EPMDEDP-16582: feat: replace self-signed cert generation with cert-manager

Remove the custom TLS certificate lifecycle logic (CertService,
PopulateCertificates) that regenerated self-signed certs on every
restart. Delegate certificate issuance and CA injection to cert-manager
via a Helm-managed Issuer and Certificate, and the
cert-manager.io/inject-ca-from annotation on ValidatingWebhookConfiguration.

Drop cluster-scoped RBAC rules that were required solely for cert
generation (ValidatingWebhookConfiguration patch, Secrets create/update).
Gate all webhook resources behind the new enableWebhooks Helm value.

Author: zmotso

cmd/main.go

@@ -1,7 +1,6 @@
 package main
 
 import (
-	"context"
 	"crypto/tls"
 	"flag"
 	"os"
@@ -101,8 +100,6 @@ func main() {
 
 	v := buildInfo.Get()
 
-	ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts)))
-
 	// if the enable-http2 flag is false (the default), http/2 should be disabled
 	// due to its vulnerabilities. More specifically, disabling http/2 will
 	// prevent from being vulnerable to the HTTP/2 Stream Cancellation and
@@ -287,7 +284,7 @@ func main() {
 	}
 
 	if os.Getenv("ENABLE_WEBHOOKS") != "false" {
-		if err = webhook.RegisterValidationWebHook(context.Background(), mgr, ns); err != nil {
+		if err = webhook.RegisterValidationWebHook(mgr); err != nil {
 			setupLog.Error(err, "failed to create webhook", "webhook", "Codebase")
 			os.Exit(1)
 		}

deploy-templates/README.md

@@ -23,6 +23,7 @@ A Helm chart for KubeRocketCI Codebase Operator
 |-----|------|---------|-------------|
 | affinity | object | `{}` |  |
 | annotations | object | `{}` |  |
+| enableWebhooks | bool | `true` | Enable webhook and cert-manager certificate resources. Webhooks require cert-manager to be installed in the cluster. |
 | envs[0].name | string | `"RECONCILATION_PERIOD"` |  |
 | envs[0].value | string | `"360"` |  |
 | envs[1] | object | `{"name":"CODEBASE_BRANCH_MAX_CONCURRENT_RECONCILES","value":"3"}` | Maximum number of parallel reconciliation codebasebranches |

deploy-templates/templates/cert_secret.yaml

@@ -34,6 +34,9 @@ spec:
       containers:
         - name: {{ .Values.name }}
           image: {{ if .Values.image.registry }}{{ .Values.image.registry }}/{{ end }}{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}
+          {{- if .Values.enableWebhooks }}
+          args:
+            - --webhook-cert-path=/tmp/k8s-webhook-server/serving-certs
           ports:
             - containerPort: 9443
               name: webhook-server
@@ -42,6 +45,7 @@ spec:
             - mountPath: /tmp/k8s-webhook-server/serving-certs
               name: cert
               readOnly: true
+          {{- end }}
           imagePullPolicy: "{{ .Values.imagePullPolicy }}"
           {{- if .Values.securityContext }}
           securityContext: {{ toYaml .Values.securityContext | nindent 12 }}
@@ -61,6 +65,8 @@ spec:
               value: "{{ .Values.global.platform }}"
             - name: TELEMETRY_ENABLED
               value: "{{ .Values.telemetryEnabled }}"
+            - name: ENABLE_WEBHOOKS
+              value: {{ .Values.enableWebhooks | quote }}
 {{ toYaml .Values.envs | indent 12 }}
           resources:
 {{ toYaml .Values.resources | indent 12 }}
@@ -76,8 +82,10 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- if .Values.enableWebhooks }}
       volumes:
         - name: cert
           secret:
             defaultMode: 420
-            secretName: edp-codebase-operator-webhook-certs
+            secretName: {{ .Values.name }}-webhook-certs
+      {{- end }}

deploy-templates/templates/clusterrole_kubernetes.yaml

@@ -87,7 +87,6 @@ rules:
     - list
     - patch
     - update
-    - create
   resources:
     - secrets
 - apiGroups:

deploy-templates/templates/clusterrole_openshift.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.enableWebhooks }}
 apiVersion: v1
 kind: Service
 metadata:
@@ -10,4 +11,5 @@ spec:
       protocol: TCP
       targetPort: 9443
   selector:
-    name: {{ .Values.name }}
+    name: {{ .Values.name }}
+{{- end }}