fix: use replacements for poddefaults Certificate (#160)

* fix: use replacements for poddefaults Certificate

Signed-off-by: Kimonas Sotirchos <[email protected]>

* fix: remove false substitution in CI scripts

Signed-off-by: Kimonas Sotirchos <[email protected]>

* review: add name prefix to Issuer

Signed-off-by: Kimonas Sotirchos <[email protected]>

* review: modify deploy_component.sh

Signed-off-by: Kimonas Sotirchos <[email protected]>

* fixup: update Issuer for updated Certificate

Signed-off-by: Kimonas Sotirchos <[email protected]>

---------

Signed-off-by: Kimonas Sotirchos <[email protected]>

Author: kimwnasptd

components/poddefaults-webhooks/manifests/base/deployment.yaml

@@ -30,5 +30,5 @@ spec:
       volumes:
       - name: webhook-cert
         secret:
-          secretName: webhook-certs
+          secretName: poddefaults-webhook-certs
       serviceAccountName: service-account

components/poddefaults-webhooks/manifests/base/kustomization.yaml

@@ -13,6 +13,7 @@ images:
   newName: ghcr.io/kubeflow/dashboard/poddefaults-webhook
   newTag: latest
 namespace: kubeflow
+namePrefix: poddefaults-webhook-
 generatorOptions:
   disableNameSuffixHash: true
 configurations:

components/poddefaults-webhooks/manifests/base/params.yaml

@@ -1,10 +1,3 @@
-varReference:
-- path: webhooks/clientConfig/service/namespace
-  kind: MutatingWebhookConfiguration
-- path: webhooks/clientConfig/service/name
-  kind: MutatingWebhookConfiguration
-- path: webhooks/name
-  kind: MutatingWebhookConfiguration
 nameReference:
 - kind: Service
   version: v1

components/poddefaults-webhooks/manifests/overlays/cert-manager/certificate.yaml

@@ -1,23 +1,23 @@
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
-  name: cert
+  name: poddefaults-webhook-cert
 spec:
   isCA: true
-  commonName: $(podDefaultsServiceName).$(podDefaultsNamespace).svc
+  commonName: REPLACEMENT-SVC-NAME.SVC-NAMESPACE.svc
   dnsNames:
-  - $(podDefaultsServiceName).$(podDefaultsNamespace).svc
-  - $(podDefaultsServiceName).$(podDefaultsNamespace).svc.cluster.local
+  - REPLACEMENT-SVC-NAME.REPLACEMENT-SVC-NAMESPACE.svc
+  - REPLACEMENT-SVC-NAME.SVC-NAMESPACE.svc.cluster.local
   issuerRef:
     kind: Issuer
-    name: selfsigned-issuer
-  secretName: webhook-certs
+    name: poddefaults-webhook-selfsigned-issuer
+  secretName: poddefaults-webhook-certs
 
 ---
 
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
-  name: selfsigned-issuer
+  name: poddefaults-webhook-selfsigned-issuer
 spec:
   selfSigned: {}

components/poddefaults-webhooks/manifests/overlays/cert-manager/kustomization.yaml

@@ -12,8 +12,6 @@ resources:
 
 namespace: kubeflow
 
-namePrefix: poddefaults-webhook-
-
 commonLabels:
   app: poddefaults
   kustomize.component: poddefaults
@@ -27,21 +25,74 @@ patchesStrategicMerge:
 generatorOptions:
   disableNameSuffixHash: true
 
-vars:
-# These vars are used to substitute in the namespace, service name and
-# deployment name into the mutating WebHookConfiguration.
-# Since its a CR kustomize isn't aware of those fields and won't
-# transform them.
-# We need the var names to be relatively unique so that when we
-# compose with other applications they won't conflict.
-- name: podDefaultsCertName
-  objref:
+replacements:
+# Replacements for the Certificate
+- source:
+    fieldPath: metadata.name
+    kind: Service
+    name: service
+    version: v1
+  targets:
+  - fieldPaths:
+    - spec.commonName
+    - spec.dnsNames.0
+    - spec.dnsNames.1
+    options:
+      delimiter: .
+      index: 0
+    select:
+      group: cert-manager.io
       kind: Certificate
+      version: v1
+- source:
+    fieldPath: metadata.namespace
+    kind: Service
+    name: service
+    version: v1
+  targets:
+  - fieldPaths:
+    - spec.commonName
+    - spec.dnsNames.0
+    - spec.dnsNames.1
+    options:
+      delimiter: .
+      index: 1
+    select:
       group: cert-manager.io
+      kind: Certificate
+      version: v1
+
+# Replacements for the MutatingWebhookCOnfiguration
+- source:
+    fieldPath: metadata.namespace
+    group: cert-manager.io
+    kind: Certificate
+    version: v1
+  targets:
+  - fieldPaths:
+    - metadata.annotations.[cert-manager.io/inject-ca-from]
+    options:
+      delimiter: /
+      index: 0
+    select:
+      group: admissionregistration.k8s.io
+      kind: MutatingWebhookConfiguration
+      version: v1
+- source:
+    fieldPath: metadata.name
+    group: cert-manager.io
+    kind: Certificate
+    version: v1
+  targets:
+  - fieldPaths:
+    - metadata.annotations.[cert-manager.io/inject-ca-from]
+    options:
+      delimiter: /
+      index: 1
+    select:
+      group: admissionregistration.k8s.io
+      kind: MutatingWebhookConfiguration
       version: v1
-      name: cert
-  fieldref:
-    fieldpath: metadata.name
 
 configurations:
 - params.yaml

components/poddefaults-webhooks/manifests/overlays/cert-manager/mutating-webhook-configuration.yaml

@@ -3,5 +3,4 @@ kind: MutatingWebhookConfiguration
 metadata:
   name: mutating-webhook-configuration
   annotations:
-    cert-manager.io/inject-ca-from: $(podDefaultsNamespace)/$(podDefaultsCertName)
-  
+    cert-manager.io/inject-ca-from: REPLACEMENT-NAMESPACE/REPLACEMENT-CERT-NAME

components/poddefaults-webhooks/manifests/overlays/cert-manager/params.yaml

@@ -1,12 +1,3 @@
-varReference:
-- path: spec/commonName
-  kind: Certificate
-- path: spec/dnsNames
-  kind: Certificate
-- path: spec/issuerRef/name
-  kind: Certificate
-- path: metadata/annotations
-  kind: MutatingWebhookConfiguration
 nameReference:
 - kind: Issuer
   group: cert-manager.io

testing/shared/deploy_component.sh

@@ -3,7 +3,7 @@
 set -euo pipefail
 
 # Script to build and deploy a Kubeflow dashboard component
-# Usage: ./deploy_component.sh COMPONENT_NAME COMPONENT_PATH IMAGE_NAME TAG [MANIFESTS_PATH] [OVERLAY]
+# Usage: ./deploy_component.sh COMPONENT_PATH IMAGE_NAME TAG [MANIFESTS_PATH] [OVERLAY]
 
 COMPONENT_PATH="$1"
 IMAGE_NAME="$2"
@@ -38,29 +38,11 @@ export PR_IMAGE="${IMAGE_NAME}:${TAG}"
 export CURRENT_IMAGE_ESCAPED=$(echo "$CURRENT_IMAGE" | sed 's|\.|\\.|g')
 export PR_IMAGE_ESCAPED=$(echo "$PR_IMAGE" | sed 's|\.|\\.|g')
 
-for overlay_path in "${OVERLAY}" "overlays/kserve" "overlays/cert-manager"; do
-    if [ -d "$overlay_path" ]; then
-        if [ "$overlay_path" = "overlays/cert-manager" ]; then
-            kustomize build "$overlay_path" \
-              | sed "s|${CURRENT_IMAGE_ESCAPED}:[a-zA-Z0-9_.-]*|${PR_IMAGE_ESCAPED}|g" \
-              | sed 's/$(podDefaultsServiceName)/poddefaults-webhook-service/g' \
-              | sed 's/$(podDefaultsNamespace)/kubeflow/g' \
-              | sed "s|\$(CD_NAMESPACE)|${CD_NAMESPACE:-kubeflow}|g" \
-              | sed "s|\$(CD_CLUSTER_DOMAIN)|${CD_CLUSTER_DOMAIN:-cluster.local}|g" \
-              | sed "s|CD_NAMESPACE_PLACEHOLDER|${CD_NAMESPACE_PLACEHOLDER:-kubeflow}|g" \
-              | sed "s|CD_CLUSTER_DOMAIN_PLACEHOLDER|${CD_CLUSTER_DOMAIN_PLACEHOLDER:-cluster.local}|g" \
-              | kubectl apply -f -
-        else
-            kustomize build "$overlay_path" \
-              | sed "s|${CURRENT_IMAGE_ESCAPED}:[a-zA-Z0-9_.-]*|${PR_IMAGE_ESCAPED}|g" \
-              | sed "s|\$(CD_NAMESPACE)|${CD_NAMESPACE:-kubeflow}|g" \
-              | sed "s|\$(CD_CLUSTER_DOMAIN)|${CD_CLUSTER_DOMAIN:-cluster.local}|g" \
-              | sed "s|CD_NAMESPACE_PLACEHOLDER|${CD_NAMESPACE_PLACEHOLDER:-kubeflow}|g" \
-              | sed "s|CD_CLUSTER_DOMAIN_PLACEHOLDER|${CD_CLUSTER_DOMAIN_PLACEHOLDER:-cluster.local}|g" \
-              | kubectl apply -f -
-        fi
-        exit 0
-    fi
-done
 
-exit 1 
+kustomize build "$OVERLAY" \
+  | sed "s|${CURRENT_IMAGE_ESCAPED}:[a-zA-Z0-9_.-]*|${PR_IMAGE_ESCAPED}|g" \
+  | sed "s|\$(CD_NAMESPACE)|${CD_NAMESPACE:-kubeflow}|g" \
+  | sed "s|\$(CD_CLUSTER_DOMAIN)|${CD_CLUSTER_DOMAIN:-cluster.local}|g" \
+  | sed "s|CD_NAMESPACE_PLACEHOLDER|${CD_NAMESPACE_PLACEHOLDER:-kubeflow}|g" \
+  | sed "s|CD_CLUSTER_DOMAIN_PLACEHOLDER|${CD_CLUSTER_DOMAIN_PLACEHOLDER:-cluster.local}|g" \
+  | kubectl apply -f -