Rename project to cert-completer

erwinvaneyk · Dec 23, 2019 · c82dc3c · c82dc3c
1 parent 16b83a0
commit c82dc3c
Show file tree

Hide file tree

Showing 11 changed files with 224 additions and 60 deletions.
diff --git a/Makefile b/Makefile
@@ -1,6 +1,6 @@
 
 # Image URL to use all building/pushing image targets
-IMG ?= erwinvaneyk/ca-completer:latest
+IMG ?= erwinvaneyk/cert-completer:latest
 # Produce CRDs that work back to Kubernetes 1.11 (no version conversion)
 CRD_OPTIONS ?= "crd:trivialVersions=true"
 
@@ -45,6 +45,7 @@ vet:
 # Generate code
 generate: controller-gen
 	$(CONTROLLER_GEN) object:headerFile=./hack/boilerplate.go.txt paths="./..."
+	./hack/generate-k8s-resources.sh
 
 # Build the docker image
 docker-build: test

diff --git a/PROJECT b/PROJECT
@@ -1,3 +1,3 @@
 version: "2"
 domain: erwinvaneyk.nl
-repo: github.com/erwinvaneyk/ca-completer
+repo: github.com/erwinvaneyk/cert-completer
diff --git a/cert-completer.yaml b/cert-completer.yaml
@@ -0,0 +1,155 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: cert-completer-leader-election-role
+  namespace: default
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - configmaps/status
+  verbs:
+  - get
+  - update
+  - patch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  creationTimestamp: null
+  name: cert-completer-manager-role
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - patch
+  - update
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: cert-completer-proxy-role
+rules:
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
+- apiGroups:
+  - authorization.k8s.io
+  resources:
+  - subjectaccessreviews
+  verbs:
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: cert-completer-leader-election-rolebinding
+  namespace: default
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: cert-completer-leader-election-role
+subjects:
+- kind: ServiceAccount
+  name: default
+  namespace: default
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cert-completer-manager-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cert-completer-manager-role
+subjects:
+- kind: ServiceAccount
+  name: default
+  namespace: default
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cert-completer-proxy-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cert-completer-proxy-role
+subjects:
+- kind: ServiceAccount
+  name: default
+  namespace: default
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    control-plane: controller-manager
+  name: cert-completer-controller-manager-metrics-service
+  namespace: default
+spec:
+  ports:
+  - name: https
+    port: 8443
+    targetPort: https
+  selector:
+    control-plane: controller-manager
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    control-plane: controller-manager
+  name: cert-completer-controller-manager
+  namespace: default
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      control-plane: controller-manager
+  template:
+    metadata:
+      labels:
+        control-plane: controller-manager
+    spec:
+      containers:
+      - args:
+        - --enable-leader-election
+        command:
+        - /manager
+        image: erwinvaneyk/cert-completer:latest
+        name: manager
+        resources:
+          limits:
+            cpu: 100m
+            memory: 30Mi
+          requests:
+            cpu: 100m
+            memory: 20Mi
+      terminationGracePeriodSeconds: 10
diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml
@@ -1,12 +1,12 @@
 # Adds namespace to all resources.
-namespace: ca-completer-system
+namespace: default
 
 # Value of this field is prepended to the
 # names of all resources, e.g. a deployment named
 # "wordpress" becomes "alices-wordpress".
 # Note that it should also match with the prefix (text before '-') of the namespace
 # field above.
-namePrefix: ca-completer-
+namePrefix: cert-completer-
 
 # Labels to add to all resources and selectors.
 #commonLabels:

diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml
@@ -4,5 +4,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 images:
 - name: controller
-  newName: erwinvaneyk/ca-completer
+  newName: erwinvaneyk/cert-completer
   newTag: latest
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
@@ -1,10 +1,3 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  labels:
-    control-plane: controller-manager
-  name: system
----
 apiVersion: apps/v1
 kind: Deployment
 metadata:

diff --git a/controllers/controller.go b/controllers/controller.go
@@ -17,15 +17,21 @@ import (
 
 const ErrInvalidCertChain = "failed to parse certificate chain in tls.crt"
 
-type CACompleter struct {
+// CertCompleter parses the TLS certificate chain in a secret with an empty
+// ca.tls, and updates the secret with the last (top-most) certificate in this
+// chain as the ca.crt.
+//
+// Although this does not guarantee that ca.crt contains a root CA, it does
+// guarantee that the CA present is valid for the TLS secret.
+type CertCompleter struct {
 	client.Client
 	Log    logr.Logger
 	Scheme *runtime.Scheme
 }
 
 // +kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch;update;patch
 
-func (c *CACompleter) Reconcile(req reconcile.Request) (reconcile.Result, error) {
+func (c *CertCompleter) Reconcile(req reconcile.Request) (reconcile.Result, error) {
 	ctx := context.Background()
 	log := c.Log.WithValues("secret", req.NamespacedName.String())
 
@@ -50,11 +56,10 @@ func (c *CACompleter) Reconcile(req reconcile.Request) (reconcile.Result, error)
 		log.Info("Updated the ca.crt of the TLS secret.")
 	}
 
-
 	return reconcile.Result{}, nil
 }
 
-func (c *CACompleter) SetupWithManager(mgr ctrl.Manager) error {
+func (c *CertCompleter) SetupWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewControllerManagedBy(mgr).
 		For(&corev1.Secret{}).
 		Complete(c)
@@ -64,7 +69,7 @@ func (c *CACompleter) SetupWithManager(mgr ctrl.Manager) error {
 //
 // If the secret was updated, the updated result is returned. Otherwise, if
 // the secret was not updated, the return value is nil.
-func (c *CACompleter) reconcileSecret(secret *corev1.Secret) (updated *corev1.Secret, err error){
+func (c *CertCompleter) reconcileSecret(secret *corev1.Secret) (updated *corev1.Secret, err error) {
 	log := c.Log.WithValues("secret", fmt.Sprintf("%s/%s", secret.Namespace, secret.Name))
 	log.Info("Evaluating secret...")