Use cert-rotator for API extension service

Add cert-rotator to the setup for the new resource list extension to remove the dependency on cert-manager.
mochizuki875 · Mar 15, 2024 · 75fcae7 · 75fcae7
1 parent fcebcbe
commit 75fcae7
Showing 1 changed file with 33 additions and 9 deletions.
diff --git a/internal/setup/webhooks.go b/internal/setup/webhooks.go
@@ -19,22 +19,26 @@ import (
 )
 
 const (
-	serviceName    = "hnc-webhook-service"
-	vwhName        = "hnc-validating-webhook-configuration"
-	mwhName        = "hnc-mutating-webhook-configuration"
-	caName         = "hnc-ca"
-	caOrganization = "hnc"
-	secretName     = "hnc-webhook-server-cert"
-	certDir        = "/tmp/k8s-webhook-server/serving-certs"
+	serviceName       = "hnc-webhook-service"
+	vwhName           = "hnc-validating-webhook-configuration"
+	mwhName           = "hnc-mutating-webhook-configuration"
+	caName            = "hnc-ca"
+	caOrganization    = "hnc"
+	secretName        = "hnc-webhook-server-cert"
+	certDir           = "/tmp/k8s-webhook-server/serving-certs"
+	apiExtCertDir     = "/certs"
+	apiExtServiceName = "hnc-resourcelist"
+	apiExtSecretName  = "hnc-resourcelist"
+	apiExtName        = "v1alpha2.resources.hnc.x-k8s.io"
 )
 
-// ManageCerts creates all certs for webhooks. This function is called from main.go.
+// ManageCerts creates all certs for webhooks and apiservices. This function is called from main.go.
 func ManageCerts(mgr ctrl.Manager, setupFinished chan struct{}, restartOnSecretRefresh bool) error {
 	hncNamespace := config.GetHNCNamespace()
 	// DNSName is <service name>.<hncNamespace>.svc
 	dnsName := fmt.Sprintf("%s.%s.svc", serviceName, hncNamespace)
 
-	return cert.AddRotator(mgr, &cert.CertRotator{
+	err := cert.AddRotator(mgr, &cert.CertRotator{
 		SecretKey: types.NamespacedName{
 			Namespace: hncNamespace,
 			Name:      secretName,
@@ -53,6 +57,26 @@ func ManageCerts(mgr ctrl.Manager, setupFinished chan struct{}, restartOnSecretR
 		}},
 		RestartOnSecretRefresh: restartOnSecretRefresh,
 	})
+	if err != nil {
+		return err
+	}
+	apiExtDNSName := fmt.Sprintf("%s.%s.svc", apiExtServiceName, hncNamespace)
+	return cert.AddRotator(mgr, &cert.CertRotator{
+		SecretKey: types.NamespacedName{
+			Namespace: hncNamespace,
+			Name:      apiExtSecretName,
+		},
+		CertDir:        apiExtCertDir,
+		CAName:         caName,
+		CAOrganization: caOrganization,
+		DNSName:        apiExtDNSName,
+		IsReady:        setupFinished,
+		Webhooks: []cert.WebhookInfo{{
+			Type: cert.APIService,
+			Name: apiExtName,
+		}},
+		RestartOnSecretRefresh: restartOnSecretRefresh,
+	})
 }
 
 // createWebhooks creates all mutators and validators.