Add more flexibility on how to configure certificates for the admission controllers via helm chart #561

vasrem · 2023-12-15T13:01:07Z

The goal of this PR is to add more flexibility on certificates that can be consumed by SRIOV Network Operator when the Admission Controllers are enabled. In particular, this PR focuses mostly on Helm Chart advancements to enable the following 4 scenarios:

Use certificates that are part of an already created Secret
Create Secret with certificate information found in values.yaml
Use cert-manager Certificate resources that are already created externally
Create self signed cert-manager managed Certificate resources

Testing

I don't seem to find an existing place to add tests. Let me know if there is a place I can add tests. In the meantime, I did some manual tests.

Case 1

Setup:

sriov-network-operator/doc/quickstart.md

Lines 34 to 45 in 7582f30

    
           1. Create certificates for each of the two webhooks using a single CA whose cert you provide through an environment variable. 
        
              For example, given `cacert.pem`, `key.pem` and `cert.pem`: 
        
              ```bash 
        
              kubectl create ns sriov-network-operator 
        
              kubectl -n sriov-network-operator create secret tls operator-webhook-cert --cert=cert.pem --key=key.pem 
        
              kubectl -n sriov-network-operator create secret tls network-resources-injector-cert --cert=cert.pem --key=key.pem 
        
              export ADMISSION_CONTROLLERS__ENABLED=true 
        
              export ADMISSION_CONTROLLERS__CERTIFICATES__OPERATOR__CA_CRT=$(base64 -w 0 < cacert.pem) 
        
              export ADMISSION_CONTROLLERS__CERTIFICATES__INJECTOR__CA_CRT=$(base64 -w 0 < cacert.pem) 
        
              make deploy-setup-k8s 
        
              ```

Expect:

caBundle to be propagated correctly in webhooks configs
secrets to be mounted correctly in webhook servers

Case 2

Setup:

sriov-network-operator/doc/quickstart.md

Lines 47 to 95 in 7582f30

    
           2. Using https://cert-manager.io/, deploy it as: 
        
              ```bash 
        
              kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.3.0/cert-manager.yaml 
        
              ``` 
        
              Define the appropriate Issuer and Certificates, as an example: 
        
              ```bash 
        
              kubectl create ns sriov-network-operator 
        
              cat <<EOF | kubectl apply -f - 
        
              apiVersion: cert-manager.io/v1 
        
              kind: Issuer 
        
              metadata: 
        
                name: sriov-network-operator-selfsigned-issuer 
        
                namespace: sriov-network-operator 
        
              spec: 
        
                selfSigned: {} 
        
              --- 
        
              apiVersion: cert-manager.io/v1 
        
              kind: Certificate 
        
              metadata: 
        
                name: operator-webhook-cert 
        
                namespace: sriov-network-operator 
        
              spec: 
        
                secretName: operator-webhook-cert 
        
                dnsNames: 
        
                - operator-webhook-service.sriov-network-operator.svc 
        
                issuerRef: 
        
                  name: sriov-network-operator-selfsigned-issuer 
        
              --- 
        
              apiVersion: cert-manager.io/v1 
        
              kind: Certificate 
        
              metadata: 
        
                name: network-resources-injector-cert 
        
                namespace: sriov-network-operator 
        
              spec: 
        
                secretName: network-resources-injector-cert 
        
                dnsNames: 
        
                - network-resources-injector-service.sriov-network-operator.svc 
        
                issuerRef: 
        
                  name: sriov-network-operator-selfsigned-issuer 
        
              EOF 
        
              ``` 
        
               And then deploy the operator: 
        
               ```bash 
        
               export ADMISSION_CONTROLLERS__ENABLED=true 
        
               export ADMISSION_CONTROLLERS__CERTIFICATES__CERT_MANAGER__ENABLED=true 
        
               make deploy-setup-k8s 
        
               ```

Expect:

caBundle to be propagated correctly in webhooks configs
cert-manager annotation to exist in webhooks configs
secrets to be mounted correctly in webhook servers

Case 3

Create the following secret and setup helm release:

# Notice that the ca.crt is double base64 encoded so that it fits nicely in an environment variable.
$ cat <<EOF | kubectl apply -f -
---
apiVersion: v1
data:
  ca.crt: TFMwdExTMUNSVWRKVGlCRFJWSlVTVVpKUTBGVVJTMHRMUzB0Q2sxSlNVTXJSRU5EUVdWRFowRjNTVUpCWjBsU1FVeHNaWHA0UlhsVVpIcG9TM1YyY2pVNGFtcG1TV3QzUkZGWlNrdHZXa2xvZG1OT1FWRkZURUpSUVhjS1FVUkJaVVozTUhsTmVrVjVUVlJWZUUxVVJUVk5ha3BoUm5jd2VVNUVRWHBOVkZGNFRWUkZOVTFxU21GTlFVRjNaMmRGYVUxQk1FZERVM0ZIVTBsaU13cEVVVVZDUVZGVlFVRTBTVUpFZDBGM1oyZEZTMEZ2U1VKQlVVUkNOMmxoVEd4clNFRTJPRXhPYmtOQ2EwdHJVSEZITUcxYU4waEtWWEYzVFZaYVF6aEZDblZEZDNGWVpWUXlZV1l3WkdoSWREZFpRbEZMSzAxek4zbFhiemhpWnpGSFF6bGhWbko1YkUwMlkzQkRObFU0UW5CemVHUnhiSGtyZHl0b2RuRkJPVGtLZUhoQmRUVkJSRmhGYUdkU1ZuaHlkV1ozVUVzNE1VVlhUR0kxY1M5QlltZ3pOa04zYUdWUGIwRkVVblpHUzJWb1YwaFBLMlJwYTJoNFpUZDJTa2MxTmdvMWJFSkVNWGN4ZEdKUGNUSjBPWE4zT1V4WFRXRk5lRTl5T0VOT1ZITnFMMHN2VnpST1ZqUlRUalEzV1VoRE9VbDNNRFEyYzNadVVtZExVRUZTZEVoUENtcFNVRVpxTlZJMmIxbDVUMGxXU2pWWFdVcGlXSHBxZVV0YVF6WTRNWFkzWVV4VllXVkxPRE40TUhCS1VVRkVMMHhYTVROTUx6aEVTazB4Vkhsb1VtY0tURkZRTDNOa09YZEdiMlV4T0V0SGJHSmxOVlF5YzB0cmIzaG5TRWh5V2poamJFcDVkRU5FTW5Jd2RIUnJkRTF3UVdkTlFrRkJSMnBpVkVKeVRVRTBSd3BCTVZWa1JIZEZRaTkzVVVWQmQwbEdiMFJCVFVKblRsWklVazFDUVdZNFJVRnFRVUZOUlhOSFFURlZaRVZSUlVJdmQxSkNUVVFyUTFCWE5XeGtTR1IyQ21OdGMzUmpiVlo2WWpOV2VWa3lWbnBNVjJ4MVlXMVdhbVJIT1hsTVdFNXNZMjVhY0ZreVZYVmpNMHB3WWpOWmRHSnRWakJrTWpsNVlYa3hkbU5IVm5rS1dWaFNkbU5wTlhwa2JVMTNSRkZaU2t0dldrbG9kbU5PUVZGRlRFSlJRVVJuWjBWQ1FVZzRWMWRxTDFaWVRXaEpZM05hTHk5eGMwY3hWRXRaY2xkTUx3cEJNemhHTkM5VFRHeHhRa1l6VGpVellrVjNUMVZHVUZGbU4xZGFTa056WnpNMlNVUjFaMmhpV2tnM1EzazNXRWh5VjNSM01GaEJOM0ZKWVdJemIwZFZDa1JtZVRNd2NVazFZVFY2VjBRMk5rNVZlR1JUZEZGdlpIazNUM28yWVdwd1RUTmtPRTV2ZW1sWlpVWjJhaThyVEdoWWNqa3pRVGxNY1hsdFFrNHpVMmNLV1cxd2QxRXpUV2gwTUV4R1R6RlVVa3BXZGtrMFEwRjBhWE5pZDFwR2NsUnFPRzkzU1hSR1ZVTkdWalJxVFRsTGFEYzViMUpNVUUxUWNqaHFRVk5VUmdwdFZXeGhhVWhxYzBSWFZUWmpVVXB4TTJsblFXbHNXSG8zVTFjME1rczROa2hhTjNnd1MyaFJOMHQ0YnpGTGN6TjRSMWd4TlhwbVJFZEpWM1l2T1ZvMkNtRlRjekJSYXpWS1pXbDBiVGROZGxsWGVYZFFURkJRTDI1M01TdElSbm9yVHpadE1WTkVWSHB2VFdSTFJrMVJSSE5KYms1UVJuWm5kMHhCUFFvdExTMHRMVVZPUkNCRFJWSlVTVVpKUTBGVVJTMHRMUzB0Q2c9PQ==
  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUMrRENDQWVDZ0F3SUJBZ0lSQUxsZXp4RXlUZHpoS3V2cjU4ampmSWt3RFFZSktvWklodmNOQVFFTEJRQXcKQURBZUZ3MHlNekV5TVRVeE1URTVNakphRncweU5EQXpNVFF4TVRFNU1qSmFNQUF3Z2dFaU1BMEdDU3FHU0liMwpEUUVCQVFVQUE0SUJEd0F3Z2dFS0FvSUJBUURCN2lhTGxrSEE2OExObkNCa0trUHFHMG1aN0hKVXF3TVZaQzhFCnVDd3FYZVQyYWYwZGhIdDdZQlFLK01zN3lXbzhiZzFHQzlhVnJ5bE02Y3BDNlU4QnBzeGRxbHkrdytodnFBOTkKeHhBdTVBRFhFaGdSVnhydWZ3UEs4MUVXTGI1cS9BYmgzNkN3aGVPb0FEUnZGS2VoV0hPK2Rpa2h4ZTd2Skc1Ngo1bEJEMXcxdGJPcTJ0OXN3OUxXTWFNeE9yOENOVHNqL0svVzROVjRTTjQ3WUhDOUl3MDQ2c3ZuUmdLUEFSdEhPCmpSUEZqNVI2b1l5T0lWSjVXWUpiWHpqeUtaQzY4MXY3YUxVYWVLODN4MHBKUUFEL0xXMTNMLzhESk0xVHloUmcKTFFQL3NkOXdGb2UxOEtHbGJlNVQyc0trb3hnSEhyWjhjbEp5dENEMnIwdHRrdE1wQWdNQkFBR2piVEJyTUE0RwpBMVVkRHdFQi93UUVBd0lGb0RBTUJnTlZIUk1CQWY4RUFqQUFNRXNHQTFVZEVRRUIvd1JCTUQrQ1BXNWxkSGR2CmNtc3RjbVZ6YjNWeVkyVnpMV2x1YW1WamRHOXlMWE5sY25acFkyVXVjM0pwYjNZdGJtVjBkMjl5YXkxdmNHVnkKWVhSdmNpNXpkbU13RFFZSktvWklodmNOQVFFTEJRQURnZ0VCQUg4V1dqL1ZYTWhJY3NaLy9xc0cxVEtZcldMLwpBMzhGNC9TTGxxQkYzTjUzYkV3T1VGUFFmN1daSkNzZzM2SUR1Z2hiWkg3Q3k3WEhyV3R3MFhBN3FJYWIzb0dVCkRmeTMwcUk1YTV6V0Q2Nk5VeGRTdFFvZHk3T3o2YWpwTTNkOE5vemlZZUZ2ai8rTGhYcjkzQTlMcXltQk4zU2cKWW1wd1EzTWh0MExGTzFUUkpWdkk0Q0F0aXNid1pGclRqOG93SXRGVUNGVjRqTTlLaDc5b1JMUE1QcjhqQVNURgptVWxhaUhqc0RXVTZjUUpxM2lnQWlsWHo3U1c0Mks4NkhaN3gwS2hRN0t4bzFLczN4R1gxNXpmREdJV3YvOVo2CmFTczBRazVKZWl0bTdNdllXeXdQTFBQL253MStIRnorTzZtMVNEVHpvTWRLRk1RRHNJbk5QRnZnd0xBPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
  tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBd2U0bWk1WkJ3T3ZDelp3Z1pDcEQ2aHRKbWV4eVZLc0RGV1F2Qkxnc0tsM2s5bW45CkhZUjdlMkFVQ3ZqTE84bHFQRzROUmd2V2xhOHBUT25LUXVsUEFhYk1YYXBjdnNQb2I2Z1BmY2NRTHVRQTF4SVkKRVZjYTduOER5dk5SRmkyK2F2d0c0ZCtnc0lYanFBQTBieFNub1ZoenZuWXBJY1h1N3lSdWV1WlFROWNOYld6cQp0cmZiTVBTMWpHak1UcS9BalU3SS95djF1RFZlRWplTzJCd3ZTTU5PT3JMNTBZQ2p3RWJSem8wVHhZK1VlcUdNCmppRlNlVm1DVzE4NDhpbVF1dk5iKzJpMUduaXZOOGRLU1VBQS95MXRkeS8vQXlUTlU4b1VZQzBELzdIZmNCYUgKdGZDaHBXM3VVOXJDcEtNWUJ4NjJmSEpTY3JRZzlxOUxiWkxUS1FJREFRQUJBb0lCQVFDRkZka1A3Qks5d1UyVAphclJ6Nk9sb2pFZHJRVytJbVQ5cGU3SWtxL3RySzdxSVBGNCsxbjhqUU9FZ1VuS3VXZC8xRHBVL1g3cG9TS2V3Cko3VHRURTB5MWZQang1a1VOVCthK0p1QTlvNHRqN3pmMjRQMnltOHFBckpvb2FnZzcwMkEvK245TWttRk9xenIKeXhBd3R0ei9CY09Ram1oVnpBN1h3SW1zLzhkUGRkNldNSG5ONU1hM3pZUU8yY2tZS3c4V0ZWV0pTcVgzS2tKcwo4YWY3VkJGUmNHZXVBT2phWXlXTkljK2NMcnpRYldneEVwc1haTW85QkJiMjhnb0VVSTZTSHkzS1k4TUpVM2pOCm1EN2tRN1ltRVVkL1ZWb05OUkhmQkRFeHZiV3Y2U3BFOHQzSXFtcDdlTzY0dEl2aW02VmVXRXRYRkRXWnJ5ZVkKclF2MHdNMzlBb0dCQVB3RFJSQUV3cjRTSmRiRW1OVldCdktmZEtsWS9xNytGa0d3SUpRREg5cFB1TkxQdHZwWgpwcDZZdXRKUTBOczdyZmZFOTJ3MlpYOVJpUG1LcUdjand3ZVJnTHV6MzlqWllGUzVGSi9kTWFBemhhdHhGSTcxCm03cHB1UGNjQTYxVHp6ejVNbUdJb0tNTVYzWUlVOWxQd0lINjJsMXJTd0l4OHArRjNZUHlSWlREQW9HQkFNVC8Kb09zbUZWbWN0d1YyTEJMbGxDbmdzSXVjeGNWRExHZDF6UVgrZ2tkL01WbzVxTTNBaWdUSjRkR0xnZzNGOWFyYgplbDU5RUJZYlJldjFrSUE1eTMyYjN1eHVIaTF4K0VvWWdod1lXMWY2MUI1WWJxTGZ2M1lETDMzWmI2SUpUZGZvCkRHUzVVd3poUnhjZDRBNlhRMFY5QmRLUlFYaGsxdFVIaVIzWktNbWpBb0dBTWx2VTZTYUtZOERzbnNZYVpFY1UKakZjZzBOWmZ6a2duMm1oL21oUWx3Vkk4OUtOZFJSbTFHZXdiS1B2TlFJSGtlYVo2YXIxVCt1VW9JZlY3UVdEOApELzhiWW1iSFRHWGp3Z3BaL0xnT3VweVJFWGsvU25INTlINDczK1ZSTnNtUWwvYVVBcmx5b0NKUE45N2lJb0sxClRVUDdicitKOVo1VmhWc1NzTk13NUZFQ2dZRUF0VFZmVkc2SG5SS20yQU5IcjJvMnkvNis1dTJpamoyb0R0TXgKY0o0WVFLUWpSWmRjUzBjY3JpTDE4Y2FlTHdVMVlhRGFBeWlQTDRhTzN1blhyZHQ3NzJMOXdBWGJCSHFkcGFxOQpwQkpUazY1S2lFOVlGY0l6WDk2MlJORkorb2NNYjlvbjdFNzhzaEJYVUZCTzFaMFdhRWtFbmhpM1hJT0ZpaGVRCmJVQmdZSGtDZ1lCTVdQQ0RYTGt0TDRKM0c5Mlk1L3RQOUJmenl3cDhKNFJEZTVDaUo1WU5pZFV5cGRuRkIwR0UKMEI3NzFsczNpQTNPd0hmOGxyM013cllnTmZ0Q2czdDdKVWVEUk1DMk1XbUg1SitleVprUFQzNTBpUnJ2elV4WApFL05GTGNCYWlJcEw4L0NOY2dPMXVpYUVaTmgybkdiOEV0R01MbmNRSXBUQ3l4cllMK0F4SGc9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
kind: Secret
metadata:
  name: network-resources-injector-cert
  namespace: sriov-network-operator
---
apiVersion: v1
data:
  ca.crt: TFMwdExTMUNSVWRKVGlCRFJWSlVTVVpKUTBGVVJTMHRMUzB0Q2sxSlNVTXJSRU5EUVdWRFowRjNTVUpCWjBsU1FVeHNaWHA0UlhsVVpIcG9TM1YyY2pVNGFtcG1TV3QzUkZGWlNrdHZXa2xvZG1OT1FWRkZURUpSUVhjS1FVUkJaVVozTUhsTmVrVjVUVlJWZUUxVVJUVk5ha3BoUm5jd2VVNUVRWHBOVkZGNFRWUkZOVTFxU21GTlFVRjNaMmRGYVUxQk1FZERVM0ZIVTBsaU13cEVVVVZDUVZGVlFVRTBTVUpFZDBGM1oyZEZTMEZ2U1VKQlVVUkNOMmxoVEd4clNFRTJPRXhPYmtOQ2EwdHJVSEZITUcxYU4waEtWWEYzVFZaYVF6aEZDblZEZDNGWVpWUXlZV1l3WkdoSWREZFpRbEZMSzAxek4zbFhiemhpWnpGSFF6bGhWbko1YkUwMlkzQkRObFU0UW5CemVHUnhiSGtyZHl0b2RuRkJPVGtLZUhoQmRUVkJSRmhGYUdkU1ZuaHlkV1ozVUVzNE1VVlhUR0kxY1M5QlltZ3pOa04zYUdWUGIwRkVVblpHUzJWb1YwaFBLMlJwYTJoNFpUZDJTa2MxTmdvMWJFSkVNWGN4ZEdKUGNUSjBPWE4zT1V4WFRXRk5lRTl5T0VOT1ZITnFMMHN2VnpST1ZqUlRUalEzV1VoRE9VbDNNRFEyYzNadVVtZExVRUZTZEVoUENtcFNVRVpxTlZJMmIxbDVUMGxXU2pWWFdVcGlXSHBxZVV0YVF6WTRNWFkzWVV4VllXVkxPRE40TUhCS1VVRkVMMHhYTVROTUx6aEVTazB4Vkhsb1VtY0tURkZRTDNOa09YZEdiMlV4T0V0SGJHSmxOVlF5YzB0cmIzaG5TRWh5V2poamJFcDVkRU5FTW5Jd2RIUnJkRTF3UVdkTlFrRkJSMnBpVkVKeVRVRTBSd3BCTVZWa1JIZEZRaTkzVVVWQmQwbEdiMFJCVFVKblRsWklVazFDUVdZNFJVRnFRVUZOUlhOSFFURlZaRVZSUlVJdmQxSkNUVVFyUTFCWE5XeGtTR1IyQ21OdGMzUmpiVlo2WWpOV2VWa3lWbnBNVjJ4MVlXMVdhbVJIT1hsTVdFNXNZMjVhY0ZreVZYVmpNMHB3WWpOWmRHSnRWakJrTWpsNVlYa3hkbU5IVm5rS1dWaFNkbU5wTlhwa2JVMTNSRkZaU2t0dldrbG9kbU5PUVZGRlRFSlJRVVJuWjBWQ1FVZzRWMWRxTDFaWVRXaEpZM05hTHk5eGMwY3hWRXRaY2xkTUx3cEJNemhHTkM5VFRHeHhRa1l6VGpVellrVjNUMVZHVUZGbU4xZGFTa056WnpNMlNVUjFaMmhpV2tnM1EzazNXRWh5VjNSM01GaEJOM0ZKWVdJemIwZFZDa1JtZVRNd2NVazFZVFY2VjBRMk5rNVZlR1JUZEZGdlpIazNUM28yWVdwd1RUTmtPRTV2ZW1sWlpVWjJhaThyVEdoWWNqa3pRVGxNY1hsdFFrNHpVMmNLV1cxd2QxRXpUV2gwTUV4R1R6RlVVa3BXZGtrMFEwRjBhWE5pZDFwR2NsUnFPRzkzU1hSR1ZVTkdWalJxVFRsTGFEYzViMUpNVUUxUWNqaHFRVk5VUmdwdFZXeGhhVWhxYzBSWFZUWmpVVXB4TTJsblFXbHNXSG8zVTFjME1rczROa2hhTjNnd1MyaFJOMHQ0YnpGTGN6TjRSMWd4TlhwbVJFZEpWM1l2T1ZvMkNtRlRjekJSYXpWS1pXbDBiVGROZGxsWGVYZFFURkJRTDI1M01TdElSbm9yVHpadE1WTkVWSHB2VFdSTFJrMVJSSE5KYms1UVJuWm5kMHhCUFFvdExTMHRMVVZPUkNCRFJWSlVTVVpKUTBGVVJTMHRMUzB0Q2c9PQ==
  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM3akNDQWRhZ0F3SUJBZ0lSQUpLZkcyV1JDOC94TWswUGdoQlhibVV3RFFZSktvWklodmNOQVFFTEJRQXcKQURBZUZ3MHlNekV5TVRVeE1URTVNakZhRncweU5EQXpNVFF4TVRFNU1qRmFNQUF3Z2dFaU1BMEdDU3FHU0liMwpEUUVCQVFVQUE0SUJEd0F3Z2dFS0FvSUJBUUMxdnR6SGwzYWJyZERCQXZ2dk9SM0ExK00xVkFlUVJocVZIKzl1ClYvSDgzc1F1Y1VhNEp1Y0Vna0JmRmx6U1FaVmoxNGxJQmZWVzloUk84elNhdXVIM1EybENKUnZrNkYwbWVFWXoKZnYvUGFVZVE0TGlpQlkzNTRMWjVGRHdVeHkyRWlPRTZyWGUxUUwwVGtmbkdPd1c2THJ4a3YwajFIZWlSUlRwZgp6OXBMWTNjQ2JpN09QMGZmYm9hTUVYOTFFaU1FWEw5bm9iUDd0TXRTT0hOUnl4QlVlWXVxYXIwVjc0b0tLSE4rCmt2cytFNUdGRUMybnNyby9kN3V0WEpsL2dvc1dnSE5GL0E1UFZmdmJzL0NVZkZOcW5iT0JGZkl4cGFsTkcxNzYKRjljSHBnTGJDd2dtNHNpUDZ4djJwdTllemQ3ZWpHekoyOEtlWllVck8wUDRnbzRQQWdNQkFBR2pZekJoTUE0RwpBMVVkRHdFQi93UUVBd0lGb0RBTUJnTlZIUk1CQWY4RUFqQUFNRUVHQTFVZEVRRUIvd1EzTURXQ00yOXdaWEpoCmRHOXlMWGRsWW1odmIyc3RjMlZ5ZG1salpTNXpjbWx2ZGkxdVpYUjNiM0pyTFc5d1pYSmhkRzl5TG5OMll6QU4KQmdrcWhraUc5dzBCQVFzRkFBT0NBUUVBRUx6SEdacmdjeEFrS2E0cEI5aWJPcWtTVzB5SVBaRjVkWWxVSzZSNwplSUtNSUxnVjVaTXpCS3ZxQ21tVWozYVJoSzVGT25kUUVYS2FyZnFhcElUVnFEU1poTDdxZ0xyV2NUTDRjTkNOCjFlT2U1ZEYvd2s2WXRhZ05HcUp5dDJ2RlNVTmFxU3FERG9HSFpQTGswUWg5TFZ6b3BjWks3QmVRM3BRd3ltRXMKVzBDSXdWNDNRZ1l3TjBOU0t1Q1plU0IzR2ZBajE4RWRrc24xc21sUGwyaU91N1VMUTNidkxjeHJoYzhxVTgvbQpSeTVSMXJuOFFHNXdwV3kwazF4WHN4Y3hUZWVVVHVuaE11VlNxWFI1VXN1Q2ZFcTR4eEVNUkRpMzdNL2ZYSVF2CnFrUU1QY2NUZFUrSmQxNGFaTENMMHh1OUJ4Q2E3enc5YUZSZmE3TDFGUW1kVGc9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
  tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBdGI3Y3g1ZDJtNjNRd1FMNzd6a2R3TmZqTlZRSGtFWWFsUi92YmxmeC9ON0VMbkZHCnVDYm5CSUpBWHhaYzBrR1ZZOWVKU0FYMVZ2WVVUdk0wbXJyaDkwTnBRaVViNU9oZEpuaEdNMzcvejJsSGtPQzQKb2dXTitlQzJlUlE4Rk1jdGhJamhPcTEzdFVDOUU1SDV4anNGdWk2OFpMOUk5UjNva1VVNlg4L2FTMk4zQW00dQp6ajlIMzI2R2pCRi9kUklqQkZ5L1o2R3orN1RMVWpoelVjc1FWSG1McW1xOUZlK0tDaWh6ZnBMN1BoT1JoUkF0CnA3SzZQM2U3clZ5WmY0S0xGb0J6UmZ3T1QxWDcyN1B3bEh4VGFwMnpnUlh5TWFXcFRSdGUraGZYQjZZQzJ3c0kKSnVMSWorc2I5cWJ2WHMzZTNveHN5ZHZDbm1XRkt6dEQrSUtPRHdJREFRQUJBb0lCQUNmeDN3eHZHYjUxb1dBSwppOXkwTFBucGVTS0xhVzRvT2tkMFVXZHJKT0J6QmFNL2VrK1hIVWM4YVhGOHRNSHhjQ2dWZ3pLMVBJcjBZdHBIClVkU0FKcEgxMnZpU3QyTEVQMVRwTW1TM0VQcEJKVjJPUm9ZMXVsS2xOUFcvb01UZ1VmekRLTjJBcXNMSGk4YjEKV25SYkhKTWpHbno2SGNyaDIrK3h5M2FyZEVzRkhvV3NTK0M4OUJCckllT2NpS0VUU0h0L0hxWlFUSG9NMnNlbgprNG9uZVlKZlVWWGpic1NkWXVwY0dZNGFoNWNKaE92NDl3R2o0R2pFeGNWaDRocTUwRXZlYllzRU9sUEdLS0t0CmxaTndianBwY3ltQ3RjUDNkT3NuNHZORlZ3a1ZTRVVXRzduNW8vRWRHRm5vV0UyY3N2UFplZiswZm1UWnJRNG8KY1NpaG9pRUNnWUVBNFpBOGQ3N2lBUFd6UWgwMkR2QUEvSVk4T1FYeDUra1NhajdlQ0YvRGFSOTI2eEdsazdPKwpNKys2YjI4c0svRGhMSW9HR0ZyeVM3SVJ4TWIwSEN1b1N5YjUyUWROcUpnRGR6L2tqNlQ2RjNrY2NTd1hKOWJ4Cm9tbDRXSGFZZGJ0SEZXQitJaDJGdTc1SkNnSk9xNTh2VG16S0laNWZQSkZqSEVSMktuaU1oZ01DZ1lFQXprVUEKUjIyZDRvSHowS1hFaXppM1o4YTM2VkMyN1lQYjhzM0lzZDBsaEh0T0QzcFVVL2RwSnNMS3BrQmh6YU43Wi9DZwpZM1E2TE1nSEZWd2tRRC9PWlJZbXJOaFphMVVRd0U5OVZhOVpRWUpTNFNzcENCWExRZy9YWWVHTDJlVzFrR0RGCjVqK1U5d1FXNnhYUkFuT3REb3o2dFJNek1PNDV3WTRwMlNTaFVBVUNnWUJ0c3hsRlg0ZEkwalhSSktYQzFBU1cKeTY0RVNaamhvZCs3M2tGYnJ6ODVJLzFReTY5TVN6Rm96dUZNQ3JSZjFuR2NtSy9vTG1zQ1YyTCs0WWVkSDdwawplbHN1cXJlaEUvVXpqTlphNmZCYmRDSmFCQWhxN3NWcnFJSEgvRDJmbkdvd3dsSDF3NGZqeStKM3hMR0FGQllNCnZTbjgrYW4xcWZ1YXBzMFZVTFYvQXdLQmdHSm41T1F1MVo0VVpWOXJWa01kUWRLT3FYcnorUEdEY05GN2YzM3IKaFZTWkJ2cTNYN2ZYVnlFWTJWbExhZDJUV3ZLUmg5TXF4ZjVMUjZYWEdheFZSSUJSZXc0SEFWSUZlVUptS2VOUgpEb0lFVE1vRHIwV2VNQ1JLTG5VU0I0aGk0S1lLcFI5ZHdoRytyN2hqNWgwSFZzNlVUNTlIazZxS1hKK00xVVkxCkJZaUpBb0dCQU0rKzU0Qk43dDBWaWtBUUMzWXJHZUpNVVlJZzFybWVqZ0QzY3F1OFFDL28zTGQ0WHR4MTZUUzEKUTJESzRpRkFGK0JpK050N3YrS2pkV1RHdVI1NkplSEREV2M1WTNUdWJtZXZ0Qm5OVkdQYldjUW5LaldXcFYxWgo3bkczcy81S0VuU1BmdXV0cENUQjhhUmg5VkhRb2k5bTRVd0I5REJqay9kZWhsSlkvTmoyCi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==
kind: Secret
metadata:
  name: operator-webhook-cert
  namespace: sriov-network-operator
type: kubernetes.io/tls
EOF

$ helm install --set operator.admissionControllers.enabled=true -n sriov-network-operator sriov-network-operator .

Expect:

caBundle to be propagated correctly in webhook configs
cert-manager related annotations do not exist at webhook configs
secrets to be mounted correctly in webhook servers

Case 4

Setup certificate like

sriov-network-operator/doc/quickstart.md

Lines 55 to 87 in 7582f30

    
              cat <<EOF | kubectl apply -f - 
        
              apiVersion: cert-manager.io/v1 
        
              kind: Issuer 
        
              metadata: 
        
                name: sriov-network-operator-selfsigned-issuer 
        
                namespace: sriov-network-operator 
        
              spec: 
        
                selfSigned: {} 
        
              --- 
        
              apiVersion: cert-manager.io/v1 
        
              kind: Certificate 
        
              metadata: 
        
                name: operator-webhook-cert 
        
                namespace: sriov-network-operator 
        
              spec: 
        
                secretName: operator-webhook-cert 
        
                dnsNames: 
        
                - operator-webhook-service.sriov-network-operator.svc 
        
                issuerRef: 
        
                  name: sriov-network-operator-selfsigned-issuer 
        
              --- 
        
              apiVersion: cert-manager.io/v1 
        
              kind: Certificate 
        
              metadata: 
        
                name: network-resources-injector-cert 
        
                namespace: sriov-network-operator 
        
              spec: 
        
                secretName: network-resources-injector-cert 
        
                dnsNames: 
        
                - network-resources-injector-service.sriov-network-operator.svc 
        
                issuerRef: 
        
                  name: sriov-network-operator-selfsigned-issuer 
        
              EOF

and setup helm release:

$ helm install --set operator.admissionControllers.enabled=true,operator.admissionControllers.certificates.certManager.enabled=true -n sriov-network-operator sriov-network-operator .

Expect:

caBundle to be propagated correctly in webhooks configs
secrets to be mounted correctly in webhook servers

Case 5

Setup helm release:

$ helm install --set operator.admissionControllers.enabled=true,operator.admissionControllers.certificates.certManager.enabled=true,operator.admissionControllers.certificates.certManager.generateSelfSigned=true -n sriov-network-operator sriov-network-operator .

Expect:

certificates to be created via helm
caBundle to be propagated correctly in webhooks configs
secrets to be mounted correctly in webhook servers

Case 6

Setup helm release:

$ cat <<EOF >> test_values.yaml
operator:
  admissionControllers:
    enabled: true
    certificates:
      custom:
        enabled: true
        operator:
          caCrt: |
            -----BEGIN CERTIFICATE-----
            MIIC7TCCAdWgAwIBAgIQeNnW/zKehLZScupdfp/BbzANBgkqhkiG9w0BAQsFADAA
            MB4XDTIzMTIxNTEyNDE0OVoXDTI0MDMxNDEyNDE0OVowADCCASIwDQYJKoZIhvcN
            AQEBBQADggEPADCCAQoCggEBAK7ZnM/aPeTmjQWWM4Z2200/IRvwzuSFTQSjqSYk
            gDQGPxZ2OzpKkdNzFAMhJcEQz1zVkmCvuDLBqkpXR1S0d+jaN62JletZKTLg87Ow
            VAQMdHYFyGJmG3wGPLbb/fLxBsTtU50ivWL9khh7hNfGsEzBEvcYlep6usKP8pcJ
            qGILdBZu3UBe80lEwerS7Ji7G2ixtBi6ZNQbyHd69JViPHB2eG2MF5qbHmcvSPBV
            lQl4DiuXB/++UF0L2GY11pefQDJbCTmapMECPbMunV1qWZbs+/22/NHIsf24/ah7
            pSGWg3n9qvZ9JY/AtuFQppAk52vCXqTPfWRCEqQPQ4QYJbUCAwEAAaNjMGEwDgYD
            VR0PAQH/BAQDAgWgMAwGA1UdEwEB/wQCMAAwQQYDVR0RAQH/BDcwNYIzb3BlcmF0
            b3Itd2ViaG9vay1zZXJ2aWNlLnNyaW92LW5ldHdvcmstb3BlcmF0b3Iuc3ZjMA0G
            CSqGSIb3DQEBCwUAA4IBAQAOYXsHjNRocgGQi81bnQegCVXFCXeq2ZaUCUzQngY3
            CTcizjcPV3ufBvfKHx/7L+oDoMJnl0OpymO3Y0x8vkwlktcapTYIJ2xcY634Tzsz
            cLa32K4HRE+RoDKVAlxOoHN7xPJdY/DpBCQdzwCpnzu5xyAEZnNPIbC8WIcd7hRr
            2YleOufTo/hYhAuSKEhGLmtxtyHBvVk1G2HWxPIxUILl/i3jzEorumd2kOMw//28
            khFMe3rerUppoo+pshQ30KYMZ3BOQlViwEz2QpMby4XY176oqBN6Zwo2u43EtzRN
            RZW2kESQv+8kYuHwjs1BNX2aYwuNFE04WOCvoAp5SNVz
            -----END CERTIFICATE-----
          tlsCrt: |
            -----BEGIN CERTIFICATE-----
            MIIC7TCCAdWgAwIBAgIQeNnW/zKehLZScupdfp/BbzANBgkqhkiG9w0BAQsFADAA
            MB4XDTIzMTIxNTEyNDE0OVoXDTI0MDMxNDEyNDE0OVowADCCASIwDQYJKoZIhvcN
            AQEBBQADggEPADCCAQoCggEBAK7ZnM/aPeTmjQWWM4Z2200/IRvwzuSFTQSjqSYk
            gDQGPxZ2OzpKkdNzFAMhJcEQz1zVkmCvuDLBqkpXR1S0d+jaN62JletZKTLg87Ow
            VAQMdHYFyGJmG3wGPLbb/fLxBsTtU50ivWL9khh7hNfGsEzBEvcYlep6usKP8pcJ
            qGILdBZu3UBe80lEwerS7Ji7G2ixtBi6ZNQbyHd69JViPHB2eG2MF5qbHmcvSPBV
            lQl4DiuXB/++UF0L2GY11pefQDJbCTmapMECPbMunV1qWZbs+/22/NHIsf24/ah7
            pSGWg3n9qvZ9JY/AtuFQppAk52vCXqTPfWRCEqQPQ4QYJbUCAwEAAaNjMGEwDgYD
            VR0PAQH/BAQDAgWgMAwGA1UdEwEB/wQCMAAwQQYDVR0RAQH/BDcwNYIzb3BlcmF0
            b3Itd2ViaG9vay1zZXJ2aWNlLnNyaW92LW5ldHdvcmstb3BlcmF0b3Iuc3ZjMA0G
            CSqGSIb3DQEBCwUAA4IBAQAOYXsHjNRocgGQi81bnQegCVXFCXeq2ZaUCUzQngY3
            CTcizjcPV3ufBvfKHx/7L+oDoMJnl0OpymO3Y0x8vkwlktcapTYIJ2xcY634Tzsz
            cLa32K4HRE+RoDKVAlxOoHN7xPJdY/DpBCQdzwCpnzu5xyAEZnNPIbC8WIcd7hRr
            2YleOufTo/hYhAuSKEhGLmtxtyHBvVk1G2HWxPIxUILl/i3jzEorumd2kOMw//28
            khFMe3rerUppoo+pshQ30KYMZ3BOQlViwEz2QpMby4XY176oqBN6Zwo2u43EtzRN
            RZW2kESQv+8kYuHwjs1BNX2aYwuNFE04WOCvoAp5SNVz
            -----END CERTIFICATE-----
          tlsKey: |
            -----BEGIN RSA PRIVATE KEY-----
            MIIEogIBAAKCAQEArtmcz9o95OaNBZYzhnbbTT8hG/DO5IVNBKOpJiSANAY/FnY7
            OkqR03MUAyElwRDPXNWSYK+4MsGqSldHVLR36No3rYmV61kpMuDzs7BUBAx0dgXI
            YmYbfAY8ttv98vEGxO1TnSK9Yv2SGHuE18awTMES9xiV6nq6wo/ylwmoYgt0Fm7d
            QF7zSUTB6tLsmLsbaLG0GLpk1BvId3r0lWI8cHZ4bYwXmpseZy9I8FWVCXgOK5cH
            /75QXQvYZjXWl59AMlsJOZqkwQI9sy6dXWpZluz7/bb80cix/bj9qHulIZaDef2q
            9n0lj8C24VCmkCTna8JepM99ZEISpA9DhBgltQIDAQABAoIBAGm3x3lhAjVJNJDh
            LQwrBxOgjNtA8Ub4VgXtElOulBlggXqKR+tJtPv9Q2dU/mfKSyZdN2DgPeXqdJT4
            Snermiie8DUr0Ap5YVCS9KZ7gYDlKvFFM9BS3mFRwBnrz5K5KpecywZiP9H/cPr+
            i+aPCn+N6XKfWd1pEUycDlhGDZohRA8lxOvun034RfcjMW2dWjnfyFLUA9hcQ0wS
            yMozQ8KjXns2WFFsLb4Stoo2m0scRw+oFLVBT6VJEUsAFwYcoCDmtjO/v/DibLE8
            5OzC2rpEaLb/K7eEXNe1/cjogqvG86AUiotx5gBB62ZU5K5uceT6KMyf1G6tbo3h
            LShTIIECgYEAw4f8og5yFT77ucxpKXF8qHpc0aeAwVOSZdEoCz4nCnr4iL487C81
            MNpjy+mSRs9mwdIOebRO1mwBYTEmS5BSU7hmsiOB4WU5GEZ8zNiIvAbRjSM5N0qy
            s/JO/BuXm4XomswIUs+EP9xMosLGbjW8SVFpPhA49CXZALPc9XCoaJUCgYEA5OxR
            wo1j9b18GlkN/8zFhWTRfqRWxyfRxznENHOPet+g6BOzfgnsotuUHGPEr1MURoQq
            cUCTOtFmHI1ZLjOnkF8CKkXY23B+9lRIY9J+WH+oXSy8LRK+VUMDyks0Sx3N10Sh
            cyhR1J/sdEA8gYEKw0fgG/6sRoqnCClSlOz84KECgYBEW8Z24ZYA14Qp8MzTMFnk
            jOLmaSkabZ1A+16Ej7YWc+dv5xJlgBuYeMFrCL2bA+do24c0BVWKoTfaQtSgllQx
            8MX2gXNm2XycgAghlZI4KioYrbfTHMpdHtl+Sic2uBoaBDrkuKgDq4EfZfj5js/E
            0jF5ATLoKFM1a6xUIo6+AQKBgG1uCidWL1JpIcn2iBqfaEw7xWkkZdcN0dnKY2Av
            XYb/H4vQ3xyA4f13uXVYu8yTij2rMB6zH64eKxG6/8Z2KsN4pzBN8zvyqr5Vy8Tr
            +jmTzIe9urZRH2rifg1VpcnClYMx63uA6p0ZVY68pi/B38M5uIepVfDilrXwCunl
            33wBAoGAdXh4UHIuuX9iS55hN1jVH4mRnwK7fs6TnTB1IPLoQrTBNxDTjmWANyHF
            T94eaE/5btNGsXYDGOsEqBtirL5a3pWt0L5Ig1XpQGgUyLnhUBv/s/qTftcW/iah
            VIzLJmG/uiDdwzKGmoRToQr1Wh7P+hPT4QLcMqHWvGTlYIhjlKg=
            -----END RSA PRIVATE KEY-----
        injector:
          caCrt: |
            -----BEGIN CERTIFICATE-----
            MIIC9zCCAd+gAwIBAgIQVNH+QLMzxo4Elw6yaD/jIDANBgkqhkiG9w0BAQsFADAA
            MB4XDTIzMTIxNTEyNDE1MFoXDTI0MDMxNDEyNDE1MFowADCCASIwDQYJKoZIhvcN
            AQEBBQADggEPADCCAQoCggEBANrx6NNj3/T9S4qdLam194XjPexvqHqLg7vrQx3b
            j1UrEi7r8vQEUZhN8XZkWO+by1rNshsbKzeyH7P0TIVnU1AqeffM78Y7orPiltk1
            Fv5dkL0pV0bzQ8QdVpZ2MEab54xQrsww38qtjFQtn6dSZaD63nJfpZfjmY9yfkcN
            ZqwE3gkGxJN32CD6gDdOAt3wtr8APTaerB7QS6R6vZwlMWKraQbL2vgI5WTjM4Hu
            15eb4s9v4QNdKy6GNqKtDvJ9UjAWvoVExgH21s78DTTi3P1W54Zitt3dPC/7asB+
            4dax7+v7F1A1DnT0Akr0J4XQ7XiLMYz8+ckoPcJ9C2Er9PkCAwEAAaNtMGswDgYD
            VR0PAQH/BAQDAgWgMAwGA1UdEwEB/wQCMAAwSwYDVR0RAQH/BEEwP4I9bmV0d29y
            ay1yZXNvdXJjZXMtaW5qZWN0b3Itc2VydmljZS5zcmlvdi1uZXR3b3JrLW9wZXJh
            dG9yLnN2YzANBgkqhkiG9w0BAQsFAAOCAQEAZS3erVwP47WUxggvVfznEKKOhQwO
            uK52ar9P9HoQCQZQEuRgITCnqgg8etIMHpzfkAs+RwErdy0pFe2IdBY6Zv30cf2O
            +a4KyIA6Uj4SH/LQfYfL2OAF38/+44KZgv7vIMeq8emPGlBQ5yVdFQ/D5oaGcufA
            PuU7h7f33KUvRS16qexMpUF++Tcw76jps+lgLmiRW13x4EZqNfN1nA9nSOmX5u4y
            FHemeQKVQIqHsEEtHiT/K7Wn6AIkblyg+9H+c5J0BsZSo0riW3VQzkYCwmB+XC5y
            qWawLQEGZEih9N213Z58+AACeFzwb/nPM0PrGGJWzAAH1pRBaOaI0mnvfg==
            -----END CERTIFICATE-----
          tlsCrt: |
            -----BEGIN CERTIFICATE-----
            MIIC9zCCAd+gAwIBAgIQVNH+QLMzxo4Elw6yaD/jIDANBgkqhkiG9w0BAQsFADAA
            MB4XDTIzMTIxNTEyNDE1MFoXDTI0MDMxNDEyNDE1MFowADCCASIwDQYJKoZIhvcN
            AQEBBQADggEPADCCAQoCggEBANrx6NNj3/T9S4qdLam194XjPexvqHqLg7vrQx3b
            j1UrEi7r8vQEUZhN8XZkWO+by1rNshsbKzeyH7P0TIVnU1AqeffM78Y7orPiltk1
            Fv5dkL0pV0bzQ8QdVpZ2MEab54xQrsww38qtjFQtn6dSZaD63nJfpZfjmY9yfkcN
            ZqwE3gkGxJN32CD6gDdOAt3wtr8APTaerB7QS6R6vZwlMWKraQbL2vgI5WTjM4Hu
            15eb4s9v4QNdKy6GNqKtDvJ9UjAWvoVExgH21s78DTTi3P1W54Zitt3dPC/7asB+
            4dax7+v7F1A1DnT0Akr0J4XQ7XiLMYz8+ckoPcJ9C2Er9PkCAwEAAaNtMGswDgYD
            VR0PAQH/BAQDAgWgMAwGA1UdEwEB/wQCMAAwSwYDVR0RAQH/BEEwP4I9bmV0d29y
            ay1yZXNvdXJjZXMtaW5qZWN0b3Itc2VydmljZS5zcmlvdi1uZXR3b3JrLW9wZXJh
            dG9yLnN2YzANBgkqhkiG9w0BAQsFAAOCAQEAZS3erVwP47WUxggvVfznEKKOhQwO
            uK52ar9P9HoQCQZQEuRgITCnqgg8etIMHpzfkAs+RwErdy0pFe2IdBY6Zv30cf2O
            +a4KyIA6Uj4SH/LQfYfL2OAF38/+44KZgv7vIMeq8emPGlBQ5yVdFQ/D5oaGcufA
            PuU7h7f33KUvRS16qexMpUF++Tcw76jps+lgLmiRW13x4EZqNfN1nA9nSOmX5u4y
            FHemeQKVQIqHsEEtHiT/K7Wn6AIkblyg+9H+c5J0BsZSo0riW3VQzkYCwmB+XC5y
            qWawLQEGZEih9N213Z58+AACeFzwb/nPM0PrGGJWzAAH1pRBaOaI0mnvfg==
            -----END CERTIFICATE-----
          tlsKey: |
            -----BEGIN RSA PRIVATE KEY-----
            MIIEogIBAAKCAQEA2vHo02Pf9P1Lip0tqbX3heM97G+oeouDu+tDHduPVSsSLuvy
            9ARRmE3xdmRY75vLWs2yGxsrN7Ifs/RMhWdTUCp598zvxjuis+KW2TUW/l2QvSlX
            RvNDxB1WlnYwRpvnjFCuzDDfyq2MVC2fp1JloPrecl+ll+OZj3J+Rw1mrATeCQbE
            k3fYIPqAN04C3fC2vwA9Np6sHtBLpHq9nCUxYqtpBsva+AjlZOMzge7Xl5viz2/h
            A10rLoY2oq0O8n1SMBa+hUTGAfbWzvwNNOLc/VbnhmK23d08L/tqwH7h1rHv6/sX
            UDUOdPQCSvQnhdDteIsxjPz5ySg9wn0LYSv0+QIDAQABAoIBAAyElj430J8uODp1
            oB265KsIAgtZmvVesqp02gKEAh7pdoGuRdbDxHKDylFtjVQtwSOw7QT1ubPWgE+G
            oTVjYfUMaKrNUcwwrq3AP8WtbmIesV7PVUkeMXqt/rxdh4cR9Nwl5MiR5smswIAz
            l5Q2ds8MaNl7NHmJrsbv0d54Gq2tAm47C9SNxPAcfLSW8PcwdY1v49mp96nd8lgP
            +SA48RxcsWhrjUhfaHAtd4edGFd4uysIkG9uFQdoOVjXHdVZiL1N8JxsnF0HPYh3
            6UZ/nD+nf8JL+X4ENTjQJGduQcBYnpqcZxtp4ilFV1tRm4FTYuYdTPbj04AobLdo
            Ykp8oIECgYEA3R0ayCkrym1kjx4HahES/TVc8QZt/ZF0Lw0HamA5W7DBI8BUQtfp
            64fv6yWfyQMr8wHEj57oBiz8WsR8Dzpge4s4XilHG1Fc7v1L1LiehZ/+YW4dyh4z
            0/EpFABhAaAy/hpiqDfYahVuHi0BXKMKhxvg3MACljQ2BeS2gHaVuzECgYEA/X01
            bWCw7jaqUGbYOFJWQt7fZpc7LlMKP5JOAkKLNKQPLgnM8qgIguAq/ApH0WS+dmmY
            xVWHN+XIY8ExBW0jmJ6JY/SbBnhU3NbZtY3D2JxJdwJ+MUaMbDTj4fM+hV9lH1+R
            ExQx5uhWF3MUSDEUIlkZWReH7JExj4i1aiGF1EkCgYBdB//as6ffFcO3i5TnBaQN
            sUQXjPL+OxK9MSgrk6zObUH1/tf0/89F7/372+qsso7tQZMoMl3BK3BJ6F2iMpeh
            o2PmCkwGrGcDjsM3Dy5zXmuzJpeWELsRs2frKHWoL3UFAKj9yfFeQQIB5EGsblTh
            n9MuTgNIm1MXi7FVv48kIQKBgG/Z7ddDkQ6rxF8R4lqHylRbb4wfMxfvwFfowM8y
            eaZStfgEjxCLoKXPMGhiSOpWX8x0L9rzMGUz2UZbGrxgOhK/8bPPXRBvzFJd41a/
            JSnRXIFM8k3f6VpdxCgRYwcK3t4HF0ap5JMU9dgHCW4Jae72Db9IKMv0DUBefF5G
            SH0xAoGANXwptjm8ghoglGdzbQXcObATMXlKk+AHFGvw4vc+VG/T4DdupGffFrz1
            HVbbMQ119/+BxLbbJ3/nOtYoRkpHkhCEfP1Z03MoEzAWL0we+n4YxV7AX49EX1zD
            vk0vF9YC6EyOkal+a9yJ9/EAKl8PYMNRsSR9lmBuGk5+AJJD8o4=
            -----END RSA PRIVATE KEY-----
EOF
$ helm install -f test_values.yaml -n sriov-network-operator  sriov-network-operator .

Expect:

secrets to be created via helm and encrypted correctly
caBundle to be propagated correctly in webhooks configs
secrets to be mounted correctly in webhook servers

github-actions · 2023-12-15T13:01:21Z

Thanks for your PR,
To run vendors CIs use one of:

/test-all: To run all tests for all vendors.
/test-e2e-all: To run all E2E tests for all vendors.
/test-e2e-nvidia-all: To run all E2E tests for NVIDIA vendor.

To skip the vendors CIs use one of:

/skip-all: To skip all tests for all vendors.
/skip-e2e-all: To skip all E2E tests for all vendors.
/skip-e2e-nvidia-all: To skip all E2E tests for NVIDIA vendor.
Best regards.

github-actions · 2023-12-15T13:28:28Z

Thanks for your PR,
To run vendors CIs use one of:

/test-all: To run all tests for all vendors.
/test-e2e-all: To run all E2E tests for all vendors.
/test-e2e-nvidia-all: To run all E2E tests for NVIDIA vendor.

To skip the vendors CIs use one of:

/skip-all: To skip all tests for all vendors.
/skip-e2e-all: To skip all E2E tests for all vendors.
/skip-e2e-nvidia-all: To skip all E2E tests for NVIDIA vendor.
Best regards.

coveralls · 2023-12-15T13:34:09Z

Pull Request Test Coverage Report for Build 7285020551

6 of 6 (100.0%) changed or added relevant lines in 1 file are covered.
5 unchanged lines in 2 files lost coverage.
Overall coverage decreased (-0.02%) to 25.629%

Files with Coverage Reduction	New Missed Lines	%
controllers/sriovnetwork_controller.go	2	70.68%
api/v1/helper.go	3	42.36%

Totals
Change from base Build 7280777027:	-0.02%
Covered Lines:	2353
Relevant Lines:	9181

💛 - Coveralls

github-actions · 2023-12-15T14:24:28Z

Thanks for your PR,
To run vendors CIs use one of:

/test-all: To run all tests for all vendors.
/test-e2e-all: To run all E2E tests for all vendors.
/test-e2e-nvidia-all: To run all E2E tests for NVIDIA vendor.

To skip the vendors CIs use one of:

/skip-all: To skip all tests for all vendors.
/skip-e2e-all: To skip all E2E tests for all vendors.
/skip-e2e-nvidia-all: To skip all E2E tests for NVIDIA vendor.
Best regards.

github-actions · 2023-12-15T14:26:26Z

Thanks for your PR,
To run vendors CIs use one of:

/test-all: To run all tests for all vendors.
/test-e2e-all: To run all E2E tests for all vendors.
/test-e2e-nvidia-all: To run all E2E tests for NVIDIA vendor.

To skip the vendors CIs use one of:

/skip-all: To skip all tests for all vendors.
/skip-e2e-all: To skip all E2E tests for all vendors.
/skip-e2e-nvidia-all: To skip all E2E tests for NVIDIA vendor.
Best regards.

github-actions · 2023-12-15T17:53:11Z

Thanks for your PR,
To run vendors CIs use one of:

/test-all: To run all tests for all vendors.
/test-e2e-all: To run all E2E tests for all vendors.
/test-e2e-nvidia-all: To run all E2E tests for NVIDIA vendor.

To skip the vendors CIs use one of:

/skip-all: To skip all tests for all vendors.
/skip-e2e-all: To skip all E2E tests for all vendors.
/skip-e2e-nvidia-all: To skip all E2E tests for NVIDIA vendor.
Best regards.

deploy/operator.yaml

bindata/manifests/webhook/001-service.yaml

deployment/sriov-network-operator/values.yaml

deployment/sriov-network-operator/templates/certificate.yaml

github-actions · 2023-12-19T08:55:53Z

Thanks for your PR,
To run vendors CIs use one of:

/test-all: To run all tests for all vendors.
/test-e2e-all: To run all E2E tests for all vendors.
/test-e2e-nvidia-all: To run all E2E tests for NVIDIA vendor.

To skip the vendors CIs use one of:

/skip-all: To skip all tests for all vendors.
/skip-e2e-all: To skip all E2E tests for all vendors.
/skip-e2e-nvidia-all: To skip all E2E tests for NVIDIA vendor.
Best regards.

mlguerrero12 · 2023-12-19T15:32:19Z

hack/run-e2e-conformance-virtual-cluster.sh

@@ -314,7 +314,8 @@ do
 done


-export ENABLE_ADMISSION_CONTROLLER=true
+export ADMISSION_CONTROLLERS__ENABLED=true


I'm trying to understand the implications of changing the name of this env var or the name of the certificates. Wouldn't this break backward compatibility or what would happen at the moment of upgrading the operator?

Could you elaborate on what level of backwards compatibility we need to maintain here? If I try not to break backwards compatibility I will end up with one of the following:

Scattered values in Helm Chart related to admission controllers

Inconsistency in admission controller related environment variables

Multiple env variables handling the same thing

And then the next question arises, who is going to remove those and when is the right time to remove them since we don't have any releases to say e.g. after 3 releases we remove those deprecated env variables?

With this PR, I try to bring some structure on the certificate story for the admission controllers and to do so, I needed to adjust a couple of things for consistency. I think I have done sufficient work to indicate these changes. There are at least 2 ways to deploy the stack based on what I found:

make deploy-setup-k8s

Helm Chart

For the former, the docs are updated. Even before if someone would set the ENABLE_ADMISSION_CONTROLLER env variable they would need to dive deeper to understand which secrets they should pre-populate if they didn't follow the docs. Actually, they would notice because the webhooks pods couldn't start by manually tinkering the cluster. Although I don't like this behavior, I kept it the same to not break your usual flow.

For the latter, to our knowledge we are the only consumers of the Helm Chart and we will handle that appropriately. If the chart was versioned, we would bump the major version to indicate a breaking change and then the admin would have to be careful.

My main concern is changing the name of the var ENABLE_ADMISSION_CONTROLLER. Our downstream version (openshift) uses OLM to install this operator and we would have to make some changes there as far as I see it (we have additional files). So, I need to understand what this implies to us. @SchSeba @zeeke, what do you think?

I'm still trying to understand how we deploy the certificates in openshift. Need to dig on that further.

OpenShift deployment doesn't rely on WEBHOOK_CA_BUNDLE var
https://github.com/k8snetworkplumbingwg/sriov-network-operator/blob/master/bindata/manifests/webhook/003-webhook.yaml#L8

Regarding the ENABLE_ADMISSION_CONTROLLER, we'll have to adjust the downstream deployment files, as you correctly stated:

sriov-network-operator/bundle/manifests/sriov-network-operator.clusterserviceversion.yaml

Line 348 in 7c2f779

- name: ENABLE_ADMISSION_CONTROLLER

sriov-network-operator/config/manager/manager.yaml

Line 75 in fbc5bc1

- name: ENABLE_ADMISSION_CONTROLLER

sriov-network-operator/config/manifests/bases/sriov-network-operator.clusterserviceversion.yaml

Line 130 in ed5bef6

- name: ENABLE_ADMISSION_CONTROLLER

I'm ok with the new name ADMISSION_CONTROLLERS_ENABLED

Folks let me know if there is something for me to address here. If there is, please give me the branch or tag I should be doing the changes.

thanks @zeeke for confirming

deploy/operator.yaml

github-actions · 2023-12-20T07:23:15Z

Thanks for your PR,
To run vendors CIs use one of:

/test-all: To run all tests for all vendors.
/test-e2e-all: To run all E2E tests for all vendors.
/test-e2e-nvidia-all: To run all E2E tests for NVIDIA vendor.

To skip the vendors CIs use one of:

/skip-all: To skip all tests for all vendors.
/skip-e2e-all: To skip all E2E tests for all vendors.
/skip-e2e-nvidia-all: To skip all E2E tests for NVIDIA vendor.
Best regards.

Signed-off-by: Vasilis Remmas <vremmas@nvidia.com>

This commit changes the ENV variable that turns on the admission controllers to enable bundling of additional webhook related settings via the same prefix like certificate mode, CA etc. This is a cosmetic change. Signed-off-by: Vasilis Remmas <vremmas@nvidia.com>

This commit starts to make use of the new ADMISSION_CONTROLLERS__* environment variables when rendering manifests. It also adjusts the logic with which cert-manager related annotation is used. Signed-off-by: Vasilis Remmas <vremmas@nvidia.com>

This commit adjusts the manifests to use the new ADMISSION_CONTROLLERS__* environment variables and also adjusts the relevant documentation files to reflect the new changes. Signed-off-by: Vasilis Remmas <vremmas@nvidia.com>

Signed-off-by: Vasilis Remmas <vremmas@nvidia.com>

Replace double underscores with underscores of admission controller related ENV variables to address feedback on the PR. Signed-off-by: Vasilis Remmas <vremmas@nvidia.com>

SchSeba

nice work

deployment/sriov-network-operator/templates/certificate.yaml

SchSeba · 2023-12-20T20:44:01Z

deployment/sriov-network-operator/templates/certificate.yaml

+spec:
+  selfSigned: {}
+{{- end }}
+{{- if and (not .Values.operator.admissionControllers.certificates.certManager.enabled) (.Values.operator.admissionControllers.certificates.custom.enabled) }}


it should be

if admissionControllers.enabled { if cert manager and certManager.generateSelfSigned { } else if not cert manager and certificates.custom.enabled{ }

deployment/sriov-network-operator/templates/certificate.yaml

github-actions · 2023-12-21T07:01:33Z

Thanks for your PR,
To run vendors CIs use one of:

/test-all: To run all tests for all vendors.
/test-e2e-all: To run all E2E tests for all vendors.
/test-e2e-nvidia-all: To run all E2E tests for NVIDIA vendor.

To skip the vendors CIs use one of:

/skip-all: To skip all tests for all vendors.
/skip-e2e-all: To skip all E2E tests for all vendors.
/skip-e2e-nvidia-all: To skip all E2E tests for NVIDIA vendor.
Best regards.

SchSeba

LGTM

adrianchiris · 2023-12-31T15:23:41Z

deployment/sriov-network-operator/values.yaml

  cniBinPath: "/opt/cni/bin"
  clusterType: "kubernetes"
+  admissionControllers:


@vasrem mind updating helm README with added parameters ?

https://github.com/k8snetworkplumbingwg/sriov-network-operator/blob/master/deployment/sriov-network-operator/README.md

im fine with updating in a separate PR as well.
forgot to mention this in the original PR

Addressed in #570

adrianchiris

LGTM, thx for addressing my comments.

please follow up with additional PR to update helm README, as i dont want to block this one.

PR [1] changed operator's environment variable `ENABLE_ADMISSION_CONTROLLER` to `ADMISSION_CONTROLLERS_ENABLED`. Also, the following environment variable have been introduced as a replacement of the constants: - `operator-webhook-service` -> `ADMISSION_CONTROLLERS_CERTIFICATES_OPERATOR_SECRET_NAME` - `network-resources-injector-secret` -> `ADMISSION_CONTROLLERS_CERTIFICATES_INJECTOR_SECRET_NAME` refs: [1] k8snetworkplumbingwg/sriov-network-operator#561 Signed-off-by: Andrea Panattoni <apanatto@redhat.com>

…#709) Today it's cumbersome to enable admission controllers for SRIOV Network Operator because the user needs to create a secret manually. With this PR k8snetworkplumbingwg/sriov-network-operator#561, it's possible to generate a self signed certificate so the user doesn't need to do manual steps to enable those admission controllers. This PR just updates the chart to the latest chart found in the `master` branch of https://github.com/k8snetworkplumbingwg/sriov-network-operator which at the time was k8snetworkplumbingwg/sriov-network-operator@233b99a. Another PR will enable proper support for admission controllers.

PR [1] changed operator's environment variable `ENABLE_ADMISSION_CONTROLLER` to `ADMISSION_CONTROLLERS_ENABLED`. Also, the following environment variable have been introduced as a replacement of the constants: - `operator-webhook-service` -> `ADMISSION_CONTROLLERS_CERTIFICATES_OPERATOR_SECRET_NAME` - `network-resources-injector-secret` -> `ADMISSION_CONTROLLERS_CERTIFICATES_INJECTOR_SECRET_NAME` refs: [1] k8snetworkplumbingwg/sriov-network-operator#561 Signed-off-by: Andrea Panattoni <apanatto@redhat.com> # Conflicts: # bundle/manifests/sriov-network-operator.clusterserviceversion.yaml # config/manifests/bases/sriov-network-operator.clusterserviceversion.yaml # manifests/stable/sriov-network-operator.clusterserviceversion.yaml

PR [1] changed operator's environment variable `ENABLE_ADMISSION_CONTROLLER` to `ADMISSION_CONTROLLERS_ENABLED`. Also, the following environment variable have been introduced as a replacement of the constants: - `operator-webhook-service` -> `ADMISSION_CONTROLLERS_CERTIFICATES_OPERATOR_SECRET_NAME` - `network-resources-injector-secret` -> `ADMISSION_CONTROLLERS_CERTIFICATES_INJECTOR_SECRET_NAME` refs: [1] k8snetworkplumbingwg/sriov-network-operator#561 Signed-off-by: Andrea Panattoni <apanatto@redhat.com>

vasrem marked this pull request as ready for review December 15, 2023 13:02

vasrem marked this pull request as draft December 15, 2023 13:11

vasrem force-pushed the feature/refactor_certificates_for_webhooks branch from ccdcbcb to c80336c Compare December 15, 2023 13:28

vasrem force-pushed the feature/refactor_certificates_for_webhooks branch from 984b110 to 244cc84 Compare December 15, 2023 14:26

vasrem force-pushed the feature/refactor_certificates_for_webhooks branch from 244cc84 to 23b63a6 Compare December 15, 2023 17:52

vasrem marked this pull request as ready for review December 15, 2023 19:00

adrianchiris reviewed Dec 17, 2023

View reviewed changes

adrianchiris reviewed Dec 18, 2023

View reviewed changes

deployment/sriov-network-operator/templates/certificate.yaml Outdated Show resolved Hide resolved

vasrem force-pushed the feature/refactor_certificates_for_webhooks branch from 23b63a6 to 1a0a61b Compare December 19, 2023 08:55

vasrem mentioned this pull request Dec 19, 2023

chore: Update SR-IOV Network Operator chart to consume new cert logic Mellanox/network-operator#709

Merged

mlguerrero12 reviewed Dec 19, 2023

View reviewed changes

vasrem requested review from adrianchiris and mlguerrero12 December 20, 2023 07:24

vasrem added 6 commits December 20, 2023 21:18

Add configurable certificate in Helm chart

8876217

Signed-off-by: Vasilis Remmas <vremmas@nvidia.com>

Adjust manifests used for development purposes

3a73855

This commit adjusts the manifests to use the new ADMISSION_CONTROLLERS__* environment variables and also adjusts the relevant documentation files to reflect the new changes. Signed-off-by: Vasilis Remmas <vremmas@nvidia.com>

Use new ENV variables in k8s conformance tests

f840b0d

Signed-off-by: Vasilis Remmas <vremmas@nvidia.com>

Replace double underscores with underscores for ENV variables

75d4ad2

Replace double underscores with underscores of admission controller related ENV variables to address feedback on the PR. Signed-off-by: Vasilis Remmas <vremmas@nvidia.com>

SchSeba reviewed Dec 20, 2023

View reviewed changes

vasrem force-pushed the feature/refactor_certificates_for_webhooks branch from f23541d to 75d4ad2 Compare December 21, 2023 07:01

SchSeba approved these changes Dec 21, 2023

View reviewed changes

vasrem mentioned this pull request Dec 27, 2023

Change behavior when deleting default SriovNetworkNodePolicy and SriovOperatorConfig #566

Merged

adrianchiris reviewed Dec 31, 2023

View reviewed changes

adrianchiris approved these changes Dec 31, 2023

View reviewed changes

adrianchiris merged commit 233b99a into k8snetworkplumbingwg:master Dec 31, 2023
11 checks passed

vasrem deleted the feature/refactor_certificates_for_webhooks branch January 2, 2024 08:37

vasrem mentioned this pull request Jan 2, 2024

Update chart README.md to reflect webhook changes #570

Merged

zeeke mentioned this pull request Jan 5, 2024

Downstream Sync 20240104 openshift/sriov-network-operator#880

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add more flexibility on how to configure certificates for the admission controllers via helm chart #561

Add more flexibility on how to configure certificates for the admission controllers via helm chart #561

vasrem commented Dec 15, 2023 •

edited

Loading

github-actions bot commented Dec 15, 2023

github-actions bot commented Dec 15, 2023

coveralls commented Dec 15, 2023 •

edited

Loading

github-actions bot commented Dec 15, 2023

github-actions bot commented Dec 15, 2023

github-actions bot commented Dec 15, 2023

github-actions bot commented Dec 19, 2023

mlguerrero12 Dec 19, 2023

vasrem Dec 20, 2023

mlguerrero12 Dec 20, 2023

zeeke Dec 20, 2023

vasrem Dec 20, 2023

mlguerrero12 Dec 20, 2023

github-actions bot commented Dec 20, 2023

SchSeba left a comment

SchSeba Dec 20, 2023

github-actions bot commented Dec 21, 2023

SchSeba left a comment

adrianchiris Dec 31, 2023

vasrem Jan 2, 2024

adrianchiris left a comment

	1. Create certificates for each of the two webhooks using a single CA whose cert you provide through an environment variable.

	For example, given `cacert.pem`, `key.pem` and `cert.pem`:
	```bash
	kubectl create ns sriov-network-operator
	kubectl -n sriov-network-operator create secret tls operator-webhook-cert --cert=cert.pem --key=key.pem
	kubectl -n sriov-network-operator create secret tls network-resources-injector-cert --cert=cert.pem --key=key.pem
	export ADMISSION_CONTROLLERS__ENABLED=true
	export ADMISSION_CONTROLLERS__CERTIFICATES__OPERATOR__CA_CRT=$(base64 -w 0 < cacert.pem)
	export ADMISSION_CONTROLLERS__CERTIFICATES__INJECTOR__CA_CRT=$(base64 -w 0 < cacert.pem)
	make deploy-setup-k8s
	```

	2. Using https://cert-manager.io/, deploy it as:
	```bash
	kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.3.0/cert-manager.yaml
	```

	Define the appropriate Issuer and Certificates, as an example:
	```bash
	kubectl create ns sriov-network-operator
	cat <<EOF \| kubectl apply -f -
	apiVersion: cert-manager.io/v1
	kind: Issuer
	metadata:
	name: sriov-network-operator-selfsigned-issuer
	namespace: sriov-network-operator
	spec:
	selfSigned: {}
	---
	apiVersion: cert-manager.io/v1
	kind: Certificate
	metadata:
	name: operator-webhook-cert
	namespace: sriov-network-operator
	spec:
	secretName: operator-webhook-cert
	dnsNames:
	- operator-webhook-service.sriov-network-operator.svc
	issuerRef:
	name: sriov-network-operator-selfsigned-issuer
	---
	apiVersion: cert-manager.io/v1
	kind: Certificate
	metadata:
	name: network-resources-injector-cert
	namespace: sriov-network-operator
	spec:
	secretName: network-resources-injector-cert
	dnsNames:
	- network-resources-injector-service.sriov-network-operator.svc
	issuerRef:
	name: sriov-network-operator-selfsigned-issuer
	EOF
	```

	And then deploy the operator:
	```bash
	export ADMISSION_CONTROLLERS__ENABLED=true
	export ADMISSION_CONTROLLERS__CERTIFICATES__CERT_MANAGER__ENABLED=true
	make deploy-setup-k8s
	```

Add more flexibility on how to configure certificates for the admission controllers via helm chart #561

Add more flexibility on how to configure certificates for the admission controllers via helm chart #561

Conversation

vasrem commented Dec 15, 2023 • edited Loading

Testing

Case 1

Case 2

Case 3

Case 4

Case 5

Case 6

github-actions bot commented Dec 15, 2023

github-actions bot commented Dec 15, 2023

coveralls commented Dec 15, 2023 • edited Loading

Pull Request Test Coverage Report for Build 7285020551

💛 - Coveralls

github-actions bot commented Dec 15, 2023

github-actions bot commented Dec 15, 2023

github-actions bot commented Dec 15, 2023

github-actions bot commented Dec 19, 2023

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

github-actions bot commented Dec 20, 2023

SchSeba left a comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

github-actions bot commented Dec 21, 2023

SchSeba left a comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

adrianchiris left a comment

Choose a reason for hiding this comment

vasrem commented Dec 15, 2023 •

edited

Loading

coveralls commented Dec 15, 2023 •

edited

Loading