[kube-prometheus-stack] unify hostnames
Signed-off-by: Jan-Otto Kröpke <[email protected]>
jkroepke committed Nov 21, 2023
1 parent 738cea6 commit 9e8576b
Showing 3 changed files with 28 additions and 22 deletions.
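--- a/charts/kube-prometheus-stack/templates/_helpers.tpl
+++ b/charts/kube-prometheus-stack/templates/_helpers.tpl
@@ -286,3 +286,14 @@ global:
 {{- end }}
 {{- end }}
 {{- end -}}
+
+{{- define "kube-prometheus-stack.operator.admission-webhook.dnsNames" }}
+{{- $fullname := include "kube-prometheus-stack.operator.fullname" . }}
+{{- $namespace := include "kube-prometheus-stack.namespace" . }}
+{{- $fullname }}
+{{ $fullname }}.{{ $namespace }}.svc
+{{- if .Values.prometheusOperator.admissionWebhooks.deployment.enabled }}
+{{ $fullname }}-webhook
+{{ $fullname }}-webhook.{{ $namespace }}.svc
+{{- end }}
+{{- end }}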
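Review bot: The helper emits only `<name>` and `<name>.<namespace>.svc` (plus the `-webhook` pair), while the dnsNames list it replaces in the cert-manager Certificate also carried `<name>.<namespace>`, so those SANs silently disappear from cert-manager-issued certificates. If the drop is intended, say so in a comment above the define; otherwise add `{{ $fullname }}.{{ $namespace }}` and `{{ $fullname }}-webhook.{{ $namespace }}` lines. The define also has no doc comment stating its output contract: both callers process the result on `\n` (`replace "\n" ","` and `splitList "\n"`), so it must stay one name per line with no blank or trailing line. A short `{{/* ... */}}` comment saying that would keep a later change to the whitespace trimming from producing an empty `--host` entry or an empty SAN.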
Expand Up @@ -43,7 +43,7 @@ spec:
imagePullPolicy: {{ .Values.prometheusOperator.admissionWebhooks.patch.image.pullPolicy }}
args:
- create
- --host={{ template "kube-prometheus-stack.operator.fullname" . }},{{ template "kube-prometheus-stack.operator.fullname" . }}.{{ template "kube-prometheus-stack.namespace" . }}.svc{{- if .Values.prometheusOperator.admissionWebhooks.deployment.enabled }},{{ template "kube-prometheus-stack.operator.fullname" . }}-webhook,{{ template "kube-prometheus-stack.operator.fullname" . }}-webhook.{{ template "kube-prometheus-stack.namespace" . }}.svc{{- end }}
- --host={{- include "kube-prometheus-stack.operator.admission-webhook.dnsNames" . | replace "\n" "," }}
- --namespace={{ template "kube-prometheus-stack.namespace" . }}
- --secret-name={{ template "kube-prometheus-stack.fullname" . }}-admission
{{- with .Values.prometheusOperator.admissionWebhooks.createSecretJob }}
@@ -1,62 +1,57 @@
{{- if .Values.prometheusOperator.admissionWebhooks.certManager.enabled -}}
{{- $fullname := include "kube-prometheus-stack.operator.fullname" . }}
{{- $namespace := include "kube-prometheus-stack.namespace" . }}
{{- if not .Values.prometheusOperator.admissionWebhooks.certManager.issuerRef -}}
# Create a selfsigned Issuer, in order to create a root CA certificate for
# signing webhook serving certificates
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: {{ template "kube-prometheus-stack.fullname" . }}-self-signed-issuer
namespace: {{ template "kube-prometheus-stack.namespace" . }}
name: {{ $fullname }}-self-signed-issuer
namespace: {{ $namespace }}
spec:
selfSigned: {}
---
# Generate a CA Certificate used to sign certificates for the webhook
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: {{ template "kube-prometheus-stack.fullname" . }}-root-cert
namespace: {{ template "kube-prometheus-stack.namespace" . }}
name: {{ $fullname }}-root-cert
namespace: {{ $namespace }}
spec:
secretName: {{ template "kube-prometheus-stack.fullname" . }}-root-cert
secretName: {{ $fullname }}-root-cert
duration: {{ .Values.prometheusOperator.admissionWebhooks.certManager.rootCert.duration | default "43800h0m0s" | quote }}
issuerRef:
name: {{ template "kube-prometheus-stack.fullname" . }}-self-signed-issuer
name: {{ $fullname }}-self-signed-issuer
commonName: "ca.webhook.kube-prometheus-stack"
isCA: true
---
# Create an Issuer that uses the above generated CA certificate to issue certs
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: {{ template "kube-prometheus-stack.fullname" . }}-root-issuer
namespace: {{ template "kube-prometheus-stack.namespace" . }}
name: {{ $fullname }}-root-issuer
namespace: {{ $namespace }}
spec:
ca:
secretName: {{ template "kube-prometheus-stack.fullname" . }}-root-cert
secretName: {{ $fullname }}-root-cert
{{- end }}
---
# generate a server certificate for the apiservices to use
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: {{ template "kube-prometheus-stack.fullname" . }}-admission
namespace: {{ template "kube-prometheus-stack.namespace" . }}
name: {{ $fullname }}-admission
namespace: {{ $namespace }}
spec:
secretName: {{ template "kube-prometheus-stack.fullname" . }}-admission
secretName: {{ $fullname }}-admission
duration: {{ .Values.prometheusOperator.admissionWebhooks.certManager.admissionCert.duration | default "8760h0m0s" | quote }}
issuerRef:
{{- if .Values.prometheusOperator.admissionWebhooks.certManager.issuerRef }}
{{- toYaml .Values.prometheusOperator.admissionWebhooks.certManager.issuerRef | nindent 4 }}
{{- else }}
name: {{ template "kube-prometheus-stack.fullname" . }}-root-issuer
name: {{ $fullname }}-root-issuer
{{- end }}
dnsNames:
- {{ template "kube-prometheus-stack.operator.fullname" . }}
- {{ template "kube-prometheus-stack.operator.fullname" . }}.{{ template "kube-prometheus-stack.namespace" . }}
- {{ template "kube-prometheus-stack.operator.fullname" . }}.{{ template "kube-prometheus-stack.namespace" . }}.svc
{{- if .Values.prometheusOperator.admissionWebhooks.deployment.enabled }}
- {{ template "kube-prometheus-stack.operator.fullname" . }}-webhook
- {{ template "kube-prometheus-stack.operator.fullname" . }}-webhook.{{ template "kube-prometheus-stack.namespace" . }}
- {{ template "kube-prometheus-stack.operator.fullname" . }}-webhook.{{ template "kube-prometheus-stack.namespace" . }}.svc
{{- end -}}
{{- include "kube-prometheus-stack.operator.admission-webhook.dnsNames" . | splitList "\n" | toYaml | nindent 4 }}
{{- end -}}
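Review bot: Every resource name in this template, including `secretName: {{ $fullname }}-admission`, is now derived from `kube-prometheus-stack.operator.fullname` instead of `kube-prometheus-stack.fullname`, which goes beyond unifying hostnames. The createSecret job touched by this same commit still passes `--secret-name={{ template "kube-prometheus-stack.fullname" . }}-admission`, so if the two helpers render different strings the cert-manager path and the job path produce differently named secrets. The consumers of that secret (the webhook's volume mount and any CA-injection annotation) are not visible on this page and should be checked; a mismatch would leave the admission webhook without the serving certificate it expects. Existing releases would presumably also get a new Issuer and root CA under the new names on upgrade, with the old secrets left behind. If only deduplication was intended, keep the old names with `{{- $fullname := include "kube-prometheus-stack.fullname" . }}`, since dnsNames no longer uses `$fullname` directly.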
