issue #200 TLS errors when updating kube-fledged helm chart

deploy/kubefledged-operator/helm-charts/kubefledged/templates/_helpers.tpl

@@ -89,27 +89,19 @@ Create the name of the cluster role binding to use
 Create the name of the validating webhook configuration to use
 */}}
 {{- define "kubefledged.validatingWebhookName" -}}
-{{- if .Values.validatingWebhook.create -}}
-    {{ default (include "kubefledged.fullname" .) .Values.validatingWebhook.name }}
-{{- else -}}
-    {{ default "default" .Values.validatingWebhook.name }}
-{{- end -}}
+{{- printf "%s-webhook-configuration" (include "kubefledged.fullname" .) -}}
 {{- end -}}
 
 {{/*
 Create the name of the service for the webhook server to use
 */}}
 {{- define "kubefledged.webhookServiceName" -}}
-{{- if .Values.webhookService.create -}}
-    {{ default ( printf "%s-webhook-server" (include "kubefledged.fullname" .)) .Values.webhookService.name }}
-{{- else -}}
-    {{ default "default" .Values.webhookService.name }}
-{{- end -}}
+{{- printf "%s-webhook-server" (include "kubefledged.fullname" .) -}}
 {{- end -}}
 
 {{/*
 Create the name of the secret containing the webhook server's keypair
 */}}
-{{- define "kubefledged.secretName" -}}
-{{ default (include "kubefledged.fullname" .) .Values.secret.name }}
+{{- define "kubefledged.webhookServerCertSecretName" -}}
+{{- printf "%s-webhook-server-cert" (include "kubefledged.fullname" .) -}}
 {{- end -}}

deploy/kubefledged-operator/helm-charts/kubefledged/templates/deployment-webhook-server.yaml

@@ -1,4 +1,3 @@
-{{- if .Values.webhookServer.enable -}}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -14,6 +13,8 @@ spec:
     metadata:
       labels:
         {{- include "kubefledged.selectorLabels" . | nindent 8 }}-webhook-server
+      annotations:
+        enforceRestartHackTimestamp: {{ now }}
     spec:
     {{- if .Values.webhookServer.hostNetwork -}}
       hostNetwork: true
@@ -25,31 +26,8 @@ spec:
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
     {{- end }}
-      serviceAccountName: {{ include "kubefledged.fullname" . }}-webhook-server
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
-      initContainers:
-        - image: {{ .Values.image.kubefledgedWebhookServerRepository }}:{{ .Chart.AppVersion }}
-          command: {{ .Values.command.kubefledgedWebhookServerCommand }}
-          args:
-          - "--stderrthreshold=INFO"
-          - "--init-server"
-          imagePullPolicy: Always
-          name: init
-          env:
-          - name: KUBEFLEDGED_NAMESPACE
-            valueFrom:
-              fieldRef:
-                fieldPath: metadata.namespace
-          - name: WEBHOOK_SERVER_SERVICE
-            value: {{ include "kubefledged.fullname" . }}-webhook-server
-          - name: VALIDATING_WEBHOOK_CONFIG
-            value: {{ include "kubefledged.fullname" . }}-webhook-server
-          - name: CERT_KEY_PATH
-            value: "/var/run/secrets/webhook-server/"
-          volumeMounts:
-          - name: certkey-volume
-            mountPath: "/var/run/secrets/webhook-server"
       containers:
         - name: {{ .Chart.Name }}
           securityContext:
@@ -75,7 +53,9 @@ spec:
             readOnly: true
       volumes:
       - name: certkey-volume
-        emptyDir: {}             
+        secret:
+          defaultMode: 420
+          secretName: {{ include "kubefledged.webhookServerCertSecretName" . | quote }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
@@ -88,4 +68,3 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
     {{- end }}
-{{- end }}

deploy/kubefledged-operator/helm-charts/kubefledged/templates/service-webhook-server.yaml

@@ -1,9 +1,7 @@
-{{- if .Values.webhookServer.enable -}}
-{{- if .Values.webhookService.create -}}
 apiVersion: v1
 kind: Service
 metadata:
-  name: {{ include "kubefledged.fullname" . }}-webhook-server
+  name: {{ include "kubefledged.webhookServiceName" . }}
   labels:
     {{ include "kubefledged.labels" . | nindent 4 }}
 spec:
@@ -15,5 +13,3 @@ spec:
   selector:
     {{- include "kubefledged.selectorLabels" . | nindent 4 }}-webhook-server
   type: ClusterIP
-{{- end -}}
-{{- end -}}

deploy/kubefledged-operator/helm-charts/kubefledged/templates/validatingwebhook.yaml

@@ -1,9 +1,30 @@
-{{- if .Values.webhookServer.enable -}}
-{{- if .Values.validatingWebhook.create -}}
+{{- $kubefledgedWebhookSvc := (include "kubefledged.webhookServiceName" . ) -}}
+{{- $kubefledgedWebhookSvcFullName := ( printf "%s.%s.svc" $kubefledgedWebhookSvc .Release.Namespace )  -}}
+{{- $altNames := list $kubefledgedWebhookSvc $kubefledgedWebhookSvcFullName  -}}
+{{- $ca := genCA (include "kubefledged.webhookServiceName" . | quote) 365 -}}
+{{- $cert := genSignedCert $kubefledgedWebhookSvc nil $altNames 365 $ca -}}
+---
+
+apiVersion: v1
+data:
+  ca.crt: '{{ $ca.Cert | b64enc }}'
+  tls.crt: '{{ $cert.Cert | b64enc }}'
+  tls.key: '{{ $cert.Key | b64enc }}'
+kind: Secret
+metadata:
+  name: {{ include "kubefledged.webhookServerCertSecretName" . | quote }}
+  labels:
+    {{ include "kubefledged.labels" . | nindent 4 }}
+  annotations:
+    meta.helm.sh/release-name: {{ .Release.Name }}
+    meta.helm.sh/release-namespace: {{ .Release.Namespace }}
+type: kubernetes.io/tls
+---
+
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
-  name: {{ include "kubefledged.fullname" . }}-webhook-server
+  name: {{ include "kubefledged.validatingWebhookName" . }}
   labels:
     {{ include "kubefledged.labels" . | nindent 4 }}  
   annotations:
@@ -21,12 +42,10 @@ webhooks:
         name: {{ include "kubefledged.webhookServiceName" . }}
         path: "/validate-image-cache"
         port: {{ .Values.webhookService.port }}
-      caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZCVENDQXUyZ0F3SUJBZ0lDQitVd0RRWUpLb1pJaHZjTkFRRUxCUUF3R1RFWE1CVUdBMVVFQ2hNT2EzVmkKWldac1pXUm5aV1F1YVc4d0hoY05NakV3TnpJeU1EZ3hPVFEwV2hjTk1qSXdOekl5TURneE9UUTBXakFaTVJjdwpGUVlEVlFRS0V3NXJkV0psWm14bFpHZGxaQzVwYnpDQ0FpSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnSVBBRENDCkFnb0NnZ0lCQU93dDNjWm12SnRNN1NKUGx4QlRHUGtSY3lxZGlzUXNEKzRBbTdYYjVnOVhZd3FyanZwanZVdkMKTS9FVkZiK1p1aGd5R2I5b3dEb0IxOFJ1VGd2WFMrNTZ4VlNQYTE0WENoTi92U2ZZaTAydzhaZGcxdy8wNTBFRwplMXQ4ZytTL2hXZlhxUnFORnRONTk0N25jNFcxUllJYUN5WVhjc3dGbHNMdG9xRU95aFR3ZmhyTURRY1lvaDFvCmVZRmZ1bHdiSGltdlJKYlR0QXh2b2o3OVl5MHEzTVdGWXArZ3JvR1dadk1ZeFRRSjZKT0F6bjdIUEFqY3ZqdjIKRmdRSTBVNDlDcUdpUzZWR0ZlOHFBSm15b3BYcHBJZ2l3ODUrbHBnYVA1Y3p6UjVjWHp6anBUczl1T2pWdllzLwpZSm5JS05nUlNJWnJkaE9oUzdJcllhM1JhTU5la3NSOWsrMm5LYXdwSkJBVy91VmszRmcrZFFWWHk2YTE0Yk5ZCmxnTis3SXptd21QTk1BVGVVOTZ5UWVrQ1R3UUlGWVkwZmlxd0ZjamlzZlJ6U1FHY1dUbk91bkV0MWlKbWlXckkKZzUvWEI5ZDhHQ3FGWkJEdnpNUjU5S1RwRlhacjNPYmxONkFIQ3VQa0xKNGZPMklDZWdoeGQ4TUsrTExkaERLMwo3N01qV1dXMkV4L1RDT2pQbUNIalFzWjNCeTVFR2hFTGdIczV6NGxTQSsrZGRFR1AvamptL3FQOUJWVmFBNXJJCkRuSCs1bHNuZkNEQXJYaE5HckVhaVA4a3JjVmF1SlRQNXdJMElORFFoeE1XMUFqdHA0SmgxSVZ1bHNuZU9CME4KempGMVIvempCbDhUTlN3Y2RnN3dCbm1lVWhDbGVvZ1MwZ1J0ejREZDEzeGwrOFc0ZGNDL0FnTUJBQUdqVnpCVgpNQTRHQTFVZER3RUIvd1FFQXdJQ2hEQVRCZ05WSFNVRUREQUtCZ2dyQmdFRkJRY0RBVEFQQmdOVkhSTUJBZjhFCkJUQURBUUgvTUIwR0ExVWREZ1FXQkJRUmo4WUFSS09Vb213Z0Z6WGNrandBRFpEU2VqQU5CZ2txaGtpRzl3MEIKQVFzRkFBT0NBZ0VBQ0RRb1JFbllsd2pOb0tFTUlqUGJ5Wk1MdUQ5Smt6ZFhldzlESTBCNUtTaHkySFZBc0E2MgpiYzFZM25lYXRyQWcyUXJ5dklhYzZCUVhQbW4zUmF2V084blNuQnJDbHJkYk8vSXc2RnFtZVBVaDZSQVQzNyt6CitoWVdpL3JwL1U5bVBidm4yc2xOMVRlK3R6a1BsN01KeGxwMXRSWTU0RjB6Q0ZOdnFwUXBMUDdiS1VTVVVITmQKUW1WcWVQaHBucC9XV1dQNklXNVJ2VE8rSmhhTFpSV3hNaUxiWWtxN1lOZkI4SHhCam92T1NDMEE4TVRCRGVuTgpaV2lWcjN2K1kyOW9qZFY5R29VSzNPaDN0YVZNbStXWUxBdGxOcmpVdGxzU0NWN1dGbFhpNTZVd2xPZXd4ZGhmClcvMGdrTFkyaDNKNHdHUDZ6c09XbGgzVlVMV0w3WUZUYWllTEhpT0N3VzVaZ1FoWVRFNFAvcWdaQkZVVXRqNGUKbGRXeVFZWlBUR2dNelVxdm0wM3NDRHByRTM1eStSY0hFcEpwU2NXcy9yeW5VaXVJYnVGU3dhZUY2RktFZG5hSwpIMnRvdnpjMlBvMDJyWVFFOVhDNHdKUFpSaEpFYldocVROZ3JuL2NPRGZuNFovUVRyMGoxbGU1V3BacXE4Y1hWCjl5UHNVclVRL1g1WDNsMURtejlMcXhDd1ErZG5YU2xxczdRYnY5dDhPbUNZUEdnQVJaRU1qejFDUmJIbDZTaGkKaVAzY1JUTVRFV2hUMTJRZGZPd3djYUVCanNoQ0doVDAwZ3lUdFFzNm9wSzZLQm11RXF0cXV1TlFyMUdmaTl5bQp5WW1pNGg4RFdIdERpTEFrQW1DZWZuQXZoTWpiRXF3SzN6bmROdW1GTTAvbEtyZTBtekgvU3ZJPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
+      caBundle: '{{ $ca.Cert | b64enc }}'
     rules:
       - operations: ["CREATE", "UPDATE"]
         apiGroups: ["kubefledged.io"]
         apiVersions: ["v1alpha2"]
         resources: ["imagecaches"]
         scope: "Namespaced"
-{{- end -}}
-{{- end -}}

deploy/kubefledged-operator/helm-charts/kubefledged/values.yaml

@@ -8,7 +8,6 @@ controller:
   hostNetwork: false
   priorityClassName: ""
 webhookServer:
-  enable: true
   hostNetwork: false
   priorityClassName: ""
 image: