update cert manifests

Signed-off-by: Kagaya <kagaya85@outlook.com>
2025-06-22 14:39:54 +08:00 · 2025-06-22 14:39:54 +08:00 · b5b835cf3e
parent a5c5255ab6
commit b5b835cf3e
8 changed files with 103 additions and 13 deletions
--- a/versions/kruise-game/next/Chart.yaml
+++ b/versions/kruise-game/next/Chart.yaml
@ -8,4 +8,5 @@ sources:
  - https://github.com/openkruise/kruise-game
 annotations:
  artifacthub.io/changes: |
-    - "[Changed]: https://github.com/openkruise/kruise-game/blob/master/CHANGELOG.md"
+    - "[Changed]: https://github.com/openkruise/kruise-game/blob/master/CHANGELOG.md"
+    - "[Added]: Support for cert-manager with CA injection"
--- a/versions/kruise-game/next/templates/cert-manager/okg-tls-certificate.yaml
+++ b/versions/kruise-game/next/templates/cert-manager/okg-tls-certificate.yaml
@ -2,19 +2,20 @@
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
-  name: {{ .Values.kruiseGame.fullname }}-tls-certificates
+  name: {{ .Values.kruiseGame.fullname }}-cert
  namespace: {{ .Values.installation.namespace }}
 spec:
  commonName: {{ .Values.kruiseGame.fullname }}
  dnsNames:
-  - {{ ..Values.kruiseGame.webhook.serviceName }}.{{ .Values.installation.namespace }}
-  - {{ ..Values.kruiseGame.webhook.serviceName }}.{{ .Values.installation.namespace }}.svc
-  - {{ ..Values.kruiseGame.webhook.serviceName }}.{{ .Values.installation.namespace }}.svc.{{ .Values.clusterDomain }}
+  - {{ .Values.kruiseGame.webhook.serviceName }}.{{ .Values.installation.namespace }}
+  - {{ .Values.kruiseGame.webhook.serviceName }}.{{ .Values.installation.namespace }}.svc
+  - {{ .Values.kruiseGame.webhook.serviceName }}.{{ .Values.installation.namespace }}.svc.{{ .Values.clusterDomain }}
  secretName: {{ .Values.certificates.secretName }}
  usages:
    - server auth
    - client auth
  privateKey:
+    rotationPolicy: Always
    algorithm: RSA
    size: 2048
  duration: {{ .Values.certificates.certManager.duration }}
--- a/versions/kruise-game/next/templates/cert-manager/self-ca.yaml
+++ b/versions/kruise-game/next/templates/cert-manager/self-ca.yaml
@ -9,12 +9,13 @@ spec:
  commonName: {{ .Values.kruiseGame.fullname }}
  secretName: {{ .Values.certificates.certManager.caSecretName }}
  privateKey:
+    rotationPolicy: Always
    algorithm: RSA
    size: 2048
  duration: 8760h0m0s # 1 year
  renewBefore: 720h0m0s # 1 month
  issuerRef:
-    name: {{ .Values.operator.name }}-selfsigned-issuer
+    name: {{ .Values.kruiseGame.fullname }}-selfsigned-issuer
    kind: Issuer
    group: cert-manager.io
 {{- end }}
--- a/versions/kruise-game/next/templates/manager.yaml
+++ b/versions/kruise-game/next/templates/manager.yaml
@ -60,6 +60,9 @@ spec:
            - --api-server-qps={{ .Values.kruiseGame.apiServerQps }}
            - --api-server-qps-burst={{ .Values.kruiseGame.apiServerQpsBurst }}
            - --scale-server-bind-address=:{{ .Values.scale.service.targetPort }}
+            {{- if not .Values.certificates.autoGenerated }}
+            - --enable-cert-generation={{ .Values.certificates.autoGenerated }}
+            {{- end }}
            {{- if .Values.prometheus.enabled }}
            - --metrics-bind-address=:{{ .Values.prometheus.monitorService.port }}
            {{- end }}
@ -98,6 +101,8 @@ spec:
          volumeMounts:
            - mountPath: /etc/kruise-game
              name: provider-config
+            - mountPath: {{ .Values.certificates.mountPath }}
+              name: certificates
      topologySpreadConstraints:
      - labelSelector:
          matchLabels:
@ -108,7 +113,7 @@ spec:
 {{- end }}
        maxSkew: 1
        topologyKey: topology.kubernetes.io/zone
-        whenUnsatisfiable:  ScheduleAnyway
+        whenUnsatisfiable: ScheduleAnyway
      serviceAccountName: {{ .Values.kruiseGame.fullname }}
      terminationGracePeriodSeconds: 10
      volumes:
@ -119,3 +124,8 @@ spec:
                path: config.toml
            name: kruise-game-manager-config
          name: provider-config
+        - name: certificates
+          secret:
+            defaultMode: 420
+            secretName: {{ .Values.certificates.secretName}}
+            optional: {{ and .Values.certificates.autoGenerated ( not .Values.certificates.certManager.enabled ) }}
--- a/versions/kruise-game/next/templates/webhooks/mutatingconfiguration.yaml
+++ b/versions/kruise-game/next/templates/webhooks/mutatingconfiguration.yaml
@ -0,0 +1,42 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  annotations:
+    {{- if .Values.certificates.certManager.enabled }}
+    {{- if and (not .Values.certificates.certManager.generateCA) .Values.certificates.certManager.issuer.generate }}
+    cert-manager.io/inject-ca-from-secret: {{ .Values.installation.namespace }}/{{ .Values.certificates.certManager.caSecretName }}
+    {{- else }}
+    cert-manager.io/inject-ca-from: {{ .Values.installation.namespace }}/{{ .Values.kruiseGame.fullname }}-cert
+    {{- end }}
+    {{- end }}
+  labels:
+    app.kubernetes.io/name: {{ .Values.kruiseGame.fullname }}
+  name: kruise-game-mutating-webhook
+webhooks:
+- admissionReviewVersions:
+  - v1
+  - v1beta1
+  clientConfig:
+    service:
+      name: {{ .Values.kruiseGame.webhook.serviceName }}
+      namespace: {{ .Values.installation.namespace }}
+      path: /mutate-v1-pod
+  failurePolicy: {{ .Values.kruiseGame.webhook.failurePolicy }}
+  matchPolicy: Equivalent
+  name: mgameserverset.kb.io
+  rules:
+  - operations:
+    - CREATE
+    - UPDATE
+    - DELETE
+    apiGroups:
+    - ""
+    apiVersions:
+    - v1
+    resources:
+    - pods
+  objectSelector:
+    matchExpressions:
+    - key: game.kruise.io/owner-gss
+      operator: Exists
+  sideEffects: None
--- a/versions/kruise-game/next/templates/webhooks/service.yaml
+++ b/versions/kruise-game/next/templates/webhooks/service.yaml
--- a/versions/kruise-game/next/templates/webhooks/validatingconfiguration.yaml
+++ b/versions/kruise-game/next/templates/webhooks/validatingconfiguration.yaml
@ -0,0 +1,40 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  annotations:
+    {{- if .Values.certificates.certManager.enabled }}
+    {{- if and (not .Values.certificates.certManager.generateCA) .Values.certificates.certManager.issuer.generate }}
+    cert-manager.io/inject-ca-from-secret: {{ .Values.installation.namespace }}/{{ .Values.certificates.certManager.caSecretName }}
+    {{- else }}
+    cert-manager.io/inject-ca-from: {{ .Values.installation.namespace }}/{{ .Values.kruiseGame.fullname }}-cert
+    {{- end }}
+    {{- end }}
+  labels:
+    app.kubernetes.io/name: {{ .Values.kruiseGame.fullname }}
+  name: kruise-game-validating-webhook
+webhooks:
+- admissionReviewVersions:
+  - v1
+  - v1beta1
+  clientConfig:
+    service:
+      name: {{ .Values.kruiseGame.webhook.serviceName }}
+      namespace: {{ .Values.installation.namespace }}
+      path: /validate-v1alpha1-gss
+  failurePolicy: {{ .Values.kruiseGame.webhook.failurePolicy }}
+  matchPolicy: Equivalent
+  name: vgameserverset.kb.io
+  namespaceSelector: {}
+  objectSelector: {}
+  rules:
+  - apiGroups:
+    - game.kruise.io
+    apiVersions:
+    - v1alpha1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - gameserversets
+  sideEffects: None
+  timeoutSeconds: 10
--- a/versions/kruise-game/next/values.yaml
+++ b/versions/kruise-game/next/values.yaml
@ -14,6 +14,7 @@ kruiseGame:
    serviceName: kruise-game-webhook-service
    port: 443
    targetPort: 9876
+    failurePolicy: Fail
  apiServerQps: 5
  apiServerQpsBurst: 10

@ -80,12 +81,6 @@ certificates:
    renewBefore: 5840h0m0s # 8 months
    generateCA: true
    caSecretName: "kruise-game-ca"
-    secretTemplate: {}
-      # annotations:
-      #   my-secret-annotation-1: "foo"
-      #   my-secret-annotation-2: "bar"
-      # labels:
-      #   my-secret-label: foo
    # -- Reference to custom Issuer. If issuer.generate is false, then issuer.group, issuer.kind and issuer.name are required
    issuer:
      generate: true