Refine CA injection setup for ConversionWebhook in Kubebuilder scaffold

In PR kubernetes-sigs#4123, cert-manager CA injection annotations were added directly in the centralized config for ConversionWebhook:

  - Fields such as `fieldPath: .metadata.namespace` and `fieldPath: .metadata.name` were added to inject the CA into each CRD’s ConversionWebhook.

However, this setup is redundant for ConversionWebhooks. Each CRD with a ConversionWebhook already receives the necessary CA injection through a patch managed by cert-manager, making a centralized configuration unnecessary.

This commit removes the centralized CA injection configuration for ConversionWebhook to simplify the scaffold and prevent potential duplicate injection issues.

Fixes:
- Ensures CA injection is handled on a per-CRD basis by cert-manager patches, providing clear, efficient CA management for ConversionWebhooks.

Author: camilamacedo86

.github/workflows/test-e2e-samples.yml

@@ -83,7 +83,7 @@ jobs:
           # Uncomment only ValidatingWebhookConfiguration
           # from cert-manager replaces
           sed -i '50,80s/^#//' $KUSTOMIZATION_FILE_PATH
-          sed -i '144,177s/^#//' $KUSTOMIZATION_FILE_PATH
+          sed -i '113,146s/^#//' $KUSTOMIZATION_FILE_PATH
           cd testdata/project-v4-with-plugins/
           go mod tidy
 
@@ -122,11 +122,11 @@ jobs:
         run: |
           KUSTOMIZATION_FILE_PATH="testdata/project-v4-multigroup/config/default/kustomization.yaml"
           sed -i '25s/^#//' $KUSTOMIZATION_FILE_PATH
-          sed -i '50,177s/^#//' $KUSTOMIZATION_FILE_PATH
+          sed -i '50,146s/^#//' $KUSTOMIZATION_FILE_PATH
           cd testdata/project-v4-multigroup
           go mod tidy
 
       - name: Testing make test-e2e for project-v4-multigroup
         working-directory: testdata/project-v4-multigroup/
         run: |
-          make test-e2e          
+          make test-e2e         

docs/book/src/cronjob-tutorial/testdata/project/config/default/kustomization.yaml

@@ -110,37 +110,6 @@ replacements:
          index: 1
          create: true
 
- - source: # Uncomment the following block if you have a ConversionWebhook (--conversion)
-     kind: Certificate
-     group: cert-manager.io
-     version: v1
-     name: serving-cert # This name should match the one in certificate.yaml
-     fieldPath: .metadata.namespace # Namespace of the certificate CR
-   targets:
-     - select:
-         kind: CustomResourceDefinition
-       fieldPaths:
-         - .metadata.annotations.[cert-manager.io/inject-ca-from]
-       options:
-         delimiter: '/'
-         index: 0
-         create: true
- - source:
-     kind: Certificate
-     group: cert-manager.io
-     version: v1
-     name: serving-cert # This name should match the one in certificate.yaml
-     fieldPath: .metadata.name
-   targets:
-     - select:
-         kind: CustomResourceDefinition
-       fieldPaths:
-         - .metadata.annotations.[cert-manager.io/inject-ca-from]
-       options:
-         delimiter: '/'
-         index: 1
-         create: true
-
  - source: # Uncomment the following block if you enable cert-manager
      kind: Service
      version: v1

docs/book/src/getting-started/testdata/project/config/default/kustomization.yaml

@@ -110,37 +110,6 @@ patches:
 #         index: 1
 #         create: true
 #
-# - source: # Uncomment the following block if you have a ConversionWebhook (--conversion)
-#     kind: Certificate
-#     group: cert-manager.io
-#     version: v1
-#     name: serving-cert # This name should match the one in certificate.yaml
-#     fieldPath: .metadata.namespace # Namespace of the certificate CR
-#   targets:
-#     - select:
-#         kind: CustomResourceDefinition
-#       fieldPaths:
-#         - .metadata.annotations.[cert-manager.io/inject-ca-from]
-#       options:
-#         delimiter: '/'
-#         index: 0
-#         create: true
-# - source:
-#     kind: Certificate
-#     group: cert-manager.io
-#     version: v1
-#     name: serving-cert # This name should match the one in certificate.yaml
-#     fieldPath: .metadata.name
-#   targets:
-#     - select:
-#         kind: CustomResourceDefinition
-#       fieldPaths:
-#         - .metadata.annotations.[cert-manager.io/inject-ca-from]
-#       options:
-#         delimiter: '/'
-#         index: 1
-#         create: true
-#
 # - source: # Uncomment the following block if you enable cert-manager
 #     kind: Service
 #     version: v1

docs/book/src/multiversion-tutorial/testdata/project/config/default/kustomization.yaml

@@ -110,37 +110,6 @@ replacements:
          index: 1
          create: true
 
- - source: # Uncomment the following block if you have a ConversionWebhook (--conversion)
-     kind: Certificate
-     group: cert-manager.io
-     version: v1
-     name: serving-cert # This name should match the one in certificate.yaml
-     fieldPath: .metadata.namespace # Namespace of the certificate CR
-   targets:
-     - select:
-         kind: CustomResourceDefinition
-       fieldPaths:
-         - .metadata.annotations.[cert-manager.io/inject-ca-from]
-       options:
-         delimiter: '/'
-         index: 0
-         create: true
- - source:
-     kind: Certificate
-     group: cert-manager.io
-     version: v1
-     name: serving-cert # This name should match the one in certificate.yaml
-     fieldPath: .metadata.name
-   targets:
-     - select:
-         kind: CustomResourceDefinition
-       fieldPaths:
-         - .metadata.annotations.[cert-manager.io/inject-ca-from]
-       options:
-         delimiter: '/'
-         index: 1
-         create: true
-
  - source: # Uncomment the following block if you enable cert-manager
      kind: Service
      version: v1

hack/docs/internal/cronjob-tutorial/sample.go

@@ -96,37 +96,6 @@ const DefaultKustomization = `#replacements:
 #         index: 1
 #         create: true
 #
-# - source: # Uncomment the following block if you have a ConversionWebhook (--conversion)
-#     kind: Certificate
-#     group: cert-manager.io
-#     version: v1
-#     name: serving-cert # This name should match the one in certificate.yaml
-#     fieldPath: .metadata.namespace # Namespace of the certificate CR
-#   targets:
-#     - select:
-#         kind: CustomResourceDefinition
-#       fieldPaths:
-#         - .metadata.annotations.[cert-manager.io/inject-ca-from]
-#       options:
-#         delimiter: '/'
-#         index: 0
-#         create: true
-# - source:
-#     kind: Certificate
-#     group: cert-manager.io
-#     version: v1
-#     name: serving-cert # This name should match the one in certificate.yaml
-#     fieldPath: .metadata.name
-#   targets:
-#     - select:
-#         kind: CustomResourceDefinition
-#       fieldPaths:
-#         - .metadata.annotations.[cert-manager.io/inject-ca-from]
-#       options:
-#         delimiter: '/'
-#         index: 1
-#         create: true
-#
 # - source: # Uncomment the following block if you enable cert-manager
 #     kind: Service
 #     version: v1

pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/kustomization.go

@@ -155,37 +155,6 @@ patches:
 #         index: 1
 #         create: true
 #
-# - source: # Uncomment the following block if you have a ConversionWebhook (--conversion)
-#     kind: Certificate
-#     group: cert-manager.io
-#     version: v1
-#     name: serving-cert # This name should match the one in certificate.yaml
-#     fieldPath: .metadata.namespace # Namespace of the certificate CR
-#   targets:
-#     - select:
-#         kind: CustomResourceDefinition
-#       fieldPaths:
-#         - .metadata.annotations.[cert-manager.io/inject-ca-from]
-#       options:
-#         delimiter: '/'
-#         index: 0
-#         create: true
-# - source:
-#     kind: Certificate
-#     group: cert-manager.io
-#     version: v1
-#     name: serving-cert # This name should match the one in certificate.yaml
-#     fieldPath: .metadata.name
-#   targets:
-#     - select:
-#         kind: CustomResourceDefinition
-#       fieldPaths:
-#         - .metadata.annotations.[cert-manager.io/inject-ca-from]
-#       options:
-#         delimiter: '/'
-#         index: 1
-#         create: true
-#
 # - source: # Uncomment the following block if you enable cert-manager
 #     kind: Service
 #     version: v1

test/e2e/v4/generate_test.go

@@ -287,37 +287,6 @@ const certManagerTarget = `#replacements:
 #         index: 1
 #         create: true
 #
-# - source: # Uncomment the following block if you have a ConversionWebhook (--conversion)
-#     kind: Certificate
-#     group: cert-manager.io
-#     version: v1
-#     name: serving-cert # This name should match the one in certificate.yaml
-#     fieldPath: .metadata.namespace # Namespace of the certificate CR
-#   targets:
-#     - select:
-#         kind: CustomResourceDefinition
-#       fieldPaths:
-#         - .metadata.annotations.[cert-manager.io/inject-ca-from]
-#       options:
-#         delimiter: '/'
-#         index: 0
-#         create: true
-# - source:
-#     kind: Certificate
-#     group: cert-manager.io
-#     version: v1
-#     name: serving-cert # This name should match the one in certificate.yaml
-#     fieldPath: .metadata.name
-#   targets:
-#     - select:
-#         kind: CustomResourceDefinition
-#       fieldPaths:
-#         - .metadata.annotations.[cert-manager.io/inject-ca-from]
-#       options:
-#         delimiter: '/'
-#         index: 1
-#         create: true
-#
 # - source: # Uncomment the following block if you enable cert-manager
 #     kind: Service
 #     version: v1

testdata/project-v4-multigroup/config/default/kustomization.yaml

@@ -110,37 +110,6 @@ patches:
 #         index: 1
 #         create: true
 #
-# - source: # Uncomment the following block if you have a ConversionWebhook (--conversion)
-#     kind: Certificate
-#     group: cert-manager.io
-#     version: v1
-#     name: serving-cert # This name should match the one in certificate.yaml
-#     fieldPath: .metadata.namespace # Namespace of the certificate CR
-#   targets:
-#     - select:
-#         kind: CustomResourceDefinition
-#       fieldPaths:
-#         - .metadata.annotations.[cert-manager.io/inject-ca-from]
-#       options:
-#         delimiter: '/'
-#         index: 0
-#         create: true
-# - source:
-#     kind: Certificate
-#     group: cert-manager.io
-#     version: v1
-#     name: serving-cert # This name should match the one in certificate.yaml
-#     fieldPath: .metadata.name
-#   targets:
-#     - select:
-#         kind: CustomResourceDefinition
-#       fieldPaths:
-#         - .metadata.annotations.[cert-manager.io/inject-ca-from]
-#       options:
-#         delimiter: '/'
-#         index: 1
-#         create: true
-#
 # - source: # Uncomment the following block if you enable cert-manager
 #     kind: Service
 #     version: v1

testdata/project-v4-with-plugins/config/default/kustomization.yaml

@@ -110,37 +110,6 @@ patches:
 #         index: 1
 #         create: true
 #
-# - source: # Uncomment the following block if you have a ConversionWebhook (--conversion)
-#     kind: Certificate
-#     group: cert-manager.io
-#     version: v1
-#     name: serving-cert # This name should match the one in certificate.yaml
-#     fieldPath: .metadata.namespace # Namespace of the certificate CR
-#   targets:
-#     - select:
-#         kind: CustomResourceDefinition
-#       fieldPaths:
-#         - .metadata.annotations.[cert-manager.io/inject-ca-from]
-#       options:
-#         delimiter: '/'
-#         index: 0
-#         create: true
-# - source:
-#     kind: Certificate
-#     group: cert-manager.io
-#     version: v1
-#     name: serving-cert # This name should match the one in certificate.yaml
-#     fieldPath: .metadata.name
-#   targets:
-#     - select:
-#         kind: CustomResourceDefinition
-#       fieldPaths:
-#         - .metadata.annotations.[cert-manager.io/inject-ca-from]
-#       options:
-#         delimiter: '/'
-#         index: 1
-#         create: true
-#
 # - source: # Uncomment the following block if you enable cert-manager
 #     kind: Service
 #     version: v1

testdata/project-v4/config/default/kustomization.yaml

@@ -110,37 +110,6 @@ patches:
 #         index: 1
 #         create: true
 #
-# - source: # Uncomment the following block if you have a ConversionWebhook (--conversion)
-#     kind: Certificate
-#     group: cert-manager.io
-#     version: v1
-#     name: serving-cert # This name should match the one in certificate.yaml
-#     fieldPath: .metadata.namespace # Namespace of the certificate CR
-#   targets:
-#     - select:
-#         kind: CustomResourceDefinition
-#       fieldPaths:
-#         - .metadata.annotations.[cert-manager.io/inject-ca-from]
-#       options:
-#         delimiter: '/'
-#         index: 0
-#         create: true
-# - source:
-#     kind: Certificate
-#     group: cert-manager.io
-#     version: v1
-#     name: serving-cert # This name should match the one in certificate.yaml
-#     fieldPath: .metadata.name
-#   targets:
-#     - select:
-#         kind: CustomResourceDefinition
-#       fieldPaths:
-#         - .metadata.annotations.[cert-manager.io/inject-ca-from]
-#       options:
-#         delimiter: '/'
-#         index: 1
-#         create: true
-#
 # - source: # Uncomment the following block if you enable cert-manager
 #     kind: Service
 #     version: v1