
Commit bfb8b54

fix: use the right namespace for DNS names in the default webhook certificates (#1504)
**Description** Removes the hardcoded webhook certificate when cert-manager is not configured and uses the Helm cert functions [1] to generate it, so that the right namespace is used in the certificate DNS names. **Related Issues/PRs (if applicable)** Fixes #1502 Fixes: #1363 **Special notes for reviewers (if applicable)** N/A 1: https://helm.sh/docs/chart_template_guide/function_list#cryptographic-and-security-functions Signed-off-by: Ignasi Barrera <[email protected]>
1 parent a0e4c0e commit bfb8b54


3 files changed

+46
-80
lines changed

manifests/charts/ai-gateway-helm/templates/admission_webhook.yaml

Lines changed: 29 additions & 74 deletions
@@ -54,84 +54,39 @@ metadata:
5454
namespace: {{ .Release.Namespace }}
5555
spec:
5656
selfSigned: {}
57-
{{- else }}
5857
---
58+
{{- else }}
59+
{{- $caCrt := "" }}
60+
{{- $tlsCrt := "" }}
61+
{{- $tlsKey := "" }}
62+
{{/* Check fi the secret exists to avoid regenerating the certificate on upgrades */}}
63+
{{- $existing := lookup "v1" "Secret" .Release.Namespace .Values.controller.mutatingWebhook.tlsCertSecretName }}
64+
{{- if $existing }}
65+
{{- $caCrt = index $existing.data .Values.controller.mutatingWebhook.caBundleName }}
66+
{{- $tlsCrt = index $existing.data .Values.controller.mutatingWebhook.tlsCertName }}
67+
{{- $tlsKey = index $existing.data .Values.controller.mutatingWebhook.tlsKeyName }}
68+
{{- else }}
69+
{{- $serviceName := include "ai-gateway-helm.controller.fullname" . }}
70+
{{- $ca := genCA (printf "%s-ca" $serviceName) 3650 }}
71+
{{- $dnsNames := list
72+
$serviceName
73+
(printf "%s.%s" $serviceName .Release.Namespace)
74+
(printf "%s.%s.svc" $serviceName .Release.Namespace)
75+
(printf "%s.%s.svc.cluster.local" $serviceName .Release.Namespace)
76+
-}}
77+
{{- $cert := genSignedCert (printf "%s.%s.svc" $serviceName .Release.Namespace) nil $dnsNames 365 $ca }}
78+
{{- $caCrt = $ca.Cert | b64enc }}
79+
{{- $tlsCrt = $cert.Cert | b64enc }}
80+
{{- $tlsKey = $cert.Key | b64enc }}
81+
{{- end }}
5982
apiVersion: v1
6083
kind: Secret
6184
metadata:
6285
name: {{ .Values.controller.mutatingWebhook.tlsCertSecretName }}
6386
namespace: {{ .Release.Namespace }}
64-
stringData:
65-
ca.crt: |
66-
-----BEGIN CERTIFICATE-----
67-
MIIDOzCCAiOgAwIBAgIUU+g1Upp1Qtfpk87zY5H2/EY55QUwDQYJKoZIhvcNAQEL
68-
BQAwLTELMAkGA1UEBhMCQVUxHjAcBgNVBAMMFWFpLWdhdGV3YXktY29udHJvbGxl
69-
cjAeFw0yNTA1MjAxNjQzNTJaFw0zNTA1MTgxNjQzNTJaMC0xCzAJBgNVBAYTAkFV
70-
MR4wHAYDVQQDDBVhaS1nYXRld2F5LWNvbnRyb2xsZXIwggEiMA0GCSqGSIb3DQEB
71-
AQUAA4IBDwAwggEKAoIBAQDKN5YmMh7TgGqNpedC0DWBWdn2pMiHtCeRlTkluDjK
72-
l+ZeleiR7rooNUXc6gE02RAaRCEaNMSZL3m6BkZ1Xoo92Mvabu+ORkwApO+OTIvj
73-
NsYb3/blsST1qHXApm7n886Ed80CG3Jczi7AioXsAhTv+SoJeQJsoKLeVYV5m5l/
74-
j4xoJl9fY+lzpmgdcALBm7FDrAbsEgjKwmFEQAxTNxWowZDiARW21io45saC411S
75-
m/ZhthSxDQpqSzPwYcXwR04syZxGUewYrpIE54hRsM8KwpqNEZVnjlaKBssiEgG8
76-
97sx9wDb3HLzep7FShKz4LslePAc8DmvdYjnooZaxzsfAgMBAAGjUzBRMB0GA1Ud
77-
DgQWBBS9puJ0i+zKW4Y3FY2NvRKAb0ONYzAfBgNVHSMEGDAWgBS9puJ0i+zKW4Y3
78-
FY2NvRKAb0ONYzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCZ
79-
ZgPCQnaXt/xSJ7oUFBMba5TLeqvzIKPeDvS0ii64tZeQ75R7nQvSVt2QnGDjpyJ+
80-
00ERja7jWpjL3IWijmE199vv40ZY4pajhBAL3y8wPf6vRh8d7TO4XmN7hser2tci
81-
denNGPxu1bX2tLE8FAGM8SUarVy6veHdiUyoMlJWpvjWYNgaVE5Yx/839WmxRhnS
82-
2IOljAsTwaIkI0wms51lZXGPhRgES9AoLPuywsgq7GcjIhYHpfso/3DgS8/MTR5B
83-
iWqiXpgjD6ZOzTQyp8zpnGzYGdxSKaxd1I0LhLTuawdLQ+DS3zvR5S5V5vLQUZ1r
84-
0Un8E68n7s8EplV8N6xl
85-
-----END CERTIFICATE-----
86-
tls.crt: |
87-
-----BEGIN CERTIFICATE-----
88-
MIIDaTCCAlGgAwIBAgIUHUaEt6oW5HaBSAc/DZZ39PclDaUwDQYJKoZIhvcNAQEL
89-
BQAwLTELMAkGA1UEBhMCQVUxHjAcBgNVBAMMFWFpLWdhdGV3YXktY29udHJvbGxl
90-
cjAeFw0yNTA1MjAxNjQ1MzNaFw0zNTA1MTgxNjQ1MzNaMC0xCzAJBgNVBAYTAkFV
91-
MR4wHAYDVQQDDBVhaS1nYXRld2F5LWNvbnRyb2xsZXIwggEiMA0GCSqGSIb3DQEB
92-
AQUAA4IBDwAwggEKAoIBAQDHhlhQBR2pplNbgA5Q0lvqimzUylfGAeTVPrSQs73L
93-
Fj2Lqi/ROtyFHdfruRzVMnmWfMWbh57kIv6KEXHkhJngD4rjcWjLQvKZjUKUe9s7
94-
P1tQ0S9rIzMeBk8dQ3vrm+XcFy9zhuROccpmaXOTjanW9I7Uxl0/fINfc2++nIUx
95-
8LSJPf845iHJlHF7uuzhRIMD3M0ShXSS8SnPQPicq18mqufczN+8SC5jwDeCAUEM
96-
67ter1OnXdjuJSSHpRY9Rj32jyIGYEjFTgqV1tU+ut86xzzRMGilcXio1NubJxfH
97-
IwOWCG82qyddZpGLVHAUapgaW4H5Lce+uELhShc0HiRpAgMBAAGjgYAwfjA8BgNV
98-
HREENTAzgjFhaS1nYXRld2F5LWNvbnRyb2xsZXIuZW52b3ktYWktZ2F0ZXdheS1z
99-
eXN0ZW0uc3ZjMB0GA1UdDgQWBBTHtH9TzxZK9i29+djfBe6foVNN4jAfBgNVHSME
100-
GDAWgBS9puJ0i+zKW4Y3FY2NvRKAb0ONYzANBgkqhkiG9w0BAQsFAAOCAQEAmOKx
101-
ws4huAPawx1hcZQNNz6TTv6BwxGAVG4WX69Pb3ZWXB/vxPIIPkbhP23oumtn0N7l
102-
ehy6K89FPDCCeuz9kibsDHQWjl349jPSyGULMVYT2DoI9KKxwFdjgVwF8pOOvBe3
103-
8tTiPcCoYbssMpmYQKGXiqENrIKTq9dzzqMxkN9a4XNyk2xB9P8RSiv/6sQqE5Ni
104-
bY6TeD4T8AgaGdHteCeRNBJxaiKPttv9D62zd02lJ9w7BKsphNRDH1dNCNgM8KJE
105-
Rxf1TRtGZTXfz6y7gFYK1w7RwI9v5JUiRH28RyexeNKmAYlP6pbKN6wM4S0OktyY
106-
znuy770iwgvtVaugwQ==
107-
-----END CERTIFICATE-----
108-
tls.key: |
109-
-----BEGIN PRIVATE KEY-----
110-
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDHhlhQBR2pplNb
111-
gA5Q0lvqimzUylfGAeTVPrSQs73LFj2Lqi/ROtyFHdfruRzVMnmWfMWbh57kIv6K
112-
EXHkhJngD4rjcWjLQvKZjUKUe9s7P1tQ0S9rIzMeBk8dQ3vrm+XcFy9zhuROccpm
113-
aXOTjanW9I7Uxl0/fINfc2++nIUx8LSJPf845iHJlHF7uuzhRIMD3M0ShXSS8SnP
114-
QPicq18mqufczN+8SC5jwDeCAUEM67ter1OnXdjuJSSHpRY9Rj32jyIGYEjFTgqV
115-
1tU+ut86xzzRMGilcXio1NubJxfHIwOWCG82qyddZpGLVHAUapgaW4H5Lce+uELh
116-
Shc0HiRpAgMBAAECggEAAe3u5zExeP1Cg5lAqi/qkyFNDZ66TBAjIBvH37lZPcBE
117-
jpfx9+4/iSsBdkZXPMmM6vNgbtFYLEEZYIjsJsdQfJ3x3CKx3ntSgMEgsnJjK5bA
118-
gY7QTFMuEJ2DgNcw+NWMWr0/qHiWtxp7GFPvOe9OA+XgBrc3WiCQXakuXLPDRvkW
119-
SbSurGfzhlPNVSlqRAK/uYYeRFUvjjvuFB77+ozVPCqMxqMDW9ez7y/oMK5Rphl7
120-
GbBSHjv/aCfN4OKno/xtPup3xaYHXkNLP1ktGCplJoyx6JSqBqYoKXP9sGsbhlif
121-
xNI2zhB7VRfjQzclS+26zUIK2GhNd4/LI4ZvzB4bjQKBgQDse6MPqrkW2YFJSQOd
122-
bpghzHfv3P7VCJi5pgneOeH+qgYvWHtXASC6XmHgd7RjIAkmIkI01VGhIQW1Lwzh
123-
/K/qmmNgyP1MVIpAedYaMBFFV6q9qWaT+AojFp+PnHjuQHtFP9Lx0dtMwvafb821
124-
mN1i3ZDWmD7wFt1D6nBetDm2tQKBgQDX/d0HjexwhLILboAzgTWgOPjks60+uh4k
125-
zf/SxdRE6wHaeUuT5disUJD70G52jGQRR5EMazJvSCPDffIsHdId5qM/H1+LuRs9
126-
RvPttxyZACgghV+M2cOCkQkbwpMe8O7+SHtSQt2hNnkXu9QUOrU01qgXJrSF6WQn
127-
vCWiDwczZQKBgH5A/+yEXC7bzs9+gMSTX/tje4D+/rpjzY4IHGqdgo+A3K54UdlA
128-
i+WUMDM0FYV6fAf08F3eqacZxz9VME6SpqTc6kOo6rrOw8TqhykSEpZv2INLpq1H
129-
FrpnAKcehd3FZUqyaX+bZ7aSvDKg8TWLuF5pJkO7opZxzo3M41NcaxelAoGADnfc
130-
5HKnUeoxmv5t7AVNuEvYsEkw47DH8CM0bcP+shcj6qSRYXjWCMTk0Vlm7N3+ngGz
131-
P6e2mymz65Z2MGpW9tXKPaI2Xj+qCXLFSDkp2z3dckA85Ex6AjcA6zEfdcUh3Tqx
132-
uBLukav6dJKKZEiCduWiINrg4M9/fAHoa3CiRNkCgYEAnEn9gCO4e0raIREBFMRW
133-
9uiRLb1cc4GvZxYDj4xf0AR99bL599GMe/yMbtaeqhC5z2pVgyRGwxPCmoY5KQrB
134-
i4X6Yrl37GEpCf94kpkdM6AtzA2DZ9Tfzoai61RKvP1W93vWohjXtv1OZWDuDB+H
135-
SJhKidoVRcKlB8eLvnwIh+g=
136-
-----END PRIVATE KEY-----
87+
data:
88+
{{ .Values.controller.mutatingWebhook.caBundleName }}: {{ $caCrt }}
89+
{{ .Values.controller.mutatingWebhook.tlsCertName }}: {{ $tlsCrt }}
90+
{{ .Values.controller.mutatingWebhook.tlsKeyName }}: {{ $tlsKey }}
91+
---
13792
{{- end }}
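Review bot: The `lookup` branch reuses whatever the existing Secret holds without checking that it is still usable, so a release that already carries the old hard-coded certificate (if the `caBundleName`/`tlsCertName`/`tlsKeyName` values default to the previous `ca.crt`/`tls.crt`/`tls.key` keys — not visible here) keeps the wrong-namespace SAN after upgrade, and the 365-day leaf is likewise never rotated once it expires while the CA lives 3650 days; the fix only takes effect on fresh installs. Helm has no function to parse an existing certificate, so a practical guard is to stamp the Secret with a chart-version or generation annotation and take the regenerate branch when it is missing or differs, and to document the 365/3650 lifetimes next to `genCA`/`genSignedCert`. `lookup` also returns nothing under `helm template` or `--dry-run` without cluster access, which regenerates the key pair on every render — worth a line in the comment so a drift-detection tool is not mistaken for a broken chart. The added comment has a typo; suggested wording: `{{/* Check if the secret exists to avoid regenerating the certificate on upgrades */}}`.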

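--- a/tests/e2e-namespaced/namespaced_test.go
+++ b/tests/e2e-namespaced/namespaced_test.go
@@ -21,6 +21,7 @@ import (
 
 func TestMain(m *testing.M) {
 e2elib.TestMain(m, e2elib.AIGatewayHelmOption{
+Namespace: "envoy-ai-gateway-e2e", // Also install AI Gateway on a different namespace
 AdditionalArgs: []string{
 // Configure the controller to only watch certain namespaces
 // By skipping the "route1-ns" the models defined in that namespace routes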

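--- a/tests/internal/e2elib/e2elib.go
+++ b/tests/internal/e2elib/e2elib.go
@@ -65,6 +65,15 @@ type AIGatewayHelmOption struct {
 ChartVersion string
 // AdditionalArgs are additional arguments to pass to the Helm install/upgrade command.
 AdditionalArgs []string
+// Namespace where the AI Gateway will be installed. Default is "envoy-ai-gateway-system".
+Namespace string
+}
+
+func (a *AIGatewayHelmOption) GetNamespace() string {
+if a.Namespace == "" {
+return "envoy-ai-gateway-system"
+}
+return a.Namespace
 }
 
 // TestMain is the entry point for the e2e tests. It sets up the kind cluster, installs the Envoy Gateway,
@@ -104,7 +113,7 @@ func SetupAll(ctx context.Context, clusterName string, aigwOpts AIGatewayHelmOpt
 return fmt.Errorf("failed to install inference pool environment: %w", err)
 }
 }
-if err := initEnvoyGateway(ctx, inferenceExtension); err != nil {
+if err := initEnvoyGateway(ctx, aigwOpts.GetNamespace(), inferenceExtension); err != nil {
 return fmt.Errorf("failed to initialize Envoy Gateway: %w", err)
 }
 
@@ -387,7 +396,7 @@ func installInferencePoolEnvironment(ctx context.Context) (err error) {
 
 // initEnvoyGateway initializes the Envoy Gateway in the kind cluster following the quickstart guide:
 // https://gateway.envoyproxy.io/latest/tasks/quickstart/
-func initEnvoyGateway(ctx context.Context, inferenceExtension bool) (err error) {
+func initEnvoyGateway(ctx context.Context, namespace string, inferenceExtension bool) (err error) {
 egVersion := cmp.Or(os.Getenv("EG_VERSION"), "v0.0.0-latest")
 initLog("Installing Envoy Gateway")
 start := time.Now()
@@ -403,6 +412,7 @@ func initEnvoyGateway(ctx context.Context, inferenceExtension bool) (err error)
 "-n", "envoy-gateway-system", "--create-namespace",
 "-f", "../../manifests/envoy-gateway-values.yaml",
 "-f", "../../examples/token_ratelimit/envoy-gateway-values-addon.yaml",
+"--set", fmt.Sprintf("config.envoyGateway.extensionManager.service.fqdn.hostname=ai-gateway-controller.%s.svc.cluster.local", namespace),
 }
 if inferenceExtension {
 helmArgs = append(helmArgs, "-f", "../../examples/inference-pool/envoy-gateway-values-addon.yaml")
@@ -433,7 +443,7 @@ func InstallOrUpgradeAIGateway(ctx context.Context, aigw AIGatewayHelmOption) (e
 } else {
 cdrChartArgs = append(cdrChartArgs, "../../manifests/charts/ai-gateway-crds-helm")
 }
-cdrChartArgs = append(cdrChartArgs, "-n", "envoy-ai-gateway-system", "--create-namespace")
+cdrChartArgs = append(cdrChartArgs, "-n", aigw.GetNamespace(), "--create-namespace")
 crdChart := testsinternal.GoToolCmdContext(ctx, "helm", cdrChartArgs...)
 crdChart.Stdout = os.Stdout
 crdChart.Stderr = os.Stderr
@@ -447,7 +457,7 @@ func InstallOrUpgradeAIGateway(ctx context.Context, aigw AIGatewayHelmOption) (e
 } else {
 mainChartArgs = append(mainChartArgs, "../../manifests/charts/ai-gateway-helm")
 }
-mainChartArgs = append(mainChartArgs, "-n", "envoy-ai-gateway-system", "--create-namespace")
+mainChartArgs = append(mainChartArgs, "-n", aigw.GetNamespace(), "--create-namespace")
 mainChartArgs = append(mainChartArgs, aigw.AdditionalArgs...)
 
 helm := testsinternal.GoToolCmdContext(ctx, "helm", mainChartArgs...)
@@ -458,10 +468,10 @@ func InstallOrUpgradeAIGateway(ctx context.Context, aigw AIGatewayHelmOption) (e
 }
 // Restart the controller to pick up the new changes in the AI Gateway.
 initLog("\tRestart AI Gateway controller")
-if err = KubectlRestartDeployment(ctx, "envoy-ai-gateway-system", "ai-gateway-controller"); err != nil {
+if err = KubectlRestartDeployment(ctx, aigw.GetNamespace(), "ai-gateway-controller"); err != nil {
 return
 }
-return kubectlWaitForDeploymentReady(ctx, "envoy-ai-gateway-system", "ai-gateway-controller")
+return kubectlWaitForDeploymentReady(ctx, aigw.GetNamespace(), "ai-gateway-controller")
 }
 
 func initPrometheus(ctx context.Context) (err error) {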
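Review bot: The new exported method `GetNamespace` in the first hunk has no doc comment, and the default namespace literal is now repeated in the field comment and the method body; suggested `// GetNamespace returns Namespace, or "envoy-ai-gateway-system" when it is unset.` on the method, with the literal hoisted to a package-level `const defaultAIGatewayNamespace = "envoy-ai-gateway-system"` so the comment and the code cannot drift. The `Get` prefix is acceptable here only because the field already owns the name `Namespace`. In the `initEnvoyGateway` hunk the extension-manager hostname hardcodes `ai-gateway-controller`, which presumably has to match the chart's controller fullname used for the new certificate's DNS names — a short comment stating that coupling would help the next person who changes either side.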
