update doc

Author: kagaya85

versions/kruise-game/next/README.md

@@ -31,10 +31,56 @@ The following table lists the configurable parameters of the kruise-game chart a
 | `network.totalWaitTime`          | Maximum time to wait for network ready, the unit is seconds                 | `60`                             |
 | `network.probeIntervalTime`      | Time interval for detecting network status, the unit is seconds             | `5`                              |
 | `cloudProvider.installCRD`       | Whether to install CloudProvider CRD                                        | `true`                           |
+| `certificates.autoGenerated`     | Whether to auto-generate webhook certificates                                | `true`                           |
+| `certificates.secretName`        | Name of the secret containing webhook certificates                           | `kruise-game-certs`              |
+| `certificates.mountPath`         | Path to mount webhook certificates in container                              | `/tmp/webhook-certs/`            |
+| `certificates.certManager.enabled` | Whether to use cert-manager for certificate management                   | `false`                          |
+| `certificates.certManager.duration` | Certificate validity duration                                            | `8760h0m0s`                      |
+| `certificates.certManager.renewBefore` | Time before expiry to renew certificate                               | `5840h0m0s`                      |
+| `certificates.certManager.generateCA` | Whether to generate a Certificate Authority                             | `true`                           |
+| `certificates.certManager.caSecretName` | Name of the secret containing the CA certificate                      | `kruise-game-ca`                 |
+| `certificates.certManager.issuer.generate` | Whether to generate the issuer automatically                         | `true`                           |
+| `certificates.certManager.issuer.name` | Name of the certificate issuer                                        | `kruise-ca`                      |
+| `certificates.certManager.issuer.kind` | Type of the certificate issuer                                        | `ClusterIssuer`                  |
+| `certificates.certManager.issuer.group` | API group of the certificate issuer                                  | `cert-manager.io`                |
 
 
 Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
 
+### Certificate Management
+
+> **Important**: Kruise Game webhook requires TLS certificates for secure communication. Regardless of which certificate management method you choose, you must ensure that the webhook certificate is signed by a trusted CA certificate, and that the CA certificate is properly configured in the Kubernetes cluster so that the API Server can verify the webhook's identity.
+
+Kruise Game supports two methods for webhook certificate management:
+
+#### Auto-generated Certificates (Default)
+
+By default, kruise-game uses auto-generated certificates for webhook TLS:
+
+```bash
+$ helm install kruise-game https://... --set certificates.autoGenerated=true
+```
+
+#### cert-manager Integration
+
+For production environments, you can use cert-manager to manage webhook certificates:
+
+```bash
+$ helm install kruise-game https://... \
+  --set certificates.autoGenerated=false \
+  --set certificates.certManager.enabled=true \
+```
+
+You can also use a custom issuer instead of generating one:
+
+```bash
+$ helm install kruise-game https://... \
+  --set certificates.certManager.enabled=true \
+  --set certificates.certManager.issuer.generate=false \
+  --set certificates.certManager.issuer.name=my-custom-issuer \
+  --set certificates.certManager.issuer.kind=Issuer
+```
+
 ### Optional: the local image for China
 
 If you are in China and have problem to pull image from official DockerHub, you can use the registry hosted on Alibaba Cloud:

versions/kruise-game/next/templates/manager.yaml

@@ -101,8 +101,10 @@ spec:
           volumeMounts:
             - mountPath: /etc/kruise-game
               name: provider-config
+            {{- if not .Values.certificates.autoGenerated}}
             - mountPath: {{ .Values.certificates.mountPath }}
               name: certificates
+            {{- end }}
       topologySpreadConstraints:
       - labelSelector:
           matchLabels:
@@ -124,8 +126,10 @@ spec:
                 path: config.toml
             name: kruise-game-manager-config
           name: provider-config
+        {{- if not .Values.certificates.autoGenerated }}
         - name: certificates
           secret:
             defaultMode: 420
             secretName: {{ .Values.certificates.secretName}}
             optional: {{ and .Values.certificates.autoGenerated ( not .Values.certificates.certManager.enabled ) }}
+        {{- end }}

versions/kruise-game/next/templates/webhooks/mutatingconfiguration.yaml

@@ -1,3 +1,4 @@
+{{- if not .Values.certificates.autoGenerated }}
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:
@@ -39,4 +40,5 @@ webhooks:
     matchExpressions:
     - key: game.kruise.io/owner-gss
       operator: Exists
-  sideEffects: None
+  sideEffects: None
+{{- end}}

versions/kruise-game/next/templates/webhooks/validatingconfiguration.yaml

@@ -1,3 +1,4 @@
+{{- if not .Values.certificates.autoGenerated }}
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
@@ -37,4 +38,5 @@ webhooks:
     resources:
     - gameserversets
   sideEffects: None
-  timeoutSeconds: 10
+  timeoutSeconds: 10
+{{- end}}