feat: remove cert-manager as dependency

dash0hq · Aug 9, 2024 · 18136a4 · 18136a4
1 parent a7006d3
commit 18136a4
Show file tree

Hide file tree

Showing 32 changed files with 489 additions and 722 deletions.
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -11,16 +11,6 @@ Contributing
 
 ## Deploying to a Local Cluster for Testing Purposes
 
-Make sure your cluster has cert-manager running. If not, refer to https://cert-manager.io/docs/installation/.
-
-E.g.:
-
-```
-helm repo add jetstack https://charts.jetstack.io --force-update
-helm repo update
-helm install cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace --version v1.14.5 --set installCRDs=true
-```
-
 This approach is suitable for deploying the operator to a cluster running locally on your machine, for example
 via the Kubernetes support included in Docker Desktop.
 

diff --git a/README.md b/README.md
@@ -4,7 +4,7 @@
 [![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/dash0-operator)](https://artifacthub.io/packages/search?repo=dash0-operator)
 
 The Dash0 Kubernetes Operator makes observability for Kubernetes _easy_.
-Simply install the operator into your cluster to get OpenTelemetry data flowing from your applications and
+Install the operator into your cluster and create just custom resource to get OpenTelemetry data flowing from your applications and
 infrastructure to Dash0.
 
 ## Description

diff --git a/helm-chart/dash0-operator/templates/_helpers.tpl b/helm-chart/dash0-operator/templates/_helpers.tpl
@@ -39,7 +39,7 @@ helm.sh/chart: {{ include "dash0-operator.chartNameWithVersion" . }}
 
 {{/* service account name */}}
 {{- define "dash0-operator.serviceAccountName" -}}
-{{- default (printf "%s-controller-manager" (include "dash0-operator.chartName" .)) .Values.operator.serviceAccount.name }}
+{{- default (printf "%s-controller" (include "dash0-operator.chartName" .)) .Values.operator.serviceAccount.name }}
 {{- end }}
 
 {{/* the controller manager container image */}}

diff --git a/helm-chart/dash0-operator/templates/operator/cluster-role-bindings.yaml b/helm-chart/dash0-operator/templates/operator/cluster-role-bindings.yaml
@@ -3,9 +3,9 @@ kind: ClusterRoleBinding
 metadata:
   name: {{ template "dash0-operator.chartName" . }}-manager-rolebinding
   labels:
-    app.kubernetes.io/name: clusterrolebinding
-    app.kubernetes.io/instance: manager-rolebinding
-    app.kubernetes.io/component: rbac
+    app.kubernetes.io/name: dash0-operator
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: role-binding
     {{- include "dash0-operator.labels" . | nindent 4 }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -21,9 +21,9 @@ kind: ClusterRoleBinding
 metadata:
   name: {{ template "dash0-operator.chartName" . }}-proxy-rolebinding
   labels:
-    app.kubernetes.io/name: clusterrolebinding
-    app.kubernetes.io/instance: proxy-rolebinding
-    app.kubernetes.io/component: kube-rbac-proxy
+    app.kubernetes.io/name: dash0-operator
+    app.kubernetes.io/component: proxy
+    app.kubernetes.io/instance: role-binding
     {{- include "dash0-operator.labels" . | nindent 4 }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io

diff --git a/helm-chart/dash0-operator/templates/operator/cluster-roles.yaml b/helm-chart/dash0-operator/templates/operator/cluster-roles.yaml
@@ -3,9 +3,9 @@ kind: ClusterRole
 metadata:
   name: {{ template "dash0-operator.chartName" . }}-manager-role
   labels:
-    app.kubernetes.io/name: clusterrole
+    app.kubernetes.io/name: dash0-operator
+    app.kubernetes.io/component: controller
     app.kubernetes.io/instance: manager-role
-    app.kubernetes.io/component: kube-rbac-proxy
     {{- include "dash0-operator.labels" . | nindent 4 }}
 
 rules:
@@ -179,9 +179,9 @@ kind: ClusterRole
 metadata:
   name: {{ template "dash0-operator.chartName" . }}-metrics-reader
   labels:
-    app.kubernetes.io/name: clusterrole
-    app.kubernetes.io/instance: metrics-reader
-    app.kubernetes.io/component: kube-rbac-proxy
+    app.kubernetes.io/name: dash0-operator
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: metrics-role
     {{- include "dash0-operator.labels" . | nindent 4 }}
 rules:
 - nonResourceURLs:
@@ -194,9 +194,9 @@ kind: ClusterRole
 metadata:
   name: {{ template "dash0-operator.chartName" . }}-proxy-role
   labels:
-    app.kubernetes.io/name: clusterrole
+    app.kubernetes.io/name: dash0-operator
+    app.kubernetes.io/component: controller
     app.kubernetes.io/instance: proxy-role
-    app.kubernetes.io/component: kube-rbac-proxy
     {{- include "dash0-operator.labels" . | nindent 4 }}
 rules:
 - apiGroups:

diff --git a/helm-chart/dash0-operator/templates/operator/custom-resource-definition-dash0.yaml b/helm-chart/dash0-operator/templates/operator/custom-resource-definition-dash0.yaml
@@ -2,7 +2,6 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ template "dash0-operator.chartName" . }}-serving-cert
     controller-gen.kubebuilder.io/version: v0.14.0
   name: dash0monitorings.operator.dash0.com
 spec:

diff --git a/...erator/templates/operator/deployment.yaml → ...ates/operator/deployment-and-webhook.yaml b/...erator/templates/operator/deployment.yaml → ...ates/operator/deployment-and-webhook.yaml
@@ -1,14 +1,45 @@
+{{- /*
+   * Helm does not have a way to share generated values between files.
+   * And it does _actually_ create resources in pre-install / pre-upgrade hooks
+   * before rendering the rest of the chart. So, we do not have another way to
+   * generate a self-signed cert and use it across deployment, webhook and service
+   * other than lumping all these resourceds in the same file.
+  */ -}}
+{{- $altNames := list ( printf "%s-injector.%s.svc" (include "dash0-operator.chartName" . ) .Release.Namespace ) ( printf "%s-metrics.%s.svc" (include "dash0-operator.chartName" . ) .Release.Namespace ) -}}
+{{- $ca := genCA "dash0-operator-ca" 365 -}}
+{{- $cert := genSignedCert ( include "dash0-operator.chartName" . ) nil $altNames 365 $ca -}}
+{{- /*
+   * On upgrade, we want to avoid the injector service from routing to older
+   * pod, which will use a different certificate. Therefore, we add a digest
+   * of the cert as a label of the controller pods, which we can use in service
+   * selector to ensure routing to the newer controller pods.
+   */ -}}
+{{- $certFingerprint := $cert.Cert | b64enc | substr 10 25 | quote }}
+---
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/tls
+metadata:
+  name: {{ include "dash0-operator.chartName" . }}-certificates
+  labels:
+    app.kubernetes.io/name: dash0-operator
+    app.kubernetes.io/component: certificates
+    app.kubernetes.io/instance: secret
+data:
+  ca.crt: {{ $ca.Cert | b64enc }}
+  tls.crt: {{ $cert.Cert | b64enc }}
+  tls.key: {{ $cert.Key | b64enc }}
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: {{ include "dash0-operator.chartName" . }}-controller-manager
+  name: {{ include "dash0-operator.chartName" . }}-controller
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: deployment
-    app.kubernetes.io/instance: controller-manager
-    app.kubernetes.io/component: manager
+    app.kubernetes.io/name: dash0-operator
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: deployment
     {{- include "dash0-operator.labels" . | nindent 4 }}
-    control-plane: controller-manager
     dash0.com/enable: "false"
   {{- with .Values.operator.deploymentAnnotations }}
   annotations:
@@ -18,7 +49,8 @@ spec:
   replicas: {{ .Values.operator.replicaCount }}
   selector:
     matchLabels:
-      control-plane: controller-manager
+      app.kubernetes.io/name: dash0-operator
+      app.kubernetes.io/component: controller
   template:
     metadata:
       annotations:
@@ -27,7 +59,9 @@ spec:
         {{- include "dash0-operator.podAnnotations" . | nindent 8 }}
         {{- end }}
       labels:
-        control-plane: controller-manager
+        app.kubernetes.io/name: dash0-operator
+        app.kubernetes.io/component: controller
+        dash0.cert-digest: {{ $certFingerprint }}
         {{- if .Values.operator.podLabels }}
         {{- include "dash0-operator.podLabels" . | nindent 8 }}
         {{- end }}
@@ -98,7 +132,7 @@ spec:
         {{ include "dash0-operator.restrictiveContainerSecurityContext" . | nindent 8 }}
         volumeMounts:
         - mountPath: /tmp/k8s-webhook-server/serving-certs
-          name: cert
+          name: certificates
           readOnly: true
         livenessProbe:
           httpGet:
@@ -142,7 +176,115 @@ spec:
       automountServiceAccountToken: true
       terminationGracePeriodSeconds: 10
       volumes:
-      - name: cert
+      - name: certificates
         secret:
           defaultMode: 420
-          secretName: webhook-server-cert
+          secretName: {{ include "dash0-operator.chartName" . }}-certificates
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "dash0-operator.chartName" . }}-injector
+  labels:
+    app.kubernetes.io/name: dash0-operator
+    app.kubernetes.io/component: injector
+    app.kubernetes.io/instance: mutating-webhook-service
+    {{- include "dash0-operator.labels" . | nindent 4 }}
+spec:
+  ports:
+  - port: {{ .Values.operator.webhookPort }}
+    protocol: TCP
+    targetPort: 9443
+  selector:
+    app.kubernetes.io/name: dash0-operator
+    app.kubernetes.io/component: controller
+    dash0.cert-digest: {{ $certFingerprint }}
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: {{ template "dash0-operator.chartName" . }}-injector
+  labels:
+    app.kubernetes.io/name: dash0-operator
+    app.kubernetes.io/component: injector
+    app.kubernetes.io/instance: mutating-webhook
+    {{- include "dash0-operator.labels" . | nindent 4 }}
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    caBundle: {{ default "" ( $ca.Cert | b64enc ) }}
+    service:
+      name: {{ template "dash0-operator.chartName" . }}-injector
+      namespace: {{ .Release.Namespace }}
+      path: /v1alpha1/inject/dash0
+  failurePolicy: Ignore
+  name: inject.dash0.kb.io
+  rules:
+  - apiGroups:
+    - apps
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - daemonsets
+    - deployments
+    - replicasets
+    - statefulsets
+  - apiGroups:
+    - batch
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - cronjobs
+  - apiGroups:
+      - batch
+    apiVersions:
+      - v1
+    operations:
+      # do not listen to UPDATE for jobs, we cannot revert instrumentation or do anything on UPDATE requests, since jobs
+      # are immutable
+      - CREATE
+    resources:
+      - jobs
+  - apiGroups: [""]
+    apiVersions:
+    - v1
+    operations:
+    # do not listen to UPDATE for pods, we cannot revert instrumentation or do anything on UPDATE requests, since pods
+    # are effectively immutable (we cannot restart ownerless pods)
+      - CREATE
+    resources:
+    - pods
+  sideEffects: None
+  timeoutSeconds: 5
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "dash0-operator.chartName" . }}-metrics
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: dash0-operator
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: metrics-service
+    {{- include "dash0-operator.labels" . | nindent 4 }}
+  {{- with .Values.operator.serviceAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  ports:
+  - name: https
+    port: {{ .Values.operator.metricsPort }}
+    protocol: TCP
+    targetPort: https
+  selector:
+    app.kubernetes.io/name: dash0-operator
+    app.kubernetes.io/component: controller
+    dash0.cert-digest: {{ $certFingerprint }}
diff --git a/helm-chart/dash0-operator/templates/operator/pre-delete-hook.yaml b/helm-chart/dash0-operator/templates/operator/pre-delete-hook.yaml
@@ -4,9 +4,9 @@ metadata:
   name: {{ include "dash0-operator.chartName" . }}-pre-delete
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: job
+    app.kubernetes.io/name: dash0-operator
+    app.kubernetes.io/component: uninstallation-process
     app.kubernetes.io/instance: pre-delete-hook
-    app.kubernetes.io/component: pre-delete
     {{- include "dash0-operator.labels" . | nindent 4 }}
     dash0.com/enable: "false"
   annotations:
@@ -17,7 +17,8 @@ spec:
     metadata:
       name: {{ .Release.Name }}-pre-delete-job
       labels:
-        app.kubernetes.io/instance: pre-delete-hook
+        app.kubernetes.io/name: dash0-operator
+        app.kubernetes.io/component: pre-delete
         app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
         helm.sh/chart: {{ include "dash0-operator.chartNameWithVersion" . }}
     spec:

diff --git a/helm-chart/dash0-operator/templates/operator/role-binding.yaml b/helm-chart/dash0-operator/templates/operator/role-binding.yaml
@@ -4,9 +4,9 @@ metadata:
   name: {{ template "dash0-operator.chartName" . }}-leader-election-rolebinding
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: rolebinding
+    app.kubernetes.io/name: dash0-operator
+    app.kubernetes.io/component: controller
     app.kubernetes.io/instance: leader-election-rolebinding
-    app.kubernetes.io/component: rbac
     {{- include "dash0-operator.labels" . | nindent 4 }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io

diff --git a/helm-chart/dash0-operator/templates/operator/role.yaml b/helm-chart/dash0-operator/templates/operator/role.yaml
@@ -4,9 +4,9 @@ metadata:
   name: {{ template "dash0-operator.chartName" . }}-leader-election-role
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: role
+    app.kubernetes.io/name: dash0-operator
+    app.kubernetes.io/component: controller
     app.kubernetes.io/instance: leader-election-role
-    app.kubernetes.io/component: rbac
     {{- include "dash0-operator.labels" . | nindent 4 }}
 rules:
 - apiGroups:

diff --git a/helm-chart/dash0-operator/templates/operator/service-account.yaml b/helm-chart/dash0-operator/templates/operator/service-account.yaml
@@ -5,8 +5,8 @@ metadata:
   name: {{ template "dash0-operator.serviceAccountName" . }}
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: serviceaccount
-    app.kubernetes.io/instance: controller-manager-sa
-    app.kubernetes.io/component: rbac
+    app.kubernetes.io/name: dash0-operator
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: service-account
     {{- include "dash0-operator.labels" . | nindent 4 }}
 {{- end }}
diff --git a/helm-chart/dash0-operator/templates/operator/service.yaml b/helm-chart/dash0-operator/templates/operator/service.yaml