
Parameterize the name of the webhook certificate Secret (#2721)

Signed-off-by: Leonardo M. Miranda <leonardomichalskim@gmail.com>
Leonardo M. Miranda 2 yıl önce
ebeveyn
işleme
a9ed6011bb

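--- a/deploy/charts/external-secrets/README.md
+++ b/deploy/charts/external-secrets/README.md
@@ -150,6 +150,7 @@ The command removes all the Kubernetes components associated with the chart and
 | topologySpreadConstraints | list | `[]` |  |
 | webhook.affinity | object | `{}` |  |
 | webhook.certCheckInterval | string | `"5m"` | Specifices the time to check if the cert is valid |
+| webhook.certSecretNameOverride | string | `""` | If its value is different from the default one, it overrides the name of the secret resource where the webhook certificates are stored. |
 | webhook.certDir | string | `"/tmp/certs"` |  |
 | webhook.certManager.addInjectorAnnotations | bool | `true` | Automatically add the cert-manager.io/inject-ca-from annotation to the webhooks and CRDs. As long as you have the cert-manager CA Injector enabled, this will automatically setup your webhook's CA to the one used by cert-manager. See https://cert-manager.io/docs/concepts/ca-injector |
 | webhook.certManager.cert.annotations | object | `{}` | Add extra annotations to the Certificate resource. |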

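--- a/deploy/charts/external-secrets/templates/_helpers.tpl
+++ b/deploy/charts/external-secrets/templates/_helpers.tpl
@@ -133,3 +133,13 @@ Create the name of the service account to use
 {{- end }}
 {{- end }}
 
+{{/*
+Create the name of the secret where the webhook certificates are stored.
+*/}}
+{{- define "external-secrets-webhook.certSecretName" -}}
+{{- if (eq .Values.webhook.certSecretNameOverride "") -}}
+{{ include "external-secrets.fullname" . }}-webhook
+{{- else -}}
+{{ .Values.webhook.certSecretNameOverride }}
+{{- end -}}
+{{- end -}}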
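Review bot: The `eq .Values.webhook.certSecretNameOverride ""` test in `external-secrets-webhook.certSecretName` treats only the exact empty string as "unset". If a values file sets the key to `null` or to a non-string, the comparison would likely either abort the render or fall into the `else` branch and emit an unusable name, and that name is what the Secret holding the webhook TLS key is called. The truthiness form covers both cases in one line: `{{- default (printf "%s-webhook" (include "external-secrets.fullname" .)) .Values.webhook.certSecretNameOverride -}}`. The override is also emitted with no length or character check, so the comment above the define should state that the value must be a valid Secret name.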

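--- a/deploy/charts/external-secrets/templates/cert-controller-deployment.yaml
+++ b/deploy/charts/external-secrets/templates/cert-controller-deployment.yaml
@@ -52,7 +52,7 @@ spec:
           - --crd-requeue-interval={{ .Values.certController.requeueInterval }}
           - --service-name={{ include "external-secrets.fullname" . }}-webhook
           - --service-namespace={{ .Release.Namespace }}
-          - --secret-name={{ include "external-secrets.fullname" . }}-webhook
+          - --secret-name={{ template "external-secrets-webhook.certSecretName" . }}
           - --secret-namespace={{ .Release.Namespace }}
           - --metrics-addr=:{{ .Values.certController.prometheus.service.port }}
           - --healthz-addr={{ .Values.certController.readinessProbe.address }}:{{ .Values.certController.readinessProbe.port }}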

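--- a/deploy/charts/external-secrets/templates/webhook-certificate.yaml
+++ b/deploy/charts/external-secrets/templates/webhook-certificate.yaml
@@ -26,5 +26,5 @@ spec:
   {{- with .Values.webhook.certManager.cert.renewBefore }}
   renewBefore: {{ . | quote }}
   {{- end }}
-  secretName: {{ include "external-secrets.fullname" . }}-webhook
+  secretName: {{ template "external-secrets-webhook.certSecretName" . }}
 {{- end }}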
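Review bot: `secretName: {{ template "external-secrets-webhook.certSecretName" . }}` renders a user-supplied value unquoted, so an override such as `"1234"` or `"true"` would reach the API server as a number or boolean and be rejected. The previous value always ended in `-webhook` and could not be mistyped this way. `template` cannot be piped, so I would switch to `include` and quote the result: `secretName: {{ include "external-secrets-webhook.certSecretName" . | quote }}`. The same applies to `secretName:` in webhook-deployment.yaml and `name:` in webhook-secret.yaml, while the `--secret-name=` argument in cert-controller-deployment.yaml is already part of a string. The enclosing `spec:` block starts outside this hunk.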

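--- a/deploy/charts/external-secrets/templates/webhook-deployment.yaml
+++ b/deploy/charts/external-secrets/templates/webhook-deployment.yaml
@@ -96,7 +96,7 @@ spec:
       volumes:
         - name: certs
           secret:
-            secretName: {{ include "external-secrets.fullname" . }}-webhook
+            secretName: {{ template "external-secrets-webhook.certSecretName" . }}
       {{- if .Values.webhook.extraVolumes }}
       {{- toYaml .Values.webhook.extraVolumes | nindent 8 }}
       {{- end }}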

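--- a/deploy/charts/external-secrets/templates/webhook-secret.yaml
+++ b/deploy/charts/external-secrets/templates/webhook-secret.yaml
@@ -2,7 +2,7 @@
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ include "external-secrets.fullname" . }}-webhook
+  name: {{ template "external-secrets-webhook.certSecretName" . }}
   namespace: {{ .Release.Namespace | quote }}
   labels:
     {{- include "external-secrets-webhook.labels" . | nindent 4 }}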

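--- a/deploy/charts/external-secrets/tests/webhook_test.yaml
+++ b/deploy/charts/external-secrets/tests/webhook_test.yaml
@@ -161,3 +161,20 @@ tests:
     templates:
       - validatingwebhook.yaml
       - crds/externalsecret.yaml
+  - it: should override the name of the certificates Secret
+    set:
+      webhook.certSecretNameOverride: custom-secret-name
+    asserts:
+      - equal:
+          path: metadata.name
+          value: custom-secret-name
+    template: webhook-secret.yaml
+  - it: should override the name of the certificates Secret created by cert-manager
+    set:
+      webhook.certManager.enabled: true
+      webhook.certSecretNameOverride: custom-secret-name
+    asserts:
+      - equal:
+          path: spec.secretName
+          value: custom-secret-name
+    template: webhook-certificate.yaml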
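Review bot: The two new tests cover webhook-secret.yaml and webhook-certificate.yaml but not the consumers of the name: the `certs` volume in webhook-deployment.yaml and the `--secret-name` argument in cert-controller-deployment.yaml. If either drifts from the helper, the webhook would mount a Secret other than the one the certificates are written to, and nothing here would catch it. I would add the volume assertion below, which assumes webhook-deployment.yaml is in this suite's template list and `certs` stays the first volume. A matching `contains` check on the cert-controller args belongs in whichever suite renders that template.

```yaml
  # … unchanged: the two override tests added by this commit …
  - it: should mount the overridden certificates Secret in the webhook pod
    set:
      webhook.certSecretNameOverride: custom-secret-name
    asserts:
      - equal:
          path: spec.template.spec.volumes[0].secret.secretName
          value: custom-secret-name
    template: webhook-deployment.yaml
```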

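--- a/deploy/charts/external-secrets/values.yaml
+++ b/deploy/charts/external-secrets/values.yaml
@@ -219,6 +219,10 @@ webhook:
   # -- Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy)
   revisionHistoryLimit: 10
 
+  # -- If not empty, overrides the name of the secret resource where the webhook certificates are
+  # stored.
+  certSecretNameOverride: ""
+
   certDir: /tmp/certs
   # -- Specifies whether validating webhooks should be created with failurePolicy: Fail or Ignore
   failurePolicy: Fail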
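Review bot: The comment on `certSecretNameOverride` does not say that the chart neither validates the value nor checks for a name clash. The cert-controller is started with this name as `--secret-name`, so pointing it at a Secret that something else in the release namespace already uses would presumably get that Secret's contents replaced with the webhook certificates. I would add a line such as `# Must be a valid Secret name that nothing else in the release namespace uses.` to the comment. The `webhook:` mapping begins before this hunk and continues after it.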