kubernetes-sigs · james-callahan · Mar 6, 2023 · Mar 6, 2023 · Mar 6, 2023 · Mar 6, 2023
diff --git a/Makefile b/Makefile
@@ -18,18 +18,6 @@ CRD_OPTIONS ?= "crd:crdVersions=v1"
 # Whether to override AWS SDK models. set to 'y' when we need to build against custom AWS SDK models.
 AWS_SDK_MODEL_OVERRIDE ?= "n"
 
-# Move Gateway API CRDs from bases directory to gateway directory
-MOVE_GATEWAY_CRDS = mv config/crd/bases/gateway.k8s.aws_* config/crd/gateway/
-
-# Move AGA CRDs from bases directory to aga directory
-MOVE_AGA_CRDS = mkdir -p config/crd/aga && mv config/crd/bases/aga.k8s.aws_* config/crd/aga/
-
-# Copy combined Gateway API CRDs from bases directory to helm directory
-COPY_GATEWAY_CRDS_TO_HELM = cp config/crd/gateway/gateway-crds.yaml helm/aws-load-balancer-controller/crds/gateway-crds.yaml
-
-# Copy combined AGA CRDs from aga directory to helm directory
-COPY_AGA_CRDS_TO_HELM = cp config/crd/aga/aga-crds.yaml helm/aws-load-balancer-controller/crds/aga-crds.yaml
-
 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
 ifeq (,$(shell go env GOBIN))
 GOBIN=$(shell go env GOPATH)/bin
@@ -73,17 +61,9 @@ manifests: controller-gen kustomize
 	yq eval '.metadata.name = "webhook"' -i config/webhook/manifests.yaml
 
 crds: manifests
-	$(MOVE_GATEWAY_CRDS)
-	$(MOVE_AGA_CRDS)
 	$(KUSTOMIZE) build config/crd > helm/aws-load-balancer-controller/crds/crds.yaml
-	$(KUSTOMIZE) build config/crd/gateway > config/crd/gateway/gateway-crds.yaml
-	echo '---' > config/crd/gateway/gateway-crds.yaml
-	$(KUSTOMIZE) build config/crd/gateway >> config/crd/gateway/gateway-crds.yaml
-	$(COPY_GATEWAY_CRDS_TO_HELM)
-	$(KUSTOMIZE) build config/crd/aga > config/crd/aga/aga-crds.yaml
-	echo '---' > config/crd/aga/aga-crds.yaml
-	$(KUSTOMIZE) build config/crd/aga >> config/crd/aga/aga-crds.yaml
-	$(COPY_AGA_CRDS_TO_HELM)
+	$(KUSTOMIZE) build config/crd/gateway > helm/aws-load-balancer-controller/crds/gateway-crds.yaml
+	$(KUSTOMIZE) build config/crd/aga > helm/aws-load-balancer-controller/crds/aga-crds.yaml
 
 # Run go fmt against code
 fmt:

diff --git a/...es/cainjection_in_ingressclassparams.yaml → ...njection_in_ingressclassparams_patch.yaml b/...es/cainjection_in_ingressclassparams.yaml → ...njection_in_ingressclassparams_patch.yaml
@@ -4,5 +4,6 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
+    # `default` and `serving-cert` may be substituted by kustomize
+    cert-manager.io/inject-ca-from: default/serving-cert
   name: ingressclassparams.elbv2.k8s.aws
diff --git a/...s/cainjection_in_targetgroupbindings.yaml → ...jection_in_targetgroupbindings_patch.yaml b/...s/cainjection_in_targetgroupbindings.yaml → ...jection_in_targetgroupbindings_patch.yaml
@@ -4,5 +4,6 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
+    # `default` and `serving-cert` may be substituted by kustomize
+    cert-manager.io/inject-ca-from: default/serving-cert
   name: targetgroupbindings.elbv2.k8s.aws
diff --git a/config/certmanager/certificate.yaml b/config/certmanager/certificate.yaml
@@ -14,10 +14,10 @@ kind: Certificate
 metadata:
   name: serving-cert # this name should match the one appeared in kustomizeconfig.yaml
 spec:
-  # $(SERVICE_NAME) and $(SERVICE_NAMESPACE) will be substituted by kustomize
+  # `webhook-service` and `default` may be substituted by kustomize
   dnsNames:
-    - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc
-    - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local
+    - webhook-service.default.svc
+    - webhook-service.default.svc.cluster.local
   issuerRef:
     kind: Issuer
     name: selfsigned-issuer

diff --git a/config/certmanager/kustomization.yaml b/config/certmanager/kustomization.yaml
@@ -1,5 +1,21 @@
-resources:
-  - certificate.yaml
-
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
 configurations:
   - kustomizeconfig.yaml
+resources:
+  - certificate.yaml
+patches:
+  # patches here are for enabling the CA injection for each CRD
+  - path: cainjection_in_targetgroupbindings_patch.yaml
+  - path: cainjection_in_ingressclassparams_patch.yaml
+  # This patch add annotation to admission webhook config, `default` and
+  # `serving-cert` may be substituted by kustomize
+  - target:
+      kind: (MutatingWebhookConfiguration|ValidatingWebhookConfiguration)
+    patch: |-
+      apiVersion: admissionregistration.k8s.io/v1
+      kind: dummy
+      metadata:
+        name: webhook
+        annotations:
+          cert-manager.io/inject-ca-from: default/serving-cert
diff --git a/config/certmanager/kustomizeconfig.yaml b/config/certmanager/kustomizeconfig.yaml
@@ -1,16 +1,8 @@
-# This configuration is for teaching kustomize how to update name ref and var substitution
+# This configuration is for teaching kustomize how to update name ref
 nameReference:
   - kind: Issuer
     group: cert-manager.io
     fieldSpecs:
       - kind: Certificate
         group: cert-manager.io
         path: spec/issuerRef/name
-
-varReference:
-  - kind: Certificate
-    group: cert-manager.io
-    path: spec/commonName
-  - kind: Certificate
-    group: cert-manager.io
-    path: spec/dnsNames
diff --git a/config/controller/controller.yaml b/config/controller/controller.yaml
@@ -2,24 +2,14 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: controller
-  labels:
-    app.kubernetes.io/component: controller
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: controller
-  labels:
-    app.kubernetes.io/component: controller
 spec:
-  selector:
-    matchLabels:
-      app.kubernetes.io/component: controller
   replicas: 1
   template:
-    metadata:
-      labels:
-        app.kubernetes.io/component: controller
     spec:
       containers:
         - name: controller
@@ -34,6 +24,16 @@ spec:
             requests:
               cpu: 100m
               memory: 200Mi
+          ports:
+            - containerPort: 9443
+              name: webhook
+              protocol: TCP
+            - containerPort: 8080
+              name: metrics
+              protocol: TCP
+            - containerPort: 61779
+              name: healthprobe
+              protocol: TCP
           livenessProbe:
             failureThreshold: 2
             httpGet:
@@ -44,4 +44,4 @@ spec:
             timeoutSeconds: 10
       terminationGracePeriodSeconds: 10
       priorityClassName: system-cluster-critical
-      serviceAccountName: controller
+      serviceAccountName: controller
diff --git a/config/controller/kustomization.yaml b/config/controller/kustomization.yaml
@@ -1,11 +1,12 @@
-resources:
-- controller.yaml
-patchesStrategicMerge:
-- iam_for_sa_patch.yaml
-- security_context_patch.yaml
-
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
+commonLabels:
+  app.kubernetes.io/component: controller
+resources:
+- controller.yaml
+patches:
+- path: iam_for_sa_patch.yaml
+- path: security_context_patch.yaml
 images:
 - name: controller
   newName: public.ecr.aws/eks/aws-load-balancer-controller