Merge pull request #1318 from mesosphere/hectorj2f/specify_properties…

…_certificate chore: make certain cert-manager properties configurable
kubernetes-retired · Nov 13, 2020 · 8a2f4a4 · 8a2f4a4
2 parents ac176c4 + 09fa192
commit 8a2f4a4
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 1 deletion.
diff --git a/charts/kubefed/README.md b/charts/kubefed/README.md
@@ -121,6 +121,10 @@ chart and their default values.
 | controllermanager.clusterHealthCheckTimeout          | Duration after which the cluster health check times out.                                                                                                                     | 3s                              |
 | controllermanager.syncController.adoptResources      | Whether to adopt pre-existing resource in member clusters.                                                                                                        		        | Enabled                         |
 | controllermanager.service.labels                     | Kubernetes labels attached to the controller manager's services                                                                                                       		    | {}                              |
+| controllermanager.certManager.enabled             | Specifies whether to enable the usage of the cert-manager for the certificates generation.                                                                                      | false                           |
+| controllermanager.certManager.rootCertificate.organizations       | Specifies the list of organizations to include in the cert-manager generated root certificate.                                                                  | []                              |
+| controllermanager.certManager.rootCertificate.commonName     | Specifies the CN value for the cert-manager generated root certificate.                                                                                              | ca.webhook.kubefed              |
+| controllermanager.certManager.rootCertificate.dnsNames       | Specifies the list of subject alternative names for the cert-manager generated root certificate.                                                                     | ["ca.webhook.kubefed"]          |
 | global.scope                   | Whether the KubeFed namespace will be the only target for the control plane.                                                                                                                       | Cluster                         |
 
 Specify each parameter using the `--set key=value[,key=value]` argument to

diff --git a/charts/kubefed/charts/controllermanager/templates/webhook.yaml b/charts/kubefed/charts/controllermanager/templates/webhook.yaml
@@ -169,7 +169,14 @@ spec:
   duration: 8760h # 1y
   issuerRef:
     name: {{ .Release.Name }}-ca-issuer
-  commonName: "ca.webhook.kubefed"
+  commonName: {{ .Values.certManager.rootCertificate.commonName }}
+{{- if .Values.certManager.rootCertificate.organizations }}
+  subject:
+    organizations:
+      {{- toYaml .Values.certManager.rootCertificate.organizations | nindent 4 }}
+{{- end }}
+  dnsNames:
+    {{- toYaml .Values.certManager.rootCertificate.dnsNames | nindent 4 }}
   isCA: true
 ---
 # Create an Issuer that uses the above generated CA certificate to issue certs

diff --git a/charts/kubefed/values.yaml b/charts/kubefed/values.yaml
@@ -74,6 +74,11 @@ controllermanager:
 
   certManager:
     enabled: false
+    rootCertificate:
+      organizations: []
+      dnsNames:
+        - ca.webhook.kubefed
+      commonName: ca.webhook.kubefed
 
   service:
     labels: {}