Delete the cert manager dependencies and generate the self-signed CA …

…for webhook. (#1707)

Fixes #1680

Signed-off-by: Ye Cao <[email protected]>

charts/vineyard-operator/Chart.yaml

@@ -30,9 +30,3 @@ version: 0.19.3
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 appVersion: 0.19.3
-
-dependencies:
-  - name: cert-manager
-    repository: https://charts.jetstack.io
-    version: v1.8.0
-    condition: cert-manager.enabled

charts/vineyard-operator/templates/backup-crd.yaml

@@ -3,8 +3,6 @@ kind: CustomResourceDefinition
 metadata:
   name: backups.k8s.v6d.io
   annotations:
-    cert-manager.io/inject-ca-from: '{{ .Release.Namespace }}/{{ include "vineyard-operator.fullname"
-      . }}-serving-cert'
     controller-gen.kubebuilder.io/version: v0.8.0
   labels:
   {{- include "vineyard-operator.labels" . | nindent 4 }}

charts/vineyard-operator/templates/csidriver-crd.yaml

@@ -3,8 +3,6 @@ kind: CustomResourceDefinition
 metadata:
   name: csidrivers.k8s.v6d.io
   annotations:
-    cert-manager.io/inject-ca-from: '{{ .Release.Namespace }}/{{ include "vineyard-operator.fullname"
-      . }}-serving-cert'
     controller-gen.kubebuilder.io/version: v0.8.0
   labels:
   {{- include "vineyard-operator.labels" . | nindent 4 }}

charts/vineyard-operator/templates/deployment.yaml

@@ -32,6 +32,9 @@ spec:
       - args:
         - manager
         - --verbose
+        - --namespace
+        - {{ .Release.Namespace }}
+
         command:
         - /vineyardctl
         env:
@@ -59,10 +62,6 @@ spec:
           periodSeconds: 10
         resources: {{- toYaml .Values.controllerManager.manager.resources | nindent 10
           }}
-        volumeMounts:
-        - mountPath: /tmp/k8s-webhook-server/serving-certs
-          name: cert
-          readOnly: true
       - args:
         - --secure-listen-address=0.0.0.0:8443
         - --upstream=http://127.0.0.1:8080/
@@ -83,9 +82,4 @@ spec:
         securityContext: {{- toYaml .Values.controllerManager.kubeRbacProxy.containerSecurityContext
           | nindent 10 }}
       serviceAccountName: {{ include "vineyard-operator.fullname" . }}-manager
-      terminationGracePeriodSeconds: 10
-      volumes:
-      - name: cert
-        secret:
-          defaultMode: 420
-          secretName: vineyard-operator-webhook-server-cert
+      terminationGracePeriodSeconds: 10

charts/vineyard-operator/templates/globalobject-crd.yaml

@@ -3,8 +3,6 @@ kind: CustomResourceDefinition
 metadata:
   name: globalobjects.k8s.v6d.io
   annotations:
-    cert-manager.io/inject-ca-from: '{{ .Release.Namespace }}/{{ include "vineyard-operator.fullname"
-      . }}-serving-cert'
     controller-gen.kubebuilder.io/version: v0.8.0
   labels:
   {{- include "vineyard-operator.labels" . | nindent 4 }}

charts/vineyard-operator/templates/localobject-crd.yaml

@@ -3,8 +3,6 @@ kind: CustomResourceDefinition
 metadata:
   name: localobjects.k8s.v6d.io
   annotations:
-    cert-manager.io/inject-ca-from: '{{ .Release.Namespace }}/{{ include "vineyard-operator.fullname"
-      . }}-serving-cert'
     controller-gen.kubebuilder.io/version: v0.8.0
   labels:
   {{- include "vineyard-operator.labels" . | nindent 4 }}

charts/vineyard-operator/templates/mutating-webhook-configuration.yaml

@@ -3,7 +3,7 @@ kind: MutatingWebhookConfiguration
 metadata:
   name: {{ include "vineyard-operator.fullname" . }}-mutating-webhook-configuration
   annotations:
-    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "vineyard-operator.fullname" . }}-serving-cert
+    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "vineyard-operator.fullname" . }}-
   labels:
   {{- include "vineyard-operator.labels" . | nindent 4 }}
 webhooks:

charts/vineyard-operator/templates/operation-crd.yaml

@@ -3,8 +3,6 @@ kind: CustomResourceDefinition
 metadata:
   name: operations.k8s.v6d.io
   annotations:
-    cert-manager.io/inject-ca-from: '{{ .Release.Namespace }}/{{ include "vineyard-operator.fullname"
-      . }}-serving-cert'
     controller-gen.kubebuilder.io/version: v0.8.0
   labels:
   {{- include "vineyard-operator.labels" . | nindent 4 }}

charts/vineyard-operator/templates/recover-crd.yaml

@@ -3,8 +3,6 @@ kind: CustomResourceDefinition
 metadata:
   name: recovers.k8s.v6d.io
   annotations:
-    cert-manager.io/inject-ca-from: '{{ .Release.Namespace }}/{{ include "vineyard-operator.fullname"
-      . }}-serving-cert'
     controller-gen.kubebuilder.io/version: v0.8.0
   labels:
   {{- include "vineyard-operator.labels" . | nindent 4 }}

charts/vineyard-operator/templates/scheduler-plugin-rbac.yaml

@@ -40,6 +40,28 @@ rules:
   - list
   - get
   - watch
+- apiGroups:
+  - admissionregistration.k8s.io
+  resourceNames:
+  - vineyard-mutating-webhook-configuration
+  resources:
+  - mutatingwebhookconfigurations
+  verbs:
+  - get
+  - list
+  - watch
+  - patch
+- apiGroups:
+  - admissionregistration.k8s.io
+  resourceNames:
+  - vineyard-validating-webhook-configuration
+  resources:
+  - validatingwebhookconfigurations
+  verbs:
+  - get
+  - list
+  - watch
+  - patch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

charts/vineyard-operator/templates/sidecar-crd.yaml

@@ -3,8 +3,6 @@ kind: CustomResourceDefinition
 metadata:
   name: sidecars.k8s.v6d.io
   annotations:
-    cert-manager.io/inject-ca-from: '{{ .Release.Namespace }}/{{ include "vineyard-operator.fullname"
-      . }}-serving-cert'
     controller-gen.kubebuilder.io/version: v0.8.0
   labels:
   {{- include "vineyard-operator.labels" . | nindent 4 }}

charts/vineyard-operator/templates/validating-webhook-configuration.yaml

@@ -3,7 +3,7 @@ kind: ValidatingWebhookConfiguration
 metadata:
   name: {{ include "vineyard-operator.fullname" . }}-validating-webhook-configuration
   annotations:
-    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "vineyard-operator.fullname" . }}-serving-cert
+    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "vineyard-operator.fullname" . }}-
   labels:
   {{- include "vineyard-operator.labels" . | nindent 4 }}
 webhooks:

charts/vineyard-operator/templates/vineyardd-crd.yaml

@@ -3,8 +3,6 @@ kind: CustomResourceDefinition
 metadata:
   name: vineyardds.k8s.v6d.io
   annotations:
-    cert-manager.io/inject-ca-from: '{{ .Release.Namespace }}/{{ include "vineyard-operator.fullname"
-      . }}-serving-cert'
     controller-gen.kubebuilder.io/version: v0.8.0
   labels:
   {{- include "vineyard-operator.labels" . | nindent 4 }}

charts/vineyard-operator/values.yaml

@@ -1,8 +1,3 @@
-cert-manager:
-  enabled: true
-  installCRDs: true
-  extraArgs:
-    - --enable-certificate-owner-ref=true
 controllerManager:
   kubeRbacProxy:
     containerSecurityContext:
@@ -23,6 +18,7 @@ controllerManager:
   manager:
     image:
       repository: vineyardcloudnative/vineyard-operator
+      tag: latest
     imagePullPolicy: IfNotPresent
     resources:
       limits:
@@ -45,3 +41,4 @@ webhookService:
     protocol: TCP
     targetPort: 9443
   type: ClusterIP
+fullnameOverride: vineyard

docs/notes/cloud-native/deploy-kubernetes.rst

@@ -37,8 +37,6 @@ installing directly from the source code.
     Prior to installing the vineyard operator, ensure that you have a Kubernetes cluster and kubectl
     installed. In this guide, we will use `kind`_ to create a cluster.
 
-Before proceeding with the vineyard installation, it is essential to install cert-manager, as it is required
-by the webhook components within the vineyard operator:
 
 Option #1: Install from helm chart (recommended)
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
@@ -77,18 +75,7 @@ Option #2: Install form source code
 
           $ kind load docker-image vineyardcloudnative/vineyard-operator:latest
 
-3. Install the cert-manager
-
-   .. code:: bash
-
-       $ kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.8.0/cert-manager.yaml
-
-   .. note::
-
-       Please wait the cert-manager for a while until it is ready before installing the
-       vineyard operator.
-
-4. Next, deploy the vineyard operator:
+3. Next, deploy the vineyard operator:
 
    .. code:: bash
 

docs/notes/developers/faq.rst

@@ -117,6 +117,5 @@ concerns, please feel free to `open an issue`_ or `post it to discussions`_.
 
 .. _open an issue: https://github.com/v6d-io/v6d/issues/new
 .. _post it to discussions: https://github.com/v6d-io/v6d/discussions/new
-.. _cert-manager: https://cert-manager.io/
 .. _guide: ../../tutorials/kubernetes/using-vineyard-operator.rst
 .. _command line tool: ../../notes/cloud-native/vineyardctl.md

docs/tutorials/kubernetes/ml-pipeline-mars-pytorch.rst

@@ -20,7 +20,7 @@ with 3 worker nodes.
 
 .. code:: bash
 
-    $ cd k8s && make install-vineyard
+    $ cd k8s && make -C k8s/test/e2e install-vineyard-cluster
 
 .. admonition:: Expected output
    :class: admonition-details
@@ -45,57 +45,6 @@ with 3 worker nodes.
 
         Thanks for using kind! 😊
         configmap/local-registry-hosting created
-        Installing cert-manager...
-        namespace/cert-manager created
-        customresourcedefinition.apiextensions.k8s.io/certificaterequests.cert-manager.io created
-        customresourcedefinition.apiextensions.k8s.io/certificates.cert-manager.io created
-        customresourcedefinition.apiextensions.k8s.io/challenges.acme.cert-manager.io created
-        customresourcedefinition.apiextensions.k8s.io/clusterissuers.cert-manager.io created
-        customresourcedefinition.apiextensions.k8s.io/issuers.cert-manager.io created
-        customresourcedefinition.apiextensions.k8s.io/orders.acme.cert-manager.io created
-        serviceaccount/cert-manager-cainjector created
-        serviceaccount/cert-manager created
-        serviceaccount/cert-manager-webhook created
-        configmap/cert-manager-webhook created
-        clusterrole.rbac.authorization.k8s.io/cert-manager-cainjector created
-        clusterrole.rbac.authorization.k8s.io/cert-manager-controller-issuers created
-        clusterrole.rbac.authorization.k8s.io/cert-manager-controller-clusterissuers created
-        clusterrole.rbac.authorization.k8s.io/cert-manager-controller-certificates created
-        clusterrole.rbac.authorization.k8s.io/cert-manager-controller-orders created
-        clusterrole.rbac.authorization.k8s.io/cert-manager-controller-challenges created
-        clusterrole.rbac.authorization.k8s.io/cert-manager-controller-ingress-shim created
-        clusterrole.rbac.authorization.k8s.io/cert-manager-view created
-        clusterrole.rbac.authorization.k8s.io/cert-manager-edit created
-        clusterrole.rbac.authorization.k8s.io/cert-manager-controller-approve:cert-manager-io created
-        clusterrole.rbac.authorization.k8s.io/cert-manager-controller-certificatesigningrequests created
-        clusterrole.rbac.authorization.k8s.io/cert-manager-webhook:subjectaccessreviews created
-        clusterrolebinding.rbac.authorization.k8s.io/cert-manager-cainjector created
-        clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-issuers created
-        clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-clusterissuers created
-        clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-certificates created
-        clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-orders created
-        clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-challenges created
-        clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-ingress-shim created
-        clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-approve:cert-manager-io created
-        clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-certificatesigningrequests created
-        clusterrolebinding.rbac.authorization.k8s.io/cert-manager-webhook:subjectaccessreviews created
-        role.rbac.authorization.k8s.io/cert-manager-cainjector:leaderelection created
-        role.rbac.authorization.k8s.io/cert-manager:leaderelection created
-        role.rbac.authorization.k8s.io/cert-manager-webhook:dynamic-serving created
-        rolebinding.rbac.authorization.k8s.io/cert-manager-cainjector:leaderelection created
-        rolebinding.rbac.authorization.k8s.io/cert-manager:leaderelection created
-        rolebinding.rbac.authorization.k8s.io/cert-manager-webhook:dynamic-serving created
-        service/cert-manager created
-        service/cert-manager-webhook created
-        deployment.apps/cert-manager-cainjector created
-        deployment.apps/cert-manager created
-        deployment.apps/cert-manager-webhook created
-        mutatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook created
-        validatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook created
-        pod/cert-manager-5dd59d9d9b-k9hkm condition met
-        pod/cert-manager-cainjector-8696fc9f89-bmjzh condition met
-        pod/cert-manager-webhook-7d4b5b8c56-fvmc2 condition met
-        Cert-Manager ready.
         Installing vineyard-operator...
         The push refers to repository [localhost:5001/vineyard-operator]
         c3a672704524: Pushed
@@ -131,8 +80,6 @@ with 3 worker nodes.
         service/vineyard-controller-manager-metrics-service created
         service/vineyard-webhook-service created
         deployment.apps/vineyard-controller-manager created
-        certificate.cert-manager.io/vineyard-serving-cert created
-        issuer.cert-manager.io/vineyard-selfsigned-issuer created
         mutatingwebhookconfiguration.admissionregistration.k8s.io/vineyard-mutating-webhook-configuration created
         validatingwebhookconfiguration.admissionregistration.k8s.io/vineyard-validating-webhook-configuration created
         make[1]: Leaving directory '/opt/caoye/v6d/k8s'

docs/tutorials/kubernetes/using-vineyard-operator.rst

@@ -118,9 +118,7 @@ Create a dedicated namespace for the Vineyard Operator.
 
         namespace/vineyard-system created
 
-The operator needs a certificate created by cert-manager for webhook(https),
-and the cert-manager is a sub chart of the vineyard operator chart. Also, the
-Vineyard CRDs、Controllers、Webhooks and Scheduler are packaged by `helm`_, you could
+The Vineyard CRDs、Controllers、Webhooks and Scheduler are packaged by `helm`_, you could
 deploy all resources as follows.
 
 .. note::
@@ -198,27 +196,16 @@ Check the status of all vineyard resources created by helm:
     .. code:: bash
 
         NAME                                                            READY   STATUS    RESTARTS   AGE
-        pod/vineyard-operator-cert-manager-cainjector-b865888cc-xj8x9   1/1     Running   0          2m30s
-        pod/vineyard-operator-cert-manager-d99dcb884-gq9j5              1/1     Running   0          2m30s
-        pod/vineyard-operator-cert-manager-webhook-5bc8fd5d48-vh4bg     1/1     Running   0          2m30s
         pod/vineyard-operator-controller-manager-5bcbb75fb6-cfdpk       2/2     Running   0          2m30s
 
         NAME                                                           TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)    AGE
-        service/vineyard-operator-cert-manager                         ClusterIP   10.96.166.147   <none>        9402/TCP   2m30s
-        service/vineyard-operator-cert-manager-webhook                 ClusterIP   10.96.111.112   <none>        443/TCP    2m30s
         service/vineyard-operator-controller-manager-metrics-service   ClusterIP   10.96.153.134   <none>        8443/TCP   2m30s
         service/vineyard-operator-webhook-service                      ClusterIP   10.96.9.101     <none>        443/TCP    2m30s
 
         NAME                                                        READY   UP-TO-DATE   AVAILABLE   AGE
-        deployment.apps/vineyard-operator-cert-manager              1/1     1            1           2m30s
-        deployment.apps/vineyard-operator-cert-manager-cainjector   1/1     1            1           2m30s
-        deployment.apps/vineyard-operator-cert-manager-webhook      1/1     1            1           2m30s
         deployment.apps/vineyard-operator-controller-manager        1/1     1            1           2m30s
 
         NAME                                                                  DESIRED   CURRENT   READY   AGE
-        replicaset.apps/vineyard-operator-cert-manager-cainjector-b865888cc   1         1         1       2m30s
-        replicaset.apps/vineyard-operator-cert-manager-d99dcb884              1         1         1       2m30s
-        replicaset.apps/vineyard-operator-cert-manager-webhook-5bc8fd5d48     1         1         1       2m30s
         replicaset.apps/vineyard-operator-controller-manager-5bcbb75fb6       1         1         1       2m30s
 
 Step 2: Deploy a Vineyard Cluster

k8s/Makefile

@@ -284,9 +284,8 @@ bundle-build:
 # Build all bundle operator
 .PHONY: generate-helm-chart
 generate-helm-chart: helmify kustomize
-	cd ../charts && $(KUSTOMIZE) build ../k8s/config/default | $(HELMIFY) --cert-manager-as-subchart vineyard-operator && \
+	cd ../charts && $(KUSTOMIZE) build ../k8s/config/default | $(HELMIFY) vineyard-operator && \
 	sed -i 's/\/var\/run\/vineyard-kubernetes\/{{.Namespace}}\/{{.Name}}/\/var\/run\/vineyard-kubernetes\/{{ \"{{.Namespace}}\/{{.Name}}\" }}/g' \
 	vineyard-operator/templates/vineyardd-crd.yaml && \
-	sed -i '/tag: latest/d' vineyard-operator/values.yaml && \
-	sed -i 's/certManager/cert-manager/g' vineyard-operator/values.yaml && \
-	sed -i '4i\  extraArgs:\n    - --enable-certificate-owner-ref=true' vineyard-operator/values.yaml
+	sed -i '/- --verbose/a \        - --namespace\n        - {{ .Release.Namespace }}\n' vineyard-operator/templates/deployment.yaml && \
+	echo 'fullnameOverride: vineyard' >> vineyard-operator/values.yaml