Why can't I find the webhook-related CRD in helm install?
Closed this issue · 3 comments
```yaml
---
# Source: alidns-webhook/templates/rbac.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: release-name-alidns-webhook
  labels:
    app: alidns-webhook
    chart: alidns-webhook-0.7.0
    release: release-name
    heritage: Helm
---
# Source: alidns-webhook/templates/rbac.yaml
# Grant permissions to read secrets inside the cluster to allow to have issuer in another namespace than the webhook
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: release-name-alidns-webhook:secrets-reader
  labels:
    app: alidns-webhook
    chart: alidns-webhook-0.7.0
    release: release-name
    heritage: Helm
rules:
  - apiGroups:
      - ''
    resources:
      - 'secrets'
    verbs:
      - 'get'
---
# Source: alidns-webhook/templates/rbac.yaml
# Grant cert-manager permission to validate using our apiserver
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: release-name-alidns-webhook:domain-solver
  labels:
    app: alidns-webhook
    chart: alidns-webhook-0.7.0
    release: release-name
    heritage: Helm
rules:
  - apiGroups:
      - example.com
    resources:
      - '*'
    verbs:
      - 'create'
---
# Source: alidns-webhook/templates/rbac.yaml
# Bind the previously created role to the webhook service account to allow reading from secrets in all namespaces
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: release-name-alidns-webhook:secrets-reader
  labels:
    app: alidns-webhook
    chart: alidns-webhook-0.7.0
    release: release-name
    heritage: Helm
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: release-name-alidns-webhook:secrets-reader
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: release-name-alidns-webhook
    namespace: default
---
# Source: alidns-webhook/templates/rbac.yaml
# apiserver gets the auth-delegator role to delegate auth decisions to
# the core apiserver
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: release-name-alidns-webhook:auth-delegator
  labels:
    app: alidns-webhook
    chart: alidns-webhook-0.7.0
    release: release-name
    heritage: Helm
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: release-name-alidns-webhook
    namespace: default
---
# Source: alidns-webhook/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: release-name-alidns-webhook:domain-solver
  labels:
    app: alidns-webhook
    chart: alidns-webhook-0.7.0
    release: release-name
    heritage: Helm
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: release-name-alidns-webhook:domain-solver
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: cert-manager
    namespace: cert-manager
---
# Source: alidns-webhook/templates/rbac.yaml
# Grant the webhook permission to read the ConfigMap containing the Kubernetes
# apiserver's requestheader-ca-certificate.
# This ConfigMap is automatically created by the Kubernetes apiserver.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: release-name-alidns-webhook:webhook-authentication-reader
  namespace: kube-system
  labels:
    app: alidns-webhook
    chart: alidns-webhook-0.7.0
    release: release-name
    heritage: Helm
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: extension-apiserver-authentication-reader
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: release-name-alidns-webhook
    namespace: default
---
# Source: alidns-webhook/templates/service.yaml
apiVersion: v1
kind: Service
metadata:
  name: release-name-alidns-webhook
  labels:
    app: alidns-webhook
    chart: alidns-webhook-0.7.0
    release: release-name
    heritage: Helm
spec:
  type: ClusterIP
  ports:
    - port: 443
      targetPort: https
      protocol: TCP
      name: https
  selector:
    app: alidns-webhook
    release: release-name
---
# Source: alidns-webhook/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: release-name-alidns-webhook
  labels:
    app: alidns-webhook
    chart: alidns-webhook-0.7.0
    release: release-name
    heritage: Helm
spec:
  replicas:
  selector:
    matchLabels:
      app: alidns-webhook
      release: release-name
  template:
    metadata:
      labels:
        app: alidns-webhook
        release: release-name
    spec:
      serviceAccountName: release-name-alidns-webhook
      containers:
        - name: alidns-webhook
          image: "ghcr.io/devmachine-fr/cert-manager-alidns-webhook/cert-manager-alidns-webhook:0.2.0"
          imagePullPolicy: IfNotPresent
          args:
            - --tls-cert-file=/tls/tls.crt
            - --tls-private-key-file=/tls/tls.key
            - --secure-port=443
          env:
            - name: GROUP_NAME
              value: "example.com"
          ports:
            - name: https
              containerPort: 443
              protocol: TCP
          livenessProbe:
            httpGet:
              scheme: HTTPS
              path: /healthz
              port: https
          readinessProbe:
            httpGet:
              scheme: HTTPS
              path: /healthz
              port: https
          volumeMounts:
            - name: certs
              mountPath: /tls
              readOnly: true
          resources:
            {}
      volumes:
        - name: certs
          secret:
            secretName: release-name-alidns-webhook-webhook-tls
---
# Source: alidns-webhook/templates/apiservice.yaml
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
  name: v1alpha1.example.com
  labels:
    app: alidns-webhook
    chart: alidns-webhook-0.7.0
    release: release-name
    heritage: Helm
  annotations:
    cert-manager.io/inject-ca-from: "default/release-name-alidns-webhook-webhook-tls"
spec:
  group: example.com
  groupPriorityMinimum: 1000
  versionPriority: 15
  service:
    name: release-name-alidns-webhook
    namespace: default
  version: v1alpha1
---
# Source: alidns-webhook/templates/pki.yaml
# Generate a CA Certificate used to sign certificates for the webhook
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: release-name-alidns-webhook-ca
  namespace: "default"
  labels:
    app: alidns-webhook
    chart: alidns-webhook-0.7.0
    release: release-name
    heritage: Helm
spec:
  secretName: release-name-alidns-webhook-ca
  duration: 43800h0m0s # 5y
  issuerRef:
    name: release-name-alidns-webhook-selfsign
  commonName: "ca.alidns-webhook.cert-manager"
  isCA: true
---
# Source: alidns-webhook/templates/pki.yaml
# Finally, generate a serving certificate for the webhook to use
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: release-name-alidns-webhook-webhook-tls
  namespace: "default"
  labels:
    app: alidns-webhook
    chart: alidns-webhook-0.7.0
    release: release-name
    heritage: Helm
spec:
  secretName: release-name-alidns-webhook-webhook-tls
  duration: 8760h0m0s # 1y
  issuerRef:
    name: release-name-alidns-webhook-ca
  dnsNames:
    - release-name-alidns-webhook
    - release-name-alidns-webhook.default
    - release-name-alidns-webhook.default.svc
---
# Source: alidns-webhook/templates/pki.yaml
# Create a selfsigned Issuer, in order to create a root CA certificate for
# signing webhook serving certificates
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: release-name-alidns-webhook-selfsign
  namespace: "default"
  labels:
    app: alidns-webhook
    chart: alidns-webhook-0.7.0
    release: release-name
    heritage: Helm
spec:
  selfSigned: {}
---
# Source: alidns-webhook/templates/pki.yaml
# Create an Issuer that uses the above generated CA certificate to issue certs
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: release-name-alidns-webhook-ca
  namespace: "default"
  labels:
    app: alidns-webhook
    chart: alidns-webhook-0.7.0
    release: release-name
    heritage: Helm
spec:
  ca:
    secretName: release-name-alidns-webhook-ca
```
Helm installs a series of supporting resources for webhooks, but where is the webhook?
Not sure I correctly understand your question, but you have to install cert-manager first. (https://cert-manager.io/docs/installation/helm/#installing-with-helm)
I have installed cert-manager, but I am not clear about the working principle of cert-manager-alidns-webhook. It seems that it does not register any webhook to my cluster. How does it work? Is the injected pod equivalent to a controller?
Did you create an Issuer? (https://github.com/DEVmachine-fr/cert-manager-alidns-webhook#create-an-issuer)
It is the issuer which instructs cert-manager to use the alidns-solver.
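An added example, not part of the thread or the project's own files: a cert-manager Issuer whose DNS-01 webhook solver points at the release rendered above. `groupName` must equal the chart's `GROUP_NAME` and the APIService group (`example.com` here), and `solverName` is the `alidns-solver` named in the reply; the issuer name, e-mail, Secret names, region and the key names under `config` are assumptions to check against the project README.

```yaml
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-alidns            # hypothetical name
  namespace: default
spec:
  acme:
    # Let's Encrypt staging endpoint, suitable for a first test
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: admin@example.org          # placeholder address
    privateKeySecretRef:
      name: letsencrypt-alidns-account-key   # hypothetical Secret name
    solvers:
      - dns01:
          webhook:
            # Must match GROUP_NAME in the Deployment, spec.group of the
            # APIService and the apiGroups of the domain-solver ClusterRole.
            groupName: example.com
            solverName: alidns-solver
            config:
              # Key names below are assumed; confirm them in the README.
              regionId: cn-hangzhou   # placeholder region
              accessTokenSecretRef:
                name: alidns-secrets  # hypothetical Secret holding the credentials
                key: access-token
              secretKeySecretRef:
                name: alidns-secrets
                key: secret-key
```

With an Issuer like this, cert-manager submits each DNS-01 challenge as a `create` request under the `example.com` API group, which is the verb the `domain-solver` ClusterRole grants to the `cert-manager` ServiceAccount. The `APIService` object in the rendered chart is what routes that request to the webhook pod, so no admission webhook configuration or CRD is involved.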