diff --git a/Makefile b/Makefile index 09ad09331..636df3cdc 100644 --- a/Makefile +++ b/Makefile @@ -97,7 +97,7 @@ $(CONTROLLER_GEN): # Build controller-gen from tools folder. KUSTOMIZE := $(abspath $(TOOLS_BIN_DIR)/kustomize) kustomize: $(KUSTOMIZE) ## Build a local copy of kustomize $(KUSTOMIZE): # Build kustomize from tools folder. - go install sigs.k8s.io/kustomize/kustomize/v4@v4.5.7 + go install sigs.k8s.io/kustomize/kustomize/v5@v5.4.2 TILT := $(abspath $(TOOLS_BIN_DIR)/tilt) tilt: $(TILT) ## Build a local copy of tilt diff --git a/config/certmanager/certificate.yaml b/config/certmanager/certificate.yaml index c5a164c8a..6a613bb8d 100644 --- a/config/certmanager/certificate.yaml +++ b/config/certmanager/certificate.yaml @@ -15,10 +15,10 @@ metadata: name: serving-cert # this name should match the one appeared in kustomizeconfig.yaml namespace: system spec: - # $(SERVICE_NAME) and $(SERVICE_NAMESPACE) will be substituted by kustomize + # SERVICE_NAME and SERVICE_NAMESPACE will be substituted by kustomize dnsNames: - - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc - - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local + - SERVICE_NAME.SERVICE_NAMESPACE.svc + - SERVICE_NAME.SERVICE_NAMESPACE.svc.cluster.local issuerRef: kind: Issuer name: selfsigned-issuer diff --git a/config/certmanager/kustomization.yaml b/config/certmanager/kustomization.yaml index bebea5a59..b2ce72a69 100644 --- a/config/certmanager/kustomization.yaml +++ b/config/certmanager/kustomization.yaml @@ -3,3 +3,5 @@ resources: configurations: - kustomizeconfig.yaml +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization diff --git a/config/crd/kustomization.yaml b/config/crd/kustomization.yaml index 95e226235..76dda7d04 100644 --- a/config/crd/kustomization.yaml +++ b/config/crd/kustomization.yaml 
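Review bot: The new `dnsNames` placeholders in config/certmanager/certificate.yaml, `SERVICE_NAME.SERVICE_NAMESPACE.svc` and `SERVICE_NAME.SERVICE_NAMESPACE.svc.cluster.local`, are themselves well-formed host names, so a render in which the replacement does not apply would no longer stand out the way an unresolved `$(SERVICE_NAME)` did. The context shows `selfsigned-issuer` as the issuer, which presumably signs whatever names are requested, so the webhook serving certificate could be issued for the literal placeholder names without any error. A CI step that renders config/default and fails when `SERVICE_NAME` or `SERVICE_NAMESPACE` is still present in the output would catch this. The comment could also say where the substitution now lives, for example `# SERVICE_NAME and SERVICE_NAMESPACE are filled in by the replacements in config/default/kustomization.yaml`.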
@@ -1,5 +1,3 @@ -commonlabels: - cluster.x-k8s.io/v1beta1: v1beta1 # This kustomization.yaml is not intended to be run by itself, # since it depends on service name and namespace that are out of this kustomize package. @@ -10,7 +8,6 @@ resources: - bases/clusterstack.x-k8s.io_clusteraddons.yaml #+kubebuilder:scaffold:crdkustomizeresource -patchesStrategicMerge: # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix. # patches here are for enabling the conversion webhook for each CRD #- patches/webhook_in_clusterstacks.yaml @@ -28,3 +25,9 @@ patchesStrategicMerge: # the following config is for teaching kustomize how to do kustomization for CRDs. configurations: - kustomizeconfig.yaml +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +labels: +- includeSelectors: true + pairs: + cluster.x-k8s.io/v1beta1: v1beta1 diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml index e54777540..bd8f85230 100644 --- a/config/default/kustomization.yaml +++ b/config/default/kustomization.yaml 
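Review bot: In the second hunk of config/crd/kustomization.yaml the `patchesStrategicMerge:` key is removed, but the commented `[WEBHOOK]` entries that belonged to it (`#- patches/webhook_in_clusterstacks.yaml` and the ones after it) stay. From the visible context they now directly follow the `resources:` list, so someone following the "uncomment all the sections with [WEBHOOK] prefix" instruction would appear to add the patch files as resources rather than as patches. Keeping a commented parent key in the new syntax avoids that, e.g. `#patches:` followed by `#- path: patches/webhook_in_clusterstacks.yaml`. The rest of the commented list lies outside the hunk and would need the same `path:` form.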
@@ -2,45 +2,102 @@ namespace: cso-system namePrefix: cso- -commonLabels: - cluster.x-k8s.io/provider: "cluster-stack-operator" resources: - - ../crd - - ../rbac - - ../manager - - ../webhook - - ../certmanager +- ../crd +- ../rbac +- ../manager +- ../webhook +- ../certmanager -patchesStrategicMerge: - - manager_config_patch.yaml - - manager_webhook_patch.yaml - - webhookcainjection_patch.yaml - - manager_pull_policy.yaml -vars: - - name: CERTIFICATE_NAMESPACE # namespace of the certificate CR - objref: - kind: Certificate +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +labels: +- includeSelectors: true + pairs: + cluster.x-k8s.io/provider: cluster-stack-operator +patches: +- path: manager_config_patch.yaml +- path: manager_webhook_patch.yaml +- path: webhookcainjection_patch.yaml +- path: manager_pull_policy.yaml +replacements: +- source: + fieldPath: metadata.namespace + kind: Certificate + name: serving-cert + targets: + - fieldPaths: + - metadata.annotations.[cert-manager.io/inject-ca-from] + options: + delimiter: / + select: {} +- source: + kind: Certificate + name: serving-cert + targets: + - fieldPaths: + - metadata.annotations.[cert-manager.io/inject-ca-from] + options: + delimiter: / + index: 1 + select: {} +- source: + fieldPath: metadata.namespace + kind: Service + name: webhook-service + targets: + - fieldPaths: + - |- + spec.# $(SERVICE_NAME) and $(SERVICE_NAMESPACE) will be substituted by kustomize + dnsNames.0 + options: + delimiter: . + index: 1 + select: group: cert-manager.io - version: v1 - name: serving-cert # this name should match the one in certificate.yaml - fieldref: - fieldpath: metadata.namespace - - name: CERTIFICATE_NAME - objref: kind: Certificate + name: serving-cert + namespace: system + version: v1 + - fieldPaths: + - |- + spec.# $(SERVICE_NAME) and $(SERVICE_NAMESPACE) will be substituted by kustomize + dnsNames.1 + options: + delimiter: . 
+ index: 1 + select: group: cert-manager.io + kind: Certificate + name: serving-cert + namespace: system version: v1 - name: serving-cert # this name should match the one in certificate.yaml - - name: SERVICE_NAMESPACE # namespace of the service - objref: - kind: Service +- source: + kind: Service + name: webhook-service + targets: + - fieldPaths: + - |- + spec.# $(SERVICE_NAME) and SERVICE_NAMESPACE will be substituted by kustomize + dnsNames.0 + options: + delimiter: . + select: + group: cert-manager.io + kind: Certificate + name: serving-cert + namespace: system version: v1 - name: webhook-service - fieldref: - fieldpath: metadata.namespace - - name: SERVICE_NAME - objref: - kind: Service + - fieldPaths: + - |- + spec.# $(SERVICE_NAME) and SERVICE_NAMESPACE will be substituted by kustomize + dnsNames.1 + options: + delimiter: . + select: + group: cert-manager.io + kind: Certificate + name: serving-cert + namespace: system version: v1 - name: webhook-service diff --git a/config/default/webhookcainjection_patch.yaml b/config/default/webhookcainjection_patch.yaml index f5e23673e..ed9c90749 100644 --- a/config/default/webhookcainjection_patch.yaml +++ b/config/default/webhookcainjection_patch.yaml @@ -1,9 +1,9 @@ # This patch add annotation to admission webhook config and -# the variables $(CERTIFICATE_NAMESPACE) and $(CERTIFICATE_NAME) will be substituted by kustomize. +# the variables CERTIFICATE_NAMESPACE and CERTIFICATE_NAME will be substituted by kustomize. --- apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: name: validating-webhook-configuration annotations: - cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME diff --git a/config/localmode/kustomization.yaml b/config/localmode/kustomization.yaml index e54777540..bd8f85230 100644 --- a/config/localmode/kustomization.yaml +++ b/config/localmode/kustomization.yaml 
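Review bot: The four `fieldPaths` entries in config/default/kustomization.yaml that target the Certificate's DNS names are block scalars reading `spec.# $(SERVICE_NAME) and … will be substituted by kustomize` followed by `dnsNames.0` or `dnsNames.1`. The comment line from certificate.yaml has ended up inside the path, which therefore no longer names `spec.dnsNames.N`. As written, the Service name and namespace are unlikely to reach the serving certificate, so either the build fails or the certificate keeps `SERVICE_NAME.SERVICE_NAMESPACE.svc` as its SANs and TLS verification of the webhook Service would not succeed. Each entry should be a plain path, `- spec.dnsNames.0` and `- spec.dnsNames.1`. config/localmode/kustomization.yaml carries the identical block and needs the same correction.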
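Review bot: The annotation value `CERTIFICATE_NAMESPACE/CERTIFICATE_NAME` in config/default/webhookcainjection_patch.yaml is now filled in only by the two replacements in kustomization.yaml, and their targets use `select: {}`, which as I read it does not restrict the target to this object. Scoping the selector to the webhook configuration makes the intent explicit and keeps the replacement from touching or failing on unrelated resources, e.g. `select:` with `kind: ValidatingWebhookConfiguration` and `name: validating-webhook-configuration`. If the replacement does not apply, the annotation would point at a Certificate literally named `CERTIFICATE_NAME`, and the CA bundle would presumably never be injected. config/localmode/webhookcainjection_patch.yaml and its kustomization.yaml have the same pairing.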
@@ -2,45 +2,102 @@ namespace: cso-system namePrefix: cso- -commonLabels: - cluster.x-k8s.io/provider: "cluster-stack-operator" resources: - - ../crd - - ../rbac - - ../manager - - ../webhook - - ../certmanager +- ../crd +- ../rbac +- ../manager +- ../webhook +- ../certmanager -patchesStrategicMerge: - - manager_config_patch.yaml - - manager_webhook_patch.yaml - - webhookcainjection_patch.yaml - - manager_pull_policy.yaml -vars: - - name: CERTIFICATE_NAMESPACE # namespace of the certificate CR - objref: - kind: Certificate +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +labels: +- includeSelectors: true + pairs: + cluster.x-k8s.io/provider: cluster-stack-operator +patches: +- path: manager_config_patch.yaml +- path: manager_webhook_patch.yaml +- path: webhookcainjection_patch.yaml +- path: manager_pull_policy.yaml +replacements: +- source: + fieldPath: metadata.namespace + kind: Certificate + name: serving-cert + targets: + - fieldPaths: + - metadata.annotations.[cert-manager.io/inject-ca-from] + options: + delimiter: / + select: {} +- source: + kind: Certificate + name: serving-cert + targets: + - fieldPaths: + - metadata.annotations.[cert-manager.io/inject-ca-from] + options: + delimiter: / + index: 1 + select: {} +- source: + fieldPath: metadata.namespace + kind: Service + name: webhook-service + targets: + - fieldPaths: + - |- + spec.# $(SERVICE_NAME) and $(SERVICE_NAMESPACE) will be substituted by kustomize + dnsNames.0 + options: + delimiter: . + index: 1 + select: group: cert-manager.io - version: v1 - name: serving-cert # this name should match the one in certificate.yaml - fieldref: - fieldpath: metadata.namespace - - name: CERTIFICATE_NAME - objref: kind: Certificate + name: serving-cert + namespace: system + version: v1 + - fieldPaths: + - |- + spec.# $(SERVICE_NAME) and $(SERVICE_NAMESPACE) will be substituted by kustomize + dnsNames.1 + options: + delimiter: . 
+ index: 1 + select: group: cert-manager.io + kind: Certificate + name: serving-cert + namespace: system version: v1 - name: serving-cert # this name should match the one in certificate.yaml - - name: SERVICE_NAMESPACE # namespace of the service - objref: - kind: Service +- source: + kind: Service + name: webhook-service + targets: + - fieldPaths: + - |- + spec.# $(SERVICE_NAME) and SERVICE_NAMESPACE will be substituted by kustomize + dnsNames.0 + options: + delimiter: . + select: + group: cert-manager.io + kind: Certificate + name: serving-cert + namespace: system version: v1 - name: webhook-service - fieldref: - fieldpath: metadata.namespace - - name: SERVICE_NAME - objref: - kind: Service + - fieldPaths: + - |- + spec.# $(SERVICE_NAME) and SERVICE_NAMESPACE will be substituted by kustomize + dnsNames.1 + options: + delimiter: . + select: + group: cert-manager.io + kind: Certificate + name: serving-cert + namespace: system version: v1 - name: webhook-service diff --git a/config/localmode/webhookcainjection_patch.yaml b/config/localmode/webhookcainjection_patch.yaml index f5e23673e..ed9c90749 100644 --- a/config/localmode/webhookcainjection_patch.yaml +++ b/config/localmode/webhookcainjection_patch.yaml @@ -1,9 +1,9 @@ # This patch add annotation to admission webhook config and -# the variables $(CERTIFICATE_NAMESPACE) and $(CERTIFICATE_NAME) will be substituted by kustomize. +# the variables CERTIFICATE_NAMESPACE and CERTIFICATE_NAME will be substituted by kustomize. --- apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: name: validating-webhook-configuration annotations: - cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml index d797a472c..83217abb4 100644 --- a/config/manager/kustomization.yaml +++ b/config/manager/kustomization.yaml 
@@ -1,3 +1,5 @@ resources: - manager.yaml - credentials.yaml +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml index e88276c83..7f4e2bcf6 100644 --- a/config/rbac/kustomization.yaml +++ b/config/rbac/kustomization.yaml @@ -1,12 +1,13 @@ -resources: # All RBAC will be applied under this service account in # the deployment namespace. You may comment out this resource # if your manager will use a service account that exists at # runtime. Be sure to update RoleBinding and ClusterRoleBinding # subjects if changing service account names. +resources: - service_account.yaml - role.yaml - role_binding.yaml - leader_election_role.yaml - leader_election_role_binding.yaml - +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization diff --git a/config/webhook/kustomization.yaml b/config/webhook/kustomization.yaml index 9cf26134e..3334392e4 100644 --- a/config/webhook/kustomization.yaml +++ b/config/webhook/kustomization.yaml @@ -4,3 +4,5 @@ resources: configurations: - kustomizeconfig.yaml +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization