Fix webhook/cert namespace

Edan-Hamilton · Edan-Hamilton · commit da9689bfb9cc · 2025-06-05T13:40:02.000+10:00
diff --git a/deploy/helm/templates/static-resources.yaml b/deploy/helm/templates/static-resources.yaml
@@ -17,8 +17,8 @@ metadata:
   namespace: '{{ .Release.Namespace }}'
 spec:
   dnsNames:
-  - webhook-service.security-profiles-operator.svc
-  - webhook-service.security-profiles-operator.svc.cluster.local
+  - webhook-service.{{.Release.Namespace}}.svc
+  - webhook-service.{{.Release.Namespace}}.svc.cluster.local
   issuerRef:
     kind: Issuer
     name: selfsigned-issuer
@@ -121,9 +121,9 @@ metadata:
   namespace: '{{ .Release.Namespace }}'
 spec:
   dnsNames:
-  - metrics.security-profiles-operator
-  - metrics.security-profiles-operator.svc
-  - metrics.security-profiles-operator.svc.cluster.local
+  - metrics.{{.Release.Namespace}}
+  - metrics.{{.Release.Namespace}}.svc
+  - metrics.{{.Release.Namespace}}.svc.cluster.local
   issuerRef:
     kind: Issuer
     name: selfsigned-issuer
@@ -3039,7 +3039,7 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:
   annotations:
-    cert-manager.io/inject-ca-from: security-profiles-operator/webhook-cert
+    cert-manager.io/inject-ca-from: '{{.Release.Namespace}}/webhook-cert'
   labels:
     app: '{{.Release.Name}}'
   name: spo-mutating-webhook-configuration
@@ -3064,8 +3064,8 @@ webhooks:
     - key: name
       operator: NotIn
       values:
-      - security-profiles-operator
-      - security-profiles-operator-webhook
+      - '{{ include "security-profiles-operator.name" . }}'
+      - '{{ include "security-profiles-operator.name" . }}-webhook'
   rules:
   - apiGroups:
     - '*'
@@ -3099,8 +3099,8 @@ webhooks:
     - key: name
       operator: NotIn
       values:
-      - security-profiles-operator
-      - security-profiles-operator-webhook
+      - '{{ include "security-profiles-operator.name" . }}'
+      - '{{ include "security-profiles-operator.name" . }}-webhook'
   rules:
   - apiGroups:
     - '*'
diff --git a/deploy/overlays/helm/kustomization.yaml b/deploy/overlays/helm/kustomization.yaml
@@ -67,5 +67,36 @@ patches:
       path: /spec/selector/name
       value: '{{ include "security-profiles-operator.name" . }}-webhook'
 
+# Fix webhook/cert namespaces
+- target: { name: webhook-cert }
+  patch: |
+    - op: replace
+      path: /spec/dnsNames
+      value:
+      - webhook-service.{{.Release.Namespace}}.svc
+      - webhook-service.{{.Release.Namespace}}.svc.cluster.local
+- target: { name: metrics-cert }
+  patch: |
+    - op: replace
+      path: /spec/dnsNames
+      value:
+      - metrics.{{.Release.Namespace}}
+      - metrics.{{.Release.Namespace}}.svc
+      - metrics.{{.Release.Namespace}}.svc.cluster.local
+- target: { name: spo-mutating-webhook-configuration }
+  patch: |
+    - op: replace
+      path: /metadata/annotations/cert-manager.io~1inject-ca-from
+      value: "{{.Release.Namespace}}/webhook-cert"
+    - op: replace
+      path: /webhooks/0/objectSelector/matchExpressions/0/values
+      value: &val
+      - '{{ include "security-profiles-operator.name" . }}'
+      - '{{ include "security-profiles-operator.name" . }}-webhook'
+    - op: replace
+      path: /webhooks/1/objectSelector/matchExpressions/0/values
+      value: *val
+
+
 # Remove the namespace resource.
 - path: delete-ns.yaml
