cert-manager-webhook-pdns: render from helm in main cluster

already doing this in the new cluster, might as well have a way to update it here too

helm/render-all.sh

@@ -14,7 +14,7 @@ render_helm() {
 }
 
 # main k8s cluster operators
-for component in openbao external-secrets secrets-store-csi-driver; do
+for component in openbao external-secrets secrets-store-csi-driver cert-manager-webhook-pdns; do
     render_helm ../k8s/operators "${component}"
 done
 

k8s/operators/cert-manager-webhook-pdns/bundle.yaml

@@ -1,345 +1,311 @@
----
-# Source: cert-manager-webhook-pdns/templates/serviceaccount.yaml
+# DO NOT EDIT: This file has been automatically generated by the script in helm/render-all.sh, edits may get overwritten
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: cert-manager-webhook-pdns
-  namespace: cert-manager
   labels:
-    helm.sh/chart: cert-manager-webhook-pdns-3.1.3
-    app.kubernetes.io/name: cert-manager-webhook-pdns
     app.kubernetes.io/instance: cert-manager-webhook-pdns
-    app.kubernetes.io/version: "v2.5.1"
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: cert-manager-webhook-pdns
+    app.kubernetes.io/version: v2.5.1
+    helm.sh/chart: cert-manager-webhook-pdns-3.2.2
+  name: cert-manager-webhook-pdns
 ---
-# Source: cert-manager-webhook-pdns/templates/rbac.yaml
-# Grant cert-manager permission to validate using our apiserver
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: cert-manager-webhook-pdns
   labels:
-    helm.sh/chart: cert-manager-webhook-pdns-3.1.3
-    app.kubernetes.io/name: cert-manager-webhook-pdns
     app.kubernetes.io/instance: cert-manager-webhook-pdns
-    app.kubernetes.io/version: "v2.5.1"
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: cert-manager-webhook-pdns
+    app.kubernetes.io/version: v2.5.1
+    helm.sh/chart: cert-manager-webhook-pdns-3.2.2
+  name: cert-manager-webhook-pdns
 rules:
-  - apiGroups:
-      - ''
-    resources:
-      - 'secrets'
-    verbs:
-      - 'get'
-  - apiGroups:
-      - 'flowcontrol.apiserver.k8s.io'
-    resources:
-      - 'flowschemas'
-      - 'prioritylevelconfigurations'
-    verbs:
-      - 'watch'
-      - 'list'
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+- apiGroups:
+  - flowcontrol.apiserver.k8s.io
+  resources:
+  - flowschemas
+  - prioritylevelconfigurations
+  verbs:
+  - watch
+  - list
 ---
-# Source: cert-manager-webhook-pdns/templates/rbac.yaml
-# Grant cert-manager permission to validate using our apiserver
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: cert-manager-webhook-pdns:domain-solver
   labels:
-    helm.sh/chart: cert-manager-webhook-pdns-3.1.3
-    app.kubernetes.io/name: cert-manager-webhook-pdns
     app.kubernetes.io/instance: cert-manager-webhook-pdns
-    app.kubernetes.io/version: "v2.5.1"
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: cert-manager-webhook-pdns
+    app.kubernetes.io/version: v2.5.1
+    helm.sh/chart: cert-manager-webhook-pdns-3.2.2
+  name: cert-manager-webhook-pdns:domain-solver
 rules:
-  - apiGroups:
-      - acme.zacharyseguin.ca
-    resources:
-      - '*'
-    verbs:
-      - 'create'
+- apiGroups:
+  - acme.zacharyseguin.ca
+  resources:
+  - '*'
+  verbs:
+  - create
 ---
-# Source: cert-manager-webhook-pdns/templates/rbac.yaml
-# Grant the webhook permission to read the ConfigMap containing the Kubernetes
-# apiserver's requestheader-ca-certificate.
-# This ConfigMap is automatically created by the Kubernetes apiserver.
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: cert-manager-webhook-pdns
-  labels:
-    helm.sh/chart: cert-manager-webhook-pdns-3.1.3
-    app.kubernetes.io/name: cert-manager-webhook-pdns
-    app.kubernetes.io/instance: cert-manager-webhook-pdns
-    app.kubernetes.io/version: "v2.5.1"
-    app.kubernetes.io/managed-by: Helm
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cert-manager-webhook-pdns
-subjects:
-  - apiGroup: ""
-    kind: ServiceAccount
-    name: cert-manager-webhook-pdns
-    namespace: cert-manager
----
-# Source: cert-manager-webhook-pdns/templates/rbac.yaml
-# apiserver gets the auth-delegator role to delegate auth decisions to
-# the core apiserver
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: cert-manager-webhook-pdns:auth-delegator
-  labels:
-    helm.sh/chart: cert-manager-webhook-pdns-3.1.3
-    app.kubernetes.io/name: cert-manager-webhook-pdns
-    app.kubernetes.io/instance: cert-manager-webhook-pdns
-    app.kubernetes.io/version: "v2.5.1"
-    app.kubernetes.io/managed-by: Helm
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: system:auth-delegator
-subjects:
-  - apiGroup: ""
-    kind: ServiceAccount
-    name: cert-manager-webhook-pdns
-    namespace: cert-manager
----
-# Source: cert-manager-webhook-pdns/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: cert-manager-webhook-pdns:domain-solver
-  labels:
-    helm.sh/chart: cert-manager-webhook-pdns-3.1.3
-    app.kubernetes.io/name: cert-manager-webhook-pdns
-    app.kubernetes.io/instance: cert-manager-webhook-pdns
-    app.kubernetes.io/version: "v2.5.1"
-    app.kubernetes.io/managed-by: Helm
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cert-manager-webhook-pdns:domain-solver
-subjects:
-  - apiGroup: ""
-    kind: ServiceAccount
-    name: cert-manager
-    namespace: cert-manager
----
-# Source: cert-manager-webhook-pdns/templates/rbac.yaml
-# Grant the webhook permission to read the ConfigMap containing the Kubernetes
-# apiserver's requestheader-ca-certificate.
-# This ConfigMap is automatically created by the Kubernetes apiserver.
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
+  labels:
+    app.kubernetes.io/instance: cert-manager-webhook-pdns
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: cert-manager-webhook-pdns
+    app.kubernetes.io/version: v2.5.1
+    helm.sh/chart: cert-manager-webhook-pdns-3.2.2
   name: cert-manager-webhook-pdns:webhook-authentication-reader
   namespace: kube-system
-  labels:
-    helm.sh/chart: cert-manager-webhook-pdns-3.1.3
-    app.kubernetes.io/name: cert-manager-webhook-pdns
-    app.kubernetes.io/instance: cert-manager-webhook-pdns
-    app.kubernetes.io/version: "v2.5.1"
-    app.kubernetes.io/managed-by: Helm
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
   name: extension-apiserver-authentication-reader
 subjects:
-  - apiGroup: ""
-    kind: ServiceAccount
-    name: cert-manager-webhook-pdns
-    namespace: cert-manager
+- apiGroup: ""
+  kind: ServiceAccount
+  name: cert-manager-webhook-pdns
+  namespace: cert-manager
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/instance: cert-manager-webhook-pdns
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: cert-manager-webhook-pdns
+    app.kubernetes.io/version: v2.5.1
+    helm.sh/chart: cert-manager-webhook-pdns-3.2.2
+  name: cert-manager-webhook-pdns
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cert-manager-webhook-pdns
+subjects:
+- apiGroup: ""
+  kind: ServiceAccount
+  name: cert-manager-webhook-pdns
+  namespace: cert-manager
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/instance: cert-manager-webhook-pdns
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: cert-manager-webhook-pdns
+    app.kubernetes.io/version: v2.5.1
+    helm.sh/chart: cert-manager-webhook-pdns-3.2.2
+  name: cert-manager-webhook-pdns:auth-delegator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:auth-delegator
+subjects:
+- apiGroup: ""
+  kind: ServiceAccount
+  name: cert-manager-webhook-pdns
+  namespace: cert-manager
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/instance: cert-manager-webhook-pdns
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: cert-manager-webhook-pdns
+    app.kubernetes.io/version: v2.5.1
+    helm.sh/chart: cert-manager-webhook-pdns-3.2.2
+  name: cert-manager-webhook-pdns:domain-solver
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cert-manager-webhook-pdns:domain-solver
+subjects:
+- apiGroup: ""
+  kind: ServiceAccount
+  name: cert-manager
+  namespace: cert-manager
 ---
-# Source: cert-manager-webhook-pdns/templates/service.yaml
 apiVersion: v1
 kind: Service
 metadata:
-  name: cert-manager-webhook-pdns
-  namespace: cert-manager
   labels:
-    helm.sh/chart: cert-manager-webhook-pdns-3.1.3
-    app.kubernetes.io/name: cert-manager-webhook-pdns
     app.kubernetes.io/instance: cert-manager-webhook-pdns
-    app.kubernetes.io/version: "v2.5.1"
     app.kubernetes.io/managed-by: Helm
-spec:
-  type: ClusterIP
-  ports:
-    - port: 443
-      targetPort: https
-      protocol: TCP
-      name: https
-  selector:
     app.kubernetes.io/name: cert-manager-webhook-pdns
+    app.kubernetes.io/version: v2.5.1
+    helm.sh/chart: cert-manager-webhook-pdns-3.2.2
+  name: cert-manager-webhook-pdns
+spec:
+  ports:
+  - name: https
+    port: 443
+    protocol: TCP
+    targetPort: https
+  selector:
     app.kubernetes.io/instance: cert-manager-webhook-pdns
+    app.kubernetes.io/name: cert-manager-webhook-pdns
+  type: ClusterIP
 ---
-# Source: cert-manager-webhook-pdns/templates/deployment.yaml
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: cert-manager-webhook-pdns
-  namespace: cert-manager
   labels:
-    helm.sh/chart: cert-manager-webhook-pdns-3.1.3
-    app.kubernetes.io/name: cert-manager-webhook-pdns
     app.kubernetes.io/instance: cert-manager-webhook-pdns
-    app.kubernetes.io/version: "v2.5.1"
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: cert-manager-webhook-pdns
+    app.kubernetes.io/version: v2.5.1
+    helm.sh/chart: cert-manager-webhook-pdns-3.2.2
+  name: cert-manager-webhook-pdns
 spec:
-  replicas: 1
+  replicas: null
   selector:
     matchLabels:
-      app.kubernetes.io/name: cert-manager-webhook-pdns
       app.kubernetes.io/instance: cert-manager-webhook-pdns
+      app.kubernetes.io/name: cert-manager-webhook-pdns
   template:
     metadata:
       labels:
-        helm.sh/chart: cert-manager-webhook-pdns-3.1.3
-        app.kubernetes.io/name: cert-manager-webhook-pdns
         app.kubernetes.io/instance: cert-manager-webhook-pdns
-        app.kubernetes.io/version: "v2.5.1"
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: cert-manager-webhook-pdns
+        app.kubernetes.io/version: v2.5.1
+        helm.sh/chart: cert-manager-webhook-pdns-3.2.2
     spec:
-      serviceAccountName: cert-manager-webhook-pdns
       containers:
-        - name: cert-manager-webhook-pdns
-          image: docker.io/zachomedia/cert-manager-webhook-pdns:v2.5.1
-          imagePullPolicy: IfNotPresent
-          args:
-            - --tls-cert-file=/tls/tls.crt
-            - --tls-private-key-file=/tls/tls.key
-            - --secure-port=8443
-          env:
-            - name: GROUP_NAME
-              value: "acme.zacharyseguin.ca"
-          ports:
-            - name: https
-              containerPort: 8443
-              protocol: TCP
-          securityContext:
-            runAsGroup: 100
-            runAsUser: 100
-          livenessProbe:
-            httpGet:
-              scheme: HTTPS
-              path: /healthz
-              port: https
-          readinessProbe:
-            httpGet:
-              scheme: HTTPS
-              path: /healthz
-              port: https
-          volumeMounts:
-            - name: certs
-              mountPath: /tls
-              readOnly: true
-          resources:
-            {}
+      - args:
+        - --tls-cert-file=/tls/tls.crt
+        - --tls-private-key-file=/tls/tls.key
+        - --secure-port=8443
+        env:
+        - name: GROUP_NAME
+          value: acme.zacharyseguin.ca
+        image: zachomedia/cert-manager-webhook-pdns:v2.5.1
+        imagePullPolicy: IfNotPresent
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: https
+            scheme: HTTPS
+        name: cert-manager-webhook-pdns
+        ports:
+        - containerPort: 8443
+          name: https
+          protocol: TCP
+        readinessProbe:
+          httpGet:
+            path: /healthz
+            port: https
+            scheme: HTTPS
+        resources: {}
+        securityContext:
+          runAsGroup: 100
+          runAsUser: 100
+        volumeMounts:
+        - mountPath: /tls
+          name: certs
+          readOnly: true
+      serviceAccountName: cert-manager-webhook-pdns
       volumes:
-        - name: certs
-          secret:
-            secretName: cert-manager-webhook-pdns-webhook-tls
+      - name: certs
+        secret:
+          secretName: cert-manager-webhook-pdns-webhook-tls
 ---
-# Source: cert-manager-webhook-pdns/templates/apiservice.yaml
 apiVersion: apiregistration.k8s.io/v1
 kind: APIService
 metadata:
-  name: v1alpha1.acme.zacharyseguin.ca
-  namespace: cert-manager
-  labels:
-    helm.sh/chart: cert-manager-webhook-pdns-3.1.3
-    app.kubernetes.io/name: cert-manager-webhook-pdns
-    app.kubernetes.io/instance: cert-manager-webhook-pdns
-    app.kubernetes.io/version: "v2.5.1"
-    app.kubernetes.io/managed-by: Helm
   annotations:
-    cert-manager.io/inject-ca-from: "cert-manager/cert-manager-webhook-pdns-webhook-tls"
+    cert-manager.io/inject-ca-from: cert-manager/cert-manager-webhook-pdns-webhook-tls
+  labels:
+    app.kubernetes.io/instance: cert-manager-webhook-pdns
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: cert-manager-webhook-pdns
+    app.kubernetes.io/version: v2.5.1
+    helm.sh/chart: cert-manager-webhook-pdns-3.2.2
+  name: v1alpha1.acme.zacharyseguin.ca
 spec:
   group: acme.zacharyseguin.ca
   groupPriorityMinimum: 1000
-  versionPriority: 15
   service:
     name: cert-manager-webhook-pdns
     namespace: cert-manager
   version: v1alpha1
+  versionPriority: 15
 ---
-# Source: cert-manager-webhook-pdns/templates/pki.yaml
-# Generate a CA Certificate used to sign certificates for the webhook
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
-  name: cert-manager-webhook-pdns-ca
-  namespace: "cert-manager"
   labels:
-    helm.sh/chart: cert-manager-webhook-pdns-3.1.3
-    app.kubernetes.io/name: cert-manager-webhook-pdns
     app.kubernetes.io/instance: cert-manager-webhook-pdns
-    app.kubernetes.io/version: "v2.5.1"
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: cert-manager-webhook-pdns
+    app.kubernetes.io/version: v2.5.1
+    helm.sh/chart: cert-manager-webhook-pdns-3.2.2
+  name: cert-manager-webhook-pdns-ca
+  namespace: cert-manager
 spec:
-  secretName: cert-manager-webhook-pdns-ca
-  duration: 43800h0m0s # 5y
+  commonName: ca.cert-manager-webhook-pdns.cert-manager
+  duration: 43800h0m0s
+  isCA: true
   issuerRef:
     name: cert-manager-webhook-pdns-selfsign
-  commonName: "ca.cert-manager-webhook-pdns.cert-manager"
-  isCA: true
+  secretName: cert-manager-webhook-pdns-ca
 ---
-# Source: cert-manager-webhook-pdns/templates/pki.yaml
-# Finally, generate a serving certificate for the webhook to use
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
-  name: cert-manager-webhook-pdns-webhook-tls
-  namespace: "cert-manager"
   labels:
-    helm.sh/chart: cert-manager-webhook-pdns-3.1.3
-    app.kubernetes.io/name: cert-manager-webhook-pdns
     app.kubernetes.io/instance: cert-manager-webhook-pdns
-    app.kubernetes.io/version: "v2.5.1"
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: cert-manager-webhook-pdns
+    app.kubernetes.io/version: v2.5.1
+    helm.sh/chart: cert-manager-webhook-pdns-3.2.2
+  name: cert-manager-webhook-pdns-webhook-tls
+  namespace: cert-manager
 spec:
-  secretName: cert-manager-webhook-pdns-webhook-tls
-  duration: 8760h0m0s # 1y
-  issuerRef:
-    name: cert-manager-webhook-pdns-ca
   dnsNames:
   - cert-manager-webhook-pdns
   - cert-manager-webhook-pdns.cert-manager
   - cert-manager-webhook-pdns.cert-manager.svc
+  duration: 8760h0m0s
+  issuerRef:
+    name: cert-manager-webhook-pdns-ca
+  secretName: cert-manager-webhook-pdns-webhook-tls
 ---
-# Source: cert-manager-webhook-pdns/templates/pki.yaml
-# Create a selfsigned Issuer, in order to create a root CA certificate for
-# signing webhook serving certificates
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
-  name: cert-manager-webhook-pdns-selfsign
-  namespace: "cert-manager"
   labels:
-    helm.sh/chart: cert-manager-webhook-pdns-3.1.3
-    app.kubernetes.io/name: cert-manager-webhook-pdns
     app.kubernetes.io/instance: cert-manager-webhook-pdns
-    app.kubernetes.io/version: "v2.5.1"
     app.kubernetes.io/managed-by: Helm
-spec:
-  selfSigned: {}
----
-# Source: cert-manager-webhook-pdns/templates/pki.yaml
-# Create an Issuer that uses the above generated CA certificate to issue certs
-apiVersion: cert-manager.io/v1
-kind: Issuer
-metadata:
+    app.kubernetes.io/name: cert-manager-webhook-pdns
+    app.kubernetes.io/version: v2.5.1
+    helm.sh/chart: cert-manager-webhook-pdns-3.2.2
   name: cert-manager-webhook-pdns-ca
-  namespace: "cert-manager"
-  labels:
-    helm.sh/chart: cert-manager-webhook-pdns-3.1.3
-    app.kubernetes.io/name: cert-manager-webhook-pdns
-    app.kubernetes.io/instance: cert-manager-webhook-pdns
-    app.kubernetes.io/version: "v2.5.1"
-    app.kubernetes.io/managed-by: Helm
+  namespace: cert-manager
 spec:
   ca:
     secretName: cert-manager-webhook-pdns-ca
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  labels:
+    app.kubernetes.io/instance: cert-manager-webhook-pdns
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: cert-manager-webhook-pdns
+    app.kubernetes.io/version: v2.5.1
+    helm.sh/chart: cert-manager-webhook-pdns-3.2.2
+  name: cert-manager-webhook-pdns-selfsign
+  namespace: cert-manager
+spec:
+  selfSigned: {}

k8s/operators/cert-manager-webhook-pdns/kustomization.yaml

@@ -0,0 +1,18 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - bundle.yaml
+  - letsencrypt.yaml
+patches:
+  - path: namespace-patch.yaml
+    target:
+      kind: Deployment
+      name: cert-manager-webhook-pdns
+  - path: namespace-patch.yaml
+    target:
+      kind: ServiceAccount
+      name: cert-manager-webhook-pdns
+  - path: namespace-patch.yaml
+    target:
+      kind: Service
+      name: cert-manager-webhook-pdns

k8s/operators/cert-manager-webhook-pdns/namespace-patch.yaml

@@ -0,0 +1,3 @@
+- op: add
+  path: /metadata/namespace
+  value: cert-manager

k8s/operators/cert-manager/kustomization.yaml

@@ -3,8 +3,8 @@ kind: Kustomization
 # namespace: cert-manager
 resources:
   - https://github.com/cert-manager/cert-manager/releases/download/v1.15.2/cert-manager.yaml
-  - pdns-hook.yaml
-  - letsencrypt.yaml
+  # - pdns-hook.yaml
+  # - letsencrypt.yaml
   - selfsigned.yaml
 patches:
   - path: controller-patches.yaml