Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

🐛 (kustomize/v2, go/v4): Fix ca injection for conversion webhooks #4282

Conversation

camilamacedo86
Copy link
Member

@camilamacedo86 camilamacedo86 commented Nov 2, 2024

PR Description

The CA injection patch has not worked for go/v4 and kustomize/v2 (release 3.5.0) due to the need to replace vars with replacements, as vars are no longer supported in the latest major versions of Kustomize.

However, since webhook --conversion was an incomplete feature until the upcoming Kubebuilder future release v4.4.0 (where PR #4254 is expected to be merged), users likely didn’t encounter this issue or addressed it manually by fixing the scaffold.

Note: This change only affects projects that require a conversion webhook.

To better understand the issue and context please see: #4285

Closes: #4285

To manually fix projects scaffolded with previous versions, users can:

  1. Remove the CERTMANAGER Section from config/crd/kustomization.yaml:

    Delete the CERTMANAGER section to avoid unintended CA injection patches for CRDs. Ensure the following lines are removed or commented out:

    # [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix.
    # patches here are for enabling the CA injection for each CRD
    #- path: patches/cainjection_in_firstmates.yaml
    # +kubebuilder:scaffold:crdkustomizecainjectionpatch
  2. Add CA Injection Configuration in config/default/kustomization.yaml:

    In config/default/kustomization.yaml, add the following code under [CERTMANAGER] for CA injection:

    Important: Ensure that these scaffold markers are included:

    • +kubebuilder:scaffold:crdkustomizecainjectionns
    • +kubebuilder:scaffold:crdkustomizecainjectioname
    # - source: # Uncomment the following block if you have a ConversionWebhook (--conversion)
    #     kind: Certificate
    #     group: cert-manager.io
    #     version: v1
    #     name: serving-cert # This name should match the one in certificate.yaml
    #     fieldPath: .metadata.namespace # Namespace of the certificate CR
    #   targets: # Do not remove or uncomment the following scaffold marker; required to generate code for target CRD.
    # +kubebuilder:scaffold:crdkustomizecainjectionns
    # - source:
    #     kind: Certificate
    #     group: cert-manager.io
    #     version: v1
    #     name: serving-cert # This name should match the one in certificate.yaml
    #     fieldPath: .metadata.name
    #   targets: # Do not remove or uncomment the following scaffold marker; required to generate code for target CRD.
    # +kubebuilder:scaffold:crdkustomizecainjectioname
  3. Ensure Only Conversion Webhook Patches in config/crd/patches:

    The config/crd/patches directory and the corresponding entries in config/crd/kustomization.yaml should only
    contain files for conversion webhooks. Previously, a bug (🐛 (kustomize/v2, go/v4): Fix incorrect generation of manifests under config/crd/patches. Previously, the /convert service patch was being generated for all webhooks instead of only for those with --conversion enabled. #4280) caused the patch file to be generated for any webhook,
    but only patches for webhooks created with the --conversion option should be included.

For further guidance, you can refer to examples in the testdata/ directory in the Kubebuilder repository.

Alternatively: You can use the 'alpha generate' command to re-generate the project from scratch using the latest
release available. Afterward, you can re-add only your code implementation on top to ensure your project includes all
the latest bug fixes and enhancements.

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Nov 2, 2024
@k8s-ci-robot k8s-ci-robot added the size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. label Nov 2, 2024
@camilamacedo86 camilamacedo86 force-pushed the fix-ca-injection-conversion-webhooks branch from 1b5cddf to 41e2c58 Compare November 2, 2024 12:56
@camilamacedo86 camilamacedo86 changed the title (Blocked by #4280) WIP - Fix ca injection conversion webhooks (Blocked by #4280) WIP - 🐛 (kustomize/v2, go/v4): Fix ca injection for conversion webhooks Nov 2, 2024
@camilamacedo86 camilamacedo86 force-pushed the fix-ca-injection-conversion-webhooks branch 2 times, most recently from 771d28b to fd37dfc Compare November 2, 2024 17:40
@camilamacedo86 camilamacedo86 changed the title (Blocked by #4280) WIP - 🐛 (kustomize/v2, go/v4): Fix ca injection for conversion webhooks 🐛 (kustomize/v2, go/v4): Fix ca injection for conversion webhooks Nov 2, 2024
@camilamacedo86 camilamacedo86 changed the title 🐛 (kustomize/v2, go/v4): Fix ca injection for conversion webhooks 🐛 WIP: (kustomize/v2, go/v4): Fix ca injection for conversion webhooks Nov 2, 2024
@camilamacedo86 camilamacedo86 force-pushed the fix-ca-injection-conversion-webhooks branch from fd37dfc to 093c664 Compare November 2, 2024 18:15
@camilamacedo86 camilamacedo86 changed the title 🐛 WIP: (kustomize/v2, go/v4): Fix ca injection for conversion webhooks 🐛 (kustomize/v2, go/v4): Fix ca injection for conversion webhooks Nov 2, 2024
@camilamacedo86 camilamacedo86 added release-blocker priority/backlog Higher priority than priority/awaiting-more-evidence. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. and removed priority/backlog Higher priority than priority/awaiting-more-evidence. labels Nov 2, 2024
@camilamacedo86 camilamacedo86 force-pushed the fix-ca-injection-conversion-webhooks branch 4 times, most recently from 6cc8aba to eb167ea Compare November 6, 2024 07:40
@camilamacedo86 camilamacedo86 changed the title 🐛 (kustomize/v2, go/v4): Fix ca injection for conversion webhooks 🐛 (WIP) (kustomize/v2, go/v4): Fix ca injection for conversion webhooks Nov 9, 2024
@camilamacedo86 camilamacedo86 changed the title 🐛 (WIP) (kustomize/v2, go/v4): Fix ca injection for conversion webhooks 🐛 (kustomize/v2, go/v4): Fix ca injection for conversion webhooks Nov 9, 2024
@camilamacedo86 camilamacedo86 force-pushed the fix-ca-injection-conversion-webhooks branch 3 times, most recently from 5a198df to d5055b5 Compare November 9, 2024 20:19
@camilamacedo86 camilamacedo86 changed the title 🐛 (kustomize/v2, go/v4): Fix ca injection for conversion webhooks 🐛 (WIP - TODO FIX AFTER REBASES )(kustomize/v2, go/v4): Fix ca injection for conversion webhooks Nov 9, 2024
@camilamacedo86 camilamacedo86 changed the title 🐛 (WIP - TODO FIX AFTER REBASES )(kustomize/v2, go/v4): Fix ca injection for conversion webhooks (WIP - TODO FIX AFTER REBASES ) 🐛 (kustomize/v2, go/v4): Fix ca injection for conversion webhooks Nov 9, 2024
@k8s-ci-robot k8s-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 9, 2024
@camilamacedo86 camilamacedo86 changed the title (WIP - TODO FIX AFTER REBASES ) 🐛 (kustomize/v2, go/v4): Fix ca injection for conversion webhooks (WIP - fix rebase changes ) 🐛 (kustomize/v2, go/v4): Fix ca injection for conversion webhooks Nov 9, 2024
@camilamacedo86 camilamacedo86 force-pushed the fix-ca-injection-conversion-webhooks branch from d5055b5 to 2d60e80 Compare November 10, 2024 04:15
@camilamacedo86 camilamacedo86 changed the title (WIP - fix rebase changes ) 🐛 (kustomize/v2, go/v4): Fix ca injection for conversion webhooks 🐛 (kustomize/v2, go/v4): Fix ca injection for conversion webhooks Nov 10, 2024
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 10, 2024
@camilamacedo86 camilamacedo86 force-pushed the fix-ca-injection-conversion-webhooks branch from 2d60e80 to c8ab90e Compare November 10, 2024 07:43
@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Nov 23, 2024
@camilamacedo86 camilamacedo86 force-pushed the fix-ca-injection-conversion-webhooks branch from c8ab90e to f0f3641 Compare November 24, 2024 11:26
@k8s-ci-robot k8s-ci-robot added needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. and removed needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Nov 24, 2024
@camilamacedo86 camilamacedo86 force-pushed the fix-ca-injection-conversion-webhooks branch from f0f3641 to 6ecb044 Compare December 1, 2024 15:33
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Dec 1, 2024
@camilamacedo86 camilamacedo86 force-pushed the fix-ca-injection-conversion-webhooks branch 3 times, most recently from 32e0924 to 5a8cda8 Compare December 1, 2024 22:07
The CA injection patch has **not** worked for `go/v4` and `kustomize/v2` (release `3.5.0`) due to the need to replace `vars` with `replacements`, as `vars` are no longer supported in the latest major versions of Kustomize.

However, since webhook `--conversion` was an incomplete feature until the upcoming Kubebuilder future release `v4.4.0` (where [PR kubernetes-sigs#4254](kubernetes-sigs#4254) is expected to be merged), users likely didn’t encounter this issue or addressed it manually by fixing the scaffold.

**Note:** This change only affects projects that require a **conversion webhook**.
@camilamacedo86 camilamacedo86 force-pushed the fix-ca-injection-conversion-webhooks branch from 5a8cda8 to 7d4c91d Compare December 1, 2024 22:39
@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Dec 1, 2024
Copy link
Member

@varshaprasad96 varshaprasad96 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Dec 9, 2024
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: camilamacedo86, grzesuav, varshaprasad96

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [camilamacedo86,varshaprasad96]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot merged commit 423d56b into kubernetes-sigs:master Dec 9, 2024
26 checks passed
@camilamacedo86 camilamacedo86 deleted the fix-ca-injection-conversion-webhooks branch December 9, 2024 06:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. release-blocker size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Inconsistent CA Injection for Conversion Webhooks
4 participants