EPMDEDP-16582: feat: replace self-signed cert generation with cert-manager

cmd/main.go

@@ -1,7 +1,6 @@
 package main
 
 import (
-	"context"
 	"crypto/tls"
 	"flag"
 	"os"
@@ -101,8 +100,6 @@ func main() {
 
 	v := buildInfo.Get()
 
-	ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts)))
-
 	// if the enable-http2 flag is false (the default), http/2 should be disabled
 	// due to its vulnerabilities. More specifically, disabling http/2 will
 	// prevent from being vulnerable to the HTTP/2 Stream Cancellation and
@@ -287,7 +284,7 @@ func main() {
 	}
 
 	if os.Getenv("ENABLE_WEBHOOKS") != "false" {
-		if err = webhook.RegisterValidationWebHook(context.Background(), mgr, ns); err != nil {
+		if err = webhook.RegisterValidationWebHook(mgr); err != nil {
 			setupLog.Error(err, "failed to create webhook", "webhook", "Codebase")
 			os.Exit(1)
 		}

deploy-templates/README.md

@@ -23,6 +23,7 @@ A Helm chart for KubeRocketCI Codebase Operator
 |-----|------|---------|-------------|
 | affinity | object | `{}` |  |
 | annotations | object | `{}` |  |
+| enableWebhooks | bool | `true` | Enable webhook and cert-manager certificate resources. Webhooks require cert-manager to be installed in the cluster. |
 | envs[0].name | string | `"RECONCILATION_PERIOD"` |  |
 | envs[0].value | string | `"360"` |  |
 | envs[1] | object | `{"name":"CODEBASE_BRANCH_MAX_CONCURRENT_RECONCILES","value":"3"}` | Maximum number of parallel reconciliation codebasebranches |

deploy-templates/templates/deployment.yaml

@@ -34,6 +34,9 @@ spec:
       containers:
         - name: {{ .Values.name }}
           image: {{ if .Values.image.registry }}{{ .Values.image.registry }}/{{ end }}{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}
+          {{- if .Values.enableWebhooks }}
+          args:
+            - --webhook-cert-path=/tmp/k8s-webhook-server/serving-certs
           ports:
             - containerPort: 9443
               name: webhook-server
@@ -42,6 +45,7 @@ spec:
             - mountPath: /tmp/k8s-webhook-server/serving-certs
               name: cert
               readOnly: true
+          {{- end }}
           imagePullPolicy: "{{ .Values.imagePullPolicy }}"
           {{- if .Values.securityContext }}
           securityContext: {{ toYaml .Values.securityContext | nindent 12 }}
@@ -61,6 +65,8 @@ spec:
               value: "{{ .Values.global.platform }}"
             - name: TELEMETRY_ENABLED
               value: "{{ .Values.telemetryEnabled }}"
+            - name: ENABLE_WEBHOOKS
+              value: {{ .Values.enableWebhooks | quote }}
 {{ toYaml .Values.envs | indent 12 }}
           resources:
 {{ toYaml .Values.resources | indent 12 }}
@@ -76,8 +82,10 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- if .Values.enableWebhooks }}
       volumes:
         - name: cert
           secret:
             defaultMode: 420
-            secretName: edp-codebase-operator-webhook-certs
+            secretName: {{ .Values.name }}-webhook-certs
+      {{- end }}

deploy-templates/templates/role_kubernetes.yaml

@@ -87,7 +87,6 @@ rules:
     - list
     - patch
     - update
-    - create
   resources:
     - secrets
 - apiGroups:

deploy-templates/templates/service.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.enableWebhooks }}
 apiVersion: v1
 kind: Service
 metadata:
@@ -10,4 +11,5 @@ spec:
       protocol: TCP
       targetPort: 9443
   selector:
-    name: {{ .Values.name }}
+    name: {{ .Values.name }}
+{{- end }}

deploy-templates/templates/validation_webhook.yaml

@@ -1,8 +1,11 @@
+{{- if .Values.enableWebhooks }}
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
     {{- include "codebase-operator.labels" . | nindent 4 }}
+  annotations:
+    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ .Values.name }}-serving-cert
   name: edp-codebase-operator-validating-webhook-configuration-{{ .Release.Namespace }}
 webhooks:
   - admissionReviewVersions:
@@ -115,3 +118,4 @@ webhooks:
           - codebases
         scope: Namespaced
     sideEffects: None
+{{- end }}

deploy-templates/templates/validation_webhook_rbac.yaml

@@ -0,0 +1,34 @@
+{{- if .Values.enableWebhooks }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    {{- include "codebase-operator.labels" . | nindent 4 }}
+  name: edp-{{ .Values.name }}-{{ .Release.Namespace }}-validation-webhook
+rules:
+- apiGroups:
+    - ""
+  resources:
+    - namespaces
+  verbs:
+    - get
+    - list
+    - watch
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    {{- include "codebase-operator.labels" . | nindent 4 }}
+  name: edp-{{ .Values.name }}-{{ .Release.Namespace }}-validation-webhook
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: edp-{{ .Values.name }}-{{ .Release.Namespace }}-validation-webhook
+subjects:
+  - kind: ServiceAccount
+    name: edp-{{ .Values.name }}
+    namespace: {{ .Release.Namespace }}
+{{- end }}

deploy-templates/templates/webhook/certmanager.yaml

@@ -0,0 +1,25 @@
+{{- if .Values.enableWebhooks }}
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  labels:
+    {{- include "codebase-operator.labels" . | nindent 4 }}
+  name: {{ .Values.name }}-selfsigned-issuer
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  labels:
+    {{- include "codebase-operator.labels" . | nindent 4 }}
+  name: {{ .Values.name }}-serving-cert
+spec:
+  dnsNames:
+  - edp-{{ .Values.name }}-webhook-service.{{ .Release.Namespace }}.svc
+  - edp-{{ .Values.name }}-webhook-service.{{ .Release.Namespace }}.svc.cluster.local
+  issuerRef:
+    kind: Issuer
+    name: {{ .Values.name }}-selfsigned-issuer
+  secretName: {{ .Values.name }}-webhook-certs
+{{- end }}

deploy-templates/values.yaml

@@ -70,3 +70,7 @@ jira:
 # Read more about KubeRocketCI telemetry here: https://docs.kuberocketci.io/docs/developer-guide/telemetry
 # -- Flag to enable/disable telemetry
 telemetryEnabled: true
+
+# -- Enable webhook and cert-manager certificate resources.
+# Webhooks require cert-manager to be installed in the cluster.
+enableWebhooks: true

go.mod

@@ -25,7 +25,6 @@ require (
 	k8s.io/apimachinery v0.33.7
 	k8s.io/client-go v0.33.7
 	k8s.io/utils v0.0.0-20241210054802-24370beab758
-	knative.dev/pkg v0.0.0-20250415155312-ed3e2158b883
 	sigs.k8s.io/controller-runtime v0.21.0
 )
 
@@ -146,6 +145,7 @@ require (
 	k8s.io/klog/v2 v2.130.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff // indirect
 	knative.dev/eventing v0.30.3 // indirect
+	knative.dev/pkg v0.0.0-20250415155312-ed3e2158b883 // indirect
 	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2 // indirect
 	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect