add option to reuse previously auto-generated cert

open-telemetry · Oct 29, 2023 · 1e9c02b · 1e9c02b
1 parent d8a3e0e
commit 1e9c02b
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 44 deletions.
diff --git a/charts/opentelemetry-operator/templates/admission-webhooks/operator-webhook.yaml b/charts/opentelemetry-operator/templates/admission-webhooks/operator-webhook.yaml
@@ -1,7 +1,27 @@
 {{- if and (.Values.admissionWebhooks.create) (not .Values.admissionWebhooks.certManager.enabled) }}
 {{- $altNames := list ( printf "%s-webhook.%s" (include "opentelemetry-operator.fullname" .) .Release.Namespace ) ( printf "%s-webhook.%s.svc" (include "opentelemetry-operator.fullname" .) .Release.Namespace ) -}}
-{{- $ca := genCA "opentelemetry-operator-operator-ca" 365 -}}
-{{- $cert := genSignedCert (include "opentelemetry-operator.fullname" .) nil $altNames 365 $ca -}}
+{{- $caCertEnc := "" }}
+{{- $certCrtEnc := "" }}
+{{- $certKeyEnc := "" }}
+{{- if .Values.admissionWebhooks.autoGenerateCert }}
+{{- $prevSecret := (lookup "v1" "Secret" .Release.Namespace (default (printf "%s-controller-manager-service-cert" (include "opentelemetry-operator.fullname" .)) .Values.admissionWebhooks.secretName )) }}
+{{- $prevHook := (lookup "admissionregistration.k8s.io/v1" "MutatingWebhookConfiguration" .Release.Namespace (print (include "opentelemetry-operator.MutatingWebhookName" . ) "-mutation")) }}
+{{- if and .Values.admissionWebhooks.autoGenerateReuseCert $prevSecret $prevHook }}
+{{- $certCrtEnc = index $prevSecret "data" "tls.crt" }}
+{{- $certKeyEnc = index $prevSecret "data" "tls.key" }}
+{{- $caCertEnc = (first $prevHook.webhooks).clientConfig.caBundle }}
+{{- else }}
+{{- $ca := genCA "opentelemetry-operator-operator-ca" 365 }}
+{{- $cert := genSignedCert (include "opentelemetry-operator.fullname" .) nil $altNames 365 $ca }}
+{{- $certCrtEnc = b64enc $cert.Cert }}
+{{- $certKeyEnc = b64enc $cert.Key }}
+{{- $caCertEnc = b64enc $ca.Cert }}
+{{- end }}
+{{- else }}
+{{- $certCrtEnc = b64enc .Values.admissionWebhooks.cert_file }}
+{{- $certKeyEnc = b64enc .Values.admissionWebhooks.key_file }}
+{{- $caCertEnc = b64enc .Values.admissionWebhooks.ca_file }}
+{{- end }}
 apiVersion: v1
 kind: Secret
 type: kubernetes.io/tls
@@ -21,13 +41,8 @@ metadata:
   name: {{ default (printf "%s-controller-manager-service-cert" (include "opentelemetry-operator.fullname" .)) .Values.admissionWebhooks.secretName }}
   namespace: {{ .Release.Namespace }}
 data:
-  {{- if .Values.admissionWebhooks.autoGenerateCert }}
-  tls.crt: {{ $cert.Cert | b64enc }}
-  tls.key: {{ $cert.Key | b64enc }}
-  {{- else }}
-  tls.crt: {{ .Values.admissionWebhooks.cert_file | b64enc }}
-  tls.key: {{ .Values.admissionWebhooks.key_file | b64enc }}
-  {{- end }}
+  tls.crt: {{ $certCrtEnc }}
+  tls.key: {{ $certKeyEnc }}
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
@@ -40,11 +55,7 @@ webhooks:
   - admissionReviewVersions:
       - v1
     clientConfig:
-      {{- if .Values.admissionWebhooks.autoGenerateCert }}
-      caBundle: {{ $ca.Cert | b64enc }}
-      {{- else }}
-      caBundle: {{ .Values.admissionWebhooks.ca_file | b64enc }}
-      {{- end }}
+      caBundle: {{ $caCertEnc }}
       service:
         name: {{ template "opentelemetry-operator.fullname" . }}-webhook
         namespace: {{ .Release.Namespace }}
@@ -74,11 +85,7 @@ webhooks:
   - admissionReviewVersions:
       - v1
     clientConfig:
-      {{- if .Values.admissionWebhooks.autoGenerateCert }}
-      caBundle: {{ $ca.Cert | b64enc }}
-      {{- else }}
-      caBundle: {{ .Values.admissionWebhooks.ca_file | b64enc }}
-      {{- end }}
+      caBundle: {{ $caCertEnc }}
       service:
         name: {{ template "opentelemetry-operator.fullname" . }}-webhook
         namespace: {{ .Release.Namespace }}
@@ -108,11 +115,7 @@ webhooks:
   - admissionReviewVersions:
       - v1
     clientConfig:
-      {{- if .Values.admissionWebhooks.autoGenerateCert }}
-      caBundle: {{ $ca.Cert | b64enc }}
-      {{- else }}
-      caBundle: {{ .Values.admissionWebhooks.ca_file | b64enc }}
-      {{- end }}
+      caBundle: {{ $caCertEnc }}
       service:
         name: {{ template "opentelemetry-operator.fullname" . }}-webhook
         namespace: {{ .Release.Namespace }}
@@ -153,11 +156,7 @@ webhooks:
   - admissionReviewVersions:
       - v1
     clientConfig:
-      {{- if .Values.admissionWebhooks.autoGenerateCert }}
-      caBundle: {{ $ca.Cert | b64enc }}
-      {{- else }}
-      caBundle: {{ .Values.admissionWebhooks.ca_file | b64enc }}
-      {{- end }}
+      caBundle: {{ $caCertEnc }}
       service:
         name: {{ template "opentelemetry-operator.fullname" . }}-webhook
         namespace: {{ .Release.Namespace }}
@@ -187,11 +186,7 @@ webhooks:
   - admissionReviewVersions:
       - v1
     clientConfig:
-      {{- if .Values.admissionWebhooks.autoGenerateCert }}
-      caBundle: {{ $ca.Cert | b64enc }}
-      {{- else }}
-      caBundle: {{ .Values.admissionWebhooks.ca_file | b64enc }}
-      {{- end }}
+      caBundle: {{ $caCertEnc }}
       service:
         name: {{ template "opentelemetry-operator.fullname" . }}-webhook
         namespace: {{ .Release.Namespace }}
@@ -220,11 +215,7 @@ webhooks:
   - admissionReviewVersions:
       - v1
     clientConfig:
-      {{- if .Values.admissionWebhooks.autoGenerateCert }}
-      caBundle: {{ $ca.Cert | b64enc }}
-      {{- else }}
-      caBundle: {{ .Values.admissionWebhooks.ca_file | b64enc }}
-      {{- end }}
+      caBundle: {{ $caCertEnc }}
       service:
         name: {{ template "opentelemetry-operator.fullname" . }}-webhook
         namespace: {{ .Release.Namespace }}
@@ -254,11 +245,7 @@ webhooks:
   - admissionReviewVersions:
       - v1
     clientConfig:
-      {{- if .Values.admissionWebhooks.autoGenerateCert }}
-      caBundle: {{ $ca.Cert | b64enc }}
-      {{- else }}
-      caBundle: {{ .Values.admissionWebhooks.ca_file | b64enc }}
-      {{- end }}
+      caBundle: {{ $caCertEnc }}
       service:
         name: {{ template "opentelemetry-operator.fullname" . }}-webhook
         namespace: {{ .Release.Namespace }}

diff --git a/charts/opentelemetry-operator/values.yaml b/charts/opentelemetry-operator/values.yaml
@@ -220,6 +220,9 @@ admissionWebhooks:
   ## If true and certManager.enabled is false, Helm will automatically create a self-signd cert and secret for you.
   autoGenerateCert: true
 
+  # Set true to reuse existing cert, autoGenerateCert must be enabled too
+  autoGenerateCertIfNotExists: true
+
   ## TLS Certificate Option 3: Use your own self-signed certificate.
   ## certManager and autoGenerateCert must be disabled and cert_file, key_file, and ca_file must be set.
   ## Path to your own PEM-encoded certificate.