feat: Expose options to allow injection of external certificates (#2249)
* Expose options to allow external certificate injection

* Allow overriding the certificate secret name
* Only generate cert-secret if external injection is disabled
* Disable default certificate rotation when injecting

Signed-off-by: Ethan Range <65268454+ethanrange@users.noreply.github.com>

* Update manifest_staging with cert injection

Signed-off-by: Ethan Range <65268454+ethanrange@users.noreply.github.com>

* Fix typo in Helm Chart README

Co-authored-by: Rita Zhang <rita.z.zhang@gmail.com>
Signed-off-by: Ethan Range <65268454+ethanrange@users.noreply.github.com>

* Update manifest_staging after README change

Signed-off-by: Ethan Range <65268454+ethanrange@users.noreply.github.com>

Signed-off-by: Ethan Range <65268454+ethanrange@users.noreply.github.com>
Co-authored-by: Rita Zhang <rita.z.zhang@gmail.com>
ethanrange and ritazh committed Sep 2, 2022
1 parent 7bde011 commit 6f66057
Showing 10 changed files with 20 additions and 4 deletions.
2 changes: 1 addition & 1 deletion cmd/build/helmify/kustomize-for-helm.yaml
@@ -160,7 +160,7 @@ spec:
- --prometheus-port=HELMSUBST_DEPLOYMENT_AUDIT_METRICS_PORT
- --enable-external-data={{ .Values.enableExternalData }}
- HELMSUBST_METRICS_BACKEND_ARG
- --disable-cert-rotation={{ .Values.audit.disableCertRotation }}
- --disable-cert-rotation={{ or .Values.audit.disableCertRotation .Values.externalCertInjection.enabled }}
imagePullPolicy: "{{ .Values.image.pullPolicy }}"
HELMSUBST_AUDIT_CONTROLLER_MANAGER_DEPLOYMENT_IMAGE_RELEASE: ""
ports:
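Review bot: only the audit deployment's `--disable-cert-rotation` is tied to `externalCertInjection.enabled` in this file (the whole change is 1 addition and 1 deletion). The controller-manager deployment is the one whose cert controller actually rotates the webhook Secret and writes the caBundle into the webhook configurations, so unless its flag is also ORed with `.Values.externalCertInjection.enabled`, enabling injection leaves rotation running and the injected Secret can be overwritten on the next rotation. Please confirm that deployment is covered elsewhere or extend the same `{{ or ... }}` expression to it.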
4 changes: 4 additions & 0 deletions cmd/build/helmify/main.go
@@ -113,6 +113,10 @@ func (ks *kindSet) Write() error {
obj = "{{- if not .Values.disableMutation }}\n" + obj + "{{- end }}\n"
}

if name == "gatekeeper-webhook-server-cert" && kind == "Secret" {
obj = "{{- if not .Values.externalCertInjection.enabled }}\n" + obj + "{{- end }}\n"
}

if name == "gatekeeper-critical-pods" && kind == "ResourceQuota" {
obj = "{{- if .Values.resourceQuota }}\n" + obj + "{{- end }}\n"
}
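Review bot: the new guard keys on the literal `"gatekeeper-webhook-server-cert"`, which must stay in sync with the hardcoded `name:` of the Secret template; if that name is ever changed (or made to follow `externalCertInjection.secretName`), this branch silently stops matching and the Secret is emitted unconditionally again. A one-line comment pointing at the template that owns the name, or a shared constant, would make the coupling visible.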
2 changes: 2 additions & 0 deletions cmd/build/helmify/static/README.md
@@ -185,6 +185,8 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi
| service.loadBalancerIP | The IP address of LoadBalancer service | `` |
| service.healthzPort | Service port to gatekeeper Webhook health port | `9090` |
| rbac.create | Enable the creation of RBAC resources | `true` |
| externalCertInjection.enabled | Enable the injection of an external certificate. This disables automatic certificate generation and rotation | `false` |
| externalCertInjection.secretName | Name of secret for injected certificate | `gatekeeper-webhook-server-cert` |

## Contributing Changes

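Review bot: the `externalCertInjection.secretName` row should tell users that, when injection is enabled, the chart no longer renders this Secret, so it has to exist in the release namespace before install with the key names the webhook server reads from its cert mount; and because rotation is disabled at the same time, the caBundle on the webhook configurations also has to be supplied by whatever issues the certificate. Without that, the first symptom of a missing or misnamed Secret is webhook pods stuck on a volume mount and admission requests failing, which is hard to trace back to a chart value.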
2 changes: 1 addition & 1 deletion cmd/build/helmify/static/templates/_helpers.tpl
@@ -81,5 +81,5 @@ Output post install webhook probe volume entry
{{- define "gatekeeper.postInstallWebhookProbeVolume" -}}
- name: cert
secret:
secretName: gatekeeper-webhook-server-cert
secretName: {{ .Values.externalCertInjection.secretName }}
{{- end -}}
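Review bot: the post-install probe volume is the only mount in this diff that switches to `.Values.externalCertInjection.secretName`. Check that the controller-manager and audit deployments' `cert` volumes use the same value; otherwise a non-default `secretName` produces a probe that mounts one Secret while the webhook pods mount a differently named one that the chart no longer creates, and the probe passes against a cert the webhook never serves.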
3 changes: 3 additions & 0 deletions cmd/build/helmify/static/values.yaml
@@ -239,3 +239,6 @@ upgradeCRDs:
extraRules: []
rbac:
create: true
externalCertInjection:
enabled: false
secretName: gatekeeper-webhook-server-cert
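Review bot: these two keys carry no inline comment, unlike the documented README rows. A short comment on `enabled` (disables generation and rotation; the Secret must be pre-created) and on `secretName` (only consulted when `enabled` is true, if that is the intended contract) would keep `helm show values` self-explanatory.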
2 changes: 2 additions & 0 deletions manifest_staging/charts/gatekeeper/README.md
@@ -185,6 +185,8 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi
| service.loadBalancerIP | The IP address of LoadBalancer service | `` |
| service.healthzPort | Service port to gatekeeper Webhook health port | `9090` |
| rbac.create | Enable the creation of RBAC resources | `true` |
| externalCertInjection.enabled | Enable the injection of an external certificate. This disables automatic certificate generation and rotation | `false` |
| externalCertInjection.secretName | Name of secret for injected certificate | `gatekeeper-webhook-server-cert` |

## Contributing Changes

2 changes: 1 addition & 1 deletion manifest_staging/charts/gatekeeper/templates/_helpers.tpl
@@ -81,5 +81,5 @@ Output post install webhook probe volume entry
{{- define "gatekeeper.postInstallWebhookProbeVolume" -}}
- name: cert
secret:
secretName: gatekeeper-webhook-server-cert
secretName: {{ .Values.externalCertInjection.secretName }}
{{- end -}}
@@ -66,7 +66,7 @@ spec:
{{- range .Values.metricsBackends}}
- --metrics-backend={{ . }}
{{- end }}
- --disable-cert-rotation={{ .Values.audit.disableCertRotation }}
- --disable-cert-rotation={{ or .Values.audit.disableCertRotation .Values.externalCertInjection.enabled }}
command:
- /manager
env:
@@ -1,3 +1,4 @@
{{- if not .Values.externalCertInjection.enabled }}
apiVersion: v1
kind: Secret
metadata:
@@ -10,3 +11,4 @@ metadata:
release: '{{ .Release.Name }}'
name: gatekeeper-webhook-server-cert
namespace: '{{ .Release.Namespace }}'
{{- end }}
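Review bot: the Secret keeps the literal `name: gatekeeper-webhook-server-cert` while the probe helper now mounts `{{ .Values.externalCertInjection.secretName }}` unconditionally. With `enabled: false` and a custom `secretName`, the chart renders the Secret under one name and mounts another. Either fall back to the literal when injection is disabled, e.g. `{{- if .Values.externalCertInjection.enabled }}{{ .Values.externalCertInjection.secretName }}{{- else }}gatekeeper-webhook-server-cert{{- end }}`, or state in the values docs that `secretName` is ignored unless `enabled` is true.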
3 changes: 3 additions & 0 deletions manifest_staging/charts/gatekeeper/values.yaml
@@ -239,3 +239,6 @@ upgradeCRDs:
extraRules: []
rbac:
create: true
externalCertInjection:
enabled: false
secretName: gatekeeper-webhook-server-cert
