cluster/kube: minor cert-manager cleanups, disable webhooks by default

2019-04-02 14:43:34 +02:00 · 2019-04-02 14:43:34 +02:00 · 2afe604595
commit 2afe604595
parent 79ddbc57d9
1 changed files with 10 additions and 21 deletions
--- a/cluster/kube/lib/cert-manager.libsonnet
+++ b/cluster/kube/lib/cert-manager.libsonnet
@ -10,6 +10,7 @@ local kube = import "../../../kube/kube.libsonnet";

        cfg:: {
            namespace: "cert-manager",
+            enableWebhook: false,
        },

        metadata:: {
@ -518,7 +519,7 @@ local kube = import "../../../kube/kube.libsonnet";
                metadata+: env.metadata,
                spec: {
                    secretName: "cert-manager-webhook-ca",
-                    duration: "43800h", // 5 years
+                    duration: "43800h0m0s", // 5 years
                    issuerRef: {
                        name: env.issuers.webhookSelfsign.metadata.name,
                    },
@ -530,7 +531,7 @@ local kube = import "../../../kube/kube.libsonnet";
                metadata+: env.metadata,
                spec: {
                    secretName: "cert-manager-webhook-webhook-tls",
-                    duration: "8760h", // 1 year
+                    duration: "8760h0m0s", // 1 year
                    issuerRef: {
                        name: env.issuers.webhookSelfsign.metadata.name,
                    },
@ -545,11 +546,10 @@ local kube = import "../../../kube/kube.libsonnet";
        admission: kube._Object("admissionregistration.k8s.io/v1beta1", "ValidatingWebhookConfiguration", "cert-manager-webhook") {
            metadata+: {
                annotations: {
-                    "certmanager.k8s.io/inject-apiserver-ca": "true",
                },
            },
-            webhooks: [
-                // Copied from official yaml
+            // Copied from official yaml
+            webhooks: if cfg.enableWebhook then [
                {
                    "name": "certificates.admission.certmanager.k8s.io",
                    "namespaceSelector": {
@ -691,29 +691,18 @@ local kube = import "../../../kube/kube.libsonnet";
                        "caBundle": "",
                    }
                }
-            ],
+            ] else [],
        },
    },

-    /*
-    Issuer(name):: {
-        local cfg = self,
-        spec:: error "spec must be specified",
-        metadata:: {
-            namespace: "cert-manager",
-        },
-
-        issuer: kube._Object("certmanager.k8s.io/v1alpha1", "Issuer", name) {
-            metadata+: cfg.metadata,
-            spec: cfg.spec,
-        },
-    },
-    */
-
    Issuer(name): kube._Object("certmanager.k8s.io/v1alpha1", "Issuer", name) {
        spec: error "spec must be specified",
    },

+    ClusterIssuer(name): kube._Object("certmanager.k8s.io/v1alpha1", "ClusterIssuer", name) {
+        spec: error "spec must be specified",
+    },
+
    Certificate(name): kube._Object("certmanager.k8s.io/v1alpha1", "Certificate", name) {
        spec: error "spec must be specified",
    },