From b5b835cf3ed1885e2fdca84330b320300a56424d Mon Sep 17 00:00:00 2001
From: Kagaya
Date: Sun, 22 Jun 2025 14:39:54 +0800
Subject: [PATCH] update cert manifests
Signed-off-by: Kagaya
---
versions/kruise-game/next/Chart.yaml | 3 +-
.../cert-manager/okg-tls-certificate.yaml | 9 ++--
.../next/templates/cert-manager/self-ca.yaml | 3 +-
.../kruise-game/next/templates/manager.yaml | 12 +++++-
.../webhooks/mutatingconfiguration.yaml | 42 +++++++++++++++++++
.../service.yaml} | 0
.../webhooks/validatingconfiguration.yaml | 40 ++++++++++++++++++
versions/kruise-game/next/values.yaml | 7 +---
8 files changed, 103 insertions(+), 13 deletions(-)
create mode 100644 versions/kruise-game/next/templates/webhooks/mutatingconfiguration.yaml
rename versions/kruise-game/next/templates/{webhook_service.yaml => webhooks/service.yaml} (100%)
create mode 100644 versions/kruise-game/next/templates/webhooks/validatingconfiguration.yaml
diff --git a/versions/kruise-game/next/Chart.yaml b/versions/kruise-game/next/Chart.yaml
index 533c6cd..a5f9fb3 100644
--- a/versions/kruise-game/next/Chart.yaml
+++ b/versions/kruise-game/next/Chart.yaml
@@ -8,4 +8,5 @@ sources:
- https://github.com/openkruise/kruise-game
annotations:
artifacthub.io/changes: |
- - "[Changed]: https://github.com/openkruise/kruise-game/blob/master/CHANGELOG.md"
\ No newline at end of file
+ - "[Changed]: https://github.com/openkruise/kruise-game/blob/master/CHANGELOG.md"
+ - "[Added]: Support for cert-manager with CA injection"
\ No newline at end of file
diff --git a/versions/kruise-game/next/templates/cert-manager/okg-tls-certificate.yaml b/versions/kruise-game/next/templates/cert-manager/okg-tls-certificate.yaml
index 1a84754..cb441ff 100644
--- a/versions/kruise-game/next/templates/cert-manager/okg-tls-certificate.yaml
+++ b/versions/kruise-game/next/templates/cert-manager/okg-tls-certificate.yaml
@@ -2,19 +2,20 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
- name: {{ .Values.kruiseGame.fullname }}-tls-certificates
+ name: {{ .Values.kruiseGame.fullname }}-cert
namespace: {{ .Values.installation.namespace }}
spec:
commonName: {{ .Values.kruiseGame.fullname }}
dnsNames:
- - {{ ..Values.kruiseGame.webhook.serviceName }}.{{ .Values.installation.namespace }}
- - {{ ..Values.kruiseGame.webhook.serviceName }}.{{ .Values.installation.namespace }}.svc
- - {{ ..Values.kruiseGame.webhook.serviceName }}.{{ .Values.installation.namespace }}.svc.{{ .Values.clusterDomain }}
+ - {{ .Values.kruiseGame.webhook.serviceName }}.{{ .Values.installation.namespace }}
+ - {{ .Values.kruiseGame.webhook.serviceName }}.{{ .Values.installation.namespace }}.svc
+ - {{ .Values.kruiseGame.webhook.serviceName }}.{{ .Values.installation.namespace }}.svc.{{ .Values.clusterDomain }}
secretName: {{ .Values.certificates.secretName }}
usages:
- server auth
- client auth
privateKey:
+ rotationPolicy: Always
algorithm: RSA
size: 2048
duration: {{ .Values.certificates.certManager.duration }}
diff --git a/versions/kruise-game/next/templates/cert-manager/self-ca.yaml b/versions/kruise-game/next/templates/cert-manager/self-ca.yaml
index 4639ab9..82fc605 100644
--- a/versions/kruise-game/next/templates/cert-manager/self-ca.yaml
+++ b/versions/kruise-game/next/templates/cert-manager/self-ca.yaml
@@ -9,12 +9,13 @@ spec:
commonName: {{ .Values.kruiseGame.fullname }}
secretName: {{ .Values.certificates.certManager.caSecretName }}
privateKey:
+ rotationPolicy: Always
algorithm: RSA
size: 2048
duration: 8760h0m0s # 1 year
renewBefore: 720h0m0s # 1 month
issuerRef:
- name: {{ .Values.operator.name }}-selfsigned-issuer
+ name: {{ .Values.kruiseGame.fullname }}-selfsigned-issuer
kind: Issuer
group: cert-manager.io
{{- end }}
diff --git a/versions/kruise-game/next/templates/manager.yaml b/versions/kruise-game/next/templates/manager.yaml
index 6e56313..c5abd29 100644
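Review bot: The `usages` list still carries `client auth` on what the `dnsNames` (service, service.namespace.svc, ...svc.clusterDomain) show is a webhook serving certificate, which only needs `server auth`; unless the manager also presents this key as a TLS client somewhere not visible in this patch, trim it to `usages:` / `- server auth` so the key cannot be repurposed for client authentication. The new `rotationPolicy: Always` is the right choice for a leaf, but it means every renewal replaces both key and cert in `.Values.certificates.secretName`; the pod in manager.yaml mounts that secret as a plain volume, so kubelet will eventually refresh the files, but whether the manager re-reads them without a restart is not something this chart shows — a comment on the `rotationPolicy` line stating that expectation (or a `checksum` annotation/restart strategy) would save the next operator a surprise at first renewal.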
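Review bot: `rotationPolicy: Always` on the CA Certificate creates a brand-new CA key at every renewal, and nothing in this patch re-issues the leaf serving certificate when that happens — as far as I can tell cert-manager only re-issues a leaf on its own renewal schedule, so the webhook keeps serving a cert chained to the previous CA. In the `inject-ca-from-secret` branch of the new webhook configurations the `caBundle` is taken straight from this CA secret, so the API server would immediately stop trusting the still-old serving cert, and with `failurePolicy: Fail` admission is blocked until the leaf renews; in the `inject-ca-from` branch the bundle lags with the leaf instead, which only holds while the old CA cert (expiring one month after renewal, per `renewBefore: 720h0m0s`) is still valid. Keeping the CA key stable with `rotationPolicy: Never` avoids both gaps because the renewed CA cert carries the same key and existing leaves keep validating; if re-keying the CA is intentional, document on this line that `certificates.certManager.renewBefore` must be shorter than the CA's `renewBefore` so the leaf always rolls inside the overlap window.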
--- a/versions/kruise-game/next/templates/manager.yaml
+++ b/versions/kruise-game/next/templates/manager.yaml
@@ -60,6 +60,9 @@ spec:
- --api-server-qps={{ .Values.kruiseGame.apiServerQps }}
- --api-server-qps-burst={{ .Values.kruiseGame.apiServerQpsBurst }}
- --scale-server-bind-address=:{{ .Values.scale.service.targetPort }}
+ {{- if not .Values.certificates.autoGenerated }}
+ - --enable-cert-generation={{ .Values.certificates.autoGenerated }}
+ {{- end }}
{{- if .Values.prometheus.enabled }}
- --metrics-bind-address=:{{ .Values.prometheus.monitorService.port }}
{{- end }}
@@ -98,6 +101,8 @@ spec:
volumeMounts:
- mountPath: /etc/kruise-game
name: provider-config
+ - mountPath: {{ .Values.certificates.mountPath }}
+ name: certificates
topologySpreadConstraints:
- labelSelector:
matchLabels:
@@ -108,7 +113,7 @@ spec:
{{- end }}
maxSkew: 1
topologyKey: topology.kubernetes.io/zone
- whenUnsatisfiable: ScheduleAnyway
+ whenUnsatisfiable: ScheduleAnyway
serviceAccountName: {{ .Values.kruiseGame.fullname }}
terminationGracePeriodSeconds: 10
volumes:
@@ -119,3 +124,8 @@ spec:
path: config.toml
name: kruise-game-manager-config
name: provider-config
+ - name: certificates
+ secret:
+ defaultMode: 420
+ secretName: {{ .Values.certificates.secretName}}
+ optional: {{ and .Values.certificates.autoGenerated ( not .Values.certificates.certManager.enabled ) }}
diff --git a/versions/kruise-game/next/templates/webhooks/mutatingconfiguration.yaml b/versions/kruise-game/next/templates/webhooks/mutatingconfiguration.yaml
new file mode 100644
index 0000000..9568cc1
--- /dev/null
+++ b/versions/kruise-game/next/templates/webhooks/mutatingconfiguration.yaml
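Review bot: The `--enable-cert-generation` flag is only rendered inside `{{- if not .Values.certificates.autoGenerated }}`, so the interpolated value is always `false`; writing `- --enable-cert-generation=false` says that plainly and cannot emit a non-boolean if someone sets the key to a string. The combination this guard does not cover is `certManager.enabled: true` with `autoGenerated` left `true`: the manager's own cert generation then stays on while cert-manager (the Certificate template in this patch) also writes `.Values.certificates.secretName`, and I cannot tell from here which writer wins. Consider gating on both, `{{- if or (not .Values.certificates.autoGenerated) .Values.certificates.certManager.enabled }}`, or failing the render on the conflicting pair, and document the supported combinations next to `autoGenerated` in values.yaml.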
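Review bot: `defaultMode: 420` (0644) makes the webhook's TLS private key readable by every uid in the container; for a secret volume that holds a key the usual choice is `defaultMode: 256` (0400) or `288` (0440), with the caveat that a non-root container then needs a matching `runAsUser` or `fsGroup` in the pod `securityContext`, which is outside this hunk. The `secretName: {{ .Values.certificates.secretName}}` line is missing the space before `}}` and is unquoted — `secretName: {{ .Values.certificates.secretName | quote }}` keeps an empty or numeric-looking value from being re-typed by the YAML parser. The `optional:` expression is correct but non-obvious; a comment such as `# presumably written by the manager's own cert generation when cert-manager is off — confirm; otherwise the secret must exist before the pod starts` would explain why the volume is optional only in that case.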
@@ -0,0 +1,42 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ annotations:
+ {{- if .Values.certificates.certManager.enabled }}
+ {{- if and (not .Values.certificates.certManager.generateCA) .Values.certificates.certManager.issuer.generate }}
+ cert-manager.io/inject-ca-from-secret: {{ .Values.installation.namespace }}/{{ .Values.certificates.certManager.caSecretName }}
+ {{- else }}
+ cert-manager.io/inject-ca-from: {{ .Values.installation.namespace }}/{{ .Values.kruiseGame.fullname }}-cert
+ {{- end }}
+ {{- end }}
+ labels:
+ app.kubernetes.io/name: {{ .Values.kruiseGame.fullname }}
+ name: kruise-game-mutating-webhook
+webhooks:
+- admissionReviewVersions:
+ - v1
+ - v1beta1
+ clientConfig:
+ service:
+ name: {{ .Values.kruiseGame.webhook.serviceName }}
+ namespace: {{ .Values.installation.namespace }}
+ path: /mutate-v1-pod
+ failurePolicy: {{ .Values.kruiseGame.webhook.failurePolicy }}
+ matchPolicy: Equivalent
+ name: mgameserverset.kb.io
+ rules:
+ - operations:
+ - CREATE
+ - UPDATE
+ - DELETE
+ apiGroups:
+ - ""
+ apiVersions:
+ - v1
+ resources:
+ - pods
+ objectSelector:
+ matchExpressions:
+ - key: game.kruise.io/owner-gss
+ operator: Exists
+ sideEffects: None
\ No newline at end of file
diff --git a/versions/kruise-game/next/templates/webhook_service.yaml b/versions/kruise-game/next/templates/webhooks/service.yaml
similarity index 100%
rename from versions/kruise-game/next/templates/webhook_service.yaml
rename to versions/kruise-game/next/templates/webhooks/service.yaml
diff --git a/versions/kruise-game/next/templates/webhooks/validatingconfiguration.yaml b/versions/kruise-game/next/templates/webhooks/validatingconfiguration.yaml
new file mode 100644
index 0000000..00c6b52
--- /dev/null
+++ b/versions/kruise-game/next/templates/webhooks/validatingconfiguration.yaml
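Review bot: The pod rule lists `DELETE` under a webhook whose `failurePolicy` defaults to `Fail` (values.yaml in this patch), so while the webhook endpoint is unreachable no pod labelled `game.kruise.io/owner-gss` can be deleted, which also stalls GameServerSet scale-down and rolling updates; if the delete handler is best-effort cleanup rather than a hard gate, give it its own policy value or at least add a comment on the `- DELETE` line stating that fail-closed on delete is intentional. The validating configuration in this patch sets `timeoutSeconds: 10` explicitly and `namespaceSelector: {}` / `objectSelector: {}`; add `timeoutSeconds: 10` here so both webhooks are tuned in one place and match the style. The templated scalars (`name: {{ .Values.kruiseGame.webhook.serviceName }}`, `namespace:`) should be piped through `| quote` so an empty value renders as `""` rather than a YAML null that the API server rejects with a less obvious error.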
@@ -0,0 +1,40 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ annotations:
+ {{- if .Values.certificates.certManager.enabled }}
+ {{- if and (not .Values.certificates.certManager.generateCA) .Values.certificates.certManager.issuer.generate }}
+ cert-manager.io/inject-ca-from-secret: {{ .Values.installation.namespace }}/{{ .Values.certificates.certManager.caSecretName }}
+ {{- else }}
+ cert-manager.io/inject-ca-from: {{ .Values.installation.namespace }}/{{ .Values.kruiseGame.fullname }}-cert
+ {{- end }}
+ {{- end }}
+ labels:
+ app.kubernetes.io/name: {{ .Values.kruiseGame.fullname }}
+ name: kruise-game-validating-webhook
+webhooks:
+- admissionReviewVersions:
+ - v1
+ - v1beta1
+ clientConfig:
+ service:
+ name: {{ .Values.kruiseGame.webhook.serviceName }}
+ namespace: {{ .Values.installation.namespace }}
+ path: /validate-v1alpha1-gss
+ failurePolicy: {{ .Values.kruiseGame.webhook.failurePolicy }}
+ matchPolicy: Equivalent
+ name: vgameserverset.kb.io
+ namespaceSelector: {}
+ objectSelector: {}
+ rules:
+ - apiGroups:
+ - game.kruise.io
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - gameserversets
+ sideEffects: None
+ timeoutSeconds: 10
\ No newline at end of file
diff --git a/versions/kruise-game/next/values.yaml b/versions/kruise-game/next/values.yaml
index 9537c91..9075842 100644
--- a/versions/kruise-game/next/values.yaml
+++ b/versions/kruise-game/next/values.yaml
@@ -14,6 +14,7 @@ kruiseGame:
serviceName: kruise-game-webhook-service
port: 443
targetPort: 9876
+ failurePolicy: Fail
apiServerQps: 5
apiServerQpsBurst: 10
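Review bot: The `cert-manager.io/inject-ca-from-secret` branch only takes effect if the referenced Secret (`{{ .Values.certificates.certManager.caSecretName }}`) carries the annotation `cert-manager.io/allow-direct-injection: "true"`; cainjector ignores secrets without it, which leaves `caBundle` empty and, with `failurePolicy: Fail`, rejects every GameServerSet create and update with a TLS error. That branch is chosen when `generateCA` is false, i.e. the CA secret is supplied by the user, and the same patch drops `secretTemplate` from values.yaml (whether the CA template still honoured it is not visible here), so the requirement should be stated next to `caSecretName` in values.yaml, e.g. `# -- Existing CA secret; it must carry cert-manager.io/allow-direct-injection: "true" or cainjector will not populate the webhook caBundle`. The `{{ .Values.installation.namespace }}/...` annotation values and the `service.name`/`namespace` scalars are unquoted template output; `| quote` keeps an empty value from rendering as a YAML null.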
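Review bot: `failurePolicy: Fail` is the right default for an admission webhook, but it is a security-versus-availability knob operators will look up, and the new key has no comment in the chart's `# --` style. Add one above the line: `# -- failurePolicy for the mutating and validating webhooks. Fail rejects matching requests while the webhook is unreachable; Ignore admits them unchecked.`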
@@ -80,12 +81,6 @@ certificates:
renewBefore: 5840h0m0s # 8 months
generateCA: true
caSecretName: "kruise-game-ca"
- secretTemplate: {}
- # annotations:
- # my-secret-annotation-1: "foo"
- # my-secret-annotation-2: "bar"
- # labels:
- # my-secret-label: foo
# -- Reference to custom Issuer. If issuer.generate is false, then issuer.group, issuer.kind and issuer.name are required
issuer:
generate: true