keptn · bacherfl · May 4, 2023 · Apr 24, 2023 · Apr 24, 2023 · Apr 24, 2023
@@ -1,6 +1,6 @@
 # klt-cert-manager
 
-The Keptn certificate manager ensures that the webhooks in the Lifecycle Toolkit operator can obtain a valid certificate
+The Keptn certificate manager ensures that the webhooks of an operator can obtain a valid certificate
 to access the Kubernetes API server.
 
 ## Description
@@ -9,6 +9,263 @@ This `klt-cert-manager` operator should only be installed when paired with the L
 or above.
 The TLS certificate is mounted as a volume in the LT operator pod and is renewed every 12 hours or every time the LT
 operator deployment changes.
+THe `klt-cert-manager` retrieves all `MutatingWebhookConfigurations`, `ValidatingWebhookConfigurations` and
+`CustomResourceDefinitions` based on a label selector that can be defined using the following environment variables:
+
+- `LABEL_SELECTOR_KEY`: Label key used or identifying resources for certificate injection.
+Default: `keptn.sh/inject-cert`
+- `LABEL_SELECTOR_VALUE`: Label value used for identifying resources for certificate injection.
+Default: `true`.
+
+Using these label selectors, `MutatingWebhookConfigurations`, `ValidatingWebhookConfigurations` and
+`CustomResourceDefinitions` can be enabled for certificate injection by adding the required labels to their metadata:
+
+````yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  labels:
+    keptn.sh/inject-cert: true
+  name: keptnconfigs.options.keptn.sh
+````
+
+## Using the klt-cert-manager library
+
+The functionality provided by this operator can also be added to other operators by using the `klt-cert-manager` as
+a library.
+To do this, add the library as a dependency to your application:
+
+```shell
+go get github.com/keptn/lifecycle-toolkit/klt-cert-manager
+```
+
+Then, in your operator's setup logic, an instance of the `KeptnWebhookCertificateReconciler` can be
+created and registered to your operator's controller manager:
+
+```golang
+package main
+
+import (
+    "flag"
+    "log"
+    "os"
+    "sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+
+    "github.com/keptn/lifecycle-toolkit/klt-cert-manager/controllers/keptnwebhookcontroller"
+    "github.com/keptn/lifecycle-toolkit/klt-cert-manager/pkg/webhook"
+    // +kubebuilder:scaffold:imports
+)
+
+func main() {
+    // operator setup ... 
+    certificateReconciler := keptnwebhookcontroller.NewReconciler(keptnwebhookcontroller.CertificateReconcilerConfig{
+        Client:    mgr.GetClient(),
+        Scheme:    mgr.GetScheme(),
+        Log:       ctrl.Log.WithName("KeptnWebhookCert Controller"),
+        Namespace: "my-namespace",
+        MatchLabels: map[string]string{
+            "inject-cert": "true",
+        },
+    })
+    if err = certificateReconciler.SetupWithManager(mgr); err != nil {
+        setupLog.Error(err, "unable to create controller", "controller", "Deployment")
+        os.Exit(1)
+    }
+    //...
+    // register mutating/validating webhooks
+    webhookBuilder := webhook.NewWebhookBuilder().
+        SetNamespace(env.PodNamespace).
+        SetPodName(env.PodName).
+        SetConfigProvider(cmdConfig.NewKubeConfigProvider())
+
+    setupLog.Info("starting webhook and manager")
+    if err := webhookBuilder.Run(mgr, map[string]*admission.Webhook{
+            "/webhook-path": &webhook.Admission{},
+        }); err != nil {
+        setupLog.Error(err, "problem running manager")
+        os.Exit(1)
+    }
+}
+```
+
+Using this approach will require the following `ClusterRole` permissions to be bound to your operator's ServiceAccount:
+
+```yaml
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: certificate-operator-role
+rules:
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - mutatingwebhookconfigurations
+  verbs:
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  verbs:
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - apiextensions.k8s.io
+  resources:
+  - customresourcedefinitions
+  verbs:
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: certificate-operator-role
+  namespace: my-operator-system
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+```
+
+The required permissions can also be reduced by only allowing access to a specific set of resources, by providing
+the `KeptnWebhookCertificateReconciler` with a list of resources that should by enabled for certificate injection,
+instead of specifying the `MatchLabels`:
+
+```golang
+package main
+
+import (
+    "flag"
+    "log"
+    "os"
+
+    "github.com/keptn/lifecycle-toolkit/klt-cert-manager/controllers/keptnwebhookcontroller"
+    // +kubebuilder:scaffold:imports
+)
+
+func main() {
+    // operator setup ... 
+    certificateReconciler := keptnwebhookcontroller.NewReconciler(keptnwebhookcontroller.CertificateReconcilerConfig{
+        Client:        mgr.GetClient(),
+        Scheme:        mgr.GetScheme(),
+        Log:           ctrl.Log.WithName("KeptnWebhookCert Controller"),
+        Namespace:     "my-namespace",
+        WatchResources: &keptnwebhookcontroller.ObservedObjects{
+            MutatingWebhooks:          []string{"my-mwh-1", "my-mwh-2"},
+            ValidatingWebhooks:        []string{"my-vwh-1", "my-vwh-2"},
+            CustomResourceDefinitions: []string{"my-crd-1", "my-crd-2"},
+            Deployments:               []string{"my-operator-deployment"},
+        },
+    })
+    if err = certificateReconciler.SetupWithManager(mgr); err != nil {
+        setupLog.Error(err, "unable to create controller", "controller", "Deployment")
+        os.Exit(1)
+    }
+    //...
+}
+```
+
+Using this configuration, you can limit the required permissions as follows:
+
+```yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: certificate-operator-role
+rules:
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - mutatingwebhookconfigurations
+  verbs:
+  - get
+  - patch
+  - update
+  - watch
+  resourceNames:
+    - my-mwh-1
+    - my-mwh-2
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  verbs:
+  - get
+  - patch
+  - update
+  - watch
+  resourceNames:
+    - my-vwh-1
+    - my-vwh-2
+- apiGroups:
+  - apiextensions.k8s.io
+  resources:
+  - customresourcedefinitions
+  verbs:
+  - get
+  - patch
+  - update
+  - watch
+  resourceNames:
+    - my-crd-1
+    - my-crd-2
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: certificate-operator-role
+  namespace: my-operator-system
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+```
 
 ## Getting Started
 

@@ -9,6 +9,7 @@ import (
 
 	"github.com/go-logr/logr"
 	"github.com/keptn/lifecycle-toolkit/klt-cert-manager/kubeutils"
+	"github.com/keptn/lifecycle-toolkit/klt-cert-manager/pkg/common"
 	"github.com/pkg/errors"
 	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
 	corev1 "k8s.io/api/core/v1"
@@ -76,7 +77,7 @@ func (certSecret *certificateSecret) setCertificates(namespace string) error {
 }
 
 func buildSecretName() string {
-	return secretName
+	return common.SecretName
 }
 
 func getDomain(namespace string) string {
@@ -117,7 +118,7 @@ func (certSecret *certificateSecret) createOrUpdateIfNecessary(ctx context.Conte
 func (certSecret *certificateSecret) loadCombinedBundle() ([]byte, error) {
 	data, hasData := certSecret.secret.Data[RootCert]
 	if !hasData {
-		return nil, errors.New(certificatesSecretEmptyErr)
+		return nil, errors.New(common.CertificatesSecretEmptyErr)
 	}
 
 	if oldData, hasOldData := certSecret.secret.Data[RootCertOld]; hasOldData {