DEVmachine-fr / cert-manager-alidns-webhook

Cert-manager webhook to generate Let's Encrypt certificates over Alibaba Cloud DNS.
Apache License 2.0
98 stars 31 forks

Why I can't find webhook related crd in helm install. #24

Closed yxxchange closed 3 months ago

yxxchange commented 1 year ago
---
# Source: alidns-webhook/templates/rbac.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: release-name-alidns-webhook
  labels:
    app: alidns-webhook
    chart: alidns-webhook-0.7.0
    release: release-name
    heritage: Helm
---
# Source: alidns-webhook/templates/rbac.yaml
# Grant permissions to read secrets inside the cluster to allow to have issuer in another namespace than the webhook
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: release-name-alidns-webhook:secrets-reader
  labels:
    app: alidns-webhook
    chart: alidns-webhook-0.7.0
    release: release-name
    heritage: Helm
rules:
  - apiGroups:
      - ''
    resources:
      - 'secrets'
    verbs:
      - 'get'
---
# Source: alidns-webhook/templates/rbac.yaml
# Grant cert-manager permission to validate using our apiserver
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: release-name-alidns-webhook:domain-solver
  labels:
    app: alidns-webhook
    chart: alidns-webhook-0.7.0
    release: release-name
    heritage: Helm
rules:
  - apiGroups:
      - example.com
    resources:
      - '*'
    verbs:
      - 'create'
---
# Source: alidns-webhook/templates/rbac.yaml
# Bind the previously created role to the webhook service account to allow reading from secrets in all namespaces
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: release-name-alidns-webhook:secrets-reader
  labels:
    app: alidns-webhook
    chart: alidns-webhook-0.7.0
    release: release-name
    heritage: Helm
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: release-name-alidns-webhook:secrets-reader
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: release-name-alidns-webhook
    namespace: default
---
# Source: alidns-webhook/templates/rbac.yaml
# apiserver gets the auth-delegator role to delegate auth decisions to
# the core apiserver
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: release-name-alidns-webhook:auth-delegator
  labels:
    app: alidns-webhook
    chart: alidns-webhook-0.7.0
    release: release-name
    heritage: Helm
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: release-name-alidns-webhook
    namespace: default
---
# Source: alidns-webhook/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: release-name-alidns-webhook:domain-solver
  labels:
    app: alidns-webhook
    chart: alidns-webhook-0.7.0
    release: release-name
    heritage: Helm
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: release-name-alidns-webhook:domain-solver
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: cert-manager
    namespace: cert-manager
---
# Source: alidns-webhook/templates/rbac.yaml
# Grant the webhook permission to read the ConfigMap containing the Kubernetes
# apiserver's requestheader-ca-certificate.
# This ConfigMap is automatically created by the Kubernetes apiserver.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: release-name-alidns-webhook:webhook-authentication-reader
  namespace: kube-system
  labels:
    app: alidns-webhook
    chart: alidns-webhook-0.7.0
    release: release-name
    heritage: Helm
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: extension-apiserver-authentication-reader
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: release-name-alidns-webhook
    namespace: default
---
# Source: alidns-webhook/templates/service.yaml
apiVersion: v1
kind: Service
metadata:
  name: release-name-alidns-webhook
  labels:
    app: alidns-webhook
    chart: alidns-webhook-0.7.0
    release: release-name
    heritage: Helm
spec:
  type: ClusterIP
  ports:
    - port: 443
      targetPort: https
      protocol: TCP
      name: https
  selector:
    app: alidns-webhook
    release: release-name
---
# Source: alidns-webhook/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: release-name-alidns-webhook
  labels:
    app: alidns-webhook
    chart: alidns-webhook-0.7.0
    release: release-name
    heritage: Helm
spec:
  replicas:
  selector:
    matchLabels:
      app: alidns-webhook
      release: release-name
  template:
    metadata:
      labels:
        app: alidns-webhook
        release: release-name
    spec:
      serviceAccountName: release-name-alidns-webhook
      containers:
        - name: alidns-webhook
          image: "ghcr.io/devmachine-fr/cert-manager-alidns-webhook/cert-manager-alidns-webhook:0.2.0"
          imagePullPolicy: IfNotPresent
          args:
            - --tls-cert-file=/tls/tls.crt
            - --tls-private-key-file=/tls/tls.key
            - --secure-port=443
          env:
            - name: GROUP_NAME
              value: "example.com"
          ports:
            - name: https
              containerPort: 443
              protocol: TCP
          livenessProbe:
            httpGet:
              scheme: HTTPS
              path: /healthz
              port: https
          readinessProbe:
            httpGet:
              scheme: HTTPS
              path: /healthz
              port: https
          volumeMounts:
            - name: certs
              mountPath: /tls
              readOnly: true
          resources:
            {}

      volumes:
        - name: certs
          secret:
            secretName: release-name-alidns-webhook-webhook-tls
---
# Source: alidns-webhook/templates/apiservice.yaml
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
  name: v1alpha1.example.com
  labels:
    app: alidns-webhook
    chart: alidns-webhook-0.7.0
    release: release-name
    heritage: Helm
  annotations:
    cert-manager.io/inject-ca-from: "default/release-name-alidns-webhook-webhook-tls"
spec:
  group: example.com
  groupPriorityMinimum: 1000
  versionPriority: 15
  service:
    name: release-name-alidns-webhook
    namespace: default
  version: v1alpha1
---
# Source: alidns-webhook/templates/pki.yaml
# Generate a CA Certificate used to sign certificates for the webhook
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: release-name-alidns-webhook-ca
  namespace: "default"
  labels:
    app: alidns-webhook
    chart: alidns-webhook-0.7.0
    release: release-name
    heritage: Helm
spec:
  secretName: release-name-alidns-webhook-ca
  duration: 43800h0m0s # 5y
  issuerRef:
    name: release-name-alidns-webhook-selfsign
  commonName: "ca.alidns-webhook.cert-manager"
  isCA: true
---
# Source: alidns-webhook/templates/pki.yaml
# Finally, generate a serving certificate for the webhook to use
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: release-name-alidns-webhook-webhook-tls
  namespace: "default"
  labels:
    app: alidns-webhook
    chart: alidns-webhook-0.7.0
    release: release-name
    heritage: Helm
spec:
  secretName: release-name-alidns-webhook-webhook-tls
  duration: 8760h0m0s # 1y
  issuerRef:
    name: release-name-alidns-webhook-ca
  dnsNames:
  - release-name-alidns-webhook
  - release-name-alidns-webhook.default
  - release-name-alidns-webhook.default.svc
---
# Source: alidns-webhook/templates/pki.yaml
# Create a selfsigned Issuer, in order to create a root CA certificate for
# signing webhook serving certificates
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: release-name-alidns-webhook-selfsign
  namespace: "default"
  labels:
    app: alidns-webhook
    chart: alidns-webhook-0.7.0
    release: release-name
    heritage: Helm
spec:
  selfSigned: {}
---
# Source: alidns-webhook/templates/pki.yaml
# Create an Issuer that uses the above generated CA certificate to issue certs
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: release-name-alidns-webhook-ca
  namespace: "default"
  labels:
    app: alidns-webhook
    chart: alidns-webhook-0.7.0
    release: release-name
    heritage: Helm
spec:
  ca:
    secretName: release-name-alidns-webhook-ca

Helm installs a series of supporting resources for the webhook, but where is the webhook?

olivierboudet commented 1 year ago

Not sure I correctly understand your question, but you have to install cert-manager first. (https://cert-manager.io/docs/installation/helm/#installing-with-helm)

yxxchange commented 1 year ago

Not sure I correctly understand your question, but you have to install cert-manager first. (https://cert-manager.io/docs/installation/helm/#installing-with-helm)

I have installed cert-manager, but I am not clear about the working principle of cert-manager-alidns-webhook. It seems that it does not register any webhook to my cluster. How does it work? Is the injected pod equivalent to a controller?

olivierboudet commented 1 year ago

Did you create an Issuer? (https://github.com/DEVmachine-fr/cert-manager-alidns-webhook#create-an-issuer) It is the Issuer which instructs cert-manager to use the alidns-solver.
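To make the answer concrete, here is an added example of the wiring the thread is pointing at; it is not part of the thread and not the project's own README. The rendered chart above registers no ValidatingWebhookConfiguration or MutatingWebhookConfiguration: its "webhook" is the APIService `v1alpha1.example.com`, which the kube-apiserver aggregation layer forwards to the `release-name-alidns-webhook` Service, and the `domain-solver` ClusterRoleBinding is what lets the `cert-manager` service account call that API. Nothing calls it until an Issuer names the same `groupName` (the `GROUP_NAME` env var, `example.com` in the output above) and the solver `alidns-solver`. The `groupName` and `solverName` values come from this page; the key names under `config:` (`region`, `accessKeyIdRef`, `accessKeySecretRef`) are an assumption and must be checked against the project's README, and every hostname, e-mail address and credential below is a constructed placeholder.

```yaml
# Added example; not from the thread or the project README.
# Assumed parts are marked. Credentials are placeholders, not real keys.
---
# Alibaba Cloud RAM credentials for the DNS01 solver. The chart's
# secrets-reader ClusterRole lets the webhook read this Secret even when
# it lives in a different namespace than the webhook Deployment.
apiVersion: v1
kind: Secret
metadata:
  name: alidns-credentials
  namespace: default
type: Opaque
stringData:
  access-key-id: "PLACEHOLDER-ACCESS-KEY-ID"          # constructed placeholder
  access-key-secret: "PLACEHOLDER-ACCESS-KEY-SECRET"  # constructed placeholder
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-staging
  namespace: default
spec:
  acme:
    # Staging endpoint first: failed attempts do not eat production rate limits.
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: admin@example.org   # constructed placeholder
    privateKeySecretRef:
      name: letsencrypt-staging-account-key
    solvers:
      - dns01:
          webhook:
            # Must match both the GROUP_NAME env var of the webhook Deployment
            # and the APIService group in the rendered chart (example.com).
            groupName: example.com
            solverName: alidns-solver
            # ASSUMED config schema; verify the key names in the project README.
            config:
              region: ""
              accessKeyIdRef:
                name: alidns-credentials
                key: access-key-id
              accessKeySecretRef:
                name: alidns-credentials
                key: access-key-secret
---
# A Certificate that exercises the Issuer; cert-manager creates an Order and a
# Challenge, then calls the example.com/v1alpha1 API served by the webhook pod.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-org-tls
  namespace: default
spec:
  secretName: example-org-tls
  issuerRef:
    name: letsencrypt-staging
    kind: Issuer
  dnsNames:
    - example.org        # constructed placeholder
    - "*.example.org"    # constructed placeholder
```

Two checks are worth running before debugging the solver itself: `kubectl get apiservice v1alpha1.example.com` should report `Available=True` (if it does not, the serving certificate injected via the `cert-manager.io/inject-ca-from` annotation, or the Service selector, is the problem, not the Issuer), and `kubectl describe challenge -n default` shows the error returned by the webhook when the `groupName` does not match `GROUP_NAME` or the credentials Secret cannot be read. From a least-privilege standpoint, note that the chart's `secrets-reader` ClusterRole grants `get` on every Secret in the cluster so that credentials can sit next to the Issuer; if the credentials always live in one namespace, a namespaced RoleBinding of that role in just that namespace is a tighter substitute.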