kubernetes-sigs · lentzi90 · Aug 17, 2023 · lentzi90 · Aug 17, 2023 · lentzi90
diff --git a/bootstrap/kubeadm/config/certmanager/certificate.yaml b/bootstrap/kubeadm/config/certmanager/certificate.yaml
@@ -15,14 +15,14 @@ metadata:
   name: serving-cert  # this name should match the one appeared in kustomizeconfig.yaml
   namespace: system
 spec:
-  # $(SERVICE_NAME) and $(SERVICE_NAMESPACE) will be substituted by kustomize
+  # SERVICE_NAME and SERVICE_NAMESPACE will be substituted by kustomize
   dnsNames:
-  - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc
-  - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local
+  - SERVICE_NAME.SERVICE_NAMESPACE.svc
+  - SERVICE_NAME.SERVICE_NAMESPACE.svc.cluster.local
   issuerRef:
     kind: Issuer
     name: selfsigned-issuer
-  secretName: $(SERVICE_NAME)-cert # this secret will not be prefixed, since it's not managed by kustomize
+  secretName: webhook-service-cert # this secret will not be prefixed, since it's not managed by kustomize
   subject:
     organizations:
-      - k8s-sig-cluster-lifecycle
+      - k8s-sig-cluster-lifecycle
diff --git a/bootstrap/kubeadm/config/certmanager/kustomizeconfig.yaml b/bootstrap/kubeadm/config/certmanager/kustomizeconfig.yaml
@@ -6,14 +6,3 @@ nameReference:
   - kind: Certificate
     group: cert-manager.io
     path: spec/issuerRef/name
-
-varReference:
-- kind: Certificate
-  group: cert-manager.io
-  path: spec/commonName
-- kind: Certificate
-  group: cert-manager.io
-  path: spec/dnsNames
-- kind: Certificate
-  group: cert-manager.io
-  path: spec/secretName
diff --git a/bootstrap/kubeadm/config/crd/kustomization.yaml b/bootstrap/kubeadm/config/crd/kustomization.yaml
@@ -11,17 +11,17 @@ resources:
   - bases/bootstrap.cluster.x-k8s.io_kubeadmconfigtemplates.yaml
 # +kubebuilder:scaffold:crdkustomizeresource
 
-patchesStrategicMerge:
+patches:
   # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix.
   # patches here are for enabling the conversion webhook for each CRD
-- patches/webhook_in_kubeadmconfigs.yaml
-- patches/webhook_in_kubeadmconfigtemplates.yaml
+- path: patches/webhook_in_kubeadmconfigs.yaml
+- path: patches/webhook_in_kubeadmconfigtemplates.yaml
   # +kubebuilder:scaffold:crdkustomizewebhookpatch
 
   # [CERTMANAGER] To enable webhook, uncomment all the sections with [CERTMANAGER] prefix.
   # patches here are for enabling the CA injection for each CRD
-- patches/cainjection_in_kubeadmconfigs.yaml
-- patches/cainjection_in_kubeadmconfigtemplates.yaml
+- path: patches/cainjection_in_kubeadmconfigs.yaml
+- path: patches/cainjection_in_kubeadmconfigtemplates.yaml
 # +kubebuilder:scaffold:crdkustomizecainjectionpatch
 
 # the following config is for teaching kustomize how to do kustomization for CRDs.

diff --git a/bootstrap/kubeadm/config/crd/kustomizeconfig.yaml b/bootstrap/kubeadm/config/crd/kustomizeconfig.yaml
@@ -12,6 +12,3 @@ namespace:
     group: apiextensions.k8s.io
     path: spec/conversion/webhook/clientConfig/service/namespace
     create: false
-
-varReference:
-  - path: metadata/annotations
diff --git a/bootstrap/kubeadm/config/crd/patches/cainjection_in_kubeadmconfigs.yaml b/bootstrap/kubeadm/config/crd/patches/cainjection_in_kubeadmconfigs.yaml
@@ -4,5 +4,5 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
+    cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME
   name: kubeadmconfigs.bootstrap.cluster.x-k8s.io
diff --git a/bootstrap/kubeadm/config/crd/patches/cainjection_in_kubeadmconfigtemplates.yaml b/bootstrap/kubeadm/config/crd/patches/cainjection_in_kubeadmconfigtemplates.yaml
@@ -4,5 +4,5 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
+    cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME
   name: kubeadmconfigtemplates.bootstrap.cluster.x-k8s.io
diff --git a/bootstrap/kubeadm/config/default/kustomization.yaml b/bootstrap/kubeadm/config/default/kustomization.yaml
@@ -7,51 +7,116 @@ commonLabels:
   cluster.x-k8s.io/provider: "bootstrap-kubeadm"
 
 resources:
-- namespace.yaml
-
-bases:
 - ../crd
 - ../rbac
 - ../manager
 - ../webhook
 - ../certmanager
+- namespace.yaml
 
-patchesStrategicMerge:
+patches:
   # Provide customizable hook for make targets.
-  - manager_image_patch.yaml
-  - manager_pull_policy.yaml
+  - path: manager_image_patch.yaml
+  - path: manager_pull_policy.yaml
   # Enable webhook.
-  - manager_webhook_patch.yaml
+  - path: manager_webhook_patch.yaml
   # Inject certificate in the webhook definition.
-  - webhookcainjection_patch.yaml
-
-vars:
-  - name: CERTIFICATE_NAMESPACE # namespace of the certificate CR
-    objref:
-      kind: Certificate
-      group: cert-manager.io
-      version: v1
-      name: serving-cert # this name should match the one in certificate.yaml
-    fieldref:
-      fieldpath: metadata.namespace
-  - name: CERTIFICATE_NAME
-    objref:
-      kind: Certificate
-      group: cert-manager.io
-      version: v1
-      name: serving-cert # this name should match the one in certificate.yaml
-  - name: SERVICE_NAMESPACE # namespace of the service
-    objref:
-      kind: Service
-      version: v1
-      name: webhook-service
-    fieldref:
-      fieldpath: metadata.namespace
-  - name: SERVICE_NAME
-    objref:
-      kind: Service
-      version: v1
-      name: webhook-service
+  - path: webhookcainjection_patch.yaml
 
-configurations:
-  - kustomizeconfig.yaml
+replacements:
+- source: # Add cert-manager annotation to ValidatingWebhookConfiguration, MutatingWebhookConfiguration and CRDs
+    kind: Certificate
+    group: cert-manager.io
+    version: v1
+    name: serving-cert # this name should match the one in certificate.yaml
+    fieldPath: .metadata.namespace # namespace of the certificate CR
+  targets:
+    - select:
+        kind: ValidatingWebhookConfiguration
+      fieldPaths:
+        - .metadata.annotations.[cert-manager.io/inject-ca-from]
+      options:
+        delimiter: '/'
+        index: 0
+        create: true
+    - select:
+        kind: MutatingWebhookConfiguration
+      fieldPaths:
+        - .metadata.annotations.[cert-manager.io/inject-ca-from]
+      options:
+        delimiter: '/'
+        index: 0
+        create: true
+    - select:
+        kind: CustomResourceDefinition
+      fieldPaths:
+        - .metadata.annotations.[cert-manager.io/inject-ca-from]
+      options:
+        delimiter: '/'
+        index: 0
+        create: true
+- source:
+    kind: Certificate
+    group: cert-manager.io
+    version: v1
+    name: serving-cert # this name should match the one in certificate.yaml
+    fieldPath: .metadata.name
+  targets:
+    - select:
+        kind: ValidatingWebhookConfiguration
+      fieldPaths:
+        - .metadata.annotations.[cert-manager.io/inject-ca-from]
+      options:
+        delimiter: '/'
+        index: 1
+        create: true
+    - select:
+        kind: MutatingWebhookConfiguration
+      fieldPaths:
+        - .metadata.annotations.[cert-manager.io/inject-ca-from]
+      options:
+        delimiter: '/'
+        index: 1
+        create: true
+    - select:
+        kind: CustomResourceDefinition
+      fieldPaths:
+        - .metadata.annotations.[cert-manager.io/inject-ca-from]
+      options:
+        delimiter: '/'
+        index: 1
+        create: true
+- source: # Add cert-manager annotation to the webhook Service
+    kind: Service
+    version: v1
+    name: webhook-service
+    fieldPath: .metadata.name # namespace of the service
+  targets:
+    - select:
+        kind: Certificate
+        group: cert-manager.io
+        version: v1
+      fieldPaths:
+        - .spec.dnsNames.0
+        - .spec.dnsNames.1
+      options:
+        delimiter: '.'
+        index: 0
+        create: true
+- source:
+    kind: Service
+    version: v1
+    name: webhook-service
+    fieldPath: .metadata.namespace # namespace of the service
+  targets:
+    - select:
+        kind: Certificate
+        group: cert-manager.io
+        version: v1
+      fieldPaths:
+        - .spec.dnsNames.0
+        - .spec.dnsNames.1
+      options:
+        delimiter: '.'
+        index: 1
+        create: true
diff --git a/bootstrap/kubeadm/config/default/kustomizeconfig.yaml b/bootstrap/kubeadm/config/default/kustomizeconfig.yaml
diff --git a/bootstrap/kubeadm/config/default/manager_webhook_patch.yaml b/bootstrap/kubeadm/config/default/manager_webhook_patch.yaml
@@ -19,4 +19,4 @@ spec:
       volumes:
       - name: cert
         secret:
-          secretName: $(SERVICE_NAME)-cert
+          secretName: webhook-service-cert
diff --git a/bootstrap/kubeadm/config/default/webhookcainjection_patch.yaml b/bootstrap/kubeadm/config/default/webhookcainjection_patch.yaml
@@ -4,11 +4,11 @@ kind: MutatingWebhookConfiguration
 metadata:
   name: mutating-webhook-configuration
   annotations:
-    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
+    cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   name: validating-webhook-configuration
   annotations:
-    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
+    cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME
diff --git a/bootstrap/kubeadm/config/webhook/kustomizeconfig.yaml b/bootstrap/kubeadm/config/webhook/kustomizeconfig.yaml
@@ -20,6 +20,3 @@ namespace:
   group: admissionregistration.k8s.io
   path: webhooks/clientConfig/service/namespace
   create: true
-
-varReference:
-- path: metadata/annotations
diff --git a/config/certmanager/certificate.yaml b/config/certmanager/certificate.yaml
@@ -14,14 +14,14 @@ metadata:
   name: serving-cert  # this name should match the one appeared in kustomizeconfig.yaml
   namespace: system
 spec:
-  # $(SERVICE_NAME) and $(SERVICE_NAMESPACE) will be substituted by kustomize
+  # SERVICE_NAME and SERVICE_NAMESPACE will be substituted by kustomize
   dnsNames:
-  - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc
-  - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local
+  - SERVICE_NAME.SERVICE_NAMESPACE.svc
+  - SERVICE_NAME.SERVICE_NAMESPACE.svc.cluster.local
   issuerRef:
     kind: Issuer
     name: selfsigned-issuer
-  secretName: $(SERVICE_NAME)-cert # this secret will not be prefixed, since it's not managed by kustomize
+  secretName: webhook-server-cert # this secret will not be prefixed, since it's not managed by kustomize
   subject:
     organizations:
-      - k8s-sig-cluster-lifecycle
+      - k8s-sig-cluster-lifecycle
diff --git a/config/certmanager/kustomizeconfig.yaml b/config/certmanager/kustomizeconfig.yaml
@@ -6,14 +6,3 @@ nameReference:
   - kind: Certificate
     group: cert-manager.io
     path: spec/issuerRef/name
-
-varReference:
-- kind: Certificate
-  group: cert-manager.io
-  path: spec/commonName
-- kind: Certificate
-  group: cert-manager.io
-  path: spec/dnsNames
-- kind: Certificate
-  group: cert-manager.io
-  path: spec/secretName
diff --git a/config/crd/kustomization.yaml b/config/crd/kustomization.yaml
@@ -16,31 +16,31 @@ resources:
 - bases/ipam.cluster.x-k8s.io_ipaddressclaims.yaml
 # +kubebuilder:scaffold:crdkustomizeresource
 
-patchesStrategicMerge:
+patches:
 # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix.
 # patches here are for enabling the conversion webhook for each CRD
-- patches/webhook_in_clusterclasses.yaml
-- patches/webhook_in_clusters.yaml
-- patches/webhook_in_machinepools.yaml
-- patches/webhook_in_machines.yaml
-- patches/webhook_in_machinesets.yaml
-- patches/webhook_in_machinedeployments.yaml
-- patches/webhook_in_machinehealthchecks.yaml
-- patches/webhook_in_clusterresourcesets.yaml
-- patches/webhook_in_clusterresourcesetbindings.yaml
+- path: patches/webhook_in_clusterclasses.yaml
+- path: patches/webhook_in_clusters.yaml
+- path: patches/webhook_in_machinepools.yaml
+- path: patches/webhook_in_machines.yaml
+- path: patches/webhook_in_machinesets.yaml
+- path: patches/webhook_in_machinedeployments.yaml
+- path: patches/webhook_in_machinehealthchecks.yaml
+- path: patches/webhook_in_clusterresourcesets.yaml
+- path: patches/webhook_in_clusterresourcesetbindings.yaml
 # +kubebuilder:scaffold:crdkustomizewebhookpatch
 
 # [CERTMANAGER] To enable webhook, uncomment all the sections with [CERTMANAGER] prefix.
 # patches here are for enabling the CA injection for each CRD
-- patches/cainjection_in_clusterclasses.yaml
-- patches/cainjection_in_clusters.yaml
-- patches/cainjection_in_machinepools.yaml
-- patches/cainjection_in_machines.yaml
-- patches/cainjection_in_machinesets.yaml
-- patches/cainjection_in_machinedeployments.yaml
-- patches/cainjection_in_machinehealthchecks.yaml
-- patches/cainjection_in_clusterresourcesets.yaml
-- patches/cainjection_in_clusterresourcesetbindings.yaml
+- path: patches/cainjection_in_clusterclasses.yaml
+- path: patches/cainjection_in_clusters.yaml
+- path: patches/cainjection_in_machinepools.yaml
+- path: patches/cainjection_in_machines.yaml
+- path: patches/cainjection_in_machinesets.yaml
+- path: patches/cainjection_in_machinedeployments.yaml
+- path: patches/cainjection_in_machinehealthchecks.yaml
+- path: patches/cainjection_in_clusterresourcesets.yaml
+- path: patches/cainjection_in_clusterresourcesetbindings.yaml
 # +kubebuilder:scaffold:crdkustomizecainjectionpatch
 
 # the following config is for teaching kustomize how to do kustomization for CRDs.

diff --git a/config/crd/kustomizeconfig.yaml b/config/crd/kustomizeconfig.yaml
@@ -12,6 +12,3 @@ namespace:
   group: apiextensions.k8s.io
   path: spec/conversion/webhook/clientConfig/service/namespace
   create: false
-
-varReference:
-- path: metadata/annotations
diff --git a/config/crd/patches/cainjection_in_clusterclasses.yaml b/config/crd/patches/cainjection_in_clusterclasses.yaml
@@ -4,5 +4,5 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
+    cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME
   name: clusterclasses.cluster.x-k8s.io
diff --git a/config/crd/patches/cainjection_in_clusterresourcesetbindings.yaml b/config/crd/patches/cainjection_in_clusterresourcesetbindings.yaml
@@ -4,5 +4,5 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
+    cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME
   name: clusterresourcesetbindings.addons.cluster.x-k8s.io
diff --git a/config/crd/patches/cainjection_in_clusterresourcesets.yaml b/config/crd/patches/cainjection_in_clusterresourcesets.yaml
@@ -4,5 +4,5 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
+    cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME
   name: clusterresourcesets.addons.cluster.x-k8s.io
diff --git a/config/crd/patches/cainjection_in_clusters.yaml b/config/crd/patches/cainjection_in_clusters.yaml
@@ -4,5 +4,5 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
+    cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME
   name: clusters.cluster.x-k8s.io
diff --git a/config/crd/patches/cainjection_in_machinedeployments.yaml b/config/crd/patches/cainjection_in_machinedeployments.yaml
@@ -4,5 +4,5 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
+    cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME
   name: machinedeployments.cluster.x-k8s.io