Merge pull request #9 from Azure/simon/replace-cert-manager

feat: remove cert-manager dependency

Author: croomes

Makefile

@@ -116,7 +116,6 @@ test: manifests generate envtest go-junit-report gocov gocov-xml ## Run tests an
 # Prometheus and CertManager and Jaeger are installed by default if they not
 # already installed. Skip install with:
 # - SKIP_INSTALL_PROMETHEUS=true
-# - SKIP_INSTALL_CERT_MANAGER=true
 # To avoid uninstalling everything after the tests, use:
 # - SKIP_UNINSTALL=true
 .PHONY: e2e
@@ -432,7 +431,6 @@ ENVTEST_VERSION ?= release-0.19
 KIND_VERSION ?= v0.25.0
 GOLANGCI_LINT_VERSION ?= v2.1.6
 GO_JUNIT_REPORT_VERSION ?= v2.1.0
-CERT_MANAGER_VERSION ?= 1.12.12-5
 PROMETHEUS_VERSION ?= v0.77.1
 JAEGER_VERSION ?= v1.62.0
 GINKGO_VERSION ?= v2.23.3
@@ -499,16 +497,6 @@ set-docker-pipeline-variables: # Echos variables used to pass information to doc
 	@echo "##vso[task.setvariable variable=build_date;isOutput=true]$$( date -u +%Y-%m-%dT%H:%M:%SZ )"
 	@echo "##vso[task.setvariable variable=git_revision;isOutput=true]$$( git rev-parse HEAD )"
 
-CERT_MANAGER_CHART="oci://mcr.microsoft.com/azurelinux/helm/cert-manager"
-.PHONY: cert-manager
-cert-manager: helm ## Install cert-manager into the current cluster.
-	$(HELM) install cert-manager $(CERT_MANAGER_CHART) --version $(CERT_MANAGER_VERSION) \
-		--set cert-manager.installCRDs=true --namespace cert-manager --create-namespace --wait --debug --atomic
-
-.PHONY: cert-manager-uninstall
-cert-manager-uninstall: helm ## Uninstall cert-manager from the current cluster.
-	$(HELM) uninstall cert-manager --namespace cert-manager --wait --debug --ignore-not-found
-
 .PHONY: kyverno
 kyverno: helm ## Install kyverno into the current cluster.
 	$(HELM) repo add kyverno https://kyverno.github.io/kyverno/

api/v1alpha1/clusterconfig_types.go

@@ -32,12 +32,6 @@ type ClusterConfig struct {
 	// Version is the semver version of the Helm chart that installed this
 	// configuration.
 	Version string `json:"version,omitempty"`
-	// Enable the PVC webhook, to enforce generic ephemeral volumes only unless
-	// pvc annotations for persistent storage are set.
-	EnforceEphemeralPVC *bool `json:"enforceEphemeralPVC,omitempty"`
-	// EnforceHyperconvergedWithWebhook enables the webhook that enforces
-	// hyperconverged mode for the Local CSI Driver.
-	EnforceHyperconvergedWithWebhook *bool `json:"enforceHyperconvergedWithWebhook,omitempty"`
 }
 
 func init() {

api/v1alpha1/zz_generated.deepcopy.go

@@ -0,0 +1,34 @@
+{{- if or .Values.node.driver.webhooks.ephemeral.enabled .Values.node.driver.webhooks.hyperconverged.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "chart.fullname" . }}-certificate-role
+  labels:
+  {{- include "chart.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - patch
+  - update
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "chart.fullname" . }}-certificate-rolebinding
+  labels:
+  {{- include "chart.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "chart.fullname" . }}-certificate-role
+subjects:
+- kind: ServiceAccount
+  name: {{ include "chart.fullname" . }}-node
+  namespace: '{{ .Release.Namespace }}'
+{{- end }}

charts/latest/templates/certificate-rbac.yaml

@@ -33,6 +33,18 @@ spec:
                 - linux
       containers:
       - args: {{- toYaml .Values.node.driver.args | nindent 8 }}
+        {{- if or .Values.node.driver.webhooks.ephemeral.enabled .Values.node.driver.webhooks.hyperconverged.enabled }}
+        - --webhook-service-name={{ include "chart.fullname" . }}-webhook-service
+        {{- end }}
+        {{- if .Values.node.driver.webhooks.ephemeral.enabled }}
+        - --ephemeral-webhook-config={{ include "chart.fullname" . }}-ephemeral-webhook
+        {{- end }}
+        {{- if .Values.node.driver.webhooks.hyperconverged.enabled }}
+        - --hyperconverged-webhook-config={{ include "chart.fullname" . }}-hyperconverged-webhook
+        {{- end }}
+        {{- if or .Values.node.driver.webhooks.ephemeral.enabled .Values.node.driver.webhooks.hyperconverged.enabled }}
+        - --certificate-secret-name={{ include "chart.fullname" . }}-webhook-server-cert
+        {{- end }}
         command:
         - /local-csi-driver
         env:
@@ -194,7 +206,7 @@ spec:
       volumes:
       - name: cert
         secret:
-          secretName: webhook-server-cert
+          secretName: {{ include "chart.fullname" . }}-webhook-server-cert
       - configMap:
           name: {{ include "chart.fullname" . }}-cluster-config
         name: cluster-config

charts/latest/templates/daemonset.yaml

@@ -94,6 +94,28 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - "admissionregistration.k8s.io"
+  resources:
+  - "validatingwebhookconfigurations"
+  - "mutatingwebhookconfigurations"
+  verbs:
+  - "get"
+  - "list"
+  - "watch"
+  - "update"
+  - "patch"
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

charts/latest/templates/node-rbac.yaml

@@ -1,9 +1,8 @@
+{{- if .Values.node.driver.webhooks.ephemeral.enabled }}
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
-  name: {{ include "chart.fullname" . }}-pvc-create-webhook
-  annotations:
-    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "chart.fullname" . }}-serving-cert
+  name: {{ include "chart.fullname" . }}-ephemeral-webhook
   labels:
   {{- include "chart.labels" . | nindent 4 }}
 webhooks:
@@ -13,7 +12,7 @@ webhooks:
     service:
       name: {{ include "chart.fullname" . }}-webhook-service
       namespace: '{{ .Release.Namespace }}'
-      path: /pvc-create
+      path: /validate-pvc
   failurePolicy: Ignore
   name: pvc.acstor.azure.com
   rules:
@@ -27,3 +26,4 @@ webhooks:
     - persistentvolumeclaims
     scope: Namespaced
   sideEffects: None
+{{- end }}

charts/latest/templates/selfsigned-issuer.yaml

@@ -1,9 +1,8 @@
+{{- if .Values.node.driver.webhooks.hyperconverged.enabled }}
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:
   name: {{ include "chart.fullname" . }}-hyperconverged-webhook
-  annotations:
-    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "chart.fullname" . }}-serving-cert
   labels:
   {{- include "chart.labels" . | nindent 4 }}
 webhooks:
@@ -13,7 +12,7 @@ webhooks:
     service:
       name: {{ include "chart.fullname" . }}-webhook-service
       namespace: '{{ .Release.Namespace }}'
-      path: /mutate-hyperconverged-pods
+      path: /mutate-pod
   failurePolicy: Ignore
   name: hyperconverged.local.csi.azure.com
   rules:
@@ -26,3 +25,4 @@ webhooks:
     resources:
     - pods
   sideEffects: None
+{{- end }}