diff --git a/config/crd/patches/cainjection_in_ingressclassparams.yaml b/config/certmanager/cainjection_in_ingressclassparams_patch.yaml
similarity index 67%
rename from config/crd/patches/cainjection_in_ingressclassparams.yaml
rename to config/certmanager/cainjection_in_ingressclassparams_patch.yaml
index d0fc2a0b22..c29da01068 100644
--- a/config/crd/patches/cainjection_in_ingressclassparams.yaml
+++ b/config/certmanager/cainjection_in_ingressclassparams_patch.yaml
@@ -4,5 +4,6 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + # `default` and `serving-cert` may be substituted by kustomize + cert-manager.io/inject-ca-from: default/serving-cert name: ingressclassparams.elbv2.k8s.aws
diff --git a/config/crd/patches/cainjection_in_targetgroupbindings.yaml b/config/certmanager/cainjection_in_targetgroupbindings_patch.yaml
similarity index 67%
rename from config/crd/patches/cainjection_in_targetgroupbindings.yaml
rename to config/certmanager/cainjection_in_targetgroupbindings_patch.yaml
index 76353eb800..55845355e7 100644
--- a/config/crd/patches/cainjection_in_targetgroupbindings.yaml
+++ b/config/certmanager/cainjection_in_targetgroupbindings_patch.yaml
@@ -4,5 +4,6 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + # `default` and `serving-cert` may be substituted by kustomize + cert-manager.io/inject-ca-from: default/serving-cert name: targetgroupbindings.elbv2.k8s.aws
diff --git a/config/certmanager/certificate.yaml b/config/certmanager/certificate.yaml
index 78ccadc538..1984131e56 100644
--- a/config/certmanager/certificate.yaml
+++ b/config/certmanager/certificate.yaml
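Review bot: `default/serving-cert` in the new annotation is a valid reference in its own right, so if this component is ever built without the `replacements` in config/default/kustomization.yaml, cainjector will resolve it to a Certificate named `serving-cert` in the `default` namespace and copy that CA into the CRD's conversion-webhook `caBundle`. The comment's "may be substituted" understates that dependency; I would make it `# placeholder only: rewritten to <namespace>/<certificate name> by the replacements in config/default/kustomization.yaml; never apply this component standalone`. The same applies to cainjection_in_targetgroupbindings_patch.yaml and to the inline webhook-configuration patch in config/certmanager/kustomization.yaml.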
@@ -14,10 +14,10 @@ kind: Certificate metadata: name: serving-cert # this name should match the one appeared in kustomizeconfig.yaml spec: - # $(SERVICE_NAME) and $(SERVICE_NAMESPACE) will be substituted by kustomize + # `webhook-service` and `default` may be substituted by kustomize dnsNames: - - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc - - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local + - webhook-service.default.svc + - webhook-service.default.svc.cluster.local issuerRef: kind: Issuer name: selfsigned-issuer
diff --git a/config/certmanager/kustomization.yaml b/config/certmanager/kustomization.yaml
index 95f333f3f7..3ebe62a26c 100644
--- a/config/certmanager/kustomization.yaml
+++ b/config/certmanager/kustomization.yaml
@@ -1,5 +1,21 @@
-resources: - - certificate.yaml - +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component configurations: - kustomizeconfig.yaml +resources: + - certificate.yaml +patches: + # patches here are for enabling the CA injection for each CRD + - path: cainjection_in_targetgroupbindings_patch.yaml + - path: cainjection_in_ingressclassparams_patch.yaml + # This patch add annotation to admission webhook config, `default` and + # `serving-cert` may be substituted by kustomize + - target: + kind: (MutatingWebhookConfiguration|ValidatingWebhookConfiguration) + patch: |- + apiVersion: admissionregistration.k8s.io/v1 + kind: dummy + metadata: + name: webhook + annotations: + cert-manager.io/inject-ca-from: default/serving-cert
diff --git a/config/certmanager/kustomizeconfig.yaml b/config/certmanager/kustomizeconfig.yaml
index d58c4f20c2..3e23b40da8 100644
--- a/config/certmanager/kustomizeconfig.yaml
+++ b/config/certmanager/kustomizeconfig.yaml
@@ -1,4 +1,4 @@
-# This configuration is for teaching kustomize how to update name ref and var substitution +# This configuration is for teaching kustomize how to update name ref nameReference: - kind: Issuer group: cert-manager.io
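Review bot: the replacements that now populate the Certificate rewrite only `spec.dnsNames.*`, whereas the `varReference` being dropped from config/certmanager/kustomizeconfig.yaml also covered `spec/commonName`; if certificate.yaml still sets a `commonName` built from `$(SERVICE_NAME)`/`$(SERVICE_NAMESPACE)` (the rest of the spec is outside this hunk), that value is now emitted literally and the certificate would be issued with an unsubstituted subject. Please check the remainder of the file and either remove `commonName` or add a matching replacement. The new comment should also say who fills the values in: `# placeholders: the Service name and namespace are substituted by the replacements in config/default/kustomization.yaml`.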
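Review bot: the inline patch's `target` selects on `kind` only, so every MutatingWebhookConfiguration and ValidatingWebhookConfiguration that ends up in the build receives `cert-manager.io/inject-ca-from` and has its `caBundle` overwritten with this controller's CA, including any unrelated admission webhook a downstream overlay adds. Scoping the target to the controller's own objects avoids that: add `name: webhook` under `target:` (kustomize matches patch targets against the name before `namePrefix`, as far as I know, so the un-prefixed name is the one to use). The `kind: dummy` in the patch body is fine once the target is explicit, but a one-line comment saying the kind is deliberately overridden by `target` would save the next reader a search.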
@@ -6,11 +6,3 @@ nameReference: - kind: Certificate group: cert-manager.io path: spec/issuerRef/name - -varReference: - - kind: Certificate - group: cert-manager.io - path: spec/commonName - - kind: Certificate - group: cert-manager.io - path: spec/dnsNames
diff --git a/config/controller/controller.yaml b/config/controller/controller.yaml
index 9dc62eab2b..be44303800 100644
--- a/config/controller/controller.yaml
+++ b/config/controller/controller.yaml
@@ -2,24 +2,14 @@ apiVersion: v1 kind: ServiceAccount metadata: name: controller - labels: - app.kubernetes.io/component: controller --- apiVersion: apps/v1 kind: Deployment metadata: name: controller - labels: - app.kubernetes.io/component: controller spec: - selector: - matchLabels: - app.kubernetes.io/component: controller replicas: 1 template: - metadata: - labels: - app.kubernetes.io/component: controller spec: containers: - name: controller
@@ -34,6 +24,16 @@ spec: requests: cpu: 100m memory: 200Mi + ports: + - containerPort: 9443 + name: webhook + protocol: TCP + - containerPort: 8080 + name: metrics + protocol: TCP + - containerPort: 61779 + name: healthprobe + protocol: TCP livenessProbe: failureThreshold: 2 httpGet:
@@ -44,4 +44,4 @@ spec: timeoutSeconds: 10 terminationGracePeriodSeconds: 10 priorityClassName: system-cluster-critical - serviceAccountName: controller
\ No newline at end of file
+ serviceAccountName: controller
diff --git a/config/controller/kustomization.yaml b/config/controller/kustomization.yaml
index 3d85e498b4..4d0a11086a 100644
--- a/config/controller/kustomization.yaml
+++ b/config/controller/kustomization.yaml
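Review bot: with `spec.selector` and the pod-template labels removed, controller.yaml is no longer a valid apps/v1 Deployment on its own (`selector` is required) and only renders correctly through config/controller/kustomization.yaml, whose new `commonLabels` re-adds `app.kubernetes.io/component: controller` to the selector, the template and the ServiceAccount. Nothing in this file records that coupling; I would add at the top of the Deployment document `# spec.selector and pod labels are injected via commonLabels in kustomization.yaml; do not apply this file directly`. Anyone who applies the file with plain kubectl for debugging gets an API-server rejection instead of a hint, so the comment is cheap insurance.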
@@ -1,11 +1,12 @@
-resources: -- controller.yaml -patchesStrategicMerge: -- iam_for_sa_patch.yaml -- security_context_patch.yaml - apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization +commonLabels: + app.kubernetes.io/component: controller +resources: +- controller.yaml +patches: +- path: iam_for_sa_patch.yaml +- path: security_context_patch.yaml images: - name: controller newName: public.ecr.aws/eks/aws-load-balancer-controller
diff --git a/config/crd/kustomization.yaml b/config/crd/kustomization.yaml
index 80942b54a0..578cb2244d 100644
--- a/config/crd/kustomization.yaml
+++ b/config/crd/kustomization.yaml
@@ -1,3 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +# the following config is for teaching kustomize how to do kustomization for CRDs. +configurations: + - kustomizeconfig.yaml + # This kustomization.yaml is not intended to be run by itself, # since it depends on service name and namespace that are out of this kustomize package. # It should be run by config/default
@@ -5,20 +12,3 @@ resources: - bases/elbv2.k8s.aws_targetgroupbindings.yaml - bases/elbv2.k8s.aws_ingressclassparams.yaml # +kubebuilder:scaffold:crdkustomizeresource - -patchesStrategicMerge: -# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix. -# patches here are for enabling the conversion webhook for each CRD -#- patches/webhook_in_targetgroupbindings.yaml -#- patches/webhook_in_ingressclassparams.yaml -# +kubebuilder:scaffold:crdkustomizewebhookpatch - -# [CERTMANAGER] To enable webhook, uncomment all the sections with [CERTMANAGER] prefix. -# patches here are for enabling the CA injection for each CRD -#- patches/cainjection_in_targetgroupbindings.yaml -#- patches/cainjection_in_ingressclassparams.yaml -# +kubebuilder:scaffold:crdkustomizecainjectionpatch - -# the following config is for teaching kustomize how to do kustomization for CRDs. -configurations: - - kustomizeconfig.yaml
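Review bot: `commonLabels` applies the label to selectors as well as to metadata, which is what makes the removal of `spec.selector` from controller.yaml work, but it is deprecated in recent kustomize releases in favour of `labels:` with `includeSelectors: true`, and because Deployment selectors are immutable any later edit to this label set forces a delete/recreate of the controller. The rendered label is the same `app.kubernetes.io/component: controller` the base used to carry inline, so the output should be unchanged; I would record the constraint next to the key: `# also written into selectors (immutable on the Deployment); changing it requires recreating the controller`.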
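Review bot: the retained comment `# since it depends on service name and namespace that are out of this kustomize package` is now stale: the conversion-webhook and CA-injection patches that referenced the Service have moved to the webhook and certmanager components, so this package no longer refers to any Service. Either drop those two comment lines or reword them to `# It should be run by config/default, which supplies the components that patch these CRDs`. The removed `+kubebuilder:scaffold:crdkustomizewebhookpatch` and `+kubebuilder:scaffold:crdkustomizecainjectionpatch` markers are, I believe, what kubebuilder's scaffolding looks for when a new API is added; if the project still relies on `kubebuilder create api`, their absence will break or silently skip that wiring, which is worth a sentence in the PR description.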
diff --git a/config/crd/kustomizeconfig.yaml b/config/crd/kustomizeconfig.yaml
index e9cda71241..c279bc9318 100644
--- a/config/crd/kustomizeconfig.yaml
+++ b/config/crd/kustomizeconfig.yaml
@@ -1,4 +1,4 @@
-# This file is for teaching kustomize how to substitute name and namespace reference in CRD +# This file is for teaching kustomize how to modify name and namespace references in CRD nameReference: - kind: Service version: v1
@@ -12,6 +12,3 @@ namespace: group: apiextensions.k8s.io path: spec/conversion/webhookClientConfig/service/namespace create: false - -varReference: - - path: metadata/annotations
diff --git a/config/crd/patches/webhook_in_ingressclassparams.yaml b/config/crd/patches/webhook_in_ingressclassparams.yaml
deleted file mode 100644
index 9862733b51..0000000000
--- a/config/crd/patches/webhook_in_ingressclassparams.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-# The following patch enables conversion webhook for CRD
-# CRD conversion requires k8s 1.13 or later.
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- name: ingressclassparams.elbv2.k8s.aws
-spec:
- conversion:
- strategy: Webhook
- webhookClientConfig:
- # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank,
- # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager)
- caBundle: Cg==
- service:
- name: webhook-service
- path: /convert
diff --git a/config/crd/patches/webhook_in_targetgroupbindings.yaml b/config/crd/patches/webhook_in_targetgroupbindings.yaml
deleted file mode 100644
index 24e7415c47..0000000000
--- a/config/crd/patches/webhook_in_targetgroupbindings.yaml
+++ /dev/null
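Review bot: the `namespace` fieldspec kept in the second hunk, `spec/conversion/webhookClientConfig/service/namespace`, is the apiextensions v1beta1 layout, while the new conversion patches (config/webhook/ingressclassparams_patch.yaml and targetgroupbindings_patch.yaml) write the v1 layout `spec.conversion.webhook.clientConfig.service.namespace` with a hard-coded `namespace: default`. Nothing in this diff declares a namespace fieldspec for the v1 path: the hunk in config/webhook/kustomizeconfig.yaml adds only the `nameReference` entry for `spec/conversion/webhook/clientConfig/service/name`. Unless the kustomize version in use ships a built-in namespace fieldspec for that path (recent releases do, I believe), the rendered CRDs keep `namespace: default` and the API server would direct conversion requests for this controller's CRDs at whatever `webhook-service` exists in `default` instead of the controller's namespace. The one-line fix here is `path: spec/conversion/webhook/clientConfig/service/namespace`, and the `nameReference` entry for the Service name above this hunk very likely needs the same v1 path; either way, verify with a rendered `kustomize build config/default` that the CRDs come out with the kube-system namespace.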
@@ -1,16 +0,0 @@
-# The following patch enables conversion webhook for CRD
-# CRD conversion requires k8s 1.13 or later.
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- name: targetgroupbindings.elbv2.k8s.aws
-spec:
- conversion:
- strategy: Webhook
- webhookClientConfig:
- # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank,
- # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager)
- caBundle: Cg==
- service:
- name: webhook-service
- path: /convert
diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml
index 9f7cbfe993..640f247289 100644
--- a/config/default/kustomization.yaml
+++ b/config/default/kustomization.yaml
@@ -1,3 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + # Adds namespace to all resources. namespace: kube-system
@@ -12,54 +15,90 @@ namePrefix: aws-load-balancer- commonLabels: app.kubernetes.io/name: aws-load-balancer-controller -bases: +resources: - ../crd - ../rbac - ../controller - # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in - # crd/kustomization.yaml + # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. + #- ../prometheus + +components: + # To disable the conversion webhook, comment out this component - ../webhook - # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. 'WEBHOOK' components are required. + # To disable cert-manager comment out the following line, the 'webhook' component is required - ../certmanager -# [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. -#- ../prometheus - -patchesStrategicMerge: - # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in - # crd/kustomization.yaml - - controller_webhook_patch.yaml - - # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. - # Uncomment 'CERTMANAGER' sections in crd/kustomization.yaml to enable the CA injection in the admission webhooks. - # 'CERTMANAGER' needs to be enabled to use ca injection - - webhookcainjection_patch.yaml -# the following config is for teaching kustomize how to do var substitution -vars: - # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix. - - name: CERTIFICATE_NAMESPACE # namespace of the certificate CR - objref: +replacements: + # The following patches adds a directive for certmanager to inject CA into the CRD + # CRD conversion requires k8s 1.13 or later. 
+ - source: kind: Certificate - group: cert-manager.io - version: v1 - name: serving-cert # this name should match the one in certificate.yaml - fieldref: - fieldpath: metadata.namespace - - name: CERTIFICATE_NAME - objref: + fieldPath: metadata.namespace + targets: + - select: + kind: CustomResourceDefinition + fieldPaths: + - metadata.annotations.[cert-manager.io/inject-ca-from] + options: + delimiter: / + - select: + kind: MutatingWebhookConfiguration + fieldPaths: + - metadata.annotations.[cert-manager.io/inject-ca-from] + options: + delimiter: / + - select: + kind: ValidatingWebhookConfiguration + fieldPaths: + - metadata.annotations.[cert-manager.io/inject-ca-from] + options: + delimiter: / + - source: kind: Certificate - group: cert-manager.io - version: v1 - name: serving-cert # this name should match the one in certificate.yaml - - name: SERVICE_NAMESPACE # namespace of the service - objref: + fieldPath: metadata.name + targets: + - select: + kind: CustomResourceDefinition + fieldPaths: + - metadata.annotations.[cert-manager.io/inject-ca-from] + options: + delimiter: / + index: 1 + - select: + kind: MutatingWebhookConfiguration + fieldPaths: + - metadata.annotations.[cert-manager.io/inject-ca-from] + options: + delimiter: / + index: 1 + - select: + kind: ValidatingWebhookConfiguration + fieldPaths: + - metadata.annotations.[cert-manager.io/inject-ca-from] + options: + delimiter: / + index: 1 + # Patch dnsNames in webhook Service + - source: kind: Service - version: v1 - name: webhook-service - fieldref: - fieldpath: metadata.namespace - - name: SERVICE_NAME - objref: + fieldPath: metadata.name + targets: + - select: + kind: Certificate + name: serving-cert + fieldPaths: + - spec.dnsNames.* + options: + delimiter: . + - source: kind: Service - version: v1 - name: webhook-service + fieldPath: metadata.namespace + targets: + - select: + kind: Certificate + name: serving-cert + fieldPaths: + - spec.dnsNames.* + options: + delimiter: . + index: 1 
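Review bot: the comment `# To disable the conversion webhook, comment out this component` is misleading: the `../webhook` component also carries manifests.yaml with the pod, service, ingress, IngressClassParams and TargetGroupBinding admission webhooks plus controller_webhook_patch.yaml, so commenting it out silently removes admission validation for those objects, not just CRD conversion. Reword it to `# Provides the admission and CRD conversion webhooks; the controller is not functional without it`. Separately, the four `source:` selectors match on `kind` alone; kustomize requires a replacement source to resolve to exactly one resource (as far as I know), so adding a second Service or Certificate to the build, a metrics Service for instance, would break the build with an ambiguous-source error rather than pick the intended one. Pinning `name: serving-cert` and `name: webhook-service` on the respective sources makes the intent explicit and the failure mode obvious.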
diff --git a/config/default/webhookcainjection_patch.yaml b/config/default/webhookcainjection_patch.yaml
deleted file mode 100644
index dfdb6f0cb9..0000000000
--- a/config/default/webhookcainjection_patch.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-# This patch add annotation to admission webhook config and
-# the variables $(CERTIFICATE_NAMESPACE) and $(CERTIFICATE_NAME) will be substituted by kustomize.
-apiVersion: admissionregistration.k8s.io/v1
-kind: MutatingWebhookConfiguration
-metadata:
- name: webhook
- annotations:
- cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
----
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
-metadata:
- name: webhook
- annotations:
- cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
diff --git a/config/prometheus/kustomization.yaml b/config/prometheus/kustomization.yaml
index d556b996a2..6387aa209f 100644
--- a/config/prometheus/kustomization.yaml
+++ b/config/prometheus/kustomization.yaml
@@ -1,2 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization resources: - monitor.yaml
diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml
index 90fb2c61f1..ad10900254 100644
--- a/config/rbac/kustomization.yaml
+++ b/config/rbac/kustomization.yaml
@@ -1,3 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization resources: - role.yaml - role_binding.yaml
diff --git a/config/default/controller_webhook_patch.yaml b/config/webhook/controller_webhook_patch.yaml
similarity index 100%
rename from config/default/controller_webhook_patch.yaml
rename to config/webhook/controller_webhook_patch.yaml
diff --git a/config/webhook/ingressclassparams_patch.yaml b/config/webhook/ingressclassparams_patch.yaml
new file mode 100644
index 0000000000..5ef882dad8
--- /dev/null
+++ b/config/webhook/ingressclassparams_patch.yaml
@@ -0,0 +1,17 @@
+# The following patch enables conversion webhook for CRD
+# CRD conversion requires k8s 1.13 or later.
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: ingressclassparams.elbv2.k8s.aws
+spec:
+ conversion:
+ strategy: Webhook
+ webhook:
+ clientConfig:
+ # `caBundle` should be filled in by cert-manager (or potentially a patch if not using cert-manager)
+ service:
+ namespace: default
+ name: webhook-service
+ path: /convert
+ conversionReviewVersions: ["v1", "v1beta1"]
diff --git a/config/webhook/kustomization.yaml b/config/webhook/kustomization.yaml
index 20d98aca4c..27d5c23f6c 100644
--- a/config/webhook/kustomization.yaml
+++ b/config/webhook/kustomization.yaml
@@ -1,11 +1,18 @@
-resources: - - manifests.yaml - - service.yaml +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component configurations: - kustomizeconfig.yaml -patchesStrategicMerge: - - pod_mutator_patch.yaml - - service_mutator_patch.yaml - - ingressclassparams_validator_patch.yaml +resources: + - manifests.yaml + - service.yaml + +patches: + - path: pod_mutator_patch.yaml + - path: service_mutator_patch.yaml + - path: ingressclassparams_validator_patch.yaml + - path: controller_webhook_patch.yaml + # patches here are for enabling the conversion webhook for each CRD + - path: targetgroupbindings_patch.yaml + - path: ingressclassparams_patch.yaml
diff --git a/config/webhook/kustomizeconfig.yaml b/config/webhook/kustomizeconfig.yaml
index 5e35ba0995..a0ac8db564 100644
--- a/config/webhook/kustomizeconfig.yaml
+++ b/config/webhook/kustomizeconfig.yaml
@@ -1,4 +1,4 @@
-# the following config is for teaching kustomize where to look at when substituting vars. +# the following config is for teaching kustomize where to look at when modifing fields. # It requires kustomize v2.1.0 or newer to work properly. nameReference: - kind: Service
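Review bot: `# CRD conversion requires k8s 1.13 or later.` was carried over from the deleted v1beta1 patch and is wrong for this file: `apiextensions.k8s.io/v1` with `spec.conversion.webhook.clientConfig` exists only from Kubernetes 1.16, so the line should read `# CRD conversion via apiextensions.k8s.io/v1 requires k8s 1.16 or later.`. Leaving `caBundle` out is the right choice for v1 (the `Cg==` placeholder the old patch needed is no longer required), and until cainjector fills it in the API server has no CA to verify the webhook's serving certificate against, so conversion requests should fail rather than be served by an unverified endpoint; stating that in the comment would make the intended trust chain explicit. The hard-coded `namespace: default` depends on a kustomize namespace fieldspec for the v1 path, which this diff does not add (see the note on config/crd/kustomizeconfig.yaml). The same three points apply to config/webhook/targetgroupbindings_patch.yaml.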
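Review bot: typo in the rewritten comment, `modifing` should be `modifying`, i.e. `# the following config is for teaching kustomize where to look at when modifying fields.`. The following context line `# It requires kustomize v2.1.0 or newer to work properly.` is also out of date now that this file is consumed by a `Component`, which I believe needs kustomize v3.7 or later (and the `replacements` in config/default/kustomization.yaml need v4.x); updating the version note in the same pass would keep the two statements consistent.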
@@ -10,6 +10,9 @@ nameReference: - kind: ValidatingWebhookConfiguration group: admissionregistration.k8s.io path: webhooks/clientConfig/service/name + - group: apiextensions.k8s.io + kind: CustomResourceDefinition + path: spec/conversion/webhook/clientConfig/service/name namespace: - kind: MutatingWebhookConfiguration
@@ -20,6 +23,3 @@ namespace: group: admissionregistration.k8s.io path: webhooks/clientConfig/service/namespace create: true - -varReference: - - path: metadata/annotations
diff --git a/config/webhook/manifests.yaml b/config/webhook/manifests.yaml
index 00793b4707..f22643c94c 100644
--- a/config/webhook/manifests.yaml
+++ b/config/webhook/manifests.yaml
@@ -9,7 +9,6 @@ webhooks: clientConfig: service: name: webhook-service - namespace: system path: /mutate-v1-pod failurePolicy: Ignore name: mpod.elbv2.k8s.aws
@@ -28,7 +27,6 @@ webhooks: clientConfig: service: name: webhook-service - namespace: system path: /mutate-v1-service failurePolicy: Fail name: mservice.elbv2.k8s.aws
@@ -47,7 +45,6 @@ webhooks: clientConfig: service: name: webhook-service - namespace: system path: /mutate-elbv2-k8s-aws-v1beta1-targetgroupbinding failurePolicy: Fail name: mtargetgroupbinding.elbv2.k8s.aws
@@ -73,7 +70,6 @@ webhooks: clientConfig: service: name: webhook-service - namespace: system path: /validate-elbv2-k8s-aws-v1beta1-ingressclassparams failurePolicy: Fail name: vingressclassparams.elbv2.k8s.aws
@@ -93,7 +89,6 @@ webhooks: clientConfig: service: name: webhook-service - namespace: system path: /validate-elbv2-k8s-aws-v1beta1-targetgroupbinding failurePolicy: Fail name: vtargetgroupbinding.elbv2.k8s.aws
@@ -113,7 +108,6 @@ webhooks: clientConfig: service: name: webhook-service - namespace: system path: /validate-networking-v1-ingress failurePolicy: Fail matchPolicy: Equivalent
diff --git a/config/webhook/targetgroupbindings_patch.yaml b/config/webhook/targetgroupbindings_patch.yaml
new file mode 100644
index 0000000000..ecd8ce67d9
--- /dev/null
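Review bot: dropping `namespace: system` from each `clientConfig.service` in manifests.yaml is cosmetic as far as the build goes, because the `webhooks/clientConfig/service/namespace` fieldspec retained in config/webhook/kustomizeconfig.yaml has `create: true` and the namespace transformer writes the value whether or not it is already present. If manifests.yaml is generated by controller-gen (the `/mutate-v1-pod` and `/validate-elbv2-k8s-aws-v1beta1-...` paths suggest it), the next regeneration will put `namespace: system` back and reintroduce exactly this churn; in that case a header comment such as `# generated by controller-gen; do not hand-edit` at the top of the file (outside these hunks) would be more useful than the manual removal, and the six hunks could be dropped from this PR.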
+++ b/config/webhook/targetgroupbindings_patch.yaml
@@ -0,0 +1,17 @@
+# The following patch enables conversion webhook for CRD
+# CRD conversion requires k8s 1.13 or later.
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: targetgroupbindings.elbv2.k8s.aws
+spec:
+ conversion:
+ strategy: Webhook
+ webhook:
+ clientConfig:
+ # `caBundle` should be filled in by cert-manager (or potentially a patch if not using cert-manager)
+ service:
+ namespace: default
+ name: webhook-service
+ path: /convert
+ conversionReviewVersions: ["v1", "v1beta1"]