
Commit 88a91b6

authored
feat: replace fixed cert by auto generated (#203)
1 parent 42d43fd commit 88a91b6

5 files changed

+31
-150
lines changed

deploy/kubernetes_v1.22/helm/secrets/ca-cert.pem

Lines changed: 0 additions & 32 deletions
This file was deleted.

deploy/kubernetes_v1.22/helm/secrets/cert.pem

Lines changed: 0 additions & 32 deletions
This file was deleted.

deploy/kubernetes_v1.22/helm/secrets/key.pem

Lines changed: 0 additions & 52 deletions
This file was deleted.
Lines changed: 31 additions & 23 deletions
@@ -1,35 +1,29 @@
1+
{{- $ca := genCA "polarismesh-ca" 3650 -}}
2+
{{- $cn := printf "%s.%s.svc" ( .Values.controller.webhook.service ) .Release.Namespace }}
3+
{{- $cert := genSignedCert $cn nil (list $cn) 3650 $ca -}}
4+
{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (include "polaris-controller.controller.fullname" .)}}
5+
{{- if $existingSecret }}
6+
{{- $ca_cert := index $existingSecret.data "ca-cert.pem" | b64dec }}
7+
{{- $ca_key := index $existingSecret.data "ca-key.pem" | b64dec }}
8+
{{- $cert_cert := index $existingSecret.data "cert.pem" | b64dec }}
9+
{{- $cert_key := index $existingSecret.data "key.pem" | b64dec }}
10+
{{- $ca = dict "Cert" $ca_cert "Key" $ca_key }}
11+
{{- $cert = dict "Cert" $cert_cert "Key" $cert_key }}
12+
{{- end }}
113
apiVersion: admissionregistration.k8s.io/v1
214
kind: MutatingWebhookConfiguration
315
metadata:
416
name: {{ include "polaris-controller.controller.fullname" . }}-injector
517
labels:
618
app: sidecar-injector
719
webhooks:
8-
- name: {{ .Values.controller.webhook.host }}
9-
clientConfig:
10-
service:
11-
name: {{ .Values.controller.webhook.service }}
12-
namespace: polaris-system
13-
path: "/inject"
14-
caBundle: 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
15-
rules:
16-
- operations: ["CREATE"]
17-
apiGroups: [""]
18-
apiVersions: ["v1"]
19-
resources: ["pods"]
20-
admissionReviewVersions: ["v1"]
21-
sideEffects: "None"
22-
failurePolicy: Fail
23-
namespaceSelector:
24-
matchLabels:
25-
polaris-injection: enabled
2620
- name: ns.injector.polarismesh.cn
2721
clientConfig:
2822
service:
29-
name: polaris-sidecar-injector
23+
name: {{ .Values.controller.webhook.service }}
3024
namespace: polaris-system
3125
path: "/inject"
32-
caBundle: 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
26+
caBundle: {{ b64enc $ca.Cert }}
3327
rules:
3428
- operations: ["CREATE"]
3529
apiGroups: [""]
@@ -44,10 +38,10 @@ webhooks:
4438
- name: allowlist.polarismesh.cn
4539
clientConfig:
4640
service:
47-
name: polaris-sidecar-injector
41+
name: {{ .Values.controller.webhook.service }}
4842
namespace: polaris-system
4943
path: "/inject"
50-
caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZpVENDQTNHZ0F3SUJBZ0lVSUJGZmZMeE84K2RNSTNrd3hOcXpibGg4Zm9Vd0RRWUpLb1pJaHZjTkFRRUwKQlFBd05qRTBNRElHQTFVRUF3d3JjRzlzWVhKcGN5MXphV1JsWTJGeUxXbHVhbVZqZEc5eUxuQnZiR0Z5YVhNdApjM2x6ZEdWdExuTjJZekFnRncweU1qQTNNRFF3TXpFNU1UaGFHQTh5TVRJeE1EWXhNREF6TVRreE9Gb3dOakUwCk1ESUdBMVVFQXd3cmNHOXNZWEpwY3kxemFXUmxZMkZ5TFdsdWFtVmpkRzl5TG5CdmJHRnlhWE10YzNsemRHVnQKTG5OMll6Q0NBaUl3RFFZSktvWklodmNOQVFFQkJRQURnZ0lQQURDQ0Fnb0NnZ0lCQUxMWmE4NzZkQnRmQlJ1cgpaSzZpK0UzRUs4UWJFWitlaG1lNWNhaXhsakRwTlJIdHFyb2I2NGExYldTUWQxU0IvMmVxbVdiY1ZXY24vVFRQCk45WFVHN2JsNExSaWRWQktYODE3ekdDWEYra3BqbTNOekFseEdEK3lteXhJeWhYS1U5K3A3VGk5SXpORXNPNE8KSlhaQm5iOVdzWGU2eGJJN0dlUUY5WXVCdit0ekNMNVJ0ZmRiUmtMVGQ2eWF3NlZYTFdEcDFrUUU4Q1pEc0g5ZApTZmxBeUhCUitaLzVqbzBtMnQzU3hiNTVPak9YcDhVNmV3bVRmdzZ0VXE1Z3dmZXBjWGNOUWlVTXJveFl0dXkxCkxnWGVBN3MvMFdCeDcrVlFPWXlGSGlaQUI0V1dkSEk1S0JIeFlpSFA3Y2N5aWEvM0gwQ2lYVSthYnd0NHk5TDQKdmVSMHQ5ZmMvbXZXUU01aFBjT1hwdzVJZU5sUG8wZE9vZ0NNdE1qaTkwTEFFS2RMQVNhemxDT0hzdVFqNkczaQp4Nk4rdzQrYy9VTGFxR1REUGc2K0c0UDl5UUVZNXVDNDRZWWpJSGxjQlhyR0YwVFFKTEZMM3F4dnU1VitpYXF1CnMvaWZyRzllY3RyY3lLczVWM0dESGlDdE93Y29MajI1TG1oYzF4MEdvT1RmWis3VFA1NjRyM1k3cVVhcUJ3WFgKMWREak4wREFtU1k1VW1tTGhhZ205bU9xcVo4T29XY0M2clFEVUJwbW1hTTUxVEVkeVEwbHNCc0g1T0Jvalp1UgpkeUZuTXkxWHdSRjVNenRrTW9nRnZKYWhnN1hVUTJBN1NBaUhxaUlCY1AyZTZKNDdUMVNqa0s4NUpwMU1WRW5PCjZhSFZxR29wQm9tUi9BNzBTUlRLeGp2UW52UC9BZ01CQUFHamdZd3dnWWt3SFFZRFZSME9CQllFRkNMTkZlMHUKd3Z3RGRiT0VRQWwxNFMwRTRBQzhNQjhHQTFVZEl3UVlNQmFBRkNMTkZlMHV3dndEZGJPRVFBbDE0UzBFNEFDOApNQThHQTFVZEV3RUIvd1FGTUFNQkFmOHdOZ1lEVlIwUkJDOHdMWUlyY0c5c1lYSnBjeTF6YVdSbFkyRnlMV2x1CmFtVmpkRzl5TG5CdmJHRnlhWE10YzNsemRHVnRMbk4yWXpBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQWdFQWx5aXQKVjdYaHRqZTFXK3RBMUtiUUtBUi8rendiUW1RUHpRTHpRdEdqUERvbmk5VVYyK3A1OEF5YmtvVVo3cEhXb2hFcgoxUGI2WGpKVVYxNjhGb3FZMUR4OS9SRCtDeC9mOWZ1MkswTTEvc2pYTk9oVERuMHZwZ2VvMFZJOVdCcUMrK1EyCllORmZNM2ZhaDQyaXVaSTBZNldnRldJM3dGbUQ3MTBWTC8xOVhMQ0dpditUbmc0ZnRwcHhOZW9rWlI1dU1janAKM0hNeExnUkExbnFYQ2ZhT3VrRVZLbnhvQ1hoQmRySXErV1
VsOUZjZ09iVGxaU0RMNEpkZTl2R1B3cFBFRS9pVgo5cHhsMkhxWWdUZEdXZjJXeWluSmhZazFXempmZzFRTEY0TnJIQ2o3alJNbDBFbXZHM0hTNDM0ME9PUURKTlptClBDVHVrODV6L2dwaml5b3RxUlorcmNXSThBbVZDdURWbkg0VHVqb2swU1RXdUlWUDM5c21DUE5kUElwUVIxblIKSnZ1L2szV0IrTmlZbU94QzJ5SjRvMWRtYnZvS2ZadGIxVVBObVRJcmxXNThlMDdmUGV4QmNwR3JSRk5yVS9kaQpJbEpMNytXVVBKQWluTC8zL0FLQm5md1ZaemtrOVlUdld0b2xZeElhRExTd3JsdEdvZjBQUkptYnI0UDdxbm56ClFDUXVlZDFsUjRaUHJnYUlnZEdHSjdac1lESlVZbS8xd2g3N3FmR3FlYlRFZmorV09JYzV2S09vcEZTY0ZXd3oKNGVZVmVMYjBZdkc0dmc3ZHhCNFArbElzaFNpdmRVUE5XMW5ZY05pcFIrNnI2Q3h0ZnIwWjZWSkFjZjdTR1FHNwpYZkNuQXdMdlJtMEs2Q1Z6WUhPTFVRR2ZVSjBEbGFEeUR3c0JOc009Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
44+
caBundle: {{ b64enc $ca.Cert }}
5145
rules:
5246
- operations: ["CREATE"]
5347
apiGroups: [""]
@@ -58,4 +52,18 @@ webhooks:
5852
failurePolicy: Fail
5953
objectSelector:
6054
matchLabels:
61-
polarismesh.cn/inject: enabled
55+
polarismesh.cn/inject: enabled
56+
57+
---
58+
59+
apiVersion: v1
60+
data:
61+
cert.pem: {{ b64enc $cert.Cert }}
62+
key.pem: {{ b64enc $cert.Key }}
63+
ca-cert.pem: {{ b64enc $ca.Cert }}
64+
ca-key.pem: {{ b64enc $ca.Key }}
65+
kind: Secret
66+
metadata:
67+
name: {{ include "polaris-controller.controller.fullname" . }}
68+
namespace: {{ .Release.Namespace }}
69+
type: Opaque
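Review bot: The serving certificate's SAN is built from `.Release.Namespace` (`$cn := printf "%s.%s.svc" ...`), but both `clientConfig.service` blocks still hard-code `namespace: polaris-system`, so a release installed into any other namespace gets a certificate that does not match the host the API server dials; with `failurePolicy: Fail` on the allowlist webhook, matching pod creations would then be rejected. Use `namespace: {{ .Release.Namespace }}` in both webhook entries so the service reference, the Secret and the certificate agree. Separately, `ca-key.pem` is written into the Secret although the reuse branch never signs anything with it (the leaf is read back from `cert.pem`/`key.pem`), so the CA private key is retained with no use visible in this template; consider dropping it from `data` unless something outside this file re-issues the leaf. The 3650-day lifetime combined with unconditional reuse of an existing Secret also means an upgrade never rotates either certificate, which deserves a comment at the top of the template.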

deploy/kubernetes_v1.22/helm/templates/controller-secret-certs.yaml

Lines changed: 0 additions & 11 deletions
This file was deleted.
