diff --git a/charts/opentelemetry-operator/templates/_helpers.tpl b/charts/opentelemetry-operator/templates/_helpers.tpl
index 6d14f1bca..4812314db 100644
--- a/charts/opentelemetry-operator/templates/_helpers.tpl
+++ b/charts/opentelemetry-operator/templates/_helpers.tpl
@@ -79,3 +79,39 @@ Create an ordered name of the MutatingWebhookConfiguration
 {{- define "opentelemetry-operator.MutatingWebhookName" -}}
 {{- printf "%s-%s" (.Values.admissionWebhooks.namePrefix | toString) (include "opentelemetry-operator.fullname" .) | trimPrefix "-" }}
 {{- end }}
+
+{{/*
+Return certificate and CA for Webhooks.
+It handles variants when a cert has to be generated by Helm,
+a cert is loaded from an existing secret or is provided via `.Values`
+*/}}
+{{- define "opentelemetry-operator.WebhookCert" -}}
+{{- $caCertEnc := "" }}
+{{- $certCrtEnc := "" }}
+{{- $certKeyEnc := "" }}
+{{- if .Values.admissionWebhooks.autoGenerateCert.enabled }}
+{{- $prevSecret := (lookup "v1" "Secret" .Release.Namespace (default (printf "%s-controller-manager-service-cert" (include "opentelemetry-operator.fullname" .)) .Values.admissionWebhooks.secretName )) }}
+{{- if and (not .Values.admissionWebhooks.autoGenerateCert.recreate) $prevSecret }}
+{{- $certCrtEnc = index $prevSecret "data" "tls.crt" }}
+{{- $certKeyEnc = index $prevSecret "data" "tls.key" }}
+{{- $caCertEnc = index $prevSecret "data" "ca.crt" }}
+{{- if not $caCertEnc }}
+{{- $prevHook := (lookup "admissionregistration.k8s.io/v1" "MutatingWebhookConfiguration" .Release.Namespace (print (include "opentelemetry-operator.MutatingWebhookName" . ) "-mutation")) }}
+{{- $caCertEnc = (first $prevHook.webhooks).clientConfig.caBundle }}
+{{- end }}
+{{- else }}
+{{- $altNames := list ( printf "%s-webhook.%s" (include "opentelemetry-operator.fullname" .) .Release.Namespace ) ( printf "%s-webhook.%s.svc" (include "opentelemetry-operator.fullname" .) .Release.Namespace ) -}}
+{{- $ca := genCA "opentelemetry-operator-operator-ca" 365 }}
+{{- $cert := genSignedCert (include "opentelemetry-operator.fullname" .) nil $altNames 365 $ca }}
+{{- $certCrtEnc = b64enc $cert.Cert }}
+{{- $certKeyEnc = b64enc $cert.Key }}
+{{- $caCertEnc = b64enc $ca.Cert }}
+{{- end }}
+{{- else }}
+{{- $certCrtEnc = b64enc .Values.admissionWebhooks.cert_file }}
+{{- $certKeyEnc = b64enc .Values.admissionWebhooks.key_file }}
+{{- $caCertEnc = b64enc .Values.admissionWebhooks.ca_file }}
+{{- end }}
+{{- $result := dict "crt" $certCrtEnc "key" $certKeyEnc "ca" $caCertEnc }}
+{{- $result | toYaml }}
+{{- end }}
diff --git a/charts/opentelemetry-operator/templates/admission-webhooks/operator-webhook.yaml b/charts/opentelemetry-operator/templates/admission-webhooks/operator-webhook.yaml
index 5bb7d7668..4a4eab693 100644
--- a/charts/opentelemetry-operator/templates/admission-webhooks/operator-webhook.yaml
+++ b/charts/opentelemetry-operator/templates/admission-webhooks/operator-webhook.yaml
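Review bot: The CA-bundle fallback `{{- $caCertEnc = (first $prevHook.webhooks).clientConfig.caBundle }}` is unguarded, and it is the path every existing release takes on its first upgrade, because the Secret written by the previous chart version had no `ca.crt` (the operator-webhook.yaml hunk below only now adds it). If the MutatingWebhookConfiguration lookup returns nothing (for example it was removed out of band), `$prevHook.webhooks` is nil and `first` will error and abort the render. Wrap the assignment in `{{- if $prevHook.webhooks }} … {{- end }}` and, when the CA still cannot be recovered, fall through to regenerating the pair rather than leaving `$caCertEnc` empty, since an empty `caBundle` makes the API server unable to validate the webhook's self-signed certificate. Separately, the reuse branch never checks the validity of the stored certificate while `genCA`/`genSignedCert` issue for 365 days, so with `recreate` left false a release upgraded past that point keeps serving an expired certificate; a comment on the helper stating this (or exposing the duration as a chart value) would help operators plan rotation.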
@@ -1,27 +1,8 @@
 {{- if and (.Values.admissionWebhooks.create) (not .Values.admissionWebhooks.certManager.enabled) }}
-{{- $altNames := list ( printf "%s-webhook.%s" (include "opentelemetry-operator.fullname" .) .Release.Namespace ) ( printf "%s-webhook.%s.svc" (include "opentelemetry-operator.fullname" .) .Release.Namespace ) -}}
-{{- $caCertEnc := "" }}
-{{- $certCrtEnc := "" }}
-{{- $certKeyEnc := "" }}
-{{- if .Values.admissionWebhooks.autoGenerateCert.enabled }}
-{{- $prevSecret := (lookup "v1" "Secret" .Release.Namespace (default (printf "%s-controller-manager-service-cert" (include "opentelemetry-operator.fullname" .)) .Values.admissionWebhooks.secretName )) }}
-{{- $prevHook := (lookup "admissionregistration.k8s.io/v1" "MutatingWebhookConfiguration" .Release.Namespace (print (include "opentelemetry-operator.MutatingWebhookName" . ) "-mutation")) }}
-{{- if and .Values.admissionWebhooks.autoGenerateCert.ifNotExists $prevSecret $prevHook }}
-{{- $certCrtEnc = index $prevSecret "data" "tls.crt" }}
-{{- $certKeyEnc = index $prevSecret "data" "tls.key" }}
-{{- $caCertEnc = (first $prevHook.webhooks).clientConfig.caBundle }}
-{{- else }}
-{{- $ca := genCA "opentelemetry-operator-operator-ca" 365 }}
-{{- $cert := genSignedCert (include "opentelemetry-operator.fullname" .) nil $altNames 365 $ca }}
-{{- $certCrtEnc = b64enc $cert.Cert }}
-{{- $certKeyEnc = b64enc $cert.Key }}
-{{- $caCertEnc = b64enc $ca.Cert }}
-{{- end }}
-{{- else }}
-{{- $certCrtEnc = b64enc .Values.admissionWebhooks.cert_file }}
-{{- $certKeyEnc = b64enc .Values.admissionWebhooks.key_file }}
-{{- $caCertEnc = b64enc .Values.admissionWebhooks.ca_file }}
-{{- end }}
+{{- $cert := fromYaml (include "opentelemetry-operator.WebhookCert" .) }}
+{{- $caCertEnc := $cert.ca }}
+{{- $certCrtEnc := $cert.crt }}
+{{- $certKeyEnc := $cert.key }}
 apiVersion: v1
 kind: Secret
 type: kubernetes.io/tls
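Review bot: The three `:=` lines take the helper's output as-is, so if it yields an empty string (for example `ca_file` left empty in the user-supplied-certificate path, or a lookup that returns nothing) the Secret is rendered with blank `tls.crt`/`tls.key`/`ca.crt` and the problem only surfaces when the API server rejects webhook calls. Consider `{{- $caCertEnc := required "admissionWebhooks: webhook CA is empty" $cert.ca }}` and the same guard for `crt` and `key`, so the render fails with a clear message instead. Note also that `fromYaml` reports a parse failure as a map carrying an `Error` key rather than aborting, which the same `required` guards would catch. The `if` that opens this hunk is closed outside it.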
@@ -43,6 +24,7 @@ metadata:
 data:
 tls.crt: {{ $certCrtEnc }}
 tls.key: {{ $certKeyEnc }}
+ ca.crt: {{ $caCertEnc }}
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
diff --git a/charts/opentelemetry-operator/values.schema.json b/charts/opentelemetry-operator/values.schema.json
index 7e855408c..8681159e5 100644
--- a/charts/opentelemetry-operator/values.schema.json
+++ b/charts/opentelemetry-operator/values.schema.json
@@ -1309,7 +1309,7 @@
 "title": "The autoGenerateCert Schema",
 "required": [
 "enabled",
- "ifNotExists"
+ "recreate"
 ],
 "properties": {
 "enabled": {
@@ -1320,10 +1320,10 @@
 true
 ]
 },
- "ifNotExists": {
+ "recreate": {
 "type": "boolean",
 "default": true,
- "title": "The ifNotExists Schema",
+ "title": "The recreate Schema",
 "examples": [
 true
 ]
diff --git a/charts/opentelemetry-operator/values.yaml b/charts/opentelemetry-operator/values.yaml
index 7172087fa..321e11e40 100644
--- a/charts/opentelemetry-operator/values.yaml
+++ b/charts/opentelemetry-operator/values.yaml
@@ -220,8 +220,8 @@ admissionWebhooks:
 ## If true and certManager.enabled is false, Helm will automatically create a self-signd cert and secret for you.
 autoGenerateCert:
 enabled: true
- # true means generate cert if cert not exists only
- ifNotExists: true
+ # If set to true, new webhook key/certificate is generated on helm upgrade.
+ recreate: false
 ## TLS Certificate Option 3: Use your own self-signed certificate.
 ## certManager and autoGenerateCert must be disabled and cert_file, key_file, and ca_file must be set.
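Review bot: The rename from `ifNotExists` to `recreate` inverts the flag's meaning without a migration path: a user who carried `ifNotExists: false` to force regeneration on every upgrade now silently gets the new default `recreate: false`, i.e. indefinite reuse of the existing Secret, and the values.schema.json hunks above drop the old key entirely, so a leftover value is either rejected or ignored depending on whether the schema sets `additionalProperties: false`. Call this out in the chart's upgrade notes, and consider a `fail` in the helper when `.Values.admissionWebhooks.autoGenerateCert.ifNotExists` is still set so the change cannot go unnoticed. The new comment should also state what false means, e.g. `# If set to true, a new webhook key/certificate is generated on every helm upgrade; if false, the existing Secret is reused for as long as it exists.`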