Migrate away from deprecated kustomize features

config/crd/patches/cainjection_in_ingressclassparams.yaml → config/certmanager/cainjection_in_ingressclassparams_patch.yaml

@@ -4,5 +4,6 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
+    # `default` and `serving-cert` may be substituted by kustomize
+    cert-manager.io/inject-ca-from: default/serving-cert
   name: ingressclassparams.elbv2.k8s.aws

config/crd/patches/cainjection_in_targetgroupbindings.yaml → config/certmanager/cainjection_in_targetgroupbindings_patch.yaml

@@ -4,5 +4,6 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
+    # `default` and `serving-cert` may be substituted by kustomize
+    cert-manager.io/inject-ca-from: default/serving-cert
   name: targetgroupbindings.elbv2.k8s.aws

config/certmanager/certificate.yaml

@@ -14,10 +14,10 @@ kind: Certificate
 metadata:
   name: serving-cert # this name should match the one appeared in kustomizeconfig.yaml
 spec:
-  # $(SERVICE_NAME) and $(SERVICE_NAMESPACE) will be substituted by kustomize
+  # `webhook-service` and `default` may be substituted by kustomize
   dnsNames:
-    - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc
-    - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local
+    - webhook-service.default.svc
+    - webhook-service.default.svc.cluster.local
   issuerRef:
     kind: Issuer
     name: selfsigned-issuer

config/certmanager/kustomization.yaml

@@ -1,5 +1,21 @@
-resources:
-  - certificate.yaml
-
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
 configurations:
   - kustomizeconfig.yaml
+resources:
+  - certificate.yaml
+patches:
+  # patches here are for enabling the CA injection for each CRD
+  - path: cainjection_in_targetgroupbindings_patch.yaml
+  - path: cainjection_in_ingressclassparams_patch.yaml
+  # This patch add annotation to admission webhook config, `default` and
+  # `serving-cert` may be substituted by kustomize
+  - target:
+      kind: (MutatingWebhookConfiguration|ValidatingWebhookConfiguration)
+    patch: |-
+      apiVersion: admissionregistration.k8s.io/v1
+      kind: dummy
+      metadata:
+        name: webhook
+        annotations:
+          cert-manager.io/inject-ca-from: default/serving-cert

config/certmanager/kustomizeconfig.yaml

@@ -1,16 +1,8 @@
-# This configuration is for teaching kustomize how to update name ref and var substitution
+# This configuration is for teaching kustomize how to update name ref
 nameReference:
   - kind: Issuer
     group: cert-manager.io
     fieldSpecs:
       - kind: Certificate
         group: cert-manager.io
         path: spec/issuerRef/name
-
-varReference:
-  - kind: Certificate
-    group: cert-manager.io
-    path: spec/commonName
-  - kind: Certificate
-    group: cert-manager.io
-    path: spec/dnsNames

config/controller/controller.yaml

@@ -2,24 +2,14 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: controller
-  labels:
-    app.kubernetes.io/component: controller
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: controller
-  labels:
-    app.kubernetes.io/component: controller
 spec:
-  selector:
-    matchLabels:
-      app.kubernetes.io/component: controller
   replicas: 1
   template:
-    metadata:
-      labels:
-        app.kubernetes.io/component: controller
     spec:
       containers:
         - name: controller
@@ -34,6 +24,16 @@ spec:
             requests:
               cpu: 100m
               memory: 200Mi
+          ports:
+            - containerPort: 9443
+              name: webhook
+              protocol: TCP
+            - containerPort: 8080
+              name: metrics
+              protocol: TCP
+            - containerPort: 61779
+              name: healthprobe
+              protocol: TCP
           livenessProbe:
             failureThreshold: 2
             httpGet:
@@ -44,4 +44,4 @@ spec:
             timeoutSeconds: 10
       terminationGracePeriodSeconds: 10
       priorityClassName: system-cluster-critical
-      serviceAccountName: controller
+      serviceAccountName: controller

config/controller/kustomization.yaml

@@ -1,11 +1,12 @@
-resources:
-- controller.yaml
-patchesStrategicMerge:
-- iam_for_sa_patch.yaml
-- security_context_patch.yaml
-
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
+commonLabels:
+  app.kubernetes.io/component: controller
+resources:
+- controller.yaml
+patches:
+- path: iam_for_sa_patch.yaml
+- path: security_context_patch.yaml
 images:
 - name: controller
   newName: public.ecr.aws/eks/aws-load-balancer-controller

config/crd/kustomization.yaml

@@ -1,24 +1,14 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+# the following config is for teaching kustomize how to do kustomization for CRDs.
+configurations:
+  - kustomizeconfig.yaml
+
 # This kustomization.yaml is not intended to be run by itself,
 # since it depends on service name and namespace that are out of this kustomize package.
 # It should be run by config/default
 resources:
   - bases/elbv2.k8s.aws_targetgroupbindings.yaml
   - bases/elbv2.k8s.aws_ingressclassparams.yaml
 # +kubebuilder:scaffold:crdkustomizeresource
-
-patchesStrategicMerge:
-# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix.
-# patches here are for enabling the conversion webhook for each CRD
-#- patches/webhook_in_targetgroupbindings.yaml
-#- patches/webhook_in_ingressclassparams.yaml
-# +kubebuilder:scaffold:crdkustomizewebhookpatch
-
-# [CERTMANAGER] To enable webhook, uncomment all the sections with [CERTMANAGER] prefix.
-# patches here are for enabling the CA injection for each CRD
-#- patches/cainjection_in_targetgroupbindings.yaml
-#- patches/cainjection_in_ingressclassparams.yaml
-# +kubebuilder:scaffold:crdkustomizecainjectionpatch
-
-# the following config is for teaching kustomize how to do kustomization for CRDs.
-configurations:
-  - kustomizeconfig.yaml

config/crd/kustomizeconfig.yaml

@@ -1,4 +1,4 @@
-# This file is for teaching kustomize how to substitute name and namespace reference in CRD
+# This file is for teaching kustomize how to modify name and namespace references in CRD
 nameReference:
   - kind: Service
     version: v1
@@ -12,6 +12,3 @@ namespace:
     group: apiextensions.k8s.io
     path: spec/conversion/webhookClientConfig/service/namespace
     create: false
-
-varReference:
-  - path: metadata/annotations

config/default/kustomization.yaml

@@ -1,3 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
 # Adds namespace to all resources.
 namespace: kube-system
 
@@ -12,54 +15,90 @@ namePrefix: aws-load-balancer-
 commonLabels:
   app.kubernetes.io/name: aws-load-balancer-controller
 
-bases:
+resources:
   - ../crd
   - ../rbac
   - ../controller
-  # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
-  # crd/kustomization.yaml
+  # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
+  #- ../prometheus
+
+components:
+  # To disable the conversion webhook, comment out this component
   - ../webhook
-  # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. 'WEBHOOK' components are required.
+  # To disable cert-manager comment out the following line, the 'webhook' component is required
   - ../certmanager
-# [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
-#- ../prometheus
-
-patchesStrategicMerge:
-  # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
-  # crd/kustomization.yaml
-  - controller_webhook_patch.yaml
-
-  # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'.
-  # Uncomment 'CERTMANAGER' sections in crd/kustomization.yaml to enable the CA injection in the admission webhooks.
-  # 'CERTMANAGER' needs to be enabled to use ca injection
-  - webhookcainjection_patch.yaml
 
-# the following config is for teaching kustomize how to do var substitution
-vars:
-  # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix.
-  - name: CERTIFICATE_NAMESPACE # namespace of the certificate CR
-    objref:
+replacements:
+  # The following patches adds a directive for certmanager to inject CA into the CRD
+  # CRD conversion requires k8s 1.13 or later.
+  - source:
       kind: Certificate
-      group: cert-manager.io
-      version: v1
-      name: serving-cert # this name should match the one in certificate.yaml
-    fieldref:
-      fieldpath: metadata.namespace
-  - name: CERTIFICATE_NAME
-    objref:
+      fieldPath: metadata.namespace
+    targets:
+      - select:
+          kind: CustomResourceDefinition
+        fieldPaths:
+          - metadata.annotations.[cert-manager.io/inject-ca-from]
+        options:
+          delimiter: /
+      - select:
+          kind: MutatingWebhookConfiguration
+        fieldPaths:
+          - metadata.annotations.[cert-manager.io/inject-ca-from]
+        options:
+          delimiter: /
+      - select:
+          kind: ValidatingWebhookConfiguration
+        fieldPaths:
+          - metadata.annotations.[cert-manager.io/inject-ca-from]
+        options:
+          delimiter: /
+  - source:
       kind: Certificate
-      group: cert-manager.io
-      version: v1
-      name: serving-cert # this name should match the one in certificate.yaml
-  - name: SERVICE_NAMESPACE # namespace of the service
-    objref:
+      fieldPath: metadata.name
+    targets:
+      - select:
+          kind: CustomResourceDefinition
+        fieldPaths:
+          - metadata.annotations.[cert-manager.io/inject-ca-from]
+        options:
+          delimiter: /
+          index: 1
+      - select:
+          kind: MutatingWebhookConfiguration
+        fieldPaths:
+          - metadata.annotations.[cert-manager.io/inject-ca-from]
+        options:
+          delimiter: /
+          index: 1
+      - select:
+          kind: ValidatingWebhookConfiguration
+        fieldPaths:
+          - metadata.annotations.[cert-manager.io/inject-ca-from]
+        options:
+          delimiter: /
+          index: 1
+  # Patch dnsNames in webhook Service
+  - source:
       kind: Service
-      version: v1
-      name: webhook-service
-    fieldref:
-      fieldpath: metadata.namespace
-  - name: SERVICE_NAME
-    objref:
+      fieldPath: metadata.name
+    targets:
+      - select:
+          kind: Certificate
+          name: serving-cert
+        fieldPaths:
+          - spec.dnsNames.*
+        options:
+          delimiter: .
+  - source:
       kind: Service
-      version: v1
-      name: webhook-service
+      fieldPath: metadata.namespace
+    targets:
+      - select:
+          kind: Certificate
+          name: serving-cert
+        fieldPaths:
+          - spec.dnsNames.*
+        options:
+          delimiter: .
+          index: 1

config/prometheus/kustomization.yaml

@@ -1,2 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
 resources:
   - monitor.yaml

config/rbac/kustomization.yaml

@@ -1,3 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
 resources:
   - role.yaml
   - role_binding.yaml