diff --git a/deploy/cert-manager-desec-webhook/templates/_helpers.tpl b/deploy/cert-manager-desec-webhook/templates/_helpers.tpl index d3c474b..2da07e5 100644 --- a/deploy/cert-manager-desec-webhook/templates/_helpers.tpl +++ b/deploy/cert-manager-desec-webhook/templates/_helpers.tpl @@ -2,7 +2,7 @@ {{/* Expand the name of the chart. */}} -{{- define "example-webhook.name" -}} +{{- define "cert-manager-desec-webhook.name" -}} {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} {{- end -}} @@ -11,7 +11,7 @@ Create a default fully qualified app name. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). If release name contains chart name it will be used as a full name. */}} -{{- define "example-webhook.fullname" -}} +{{- define "cert-manager-desec-webhook.fullname" -}} {{- if .Values.fullnameOverride -}} {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} {{- else -}} 
@@ -27,22 +27,22 @@ If release name contains chart name it will be used as a full name. {{/* Create chart name and version as used by the chart label. */}} -{{- define "example-webhook.chart" -}} +{{- define "cert-manager-desec-webhook.chart" -}} {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} {{- end -}} -{{- define "example-webhook.selfSignedIssuer" -}} -{{ printf "%s-selfsign" (include "example-webhook.fullname" .) }} +{{- define "cert-manager-desec-webhook.selfSignedIssuer" -}} +{{ printf "%s-selfsign" (include "cert-manager-desec-webhook.fullname" .) }} {{- end -}} -{{- define "example-webhook.rootCAIssuer" -}} -{{ printf "%s-ca" (include "example-webhook.fullname" .) }} +{{- define "cert-manager-desec-webhook.rootCAIssuer" -}} +{{ printf "%s-ca" (include "cert-manager-desec-webhook.fullname" .) }} {{- end -}} -{{- define "example-webhook.rootCACertificate" -}} -{{ printf "%s-ca" (include "example-webhook.fullname" .) }} +{{- define "cert-manager-desec-webhook.rootCACertificate" -}} +{{ printf "%s-ca" (include "cert-manager-desec-webhook.fullname" .) }} {{- end -}} -{{- define "example-webhook.servingCertificate" -}} -{{ printf "%s-webhook-tls" (include "example-webhook.fullname" .) }} +{{- define "cert-manager-desec-webhook.servingCertificate" -}} +{{ printf "%s-webhook-tls" (include "cert-manager-desec-webhook.fullname" .) }} {{- end -}} diff --git a/deploy/cert-manager-desec-webhook/templates/apiservice.yaml b/deploy/cert-manager-desec-webhook/templates/apiservice.yaml index 4f6d5ce..85a0b33 100644 --- a/deploy/cert-manager-desec-webhook/templates/apiservice.yaml +++ b/deploy/cert-manager-desec-webhook/templates/apiservice.yaml 
@@ -3,17 +3,17 @@ kind: APIService metadata: name: v1alpha1.{{ .Values.groupName }} labels: - app: {{ include "example-webhook.name" . }} - chart: {{ include "example-webhook.chart" . }} + app: {{ include "cert-manager-desec-webhook.name" . }} + chart: {{ include "cert-manager-desec-webhook.chart" . }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} annotations: - cert-manager.io/inject-ca-from: "{{ .Release.Namespace }}/{{ include "example-webhook.servingCertificate" . }}" + cert-manager.io/inject-ca-from: "{{ .Release.Namespace }}/{{ include "cert-manager-desec-webhook.servingCertificate" . }}" spec: group: {{ .Values.groupName }} groupPriorityMinimum: 1000 versionPriority: 15 service: - name: {{ include "example-webhook.fullname" . }} + name: {{ include "cert-manager-desec-webhook.fullname" . }} namespace: {{ .Release.Namespace }} version: v1alpha1 diff --git a/deploy/cert-manager-desec-webhook/templates/deployment.yaml b/deploy/cert-manager-desec-webhook/templates/deployment.yaml index 057cc42..5e97429 100644 --- a/deploy/cert-manager-desec-webhook/templates/deployment.yaml +++ b/deploy/cert-manager-desec-webhook/templates/deployment.yaml 
@@ -1,26 +1,26 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: {{ include "example-webhook.fullname" . }} + name: {{ include "cert-manager-desec-webhook.fullname" . }} namespace: {{ .Release.Namespace | quote }} labels: - app: {{ include "example-webhook.name" . }} - chart: {{ include "example-webhook.chart" . }} + app: {{ include "cert-manager-desec-webhook.name" . }} + chart: {{ include "cert-manager-desec-webhook.chart" . }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} spec: replicas: {{ .Values.replicaCount }} selector: matchLabels: - app: {{ include "example-webhook.name" . }} + app: {{ include "cert-manager-desec-webhook.name" . }} release: {{ .Release.Name }} template: metadata: labels: - app: {{ include "example-webhook.name" . }} + app: {{ include "cert-manager-desec-webhook.name" . }} release: {{ .Release.Name }} spec: - serviceAccountName: {{ include "example-webhook.fullname" . }} + serviceAccountName: {{ include "cert-manager-desec-webhook.fullname" . }} containers: - name: {{ .Chart.Name }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" @@ -54,7 +54,7 @@ spec: volumes: - name: certs secret: - secretName: {{ include "example-webhook.servingCertificate" . }} + secretName: {{ include "cert-manager-desec-webhook.servingCertificate" . }} {{- with .Values.nodeSelector }} nodeSelector: {{ toYaml . | indent 8 }} diff --git a/deploy/cert-manager-desec-webhook/templates/pki.yaml b/deploy/cert-manager-desec-webhook/templates/pki.yaml index b4b4c23..8814352 100644 --- a/deploy/cert-manager-desec-webhook/templates/pki.yaml +++ b/deploy/cert-manager-desec-webhook/templates/pki.yaml 
@@ -4,11 +4,11 @@ apiVersion: cert-manager.io/v1 kind: Issuer metadata: - name: {{ include "example-webhook.selfSignedIssuer" . }} + name: {{ include "cert-manager-desec-webhook.selfSignedIssuer" . }} namespace: {{ .Release.Namespace | quote }} labels: - app: {{ include "example-webhook.name" . }} - chart: {{ include "example-webhook.chart" . }} + app: {{ include "cert-manager-desec-webhook.name" . }} + chart: {{ include "cert-manager-desec-webhook.chart" . }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} spec: @@ -20,19 +20,19 @@ spec: apiVersion: cert-manager.io/v1 kind: Certificate metadata: - name: {{ include "example-webhook.rootCACertificate" . }} + name: {{ include "cert-manager-desec-webhook.rootCACertificate" . }} namespace: {{ .Release.Namespace | quote }} labels: - app: {{ include "example-webhook.name" . }} - chart: {{ include "example-webhook.chart" . }} + app: {{ include "cert-manager-desec-webhook.name" . }} + chart: {{ include "cert-manager-desec-webhook.chart" . }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} spec: - secretName: {{ include "example-webhook.rootCACertificate" . }} + secretName: {{ include "cert-manager-desec-webhook.rootCACertificate" . }} duration: 43800h # 5y issuerRef: - name: {{ include "example-webhook.selfSignedIssuer" . }} - commonName: "ca.example-webhook.cert-manager" + name: {{ include "cert-manager-desec-webhook.selfSignedIssuer" . }} + commonName: "ca.cert-manager-desec-webhook.cert-manager" isCA: true --- 
@@ -41,16 +41,16 @@ spec: apiVersion: cert-manager.io/v1 kind: Issuer metadata: - name: {{ include "example-webhook.rootCAIssuer" . }} + name: {{ include "cert-manager-desec-webhook.rootCAIssuer" . }} namespace: {{ .Release.Namespace | quote }} labels: - app: {{ include "example-webhook.name" . }} - chart: {{ include "example-webhook.chart" . }} + app: {{ include "cert-manager-desec-webhook.name" . }} + chart: {{ include "cert-manager-desec-webhook.chart" . }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} spec: ca: - secretName: {{ include "example-webhook.rootCACertificate" . }} + secretName: {{ include "cert-manager-desec-webhook.rootCACertificate" . }} --- @@ -58,19 +58,19 @@ spec: apiVersion: cert-manager.io/v1 kind: Certificate metadata: - name: {{ include "example-webhook.servingCertificate" . }} + name: {{ include "cert-manager-desec-webhook.servingCertificate" . }} namespace: {{ .Release.Namespace | quote }} labels: - app: {{ include "example-webhook.name" . }} - chart: {{ include "example-webhook.chart" . }} + app: {{ include "cert-manager-desec-webhook.name" . }} + chart: {{ include "cert-manager-desec-webhook.chart" . }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} spec: - secretName: {{ include "example-webhook.servingCertificate" . }} + secretName: {{ include "cert-manager-desec-webhook.servingCertificate" . }} duration: 8760h # 1y issuerRef: - name: {{ include "example-webhook.rootCAIssuer" . }} + name: {{ include "cert-manager-desec-webhook.rootCAIssuer" . }} dnsNames: - - {{ include "example-webhook.fullname" . }} - - {{ include "example-webhook.fullname" . }}.{{ .Release.Namespace }} - - {{ include "example-webhook.fullname" . }}.{{ .Release.Namespace }}.svc + - {{ include "cert-manager-desec-webhook.fullname" . }} + - {{ include "cert-manager-desec-webhook.fullname" . }}.{{ .Release.Namespace }} + - {{ include "cert-manager-desec-webhook.fullname" . }}.{{ .Release.Namespace }}.svc 
diff --git a/deploy/cert-manager-desec-webhook/templates/rbac.yaml b/deploy/cert-manager-desec-webhook/templates/rbac.yaml index 605fcf5..564bf0c 100644 --- a/deploy/cert-manager-desec-webhook/templates/rbac.yaml +++ b/deploy/cert-manager-desec-webhook/templates/rbac.yaml @@ -1,11 +1,11 @@ apiVersion: v1 kind: ServiceAccount metadata: - name: {{ include "example-webhook.fullname" . }} + name: {{ include "cert-manager-desec-webhook.fullname" . }} namespace: {{ .Release.Namespace | quote }} labels: - app: {{ include "example-webhook.name" . }} - chart: {{ include "example-webhook.chart" . }} + app: {{ include "cert-manager-desec-webhook.name" . }} + chart: {{ include "cert-manager-desec-webhook.chart" . }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} --- @@ -15,11 +15,11 @@ metadata: apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: {{ include "example-webhook.fullname" . }}:webhook-authentication-reader + name: {{ include "cert-manager-desec-webhook.fullname" . }}:webhook-authentication-reader namespace: kube-system labels: - app: {{ include "example-webhook.name" . }} - chart: {{ include "example-webhook.chart" . }} + app: {{ include "cert-manager-desec-webhook.name" . }} + chart: {{ include "cert-manager-desec-webhook.chart" . }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} roleRef: @@ -29,7 +29,7 @@ roleRef: subjects: - apiGroup: "" kind: ServiceAccount - name: {{ include "example-webhook.fullname" . }} + name: {{ include "cert-manager-desec-webhook.fullname" . }} namespace: {{ .Release.Namespace }} --- # apiserver gets the auth-delegator role to delegate auth decisions to 
@@ -37,10 +37,10 @@ subjects: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: {{ include "example-webhook.fullname" . }}:auth-delegator + name: {{ include "cert-manager-desec-webhook.fullname" . }}:auth-delegator labels: - app: {{ include "example-webhook.name" . }} - chart: {{ include "example-webhook.chart" . }} + app: {{ include "cert-manager-desec-webhook.name" . }} + chart: {{ include "cert-manager-desec-webhook.chart" . }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} roleRef: @@ -50,17 +50,17 @@ roleRef: subjects: - apiGroup: "" kind: ServiceAccount - name: {{ include "example-webhook.fullname" . }} + name: {{ include "cert-manager-desec-webhook.fullname" . }} namespace: {{ .Release.Namespace }} --- # Grant cert-manager permission to validate using our apiserver apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: {{ include "example-webhook.fullname" . }}:domain-solver + name: {{ include "cert-manager-desec-webhook.fullname" . }}:domain-solver labels: - app: {{ include "example-webhook.name" . }} - chart: {{ include "example-webhook.chart" . }} + app: {{ include "cert-manager-desec-webhook.name" . }} + chart: {{ include "cert-manager-desec-webhook.chart" . }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} rules: 
@@ -74,16 +74,16 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: {{ include "example-webhook.fullname" . }}:domain-solver + name: {{ include "cert-manager-desec-webhook.fullname" . }}:domain-solver labels: - app: {{ include "example-webhook.name" . }} - chart: {{ include "example-webhook.chart" . }} + app: {{ include "cert-manager-desec-webhook.name" . }} + chart: {{ include "cert-manager-desec-webhook.chart" . }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: {{ include "example-webhook.fullname" . }}:domain-solver + name: {{ include "cert-manager-desec-webhook.fullname" . }}:domain-solver subjects: - apiGroup: "" kind: ServiceAccount diff --git a/deploy/cert-manager-desec-webhook/templates/service.yaml b/deploy/cert-manager-desec-webhook/templates/service.yaml index a76ddc7..5e5afe0 100644 --- a/deploy/cert-manager-desec-webhook/templates/service.yaml +++ b/deploy/cert-manager-desec-webhook/templates/service.yaml @@ -1,11 +1,11 @@ apiVersion: v1 kind: Service metadata: - name: {{ include "example-webhook.fullname" . }} + name: {{ include "cert-manager-desec-webhook.fullname" . }} namespace: {{ .Release.Namespace | quote }} labels: - app: {{ include "example-webhook.name" . }} - chart: {{ include "example-webhook.chart" . }} + app: {{ include "cert-manager-desec-webhook.name" . }} + chart: {{ include "cert-manager-desec-webhook.chart" . }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} spec: @@ -16,5 +16,5 @@ spec: protocol: TCP name: https selector: - app: {{ include "example-webhook.name" . }} + app: {{ include "cert-manager-desec-webhook.name" . }} release: {{ .Release.Name }} diff --git a/solver/solver.go b/solver/solver.go index 80c7eb3..37075b8 100644 --- a/solver/solver.go +++ b/solver/solver.go 
@@ -18,8 +18,7 @@ import (
 type DeSECDNSProviderSolverConfig struct {
 	// Reference to the kubernetes secret containing the API token for deSEC
 	APIKeySecretRef v1.SecretKeySelector `json:"apiKeySecretRef"`
-	// Reference to the kubernetes namespace containing the secret
-	APIKeySecretRefNamespace string `json:"apiKeySecretRefNamespace"`
+	// A global namespace (e.g APIKeySecretRefNamespace is not required, because ClusterIssuer provides the cert-manager namespace as default value for global issuers)
 }
 
 // A DNS-01 challenge solver for the DeSEC DNS Provider
@@ -35,6 +34,7 @@ func (s *DeSECDNSProviderSolver) Name() string {
 
 // Initializes a new client
 func (s *DeSECDNSProviderSolver) getClient(config *apiextensionsv1.JSON, namespace string) (*desec.Client, error) {
+	// Check if configuration is empty or was not parsed
 	if config == nil {
 		return nil, fmt.Errorf("missing configuration in issuer found; webhook configuration requires apiKeySecretRef containing deSEC API token")
 	}
@@ -43,12 +43,6 @@ func (s *DeSECDNSProviderSolver) getClient(config *apiextensionsv1.JSON, namespa
 	if err := json.Unmarshal(config.Raw, &solverConfig); err != nil {
 		return nil, fmt.Errorf("invalid configuration in issuer found; webhook configuration requires apiKeySecretRef containing deSEC API token")
 	}
-	// Check if the namespace has been provided within the configuration
-	// Otherwise use the namespace from the request
-	if solverConfig.APIKeySecretRefNamespace != "" {
-		fmt.Sprintf("k8s secret namespace has been overwritten in webhook configuration apiKeySecretRefNamespace from %s to %s", namespace, solverConfig.APIKeySecretRefNamespace)
-		namespace = solverConfig.APIKeySecretRefNamespace
-	}
 	// Check if the k8s client has been initialized
 	// This should never happen as cert-manager calls s.Initialize() which assigns the k8s client
 	if s.k8s == nil {
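Review bot: The line added inside DeSECDNSProviderSolverConfig is a comment with no field beneath it, and its wording ("A global namespace (e.g APIKeySecretRefNamespace is not required …") reads as if it still documents the field this hunk removes. Since the struct now carries only apiKeySecretRef, the comment should say where the secret's namespace comes from instead, e.g. `// No namespace field: the secret is resolved in the namespace cert-manager hands to getClient with the request, so an Issuer cannot reference secrets outside that namespace.` The statement that ClusterIssuer supplies the cert-manager namespace comes from the commit rather than from code visible here, so keep it only if it has been checked against the webhook contract. Dropping the override is a sensible tightening in itself: the removed `namespace = solverConfig.APIKeySecretRefNamespace` let a namespaced Issuer point the solver at a secret in an arbitrary namespace.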
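Review bot: With the field gone, the `json.Unmarshal(config.Raw, &solverConfig)` call on this hunk's first line silently drops an `apiKeySecretRefNamespace` key that existing Issuer configs may still carry, so a deployment that relied on the override presumably now looks the secret up in the request namespace and fails later with a less specific error rather than at parse time. Rejecting unknown keys makes the removal visible to operators: `dec := json.NewDecoder(bytes.NewReader(config.Raw))`, `dec.DisallowUnknownFields()`, `if err := dec.Decode(&solverConfig); err != nil {` (needs a `bytes` import if the file does not already have one); at minimum the removed field should be called out in the chart documentation. The error returned on the following context line also discards `err`; wrapping it with `%w` would make a decode failure diagnosable without changing the message. getClient continues past the end of this hunk.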