From 7d4c91d9a8d872ff5f51d365744460f41751b9b0 Mon Sep 17 00:00:00 2001 From: Camila Macedo Date: Fri, 1 Nov 2024 16:04:37 +0000 Subject: [PATCH] (kustomize/v2, go/v4): Fix ca injection for conversion webhooks MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The CA injection patch has **not** worked for `go/v4` and `kustomize/v2` (release `3.5.0`) due to the need to replace `vars` with `replacements`, as `vars` are no longer supported in the latest major versions of Kustomize. However, since webhook `--conversion` was an incomplete feature until the upcoming Kubebuilder future release `v4.4.0` (where [PR #4254](https://github.com/kubernetes-sigs/kubebuilder/pull/4254) is expected to be merged), users likely didn’t encounter this issue or addressed it manually by fixing the scaffold. **Note:** This change only affects projects that require a **conversion webhook**. --- .github/workflows/test-e2e-samples.yml | 15 ++- .../project/config/crd/kustomization.yaml | 4 - .../project/config/default/kustomization.yaml | 22 +---- .../project/config/crd/kustomization.yaml | 4 - .../project/config/default/kustomization.yaml | 22 +---- .../project/config/crd/kustomization.yaml | 5 - .../crd/patches/cainjection_in_cronjobs.yaml | 7 -- .../project/config/default/kustomization.yaml | 8 +- docs/book/src/reference/markers/scaffold.md | 59 ++++++++++- .../generate_multiversion.go | 8 +- .../multiversion-tutorial/kustomize.go | 13 ++- .../common/kustomize/v2/scaffolds/api.go | 1 + .../templates/config/crd/kustomization.go | 25 +---- .../config/kdefault/kustomization.go | 22 +---- .../kustomization_conversion_updater.go | 99 +++++++++++++++++++ .../common/kustomize/v2/scaffolds/webhook.go | 73 +++++++++++++- test/e2e/v4/generate_test.go | 31 ++++-- test/testdata/generate.sh | 2 +- .../config/crd/kustomization.yaml | 5 - ...ainjection_in_example.com_wordpresses.yaml | 7 -- .../config/default/kustomization.yaml | 8 +- .../config/crd/kustomization.yaml | 5 - .../patches/cainjection_in_wordpresses.yaml | 7 -- .../config/default/kustomization.yaml | 8 +- .../project-v4/config/crd/kustomization.yaml | 5 - .../patches/cainjection_in_firstmates.yaml | 7 -- .../config/default/kustomization.yaml | 8 +- 27 files changed, 320 insertions(+), 160 deletions(-) delete mode 100644 docs/book/src/multiversion-tutorial/testdata/project/config/crd/patches/cainjection_in_cronjobs.yaml create mode 100644 pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/kustomization_conversion_updater.go delete mode 100644 testdata/project-v4-multigroup/config/crd/patches/cainjection_in_example.com_wordpresses.yaml delete mode 100644 testdata/project-v4-with-plugins/config/crd/patches/cainjection_in_wordpresses.yaml delete mode 100644 testdata/project-v4/config/crd/patches/cainjection_in_firstmates.yaml diff --git a/.github/workflows/test-e2e-samples.yml b/.github/workflows/test-e2e-samples.yml index 1a73e9f6890..b0db7dc21c6 100644 --- a/.github/workflows/test-e2e-samples.yml +++ b/.github/workflows/test-e2e-samples.yml @@ -41,7 +41,9 @@ jobs: run: | KUSTOMIZATION_FILE_PATH="testdata/project-v4/config/default/kustomization.yaml" sed -i '25s/^#//' $KUSTOMIZATION_FILE_PATH - sed -i '55,182s/^#//' $KUSTOMIZATION_FILE_PATH + # Uncomment all cert-manager injections + sed -i '55,168s/^#//' $KUSTOMIZATION_FILE_PATH + sed -i '170,185s/^#//' $KUSTOMIZATION_FILE_PATH cd testdata/project-v4/ go mod tidy @@ -81,9 +83,12 @@ jobs: KUSTOMIZATION_FILE_PATH="testdata/project-v4-with-plugins/config/default/kustomization.yaml" sed -i '25s/^#//' $KUSTOMIZATION_FILE_PATH # Uncomment only ValidatingWebhookConfiguration - # from cert-manager replaces + # from cert-manager replaces; we are leaving defaulting uncommented + # since this sample has no defaulting webhooks sed -i '55,121s/^#//' $KUSTOMIZATION_FILE_PATH - sed -i '153,182s/^#//' $KUSTOMIZATION_FILE_PATH + # Uncomment only --conversion webhooks CA injection + sed -i '153,168s/^#//' $KUSTOMIZATION_FILE_PATH + sed -i '170,185s/^#//' $KUSTOMIZATION_FILE_PATH cd testdata/project-v4-with-plugins/ go mod tidy @@ -122,7 +127,9 @@ jobs: run: | KUSTOMIZATION_FILE_PATH="testdata/project-v4-multigroup/config/default/kustomization.yaml" sed -i '25s/^#//' $KUSTOMIZATION_FILE_PATH - sed -i '55,182s/^#//' $KUSTOMIZATION_FILE_PATH + # Uncomment all cert-manager injections + sed -i '55,168s/^#//' $KUSTOMIZATION_FILE_PATH + sed -i '170,185s/^#//' $KUSTOMIZATION_FILE_PATH cd testdata/project-v4-multigroup go mod tidy diff --git a/docs/book/src/cronjob-tutorial/testdata/project/config/crd/kustomization.yaml b/docs/book/src/cronjob-tutorial/testdata/project/config/crd/kustomization.yaml index ce4e7415d87..398aa123164 100644 --- a/docs/book/src/cronjob-tutorial/testdata/project/config/crd/kustomization.yaml +++ b/docs/book/src/cronjob-tutorial/testdata/project/config/crd/kustomization.yaml @@ -10,10 +10,6 @@ patches: # patches here are for enabling the conversion webhook for each CRD # +kubebuilder:scaffold:crdkustomizewebhookpatch -# [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix. -# patches here are for enabling the CA injection for each CRD -# +kubebuilder:scaffold:crdkustomizecainjectionpatch - # [WEBHOOK] To enable webhook, uncomment the following section # the following config is for teaching kustomize how to do kustomization for CRDs. #configurations: diff --git a/docs/book/src/cronjob-tutorial/testdata/project/config/default/kustomization.yaml b/docs/book/src/cronjob-tutorial/testdata/project/config/default/kustomization.yaml index ab2925bc69e..b5cf1e32e2f 100644 --- a/docs/book/src/cronjob-tutorial/testdata/project/config/default/kustomization.yaml +++ b/docs/book/src/cronjob-tutorial/testdata/project/config/default/kustomization.yaml @@ -156,27 +156,13 @@ replacements: # version: v1 # name: serving-cert # This name should match the one in certificate.yaml # fieldPath: .metadata.namespace # Namespace of the certificate CR -# targets: -# - select: -# kind: CustomResourceDefinition -# fieldPaths: -# - .metadata.annotations.[cert-manager.io/inject-ca-from] -# options: -# delimiter: '/' -# index: 0 -# create: true +# targets: # Do not remove or uncomment the following scaffold marker; required to generate code for target CRD. +# +kubebuilder:scaffold:crdkustomizecainjectionns # - source: # kind: Certificate # group: cert-manager.io # version: v1 # name: serving-cert # This name should match the one in certificate.yaml # fieldPath: .metadata.name -# targets: -# - select: -# kind: CustomResourceDefinition -# fieldPaths: -# - .metadata.annotations.[cert-manager.io/inject-ca-from] -# options: -# delimiter: '/' -# index: 1 -# create: true +# targets: # Do not remove or uncomment the following scaffold marker; required to generate code for target CRD. +# +kubebuilder:scaffold:crdkustomizecainjectionname diff --git a/docs/book/src/getting-started/testdata/project/config/crd/kustomization.yaml b/docs/book/src/getting-started/testdata/project/config/crd/kustomization.yaml index 217b2175494..bdf76e3b9ca 100644 --- a/docs/book/src/getting-started/testdata/project/config/crd/kustomization.yaml +++ b/docs/book/src/getting-started/testdata/project/config/crd/kustomization.yaml @@ -10,10 +10,6 @@ patches: # patches here are for enabling the conversion webhook for each CRD # +kubebuilder:scaffold:crdkustomizewebhookpatch -# [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix. -# patches here are for enabling the CA injection for each CRD -# +kubebuilder:scaffold:crdkustomizecainjectionpatch - # [WEBHOOK] To enable webhook, uncomment the following section # the following config is for teaching kustomize how to do kustomization for CRDs. #configurations: diff --git a/docs/book/src/getting-started/testdata/project/config/default/kustomization.yaml b/docs/book/src/getting-started/testdata/project/config/default/kustomization.yaml index 20d178afc14..317242ed92c 100644 --- a/docs/book/src/getting-started/testdata/project/config/default/kustomization.yaml +++ b/docs/book/src/getting-started/testdata/project/config/default/kustomization.yaml @@ -156,27 +156,13 @@ patches: # version: v1 # name: serving-cert # This name should match the one in certificate.yaml # fieldPath: .metadata.namespace # Namespace of the certificate CR -# targets: -# - select: -# kind: CustomResourceDefinition -# fieldPaths: -# - .metadata.annotations.[cert-manager.io/inject-ca-from] -# options: -# delimiter: '/' -# index: 0 -# create: true +# targets: # Do not remove or uncomment the following scaffold marker; required to generate code for target CRD. +# +kubebuilder:scaffold:crdkustomizecainjectionns # - source: # kind: Certificate # group: cert-manager.io # version: v1 # name: serving-cert # This name should match the one in certificate.yaml # fieldPath: .metadata.name -# targets: -# - select: -# kind: CustomResourceDefinition -# fieldPaths: -# - .metadata.annotations.[cert-manager.io/inject-ca-from] -# options: -# delimiter: '/' -# index: 1 -# create: true +# targets: # Do not remove or uncomment the following scaffold marker; required to generate code for target CRD. +# +kubebuilder:scaffold:crdkustomizecainjectionname diff --git a/docs/book/src/multiversion-tutorial/testdata/project/config/crd/kustomization.yaml b/docs/book/src/multiversion-tutorial/testdata/project/config/crd/kustomization.yaml index 4cae15b8d87..575332229dd 100644 --- a/docs/book/src/multiversion-tutorial/testdata/project/config/crd/kustomization.yaml +++ b/docs/book/src/multiversion-tutorial/testdata/project/config/crd/kustomization.yaml @@ -11,11 +11,6 @@ patches: - path: patches/webhook_in_cronjobs.yaml # +kubebuilder:scaffold:crdkustomizewebhookpatch -# [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix. -# patches here are for enabling the CA injection for each CRD -#- path: patches/cainjection_in_cronjobs.yaml -# +kubebuilder:scaffold:crdkustomizecainjectionpatch - # [WEBHOOK] To enable webhook, uncomment the following section # the following config is for teaching kustomize how to do kustomization for CRDs. configurations: diff --git a/docs/book/src/multiversion-tutorial/testdata/project/config/crd/patches/cainjection_in_cronjobs.yaml b/docs/book/src/multiversion-tutorial/testdata/project/config/crd/patches/cainjection_in_cronjobs.yaml deleted file mode 100644 index 752fa9ac6a0..00000000000 --- a/docs/book/src/multiversion-tutorial/testdata/project/config/crd/patches/cainjection_in_cronjobs.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# The following patch adds a directive for certmanager to inject CA into the CRD -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME - name: cronjobs.batch.tutorial.kubebuilder.io diff --git a/docs/book/src/multiversion-tutorial/testdata/project/config/default/kustomization.yaml b/docs/book/src/multiversion-tutorial/testdata/project/config/default/kustomization.yaml index 9cba521a7c6..16e19c0840f 100644 --- a/docs/book/src/multiversion-tutorial/testdata/project/config/default/kustomization.yaml +++ b/docs/book/src/multiversion-tutorial/testdata/project/config/default/kustomization.yaml @@ -156,27 +156,31 @@ replacements: version: v1 name: serving-cert # This name should match the one in certificate.yaml fieldPath: .metadata.namespace # Namespace of the certificate CR - targets: + targets: # Do not remove or uncomment the following scaffold marker; required to generate code for target CRD. - select: kind: CustomResourceDefinition + name: cronjobs.batch.tutorial.kubebuilder.io fieldPaths: - .metadata.annotations.[cert-manager.io/inject-ca-from] options: delimiter: '/' index: 0 create: true +# +kubebuilder:scaffold:crdkustomizecainjectionns - source: kind: Certificate group: cert-manager.io version: v1 name: serving-cert # This name should match the one in certificate.yaml fieldPath: .metadata.name - targets: + targets: # Do not remove or uncomment the following scaffold marker; required to generate code for target CRD. - select: kind: CustomResourceDefinition + name: cronjobs.batch.tutorial.kubebuilder.io fieldPaths: - .metadata.annotations.[cert-manager.io/inject-ca-from] options: delimiter: '/' index: 1 create: true +# +kubebuilder:scaffold:crdkustomizecainjectionname diff --git a/docs/book/src/reference/markers/scaffold.md b/docs/book/src/reference/markers/scaffold.md index 48d18fa88bf..ab68f4f02db 100644 --- a/docs/book/src/reference/markers/scaffold.md +++ b/docs/book/src/reference/markers/scaffold.md @@ -103,10 +103,67 @@ properly registered with the manager, so that the controller can reconcile the r | `+kubebuilder:scaffold:webhook` | `webhooks suite tests` files | Marks where webhook setup functions are added. | | `+kubebuilder:scaffold:crdkustomizeresource`| `config/crd` | Marks where CRD custom resource patches are added. | | `+kubebuilder:scaffold:crdkustomizewebhookpatch` | `config/crd` | Marks where CRD webhook patches are added. | -| `+kubebuilder:scaffold:crdkustomizecainjectionpatch` | `config/crd` | Marks where CA injection patches are added for the webhook. | +| `+kubebuilder:scaffold:crdkustomizecainjectionns` | `config/default` | Marks where CA injection patches are added for the conversion webhooks. | +| `+kubebuilder:scaffold:crdkustomizecainjectioname` | `config/default` | Marks where CA injection patches are added for the conversion webhooks. | +| **(No longer supported)** `+kubebuilder:scaffold:crdkustomizecainjectionpatch` | `config/crd` | Marks where CA injection patches are added for the webhooks. Replaced by `+kubebuilder:scaffold:crdkustomizecainjectionns` and `+kubebuilder:scaffold:crdkustomizecainjectioname` | | `+kubebuilder:scaffold:manifestskustomizesamples` | `config/samples` | Marks where Kustomize sample manifests are injected. | | `+kubebuilder:scaffold:e2e-webhooks-checks` | `test/e2e` | Adds e2e checks for webhooks depending on the types of webhooks scaffolded. | + +