- source: # Add cert-manager annotation to the webhook Service + kind: Service + version: v1 + name: webhook-service + fieldPath: .metadata.name # namespace of the service + targets: + - select: + kind: Certificate + group: cert-manager.io + version: v1 + fieldPaths: + - .spec.dnsNames.0 + - .spec.dnsNames.1 + options: + delimiter: '.' + index: 0 + create: true +- source: + kind: Service + version: v1 + name: webhook-service + fieldPath: .metadata.namespace # namespace of the service + targets: + - select: + kind: Certificate + group: cert-manager.io + version: v1 + fieldPaths: + - .spec.dnsNames.0 + - .spec.dnsNames.1 + options: + delimiter: '.' + index: 1 + create: true diff --git a/bootstrap/kubeadm/config/default/kustomizeconfig.yaml b/bootstrap/kubeadm/config/default/kustomizeconfig.yaml deleted file mode 100644 index eb191e64d056..000000000000 --- a/bootstrap/kubeadm/config/default/kustomizeconfig.yaml +++ /dev/null 
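Review bot: The `Certificate` targets under `replacements` select by kind, group and version only, so with `create: true` every Certificate in the build gets `.spec.dnsNames.0` and `.spec.dnsNames.1` rewritten or created, not just the webhook serving certificate. Adding `name: serving-cert` to those two `select` blocks would pin the SAN rewrite to the one intended object (the source selectors already match by that name); the webhook-configuration and CRD targets are likewise kind-only, which puts the `inject-ca-from` annotation on every such object in the build. Two comments are also wrong: `fieldPath: .metadata.name # namespace of the service` should read `# name of the service`, and `# Add cert-manager annotation to the webhook Service` sits on the entry that fills the Certificate's dnsNames. The substitution is positional (index 0 and 1 of a '.'-split, entries 0 and 1 of the list), so a comment saying it depends on the order in certificate.yaml would help. The same points apply to the config/default and controlplane/kubeadm/config/default kustomization.yaml hunks.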
@@ -1,4 +0,0 @@ -# This configuration is for teaching kustomize how to update name ref and var substitution -varReference: -- kind: Deployment - path: spec/template/spec/volumes/secret/secretName diff --git a/bootstrap/kubeadm/config/default/manager_webhook_patch.yaml b/bootstrap/kubeadm/config/default/manager_webhook_patch.yaml index bccef6d70db8..031b9c940b81 100644 --- a/bootstrap/kubeadm/config/default/manager_webhook_patch.yaml +++ b/bootstrap/kubeadm/config/default/manager_webhook_patch.yaml @@ -19,4 +19,4 @@ spec: volumes: - name: cert secret: - secretName: $(SERVICE_NAME)-cert + secretName: webhook-service-cert diff --git a/bootstrap/kubeadm/config/default/webhookcainjection_patch.yaml b/bootstrap/kubeadm/config/default/webhookcainjection_patch.yaml index 04c08d027f3d..b94de4bd6bf0 100644 --- a/bootstrap/kubeadm/config/default/webhookcainjection_patch.yaml +++ b/bootstrap/kubeadm/config/default/webhookcainjection_patch.yaml @@ -4,11 +4,11 @@ kind: MutatingWebhookConfiguration metadata: name: mutating-webhook-configuration annotations: - cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME --- apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: name: validating-webhook-configuration annotations: - cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME diff --git a/bootstrap/kubeadm/config/webhook/kustomizeconfig.yaml b/bootstrap/kubeadm/config/webhook/kustomizeconfig.yaml index 25e21e3c963f..30293f0f5d90 100644 --- a/bootstrap/kubeadm/config/webhook/kustomizeconfig.yaml +++ b/bootstrap/kubeadm/config/webhook/kustomizeconfig.yaml @@ -20,6 +20,3 @@ namespace: group: admissionregistration.k8s.io path: webhooks/clientConfig/service/namespace create: true - -varReference: -- path: metadata/annotations 
diff --git a/config/certmanager/certificate.yaml b/config/certmanager/certificate.yaml index b1ae09af576d..9fd693e9491d 100644 --- a/config/certmanager/certificate.yaml +++ b/config/certmanager/certificate.yaml @@ -14,14 +14,14 @@ metadata: name: serving-cert # this name should match the one appeared in kustomizeconfig.yaml namespace: system spec: - # $(SERVICE_NAME) and $(SERVICE_NAMESPACE) will be substituted by kustomize + # SERVICE_NAME and SERVICE_NAMESPACE will be substituted by kustomize dnsNames: - - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc - - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local + - SERVICE_NAME.SERVICE_NAMESPACE.svc + - SERVICE_NAME.SERVICE_NAMESPACE.svc.cluster.local issuerRef: kind: Issuer name: selfsigned-issuer - secretName: $(SERVICE_NAME)-cert # this secret will not be prefixed, since it's not managed by kustomize + secretName: webhook-server-cert # this secret will not be prefixed, since it's not managed by kustomize subject: organizations: - - k8s-sig-cluster-lifecycle \ No newline at end of file + - k8s-sig-cluster-lifecycle diff --git a/config/certmanager/kustomizeconfig.yaml b/config/certmanager/kustomizeconfig.yaml index 28a895a404a9..87d212b8e0b3 100644 --- a/config/certmanager/kustomizeconfig.yaml +++ b/config/certmanager/kustomizeconfig.yaml @@ -6,14 +6,3 @@ nameReference: - kind: Certificate group: cert-manager.io path: spec/issuerRef/name - -varReference: -- kind: Certificate - group: cert-manager.io - path: spec/commonName -- kind: Certificate - group: cert-manager.io - path: spec/dnsNames -- kind: Certificate - group: cert-manager.io - path: spec/secretName diff --git a/config/crd/kustomization.yaml b/config/crd/kustomization.yaml index 0ea28e7bae1c..2893a4e8b95c 100644 --- a/config/crd/kustomization.yaml +++ b/config/crd/kustomization.yaml 
@@ -16,31 +16,31 @@ resources: - bases/ipam.cluster.x-k8s.io_ipaddressclaims.yaml # +kubebuilder:scaffold:crdkustomizeresource -patchesStrategicMerge: +patches: # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix. # patches here are for enabling the conversion webhook for each CRD -- patches/webhook_in_clusterclasses.yaml -- patches/webhook_in_clusters.yaml -- patches/webhook_in_machinepools.yaml -- patches/webhook_in_machines.yaml -- patches/webhook_in_machinesets.yaml -- patches/webhook_in_machinedeployments.yaml -- patches/webhook_in_machinehealthchecks.yaml -- patches/webhook_in_clusterresourcesets.yaml -- patches/webhook_in_clusterresourcesetbindings.yaml +- path: patches/webhook_in_clusterclasses.yaml +- path: patches/webhook_in_clusters.yaml +- path: patches/webhook_in_machinepools.yaml +- path: patches/webhook_in_machines.yaml +- path: patches/webhook_in_machinesets.yaml +- path: patches/webhook_in_machinedeployments.yaml +- path: patches/webhook_in_machinehealthchecks.yaml +- path: patches/webhook_in_clusterresourcesets.yaml +- path: patches/webhook_in_clusterresourcesetbindings.yaml # +kubebuilder:scaffold:crdkustomizewebhookpatch # [CERTMANAGER] To enable webhook, uncomment all the sections with [CERTMANAGER] prefix. 
# patches here are for enabling the CA injection for each CRD -- patches/cainjection_in_clusterclasses.yaml -- patches/cainjection_in_clusters.yaml -- patches/cainjection_in_machinepools.yaml -- patches/cainjection_in_machines.yaml -- patches/cainjection_in_machinesets.yaml -- patches/cainjection_in_machinedeployments.yaml -- patches/cainjection_in_machinehealthchecks.yaml -- patches/cainjection_in_clusterresourcesets.yaml -- patches/cainjection_in_clusterresourcesetbindings.yaml +- path: patches/cainjection_in_clusterclasses.yaml +- path: patches/cainjection_in_clusters.yaml +- path: patches/cainjection_in_machinepools.yaml +- path: patches/cainjection_in_machines.yaml +- path: patches/cainjection_in_machinesets.yaml +- path: patches/cainjection_in_machinedeployments.yaml +- path: patches/cainjection_in_machinehealthchecks.yaml +- path: patches/cainjection_in_clusterresourcesets.yaml +- path: patches/cainjection_in_clusterresourcesetbindings.yaml # +kubebuilder:scaffold:crdkustomizecainjectionpatch # the following config is for teaching kustomize how to do kustomization for CRDs. diff --git a/config/crd/kustomizeconfig.yaml b/config/crd/kustomizeconfig.yaml index 8e2d8d6b1774..237f9458327a 100644 --- a/config/crd/kustomizeconfig.yaml +++ b/config/crd/kustomizeconfig.yaml @@ -12,6 +12,3 @@ namespace: group: apiextensions.k8s.io path: spec/conversion/webhook/clientConfig/service/namespace create: false - -varReference: -- path: metadata/annotations diff --git a/config/crd/patches/cainjection_in_clusterclasses.yaml b/config/crd/patches/cainjection_in_clusterclasses.yaml index 4b3d83113df4..59f29099f38e 100644 --- a/config/crd/patches/cainjection_in_clusterclasses.yaml +++ b/config/crd/patches/cainjection_in_clusterclasses.yaml 
@@ -4,5 +4,5 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME name: clusterclasses.cluster.x-k8s.io diff --git a/config/crd/patches/cainjection_in_clusterresourcesetbindings.yaml b/config/crd/patches/cainjection_in_clusterresourcesetbindings.yaml index 7b54b56f62ae..a6df0122dc08 100644 --- a/config/crd/patches/cainjection_in_clusterresourcesetbindings.yaml +++ b/config/crd/patches/cainjection_in_clusterresourcesetbindings.yaml @@ -4,5 +4,5 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME name: clusterresourcesetbindings.addons.cluster.x-k8s.io diff --git a/config/crd/patches/cainjection_in_clusterresourcesets.yaml b/config/crd/patches/cainjection_in_clusterresourcesets.yaml index e3c0e73a81bd..4d193c0c4f03 100644 --- a/config/crd/patches/cainjection_in_clusterresourcesets.yaml +++ b/config/crd/patches/cainjection_in_clusterresourcesets.yaml @@ -4,5 +4,5 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME name: clusterresourcesets.addons.cluster.x-k8s.io diff --git a/config/crd/patches/cainjection_in_clusters.yaml b/config/crd/patches/cainjection_in_clusters.yaml index 2e891790e1db..871b0adf5d70 100644 --- a/config/crd/patches/cainjection_in_clusters.yaml +++ b/config/crd/patches/cainjection_in_clusters.yaml 
@@ -4,5 +4,5 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME name: clusters.cluster.x-k8s.io diff --git a/config/crd/patches/cainjection_in_machinedeployments.yaml b/config/crd/patches/cainjection_in_machinedeployments.yaml index 15e6de214210..6fe5699f8033 100644 --- a/config/crd/patches/cainjection_in_machinedeployments.yaml +++ b/config/crd/patches/cainjection_in_machinedeployments.yaml @@ -4,5 +4,5 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME name: machinedeployments.cluster.x-k8s.io diff --git a/config/crd/patches/cainjection_in_machinehealthchecks.yaml b/config/crd/patches/cainjection_in_machinehealthchecks.yaml index eb79d32e32af..6b45c097adc9 100644 --- a/config/crd/patches/cainjection_in_machinehealthchecks.yaml +++ b/config/crd/patches/cainjection_in_machinehealthchecks.yaml @@ -4,5 +4,5 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME name: machinehealthchecks.cluster.x-k8s.io diff --git a/config/crd/patches/cainjection_in_machinepools.yaml b/config/crd/patches/cainjection_in_machinepools.yaml index b5329a85f8ba..aa288820ae21 100644 --- a/config/crd/patches/cainjection_in_machinepools.yaml +++ b/config/crd/patches/cainjection_in_machinepools.yaml 
@@ -4,5 +4,5 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME name: machinepools.cluster.x-k8s.io diff --git a/config/crd/patches/cainjection_in_machines.yaml b/config/crd/patches/cainjection_in_machines.yaml index 0877175c539e..84d59e66adab 100644 --- a/config/crd/patches/cainjection_in_machines.yaml +++ b/config/crd/patches/cainjection_in_machines.yaml @@ -4,5 +4,5 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME name: machines.cluster.x-k8s.io diff --git a/config/crd/patches/cainjection_in_machinesets.yaml b/config/crd/patches/cainjection_in_machinesets.yaml index 0996162d64fe..efb0eb98e8ef 100644 --- a/config/crd/patches/cainjection_in_machinesets.yaml +++ b/config/crd/patches/cainjection_in_machinesets.yaml @@ -4,5 +4,5 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME name: machinesets.cluster.x-k8s.io diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml index 18aeca81afe9..856848f20f7a 100644 --- a/config/default/kustomization.yaml +++ b/config/default/kustomization.yaml 
@@ -6,55 +6,120 @@ commonLabels: cluster.x-k8s.io/provider: "cluster-api" resources: -- namespace.yaml - -bases: - ../crd - ../rbac - ../manager - ../webhook - ../certmanager +- namespace.yaml -patchesStrategicMerge: +patches: # Provide customizable hook for make targets. -- manager_image_patch.yaml -- manager_pull_policy.yaml +- path: manager_image_patch.yaml +- path: manager_pull_policy.yaml # Enable webhook. -- manager_webhook_patch.yaml +- path: manager_webhook_patch.yaml # Inject certificate in the webhook definition. -- webhookcainjection_patch.yaml +- path: webhookcainjection_patch.yaml # Ease the process of providing extra RBAC to the Cluster API manager for # non SIG Cluster Lifecycle-sponsored provider subprojects by using an # aggregated role -- manager_role_aggregation_patch.yaml - -vars: - - name: CERTIFICATE_NAMESPACE # namespace of the certificate CR - objref: - kind: Certificate - group: cert-manager.io - version: v1 - name: serving-cert # this name should match the one in certificate.yaml - fieldref: - fieldpath: metadata.namespace - - name: CERTIFICATE_NAME - objref: - kind: Certificate - group: cert-manager.io - version: v1 - name: serving-cert # this name should match the one in certificate.yaml - - name: SERVICE_NAMESPACE # namespace of the service - objref: - kind: Service - version: v1 - name: webhook-service - fieldref: - fieldpath: metadata.namespace - - name: SERVICE_NAME - objref: - kind: Service - version: v1 - name: webhook-service +- path: manager_role_aggregation_patch.yaml -configurations: - - kustomizeconfig.yaml +replacements: +- source: # Add cert-manager annotation to ValidatingWebhookConfiguration, MutatingWebhookConfiguration and CRDs + kind: Certificate + group: cert-manager.io + version: v1 + name: serving-cert # this name should match the one in certificate.yaml + fieldPath: .metadata.namespace # namespace of the certificate CR + targets: + - select: + kind: ValidatingWebhookConfiguration + fieldPaths: + - 
.metadata.annotations.[cert-manager.io/inject-ca-from] + options: + delimiter: '/' + index: 0 + create: true + - select: + kind: MutatingWebhookConfiguration + fieldPaths: + - .metadata.annotations.[cert-manager.io/inject-ca-from] + options: + delimiter: '/' + index: 0 + create: true + - select: + kind: CustomResourceDefinition + fieldPaths: + - .metadata.annotations.[cert-manager.io/inject-ca-from] + options: + delimiter: '/' + index: 0 + create: true +- source: + kind: Certificate + group: cert-manager.io + version: v1 + name: serving-cert # this name should match the one in certificate.yaml + fieldPath: .metadata.name + targets: + - select: + kind: ValidatingWebhookConfiguration + fieldPaths: + - .metadata.annotations.[cert-manager.io/inject-ca-from] + options: + delimiter: '/' + index: 1 + create: true + - select: + kind: MutatingWebhookConfiguration + fieldPaths: + - .metadata.annotations.[cert-manager.io/inject-ca-from] + options: + delimiter: '/' + index: 1 + create: true + - select: + kind: CustomResourceDefinition + fieldPaths: + - .metadata.annotations.[cert-manager.io/inject-ca-from] + options: + delimiter: '/' + index: 1 + create: true +- source: # Add cert-manager annotation to the webhook Service + kind: Service + version: v1 + name: webhook-service + fieldPath: .metadata.name # namespace of the service + targets: + - select: + kind: Certificate + group: cert-manager.io + version: v1 + fieldPaths: + - .spec.dnsNames.0 + - .spec.dnsNames.1 + options: + delimiter: '.' + index: 0 + create: true +- source: + kind: Service + version: v1 + name: webhook-service + fieldPath: .metadata.namespace # namespace of the service + targets: + - select: + kind: Certificate + group: cert-manager.io + version: v1 + fieldPaths: + - .spec.dnsNames.0 + - .spec.dnsNames.1 + options: + delimiter: '.' + index: 1 + create: true diff --git a/config/default/kustomizeconfig.yaml b/config/default/kustomizeconfig.yaml deleted file mode 100644 index eb191e64d056..000000000000 
--- a/config/default/kustomizeconfig.yaml +++ /dev/null @@ -1,4 +0,0 @@ -# This configuration is for teaching kustomize how to update name ref and var substitution -varReference: -- kind: Deployment - path: spec/template/spec/volumes/secret/secretName diff --git a/config/default/manager_webhook_patch.yaml b/config/default/manager_webhook_patch.yaml index bccef6d70db8..82ed64f46339 100644 --- a/config/default/manager_webhook_patch.yaml +++ b/config/default/manager_webhook_patch.yaml @@ -19,4 +19,4 @@ spec: volumes: - name: cert secret: - secretName: $(SERVICE_NAME)-cert + secretName: webhook-server-cert diff --git a/config/default/webhookcainjection_patch.yaml b/config/default/webhookcainjection_patch.yaml index 362c633431d4..13e24d341c73 100644 --- a/config/default/webhookcainjection_patch.yaml +++ b/config/default/webhookcainjection_patch.yaml @@ -6,11 +6,11 @@ kind: MutatingWebhookConfiguration metadata: name: mutating-webhook-configuration annotations: - cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME --- apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: name: validating-webhook-configuration annotations: - cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME diff --git a/config/webhook/kustomizeconfig.yaml b/config/webhook/kustomizeconfig.yaml index 25e21e3c963f..30293f0f5d90 100644 --- a/config/webhook/kustomizeconfig.yaml +++ b/config/webhook/kustomizeconfig.yaml @@ -20,6 +20,3 @@ namespace: group: admissionregistration.k8s.io path: webhooks/clientConfig/service/namespace create: true - -varReference: -- path: metadata/annotations diff --git a/controlplane/kubeadm/config/certmanager/certificate.yaml b/controlplane/kubeadm/config/certmanager/certificate.yaml index d53b0e8e97e7..3defedcf5a01 100644 
--- a/controlplane/kubeadm/config/certmanager/certificate.yaml +++ b/controlplane/kubeadm/config/certmanager/certificate.yaml @@ -15,14 +15,14 @@ metadata: name: serving-cert # this name should match the one appeared in kustomizeconfig.yaml namespace: system spec: - # $(SERVICE_NAME) and $(SERVICE_NAMESPACE) will be substituted by kustomize + # SERVICE_NAME and SERVICE_NAMESPACE will be substituted by kustomize dnsNames: - - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc - - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local + - SERVICE_NAME.SERVICE_NAMESPACE.svc + - SERVICE_NAME.SERVICE_NAMESPACE.svc.cluster.local issuerRef: kind: Issuer name: selfsigned-issuer - secretName: $(SERVICE_NAME)-cert # this secret will not be prefixed, since it's not managed by kustomize + secretName: webhook-service-cert # this secret will not be prefixed, since it's not managed by kustomize subject: organizations: - - k8s-sig-cluster-lifecycle \ No newline at end of file + - k8s-sig-cluster-lifecycle diff --git a/controlplane/kubeadm/config/certmanager/kustomizeconfig.yaml b/controlplane/kubeadm/config/certmanager/kustomizeconfig.yaml index 28a895a404a9..87d212b8e0b3 100644 --- a/controlplane/kubeadm/config/certmanager/kustomizeconfig.yaml +++ b/controlplane/kubeadm/config/certmanager/kustomizeconfig.yaml @@ -6,14 +6,3 @@ nameReference: - kind: Certificate group: cert-manager.io path: spec/issuerRef/name - -varReference: -- kind: Certificate - group: cert-manager.io - path: spec/commonName -- kind: Certificate - group: cert-manager.io - path: spec/dnsNames -- kind: Certificate - group: cert-manager.io - path: spec/secretName diff --git a/controlplane/kubeadm/config/crd/kustomization.yaml b/controlplane/kubeadm/config/crd/kustomization.yaml index 9f62fc8d9a09..7a8e8f04a390 100644 --- a/controlplane/kubeadm/config/crd/kustomization.yaml +++ b/controlplane/kubeadm/config/crd/kustomization.yaml 
@@ -11,17 +11,17 @@ resources: - bases/controlplane.cluster.x-k8s.io_kubeadmcontrolplanetemplates.yaml # +kubebuilder:scaffold:crdkustomizeresource -patchesStrategicMerge: +patches: # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix. # patches here are for enabling the conversion webhook for each CRD - - patches/webhook_in_kubeadmcontrolplanes.yaml - - patches/webhook_in_kubeadmcontrolplanetemplates.yaml + - path: patches/webhook_in_kubeadmcontrolplanes.yaml + - path: patches/webhook_in_kubeadmcontrolplanetemplates.yaml # +kubebuilder:scaffold:crdkustomizewebhookpatch # [CERTMANAGER] To enable webhook, uncomment all the sections with [CERTMANAGER] prefix. # patches here are for enabling the CA injection for each CRD - - patches/cainjection_in_kubeadmcontrolplanes.yaml - - patches/cainjection_in_kubeadmcontrolplanetemplates.yaml + - path: patches/cainjection_in_kubeadmcontrolplanes.yaml + - path: patches/cainjection_in_kubeadmcontrolplanetemplates.yaml # +kubebuilder:scaffold:crdkustomizecainjectionpatch # the following config is for teaching kustomize how to do kustomization for CRDs. diff --git a/controlplane/kubeadm/config/crd/kustomizeconfig.yaml b/controlplane/kubeadm/config/crd/kustomizeconfig.yaml index e3fd575d604b..3fe85a276895 100644 --- a/controlplane/kubeadm/config/crd/kustomizeconfig.yaml +++ b/controlplane/kubeadm/config/crd/kustomizeconfig.yaml @@ -12,6 +12,3 @@ namespace: group: apiextensions.k8s.io path: spec/conversion/webhook/clientConfig/service/namespace create: false - -varReference: - - path: metadata/annotations diff --git a/controlplane/kubeadm/config/crd/patches/cainjection_in_kubeadmcontrolplanes.yaml b/controlplane/kubeadm/config/crd/patches/cainjection_in_kubeadmcontrolplanes.yaml index 08aec1dbb700..8592ccf0e104 100644 --- a/controlplane/kubeadm/config/crd/patches/cainjection_in_kubeadmcontrolplanes.yaml +++ b/controlplane/kubeadm/config/crd/patches/cainjection_in_kubeadmcontrolplanes.yaml 
@@ -4,5 +4,5 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME name: kubeadmcontrolplanes.controlplane.cluster.x-k8s.io diff --git a/controlplane/kubeadm/config/crd/patches/cainjection_in_kubeadmcontrolplanetemplates.yaml b/controlplane/kubeadm/config/crd/patches/cainjection_in_kubeadmcontrolplanetemplates.yaml index 654e514cb2ca..25c104a96810 100644 --- a/controlplane/kubeadm/config/crd/patches/cainjection_in_kubeadmcontrolplanetemplates.yaml +++ b/controlplane/kubeadm/config/crd/patches/cainjection_in_kubeadmcontrolplanetemplates.yaml @@ -4,5 +4,5 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME name: kubeadmcontrolplanetemplates.controlplane.cluster.x-k8s.io diff --git a/controlplane/kubeadm/config/default/kustomization.yaml b/controlplane/kubeadm/config/default/kustomization.yaml index 3178d82fe330..ea5c4c45cd83 100644 --- a/controlplane/kubeadm/config/default/kustomization.yaml +++ b/controlplane/kubeadm/config/default/kustomization.yaml 
@@ -6,53 +6,118 @@ commonLabels: cluster.x-k8s.io/provider: "control-plane-kubeadm" resources: -- namespace.yaml - -bases: - ../crd - ../rbac - ../manager - ../webhook - ../certmanager + - namespace.yaml -patchesStrategicMerge: +patches: # Provide customizable hook for make targets. - - manager_image_patch.yaml - - manager_pull_policy.yaml + - path: manager_image_patch.yaml + - path: manager_pull_policy.yaml # Enable webhook. - - manager_webhook_patch.yaml + - path: manager_webhook_patch.yaml # Inject certificate in the webhook definition. - - webhookcainjection_patch.yaml + - path: webhookcainjection_patch.yaml # Enable aggregated ClusterRole aggregation - - manager_role_aggregation_patch.yaml - -vars: - - name: CERTIFICATE_NAMESPACE # namespace of the certificate CR - objref: - kind: Certificate - group: cert-manager.io - version: v1 - name: serving-cert # this name should match the one in certificate.yaml - fieldref: - fieldpath: metadata.namespace - - name: CERTIFICATE_NAME - objref: - kind: Certificate - group: cert-manager.io - version: v1 - name: serving-cert # this name should match the one in certificate.yaml - - name: SERVICE_NAMESPACE # namespace of the service - objref: - kind: Service - version: v1 - name: webhook-service - fieldref: - fieldpath: metadata.namespace - - name: SERVICE_NAME - objref: - kind: Service - version: v1 - name: webhook-service + - path: manager_role_aggregation_patch.yaml -configurations: - - kustomizeconfig.yaml +replacements: +- source: # Add cert-manager annotation to ValidatingWebhookConfiguration, MutatingWebhookConfiguration and CRDs + kind: Certificate + group: cert-manager.io + version: v1 + name: serving-cert # this name should match the one in certificate.yaml + fieldPath: .metadata.namespace # namespace of the certificate CR + targets: + - select: + kind: ValidatingWebhookConfiguration + fieldPaths: + - .metadata.annotations.[cert-manager.io/inject-ca-from] + options: + delimiter: '/' + index: 0 + create: true + - 
select: + kind: MutatingWebhookConfiguration + fieldPaths: + - .metadata.annotations.[cert-manager.io/inject-ca-from] + options: + delimiter: '/' + index: 0 + create: true + - select: + kind: CustomResourceDefinition + fieldPaths: + - .metadata.annotations.[cert-manager.io/inject-ca-from] + options: + delimiter: '/' + index: 0 + create: true +- source: + kind: Certificate + group: cert-manager.io + version: v1 + name: serving-cert # this name should match the one in certificate.yaml + fieldPath: .metadata.name + targets: + - select: + kind: ValidatingWebhookConfiguration + fieldPaths: + - .metadata.annotations.[cert-manager.io/inject-ca-from] + options: + delimiter: '/' + index: 1 + create: true + - select: + kind: MutatingWebhookConfiguration + fieldPaths: + - .metadata.annotations.[cert-manager.io/inject-ca-from] + options: + delimiter: '/' + index: 1 + create: true + - select: + kind: CustomResourceDefinition + fieldPaths: + - .metadata.annotations.[cert-manager.io/inject-ca-from] + options: + delimiter: '/' + index: 1 + create: true +- source: # Add cert-manager annotation to the webhook Service + kind: Service + version: v1 + name: webhook-service + fieldPath: .metadata.name # namespace of the service + targets: + - select: + kind: Certificate + group: cert-manager.io + version: v1 + fieldPaths: + - .spec.dnsNames.0 + - .spec.dnsNames.1 + options: + delimiter: '.' + index: 0 + create: true +- source: + kind: Service + version: v1 + name: webhook-service + fieldPath: .metadata.namespace # namespace of the service + targets: + - select: + kind: Certificate + group: cert-manager.io + version: v1 + fieldPaths: + - .spec.dnsNames.0 + - .spec.dnsNames.1 + options: + delimiter: '.' + index: 1 + create: true diff --git a/controlplane/kubeadm/config/default/kustomizeconfig.yaml b/controlplane/kubeadm/config/default/kustomizeconfig.yaml deleted file mode 100644 index eb191e64d056..000000000000 --- a/controlplane/kubeadm/config/default/kustomizeconfig.yaml +++ /dev/null 
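Review bot: Two comments in the new `replacements` block of controlplane/kubeadm/config/default/kustomization.yaml describe the wrong thing, which matters because this block decides which names the webhook serving certificate is issued for. The third entry's `source:` is labelled `# Add cert-manager annotation to the webhook Service`, yet it and the fourth entry write the Service name and namespace into `.spec.dnsNames.0` and `.spec.dnsNames.1` of the Certificate, and `fieldPath: .metadata.name` carries `# namespace of the service`. I would change them to `# Fill the Certificate dnsNames from the webhook Service` and `# name of the service`. The same two comments recur in the test/extension/config/default and test/infrastructure/docker/config/default kustomization.yaml hunks. Separately, the annotation targets select by `kind` alone with `create: true`, so the inject-ca-from annotation looks like it would be added to every CRD and webhook configuration in the build rather than only those carrying the placeholder; a comment stating that this is intended would help.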
@@ -1,4 +0,0 @@ -# This configuration is for teaching kustomize how to update name ref and var substitution -varReference: -- kind: Deployment - path: spec/template/spec/volumes/secret/secretName diff --git a/controlplane/kubeadm/config/default/manager_webhook_patch.yaml b/controlplane/kubeadm/config/default/manager_webhook_patch.yaml index bccef6d70db8..031b9c940b81 100644 --- a/controlplane/kubeadm/config/default/manager_webhook_patch.yaml +++ b/controlplane/kubeadm/config/default/manager_webhook_patch.yaml @@ -19,4 +19,4 @@ spec: volumes: - name: cert secret: - secretName: $(SERVICE_NAME)-cert + secretName: webhook-service-cert diff --git a/controlplane/kubeadm/config/default/webhookcainjection_patch.yaml b/controlplane/kubeadm/config/default/webhookcainjection_patch.yaml index 02ab515d4281..93c0c65aa1de 100644 --- a/controlplane/kubeadm/config/default/webhookcainjection_patch.yaml +++ b/controlplane/kubeadm/config/default/webhookcainjection_patch.yaml @@ -5,11 +5,11 @@ kind: MutatingWebhookConfiguration metadata: name: mutating-webhook-configuration annotations: - cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME --- apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: name: validating-webhook-configuration annotations: - cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME diff --git a/controlplane/kubeadm/config/webhook/kustomizeconfig.yaml b/controlplane/kubeadm/config/webhook/kustomizeconfig.yaml index 25e21e3c963f..30293f0f5d90 100644 --- a/controlplane/kubeadm/config/webhook/kustomizeconfig.yaml +++ b/controlplane/kubeadm/config/webhook/kustomizeconfig.yaml @@ -20,6 +20,3 @@ namespace: group: admissionregistration.k8s.io path: webhooks/clientConfig/service/namespace create: true - -varReference: -- path: metadata/annotations 
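Review bot: In manager_webhook_patch.yaml, `secretName: webhook-service-cert` is now a literal that has to stay identical to `spec.secretName` of the serving Certificate, and nothing in the kustomization links the two any more. If they drift, cert-manager would write the key pair to one Secret while the Deployment's `cert` volume points at another, so the manager pod would most likely fail to mount its serving certificate. A comment on this line such as `# must match spec.secretName of the serving-cert Certificate in certificate.yaml` would make the coupling visible. The same applies to the manager_webhook_patch.yaml hunks under test/extension and test/infrastructure/docker. The patched `spec:` block starts outside the hunk.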
diff --git a/docs/book/src/developer/providers/implementers-guide/configure.md b/docs/book/src/developer/providers/implementers-guide/configure.md index 8d3ad5ab45ba..be6189b976c8 100644 --- a/docs/book/src/developer/providers/implementers-guide/configure.md +++ b/docs/book/src/developer/providers/implementers-guide/configure.md @@ -41,9 +41,9 @@ spec: And then, we have to add that patch to [`config/kustomization.yaml`][kustomizeyaml]: ```yaml -patchesStrategicMerge -- manager_image_patch.yaml -- manager_config.yaml +patches: +- path: manager_image_patch.yaml +- path: manager_config.yaml ``` [kustomizeyaml]: https://kubectl.docs.kubernetes.io/references/kustomize/kustomization diff --git a/test/e2e/data/infrastructure-docker/main/cluster-template-ignition/kustomization.yaml b/test/e2e/data/infrastructure-docker/main/cluster-template-ignition/kustomization.yaml index 79f7346cd20f..f5c7135724f0 100644 --- a/test/e2e/data/infrastructure-docker/main/cluster-template-ignition/kustomization.yaml +++ b/test/e2e/data/infrastructure-docker/main/cluster-template-ignition/kustomization.yaml @@ -1,7 +1,7 @@ -bases: +resources: - ../bases/cluster-with-kcp.yaml - ../bases/md.yaml - ../bases/crs.yaml -patchesStrategicMerge: - - ignition.yaml +patches: + - path: ignition.yaml diff --git a/test/e2e/data/infrastructure-docker/main/cluster-template-ipv6/kustomization.yaml b/test/e2e/data/infrastructure-docker/main/cluster-template-ipv6/kustomization.yaml index 9011ecda0846..5fd734d16df0 100644 --- a/test/e2e/data/infrastructure-docker/main/cluster-template-ipv6/kustomization.yaml +++ b/test/e2e/data/infrastructure-docker/main/cluster-template-ipv6/kustomization.yaml @@ -1,9 +1,9 @@ -bases: +resources: - ../bases/cluster-with-kcp.yaml - ../bases/md.yaml - ../bases/crs.yaml -patchesStrategicMerge: - - cluster-ipv6.yaml - - md-ipv6.yaml - - kcp-ipv6.yaml +patches: + - path: cluster-ipv6.yaml + - path: md-ipv6.yaml + - path: kcp-ipv6.yaml 
diff --git a/test/e2e/data/infrastructure-docker/main/cluster-template-md-remediation/kustomization.yaml b/test/e2e/data/infrastructure-docker/main/cluster-template-md-remediation/kustomization.yaml index 4095626631c1..ac75c0cf6aad 100644 --- a/test/e2e/data/infrastructure-docker/main/cluster-template-md-remediation/kustomization.yaml +++ b/test/e2e/data/infrastructure-docker/main/cluster-template-md-remediation/kustomization.yaml @@ -1,8 +1,8 @@ -bases: +resources: - ../bases/cluster-with-kcp.yaml - ../bases/md.yaml - ../bases/crs.yaml - mhc.yaml -patchesStrategicMerge: -- md.yaml +patches: +- path: md.yaml diff --git a/test/e2e/data/infrastructure-docker/main/cluster-template-node-drain/kustomization.yaml b/test/e2e/data/infrastructure-docker/main/cluster-template-node-drain/kustomization.yaml index ca0f62cf507c..a2f9bea098b4 100644 --- a/test/e2e/data/infrastructure-docker/main/cluster-template-node-drain/kustomization.yaml +++ b/test/e2e/data/infrastructure-docker/main/cluster-template-node-drain/kustomization.yaml @@ -1,8 +1,8 @@ -bases: +resources: - ../bases/crs.yaml - ../bases/md.yaml - ../bases/cluster-with-kcp.yaml -patchesStrategicMerge: -- md.yaml -- cluster-with-kcp.yaml +patches: +- path: md.yaml +- path: cluster-with-kcp.yaml diff --git a/test/extension/config/certmanager/certificate.yaml b/test/extension/config/certmanager/certificate.yaml index fb8e5187b084..f4f4767aa410 100644 --- a/test/extension/config/certmanager/certificate.yaml +++ b/test/extension/config/certmanager/certificate.yaml 
@@ -12,16 +12,16 @@ kind: Certificate metadata: name: serving-cert # this name should match the one appeared in kustomizeconfig.yaml spec: - # $(SERVICE_NAMESPACE) will be substituted by kustomize + # SERVICE_NAMESPACE and SERVICE_NAME will be substituted by kustomize dnsNames: - - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc - - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local + - SERVICE_NAME.SERVICE_NAMESPACE.svc + - SERVICE_NAME.SERVICE_NAMESPACE.svc.cluster.local # for local testing. - localhost issuerRef: kind: Issuer name: selfsigned-issuer - secretName: $(SERVICE_NAME)-cert # this secret will not be prefixed, since it's not managed by kustomize + secretName: webhook-service-cert # this secret will not be prefixed, since it's not managed by kustomize subject: organizations: - k8s-sig-cluster-lifecycle diff --git a/test/extension/config/certmanager/kustomizeconfig.yaml b/test/extension/config/certmanager/kustomizeconfig.yaml index 28a895a404a9..87d212b8e0b3 100644 --- a/test/extension/config/certmanager/kustomizeconfig.yaml +++ b/test/extension/config/certmanager/kustomizeconfig.yaml @@ -6,14 +6,3 @@ nameReference: - kind: Certificate group: cert-manager.io path: spec/issuerRef/name - -varReference: -- kind: Certificate - group: cert-manager.io - path: spec/commonName -- kind: Certificate - group: cert-manager.io - path: spec/dnsNames -- kind: Certificate - group: cert-manager.io - path: spec/secretName diff --git a/test/extension/config/default/kustomization.yaml b/test/extension/config/default/kustomization.yaml index e56b07ac75bd..b63213bb48f6 100644 --- a/test/extension/config/default/kustomization.yaml +++ b/test/extension/config/default/kustomization.yaml @@ -7,6 +7,7 @@ commonLabels: cluster.x-k8s.io/provider: "runtime-extension-test" resources: +- ../certmanager - namespace.yaml - manager.yaml - service.yaml 
@@ -15,29 +16,45 @@ resources: - role.yaml - rolebinding.yaml -bases: -- ../certmanager - -patchesStrategicMerge: +patches: # Enable webhook with corresponding certificate mount. -- manager_webhook_patch.yaml +- path: manager_webhook_patch.yaml # Provide customizable hook for make targets. -- manager_image_patch.yaml -- manager_pull_policy.yaml - -vars: - - name: SERVICE_NAMESPACE - objref: - kind: Service - version: v1 - name: webhook-service - fieldref: - fieldpath: metadata.namespace - - name: SERVICE_NAME - objref: - kind: Service - version: v1 - name: webhook-service +- path: manager_image_patch.yaml +- path: manager_pull_policy.yaml -configurations: - - kustomizeconfig.yaml +replacements: +- source: # Add cert-manager annotation to the webhook Service + kind: Service + version: v1 + name: webhook-service + fieldPath: .metadata.name # namespace of the service + targets: + - select: + kind: Certificate + group: cert-manager.io + version: v1 + fieldPaths: + - .spec.dnsNames.0 + - .spec.dnsNames.1 + options: + delimiter: '.' + index: 0 + create: true +- source: + kind: Service + version: v1 + name: webhook-service + fieldPath: .metadata.namespace # namespace of the service + targets: + - select: + kind: Certificate + group: cert-manager.io + version: v1 + fieldPaths: + - .spec.dnsNames.0 + - .spec.dnsNames.1 + options: + delimiter: '.' + index: 1 + create: true diff --git a/test/extension/config/default/kustomizeconfig.yaml b/test/extension/config/default/kustomizeconfig.yaml deleted file mode 100644 index eb191e64d056..000000000000 --- a/test/extension/config/default/kustomizeconfig.yaml +++ /dev/null @@ -1,4 +0,0 @@ -# This configuration is for teaching kustomize how to update name ref and var substitution -varReference: -- kind: Deployment - path: spec/template/spec/volumes/secret/secretName diff --git a/test/extension/config/default/manager_webhook_patch.yaml b/test/extension/config/default/manager_webhook_patch.yaml index bb0576db44a3..cff136a97b5f 100644 
--- a/test/extension/config/default/manager_webhook_patch.yaml +++ b/test/extension/config/default/manager_webhook_patch.yaml @@ -18,4 +18,4 @@ spec: volumes: - name: cert secret: - secretName: $(SERVICE_NAME)-cert + secretName: webhook-service-cert diff --git a/test/framework/kubernetesversions/data/kustomization.yaml b/test/framework/kubernetesversions/data/kustomization.yaml index 9d696642b4ba..b6dc6f256ebd 100644 --- a/test/framework/kubernetesversions/data/kustomization.yaml +++ b/test/framework/kubernetesversions/data/kustomization.yaml @@ -3,9 +3,8 @@ kind: Kustomization namespace: default resources: - ci-artifacts-source-template.yaml -patchesStrategicMerge: -- platform-kustomization.yaml -patchesJson6902: +patches: +- path: platform-kustomization.yaml - path: kubeadmcontrolplane-patch.yaml target: group: controlplane.cluster.x-k8s.io diff --git a/test/infrastructure/docker/config/certmanager/certificate.yaml b/test/infrastructure/docker/config/certmanager/certificate.yaml index 0c895e1172be..66413bb7a44a 100644 --- a/test/infrastructure/docker/config/certmanager/certificate.yaml +++ b/test/infrastructure/docker/config/certmanager/certificate.yaml 
@@ -14,14 +14,14 @@ metadata: name: serving-cert # this name should match the one appeared in kustomizeconfig.yaml namespace: system spec: - # $(SERVICE_NAME) and $(SERVICE_NAMESPACE) will be substituted by kustomize + # SERVICE_NAME and SERVICE_NAMESPACE will be substituted by kustomize dnsNames: - - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc - - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local + - SERVICE_NAME.SERVICE_NAMESPACE.svc + - SERVICE_NAME.SERVICE_NAMESPACE.svc.cluster.local issuerRef: kind: Issuer name: selfsigned-issuer - secretName: $(SERVICE_NAME)-cert # this secret will not be prefixed, since it's not managed by kustomize + secretName: webhook-service-cert # this secret will not be prefixed, since it's not managed by kustomize subject: organizations: - - k8s-sig-cluster-lifecycle \ No newline at end of file + - k8s-sig-cluster-lifecycle diff --git a/test/infrastructure/docker/config/certmanager/kustomizeconfig.yaml b/test/infrastructure/docker/config/certmanager/kustomizeconfig.yaml index 28a895a404a9..87d212b8e0b3 100644 --- a/test/infrastructure/docker/config/certmanager/kustomizeconfig.yaml +++ b/test/infrastructure/docker/config/certmanager/kustomizeconfig.yaml @@ -6,14 +6,3 @@ nameReference: - kind: Certificate group: cert-manager.io path: spec/issuerRef/name - -varReference: -- kind: Certificate - group: cert-manager.io - path: spec/commonName -- kind: Certificate - group: cert-manager.io - path: spec/dnsNames -- kind: Certificate - group: cert-manager.io - path: spec/secretName diff --git a/test/infrastructure/docker/config/crd/kustomization.yaml b/test/infrastructure/docker/config/crd/kustomization.yaml index 427d52d4bed6..7830e270b911 100644 --- a/test/infrastructure/docker/config/crd/kustomization.yaml +++ b/test/infrastructure/docker/config/crd/kustomization.yaml 
@@ -16,22 +16,22 @@ resources: - bases/infrastructure.cluster.x-k8s.io_dockerclustertemplates.yaml # +kubebuilder:scaffold:crdkustomizeresource -patchesStrategicMerge: +patches: # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix. # patches here are for enabling the conversion webhook for each CRD - - patches/webhook_in_dockermachinepools.yaml - - patches/webhook_in_dockermachines.yaml - - patches/webhook_in_dockermachinetemplates.yaml - - patches/webhook_in_dockerclusters.yaml - - patches/webhook_in_dockerclustertemplates.yaml + - path: patches/webhook_in_dockermachinepools.yaml + - path: patches/webhook_in_dockermachines.yaml + - path: patches/webhook_in_dockermachinetemplates.yaml + - path: patches/webhook_in_dockerclusters.yaml + - path: patches/webhook_in_dockerclustertemplates.yaml # +kubebuilder:scaffold:crdkustomizewebhookpatch # [CERTMANAGER] To enable webhook, uncomment all the sections with [CERTMANAGER] prefix. # patches here are for enabling the CA injection for each CRD - - patches/cainjection_in_dockermachinepools.yaml - - patches/cainjection_in_dockermachines.yaml - - patches/cainjection_in_dockermachinetemplates.yaml - - patches/cainjection_in_dockerclusters.yaml - - patches/cainjection_in_dockerclustertemplates.yaml + - path: patches/cainjection_in_dockermachinepools.yaml + - path: patches/cainjection_in_dockermachines.yaml + - path: patches/cainjection_in_dockermachinetemplates.yaml + - path: patches/cainjection_in_dockerclusters.yaml + - path: patches/cainjection_in_dockerclustertemplates.yaml # +kubebuilder:scaffold:crdkustomizecainjectionpatch # the following config is for teaching kustomize how to do kustomization for CRDs. diff --git a/test/infrastructure/docker/config/crd/kustomizeconfig.yaml b/test/infrastructure/docker/config/crd/kustomizeconfig.yaml index 8e2d8d6b1774..237f9458327a 100644 --- a/test/infrastructure/docker/config/crd/kustomizeconfig.yaml 
+++ b/test/infrastructure/docker/config/crd/kustomizeconfig.yaml @@ -12,6 +12,3 @@ namespace: group: apiextensions.k8s.io path: spec/conversion/webhook/clientConfig/service/namespace create: false - -varReference: -- path: metadata/annotations diff --git a/test/infrastructure/docker/config/crd/patches/cainjection_in_dockerclusters.yaml b/test/infrastructure/docker/config/crd/patches/cainjection_in_dockerclusters.yaml index 588b6d6b24c7..51bc8213a62a 100644 --- a/test/infrastructure/docker/config/crd/patches/cainjection_in_dockerclusters.yaml +++ b/test/infrastructure/docker/config/crd/patches/cainjection_in_dockerclusters.yaml @@ -4,5 +4,5 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME name: dockerclusters.infrastructure.cluster.x-k8s.io diff --git a/test/infrastructure/docker/config/crd/patches/cainjection_in_dockerclustertemplates.yaml b/test/infrastructure/docker/config/crd/patches/cainjection_in_dockerclustertemplates.yaml index 8ed8240f3e2b..0f1873197dd3 100644 --- a/test/infrastructure/docker/config/crd/patches/cainjection_in_dockerclustertemplates.yaml +++ b/test/infrastructure/docker/config/crd/patches/cainjection_in_dockerclustertemplates.yaml @@ -4,5 +4,5 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME name: dockerclustertemplates.infrastructure.cluster.x-k8s.io diff --git a/test/infrastructure/docker/config/crd/patches/cainjection_in_dockermachinepools.yaml b/test/infrastructure/docker/config/crd/patches/cainjection_in_dockermachinepools.yaml index de87401c98d5..14afbabe0469 100644 
--- a/test/infrastructure/docker/config/crd/patches/cainjection_in_dockermachinepools.yaml +++ b/test/infrastructure/docker/config/crd/patches/cainjection_in_dockermachinepools.yaml @@ -4,5 +4,5 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME name: dockermachinepools.infrastructure.cluster.x-k8s.io diff --git a/test/infrastructure/docker/config/crd/patches/cainjection_in_dockermachines.yaml b/test/infrastructure/docker/config/crd/patches/cainjection_in_dockermachines.yaml index 324733ad3c9e..60b0c932d166 100644 --- a/test/infrastructure/docker/config/crd/patches/cainjection_in_dockermachines.yaml +++ b/test/infrastructure/docker/config/crd/patches/cainjection_in_dockermachines.yaml @@ -4,5 +4,5 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME name: dockermachines.infrastructure.cluster.x-k8s.io diff --git a/test/infrastructure/docker/config/crd/patches/cainjection_in_dockermachinetemplates.yaml b/test/infrastructure/docker/config/crd/patches/cainjection_in_dockermachinetemplates.yaml index 4e793abce708..ae38017ad159 100644 --- a/test/infrastructure/docker/config/crd/patches/cainjection_in_dockermachinetemplates.yaml +++ b/test/infrastructure/docker/config/crd/patches/cainjection_in_dockermachinetemplates.yaml @@ -4,5 +4,5 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME name: dockermachinetemplates.infrastructure.cluster.x-k8s.io 
diff --git a/test/infrastructure/docker/config/default/kustomization.yaml b/test/infrastructure/docker/config/default/kustomization.yaml
index 11cae275faf7..4eceb60befe6 100644
--- a/test/infrastructure/docker/config/default/kustomization.yaml
+++ b/test/infrastructure/docker/config/default/kustomization.yaml
@@ -6,51 +6,116 @@ commonLabels: cluster.x-k8s.io/provider: "infrastructure-docker" resources: - - namespace.yaml - -bases: - ../crd - ../rbac - ../manager - ../webhook - ../certmanager + - namespace.yaml -patchesStrategicMerge: +patches: # Provide customizable hook for make targets. - - manager_image_patch.yaml - - manager_pull_policy.yaml + - path: manager_image_patch.yaml + - path: manager_pull_policy.yaml # Enable webhook. - - manager_webhook_patch.yaml + - path: manager_webhook_patch.yaml # Inject certificate in the webhook definition. - - webhookcainjection_patch.yaml - -vars: - - name: CERTIFICATE_NAMESPACE # namespace of the certificate CR - objref: - kind: Certificate - group: cert-manager.io - version: v1 - name: serving-cert # this name should match the one in certificate.yaml - fieldref: - fieldpath: metadata.namespace - - name: CERTIFICATE_NAME - objref: - kind: Certificate - group: cert-manager.io - version: v1 - name: serving-cert # this name should match the one in certificate.yaml - - name: SERVICE_NAMESPACE # namespace of the service - objref: - kind: Service - version: v1 - name: webhook-service - fieldref: - fieldpath: metadata.namespace - - name: SERVICE_NAME - objref: - kind: Service - version: v1 - name: webhook-service + - path: webhookcainjection_patch.yaml -configurations: - - kustomizeconfig.yaml +replacements: +- source: # Add cert-manager annotation to ValidatingWebhookConfiguration, MutatingWebhookConfiguration and CRDs + kind: Certificate + group: cert-manager.io + version: v1 + name: serving-cert # this name should match the one in certificate.yaml + fieldPath: .metadata.namespace # namespace of the certificate CR + targets: + - select: + kind: ValidatingWebhookConfiguration + fieldPaths: + - .metadata.annotations.[cert-manager.io/inject-ca-from] + options: + delimiter: '/' + index: 0 + create: true + - select: + kind: MutatingWebhookConfiguration + fieldPaths: + - .metadata.annotations.[cert-manager.io/inject-ca-from] + options: + 
delimiter: '/' + index: 0 + create: true + - select: + kind: CustomResourceDefinition + fieldPaths: + - .metadata.annotations.[cert-manager.io/inject-ca-from] + options: + delimiter: '/' + index: 0 + create: true +- source: + kind: Certificate + group: cert-manager.io + version: v1 + name: serving-cert # this name should match the one in certificate.yaml + fieldPath: .metadata.name + targets: + - select: + kind: ValidatingWebhookConfiguration + fieldPaths: + - .metadata.annotations.[cert-manager.io/inject-ca-from] + options: + delimiter: '/' + index: 1 + create: true + - select: + kind: MutatingWebhookConfiguration + fieldPaths: + - .metadata.annotations.[cert-manager.io/inject-ca-from] + options: + delimiter: '/' + index: 1 + create: true + - select: + kind: CustomResourceDefinition + fieldPaths: + - .metadata.annotations.[cert-manager.io/inject-ca-from] + options: + delimiter: '/' + index: 1 + create: true +- source: # Add cert-manager annotation to the webhook Service + kind: Service + version: v1 + name: webhook-service + fieldPath: .metadata.name # namespace of the service + targets: + - select: + kind: Certificate + group: cert-manager.io + version: v1 + fieldPaths: + - .spec.dnsNames.0 + - .spec.dnsNames.1 + options: + delimiter: '.' + index: 0 + create: true +- source: + kind: Service + version: v1 + name: webhook-service + fieldPath: .metadata.namespace # namespace of the service + targets: + - select: + kind: Certificate + group: cert-manager.io + version: v1 + fieldPaths: + - .spec.dnsNames.0 + - .spec.dnsNames.1 + options: + delimiter: '.' + index: 1 + create: true diff --git a/test/infrastructure/docker/config/default/kustomizeconfig.yaml b/test/infrastructure/docker/config/default/kustomizeconfig.yaml deleted file mode 100644 index eb191e64d056..000000000000 --- a/test/infrastructure/docker/config/default/kustomizeconfig.yaml +++ /dev/null 
@@ -1,4 +0,0 @@ -# This configuration is for teaching kustomize how to update name ref and var substitution -varReference: -- kind: Deployment - path: spec/template/spec/volumes/secret/secretName diff --git a/test/infrastructure/docker/config/default/manager_webhook_patch.yaml b/test/infrastructure/docker/config/default/manager_webhook_patch.yaml index f18fd10f9992..051f6f78efb4 100644 --- a/test/infrastructure/docker/config/default/manager_webhook_patch.yaml +++ b/test/infrastructure/docker/config/default/manager_webhook_patch.yaml @@ -19,5 +19,4 @@ spec: volumes: - name: cert secret: - secretName: $(SERVICE_NAME)-cert # this secret will not be prefixed, since it's not managed by kustomize - + secretName: webhook-service-cert # this secret will not be prefixed, since it's not managed by kustomize diff --git a/test/infrastructure/docker/config/default/webhookcainjection_patch.yaml b/test/infrastructure/docker/config/default/webhookcainjection_patch.yaml index 6eb6e71c2092..13499d7ce64a 100644 --- a/test/infrastructure/docker/config/default/webhookcainjection_patch.yaml +++ b/test/infrastructure/docker/config/default/webhookcainjection_patch.yaml @@ -5,11 +5,11 @@ kind: ValidatingWebhookConfiguration metadata: name: validating-webhook-configuration annotations: - cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME --- apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: name: mutating-webhook-configuration annotations: - cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME diff --git a/test/infrastructure/docker/config/webhook/kustomizeconfig.yaml b/test/infrastructure/docker/config/webhook/kustomizeconfig.yaml index e809f78208e0..bafc486d2783 100644 --- a/test/infrastructure/docker/config/webhook/kustomizeconfig.yaml 
+++ b/test/infrastructure/docker/config/webhook/kustomizeconfig.yaml @@ -13,6 +13,3 @@ namespace: group: admissionregistration.k8s.io path: webhooks/clientConfig/service/namespace create: true - -varReference: -- path: metadata/annotations diff --git a/test/infrastructure/inmemory/config/certmanager/certificate.yaml b/test/infrastructure/inmemory/config/certmanager/certificate.yaml index 0c895e1172be..66413bb7a44a 100644 --- a/test/infrastructure/inmemory/config/certmanager/certificate.yaml +++ b/test/infrastructure/inmemory/config/certmanager/certificate.yaml @@ -14,14 +14,14 @@ metadata: name: serving-cert # this name should match the one appeared in kustomizeconfig.yaml namespace: system spec: - # $(SERVICE_NAME) and $(SERVICE_NAMESPACE) will be substituted by kustomize + # SERVICE_NAME and SERVICE_NAMESPACE will be substituted by kustomize dnsNames: - - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc - - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local + - SERVICE_NAME.SERVICE_NAMESPACE.svc + - SERVICE_NAME.SERVICE_NAMESPACE.svc.cluster.local issuerRef: kind: Issuer name: selfsigned-issuer - secretName: $(SERVICE_NAME)-cert # this secret will not be prefixed, since it's not managed by kustomize + secretName: webhook-service-cert # this secret will not be prefixed, since it's not managed by kustomize subject: organizations: - - k8s-sig-cluster-lifecycle \ No newline at end of file + - k8s-sig-cluster-lifecycle diff --git a/test/infrastructure/inmemory/config/certmanager/kustomizeconfig.yaml b/test/infrastructure/inmemory/config/certmanager/kustomizeconfig.yaml index 28a895a404a9..87d212b8e0b3 100644 --- a/test/infrastructure/inmemory/config/certmanager/kustomizeconfig.yaml +++ b/test/infrastructure/inmemory/config/certmanager/kustomizeconfig.yaml 
@@ -6,14 +6,3 @@ nameReference: - kind: Certificate group: cert-manager.io path: spec/issuerRef/name - -varReference: -- kind: Certificate - group: cert-manager.io - path: spec/commonName -- kind: Certificate - group: cert-manager.io - path: spec/dnsNames -- kind: Certificate - group: cert-manager.io - path: spec/secretName diff --git a/test/infrastructure/inmemory/config/crd/kustomization.yaml b/test/infrastructure/inmemory/config/crd/kustomization.yaml index 516fa7db08fa..3c8913719d29 100644 --- a/test/infrastructure/inmemory/config/crd/kustomization.yaml +++ b/test/infrastructure/inmemory/config/crd/kustomization.yaml 
@@ -13,20 +13,20 @@ resources: - bases/infrastructure.cluster.x-k8s.io_inmemorymachinetemplates.yaml # +kubebuilder:scaffold:crdkustomizeresource -patchesStrategicMerge: +patches: # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix. # patches here are for enabling the conversion webhook for each CRD - - patches/webhook_in_inmemoryclusters.yaml - - patches/webhook_in_inmemoryclustertemplates.yaml - - patches/webhook_in_inmemorymachines.yaml - - patches/webhook_in_inmemorymachinetemplates.yaml + - path: patches/webhook_in_inmemoryclusters.yaml + - path: patches/webhook_in_inmemoryclustertemplates.yaml + - path: patches/webhook_in_inmemorymachines.yaml + - path: patches/webhook_in_inmemorymachinetemplates.yaml # +kubebuilder:scaffold:crdkustomizewebhookpatch # [CERTMANAGER] To enable webhook, uncomment all the sections with [CERTMANAGER] prefix. # patches here are for enabling the CA injection for each CRD - - patches/cainjection_in_inmemoryclusters.yaml - - patches/cainjection_in_inmemoryclustertemplates.yaml - - patches/cainjection_in_inmemorymachines.yaml - - patches/cainjection_in_inmemorymachinetemplates.yaml + - path: patches/cainjection_in_inmemoryclusters.yaml + - path: patches/cainjection_in_inmemoryclustertemplates.yaml + - path: patches/cainjection_in_inmemorymachines.yaml + - path: patches/cainjection_in_inmemorymachinetemplates.yaml # +kubebuilder:scaffold:crdkustomizecainjectionpatch # the following config is for teaching kustomize how to do kustomization for CRDs. diff --git a/test/infrastructure/inmemory/config/crd/kustomizeconfig.yaml b/test/infrastructure/inmemory/config/crd/kustomizeconfig.yaml index 8e2d8d6b1774..237f9458327a 100644 --- a/test/infrastructure/inmemory/config/crd/kustomizeconfig.yaml +++ b/test/infrastructure/inmemory/config/crd/kustomizeconfig.yaml 
@@ -12,6 +12,3 @@ namespace: group: apiextensions.k8s.io path: spec/conversion/webhook/clientConfig/service/namespace create: false - -varReference: -- path: metadata/annotations diff --git a/test/infrastructure/inmemory/config/crd/patches/cainjection_in_inmemoryclusters.yaml b/test/infrastructure/inmemory/config/crd/patches/cainjection_in_inmemoryclusters.yaml index c0652acdcc00..aefac5f30549 100644 --- a/test/infrastructure/inmemory/config/crd/patches/cainjection_in_inmemoryclusters.yaml +++ b/test/infrastructure/inmemory/config/crd/patches/cainjection_in_inmemoryclusters.yaml @@ -4,5 +4,5 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME name: inmemoryclusters.infrastructure.cluster.x-k8s.io diff --git a/test/infrastructure/inmemory/config/crd/patches/cainjection_in_inmemoryclustertemplates.yaml b/test/infrastructure/inmemory/config/crd/patches/cainjection_in_inmemoryclustertemplates.yaml index 408e800dbc63..b2d147f87fe5 100644 --- a/test/infrastructure/inmemory/config/crd/patches/cainjection_in_inmemoryclustertemplates.yaml +++ b/test/infrastructure/inmemory/config/crd/patches/cainjection_in_inmemoryclustertemplates.yaml @@ -4,5 +4,5 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME name: inmemoryclustertemplates.infrastructure.cluster.x-k8s.io diff --git a/test/infrastructure/inmemory/config/crd/patches/cainjection_in_inmemorymachines.yaml b/test/infrastructure/inmemory/config/crd/patches/cainjection_in_inmemorymachines.yaml index eae061439819..58105eac88d8 100644 --- a/test/infrastructure/inmemory/config/crd/patches/cainjection_in_inmemorymachines.yaml 
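Review bot: The `cert-manager.io/inject-ca-from` value in cainjection_in_inmemoryclusters.yaml is now the bare token pair `CERTIFICATE_NAMESPACE/CERTIFICATE_NAME`, which reads like a real namespace/name and carries no marker that it must be rewritten. If the patch is built without the replacements from config/default/kustomization.yaml, or a replacement target stops matching, the literal ships unchanged and the CA injector would presumably find no such Certificate, leaving the CRD's conversion webhook without a CA bundle. I would add a comment above the annotation, `# placeholder, rewritten to <namespace>/<certificate name> by replacements in config/default/kustomization.yaml`, and have CI fail when the rendered manifests still contain `CERTIFICATE_NAMESPACE` or `CERTIFICATE_NAME`. The same applies to the clustertemplates, machines and machinetemplates cainjection patches and to webhookcainjection_patch.yaml.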
+++ b/test/infrastructure/inmemory/config/crd/patches/cainjection_in_inmemorymachines.yaml @@ -4,5 +4,5 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME name: inmemorymachines.infrastructure.cluster.x-k8s.io diff --git a/test/infrastructure/inmemory/config/crd/patches/cainjection_in_inmemorymachinetemplates.yaml b/test/infrastructure/inmemory/config/crd/patches/cainjection_in_inmemorymachinetemplates.yaml index 420b02f20a2f..4622ae96b141 100644 --- a/test/infrastructure/inmemory/config/crd/patches/cainjection_in_inmemorymachinetemplates.yaml +++ b/test/infrastructure/inmemory/config/crd/patches/cainjection_in_inmemorymachinetemplates.yaml @@ -4,5 +4,5 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME name: inmemorymachinetemplates.infrastructure.cluster.x-k8s.io diff --git a/test/infrastructure/inmemory/config/default/kustomization.yaml b/test/infrastructure/inmemory/config/default/kustomization.yaml index fc99bc392fce..0d8b190abe32 100644 --- a/test/infrastructure/inmemory/config/default/kustomization.yaml +++ b/test/infrastructure/inmemory/config/default/kustomization.yaml 
@@ -6,51 +6,116 @@ commonLabels: cluster.x-k8s.io/provider: "infrastructure-in-memory" resources: - - namespace.yaml - -bases: - ../crd - ../rbac - ../manager - ../webhook - ../certmanager + - namespace.yaml -patchesStrategicMerge: +patches: # Provide customizable hook for make targets. - - manager_image_patch.yaml - - manager_pull_policy.yaml + - path: manager_image_patch.yaml + - path: manager_pull_policy.yaml # Enable webhook. - - manager_webhook_patch.yaml + - path: manager_webhook_patch.yaml # Inject certificate in the webhook definition. - - webhookcainjection_patch.yaml - -vars: - - name: CERTIFICATE_NAMESPACE # namespace of the certificate CR - objref: - kind: Certificate - group: cert-manager.io - version: v1 - name: serving-cert # this name should match the one in certificate.yaml - fieldref: - fieldpath: metadata.namespace - - name: CERTIFICATE_NAME - objref: - kind: Certificate - group: cert-manager.io - version: v1 - name: serving-cert # this name should match the one in certificate.yaml - - name: SERVICE_NAMESPACE # namespace of the service - objref: - kind: Service - version: v1 - name: webhook-service - fieldref: - fieldpath: metadata.namespace - - name: SERVICE_NAME - objref: - kind: Service - version: v1 - name: webhook-service + - path: webhookcainjection_patch.yaml -configurations: - - kustomizeconfig.yaml +replacements: +- source: # Add cert-manager annotation to ValidatingWebhookConfiguration, MutatingWebhookConfiguration and CRDs + kind: Certificate + group: cert-manager.io + version: v1 + name: serving-cert # this name should match the one in certificate.yaml + fieldPath: .metadata.namespace # namespace of the certificate CR + targets: + - select: + kind: ValidatingWebhookConfiguration + fieldPaths: + - .metadata.annotations.[cert-manager.io/inject-ca-from] + options: + delimiter: '/' + index: 0 + create: true + - select: + kind: MutatingWebhookConfiguration + fieldPaths: + - .metadata.annotations.[cert-manager.io/inject-ca-from] + options: 
+ delimiter: '/' + index: 0 + create: true + - select: + kind: CustomResourceDefinition + fieldPaths: + - .metadata.annotations.[cert-manager.io/inject-ca-from] + options: + delimiter: '/' + index: 0 + create: true +- source: + kind: Certificate + group: cert-manager.io + version: v1 + name: serving-cert # this name should match the one in certificate.yaml + fieldPath: .metadata.name + targets: + - select: + kind: ValidatingWebhookConfiguration + fieldPaths: + - .metadata.annotations.[cert-manager.io/inject-ca-from] + options: + delimiter: '/' + index: 1 + create: true + - select: + kind: MutatingWebhookConfiguration + fieldPaths: + - .metadata.annotations.[cert-manager.io/inject-ca-from] + options: + delimiter: '/' + index: 1 + create: true + - select: + kind: CustomResourceDefinition + fieldPaths: + - .metadata.annotations.[cert-manager.io/inject-ca-from] + options: + delimiter: '/' + index: 1 + create: true +- source: # Add cert-manager annotation to the webhook Service + kind: Service + version: v1 + name: webhook-service + fieldPath: .metadata.name # namespace of the service + targets: + - select: + kind: Certificate + group: cert-manager.io + version: v1 + fieldPaths: + - .spec.dnsNames.0 + - .spec.dnsNames.1 + options: + delimiter: '.' + index: 0 + create: true +- source: + kind: Service + version: v1 + name: webhook-service + fieldPath: .metadata.namespace # namespace of the service + targets: + - select: + kind: Certificate + group: cert-manager.io + version: v1 + fieldPaths: + - .spec.dnsNames.0 + - .spec.dnsNames.1 + options: + delimiter: '.' + index: 1 + create: true diff --git a/test/infrastructure/inmemory/config/default/kustomizeconfig.yaml b/test/infrastructure/inmemory/config/default/kustomizeconfig.yaml deleted file mode 100644 index eb191e64d056..000000000000 --- a/test/infrastructure/inmemory/config/default/kustomizeconfig.yaml +++ /dev/null 
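Review bot: Two comments in the new `replacements` block describe the wrong thing: the third source is labelled `# Add cert-manager annotation to the webhook Service` although its targets are the Certificate's `.spec.dnsNames.0` and `.spec.dnsNames.1`, and its `fieldPath: .metadata.name` is annotated `# namespace of the service`. Since these entries decide which DNS names the serving certificate is issued for, I would change them to `# Fill the webhook Service name into the Certificate dnsNames` and `# name of the service`. Separately, every `select` matches on kind alone with `create: true`, so any further Certificate, CRD or webhook configuration added to this build would be rewritten too; adding `name: serving-cert` to the Certificate targets would pin that, if only one Certificate is intended.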
@@ -1,4 +0,0 @@ -# This configuration is for teaching kustomize how to update name ref and var substitution -varReference: -- kind: Deployment - path: spec/template/spec/volumes/secret/secretName diff --git a/test/infrastructure/inmemory/config/default/manager_webhook_patch.yaml b/test/infrastructure/inmemory/config/default/manager_webhook_patch.yaml index f18fd10f9992..051f6f78efb4 100644 --- a/test/infrastructure/inmemory/config/default/manager_webhook_patch.yaml +++ b/test/infrastructure/inmemory/config/default/manager_webhook_patch.yaml @@ -19,5 +19,4 @@ spec: volumes: - name: cert secret: - secretName: $(SERVICE_NAME)-cert # this secret will not be prefixed, since it's not managed by kustomize - + secretName: webhook-service-cert # this secret will not be prefixed, since it's not managed by kustomize diff --git a/test/infrastructure/inmemory/config/default/webhookcainjection_patch.yaml b/test/infrastructure/inmemory/config/default/webhookcainjection_patch.yaml index 6eb6e71c2092..13499d7ce64a 100644 --- a/test/infrastructure/inmemory/config/default/webhookcainjection_patch.yaml +++ b/test/infrastructure/inmemory/config/default/webhookcainjection_patch.yaml @@ -5,11 +5,11 @@ kind: ValidatingWebhookConfiguration metadata: name: validating-webhook-configuration annotations: - cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME --- apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: name: mutating-webhook-configuration annotations: - cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME diff --git a/test/infrastructure/inmemory/config/webhook/kustomizeconfig.yaml b/test/infrastructure/inmemory/config/webhook/kustomizeconfig.yaml index 25e21e3c963f..30293f0f5d90 100644 --- a/test/infrastructure/inmemory/config/webhook/kustomizeconfig.yaml 
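Review bot: The `secretName` of the `cert` volume in manager_webhook_patch.yaml is now the fixed string `webhook-service-cert`, where the removed line derived it from the Service name through `$(SERVICE_NAME)-cert`. If the kustomization applies a name prefix to the Service (not visible in this hunk), the mounted secret name differs from what earlier releases used, so the Certificate's `spec.secretName` has to carry exactly the same literal or the manager pod will wait on a secret that is never issued. On upgrade the previously issued secret, which holds the old private key, is presumably left behind and should be removed. I would make the coupling explicit in the trailing comment, e.g. `# must equal spec.secretName of the serving-cert Certificate; not prefixed by kustomize`.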
+++ b/test/infrastructure/inmemory/config/webhook/kustomizeconfig.yaml @@ -20,6 +20,3 @@ namespace: group: admissionregistration.k8s.io path: webhooks/clientConfig/service/namespace create: true - -varReference: -- path: metadata/annotations