{{- $caBundle := .Values.controlPlane.tls.general.caBundle }} {{/* Generate certificates see: https://masterminds.github.io/sprig/crypto.html see: https://medium.com/nuvo-group-tech/move-your-certs-to-helm-4f5f61338aca see: https://github.com/networkservicemesh/networkservicemesh/blob/804ad5026bb5dbd285c220f15395fe25e46f5edb/deployments/helm/nsm/charts/admission-webhook/templates/admission-webhook-secret.tpl We only autogenerate certs if user did not chose their own secret. We only autogenerate certs if the cert is not yet generated. This way we keep the secrets between HELM upgrades. */}} {{- if eq .Values.controlPlane.tls.general.secretName "" -}} {{- $cert := "" }} {{- $key := "" }} {{- $secretName := print (include "kuma.name" .) "-tls-cert" }} {{- $secret := (lookup "v1" "Secret" .Release.Namespace $secretName) -}} {{- if $secret -}} {{- $cert = index $secret.data "tls.crt" -}} {{- $key = index $secret.data "tls.key" -}} {{- $caBundle = index $secret.data "ca.crt" -}} {{- else -}} {{- $commonName := (include "kuma.controlPlane.serviceName" .) -}} {{- $altNames := list (printf "%s.%s" $commonName .Release.Namespace) (printf "%s.%s.svc" $commonName .Release.Namespace) -}} {{- $certTTL := 3650 -}} {{- $ca := genCA "kuma-ca" $certTTL -}} {{- $genCert := genSignedCert $commonName nil $altNames $certTTL $ca -}} {{- $cert = $genCert.Cert | b64enc -}} {{- $key = $genCert.Key | b64enc -}} {{ $caBundle = $ca.Cert | b64enc }} {{- end -}} --- apiVersion: v1 kind: Secret type: kubernetes.io/tls metadata: name: {{ $secretName }} namespace: {{ .Release.Namespace }} labels: {{- include "kuma.labels" . | nindent 4 }} data: tls.crt: {{ $cert }} tls.key: {{ $key }} ca.crt: {{ $caBundle }} {{- end }} --- apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: name: {{ include "kuma.name" . }}-admission-mutating-webhook-configuration namespace: {{ .Release.Namespace }} labels: {{ include "kuma.labels" . | nindent 4 }} webhooks: - name: mesh.defaulter.kuma-admission.kuma.io admissionReviewVersions: ["v1"] failurePolicy: Fail clientConfig: caBundle: {{ $caBundle }} service: namespace: {{ .Release.Namespace }} name: {{ include "kuma.controlPlane.serviceName" . }} path: /default-kuma-io-v1alpha1-mesh rules: - apiGroups: - kuma.io apiVersions: - v1alpha1 operations: - CREATE - UPDATE resources: - meshes sideEffects: None - name: owner-reference.kuma-admission.kuma.io admissionReviewVersions: ["v1"] failurePolicy: Fail clientConfig: caBundle: {{ $caBundle }} service: namespace: {{ .Release.Namespace }} name: {{ include "kuma.controlPlane.serviceName" . }} path: /owner-reference-kuma-io-v1alpha1 rules: - apiGroups: - kuma.io apiVersions: - v1alpha1 operations: - CREATE resources: - circuitbreakers - externalservices - faultinjections - healthchecks - retries - proxytemplates - ratelimits - trafficlogs - trafficpermissions - trafficroutes - traffictraces - virtualoutbounds {{ .Values.controlPlane.webhooks.ownerReference.additionalRules | nindent 6 }} sideEffects: None - name: namespace-kuma-injector.kuma.io admissionReviewVersions: ["v1"] failurePolicy: {{ .Values.controlPlane.injectorFailurePolicy }} namespaceSelector: matchLabels: kuma.io/sidecar-injection: enabled clientConfig: caBundle: {{ $caBundle }} service: namespace: {{ .Release.Namespace }} name: {{ include "kuma.controlPlane.serviceName" . }} path: /inject-sidecar rules: - apiGroups: - "" apiVersions: - v1 operations: - CREATE resources: - pods sideEffects: None - name: pods-kuma-injector.kuma.io admissionReviewVersions: ["v1"] failurePolicy: {{ .Values.controlPlane.injectorFailurePolicy }} objectSelector: matchLabels: kuma.io/sidecar-injection: enabled clientConfig: caBundle: {{ $caBundle }} service: namespace: {{ .Release.Namespace }} name: {{ include "kuma.controlPlane.serviceName" . }} path: /inject-sidecar rules: - apiGroups: - "" apiVersions: - v1 operations: - CREATE resources: - pods sideEffects: None - name: kuma-injector.kuma.io admissionReviewVersions: ["v1"] failurePolicy: Ignore {{/* Failure policy is hardcoded as Ignore because any other mode will cause CP to be unable to start after all instances are down */}} clientConfig: caBundle: {{ $caBundle }} service: namespace: {{ .Release.Namespace }} name: {{ include "kuma.controlPlane.serviceName" . }} path: /inject-sidecar rules: - apiGroups: - "" apiVersions: - v1 operations: - CREATE resources: - pods sideEffects: None --- apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: name: {{ include "kuma.name" . }}-validating-webhook-configuration namespace: {{ .Release.Namespace }} labels: {{ include "kuma.labels" . | nindent 4 }} webhooks: - name: validator.kuma-admission.kuma.io admissionReviewVersions: ["v1"] failurePolicy: Fail clientConfig: caBundle: {{ $caBundle }} service: namespace: {{ .Release.Namespace }} name: {{ include "kuma.controlPlane.serviceName" . }} path: /validate-kuma-io-v1alpha1 rules: - apiGroups: - kuma.io apiVersions: - v1alpha1 operations: - CREATE - UPDATE - DELETE resources: - circuitbreakers - dataplanes - externalservices - faultinjections - healthchecks - retries - meshes - proxytemplates - ratelimits - trafficlogs - trafficpermissions - trafficroutes - traffictraces - virtualoutbounds - zones {{ .Values.controlPlane.webhooks.validator.additionalRules | nindent 6 }} sideEffects: None - name: service.validator.kuma-admission.kuma.io admissionReviewVersions: ["v1"] failurePolicy: Ignore clientConfig: caBundle: {{ $caBundle }} service: namespace: {{ .Release.Namespace }} name: {{ include "kuma.controlPlane.serviceName" . }} path: /validate-v1-service rules: - apiGroups: - "" apiVersions: - v1 operations: - CREATE - UPDATE resources: - services sideEffects: None - name: secret.validator.kuma-admission.kuma.io admissionReviewVersions: ["v1"] namespaceSelector: matchLabels: kuma.io/system-namespace: "true" failurePolicy: Ignore clientConfig: caBundle: {{ $caBundle }} service: namespace: {{ .Release.Namespace }} name: {{ include "kuma.controlPlane.serviceName" . }} path: /validate-v1-secret rules: - apiGroups: - "" apiVersions: - v1 operations: - CREATE - UPDATE - DELETE resources: - secrets sideEffects: None