Merge pull request #80 from rabbitmq/cert-manager

Manifests and documentation for people with or without cert-manager

Makefile

@@ -130,7 +130,9 @@ cluster-operator:
 ## used in CI pipeline to create release artifact
 generate-manifests:
 	mkdir -p releases
-	kustomize build config/installation/ > releases/messaging-topology-operator.yaml
+	kustomize build config/installation/  > releases/messaging-topology-operator.bak
+	sed '/CERTIFICATE_NAMESPACE.*CERTIFICATE_NAME/d' releases/messaging-topology-operator.bak > releases/messaging-topology-operator.yaml
+	kustomize build config/installation/cert-manager/ > releases/messaging-topology-operator-with-certmanager.yaml
 
 CERT_MANAGER_VERSION ?=v1.2.0
 cert-manager:

README.md

@@ -11,12 +11,11 @@ Before deploying Messaging Topology Operator, you need to have:
 1. A Running k8s cluster
 2. RabbitMQ [Cluster Operator](https://github.com/rabbitmq/cluster-operator) installed in the k8s cluster
 3. A [RabbitMQ cluster](https://github.com/rabbitmq/cluster-operator/tree/main/docs/examples) deployed using the Cluster Operator
-4. (Optional) [cert-manager](https://cert-manager.io/docs/installation/kubernetes/) `1.2.0` or above, installed in the k8s cluster
 
-If you have `kubectl` configured to access your running k8s cluster, you can then run the following command to install the Messaging Topology Operator:
+If you have [cert-manager](https://cert-manager.io/docs/installation/kubernetes/) `1.2.0` or above installed in your k8s cluster, and `kubectl` configured to access your running k8s cluster, you can then run the following command to install the Messaging Topology Operator:
 
 ```bash
-kubectl apply -f https://github.com/rabbitmq/messaging-topology-operator/releases/latest/download/messaging-topology-operator.yml
+kubectl apply -f https://github.com/rabbitmq/messaging-topology-operator/releases/latest/download/messaging-topology-operator-with-certmanager.yml
 ```
 
 You can create RabbitMQ resources:
@@ -30,7 +29,8 @@ You can create RabbitMQ resources:
 
 ## Install without cert-manager
 
-If you do not have cert-manager in your k8s cluster, you need to generate certificates used by admission webhooks yourself and include them in the operator deployment, crds, and webhooks manifests.
+If you do not have cert-manager installed in your k8s cluster, you will need to generate certificates used by admission webhooks yourself and include them in the operator and webhooks manifests.
+You can follow [this doc](./docs/installation/install-without-certmanager.md). 
 
 ## Contributing
 
@@ -44,4 +44,4 @@ Please read [contribution guidelines](CONTRIBUTING.md) if you are interested in
 
 ## Copyright
 
-Copyright 2021 VMware, Inc. All Rights Reserved.
+Copyright 2021 VMware, Inc. All Rights Reserved.

config/default/base/kustomization.yaml

@@ -7,40 +7,11 @@ resources:
 - ../../crd
 - ../../manager
 - ../../webhook
-- ../../certmanager
 
 patches:
 - manager_webhook_patch.yaml
 - webhookcainjection_patch.yaml
 
-vars:
-- name: CERTIFICATE_NAMESPACE # namespace of the certificate CR
-  objref:
-    kind: Certificate
-    group: cert-manager.io
-    version: v1
-    name: serving-cert # this name should match the one in certificate.yaml
-  fieldref:
-    fieldpath: metadata.namespace
-- name: CERTIFICATE_NAME
-  objref:
-    kind: Certificate
-    group: cert-manager.io
-    version: v1
-    name: serving-cert # this name should match the one in certificate.yaml
-- name: SERVICE_NAMESPACE # namespace of the service
-  objref:
-    kind: Service
-    version: v1
-    name: webhook-service
-  fieldref:
-    fieldpath: metadata.namespace
-- name: SERVICE_NAME
-  objref:
-    kind: Service
-    version: v1
-    name: webhook-service
-
 images:
 - name: controller
   newName: rabbitmqoperator/messaging-topology-operator-dev

config/default/overlays/cert-manager/kustomization.yaml

@@ -0,0 +1,40 @@
+# RabbitMQ Messaging Topology Kubernetes Operator
+
+# Copyright 2021 VMware, Inc.
+#
+# This product is licensed to you under the Mozilla Public license, Version 2.0 (the "License").  You may not use this product except in compliance with the Mozilla Public License.
+#
+# This product may include a number of subcomponents with separate copyright notices and license terms. Your use of these subcomponents is subject to the terms and conditions of the subcomponent's license, as noted in the LICENSE file.
+namespace: rabbitmq-system
+
+resources:
+- ../../base
+- ../../../certmanager
+
+vars:
+- name: SERVICE_NAMESPACE # namespace of the service
+  objref:
+    kind: Service
+    version: v1
+    name: webhook-service
+  fieldref:
+    fieldpath: metadata.namespace
+- name: SERVICE_NAME
+  objref:
+    kind: Service
+    version: v1
+    name: webhook-service
+- name: CERTIFICATE_NAMESPACE # namespace of the certificate CR
+  objref:
+    kind: Certificate
+    group: cert-manager.io
+    version: v1
+    name: serving-cert # this name should match the one in certificate.yaml
+  fieldref:
+    fieldpath: metadata.namespace
+- name: CERTIFICATE_NAME
+  objref:
+    kind: Certificate
+    group: cert-manager.io
+    version: v1
+    name: serving-cert # this name should match the one in certificate.yaml

config/default/overlays/dev/kustomization.yaml

@@ -8,7 +8,7 @@
 namespace: rabbitmq-system
 
 resources:
-- ../../base
+- ../cert-manager
 
 patches:
 - manager_image_patch.yaml

config/default/overlays/kind/kustomization.yaml

@@ -8,7 +8,7 @@
 namespace: rabbitmq-system
 
 resources:
-- ../../base
+- ../cert-manager
 
 patches:
 - manager_image_patch.yaml

config/installation/cert-manager/kustomization.yaml

@@ -0,0 +1,18 @@
+# RabbitMQ Messaging Topology Kubernetes Operator
+
+# Copyright 2021 VMware, Inc.
+#
+# This product is licensed to you under the Mozilla Public license, Version 2.0 (the "License").  You may not use this product except in compliance with the Mozilla Public License.
+#
+# This product may include a number of subcomponents with separate copyright notices and license terms. Your use of these subcomponents is subject to the terms and conditions of the subcomponent's license, as noted in the LICENSE file.
+
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: rabbitmq-system
+images:
+- name: rabbitmqoperator/messaging-topology-operator-dev
+  newName: rabbitmqoperator/messaging-topology-operator
+  newTag: latest
+
+resources:
+- ../../default/overlays/cert-manager

config/installation/kustomization.yaml

@@ -10,13 +10,9 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: rabbitmq-system
 images:
-
 - name: rabbitmqoperator/messaging-topology-operator-dev
   newName: rabbitmqoperator/messaging-topology-operator
   newTag: latest
 
 resources:
-- ../namespace/
-- ../crd/
-- ../rbac/
-- ../manager/
+- ../default/base

docs/installation/install-without-certmanager.md

@@ -0,0 +1,36 @@
+# Installation without cert-manager
+
+Before deploying Messaging Topology Operator, you need to have:
+
+1. A Running k8s cluster
+2. RabbitMQ [Cluster Operator](https://github.com/rabbitmq/cluster-operator) installed in the k8s cluster
+3. A [RabbitMQ cluster](https://github.com/rabbitmq/cluster-operator/tree/main/docs/examples) deployed using the Cluster Operator
+
+## Installation
+
+Download the latest release manifests https://github.com/rabbitmq/messaging-topology-operator/releases/latest/download/messaging-topology-operator.yml.
+
+The Messaging Topology Operator has multiple [admission webhooks](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/). You need to generate the webhook certificate and place it in multiple places in the manifest:
+
+1. Generate certificates for the Webhook. Certificates must be valid for `webhook-service.rabbitmq-system.svc`. `webhook-service` is the name of the webhook service object defined in release manifest `messaging-topology-operator.yml.`. `rabbitmq-system` is the namespace of the service.
+2. Create a k8s secret object with name `webhook-server-cert` in namespace `rabbitmq-system`. The secret object must contain following keys: `ca.crt`, `tls.key`, and `tls.key`. For example:
+    ```yaml
+    apiVersion: v1
+    kind: Secret
+    type: kubernetes.io/tls
+    metadata:
+      name: webhook-server-cert
+      namespace: rabbitmq-system
+    data:
+      ca.crt: # ca cert that can be used to validate the webhook's server certificate
+      tls.crt: # generated certificate
+      tls.key: # generated key
+    ```
+    This secret will be mounted to the operator container, where all webhooks will run from.
+1. Add webhook ca certificate in downloaded release manifest `messaging-topology-operator.yml`. There are 6 admission webhooks, one for each CRD type.
+Look for keyword `caBundle` in the manifest, and paste the webhook ca cert in there (6 places because there are 6 webhooks).
+1. Now you are ready to deploy. If you have `kubectl` configured to access your running k8s cluster, you can then run:
+
+```bash
+kubectl apply -f messaging-topology-operator.yml
+```