Merge pull request #1 from munnerz/deployment-updates

Build and deployment fixes

Makefile

@@ -0,0 +1,20 @@
+IMAGE_NAME := "webhook"
+IMAGE_TAG := "latest"
+
+OUT := $(shell pwd)/_out
+
+$(shell mkdir -p "$(OUT)")
+
+verify:
+	go test -v .
+
+build:
+	docker build -t "$(IMAGE_NAME):$(IMAGE_TAG)" .
+
+.PHONY: rendered-manifest.yaml
+rendered-manifest.yaml:
+	helm template \
+	    --name example-webhook \
+        --set image.repository=$(IMAGE_NAME) \
+        --set image.tag=$(IMAGE_TAG) \
+        deploy/example-webhook > "$(OUT)/rendered-manifest.yaml"

deploy/example-webhook/templates/NOTES.txt

@@ -1,19 +0,0 @@
-1. Get the application URL by running these commands:
-{{- if .Values.ingress.enabled }}
-{{- range .Values.ingress.hosts }}
-  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ . }}{{ $.Values.ingress.path }}
-{{- end }}
-{{- else if contains "NodePort" .Values.service.type }}
-  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "example-webhook.fullname" . }})
-  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
-  echo http://$NODE_IP:$NODE_PORT
-{{- else if contains "LoadBalancer" .Values.service.type }}
-     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
-           You can watch the status of by running 'kubectl get svc -w {{ include "example-webhook.fullname" . }}'
-  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "example-webhook.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
-  echo http://$SERVICE_IP:{{ .Values.service.port }}
-{{- else if contains "ClusterIP" .Values.service.type }}
-  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ include "example-webhook.name" . }},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
-  echo "Visit http://127.0.0.1:8080 to use your application"
-  kubectl port-forward $POD_NAME 8080:80
-{{- end }}

deploy/example-webhook/templates/_helpers.tpl

@@ -30,3 +30,19 @@ Create chart name and version as used by the chart label.
 {{- define "example-webhook.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
+
+{{- define "example-webhook.selfSignedIssuer" -}}
+{{ printf "%s-selfsign" (include "example-webhook.fullname" .) }}
+{{- end -}}
+
+{{- define "example-webhook.rootCAIssuer" -}}
+{{ printf "%s-ca" (include "example-webhook.fullname" .) }}
+{{- end -}}
+
+{{- define "example-webhook.rootCACertificate" -}}
+{{ printf "%s-ca" (include "example-webhook.fullname" .) }}
+{{- end -}}
+
+{{- define "example-webhook.servingCertificate" -}}
+{{ printf "%s-webhook-tls" (include "example-webhook.fullname" .) }}
+{{- end -}}

deploy/example-webhook/templates/apiservice.yaml

@@ -7,11 +7,12 @@ metadata:
     chart: {{ include "example-webhook.chart" . }}
     release: {{ .Release.Name }}
     heritage: {{ .Release.Service }}
+  annotations:
+    certmanager.k8s.io/inject-ca-from: "{{ .Release.Namespace }}/{{ include "example-webhook.servingCertificate" . }}"
 spec:
   group: {{ .Values.groupName }}
   groupPriorityMinimum: 1000
   versionPriority: 15
-  insecureSkipTLSVerify: true
   service:
     name: {{ include "example-webhook.fullname" . }}
     namespace: {{ .Release.Namespace }}

deploy/example-webhook/templates/deployment.yaml

@@ -24,6 +24,9 @@ spec:
         - name: {{ .Chart.Name }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
+          args:
+            - --tls-cert-file=/tls/tls.crt
+            - --tls-private-key-file=/tls/tls.key
           env:
             - name: GROUP_NAME
               value: {{ .Values.groupName | quote }}
@@ -41,8 +44,16 @@ spec:
               scheme: HTTPS
               path: /healthz
               port: https
+          volumeMounts:
+            - name: certs
+              mountPath: /tls
+              readOnly: true
           resources:
 {{ toYaml .Values.resources | indent 12 }}
+      volumes:
+        - name: certs
+          secret:
+            secretName: {{ include "example-webhook.servingCertificate" . }}
     {{- with .Values.nodeSelector }}
       nodeSelector:
 {{ toYaml . | indent 8 }}

deploy/example-webhook/templates/pki.yaml

@@ -0,0 +1,76 @@
+---
+# Create a selfsigned Issuer, in order to create a root CA certificate for
+# signing webhook serving certificates
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: Issuer
+metadata:
+  name: {{ include "example-webhook.selfSignedIssuer" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    app: {{ include "example-webhook.name" . }}
+    chart: {{ include "example-webhook.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  selfSigned: {}
+
+---
+
+# Generate a CA Certificate used to sign certificates for the webhook
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: Certificate
+metadata:
+  name: {{ include "example-webhook.rootCACertificate" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    app: {{ include "example-webhook.name" . }}
+    chart: {{ include "example-webhook.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  secretName: {{ include "example-webhook.rootCACertificate" . }}
+  duration: 43800h # 5y
+  issuerRef:
+    name: {{ include "example-webhook.selfSignedIssuer" . }}
+  commonName: "ca.example-webhook.cert-manager"
+  isCA: true
+
+---
+
+# Create an Issuer that uses the above generated CA certificate to issue certs
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: Issuer
+metadata:
+  name: {{ include "example-webhook.rootCAIssuer" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    app: {{ include "example-webhook.name" . }}
+    chart: {{ include "example-webhook.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  ca:
+    secretName: {{ include "example-webhook.rootCACertificate" . }}
+
+---
+
+# Finally, generate a serving certificate for the webhook to use
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: Certificate
+metadata:
+  name: {{ include "example-webhook.servingCertificate" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    app: {{ include "example-webhook.name" . }}
+    chart: {{ include "example-webhook.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  secretName: {{ include "example-webhook.servingCertificate" . }}
+  duration: 8760h # 1y
+  issuerRef:
+    name: {{ include "example-webhook.rootCAIssuer" . }}
+  dnsNames:
+  - {{ include "example-webhook.fullname" . }}
+  - {{ include "example-webhook.fullname" . }}.{{ .Release.Namespace }}
+  - {{ include "example-webhook.fullname" . }}.{{ .Release.Namespace }}.svc

deploy/example-webhook/values.yaml

@@ -14,7 +14,7 @@ certManager:
 
 image:
   repository: mycompany/webhook-image
-  tag: stable
+  tag: latest
   pullPolicy: IfNotPresent
 
 nameOverride: ""
@@ -24,19 +24,6 @@ service:
   type: ClusterIP
   port: 443
 
-ingress:
-  enabled: false
-  annotations: {}
-    # kubernetes.io/ingress.class: nginx
-    # kubernetes.io/tls-acme: "true"
-  path: /
-  hosts:
-    - chart-example.local
-  tls: []
-  #  - secretName: chart-example-tls
-  #    hosts:
-  #      - chart-example.local
-
 resources: {}
   # We usually recommend not to specify default resources and to leave this as a conscious
   # choice for the user. This also increases chances charts run on environments with little

go.mod

@@ -5,7 +5,7 @@ go 1.12
 require (
 	github.com/dgrijalva/jwt-go v3.2.0+incompatible // indirect
 	github.com/imdario/mergo v0.3.7 // indirect
-	github.com/jetstack/cert-manager v0.7.1-0.20190418141904-49f91f9fa4d4
+	github.com/jetstack/cert-manager v0.7.1-0.20190429172244-546d3f1d7627
 	golang.org/x/oauth2 v0.0.0-20190402181905-9f3314589c9a // indirect
 	golang.org/x/time v0.0.0-20190308202827-9d24e82272b4 // indirect
 	k8s.io/apiextensions-apiserver v0.0.0-20190413053546-d0acb7a76918

go.sum

@@ -184,8 +184,8 @@ github.com/imdario/mergo v0.3.7/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJ
 github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM=
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
 github.com/jefferai/jsonx v1.0.0/go.mod h1:OGmqmi2tTeI/PS+qQfBDToLHHJIy/RMp24fPo8vFvoQ=
-github.com/jetstack/cert-manager v0.7.1-0.20190418141904-49f91f9fa4d4 h1:BkzDdMD/2CXv3BWr0uwndx+mXaNbJHamruJNQ/gQNKw=
+github.com/jetstack/cert-manager v0.7.1-0.20190429172244-546d3f1d7627 h1:zHzxugtT5zh7jp/U1ZOWLvPMOb0L6Q39nTQzb849V+s=
-github.com/jetstack/cert-manager v0.7.1-0.20190418141904-49f91f9fa4d4/go.mod h1:jCOiKjYkFd3eh/kJJK2ufc0hyNQ/yJIUV/V4iWxR1t8=
+github.com/jetstack/cert-manager v0.7.1-0.20190429172244-546d3f1d7627/go.mod h1:GsWWdhRdDmHDL/GvVQt82/N/Hr4R6GQfNjZV2BwOPfY=
 github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
 github.com/jonboulle/clockwork v0.0.0-20141017032234-72f9bd7c4e0c h1:XpRROA6ssPlTwJI8/pH+61uieOkcJhmAFz25cu0B94Y=
 github.com/jonboulle/clockwork v0.0.0-20141017032234-72f9bd7c4e0c/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=

main.go

@@ -3,6 +3,7 @@ package main
 import (
 	"encoding/json"
 	"fmt"
+	"os"
 
 	extapi "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1"
 	//"k8s.io/client-go/kubernetes"
@@ -12,9 +13,13 @@ import (
 	"github.com/jetstack/cert-manager/pkg/acme/webhook/cmd"
 )
 
-const GroupName = "acme.mycompany.com"
+var GroupName = os.Getenv("GROUP_NAME")
 
 func main() {
+	if GroupName == "" {
+		panic("GROUP_NAME must be specified")
+	}
+
 	// This will register our custom DNS provider with the webhook serving
 	// library, making it available as an API under the provided GroupName.
 	// You can register multiple DNS provider implementations with a single