Certificate (#118)

* support other certificates

* support other certificates

* support other certificates

* support other certificates

* support other certificates

config/default/kustomization.yaml

@@ -8,64 +8,8 @@ namespace: releasenamespace
 # field above.
 namePrefix: sap-btp-operator-
 
-# Labels to add to all resources and selectors.
-#commonLabels:
-#  someName: someValue
-
-# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in 
-# crd/kustomization.yaml
-# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. 'WEBHOOK' components are required.
-# [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. 
-#- ../prometheus
-
-  # Protect the /metrics endpoint by putting it behind auth.
-  # If you want your controller-manager to expose the /metrics
-  # endpoint w/o any authn/z, please comment the following line.
-
-# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in 
-# crd/kustomization.yaml
-
-# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'.
-# Uncomment 'CERTMANAGER' sections in crd/kustomization.yaml to enable the CA injection in the admission webhooks.
-# 'CERTMANAGER' needs to be enabled to use ca injection
-patchesStrategicMerge:
-- webhookcainjection_patch.yaml
-
-# the following config is for teaching kustomize how to do var substitution
-# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix.
-vars:
-- fieldref:
-    fieldPath: metadata.namespace
-  name: CERTIFICATE_NAMESPACE
-  objref:
-    group: cert-manager.io
-    kind: Certificate
-    name: serving-cert
-    version: v1
-- fieldref: {}
-  name: CERTIFICATE_NAME
-  objref:
-    group: cert-manager.io
-    kind: Certificate
-    name: serving-cert
-    version: v1
-- fieldref:
-    fieldPath: metadata.namespace
-  name: SERVICE_NAMESPACE
-  objref:
-    kind: Service
-    name: webhook-service
-    version: v1
-- fieldref: {}
-  name: SERVICE_NAME
-  objref:
-    kind: Service
-    name: webhook-service
-    version: v1
-apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ../crd
 - ../rbac
-- ../webhook
-- ../certmanager
+apiVersion: kustomize.config.k8s.io/v1beta1

config/rbac/kustomization.yaml

@@ -6,7 +6,6 @@ resources:
 # Comment the following 4 lines if you want to disable
 # the auth proxy (https://github.com/brancz/kube-rbac-proxy)
 # which protects your /metrics endpoint.
-- auth_proxy_service.yaml
 - auth_proxy_role.yaml
 - auth_proxy_role_binding.yaml
 - auth_proxy_client_clusterrole.yaml

sapbtp-operator-charts/templates/cert-manager-certificate.yml

@@ -0,0 +1,16 @@
+{{- if .Values.manager.certificates.certManager }}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: sap-btp-operator-serving-cert
+  namespace: {{.Release.Namespace}}
+spec:
+  dnsNames:
+    - sap-btp-operator-webhook-service.{{.Release.Namespace}}.svc
+    - sap-btp-operator-webhook-service.{{.Release.Namespace}}.svc.cluster.local
+  issuerRef:
+    kind: Issuer
+    name: sap-btp-operator-selfsigned-issuer
+  secretName: webhook-server-cert
+{{- end}}

sapbtp-operator-charts/templates/cert-manager-issuer.yml

@@ -0,0 +1,10 @@
+{{- if .Values.manager.certificates.certManager }}
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: sap-btp-operator-selfsigned-issuer
+  namespace: {{.Release.Namespace}}
+spec:
+  selfSigned: {}
+{{- end}}

sapbtp-operator-charts/templates/gardener-cert-manager-certificate.yml

@@ -0,0 +1,23 @@
+{{- if .Values.manager.certificates.gardenerCertManager }}
+---
+apiVersion: cert.gardener.cloud/v1alpha1
+kind: Certificate
+metadata:
+  name: sap-btp-operator-serving-cert
+  namespace: {{.Release.Namespace}}
+spec:
+  commonName: Kubernetes
+  dnsNames:
+  - sap-btp-operator-webhook-service.{{.Release.Namespace}}.svc
+  - sap-btp-operator-webhook-service.{{.Release.Namespace}}.svc.cluster.local
+  # if issuer is not specified, the default issuer is used
+  issuerRef:
+{{- if .Values.manager.certificates.gardenerCertManager.issuer }}
+    name: {{ .Values.manager.certificates.gardenerCertManager.issuer }}
+{{- else }}
+    name: issuer-ca
+{{- end}}
+  secretRef:
+    name: webhook-server-cert
+    namespace: {{.Release.Namespace}}
+{{- end}}

sapbtp-operator-charts/templates/gardener-cert-manager-issuer-secret.yml

@@ -0,0 +1,14 @@
+{{- if .Values.manager.certificates.gardenerCertManager }}
+{{- if not .Values.manager.certificates.gardenerCertManager.issuer }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: issuer-ca-secret
+  namespace: {{.Release.Namespace}}
+type: kubernetes.io/tls
+data:
+  tls.crt: {{ .Values.manager.certificates.gardenerCertManager.crt }}
+  tls.key: {{ .Values.manager.certificates.gardenerCertManager.key }}
+{{- end}}
+{{- end}}

sapbtp-operator-charts/templates/gardener-cert-manager-issuer.yml

@@ -0,0 +1,15 @@
+{{- if .Values.manager.certificates.gardenerCertManager }}
+{{- if not .Values.manager.certificates.gardenerCertManager.issuer }}
+---
+apiVersion: cert.gardener.cloud/v1alpha1
+kind: Issuer
+metadata:
+  name: issuer-ca
+  namespace: {{.Release.Namespace}}
+spec:
+  ca:
+    privateKeySecretRef:
+      name: issuer-ca-secret
+      namespace: default
+{{- end}}
+{{- end}}

sapbtp-operator-charts/templates/service.yml

@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: sap-btp-operator-webhook-service
+  namespace: {{.Release.Namespace}}
+spec:
+  ports:
+    - port: 443
+      targetPort: 9443
+  selector:
+    control-plane: controller-manager
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    control-plane: controller-manager
+  name: sap-btp-operator-controller-manager-metrics-service
+  namespace: {{.Release.Namespace}}
+spec:
+  ports:
+    - name: https
+      port: 8443
+      targetPort: https
+  selector:
+    control-plane: controller-manager

sapbtp-operator-charts/templates/webhook.yml

@@ -0,0 +1,94 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  {{- if .Values.manager.certificates.certManager }}
+  annotations:
+    cert-manager.io/inject-ca-from: {{.Release.Namespace}}/sap-btp-operator-serving-cert
+  {{- end}}
+  name: sap-btp-operator-mutating-webhook-configuration
+webhooks:
+  - admissionReviewVersions:
+      - v1beta1
+      - v1
+    clientConfig:
+      service:
+        name: sap-btp-operator-webhook-service
+        namespace: {{.Release.Namespace}}
+        path: /mutate-services-cloud-sap-com-v1alpha1-servicebinding
+      {{- if .Values.manager.certificates.selfSigned }}
+      caBundle: {{.Values.manager.certificates.selfSigned.caBundle }}
+      {{- end }}
+      {{- if .Values.manager.certificates.gardenerCertManager }}
+      caBundle: {{.Values.manager.certificates.gardenerCertManager.caBundle }}
+      {{- end }}
+    failurePolicy: Fail
+    name: mservicebinding.kb.io
+    rules:
+      - apiGroups:
+          - services.cloud.sap.com
+        apiVersions:
+          - v1alpha1
+        operations:
+          - CREATE
+          - UPDATE
+        resources:
+          - servicebindings
+    sideEffects: None
+  - admissionReviewVersions:
+      - v1beta1
+      - v1
+    clientConfig:
+      service:
+        name: sap-btp-operator-webhook-service
+        namespace: {{.Release.Namespace}}
+        path: /mutate-services-cloud-sap-com-v1alpha1-serviceinstance
+    failurePolicy: Fail
+    name: mserviceinstance.kb.io
+    rules:
+      - apiGroups:
+          - services.cloud.sap.com
+        apiVersions:
+          - v1alpha1
+        operations:
+          - CREATE
+          - UPDATE
+        resources:
+          - serviceinstances
+    sideEffects: None
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  {{- if .Values.manager.certificates.certManager }}
+  annotations:
+    cert-manager.io/inject-ca-from: {{.Release.Namespace}}/sap-btp-operator-serving-cert
+  {{- end}}
+  name: sap-btp-operator-validating-webhook-configuration
+webhooks:
+  - admissionReviewVersions:
+      - v1beta1
+      - v1
+    clientConfig:
+      service:
+        name: sap-btp-operator-webhook-service
+        namespace: {{.Release.Namespace}}
+        path: /validate-services-cloud-sap-com-v1alpha1-servicebinding
+      {{- if .Values.manager.certificates.selfSigned }}
+      caBundle: {{.Values.manager.certificates.selfSigned.caBundle }}
+      {{- end }}
+      {{- if .Values.manager.certificates.gardenerCertManager }}
+      caBundle: {{.Values.manager.certificates.gardenerCertManager.caBundle }}
+      {{- end }}
+    failurePolicy: Fail
+    name: vservicebinding.kb.io
+    rules:
+      - apiGroups:
+          - services.cloud.sap.com
+        apiVersions:
+          - v1alpha1
+        operations:
+          - CREATE
+          - UPDATE
+        resources:
+          - servicebindings
+    sideEffects: None