✨ improve webhook scaffolding

pkg/scaffold/api.go

@@ -162,6 +162,7 @@ func (api *API) scaffoldV2() error {
 			&resourcev2.Group{Resource: r},
 			&resourcev2.CRDSample{Resource: r},
 			&crdv2.EnableWebhookPatch{Resource: r},
+			&crdv2.EnableCAInjectionPatch{Resource: r},
 		)
 		if err != nil {
 			return fmt.Errorf("error scaffolding APIs: %v", err)

pkg/scaffold/v2/certmanager/kustomize.go

@@ -41,20 +41,24 @@ var kustomizationTemplate = `resources:
 
 # the following config is for teaching kustomize how to do var substitution
 vars:
+- name: NAMESPACE # namespace of the service and the certificate CR
+  objref:
+    kind: Service
+    version: v1
+    name: webhook-service
+  fieldref:
+    fieldpath: metadata.namespace
 - name: CERTIFICATENAME
   objref:
     kind: Certificate
     group: certmanager.k8s.io
     version: v1alpha1
     name: serving-cert # this name should match the one in certificate.yaml
-- name: CERTIFICATENAMESPACE
+- name: SERVICENAME
   objref:
-    kind: Certificate
-    group: certmanager.k8s.io
-    version: v1alpha1
-    name: serving-cert # this name should match the one in certificate.yaml
-  fieldref:
-    fieldpath: metadata.namespace
+    kind: Service
+    version: v1
+    name: webhook-service
 
 configurations:
 - kustomizeconfig.yaml

pkg/scaffold/v2/crd/enablecainjection_patch.go

@@ -0,0 +1,63 @@
+/*
+Copyright 2019 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v2
+
+import (
+	"fmt"
+	"path/filepath"
+	"strings"
+
+	"github.com/markbates/inflect"
+
+	"sigs.k8s.io/kubebuilder/pkg/scaffold/input"
+	"sigs.k8s.io/kubebuilder/pkg/scaffold/v1/resource"
+)
+
+// EnableCAInjectionPatch scaffolds a EnableCAInjectionPatch for a Resource
+type EnableCAInjectionPatch struct {
+	input.Input
+
+	// Resource is the Resource to make the EnableCAInjectionPatch for
+	Resource *resource.Resource
+}
+
+// GetInput implements input.File
+func (p *EnableCAInjectionPatch) GetInput() (input.Input, error) {
+	if p.Path == "" {
+		rs := inflect.NewDefaultRuleset()
+		plural := rs.Pluralize(strings.ToLower(p.Resource.Kind))
+		p.Path = filepath.Join("config", "crd", "patches",
+			fmt.Sprintf("cainjection_in_%s.yaml", plural))
+	}
+	p.TemplateBody = EnableCAInjectionPatchTemplate
+	return p.Input, nil
+}
+
+// Validate validates the values
+func (g *EnableCAInjectionPatch) Validate() error {
+	return g.Resource.Validate()
+}
+
+var EnableCAInjectionPatchTemplate = `# The following patch adds a directive for certmanager to inject CA into the CRD
+# CRD conversion requires k8s 1.13 or later.
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    certmanager.k8s.io/inject-ca-from: $(NAMESPACE)/$(CERTIFICATENAME)
+  name: {{ .Resource.Resource }}.{{ .Resource.Group }}.{{ .Domain }}
+`

pkg/scaffold/v2/crd/enablewebhook_patch.go

@@ -52,13 +52,11 @@ func (g *EnableWebhookPatch) Validate() error {
 	return g.Resource.Validate()
 }
 
-// TODO(mengqiy): plural of the resources
-var enableWebhookPatchTemplate = `# The following patch enables conversion webhook for CRDw
+var enableWebhookPatchTemplate = `# The following patch enables conversion webhook for CRD
+# CRD conversion requires k8s 1.13 or later.
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
-  annotations:
-    certmanager.k8s.io/inject-ca-from: $(NAMESPACE)/$(CERTIFICATENAME)
   name: {{ .Resource.Resource }}.{{ .Resource.Group }}.{{ .Domain }}
 spec:
   conversion:
@@ -68,7 +66,7 @@ spec:
       # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager)
       caBundle: Cg==
       service:
-        namespace: $(NAMESPACE)
+        namespace: system
         name: webhook-service
-        path: /convert-{{ lower .Resource.Kind }}
+        path: /convert
 `

pkg/scaffold/v2/crd/kustomization.go

@@ -29,8 +29,9 @@ import (
 )
 
 const (
-	kustomizeResourceScaffoldMarker = "# +kubebuilder:scaffold:kustomizeresource"
-	kustomizePatchScaffoldMarker    = "# +kubebuilder:scaffold:kustomizepatch"
+	kustomizeResourceScaffoldMarker         = "# +kubebuilder:scaffold:crdkustomizeresource"
+	kustomizeWebhookPatchScaffoldMarker     = "# +kubebuilder:scaffold:crdkustomizewebhookpatch"
+	kustomizeCAInjectionPatchScaffoldMarker = "# +kubebuilder:scaffold:crdkustomizecainjectionpatch"
 )
 
 var _ input.File = &Kustomization{}
@@ -64,12 +65,14 @@ func (c *Kustomization) Update() error {
 	plural := rs.Pluralize(strings.ToLower(c.Resource.Kind))
 
 	kustomizeResourceCodeFragment := fmt.Sprintf("- bases/%s.%s_%s.yaml\n", c.Resource.Group, c.Domain, plural)
-	kustomizePatchCodeFragment := fmt.Sprintf("#- patches/webhook_in_%s.yaml\n", plural)
+	kustomizeWebhookPatchCodeFragment := fmt.Sprintf("#- patches/webhook_in_%s.yaml\n", plural)
+	kustomizeCAInjectionPatchCodeFragment := fmt.Sprintf("#- patches/cainjection_in_%s.yaml\n", plural)
 
 	return internal.InsertStringsInFile(c.Path,
 		map[string][]string{
-			kustomizeResourceScaffoldMarker: []string{kustomizeResourceCodeFragment},
-			kustomizePatchScaffoldMarker:    []string{kustomizePatchCodeFragment},
+			kustomizeResourceScaffoldMarker:         {kustomizeResourceCodeFragment},
+			kustomizeWebhookPatchScaffoldMarker:     {kustomizeWebhookPatchCodeFragment},
+			kustomizeCAInjectionPatchScaffoldMarker: {kustomizeCAInjectionPatchCodeFragment},
 		})
 }
 
@@ -80,10 +83,13 @@ resources:
 %s
 
 patches:
-# patches here are for enabling the conversion webhook for each CRD
+# [WEBHOOK] patches here are for enabling the conversion webhook for each CRD
+%s
+
+# [CAINJECTION] patches here are for enabling the CA injection for each CRD
 %s
 
 # the following config is for teaching kustomize how to do kustomization for CRDs.
 configurations:
 - kustomizeconfig.yaml
-`, kustomizeResourceScaffoldMarker, kustomizePatchScaffoldMarker)
+`, kustomizeResourceScaffoldMarker, kustomizeWebhookPatchScaffoldMarker, kustomizeCAInjectionPatchScaffoldMarker)

pkg/scaffold/v2/crd/kustomizeconfig.go

@@ -48,9 +48,12 @@ nameReference:
     group: apiextensions.k8s.io
     path: spec/conversion/webhookClientConfig/service/name
 
-varReference:
-- path: metadata/annotations
+namespace:
 - kind: CustomResourceDefinition
   group: apiextensions.k8s.io
   path: spec/conversion/webhookClientConfig/service/namespace
+  create: false
+
+varReference:
+- path: metadata/annotations
 `

pkg/scaffold/v2/kustomize.go

@@ -69,9 +69,9 @@ bases:
 - ../crd
 - ../rbac
 - ../manager
-# [WEBHOOK] Uncomment all the sections with [WEBHOOK] prefix to enable webhook.
+# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in crd/kustomization.yaml
 #- ../webhook
-# [CERTMANAGER] Uncomment next line to enable cert-manager
+# [CERTMANAGER] To enable cert-manager, uncomment next line. 'WEBHOOK' components are required.
 #- ../certmanager
 
 patches:
@@ -87,10 +87,11 @@ patches:
   # manager_prometheus_metrics_patch.yaml should be enabled.
 #- manager_prometheus_metrics_patch.yaml
 
-# [WEBHOOK] Uncomment all the sections with [WEBHOOK] prefix to enable webhook.
+# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in crd/kustomization.yaml
 #- manager_webhook_patch.yaml
 
-# [CAINJECTION] Uncomment next line to enable the CA injection in the admission webhooks. [CERTMANAGER] needs to be
-# enabled to use ca injection
+# [CAINJECTION] Uncomment next line to enable the CA injection in the admission webhooks.
+# Uncomment 'CAINJECTION' in crd/kustomization.yaml to enable the CA injection in the admission webhooks.
+# 'CERTMANAGER' needs to be enabled to use ca injection
 #- webhookcainjection_patch.yaml
 `

pkg/scaffold/v2/main.go

@@ -138,21 +138,27 @@ func init() {
 	%s
 }
 
+// Persmissions to do leader election.
+// +kubebuilder:rbac:groups="",resources=configmaps,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups="",resources=configmaps/status,verbs=get;update;patch
+
 func main() {
 	var metricsAddr string
 	flag.StringVar(&metricsAddr, "metrics-addr", ":8080", "The address the metric endpoint binds to.")
 	flag.Parse()
 
 	ctrl.SetLogger(zap.Logger(true))
 
-	// Persmissions to do leader election.
-	// +kubebuilder:rbac:groups="",resources=configmaps,verbs=get;list;watch;create;update;patch;delete
-	// +kubebuilder:rbac:groups="",resources=configmaps/status,verbs=get;update;patch
+	leaderElectionNamespace := "default"
+	if len(os.Getenv("POD_NAMESPACE")) != 0 {
+		leaderElectionNamespace = os.Getenv("POD_NAMESPACE")
+	}
+
 	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
 		Scheme:                  scheme,
 		MetricsBindAddress:      metricsAddr,
 		LeaderElection:          true,
-		LeaderElectionNamespace: "default",
+		LeaderElectionNamespace: leaderElectionNamespace,
 	})
 	if err != nil {
 		setupLog.Error(err, "unable to start manager")

pkg/scaffold/v2/manager/config.go

@@ -76,7 +76,7 @@ spec:
     matchLabels:
       control-plane: controller-manager
       controller-tools.k8s.io: "1.0"
-  replicas: 1
+  replicas: 2
   template:
     metadata:
       labels:
@@ -86,6 +86,11 @@ spec:
       containers:
       - command:
         - /manager
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
         image: {{ .Image }}
         imagePullPolicy: Always
         name: manager

pkg/scaffold/v2/webhook/enablecainection_patch.go

@@ -46,12 +46,12 @@ kind: MutatingWebhookConfiguration
 metadata:
   name: mutating-webhook-configuration
   annotations:
-    certmanager.k8s.io/inject-ca-from: $(CERTIFICATENAMESPACE)/$(CERTIFICATENAME)
+    certmanager.k8s.io/inject-ca-from: $(NAMESPACE)/$(CERTIFICATENAME)
 ---
 apiVersion: admissionregistration.k8s.io/v1beta1
 kind: ValidatingWebhookConfiguration
 metadata:
   name: validating-webhook-configuration
   annotations:
-    certmanager.k8s.io/inject-ca-from: $(CERTIFICATENAMESPACE)/$(CERTIFICATENAME)
+    certmanager.k8s.io/inject-ca-from: $(NAMESPACE)/$(CERTIFICATENAME)
 `

pkg/scaffold/v2/webhook/kustomization.go

@@ -45,19 +45,4 @@ var KustomizeWebhookTemplate = `resources:
 
 configurations:
 - kustomizeconfig.yaml
-
-# the following config is for teaching kustomize how to do var substitution
-vars:
-- name: NAMESPACE
-  objref:
-    kind: Service
-    version: v1
-    name: webhook-service
-  fieldref:
-    fieldpath: metadata.namespace
-- name: SERVICENAME
-  objref:
-    kind: Service
-    version: v1
-    name: webhook-service
 `

testdata/project-v2/config/certmanager/kustomization.yaml

@@ -3,20 +3,24 @@ resources:
 
 # the following config is for teaching kustomize how to do var substitution
 vars:
+- name: NAMESPACE # namespace of the service and the certificate CR
+  objref:
+    kind: Service
+    version: v1
+    name: webhook-service
+  fieldref:
+    fieldpath: metadata.namespace
 - name: CERTIFICATENAME
   objref:
     kind: Certificate
     group: certmanager.k8s.io
     version: v1alpha1
     name: serving-cert # this name should match the one in certificate.yaml
-- name: CERTIFICATENAMESPACE
+- name: SERVICENAME
   objref:
-    kind: Certificate
-    group: certmanager.k8s.io
-    version: v1alpha1
-    name: serving-cert # this name should match the one in certificate.yaml
-  fieldref:
-    fieldpath: metadata.namespace
+    kind: Service
+    version: v1
+    name: webhook-service
 
 configurations:
 - kustomizeconfig.yaml

testdata/project-v2/config/crd/kustomization.yaml

@@ -4,13 +4,18 @@
 resources:
 - bases/crew.testproject.org_captains.yaml
 - bases/crew.testproject.org_firstmates.yaml
-# +kubebuilder:scaffold:kustomizeresource
+# +kubebuilder:scaffold:crdkustomizeresource
 
 patches:
-# patches here are for enabling the conversion webhook for each CRD
+# [WEBHOOK] patches here are for enabling the conversion webhook for each CRD
 #- patches/webhook_in_captains.yaml
 #- patches/webhook_in_firstmates.yaml
-# +kubebuilder:scaffold:kustomizepatch
+# +kubebuilder:scaffold:crdkustomizewebhookpatch
+
+# [CAINJECTION] patches here are for enabling the CA injection for each CRD
+#- patches/cainjection_in_captains.yaml
+#- patches/cainjection_in_firstmates.yaml
+# +kubebuilder:scaffold:crdkustomizecainjectionpatch
 
 # the following config is for teaching kustomize how to do kustomization for CRDs.
 configurations:

testdata/project-v2/config/crd/kustomizeconfig.yaml

@@ -7,8 +7,11 @@ nameReference:
     group: apiextensions.k8s.io
     path: spec/conversion/webhookClientConfig/service/name
 
-varReference:
-- path: metadata/annotations
+namespace:
 - kind: CustomResourceDefinition
   group: apiextensions.k8s.io
   path: spec/conversion/webhookClientConfig/service/namespace
+  create: false
+
+varReference:
+- path: metadata/annotations

testdata/project-v2/config/crd/patches/cainjection_in_captains.yaml

@@ -0,0 +1,8 @@
+# The following patch adds a directive for certmanager to inject CA into the CRD
+# CRD conversion requires k8s 1.13 or later.
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    certmanager.k8s.io/inject-ca-from: $(NAMESPACE)/$(CERTIFICATENAME)
+  name: captains.crew.testproject.org

testdata/project-v2/config/crd/patches/cainjection_in_firstmates.yaml

@@ -0,0 +1,8 @@
+# The following patch adds a directive for certmanager to inject CA into the CRD
+# CRD conversion requires k8s 1.13 or later.
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    certmanager.k8s.io/inject-ca-from: $(NAMESPACE)/$(CERTIFICATENAME)
+  name: firstmates.crew.testproject.org