kubebuilder
Unnecessary patch for CA injection
What broke? What's expected?
The CA injection patch is not necessary after the switch to replacements instead of vars. To be clear, it is not breaking anything either, it just doesn't add anything on top of what the replacements already do. The reason is that the replacements have create: true, which means they will create the annotation if it doesn't exist.
Since the replacements add the annotations, it also means that ALL CRDs will get the CA injected instead of just those that have the patch (when uncommenting only some of them, if you have multiple). Is this intentional? I guess it will not cause problems but wanted to double check.
Reproducing this issue
Simply following the quick start: https://book.kubebuilder.io/quick-start
mkdir -p ~/projects/guestbook
cd ~/projects/guestbook
kubebuilder init --domain my.domain --repo my.domain/guestbook
kubebuilder create api --group webapp --version v1 --kind Guestbook --controller --resource
make manifests
After this you will see that config/crd/patches contains cainjection_in_guestbooks.yaml, but we need to add a webhook to make it useful.
Create a webhook:
kubebuilder create webhook --group webapp --version v1 --kind Guestbook --defaulting --programmatic-validation --conversion
make manifests
Now uncomment the [WEBHOOK] and [CERTMANAGER] sections in config/default/kustomization.yaml. The comments in the file explain that one should uncomment the same sections in config/crd/kustomization.yaml. However, commenting/uncommenting the following lines does not affect the outcome:
# In default/kustomization.yaml
# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'.
# Uncomment 'CERTMANAGER' sections in crd/kustomization.yaml to enable the CA injection in the admission webhooks.
# 'CERTMANAGER' needs to be enabled to use ca injection
# - webhookcainjection_patch.yaml
# In crd/kustomization.yaml
# [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix.
# patches here are for enabling the CA injection for each CRD
# - path: patches/cainjection_in_guestbooks.yaml
#+kubebuilder:scaffold:crdkustomizecainjectionpatch
We can check like this:
kustomize build config/default | grep "cert-manager.io/inject-ca-from"
Try running the command with the lines commented/uncommented and see that there is no difference in the output.
The output is as follows:
# With all uncommented:
cert-manager.io/inject-ca-from: guestbook-system/guestbook-serving-cert
cert-manager.io/inject-ca-from: guestbook-system/guestbook-serving-cert
cert-manager.io/inject-ca-from: guestbook-system/guestbook-serving-cert
# With the two mentioned lines commented:
cert-manager.io/inject-ca-from: guestbook-system/guestbook-serving-cert
cert-manager.io/inject-ca-from: guestbook-system/guestbook-serving-cert
cert-manager.io/inject-ca-from: guestbook-system/guestbook-serving-cert
# With the two mentioned lines uncommented, and the replacements commented:
cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME
cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME
cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME
From this it should be clear that the replacements in config/default/kustomization.yaml are enough to inject the CA and the patches are not needed.
KubeBuilder (CLI) Version
Version: main.version{KubeBuilderVersion:"3.11.1", KubernetesVendor:"1.27.1", GitCommit:"1dc8ed95f7cc55fef3151f749d3d541bec3423c9", BuildDate:"2023-07-03T13:10:56Z", GoOs:"linux", GoArch:"amd64"}
PROJECT version
3
Plugin versions
layout:
- go.kubebuilder.io/v4
Other versions
No response
Extra Labels
No response
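To make the comparison in the report concrete, here are the two pieces of kustomize configuration involved, side by side. This is an added illustration written for this page, not a copy of the reporter's files or of the kubebuilder scaffold itself: the patch is reconstructed from the CERTIFICATE_NAMESPACE/CERTIFICATE_NAME placeholders seen in the output above, and the replacements block is written from the go/v4 layout as scaffolded for the config/default kustomization; field names such as serving-cert and guestbooks.webapp.my.domain are assumptions for the guestbook example. The third section is an assumed variant showing how the replacement could be narrowed to a single CRD, which is not what the scaffold does.

```yaml
# --- 1. config/crd/patches/cainjection_in_guestbooks.yaml (reconstructed) ---
# A strategic-merge patch that adds the annotation to exactly one CRD,
# with placeholder values that only make sense if something else
# (formerly vars, now replacements) rewrites them afterwards.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME
  name: guestbooks.webapp.my.domain   # assumed CRD name for the example
---
# --- 2. replacements block in config/default/kustomization.yaml (go/v4 layout) ---
# Source: the namespace and name of the cert-manager Certificate.
# Target: EVERY CustomResourceDefinition in the build (no name in `select`),
# so the annotation is written on all CRDs whether or not a patch exists.
# `create: true` is the key setting: when the annotation is absent,
# kustomize creates it instead of failing the build, which is why the
# patch above adds nothing on top of the replacement.
replacements:
  - source:
      kind: Certificate
      group: cert-manager.io
      version: v1
      name: serving-cert              # name prefix is added by namePrefix
      fieldPath: .metadata.namespace
    targets:
      - select:
          kind: CustomResourceDefinition
        fieldPaths:
          - .metadata.annotations.[cert-manager.io/inject-ca-from]
        options:
          delimiter: '/'
          index: 0
          create: true
  - source:
      kind: Certificate
      group: cert-manager.io
      version: v1
      name: serving-cert
      fieldPath: .metadata.name
    targets:
      - select:
          kind: CustomResourceDefinition
        fieldPaths:
          - .metadata.annotations.[cert-manager.io/inject-ca-from]
        options:
          delimiter: '/'
          index: 1
          create: true
---
# --- 3. Assumed variant: inject the CA only into CRDs that actually serve
# a webhook. Adding `name` to `select` restricts the target, and dropping
# `create: true` (kustomize defaults it to false) makes the build fail
# rather than silently annotate a CRD that has no annotation to fill.
replacements:
  - source:
      kind: Certificate
      group: cert-manager.io
      version: v1
      name: serving-cert
      fieldPath: .metadata.namespace
    targets:
      - select:
          kind: CustomResourceDefinition
          name: guestbooks.webapp.my.domain   # only this CRD
        fieldPaths:
          - .metadata.annotations.[cert-manager.io/inject-ca-from]
        options:
          delimiter: '/'
          index: 0
```

Reading the two scaffolded pieces together explains both observations in the report: the grep output is identical with or without the patch because section 2 always writes the full annotation value, and every CRD receives it because `select` matches on kind alone. Whether a CRD should carry inject-ca-from when it has no conversion webhook is the design question the reporter raises; the variant in section 3 is one way to express the narrower intent if that is what a project wants.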