

Updating the caBundle for the controller webhook (radius-project#7022)
# Description
Updating the caBundle for the controller webhook

## Type of change
- This pull request fixes a bug in Radius and has an approved issue
(issue link required).
Fixes: radius-project#6989

Signed-off-by: ytimocin <ytimocin@microsoft.com>
ytimocin authored Jan 16, 2024
1 parent 21b25dd commit d7cdbf2
Showing 3 changed files with 39 additions and 20 deletions.
29 changes: 29 additions & 0 deletions deploy/Chart/templates/_helpers.tpl
Original file line number Diff line number Diff line change
Expand Up @@ -12,3 +12,32 @@
{{- end -}}
{{- print $version }}
{{- end -}}

{{/*
Reuses the value from an existing secret, otherwise sets its value to a default value.
Usage:
{{ include "secrets.lookup" (dict "secret" "secret-name" "namespace" "ns-name" "key" "key-name" "defaultValue" "default-secret") }}

Params:
- secret - String - Required - Name of the 'Secret' resource where the password is stored.
- namespace - String - Required - Namespace of the 'Secret' resource where the password is stored.
- key - String - Required - Name of the key in the secret.
- defaultValue - String - Required - Default value to use if the secret does not exist.

References:
- https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_secrets.tpl
*/}}
{{- define "secrets.lookup" -}}
{{- $value := "" -}}
{{- $namespace := .namespace | toString -}}
{{- $secretData := (lookup "v1" "Secret" $namespace .secret).data -}}
{{- if and $secretData (hasKey $secretData .key) -}}
{{- $value = index $secretData .key -}}
{{- else if .defaultValue -}}
{{- $value = .defaultValue | toString | b64enc -}}
{{- end -}}
{{- if $value -}}
{{- printf "%s" $value -}}
{{- end -}}
{{- end -}}
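Review bot: The header comment for `secrets.lookup` marks `defaultValue` as Required, but the `else if .defaultValue` branch treats it as optional and, when it is empty, the helper renders nothing — which at the call sites turns `tls.key:` into a null value rather than an error. The comment also leaves out the asymmetry a caller must know: an existing key is returned exactly as stored (already base64), whereas `defaultValue` is passed raw and base64-encoded by the helper, so callers must hand it PEM, not encoded text. I would reword the parameter line to `- defaultValue - String - Optional - Raw value, base64-encoded by the helper, used only when the key is absent; renders nothing if it is also empty.` and add a note that, per Helm's `lookup` semantics, a render without cluster access (`helm template`, `--dry-run`) sees no existing Secret and always falls through to the default. Minor style point: `.namespace` is coerced with `toString` but `.secret` and `.key` are not; either coerce all three or none.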
Original file line number Diff line number Diff line change
@@ -1,5 +1,3 @@
{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace "controller-cert"}}
{{- $existingWebhook := lookup "admissionregistration.k8s.io/v1" "ValidatingWebhookConfiguration" .Release.Namespace "recipe-webhook.radapp.io"}}
{{- $ca := genCA "controller-ca" 3650 }}
{{- $cn := printf "controller" }}
{{- $altName1 := printf "controller.%s" .Release.Namespace }}
Expand All @@ -15,14 +13,11 @@ metadata:
labels:
app.kubernetes.io/name: controller
app.kubernetes.io/part-of: radius
type: kubernetes.io/tls
data:
{{ if $existingSecret }}tls.crt: {{ index $existingSecret.data "tls.crt" }}
{{ else }}tls.crt: {{ b64enc $cert.Cert }}
{{ end }}

{{ if $existingSecret }}tls.key: {{ index $existingSecret.data "tls.key" }}
{{ else }}tls.key: {{ b64enc $cert.Key }}
{{ end }}
tls.crt: {{ include "secrets.lookup" (dict "secret" "controller-cert" "namespace" .Release.Namespace "key" "tls.crt" "defaultValue" $cert.Cert) }}
tls.key: {{ include "secrets.lookup" (dict "secret" "controller-cert" "namespace" .Release.Namespace "key" "tls.key" "defaultValue" $cert.Key) }}
ca.crt: {{ include "secrets.lookup" (dict "secret" "controller-cert" "namespace" .Release.Namespace "key" "ca.crt" "defaultValue" $ca.Cert) }}
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
Expand All @@ -32,7 +27,7 @@ webhooks:
- admissionReviewVersions:
- v1
clientConfig:
caBundle: {{ b64enc $ca.Cert }}
caBundle: {{ include "secrets.lookup" (dict "secret" "controller-cert" "namespace" .Release.Namespace "key" "ca.crt" "defaultValue" $ca.Cert) }}
service:
name: controller
namespace: {{ .Release.Namespace }}
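Review bot: The three `secrets.lookup` calls on the new `data:` lines reuse each key independently, so a `controller-cert` Secret written by an earlier chart version — which stored `tls.crt` and `tls.key` but no `ca.crt`, as the removed lines show — keeps its old serving certificate while `ca.crt`, and with it `caBundle`, falls back to a freshly generated `$ca.Cert` that never signed that certificate; on such an upgrade the API server still rejects the webhook's TLS certificate, the same symptom this commit fixes, now confined to the upgrade path. The Secret should be reused only when all three keys are present, and otherwise all three regenerated together, so the persisted CA always matches the served certificate. `$cert` is bound above the hunk and is presumably signed by `$ca`; the rewrite below assumes that. A render without cluster access (`helm template`, `--dry-run`) sees no existing Secret and rotates everything, which is unchanged from the current behaviour.
```yaml
{{- $existing := (lookup "v1" "Secret" .Release.Namespace "controller-cert").data }}
{{- $reuse := false }}
{{- if $existing }}
{{-   $reuse = and (hasKey $existing "tls.crt") (hasKey $existing "tls.key") (hasKey $existing "ca.crt") }}
{{- end }}
{{/* … unchanged: genCA / $cn / $altName… / genSignedCert and Secret metadata … */}}
data:
  tls.crt: {{ if $reuse }}{{ index $existing "tls.crt" }}{{ else }}{{ b64enc $cert.Cert }}{{ end }}
  tls.key: {{ if $reuse }}{{ index $existing "tls.key" }}{{ else }}{{ b64enc $cert.Key }}{{ end }}
  ca.crt: {{ if $reuse }}{{ index $existing "ca.crt" }}{{ else }}{{ b64enc $ca.Cert }}{{ end }}
{{/* … unchanged: ValidatingWebhookConfiguration header and webhook list … */}}
    caBundle: {{ if $reuse }}{{ index $existing "ca.crt" }}{{ else }}{{ b64enc $ca.Cert }}{{ end }}
```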
15 changes: 5 additions & 10 deletions deploy/Chart/templates/ucp/apiservice.yaml
Original file line number Diff line number Diff line change
@@ -1,5 +1,3 @@
{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace "ucp-cert"}}
{{- $existingApiService := lookup "apiregistration.k8s.io/v1" "APIService" .Release.Namespace "v1alpha3.api.ucp.dev"}}
{{- $ca := genCA "ucp-ca" 3650 }}
{{- $cn := printf "ucp" }}
{{- $altName1 := printf "ucp.%s" .Release.Namespace }}
Expand All @@ -15,14 +13,11 @@ metadata:
labels:
app.kubernetes.io/name: ucp
app.kubernetes.io/part-of: radius
type: kubernetes.io/tls
data:
{{ if $existingSecret }}tls.crt: {{ index $existingSecret.data "tls.crt" }}
{{ else }}tls.crt: {{ b64enc $cert.Cert }}
{{ end }}

{{ if $existingSecret }}tls.key: {{ index $existingSecret.data "tls.key" }}
{{ else }}tls.key: {{ b64enc $cert.Key }}
{{ end }}
tls.crt: {{ include "secrets.lookup" (dict "secret" "ucp-cert" "namespace" .Release.Namespace "key" "tls.crt" "defaultValue" $cert.Cert) }}
tls.key: {{ include "secrets.lookup" (dict "secret" "ucp-cert" "namespace" .Release.Namespace "key" "tls.key" "defaultValue" $cert.Key) }}
ca.crt: {{ include "secrets.lookup" (dict "secret" "ucp-cert" "namespace" .Release.Namespace "key" "ca.crt" "defaultValue" $ca.Cert) }}
---
apiVersion: apiregistration.k8s.io/v1
kind: APIService
Expand All @@ -39,4 +34,4 @@ spec:
name: ucp
namespace: {{ .Release.Namespace }}
version: v1alpha3
caBundle: {{ if $existingApiService }}{{ $existingApiService.spec.caBundle }}{{ else }}{{ b64enc $ca.Cert }}{{ end }}
caBundle: {{ include "secrets.lookup" (dict "secret" "ucp-cert" "namespace" .Release.Namespace "key" "ca.crt" "defaultValue" $ca.Cert) }}
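Review bot: The removed `caBundle` line fell back to the existing APIService's `spec.caBundle`, which kept a working bundle across upgrades; the new line replaces that with `ca.crt` from `ucp-cert`, and on a cluster whose `ucp-cert` Secret predates this chart and holds no `ca.crt` (the removed `data:` lines only ever wrote `tls.crt` and `tls.key`) the lookup falls through to a freshly generated `$ca.Cert` while `tls.crt` is reused, so the bundle registered for `v1alpha3.api.ucp.dev` no longer matches the certificate UCP serves and the aggregated API is unreachable until the Secret is deleted. Reuse of the Secret should be all-or-nothing — only when `tls.crt`, `tls.key` and `ca.crt` are all present — with every key regenerated together otherwise, which also keeps the Secret's `ca.crt` and the APIService's `caBundle` in step. `$cert` is bound above the hunk and is presumably signed by `$ca`; the sketch below relies on that.
```yaml
{{- $existing := (lookup "v1" "Secret" .Release.Namespace "ucp-cert").data }}
{{- $reuse := false }}
{{- if $existing }}
{{-   $reuse = and (hasKey $existing "tls.crt") (hasKey $existing "tls.key") (hasKey $existing "ca.crt") }}
{{- end }}
{{/* … unchanged: cert generation, Secret (each data key gated on $reuse the same way), APIService spec … */}}
  caBundle: {{ if $reuse }}{{ index $existing "ca.crt" }}{{ else }}{{ b64enc $ca.Cert }}{{ end }}
```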
