
Refactor webhook.addCustomCertSecretInjectorAnnotations to webhook.certManager.addInjectorAnnotationsFromSecret

Signed-off-by: Leonardo M. Miranda <leonardomichalskim@gmail.com>
Leonardo M. Miranda пре 2 година
родитељ
комит
2c1e40c901

+ 3 - 3
deploy/charts/external-secrets/README.md

@@ -148,18 +148,18 @@ The command removes all the Kubernetes components associated with the chart and
 | serviceMonitor.scrapeTimeout | string | `"25s"` | Timeout if metrics can't be retrieved in given time interval |
 | tolerations | list | `[]` |  |
 | topologySpreadConstraints | list | `[]` |  |
-| webhook.addCustomCertSecretInjectorAnnotations | bool | `false` | Although webhook.certManager may be disabled, cert-manager still needs to be installed (and this chart does not install it for you). "cert-manager" is used to inject the caBundle into Kind=CustomResourceDefinition for conversion webhooks and Kind=ValidatingWebhookConfiguration for validating admission webhook. The Secret resource MUST have an `cert-manager.io/allow-direct-injection: "true"` annotation. |
 | webhook.affinity | object | `{}` |  |
 | webhook.certCheckInterval | string | `"5m"` | Specifices the time to check if the cert is valid |
 | webhook.certDir | string | `"/tmp/certs"` |  |
-| webhook.certManager.addInjectorAnnotations | bool | `true` | Automatically add the cert-manager.io/inject-ca-from annotation to the webhooks and CRDs. As long as you have the cert-manager CA Injector enabled, this will automatically setup your webhook's CA to the one used by cert-manager. See https://cert-manager.io/docs/concepts/ca-injector |
+| webhook.certManager.addInjectorAnnotations | bool | `true` | Automatically add the cert-manager.io/inject-ca-from (from a Certificate resource) annotation to the webhooks and CRDs. As long as you have the cert-manager CA Injector enabled, this will automatically setup your webhook's CA to the one used by cert-manager. See https://cert-manager.io/docs/concepts/ca-injector |
+| webhook.certManager.addInjectorAnnotationsFromSecret | bool | `false` | Automatically add the cert-manager.io/inject-ca-from-secret (from a Secret resource) annotation to the webhooks and CRDs. For it to work, the cert-manager CA Injector needs be enabled. Also, the Secret resource MUST have an `cert-manager.io/allow-direct-injection: "true"` annotation. See https://cert-manager.io/docs/concepts/ca-injector |
 | webhook.certManager.cert.annotations | object | `{}` | Add extra annotations to the Certificate resource. |
 | webhook.certManager.cert.create | bool | `true` | Create a certificate resource within this chart. See https://cert-manager.io/docs/usage/certificate/ |
 | webhook.certManager.cert.duration | string | `""` | Set the requested duration (i.e. lifetime) of the Certificate. See https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec |
 | webhook.certManager.cert.issuerRef | object | `{"group":"cert-manager.io","kind":"Issuer","name":"my-issuer"}` | For the Certificate created by this chart, setup the issuer. See https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.IssuerSpec |
 | webhook.certManager.cert.renewBefore | string | `""` | How long before the currently issued certificate’s expiry cert-manager should renew the certificate. See https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec Note that renewBefore should be greater than .webhook.lookaheadInterval since the webhook will check this far in advance that the certificate is valid. |
 | webhook.certManager.enabled | bool | `false` | Enabling cert-manager support will disable the built in secret and switch to using cert-manager (installed separately) to automatically issue and renew the webhook certificate. This chart does not install cert-manager for you, See https://cert-manager.io/docs/ |
-| webhook.certSecretNameOverride | string | `""` | If not empty, overrides the name of the secret resource where the webhook certificates are stored. If the secret resource you want to use already exists, also check the following values: `certController.create`; `webhook.certManager.enabled`; `webhook.createWebhookSecret`; `webhook.addCustomCertSecretInjectorAnnotations`. |
+| webhook.certSecretNameOverride | string | `""` | If not empty, overrides the name of the secret resource where the webhook certificates are stored. If the secret resource you want to use already exists, also check the following values: `certController.create`; `webhook.certManager.enabled`; `webhook.createWebhookSecret`; `webhook.certManager.addInjectorAnnotationsFromSecret`. |
 | webhook.create | bool | `true` | Specifies whether a webhook deployment be created. |
 | webhook.createWebhookSecret | bool | `true` | Whether to create the webhook secret resource (doesn't interfere with webhook.certManager.cert.create). |
 | webhook.deploymentAnnotations | object | `{}` | Annotations to add to Deployment |

+ 2 - 2
deploy/charts/external-secrets/templates/validatingwebhook.yaml

@@ -8,7 +8,7 @@ metadata:
     {{- with .Values.commonLabels }}
     {{ toYaml . | nindent 4 }}
     {{- end }}
-  {{- if .Values.webhook.addCustomCertSecretInjectorAnnotations }}
+  {{- if and .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotationsFromSecret }}
   annotations:
     cert-manager.io/inject-ca-from-secret: {{ .Release.Namespace }}/{{ template "external-secrets-webhook.certSecretName" . }}
   {{- else if and .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
@@ -57,7 +57,7 @@ metadata:
     {{- with .Values.commonLabels }}
     {{ toYaml . | nindent 4 }}
     {{- end }}
-  {{- if .Values.webhook.addCustomCertSecretInjectorAnnotations }}
+  {{- if and .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotationsFromSecret }}
   annotations:
     cert-manager.io/inject-ca-from-secret: {{ .Release.Namespace }}/{{ template "external-secrets-webhook.certSecretName" . }}
   {{- else if and .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
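Review bot: The renamed condition on the new `if` line of both hunks silently drops the annotation for anyone still setting `webhook.addCustomCertSecretInjectorAnnotations: true`, and — because the new condition also requires `webhook.certManager.enabled` — for anyone who used the secret injection with cert-manager support disabled, which the comment removed from values.yaml in this commit explicitly allowed; the result is a ValidatingWebhookConfiguration with no injected caBundle, which with the chart's default `failurePolicy: Fail` blocks admission and with `Ignore` skips validation without any error. A rendering-time guard at the top of the template would turn that into a loud upgrade failure: `{{- if hasKey .Values.webhook "addCustomCertSecretInjectorAnnotations" }}{{ fail "webhook.addCustomCertSecretInjectorAnnotations was renamed to webhook.certManager.addInjectorAnnotationsFromSecret" }}{{- end }}`. The same condition is now duplicated in both hunks of this file and a third time in hack/helm.generate.sh; a named helper template would keep the copies from drifting. Both `metadata:` blocks start before their hunks.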

+ 5 - 4
deploy/charts/external-secrets/tests/webhook_test.yaml

@@ -175,8 +175,10 @@ tests:
     set:
       certController.create: false
       webhook.create: true
-      webhook.certManager.enabled: false
-      webhook.addCustomCertSecretInjectorAnnotations: true
+      webhook.certManager.enabled: true
+      webhook.certManager.cert.create: false
+      webhook.certManager.addInjectorAnnotationsFromSecret: true
+      webhook.certManager.addInjectorAnnotations: false
     asserts:
       - equal:
           path: metadata.annotations["cert-manager.io/inject-ca-from-secret"]
@@ -186,8 +188,7 @@ tests:
       - crds/externalsecret.yaml
   - it: should not add injector annotations for the *custom secret*
     set:
-      webhook.addCustomCertSecretInjectorAnnotations: false
-      # just to avoid future conflicts with other annotations
+      webhook.certManager.addInjectorAnnotationsFromSecret: false
       webhook.certManager.addInjectorAnnotations: false
     asserts:
       - isNull:
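Review bot: Neither test in this file covers the gating the template change introduces: there is no case with `webhook.certManager.enabled: false` and `webhook.certManager.addInjectorAnnotationsFromSecret: true` asserting the annotation is absent, and the first test explicitly sets `webhook.certManager.addInjectorAnnotations: false`, so the precedence between the two flags when both are true (the secret branch wins, being the first `if` in the template) is also unpinned. A case along the lines below covers the gating; a second one with both flags true and an `equal` assert on `inject-ca-from-secret` would pin the precedence. The `tests:` list these belong to starts before the hunk, and the `templates:` list per case is presumably the same as in the existing cases.
```yaml
  # … unchanged: existing test cases …
  - it: should not add injector annotations from the secret when certManager is disabled
    # templates: as in the existing cases
    set:
      webhook.certManager.enabled: false
      webhook.certManager.addInjectorAnnotationsFromSecret: true
    asserts:
      - isNull:
          path: metadata.annotations["cert-manager.io/inject-ca-from-secret"]
```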

+ 14 - 12
deploy/charts/external-secrets/values.yaml

@@ -222,20 +222,13 @@ webhook:
   # -- If not empty, overrides the name of the secret resource where the webhook certificates are
   # stored. If the secret resource you want to use already exists, also check the following values:
   # `certController.create`; `webhook.certManager.enabled`; `webhook.createWebhookSecret`;
-  # `webhook.addCustomCertSecretInjectorAnnotations`.
+  # `webhook.certManager.addInjectorAnnotationsFromSecret`.
   certSecretNameOverride: ""
 
   # -- Whether to create the webhook secret resource (doesn't interfere with
   # webhook.certManager.cert.create).
   createWebhookSecret: true
 
-  # -- Although webhook.certManager may be disabled, cert-manager still needs to be installed
-  # (and this chart does not install it for you). "cert-manager" is used to inject the caBundle
-  # into Kind=CustomResourceDefinition for conversion webhooks and Kind=ValidatingWebhookConfiguration
-  # for validating admission webhook. The Secret resource MUST have an
-  # `cert-manager.io/allow-direct-injection: "true"` annotation.
-  addCustomCertSecretInjectorAnnotations: false
-
   certDir: /tmp/certs
   # -- Specifies whether validating webhooks should be created with failurePolicy: Fail or Ignore
   failurePolicy: Fail
@@ -274,11 +267,20 @@ webhook:
     # and renew the webhook certificate. This chart does not install
     # cert-manager for you, See https://cert-manager.io/docs/
     enabled: false
-    # -- Automatically add the cert-manager.io/inject-ca-from annotation to the
-    # webhooks and CRDs. As long as you have the cert-manager CA Injector
-    # enabled, this will automatically setup your webhook's CA to the one used
-    # by cert-manager. See https://cert-manager.io/docs/concepts/ca-injector
+
+    # -- Automatically add the cert-manager.io/inject-ca-from from (from a Certificate
+    #  resource) annotation to the webhooks and CRDs. As long as you have the 
+    # cert-manager CA Injector enabled, this will automatically setup your webhook's CA
+    # to the one used by cert-manager. See https://cert-manager.io/docs/concepts/ca-injector
     addInjectorAnnotations: true
+
+    # -- Automatically add the cert-manager.io/inject-ca-from-secret (from a Secret
+    # resource) annotation to the webhooks and CRDs. For it to work, the cert-manager
+    # CA Injector needs be enabled. Also, the Secret resource MUST have an
+    # `cert-manager.io/allow-direct-injection: "true"`` annotation. See
+    # https://cert-manager.io/docs/concepts/ca-injector
+    addInjectorAnnotationsFromSecret: false
+
     cert:
       # -- Create a certificate resource within this chart. See
       # https://cert-manager.io/docs/usage/certificate/
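Review bot: The new `# --` comments in the second hunk, which helm-docs turns into the README rows, carry several wording errors: `inject-ca-from from (from a Certificate` repeats "from", `needs be enabled` is missing "to", the annotation example closes with a stray extra backtick (`"true"`` annotation`), `an` should be `a` before `cert-manager.io/allow-direct-injection`, and the line after `inject-ca-from` has trailing whitespace and an extra leading space; the README hunk in this commit already reproduces two of these, so they should be fixed here at the source. The comment for `addInjectorAnnotationsFromSecret` should also state the two conditions the template actually applies, which are not obvious from the value's name: it is only honoured when `webhook.certManager.enabled` is true (which, with the default `cert.create: true`, presumably also renders a Certificate unless that is turned off, as the new test case does), and when both injector flags are true the secret annotation takes precedence. A line such as `# Only used when webhook.certManager.enabled is true; takes precedence over addInjectorAnnotations.` would do. The `webhook:` and `certManager:` maps both start before their hunks.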

+ 1 - 1
hack/helm.generate.sh

@@ -31,7 +31,7 @@ for i in "${HELM_DIR}"/templates/crds/*.yml; do
   rm "$i.bkp"
   $SEDPRG -i 's/name: kubernetes/name: {{ include "external-secrets.fullname" . }}-webhook/g' "$i"
   $SEDPRG -i 's/namespace: default/namespace: {{ .Release.Namespace | quote }}/g' "$i"
-  $SEDPRG -i '0,/annotations/!b;//a\    {{- with .Values.crds.annotations }}\n    {{- toYaml . | nindent 4}}\n    {{- end }}\n    {{- if .Values.webhook.addCustomCertSecretInjectorAnnotations }}\n    cert-manager.io/inject-ca-from-secret: {{ .Release.Namespace }}/{{ template "external-secrets-webhook.certSecretName" . }}\n    {{- else if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}\n    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook\n    {{- end }}' "$i"
+  $SEDPRG -i '0,/annotations/!b;//a\    {{- with .Values.crds.annotations }}\n    {{- toYaml . | nindent 4}}\n    {{- end }}\n    {{- if and .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotationsFromSecret }}\n    cert-manager.io/inject-ca-from-secret: {{ .Release.Namespace }}/{{ template "external-secrets-webhook.certSecretName" . }}\n    {{- else if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}\n    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook\n    {{- end }}' "$i"
 
   $SEDPRG -i '/  conversion:/i{{- if .Values.crds.conversion.enabled }}' "$i"
   echo "{{- end }}" >> "$i"
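Review bot: The rewritten `if` branch inserted into every CRD is not gated on `.Values.crds.conversion.enabled`, while the `else if` branch on the same line is, so with conversion disabled the CRD still carries `cert-manager.io/inject-ca-from-secret`, pointing cainjector at a CRD whose conversion block is never rendered (that block is only emitted under the same flag by the `/  conversion:/i` insert on the next line). The asymmetry predates this commit, but the rewrite is the moment to align the two branches: `{{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotationsFromSecret }}`. The template text here is also the third copy of the condition used in validatingwebhook.yaml, embedded in a single several-hundred-character `a\` string; keeping the snippet in a here-doc or a small template file pulled in with sed's `r` command would make the next rename reviewable. The `for` loop this line belongs to starts before the hunk.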