[Misc] webhook & server certificate helm configuration (SAP#96)

Author: anirudhprasad-sap

api/v1alpha1/capoperator_types.go

@@ -49,6 +49,16 @@ type CAPOperatorSpec struct {
 	Controller Controller `json:"controller,omitempty"`
 	// Monitoring specification
 	Monitoring Monitoring `json:"monitoring,omitempty"`
+	// Webhook specification
+	Webhook Webhook `json:"webhook,omitempty"`
+}
+
+type Webhook struct {
+	// Certificate manager which can be either `Default` or `CertManager`
+	// +kubebuilder:validation:Enum=Default;CertManager
+	CertificateManager CertificateManager `json:"certificateManager,omitempty"`
+	// Certificate configuration
+	CertificateConfig *CertificateConfig `json:"certificateConfig,omitempty"`
 }
 
 type Monitoring struct {
@@ -58,6 +68,11 @@ type Monitoring struct {
 
 type SubscriptionServer struct {
 	Subdomain string `json:"subDomain"`
+	// Certificate manager which can be either `Gardener` or `CertManager`
+	// +kubebuilder:validation:Enum=Gardener;CertManager
+	CertificateManager CertificateManager `json:"certificateManager,omitempty"`
+	// Certificate configuration
+	CertificateConfig *CertificateConfig `json:"certificateConfig,omitempty"`
 }
 
 type Controller struct {
@@ -80,6 +95,33 @@ type VersionMonitoring struct {
 	PromClientAcquireRetryDelay Duration `json:"promClientAcquireRetryDelay,omitempty"`
 }
 
+type CertificateConfig struct {
+	// Gardener configuration
+	Gardener Gardener `json:"gardener,omitempty"`
+	// CertManager configuration
+	CertManager CertManager `json:"certManager,omitempty"`
+}
+
+type Gardener struct {
+	// Issuer name
+	IssuerName string `json:"issuerName,omitempty"`
+	// Issuer namespace
+	IssuerNamespace string `json:"issuerNamespace,omitempty"`
+}
+
+type CertManager struct {
+	// Issuer name
+	IssuerName string `json:"issuerName,omitempty"`
+	// Issuer kind
+	IssuerKind string `json:"issuerKind,omitempty"`
+	// Issuer group
+	IssuerGroup string `json:"issuerGroup,omitempty"`
+}
+
+// Supported values are Gardener, CertManager, or Default
+// For the subscription server, it can be either Gardener or CertManager, while for the webhook, it can be either Default or CertManager
+type CertificateManager string
+
 // Duration is a valid time duration that can be parsed by Prometheus
 // Supported units: y, w, d, h, m, s, ms
 // Examples: `30s`, `1m`, `1h20m15s`, `15d`

api/v1alpha1/zz_generated.deepcopy.go

@@ -71,6 +71,15 @@ Helm chart to deploy CAP Operator https://sap.github.io/cap-operator/
 | subscriptionServer.ingressGatewayLabels | object | `{"app":"istio-ingressgateway","istio":"ingressgateway"}` | Labels used to identify the istio ingress-gateway component |
 | subscriptionServer.dnsTarget | string | `"public-ingress.clusters.cs.services.sap"` | The dns target mentioned on the public ingress gateway service used in the cluster |
 | subscriptionServer.domain | string | `"cap-operator.clusters.cs.services.sap"` | The domain under which the cap operator subscription server would be available |
+| subscriptionServer.certificateManager | string | `"Gardener"` | Certificate manager which can be either `Gardener` or `CertManager` |
+| subscriptionServer.certificateConfig | object | `{"certManager":{"issuerGroup":"","issuerKind":"","issuerName":""},"gardener":{"issuerName":"","issuerNamespace":""}}` | Certificate configuration |
+| subscriptionServer.certificateConfig.certManager | object | `{"issuerGroup":"","issuerKind":"","issuerName":""}` | Cert Manager configuration |
+| subscriptionServer.certificateConfig.certManager.issuerGroup | string | `""` | Issuer group |
+| subscriptionServer.certificateConfig.certManager.issuerKind | string | `""` | Issuer kind |
+| subscriptionServer.certificateConfig.certManager.issuerName | string | `""` | Issuer name |
+| subscriptionServer.certificateConfig.gardener | object | `{"issuerName":"","issuerNamespace":""}` | Optionally specify the corresponding certificate configuration |
+| subscriptionServer.certificateConfig.gardener.issuerName | string | `""` | Issuer name |
+| subscriptionServer.certificateConfig.gardener.issuerNamespace | string | `""` | Issuer namespace |
 | webhook.sidecar | bool | `false` | Side car to mount admission review |
 | webhook.replicas | int | `1` | Replicas |
 | webhook.image.repository | string | `"ghcr.io/sap/cap-operator/web-hooks"` | Image repository |
@@ -94,4 +103,8 @@ Helm chart to deploy CAP Operator https://sap.github.io/cap-operator/
 | webhook.service.type | string | `"ClusterIP"` | Service type |
 | webhook.service.port | int | `443` | Service port |
 | webhook.service.targetPort | int | `1443` | Target port |
-
+| webhook.certificateManager | string | `"Default"` | Certificate manager which can be either `Default` or `CertManager` |
+| webhook.certificateConfig | object | `{"certManager":{"issuerGroup":"","issuerKind":"","issuerName":""}}` | Optionally specify the corresponding certificate configuration |
+| webhook.certificateConfig.certManager.issuerGroup | string | `""` | Issuer group |
+| webhook.certificateConfig.certManager.issuerKind | string | `""` | Issuer kind |
+| webhook.certificateConfig.certManager.issuerName | string | `""` | Issuer name |

chart/README.md

@@ -8,7 +8,7 @@ metadata:
     operator.sme.sap.com/category: controller
     operator.sme.sap.com/release: {{.Release.Name}}
 spec:
-  replicas: {{.Values.subscriptionServer.replicas}} 
+  replicas: {{.Values.subscriptionServer.replicas}}
   selector:
     matchLabels:
       operator.sme.sap.com/app: subscription-server

chart/templates/server-deployment.yaml

@@ -1,26 +1,40 @@
-{{- if .Capabilities.APIVersions.Has "cert.gardener.cloud/v1alpha1" }}
+{{- if and (.Capabilities.APIVersions.Has "cert-manager.io/v1") (eq .Values.subscriptionServer.certificateManager "CertManager") }}
 ---
-apiVersion: cert.gardener.cloud/v1alpha1
+apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
   name: {{.Release.Name}}-subscription-server
   namespace: {{.Values.subscriptionServer.istioSystemNamespace}}
 spec:
   commonName: {{.Values.subscriptionServer.domain}}
-  secretName: {{.Release.Name}}-subscription-server
-{{- else if .Capabilities.APIVersions.Has "cert-manager.io/v1" }}
+  secretName: {{.Release.Name}}-subscription-server-cert-manager
+  issuerRef:
+    {{- with .Values.subscriptionServer.certificateConfig.certManager.issuerGroup }}
+    group: {{ . }}
+    {{- end }}
+    {{- with .Values.subscriptionServer.certificateConfig.certManager.issuerKind }}
+    kind: {{ . }}
+    {{- end }}
+    {{- with .Values.subscriptionServer.certificateConfig.certManager.issuerName }}
+    name: {{ . }}
+    {{- end }}
+{{- else if and (.Capabilities.APIVersions.Has "cert.gardener.cloud/v1alpha1") (eq .Values.subscriptionServer.certificateManager "Gardener") }}
 ---
-apiVersion: cert-manager.io/v1
+apiVersion: cert.gardener.cloud/v1alpha1
 kind: Certificate
 metadata:
   name: {{.Release.Name}}-subscription-server
   namespace: {{.Values.subscriptionServer.istioSystemNamespace}}
 spec:
   commonName: {{.Values.subscriptionServer.domain}}
-  secretName: {{.Release.Name}}-subscription-server
+  secretName: {{.Release.Name}}-subscription-server-gardener
+  {{- if .Values.subscriptionServer.certificateConfig.gardener.issuerName }}
   issuerRef:
-    kind: ClusterIssuer
-    name: cluster-ca
+    name: {{.Values.subscriptionServer.certificateConfig.gardener.issuerName}}
+    {{- if .Values.subscriptionServer.certificateConfig.gardener.issuerNamespace }}
+    namespace: {{.Values.subscriptionServer.certificateConfig.gardener.issuerNamespace}}
+    {{- end }}
+  {{- end }}
 {{- end }}
 {{- if .Capabilities.APIVersions.Has "dns.gardener.cloud/v1alpha1" }}
 ---
@@ -55,7 +69,11 @@ spec:
       number: 443
       protocol: HTTPS
     tls:
-      credentialName: {{.Release.Name}}-subscription-server
+      {{- if and (.Capabilities.APIVersions.Has "cert-manager.io/v1") (eq .Values.subscriptionServer.certificateManager "CertManager") }}
+      credentialName: {{.Release.Name}}-subscription-server-cert-manager
+      {{- else if and (.Capabilities.APIVersions.Has "cert.gardener.cloud/v1alpha1") (eq .Values.subscriptionServer.certificateManager "Gardener") }}
+      credentialName: {{.Release.Name}}-subscription-server-gardener
+      {{- end }}
       mode: SIMPLE
 ---
 apiVersion: networking.istio.io/v1beta1

chart/templates/server-networking.yaml

@@ -1,4 +1,34 @@
 {{- if gt (int .Values.webhook.replicas) 0 }}
+{{- $caCert := "" }}
+---
+{{- if and (.Capabilities.APIVersions.Has "cert-manager.io/v1") (eq .Values.webhook.certificateManager "CertManager") }}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{.Release.Name}}-webhook-cert
+  labels:
+    operator.sme.sap.com/app: webhook
+    operator.sme.sap.com/category: controller
+    operator.sme.sap.com/release: {{.Release.Name}}
+spec:
+  dnsNames:
+  - {{.Release.Name}}-webhook
+  - {{.Release.Name}}-webhook.{{ .Release.Namespace }}
+  - {{.Release.Name}}-webhook.{{ .Release.Namespace }}.svc
+  - {{.Release.Name}}-webhook.{{ .Release.Namespace }}.svc.cluster.local
+  issuerRef:
+    {{- with .Values.webhook.certificateConfig.certManager.issuerGroup }}
+    group: {{ . }}
+    {{- end }}
+    {{- with .Values.webhook.certificateConfig.certManager.issuerKind }}
+    kind: {{ . }}
+    {{- end }}
+    {{- with .Values.webhook.certificateConfig.certManager.issuerName }}
+    name: {{ . }}
+    {{- end }}
+  secretName: {{.Release.Name}}-webhook-tls-managed
+{{- else }}
 ---
 apiVersion: v1
 kind: Secret
@@ -10,20 +40,31 @@ metadata:
     operator.sme.sap.com/release: {{.Release.Name}}
 type: Opaque
 data:
+  {{- $cn := printf "%s-webhook.%s.svc" .Release.Name .Release.Namespace }}
   {{- $data := (lookup "v1" "Secret" .Release.Namespace (printf "%s-webhook-tls" .Release.Name )).data }}
-  {{- $caCert := "" }}
   {{- if $data }}
-  {{ $data | toYaml | nindent 2 }}
-  {{- $caCert = index $data "ca.crt" }}
+    {{- $caCert = index $data "ca.crt" }}
+    {{- if (hasKey $data "ca.key") }}
+      {{- $caKey := index $data "ca.key" }}
+      ca.crt: {{ $caCert }}
+      ca.key: {{ $caKey }}
+      {{- $customCa := buildCustomCert $caCert $caKey }}
+      {{- $customCaCert := genSignedCert $cn (list "127.0.0.1") (list $cn "localhost") 1000 $customCa }}
+      tls.crt: {{ $customCaCert.Cert | b64enc }}
+      tls.key: {{ $customCaCert.Key | b64enc }}
+    {{- else }}
+      {{ $data | toYaml | nindent 2 }}
+    {{- end }}
   {{- else }}
-  {{- $cn := printf "%s-webhook.%s.svc" .Release.Name .Release.Namespace }}
-  {{- $ca := genCA (printf "%s-webhook-ca" .Release.Name  ) 36500 }}
-  {{- $cert := genSignedCert $cn (list "127.0.0.1") (list $cn "localhost") 36500 $ca }}
-  ca.crt: {{ $ca.Cert | b64enc }}
-  tls.crt: {{ $cert.Cert | b64enc }}
-  tls.key: {{ $cert.Key | b64enc }}
-  {{- $caCert = $ca.Cert | b64enc }}
+    {{- $ca := genCA (printf "%s-webhook-ca" .Release.Name  ) 3650 }}
+    {{- $cert := genSignedCert $cn (list "127.0.0.1") (list $cn "localhost") 1000 $ca }}
+    ca.crt: {{ $ca.Cert | b64enc }}
+    ca.key: {{ $ca.Key | b64enc }}
+    tls.crt: {{ $cert.Cert | b64enc }}
+    tls.key: {{ $cert.Key | b64enc }}
+    {{- $caCert = $ca.Cert | b64enc }}
   {{- end }}
+{{- end }}
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
@@ -33,12 +74,18 @@ metadata:
     operator.sme.sap.com/app: webhook
     operator.sme.sap.com/category: controller
     operator.sme.sap.com/release: {{.Release.Name}}
+  {{- if and (.Capabilities.APIVersions.Has "cert-manager.io/v1") (eq .Values.webhook.certificateManager "CertManager") }}
+  annotations:
+    cert-manager.io/inject-ca-from: {{.Release.Namespace}}/{{.Release.Name}}-webhook-cert
+  {{- end }}
 webhooks:
 - name: cap-operator.sme.sap.com
   admissionReviewVersions:
   - v1
   clientConfig:
+    {{- if not (and (.Capabilities.APIVersions.Has "cert-manager.io/v1") (eq .Values.webhook.certificateManager "CertManager")) }}
     caBundle: {{ $caCert }}
+    {{- end }}
     service:
       name: {{.Release.Name}}-webhook
       namespace: {{ .Release.Namespace }}