Why I can't find webhook related crd in helm install. #24

Closed
yxxchange opened this issue Aug 23, 2023 · 3 comments
Comments

@yxxchange

---
# Source: alidns-webhook/templates/rbac.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: release-name-alidns-webhook
  labels:
    app: alidns-webhook
    chart: alidns-webhook-0.7.0
    release: release-name
    heritage: Helm
---
# Source: alidns-webhook/templates/rbac.yaml
# Grant permissions to read secrets inside the cluster to allow to have issuer in another namespace than the webhook
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: release-name-alidns-webhook:secrets-reader
  labels:
    app: alidns-webhook
    chart: alidns-webhook-0.7.0
    release: release-name
    heritage: Helm
rules:
  - apiGroups:
      - ''
    resources:
      - 'secrets'
    verbs:
      - 'get'
---
# Source: alidns-webhook/templates/rbac.yaml
# Grant cert-manager permission to validate using our apiserver
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: release-name-alidns-webhook:domain-solver
  labels:
    app: alidns-webhook
    chart: alidns-webhook-0.7.0
    release: release-name
    heritage: Helm
rules:
  - apiGroups:
      - example.com
    resources:
      - '*'
    verbs:
      - 'create'
---
# Source: alidns-webhook/templates/rbac.yaml
# Bind the previously created role to the webhook service account to allow reading from secrets in all namespaces
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: release-name-alidns-webhook:secrets-reader
  labels:
    app: alidns-webhook
    chart: alidns-webhook-0.7.0
    release: release-name
    heritage: Helm
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: release-name-alidns-webhook:secrets-reader
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: release-name-alidns-webhook
    namespace: default
---
# Source: alidns-webhook/templates/rbac.yaml
# apiserver gets the auth-delegator role to delegate auth decisions to
# the core apiserver
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: release-name-alidns-webhook:auth-delegator
  labels:
    app: alidns-webhook
    chart: alidns-webhook-0.7.0
    release: release-name
    heritage: Helm
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: release-name-alidns-webhook
    namespace: default
---
# Source: alidns-webhook/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: release-name-alidns-webhook:domain-solver
  labels:
    app: alidns-webhook
    chart: alidns-webhook-0.7.0
    release: release-name
    heritage: Helm
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: release-name-alidns-webhook:domain-solver
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: cert-manager
    namespace: cert-manager
---
# Source: alidns-webhook/templates/rbac.yaml
# Grant the webhook permission to read the ConfigMap containing the Kubernetes
# apiserver's requestheader-ca-certificate.
# This ConfigMap is automatically created by the Kubernetes apiserver.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: release-name-alidns-webhook:webhook-authentication-reader
  namespace: kube-system
  labels:
    app: alidns-webhook
    chart: alidns-webhook-0.7.0
    release: release-name
    heritage: Helm
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: extension-apiserver-authentication-reader
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: release-name-alidns-webhook
    namespace: default
---
# Source: alidns-webhook/templates/service.yaml
apiVersion: v1
kind: Service
metadata:
  name: release-name-alidns-webhook
  labels:
    app: alidns-webhook
    chart: alidns-webhook-0.7.0
    release: release-name
    heritage: Helm
spec:
  type: ClusterIP
  ports:
    - port: 443
      targetPort: https
      protocol: TCP
      name: https
  selector:
    app: alidns-webhook
    release: release-name
---
# Source: alidns-webhook/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: release-name-alidns-webhook
  labels:
    app: alidns-webhook
    chart: alidns-webhook-0.7.0
    release: release-name
    heritage: Helm
spec:
  replicas:
  selector:
    matchLabels:
      app: alidns-webhook
      release: release-name
  template:
    metadata:
      labels:
        app: alidns-webhook
        release: release-name
    spec:
      serviceAccountName: release-name-alidns-webhook
      containers:
        - name: alidns-webhook
          image: "ghcr.io/devmachine-fr/cert-manager-alidns-webhook/cert-manager-alidns-webhook:0.2.0"
          imagePullPolicy: IfNotPresent
          args:
            - --tls-cert-file=/tls/tls.crt
            - --tls-private-key-file=/tls/tls.key
            - --secure-port=443
          env:
            - name: GROUP_NAME
              value: "example.com"
          ports:
            - name: https
              containerPort: 443
              protocol: TCP
          livenessProbe:
            httpGet:
              scheme: HTTPS
              path: /healthz
              port: https
          readinessProbe:
            httpGet:
              scheme: HTTPS
              path: /healthz
              port: https
          volumeMounts:
            - name: certs
              mountPath: /tls
              readOnly: true
          resources:
            {}

      volumes:
        - name: certs
          secret:
            secretName: release-name-alidns-webhook-webhook-tls
---
# Source: alidns-webhook/templates/apiservice.yaml
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
  name: v1alpha1.example.com
  labels:
    app: alidns-webhook
    chart: alidns-webhook-0.7.0
    release: release-name
    heritage: Helm
  annotations:
    cert-manager.io/inject-ca-from: "default/release-name-alidns-webhook-webhook-tls"
spec:
  group: example.com
  groupPriorityMinimum: 1000
  versionPriority: 15
  service:
    name: release-name-alidns-webhook
    namespace: default
  version: v1alpha1
---
# Source: alidns-webhook/templates/pki.yaml
# Generate a CA Certificate used to sign certificates for the webhook
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: release-name-alidns-webhook-ca
  namespace: "default"
  labels:
    app: alidns-webhook
    chart: alidns-webhook-0.7.0
    release: release-name
    heritage: Helm
spec:
  secretName: release-name-alidns-webhook-ca
  duration: 43800h0m0s # 5y
  issuerRef:
    name: release-name-alidns-webhook-selfsign
  commonName: "ca.alidns-webhook.cert-manager"
  isCA: true
---
# Source: alidns-webhook/templates/pki.yaml
# Finally, generate a serving certificate for the webhook to use
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: release-name-alidns-webhook-webhook-tls
  namespace: "default"
  labels:
    app: alidns-webhook
    chart: alidns-webhook-0.7.0
    release: release-name
    heritage: Helm
spec:
  secretName: release-name-alidns-webhook-webhook-tls
  duration: 8760h0m0s # 1y
  issuerRef:
    name: release-name-alidns-webhook-ca
  dnsNames:
  - release-name-alidns-webhook
  - release-name-alidns-webhook.default
  - release-name-alidns-webhook.default.svc
---
# Source: alidns-webhook/templates/pki.yaml
# Create a selfsigned Issuer, in order to create a root CA certificate for
# signing webhook serving certificates
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: release-name-alidns-webhook-selfsign
  namespace: "default"
  labels:
    app: alidns-webhook
    chart: alidns-webhook-0.7.0
    release: release-name
    heritage: Helm
spec:
  selfSigned: {}
---
# Source: alidns-webhook/templates/pki.yaml
# Create an Issuer that uses the above generated CA certificate to issue certs
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: release-name-alidns-webhook-ca
  namespace: "default"
  labels:
    app: alidns-webhook
    chart: alidns-webhook-0.7.0
    release: release-name
    heritage: Helm
spec:
  ca:
    secretName: release-name-alidns-webhook-ca

Helm installs a series of supporting resources for webhooks, but where is the webhook?

@olivierboudet
Collaborator

Not sure I correctly understand your question, but you have to install cert-manager first. (https://cert-manager.io/docs/installation/helm/#installing-with-helm)

@yxxchange
Author

Not sure I correctly understand your question, but you have to install cert-manager first. (https://cert-manager.io/docs/installation/helm/#installing-with-helm)

I have installed cert-manager, but I am not clear about the working principle of cert-manager-alidns-webhook. It seems that it does not register any webhook to my cluster. How does it work? Is the injected pod equivalent to a controller?

@olivierboudet
Collaborator

olivierboudet commented Aug 23, 2023

Did you create an Issuer? (https://github.com/DEVmachine-fr/cert-manager-alidns-webhook#create-an-issuer)
It is the issuer which instructs cert-manager to use the alidns-solver.
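
What the question is looking for is not a CRD or an admission webhook configuration: cert-manager DNS01 webhooks are aggregated API servers, and in the rendered output above the registration is the `APIService` `v1alpha1.example.com`, which points at the chart's Service and Deployment; an Issuer whose `dns01` solver uses `webhook.groupName: example.com` is what makes cert-manager call it. As an added example (not from the issue or the project), this script walks a constructed subset of those manifests with a minimal line-based parser, confirms no CRD or webhook configuration is present, and flags the cluster-wide Secrets grant that the chart comment explains.

```python
import re
# Constructed subset of the `helm template` output pasted above: the secrets-reader
# ClusterRole and the APIService that actually registers the solver.
RENDERED = """\
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: release-name-alidns-webhook:secrets-reader
rules:
  - apiGroups:
      - ''
    resources:
      - 'secrets'
    verbs:
      - 'get'
---
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
  name: v1alpha1.example.com
spec:
  group: example.com
  service:
    name: release-name-alidns-webhook
    namespace: default
"""

def field(doc, key, indent=0):
    # Scalar value of `key` at exactly `indent` spaces, or None (minimal parser, not full YAML).
    m = re.search(rf"^{' ' * indent}{key}:[ \t]*(.*)$", doc, re.M)
    return m.group(1).strip().strip("'\"") if m else None

def inventory(rendered):
    # Map kind -> names and collect what the manifests say about the webhook.
    kinds, notes = {}, []
    for doc in filter(str.strip, re.split(r"^---[ \t]*$", rendered, flags=re.M)):
        kind, name = field(doc, "kind"), field(doc, "name", 2)
        kinds.setdefault(kind, []).append(name)
        if kind == "APIService":  # DNS01 webhooks are aggregated API servers, not CRDs
            notes.append(f"solver group {field(doc, 'group', 2)} served by Service {field(doc, 'name', 4)}")
        if kind == "ClusterRole" and re.search(r"^\s+- '?secrets'?$", doc, re.M):
            notes.append(f"{name} can read Secrets in every namespace; prefer a namespaced Role where possible")
    return kinds, notes

def registers_crd_or_admission_webhook(kinds):
    # What the question expected to find; this chart registers neither kind of object.
    return any(k in kinds for k in ("CustomResourceDefinition",
                                    "ValidatingWebhookConfiguration", "MutatingWebhookConfiguration"))
```

Run it against the full `helm template` output to get the same inventory for every document the chart renders.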
