From 09fa19214c82c164c84e3941a21a1bf837b4c787 Mon Sep 17 00:00:00 2001
From: Hector Fernandez
Date: Fri, 13 Nov 2020 10:50:20 +0100
Subject: [PATCH] chore: make certain cert-manager properties configurable
Signed-off-by: Hector Fernandez
---
 charts/kubefed/README.md | 4 ++++
 .../charts/controllermanager/templates/webhook.yaml | 9 ++++++++-
 charts/kubefed/values.yaml | 5 +++++
 3 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/charts/kubefed/README.md b/charts/kubefed/README.md
index cbacf3f6ca..0956fc1281 100644
--- a/charts/kubefed/README.md
+++ b/charts/kubefed/README.md
@@ -121,6 +121,10 @@ chart and their default values.
 | controllermanager.clusterHealthCheckTimeout | Duration after which the cluster health check times out. | 3s |
 | controllermanager.syncController.adoptResources | Whether to adopt pre-existing resource in member clusters. | Enabled |
 | controllermanager.service.labels | Kubernetes labels attached to the controller manager's services | {} |
+| controllermanager.certManager.enabled | Specifies whether to enable the usage of the cert-manager for the certificates generation. | false |
+| controllermanager.certManager.rootCertificate.organizations | Specifies the list of organizations to include in the cert-manager generated root certificate. | [] |
+| controllermanager.certManager.rootCertificate.commonName | Specifies the CN value for the cert-manager generated root certificate. | ca.webhook.kubefed |
+| controllermanager.certManager.rootCertificate.dnsNames | Specifies the list of subject alternative names for the cert-manager generated root certificate. | ["ca.webhook.kubefed"] |
 | global.scope | Whether the KubeFed namespace will be the only target for the control plane. | Cluster |
 Specify each parameter using the `--set key=value[,key=value]` argument to
diff --git a/charts/kubefed/charts/controllermanager/templates/webhook.yaml b/charts/kubefed/charts/controllermanager/templates/webhook.yaml
index 64b5862d2c..00c3a7555d 100644
--- a/charts/kubefed/charts/controllermanager/templates/webhook.yaml
+++ b/charts/kubefed/charts/controllermanager/templates/webhook.yaml
@@ -169,7 +169,14 @@ spec:
 duration: 8760h # 1y
 issuerRef:
 name: {{ .Release.Name }}-ca-issuer
- commonName: "ca.webhook.kubefed"
+ commonName: {{ .Values.certManager.rootCertificate.commonName }}
+{{- if .Values.certManager.rootCertificate.organizations }}
+ subject:
+ organizations:
+ {{- toYaml .Values.certManager.rootCertificate.organizations | nindent 4 }}
+{{- end }}
+ dnsNames:
+ {{- toYaml .Values.certManager.rootCertificate.dnsNames | nindent 4 }}
 isCA: true
 ---
 # Create an Issuer that uses the above generated CA certificate to issue certs
diff --git a/charts/kubefed/values.yaml b/charts/kubefed/values.yaml
index 36f9786586..1a8a2f1f19 100644
--- a/charts/kubefed/values.yaml
+++ b/charts/kubefed/values.yaml
@@ -74,6 +74,11 @@ controllermanager:
 certManager:
 enabled: false
+ rootCertificate:
+ organizations: []
+ dnsNames:
+ - ca.webhook.kubefed
+ commonName: ca.webhook.kubefed
 service:
 labels: {}
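Review bot: The new `commonName: {{ .Values.certManager.rootCertificate.commonName }}` line in webhook.yaml drops the quoting that the replaced literal `"ca.webhook.kubefed"` had, so an empty override renders as null and a value that starts with a YAML indicator such as `*` fails to parse instead of reaching cert-manager as a string. Writing `commonName: {{ .Values.certManager.rootCertificate.commonName | quote }}` keeps it a string whatever the operator supplies. `dnsNames:` is also emitted unconditionally, unlike `subject.organizations`, so an override that clears the list renders an empty or null `dnsNames` on the `isCA: true` certificate; wrapping it in the same `{{- if .Values.certManager.rootCertificate.dnsNames }}` guard would be consistent. Because these values now set the subject of the webhook root CA, a one-line comment above `rootCertificate:` in values.yaml saying so would help operators. The Certificate spec starts above the hunk, so the indentation passed to `nindent 4` could not be checked against the surrounding keys.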