✨ kustomize restricts about the scope of var definition

We move var definition one level up to work around this restriction.

Author: Mengqi Yu

docs/book/src/cronjob-tutorial/testdata/project/config/certmanager/certificate.yaml

@@ -14,10 +14,10 @@ metadata:
   name: serving-cert  # this name should match the one appeared in kustomizeconfig.yaml
   namespace: system
 spec:
-  # $(SERVICENAME) and $(NAMESPACE) will be substituted by kustomize
-  commonName: $(SERVICENAME).$(NAMESPACE).svc
+  # $(SERVICE_NAME) and $(SERVICE_NAMESPACE) will be substituted by kustomize
+  commonName: $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc
   dnsNames:
-  - $(SERVICENAME).$(NAMESPACE).svc.cluster.local
+  - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local
   issuerRef:
     kind: Issuer
     name: selfsigned-issuer

docs/book/src/cronjob-tutorial/testdata/project/config/certmanager/kustomization.yaml

@@ -1,13 +1,5 @@
 resources:
 - certificate.yaml
 
-vars:
-- name: CERTIFICATENAME
-  objref:
-    kind: Certificate
-    group: certmanager.k8s.io
-    version: v1alpha1
-    name: serving-cert # this name should match the one in certificate.yaml
-
 configurations:
 - kustomizeconfig.yaml

docs/book/src/cronjob-tutorial/testdata/project/config/crd/kustomization.yaml

@@ -6,10 +6,16 @@ resources:
 # +kubebuilder:scaffold:kustomizeresource
 
 patches:
+# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix.
 # patches here are for enabling the conversion webhook for each CRD
 #- patches/webhook_in_cronjobs.yaml
 # +kubebuilder:scaffold:kustomizepatch
 
+# [CERTMANAGER] To enable webhook, uncomment all the sections with [CERTMANAGER] prefix.
+# patches here are for enabling the CA injection for each CRD
+#- patches/cainjection_in_cronjobs.yaml
+# +kubebuilder:scaffold:crdkustomizecainjectionpatch
+
 # the following config is for teaching kustomize how to do kustomization for CRDs.
 configurations:
 - kustomizeconfig.yaml

docs/book/src/cronjob-tutorial/testdata/project/config/crd/patches/cainjection_in_cronjobs.yaml

@@ -0,0 +1,8 @@
+# The following patch adds a directive for certmanager to inject CA into the CRD
+# CRD conversion requires k8s 1.13 or later.
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    certmanager.k8s.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
+  name: cronjobs.batch.tutorial.kubebuilder.io

docs/book/src/cronjob-tutorial/testdata/project/config/crd/patches/webhook_in_cronjob.yaml docs/book/src/cronjob-tutorial/testdata/project/config/crd/patches/webhook_in_cronjobs.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    certmanager.k8s.io/inject-ca-from: $(NAMESPACE)/$(CERTIFICATENAME)
+    certmanager.k8s.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
   name: cronjobs.batch.tutorial.kubebuilder.io
 spec:
   conversion:
@@ -13,6 +13,6 @@ spec:
       # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager)
       caBundle: XG4= 
       service:
-        namespace: $(NAMESPACE)
+        namespace: $(CERTIFICATE_NAMESPACE)
         name: webhook-service
         path: /convert-cronjob

docs/book/src/cronjob-tutorial/testdata/project/config/default/kustomization.yaml

@@ -18,7 +18,7 @@ bases:
 - ../manager
 # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in crd/kustomization.yaml
 - ../webhook
-# [CERTMANAGER] To enable cert-manager, uncomment next line. 'WEBHOOK' components are required.
+# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. 'WEBHOOK' components are required.
 - ../certmanager
 
 patches:
@@ -41,3 +41,38 @@ patches:
 # Uncomment 'CAINJECTION' in crd/kustomization.yaml to enable the CA injection in the admission webhooks.
 # 'CERTMANAGER' needs to be enabled to use ca injection
 - webhookcainjection_patch.yaml
+
+# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'.
+# Uncomment 'CERTMANAGER' sections in crd/kustomization.yaml to enable the CA injection in the admission webhooks.
+# 'CERTMANAGER' needs to be enabled to use ca injection
+#- webhookcainjection_patch.yaml
+
+# the following config is for teaching kustomize how to do var substitution
+vars:
+# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix.
+#- name: CERTIFICATE_NAMESPACE # namespace of the certificate CR
+#  objref:
+#    kind: Certificate
+#    group: certmanager.k8s.io
+#    version: v1alpha1
+#    name: serving-cert # this name should match the one in certificate.yaml
+#  fieldref:
+#    fieldpath: metadata.namespace
+#- name: CERTIFICATE_NAME
+#  objref:
+#    kind: Certificate
+#    group: certmanager.k8s.io
+#    version: v1alpha1
+#    name: serving-cert # this name should match the one in certificate.yaml
+#- name: SERVICE_NAMESPACE # namespace of the service
+#  objref:
+#    kind: Service
+#    version: v1
+#    name: webhook-service
+#  fieldref:
+#    fieldpath: metadata.namespace
+#- name: SERVICE_NAME
+#  objref:
+#    kind: Service
+#    version: v1
+#    name: webhook-service

docs/book/src/cronjob-tutorial/testdata/project/config/default/webhookcainjection_patch.yaml

@@ -1,15 +1,15 @@
 # This patch add annotation to admission webhook config and
-# the variables $(NAMESPACE) and $(CERTIFICATENAME) will be substituted by kustomize.  
+# the variables $(CERTIFICATE_NAMESPACE) and $(CERTIFICATE_NAME) will be substituted by kustomize.
 apiVersion: admissionregistration.k8s.io/v1beta1
 kind: MutatingWebhookConfiguration
 metadata:
   name: mutating-webhook-configuration
   annotations:
-    certmanager.k8s.io/inject-ca-from: $(NAMESPACE)/$(CERTIFICATENAME)
+    certmanager.k8s.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
 ---
 apiVersion: admissionregistration.k8s.io/v1beta1
 kind: ValidatingWebhookConfiguration
 metadata:
   name: validating-webhook-configuration
   annotations:
-    certmanager.k8s.io/inject-ca-from: $(NAMESPACE)/$(CERTIFICATENAME)
+    certmanager.k8s.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)

go.mod

@@ -3,30 +3,19 @@ module sigs.k8s.io/kubebuilder
 go 1.12
 
 require (
-	github.com/go-logr/logr v0.1.0 // indirect
-	github.com/go-logr/zapr v0.1.1 // indirect
-	github.com/gobuffalo/envy v1.6.15 // indirect
 	github.com/gobuffalo/flect v0.1.5
-	github.com/imdario/mergo v0.3.7 // indirect
+	github.com/golang/protobuf v1.3.1 // indirect
 	github.com/inconshreveable/mousetrap v1.0.0 // indirect
+	github.com/kr/pretty v0.1.0 // indirect
 	github.com/onsi/ginkgo v1.8.0
 	github.com/onsi/gomega v1.5.0
-	github.com/prometheus/client_golang v1.0.0 // indirect
-	github.com/robfig/cron v1.2.0 // indirect
-	github.com/rogpeppe/go-internal v1.2.2 // indirect
 	github.com/spf13/afero v1.2.2
 	github.com/spf13/cobra v0.0.3
 	github.com/spf13/pflag v1.0.3
-	go.uber.org/atomic v1.4.0 // indirect
-	go.uber.org/multierr v1.1.0 // indirect
-	go.uber.org/zap v1.10.0 // indirect
-	golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45 // indirect
-	golang.org/x/time v0.0.0-20190308202827-9d24e82272b4 // indirect
-	golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c
+	golang.org/x/net v0.0.0-20190620200207-3b0461eec859 // indirect
+	golang.org/x/sys v0.0.0-20190621203818-d432491b9138 // indirect
+	golang.org/x/text v0.3.2 // indirect
+	golang.org/x/tools v0.0.0-20190614205625-5aca471b1d59
+	gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 // indirect
 	gopkg.in/yaml.v2 v2.2.2
-	k8s.io/api v0.0.0-20190627205229-acea843d18eb // indirect
-	k8s.io/apimachinery v0.0.0-20190628045107-49e757626700 // indirect
-	k8s.io/client-go v11.0.0+incompatible // indirect
-	k8s.io/utils v0.0.0-20190607212802-c55fbcfc754a // indirect
-	sigs.k8s.io/controller-runtime v0.1.12 // indirect
 )