
WIP: improve deployment manifests to be on a functional state

Signed-off-by: Gustavo Carvalho <gustavo.carvalho@container-solutions.com>
Gustavo Carvalho 4 years ago
parent
commit
bbedad6053

+ 2 - 1
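--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,6 @@
 .DS_Store
-
+/webhook/bin
+/webhook/certcontroller/bin
 /bin
 /vendor
 cover.out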
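Review bot: The new `/webhook/certcontroller/bin` entry does not match the two cert-controller binaries this same commit adds under `webhook/certcontrollerbin/` (the slash-less output path the Makefile hunk corrects), and the `webhook/bin/` binaries are committed as well even though `/webhook/bin` is now ignored — an ignore rule never untracks a file that is already staged. Checked-in build outputs have no reproducible provenance and drift from the source they were built from, so the four `BIN` entries on this page should be dropped from the tree (`git rm --cached`) before this leaves WIP, and the stray `webhook/certcontrollerbin/` directory deleted locally rather than ignored.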

+ 5 - 1
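--- a/Makefile
+++ b/Makefile
@@ -109,7 +109,7 @@ build-%: generate ## Build binary for the specified arch
 	@$(OK) go build $*
 	@$(INFO) go build $*
 	@CGO_ENABLED=0 GOOS=linux GOARCH=$* \
-		go build -o 'webhook/certcontroller$(OUTPUT_DIR)/external-secrets-cert-controller-linux-$*' webhook/certcontroller/main.go
+		go build -o 'webhook/certcontroller/$(OUTPUT_DIR)/external-secrets-cert-controller-linux-$*' webhook/certcontroller/main.go
 	@$(OK) go build $*
 
 lint.check: ## Check install of golanci-lint
@@ -216,11 +216,15 @@ build.all: docker.build helm.build ## Build all artifacts (docker image, helm ch
 docker.build: $(addprefix build-,$(ARCH)) ## Build the docker image
 	@$(INFO) docker build
 	@docker build . $(BUILD_ARGS) -t $(IMAGE_REGISTRY):$(VERSION)
+	@docker build webhook/ $(BUILD_ARGS) -t $(IMAGE_REGISTRY)-webhook:$(VERSION)
+	@docker build webhook/certcontroller $(BUILD_ARGS) -t $(IMAGE_REGISTRY)-cert-controller:$(VERSION)
 	@$(OK) docker build
 
 docker.push: ## Push the docker image to the registry
 	@$(INFO) docker push
 	@docker push $(IMAGE_REGISTRY):$(VERSION)
+	@docker push $(IMAGE_REGISTRY)-webhook:$(VERSION)
+	@docker push $(IMAGE_REGISTRY)-cert-controller:$(VERSION)
 	@$(OK) docker push
 
 # RELEASE_TAG is tag to promote. Default is promoting to main branch, but can be overriden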
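Review bot: The `## Build the docker image` and `## Push the docker image to the registry` help strings in the second hunk are now inaccurate, since each target handles three images; `docker.build: $(addprefix build-,$(ARCH)) ## Build the controller, webhook and cert-controller images` and `docker.push: ## Push the controller, webhook and cert-controller images` keep `make help` honest. The `-webhook` and `-cert-controller` tags are formed by suffixing `$(IMAGE_REGISTRY)`, which only yields a valid repository if that variable already holds the full image name rather than a bare registry host; the existing `$(IMAGE_REGISTRY):$(VERSION)` tag suggests it does, but a one-line comment where `IMAGE_REGISTRY` is defined (outside this hunk) stating that convention would spare the next reader the inference.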

+ 0 - 59
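--- a/deploy/charts/external-secrets/templates/deployment.yaml
+++ b/deploy/charts/external-secrets/templates/deployment.yaml
@@ -77,65 +77,6 @@ spec:
           resources:
             {{- toYaml . | nindent 12 }}
           {{- end }}
-        - name: webhook
-          {{- with .Values.securityContext }}
-          securityContext:
-            {{- toYaml . | nindent 12 }}
-          {{- end }}
-          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
-          imagePullPolicy: {{ .Values.image.pullPolicy }}
-          args:
-          - --webhook=true
-          - --metrics-addr=:8081
-          {{- if or (.Values.leaderElect) (.Values.scopedNamespace) (.Values.concurrent) (.Values.extraArgs) }}
-          {{- if .Values.leaderElect }}
-          - --enable-leader-election=true
-          {{- end }}
-          {{- if .Values.scopedNamespace }}
-          - --namespace={{ .Values.scopedNamespace }}
-          {{- end }}
-          {{- if .Values.controllerClass }}
-          - --controller-class={{ .Values.controllerClass }}
-          {{- end }}
-          {{- if .Values.concurrent }}
-          - --concurrent={{ .Values.concurrent }}
-          {{- end }}
-          {{- range $key, $value := .Values.extraArgs }}
-            {{- if $value }}
-          - --{{ $key }}={{ $value }}
-            {{- else }}
-          - --{{ $key }}
-            {{- end }}
-          {{- end }}
-          {{- end }}
-          {{- if .Values.webhook.enabled }}
-          volumeMounts:
-          - name: certs
-            mountPath: {{ .Values.webhook.certDir }}
-          {{- end }}
-          ports:
-            - containerPort: 9443
-              protocol: TCP
-              name: webhook
-          readinessProbe:
-            tcpSocket:
-              port: 9443
-            initialDelaySeconds: 20
-            periodSeconds: 5
-          {{- with .Values.extraEnv }}
-          env:
-            {{- toYaml . | nindent 12 }}
-          {{- end }}
-          {{- with .Values.resources }}
-          resources:
-            {{- toYaml . | nindent 12 }}
-          {{- end }}
-      {{- if .Values.webhook.enabled }}
-      volumes:
-      - name: certs
-        secret:
-          secretName: {{ include "external-secrets.fullname" . }}-webhook
-      {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}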

+ 2 - 0
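--- a/deploy/charts/external-secrets/templates/webhook-deployment.yaml
+++ b/deploy/charts/external-secrets/templates/webhook-deployment.yaml
@@ -43,6 +43,8 @@ spec:
           {{- end }}
           image: "{{ .Values.webhook.image.repository }}:{{ .Values.webhook.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.webhook.image.pullPolicy }}
+          args:
+          - --dns-name={{ include "external-secrets.fullname" . }}-webhook.{{ .Release.Namespace }}.svc
           {{- range $key, $value := .Values.webhook.extraArgs }}
             {{- if $value }}
           - --{{ $key }}={{ $value }}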
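Review bot: The new `args:` passes only `--dns-name`, so the `--cert-dir` flag the webhook binary gains in this commit keeps its default `/tmp/k8s-webhook-server/serving-certs`, while the chart previously mounted the certificate Secret at `.Values.webhook.certDir` (the block removed from deployment.yaml on this page). Unless this template mounts the Secret at exactly the default path (not visible in the hunk), `checkCerts` will watch a directory that never receives the served certificate and the DNS-name validation silently never runs against it; adding `- --cert-dir={{ .Values.webhook.certDir }}` next to the mount keeps the two in sync and makes the dependency explicit. The container spec continues outside the hunk.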

+ 1 - 3
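--- a/deploy/charts/external-secrets/templates/webhook-secret.yaml
+++ b/deploy/charts/external-secrets/templates/webhook-secret.yaml
@@ -1,9 +1,7 @@
-{{- if .Values.webhook.enabled }}
 apiVersion: v1
 kind: Secret
 metadata:
   name: {{ include "external-secrets.fullname" . }}-webhook
   labels:
     {{- include "external-secrets-webhook.labels" . | nindent 4 }}
-    external-secrets.io/component : webhook
-{{- end }}
+    external-secrets.io/component : webhook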
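Review bot: Removing the `.Values.webhook.enabled` guard (here and in webhook-service.yaml) renders this Secret unconditionally, but the rest of the chart is not on this page; if `webhook.enabled` is still declared in values.yaml it now silently does nothing for these two templates and should either be dropped from the values or documented as applying to the Deployment only. The Secret also carries no `data:`, so it is presumably a placeholder the cert-controller fills at runtime — that intent deserves a template comment such as `{{- /* intentionally empty: the serving certificate is written into this Secret by the cert-controller */ -}}` so nobody later "fixes" it with a static key.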

+ 5 - 3
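--- a/deploy/charts/external-secrets/templates/webhook-service.yaml
+++ b/deploy/charts/external-secrets/templates/webhook-service.yaml
@@ -1,4 +1,3 @@
-{{- if .Values.webhook.enabled }}
 apiVersion: v1
 kind: Service
 metadata:
@@ -13,6 +12,9 @@ spec:
       targetPort: 9443
       protocol: TCP
       name: webhook
+    - port: {{ .Values.webhook.prometheus.service.port}}
+      targetPort: {{ .Values.webhook.prometheus.service.port}}
+      protocol: TCP
+      name: metrics
   selector:
-    {{- include "external-secrets.selectorLabels" . | nindent 4 }}
-{{- end }}
+    {{- include "external-secrets-webhook.selectorLabels" . | nindent 4 }}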
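Review bot: In the second hunk the metrics `targetPort` reuses `.Values.webhook.prometheus.service.port`, but the port the webhook container actually listens on is set by `--metrics-addr` (default `:8080` in webhook/main.go on this page), and the new `args:` in webhook-deployment.yaml does not pass that flag; for any value other than 8080 the Service targets a port nothing is bound to and scrapes fail. Either pin `targetPort: 8080` with a comment tying it to the flag default, or add `- --metrics-addr=:{{ .Values.webhook.prometheus.service.port }}` to the webhook Deployment so both sides derive from the same value. Minor: `{{ .Values.webhook.prometheus.service.port}}` is missing the space before `}}` that the rest of the template uses.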

+ 2 - 0
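--- a/e2e/Makefile
+++ b/e2e/Makefile
@@ -23,6 +23,8 @@ test: e2e-image ## Run e2e tests against current kube context
 		BUILD_ARGS="${BUILD_ARGS} --build-arg TARGETARCH=amd64 --build-arg TARGETOS=linux"
 	kind load docker-image --name="external-secrets" $(IMAGE_REGISTRY):$(VERSION)
 	kind load docker-image --name="external-secrets" $(E2E_IMAGE_REGISTRY):$(VERSION)
+	kind load docker-image --name="external-secrets-webhook" $(IMAGE_REGISTRY)-webhook:$(VERSION)
+	kind load docker-image --name="external-secrets-cert-controller" $(IMAGE_REGISTRY)-cert-controller:$(VERSION)
 	./run.sh
 
 test.managed: e2e-image ## Run e2e tests against current kube context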
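Review bot: `--name` on `kind load docker-image` is the kind cluster name, not a label for the image, so the two new lines address clusters called `external-secrets-webhook` and `external-secrets-cert-controller` instead of the `external-secrets` cluster the preceding lines load into; kind will report no such cluster and the webhook and cert-controller images never reach the nodes, leaving the chart install to pull from a registry or fail. Keep the cluster name fixed: `kind load docker-image --name="external-secrets" $(IMAGE_REGISTRY)-webhook:$(VERSION)` and `kind load docker-image --name="external-secrets" $(IMAGE_REGISTRY)-cert-controller:$(VERSION)`. The `test` recipe starts before this hunk.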
 
 
 test.managed: e2e-image ## Run e2e tests against current kube context
 test.managed: e2e-image ## Run e2e tests against current kube context

+ 0 - 1
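--- a/main.go
+++ b/main.go
@@ -40,7 +40,6 @@ var (
 
 const (
 	errCreateController = "unable to create controller"
-	errCreateWebhook    = "unable to create webhook"
 )
 
 func init() {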

BIN
webhook/bin/external-secrets-webhook-linux-amd64


BIN
webhook/bin/external-secrets-webhook-linux-arm64


+ 0 - 1
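--- a/webhook/certcontroller/main.go
+++ b/webhook/certcontroller/main.go
@@ -38,7 +38,6 @@ var (
 
 const (
 	errCreateController = "unable to create controller"
-	errCreateWebhook    = "unable to create webhook"
 )
 
 func init() {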

BIN
webhook/certcontrollerbin/external-secrets-cert-controller-linux-amd64


BIN
webhook/certcontrollerbin/external-secrets-cert-controller-linux-arm64


+ 6 - 3
webhook/main.go

@@ -37,8 +37,7 @@ var (
 )
 )
 
 
 const (
 const (
-	errCreateController = "unable to create controller"
-	errCreateWebhook    = "unable to create webhook"
+	errCreateWebhook = "unable to create webhook"
 )
 )
 
 
 func init() {
 func init() {
@@ -86,7 +85,11 @@ func main() {
 	var enableLeaderElection bool
 	var enableLeaderElection bool
 	var loglevel string
 	var loglevel string
 	var namespace string
 	var namespace string
+	var dnsName string
+	var certDir string
 	flag.StringVar(&metricsAddr, "metrics-addr", ":8080", "The address the metric endpoint binds to.")
 	flag.StringVar(&metricsAddr, "metrics-addr", ":8080", "The address the metric endpoint binds to.")
+	flag.StringVar(&dnsName, "dns-name", "localhost", "DNS name to validate certificates with")
+	flag.StringVar(&certDir, "cert-dir", "/tmp/k8s-webhook-server/serving-certs", "path to check for certs")
 	flag.StringVar(&loglevel, "loglevel", "info", "loglevel to use, one of: debug, info, warn, error, dpanic, panic, fatal")
 	flag.StringVar(&loglevel, "loglevel", "info", "loglevel to use, one of: debug, info, warn, error, dpanic, panic, fatal")
 	flag.BoolVar(&enableLeaderElection, "enable-leader-election", false,
 	flag.BoolVar(&enableLeaderElection, "enable-leader-election", false,
 		"Enable leader election for controller manager. "+
 		"Enable leader election for controller manager. "+
@@ -100,7 +103,7 @@ func main() {
 		setupLog.Error(err, "error unmarshalling loglevel")
 		setupLog.Error(err, "error unmarshalling loglevel")
 		os.Exit(1)
 		os.Exit(1)
 	}
 	}
-	go checkCerts("/tmp/k8s-webhook-server/serving-certs", "host.minikube.internal")
+	go checkCerts(certDir, dnsName)
 	logger := zap.New(zap.Level(lvl))
 	logger := zap.New(zap.Level(lvl))
 	ctrl.SetLogger(logger)
 	ctrl.SetLogger(logger)