fix ca injection - wip

.github/workflows/test-e2e-samples.yml

@@ -41,7 +41,9 @@ jobs:
         run: |
           KUSTOMIZATION_FILE_PATH="testdata/project-v4/config/default/kustomization.yaml"
           sed -i '25s/^#//' $KUSTOMIZATION_FILE_PATH
-          sed -i '50,177s/^#//' $KUSTOMIZATION_FILE_PATH
+          # Uncomment all cert-manager injections
+          sed -i '50,172s/^#//' $KUSTOMIZATION_FILE_PATH
+          sed -i '174,198s/^#//' $KUSTOMIZATION_FILE_PATH
           cd testdata/project-v4/
           go mod tidy
 
@@ -81,9 +83,12 @@ jobs:
           KUSTOMIZATION_FILE_PATH="testdata/project-v4-with-plugins/config/default/kustomization.yaml"
           sed -i '25s/^#//' $KUSTOMIZATION_FILE_PATH
           # Uncomment only ValidatingWebhookConfiguration
-          # from cert-manager replaces
-          sed -i '50,80s/^#//' $KUSTOMIZATION_FILE_PATH
-          sed -i '144,177s/^#//' $KUSTOMIZATION_FILE_PATH
+          # from cert-manager replaces; we are leaving defaulting uncommented
+          # since this sample has no defaulting webhooks
+          sed -i '50,155s/^#//' $KUSTOMIZATION_FILE_PATH
+          # Uncomment only --conversion webhooks CA injection
+          sed -i '144,163s/^#//' $KUSTOMIZATION_FILE_PATH
+          sed -i '165,180s/^#//' $KUSTOMIZATION_FILE_PATH
           cd testdata/project-v4-with-plugins/
           go mod tidy
 

docs/book/src/cronjob-tutorial/testdata/project/config/crd/kustomization.yaml

@@ -6,14 +6,10 @@ resources:
 # +kubebuilder:scaffold:crdkustomizeresource
 
 patches:
-# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix.
+# [WEBHOOK] To enable the webhooks, uncomment all the sections with [WEBHOOK] prefix.
 # patches here are for enabling the conversion webhook for each CRD
 # +kubebuilder:scaffold:crdkustomizewebhookpatch
 
-# [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix.
-# patches here are for enabling the CA injection for each CRD
-# +kubebuilder:scaffold:crdkustomizecainjectionpatch
-
 # [WEBHOOK] To enable webhook, uncomment the following section
 # the following config is for teaching kustomize how to do kustomization for CRDs.
 #configurations:

docs/book/src/cronjob-tutorial/testdata/project/config/default/kustomization.yaml

@@ -48,6 +48,41 @@ patches:
 # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix.
 # Uncomment the following replacements to add the cert-manager CA injection annotations
 replacements:
+ - source: # Uncomment the following block if you enable cert-manager
+     kind: Service
+     version: v1
+     name: webhook-service
+     fieldPath: .metadata.name # Name of the service
+   targets:
+     - select:
+         kind: Certificate
+         group: cert-manager.io
+         version: v1
+       fieldPaths:
+         - .spec.dnsNames.0
+         - .spec.dnsNames.1
+       options:
+         delimiter: '.'
+         index: 0
+         create: true
+ - source:
+     kind: Service
+     version: v1
+     name: webhook-service
+     fieldPath: .metadata.namespace # Namespace of the service
+   targets:
+     - select:
+         kind: Certificate
+         group: cert-manager.io
+         version: v1
+       fieldPaths:
+         - .spec.dnsNames.0
+         - .spec.dnsNames.1
+       options:
+         delimiter: '.'
+         index: 1
+         create: true
+
  - source: # Uncomment the following block if you have a ValidatingWebhook (--programmatic-validation)
      kind: Certificate
      group: cert-manager.io
@@ -116,62 +151,13 @@ replacements:
 #     version: v1
 #     name: serving-cert # This name should match the one in certificate.yaml
 #     fieldPath: .metadata.namespace # Namespace of the certificate CR
-#   targets:
-#     - select:
-#         kind: CustomResourceDefinition
-#       fieldPaths:
-#         - .metadata.annotations.[cert-manager.io/inject-ca-from]
-#       options:
-#         delimiter: '/'
-#         index: 0
-#         create: true
+#   targets: # Do not remove or uncomment the following scaffold marker; required to generate code for target CRD.
+# +kubebuilder:scaffold:crdcainjectionnamespace
 # - source:
 #     kind: Certificate
 #     group: cert-manager.io
 #     version: v1
 #     name: serving-cert # This name should match the one in certificate.yaml
 #     fieldPath: .metadata.name
-#   targets:
-#     - select:
-#         kind: CustomResourceDefinition
-#       fieldPaths:
-#         - .metadata.annotations.[cert-manager.io/inject-ca-from]
-#       options:
-#         delimiter: '/'
-#         index: 1
-#         create: true
-#
- - source: # Uncomment the following block if you enable cert-manager
-     kind: Service
-     version: v1
-     name: webhook-service
-     fieldPath: .metadata.name # Name of the service
-   targets:
-     - select:
-         kind: Certificate
-         group: cert-manager.io
-         version: v1
-       fieldPaths:
-         - .spec.dnsNames.0
-         - .spec.dnsNames.1
-       options:
-         delimiter: '.'
-         index: 0
-         create: true
- - source:
-     kind: Service
-     version: v1
-     name: webhook-service
-     fieldPath: .metadata.namespace # Namespace of the service
-   targets:
-     - select:
-         kind: Certificate
-         group: cert-manager.io
-         version: v1
-       fieldPaths:
-         - .spec.dnsNames.0
-         - .spec.dnsNames.1
-       options:
-         delimiter: '.'
-         index: 1
-         create: true
+#   targets: # Do not remove or uncomment the following scaffold marker; required to generate code for target CRD.
+# +kubebuilder:scaffold:crdcainjectioncertificate

docs/book/src/cronjob-tutorial/testdata/project/dist/install.yaml

@@ -14,16 +14,6 @@ metadata:
     controller-gen.kubebuilder.io/version: v0.16.4
   name: cronjobs.batch.tutorial.kubebuilder.io
 spec:
-  conversion:
-    strategy: Webhook
-    webhook:
-      clientConfig:
-        service:
-          name: project-webhook-service
-          namespace: project-system
-          path: /convert
-      conversionReviewVersions:
-      - v1
   group: batch.tutorial.kubebuilder.io
   names:
     kind: CronJob

docs/book/src/getting-started/testdata/project/config/crd/kustomization.yaml

@@ -6,14 +6,10 @@ resources:
 # +kubebuilder:scaffold:crdkustomizeresource
 
 patches:
-# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix.
+# [WEBHOOK] To enable the webhooks, uncomment all the sections with [WEBHOOK] prefix.
 # patches here are for enabling the conversion webhook for each CRD
 # +kubebuilder:scaffold:crdkustomizewebhookpatch
 
-# [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix.
-# patches here are for enabling the CA injection for each CRD
-# +kubebuilder:scaffold:crdkustomizecainjectionpatch
-
 # [WEBHOOK] To enable webhook, uncomment the following section
 # the following config is for teaching kustomize how to do kustomization for CRDs.
 #configurations:

docs/book/src/getting-started/testdata/project/config/default/kustomization.yaml

@@ -48,46 +48,50 @@ patches:
 # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix.
 # Uncomment the following replacements to add the cert-manager CA injection annotations
 #replacements:
-# - source: # Uncomment the following block if you have a ValidatingWebhook (--programmatic-validation)
-#     kind: Certificate
-#     group: cert-manager.io
+# - source: # Uncomment the following block if you enable cert-manager
+#     kind: Service
 #     version: v1
-#     name: serving-cert # This name should match the one in certificate.yaml
-#     fieldPath: .metadata.namespace # Namespace of the certificate CR
+#     name: webhook-service
+#     fieldPath: .metadata.name # Name of the service
 #   targets:
 #     - select:
-#         kind: ValidatingWebhookConfiguration
+#         kind: Certificate
+#         group: cert-manager.io
+#         version: v1
 #       fieldPaths:
-#         - .metadata.annotations.[cert-manager.io/inject-ca-from]
+#         - .spec.dnsNames.0
+#         - .spec.dnsNames.1
 #       options:
-#         delimiter: '/'
+#         delimiter: '.'
 #         index: 0
 #         create: true
 # - source:
-#     kind: Certificate
-#     group: cert-manager.io
+#     kind: Service
 #     version: v1
-#     name: serving-cert # This name should match the one in certificate.yaml
-#     fieldPath: .metadata.name
+#     name: webhook-service
+#     fieldPath: .metadata.namespace # Namespace of the service
 #   targets:
 #     - select:
-#         kind: ValidatingWebhookConfiguration
+#         kind: Certificate
+#         group: cert-manager.io
+#         version: v1
 #       fieldPaths:
-#         - .metadata.annotations.[cert-manager.io/inject-ca-from]
+#         - .spec.dnsNames.0
+#         - .spec.dnsNames.1
 #       options:
-#         delimiter: '/'
+#         delimiter: '.'
 #         index: 1
 #         create: true
 #
-# - source: # Uncomment the following block if you have a DefaultingWebhook (--defaulting )
+# - source: # Uncomment the following block if you have a ValidatingWebhook (--programmatic-validation)
 #     kind: Certificate
 #     group: cert-manager.io
 #     version: v1
 #     name: serving-cert # This name should match the one in certificate.yaml
 #     fieldPath: .metadata.namespace # Namespace of the certificate CR
 #   targets:
 #     - select:
-#         kind: MutatingWebhookConfiguration
+#         kind: ValidatingWebhookConfiguration
 #       fieldPaths:
 #         - .metadata.annotations.[cert-manager.io/inject-ca-from]
 #       options:
@@ -102,23 +106,23 @@ patches:
 #     fieldPath: .metadata.name
 #   targets:
 #     - select:
-#         kind: MutatingWebhookConfiguration
+#         kind: ValidatingWebhookConfiguration
 #       fieldPaths:
 #         - .metadata.annotations.[cert-manager.io/inject-ca-from]
 #       options:
 #         delimiter: '/'
 #         index: 1
 #         create: true
 #
-# - source: # Uncomment the following block if you have a ConversionWebhook (--conversion)
+# - source: # Uncomment the following block if you have a DefaultingWebhook (--defaulting )
 #     kind: Certificate
 #     group: cert-manager.io
 #     version: v1
 #     name: serving-cert # This name should match the one in certificate.yaml
 #     fieldPath: .metadata.namespace # Namespace of the certificate CR
 #   targets:
 #     - select:
-#         kind: CustomResourceDefinition
+#         kind: MutatingWebhookConfiguration
 #       fieldPaths:
 #         - .metadata.annotations.[cert-manager.io/inject-ca-from]
 #       options:
@@ -133,45 +137,27 @@ patches:
 #     fieldPath: .metadata.name
 #   targets:
 #     - select:
-#         kind: CustomResourceDefinition
+#         kind: MutatingWebhookConfiguration
 #       fieldPaths:
 #         - .metadata.annotations.[cert-manager.io/inject-ca-from]
 #       options:
 #         delimiter: '/'
 #         index: 1
 #         create: true
 #
-# - source: # Uncomment the following block if you enable cert-manager
-#     kind: Service
+# - source: # Uncomment the following block if you have a ConversionWebhook (--conversion)
+#     kind: Certificate
+#     group: cert-manager.io
 #     version: v1
-#     name: webhook-service
-#     fieldPath: .metadata.name # Name of the service
-#   targets:
-#     - select:
-#         kind: Certificate
-#         group: cert-manager.io
-#         version: v1
-#       fieldPaths:
-#         - .spec.dnsNames.0
-#         - .spec.dnsNames.1
-#       options:
-#         delimiter: '.'
-#         index: 0
-#         create: true
+#     name: serving-cert # This name should match the one in certificate.yaml
+#     fieldPath: .metadata.namespace # Namespace of the certificate CR
+#   targets: # Do not remove or uncomment the following scaffold marker; required to generate code for target CRD.
+# +kubebuilder:scaffold:crdcainjectionnamespace
 # - source:
-#     kind: Service
+#     kind: Certificate
+#     group: cert-manager.io
 #     version: v1
-#     name: webhook-service
-#     fieldPath: .metadata.namespace # Namespace of the service
-#   targets:
-#     - select:
-#         kind: Certificate
-#         group: cert-manager.io
-#         version: v1
-#       fieldPaths:
-#         - .spec.dnsNames.0
-#         - .spec.dnsNames.1
-#       options:
-#         delimiter: '.'
-#         index: 1
-#         create: true
+#     name: serving-cert # This name should match the one in certificate.yaml
+#     fieldPath: .metadata.name
+#   targets: # Do not remove or uncomment the following scaffold marker; required to generate code for target CRD.
+# +kubebuilder:scaffold:crdcainjectioncertificate

docs/book/src/multiversion-tutorial/testdata/project/config/crd/kustomization.yaml

@@ -6,16 +6,11 @@ resources:
 # +kubebuilder:scaffold:crdkustomizeresource
 
 patches:
-# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix.
+# [WEBHOOK] To enable the webhooks, uncomment all the sections with [WEBHOOK] prefix.
 # patches here are for enabling the conversion webhook for each CRD
 - path: patches/webhook_in_cronjobs.yaml
 # +kubebuilder:scaffold:crdkustomizewebhookpatch
 
-# [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix.
-# patches here are for enabling the CA injection for each CRD
-#- path: patches/cainjection_in_cronjobs.yaml
-# +kubebuilder:scaffold:crdkustomizecainjectionpatch
-
 # [WEBHOOK] To enable webhook, uncomment the following section
 # the following config is for teaching kustomize how to do kustomization for CRDs.
 configurations: