update cert manifests

kagaya85 · kagaya85 · commit 44b8308b50af · 2025-07-09T20:52:22.000+08:00
Signed-off-by: Kagaya &lt;kagaya85@outlook.com&gt;
diff --git a/versions/kruise-game/next/Chart.yaml b/versions/kruise-game/next/Chart.yaml
@@ -8,4 +8,5 @@ sources:
   - https://github.com/openkruise/kruise-game
 annotations:
   artifacthub.io/changes: |
-    - "[Changed]: https://github.com/openkruise/kruise-game/blob/master/CHANGELOG.md"
+    - "[Changed]: https://github.com/openkruise/kruise-game/blob/master/CHANGELOG.md"
+    - "[Added]: Support for cert-manager with CA injection"
diff --git a/versions/kruise-game/next/templates/cert-manager/okg-tls-certificate.yaml b/versions/kruise-game/next/templates/cert-manager/okg-tls-certificate.yaml
@@ -2,19 +2,20 @@
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
-  name: {{ .Values.kruiseGame.fullname }}-tls-certificates
+  name: {{ .Values.kruiseGame.fullname }}-cert
   namespace: {{ .Values.installation.namespace }}
 spec:
   commonName: {{ .Values.kruiseGame.fullname }}
   dnsNames:
-  - {{ ..Values.kruiseGame.webhook.serviceName }}.{{ .Values.installation.namespace }}
-  - {{ ..Values.kruiseGame.webhook.serviceName }}.{{ .Values.installation.namespace }}.svc
-  - {{ ..Values.kruiseGame.webhook.serviceName }}.{{ .Values.installation.namespace }}.svc.{{ .Values.clusterDomain }}
+  - {{ .Values.kruiseGame.webhook.serviceName }}.{{ .Values.installation.namespace }}
+  - {{ .Values.kruiseGame.webhook.serviceName }}.{{ .Values.installation.namespace }}.svc
+  - {{ .Values.kruiseGame.webhook.serviceName }}.{{ .Values.installation.namespace }}.svc.{{ .Values.clusterDomain }}
   secretName: {{ .Values.certificates.secretName }}
   usages:
     - server auth
     - client auth
   privateKey:
+    rotationPolicy: Always
     algorithm: RSA
     size: 2048
   duration: {{ .Values.certificates.certManager.duration }}
diff --git a/versions/kruise-game/next/templates/cert-manager/self-ca.yaml b/versions/kruise-game/next/templates/cert-manager/self-ca.yaml
@@ -9,12 +9,13 @@ spec:
   commonName: {{ .Values.kruiseGame.fullname }}
   secretName: {{ .Values.certificates.certManager.caSecretName }}
   privateKey:
+    rotationPolicy: Always
     algorithm: RSA
     size: 2048
   duration: 8760h0m0s # 1 year
   renewBefore: 720h0m0s # 1 month
   issuerRef:
-    name: {{ .Values.operator.name }}-selfsigned-issuer
+    name: {{ .Values.kruiseGame.fullname }}-selfsigned-issuer
     kind: Issuer
     group: cert-manager.io
 {{- end }}
diff --git a/versions/kruise-game/next/templates/manager.yaml b/versions/kruise-game/next/templates/manager.yaml
@@ -60,6 +60,9 @@ spec:
             - --api-server-qps={{ .Values.kruiseGame.apiServerQps }}
             - --api-server-qps-burst={{ .Values.kruiseGame.apiServerQpsBurst }}
             - --scale-server-bind-address=:{{ .Values.scale.service.targetPort }}
+            {{- if not .Values.certificates.autoGenerated }}
+            - --enable-cert-generation={{ .Values.certificates.autoGenerated }}
+            {{- end }}
             {{- if .Values.prometheus.enabled }}
             - --metrics-bind-address=:{{ .Values.prometheus.monitorService.port }}
             {{- end }}
@@ -98,6 +101,8 @@ spec:
           volumeMounts:
             - mountPath: /etc/kruise-game
               name: provider-config
+            - mountPath: {{ .Values.certificates.mountPath }}
+              name: certificates
       topologySpreadConstraints:
       - labelSelector:
           matchLabels:
@@ -108,7 +113,7 @@ spec:
 {{- end }}
         maxSkew: 1
         topologyKey: topology.kubernetes.io/zone
-        whenUnsatisfiable:  ScheduleAnyway
+        whenUnsatisfiable: ScheduleAnyway
       serviceAccountName: {{ .Values.kruiseGame.fullname }}
       terminationGracePeriodSeconds: 10
       volumes:
@@ -119,3 +124,8 @@ spec:
                 path: config.toml
             name: kruise-game-manager-config
           name: provider-config
+        - name: certificates
+          secret:
+            defaultMode: 420
+            secretName: {{ .Values.certificates.secretName}}
+            optional: {{ and .Values.certificates.autoGenerated ( not .Values.certificates.certManager.enabled ) }}
diff --git a/versions/kruise-game/next/templates/webhooks/mutatingconfiguration.yaml b/versions/kruise-game/next/templates/webhooks/mutatingconfiguration.yaml
@@ -0,0 +1,42 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  annotations:
+    {{- if .Values.certificates.certManager.enabled }}
+    {{- if and (not .Values.certificates.certManager.generateCA) .Values.certificates.certManager.issuer.generate }}
+    cert-manager.io/inject-ca-from-secret: {{ .Values.installation.namespace }}/{{ .Values.certificates.certManager.caSecretName }}
+    {{- else }}
+    cert-manager.io/inject-ca-from: {{ .Values.installation.namespace }}/{{ .Values.kruiseGame.fullname }}-cert
+    {{- end }}
+    {{- end }}
+  labels:
+    app.kubernetes.io/name: {{ .Values.kruiseGame.fullname }}
+  name: kruise-game-mutating-webhook
+webhooks:
+- admissionReviewVersions:
+  - v1
+  - v1beta1
+  clientConfig:
+    service:
+      name: {{ .Values.kruiseGame.webhook.serviceName }}
+      namespace: {{ .Values.installation.namespace }}
+      path: /mutate-v1-pod
+  failurePolicy: {{ .Values.kruiseGame.webhook.failurePolicy }}
+  matchPolicy: Equivalent
+  name: mgameserverset.kb.io
+  rules:
+  - operations:
+    - CREATE
+    - UPDATE
+    - DELETE
+    apiGroups:
+    - ""
+    apiVersions:
+    - v1
+    resources:
+    - pods
+  objectSelector:
+    matchExpressions:
+    - key: game.kruise.io/owner-gss
+      operator: Exists
+  sideEffects: None
diff --git a/versions/kruise-game/next/templates/webhooks/service.yaml b/versions/kruise-game/next/templates/webhooks/service.yaml
diff --git a/versions/kruise-game/next/templates/webhooks/validatingconfiguration.yaml b/versions/kruise-game/next/templates/webhooks/validatingconfiguration.yaml
@@ -0,0 +1,40 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  annotations:
+    {{- if .Values.certificates.certManager.enabled }}
+    {{- if and (not .Values.certificates.certManager.generateCA) .Values.certificates.certManager.issuer.generate }}
+    cert-manager.io/inject-ca-from-secret: {{ .Values.installation.namespace }}/{{ .Values.certificates.certManager.caSecretName }}
+    {{- else }}
+    cert-manager.io/inject-ca-from: {{ .Values.installation.namespace }}/{{ .Values.kruiseGame.fullname }}-cert
+    {{- end }}
+    {{- end }}
+  labels:
+    app.kubernetes.io/name: {{ .Values.kruiseGame.fullname }}
+  name: kruise-game-validating-webhook
+webhooks:
+- admissionReviewVersions:
+  - v1
+  - v1beta1
+  clientConfig:
+    service:
+      name: {{ .Values.kruiseGame.webhook.serviceName }}
+      namespace: {{ .Values.installation.namespace }}
+      path: /validate-v1alpha1-gss
+  failurePolicy: {{ .Values.kruiseGame.webhook.failurePolicy }}
+  matchPolicy: Equivalent
+  name: vgameserverset.kb.io
+  namespaceSelector: {}
+  objectSelector: {}
+  rules:
+  - apiGroups:
+    - game.kruise.io
+    apiVersions:
+    - v1alpha1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - gameserversets
+  sideEffects: None
+  timeoutSeconds: 10
diff --git a/versions/kruise-game/next/values.yaml b/versions/kruise-game/next/values.yaml
@@ -14,6 +14,7 @@ kruiseGame:
     serviceName: kruise-game-webhook-service
     port: 443
     targetPort: 9876
+    failurePolicy: Fail
   apiServerQps: 5
   apiServerQpsBurst: 10
 
@@ -80,12 +81,6 @@ certificates:
     renewBefore: 5840h0m0s # 8 months
     generateCA: true
     caSecretName: "kruise-game-ca"
-    secretTemplate: {}
-      # annotations:
-      #   my-secret-annotation-1: "foo"
-      #   my-secret-annotation-2: "bar"
-      # labels:
-      #   my-secret-label: foo
     # -- Reference to custom Issuer. If issuer.generate is false, then issuer.group, issuer.kind and issuer.name are required
     issuer:
       generate: true
