feat(external-secrets): use cert-manager to generate/inject CA for we…

…bhooks

external-secrets/kustomization.yaml

@@ -6,6 +6,7 @@ namespace: external-secrets
 resources:
 - namespace.yaml
 - gcpsm-cluster-secret-store.yaml
+- webhook-ca.yaml
 
 helmCharts:
 - name: external-secrets
@@ -16,9 +17,29 @@ helmCharts:
   includeCRDs: true
   valuesInline:
     certController:
+      create: false
+    webhook:
       tolerations:
       - operator: Exists
         key: "node-role.kubernetes.io/master"
     tolerations:
     - operator: Exists
-      key: "node-role.kubernetes.io/master"
+      key: "node-role.kubernetes.io/master"
+
+patches:
+- target:
+    group: apiextensions.k8s.io
+    version: v1
+    kind: CustomResourceDefinition
+  patch: |-
+    - op: add
+      path: /metadata/annotations/cert-manager.io~1inject-ca-from
+      value: external-secrets/external-secrets-webhook-ca
+- target:
+    group: admissionregistration.k8s.io
+    version: v1
+    kind: ValidatingWebhookConfiguration
+  patch: |-
+    - op: add
+      path: /metadata/annotations/cert-manager.io~1inject-ca-from
+      value: external-secrets/external-secrets-webhook-ca

external-secrets/webhook-ca.yaml

@@ -0,0 +1,17 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: external-secrets-webhook-ca
+spec:
+  issuerRef:
+    kind: ClusterIssuer
+    name: selfsigned-issuer
+  secretName: homelab-external-secrets-webhook # hard-coded for deploy/homelab-external-secrets-webhook
+  commonName: external-secrets-webhook-ca
+  subject:
+    organizations: ["external-secrets"]
+  dnsNames:
+  - homelab-external-secrets-webhook.external-secrets.svc
+  - homelab-external-secrets-webhook.external-secrets.svc.cluster.local
+  duration: 4560h # 190 days
+  renewBefore: 2400h # 100 days