fix: use custom k8s label to inject certificates where needed

Makefile

@@ -28,7 +28,7 @@ HELMIFY ?=  $(LOCALBIN)/helmify
 .PHONY: helmify
 helmify: $(HELMIFY) ## Download helmify locally if necessary.
 $(HELMIFY): $(LOCALBIN)
-	test -s $(LOCALBIN)/helmify || GOBIN=$(LOCALBIN) go install github.com/keptn/helmify/cmd/helmify@b1da2bb756ec4328bac7645da037a6fb4e6f30cf
+	test -s $(LOCALBIN)/helmify || GOBIN=$(LOCALBIN) go install github.com/keptn/helmify/cmd/helmify@1060b5d08806e40bfd9f38c3e8a9a302ab38e71a
 
 .PHONY: integration-test #these tests should run on a real cluster!
 integration-test:	# to run a single test by name use --test eg. --test=expose-keptn-metric

helm/chart/README.md

@@ -42,15 +42,17 @@ checks
 
 ### Keptn Certificate Operator controller
 
-| Name                                                   | Description                                                       | Value                                      |
-| ------------------------------------------------------ | ----------------------------------------------------------------- | ------------------------------------------ |
-| `certificateOperator.manager.containerSecurityContext` | Sets security context for the cert manager                        |                                            |
-| `certificateOperator.manager.image.repository`         | specify repo for manager image                                    | `ghcr.keptn.sh/keptn/certificate-operator` |
-| `certificateOperator.manager.image.tag`                | select tag for manager container <!---x-release-please-version--> | `v0.7.0`                                   |
-| `certificateOperator.manager.imagePullPolicy`          | select image pull policy for manager container                    | `Always`                                   |
-| `certificateOperator.manager.livenessProbe`            | custom RBAC proxy liveness probe                                  |                                            |
-| `certificateOperator.manager.readinessProbe`           | custom manager readiness probe                                    |                                            |
-| `certificateOperator.manager.resources`                | custom limits and requests for manager container                  |                                            |
+| Name                                                   | Description                                                               | Value                                      |
+| ------------------------------------------------------ | ------------------------------------------------------------------------- | ------------------------------------------ |
+| `certificateOperator.manager.containerSecurityContext` | Sets security context for the cert manager                                |                                            |
+| `certificateOperator.manager.image.repository`         | specify repo for manager image                                            | `ghcr.keptn.sh/keptn/certificate-operator` |
+| `certificateOperator.manager.image.tag`                | select tag for manager container <!---x-release-please-version-->         | `v0.7.0`                                   |
+| `certificateOperator.manager.imagePullPolicy`          | select image pull policy for manager container                            | `Always`                                   |
+| `certificateOperator.manager.env.labelSelectorKey`     | specify the label selector to find resources to generate certificates for | `keptn.sh/inject-cert`                     |
+| `certificateOperator.manager.env.labelSelectorValue`   | specify the value for the label selector                                  | `true`                                     |
+| `certificateOperator.manager.livenessProbe`            | custom RBAC proxy liveness probe                                          |                                            |
+| `certificateOperator.manager.readinessProbe`           | custom manager readiness probe                                            |                                            |
+| `certificateOperator.manager.resources`                | custom limits and requests for manager container                          |                                            |
 
 ### Keptn Lifecycle Operator common
 

helm/chart/doc.yaml

@@ -69,6 +69,9 @@
 ## @param     certificateOperator.manager.image.tag select tag for manager container <!---x-release-please-version-->
 ## @param     certificateOperator.manager.imagePullPolicy select image pull policy for manager container
 
+## @param     certificateOperator.manager.env.labelSelectorKey specify the label selector to find resources to generate certificates for
+## @param     certificateOperator.manager.env.labelSelectorValue specify the value for the label selector
+
 ## @extra     certificateOperator.manager.livenessProbe custom RBAC proxy liveness probe
 ## @skip     certificateOperator.manager.livenessProbe.httpGet.path
 ## @skip     certificateOperator.manager.livenessProbe.httpGet.port

helm/chart/templates/_helpers.tpl

@@ -48,7 +48,6 @@ Selector labels
 {{- define "chart.selectorLabels" -}}
 app.kubernetes.io/name: {{ include "chart.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: keptn-lifecycle-toolkit
 {{- end }}
 
 {{/*

helm/chart/values.yaml

@@ -10,6 +10,9 @@ certificateOperator:
       runAsUser: 65532
       seccompProfile:
         type: RuntimeDefault
+    env:
+      labelSelectorKey: keptn.sh/inject-cert
+      labelSelectorValue: "true"
     image:
       repository: ghcr.keptn.sh/keptn/certificate-operator
       tag: v0.7.0

klt-cert-manager/config/manager/manager.yaml

@@ -9,7 +9,7 @@ metadata:
     app.kubernetes.io/instance: certificate-operator
     app.kubernetes.io/component: manager
     app.kubernetes.io/created-by: certificate-operator
-    app.kubernetes.io/part-of: certificate-operator
+    app.kubernetes.io/part-of: keptn-lifecycle-toolkit
     app.kubernetes.io/managed-by: kustomize
 spec:
   selector:
@@ -38,6 +38,10 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.namespace
+            - name: LABEL_SELECTOR_KEY
+              value: "keptn.sh/inject-cert"
+            - name: LABEL_SELECTOR_VALUE
+              value: "true"
           securityContext:
             seccompProfile:
               type: RuntimeDefault

klt-cert-manager/config/rbac/extra_role_binding.yaml

@@ -11,7 +11,7 @@ metadata:
     app.kubernetes.io/instance: certificate-operator-rolebinding
     app.kubernetes.io/component: rbac
     app.kubernetes.io/created-by: certificate-operator
-    app.kubernetes.io/part-of: certificate-operator
+    app.kubernetes.io/part-of: keptn-lifecycle-toolkit
     app.kubernetes.io/managed-by: kustomize
   name: certificate-operator-role-binding
 roleRef:

klt-cert-manager/config/rbac/leader_election_role.yaml

@@ -7,7 +7,7 @@ metadata:
     app.kubernetes.io/instance: leader-election-role
     app.kubernetes.io/component: rbac
     app.kubernetes.io/created-by: certificate-operator
-    app.kubernetes.io/part-of: certificate-operator
+    app.kubernetes.io/part-of: keptn-lifecycle-toolkit
     app.kubernetes.io/managed-by: kustomize
   name: leader-election-role
 rules:

klt-cert-manager/config/rbac/leader_election_role_binding.yaml

@@ -6,7 +6,7 @@ metadata:
     app.kubernetes.io/instance: certificate-operator-leader-election-rolebinding
     app.kubernetes.io/component: rbac
     app.kubernetes.io/created-by: certificate-operator
-    app.kubernetes.io/part-of: certificate-operator
+    app.kubernetes.io/part-of: keptn-lifecycle-toolkit
     app.kubernetes.io/managed-by: kustomize
   name: certificate-operator-leader-election-rolebinding
 roleRef:

klt-cert-manager/config/rbac/role_binding.yaml

@@ -6,7 +6,7 @@ metadata:
     app.kubernetes.io/instance: certificate-operator-rolebinding
     app.kubernetes.io/component: rbac
     app.kubernetes.io/created-by: certificate-operator
-    app.kubernetes.io/part-of: certificate-operator
+    app.kubernetes.io/part-of: keptn-lifecycle-toolkit
     app.kubernetes.io/managed-by: kustomize
   name: certificate-operator-rolebinding
 roleRef:

klt-cert-manager/config/rbac/service_account.yaml

@@ -6,7 +6,7 @@ metadata:
     app.kuberentes.io/instance: certificate-operator
     app.kubernetes.io/component: rbac
     app.kubernetes.io/created-by: certificate-operator
-    app.kubernetes.io/part-of: certificate-operator
+    app.kubernetes.io/part-of: keptn-lifecycle-toolkit
     app.kubernetes.io/managed-by: kustomize
   name: certificate-operator
   namespace: system

klt-cert-manager/controllers/keptnwebhookcontroller/webhook_cert_controller_test.go

@@ -377,7 +377,7 @@ func prepareFakeClient(withSecret bool, generateValidSecret bool) client.Client
 
 func getMatchLabel() map[string]string {
 	return map[string]string{
-		"app.kubernetes.io/part-of": "keptn-lifecycle-toolkit",
+		"keptn.sh/inject-cert": "true",
 	}
 }
 
@@ -414,7 +414,7 @@ func prepareController(t *testing.T, clt client.Client) (*KeptnWebhookCertificat
 		Client:      clt,
 		Log:         testr.New(t),
 		Namespace:   testnamespace,
-		MatchLabels: labels.Set(map[string]string{"app.kubernetes.io/part-of": "keptn-lifecycle-toolkit"}),
+		MatchLabels: labels.Set(map[string]string{"keptn.sh/inject-cert": "true"}),
 	}
 
 	request := reconcile.Request{

klt-cert-manager/main.go

@@ -36,8 +36,8 @@ func init() {
 
 type envConfig struct {
 	KLTNamespace          string `envconfig:"NAMESPACE" default:"keptn-lifecycle-toolkit-system"`
-	KLTLabelSelectorKey   string `envconfig:"LABEL_SELECTOR_KEY" default:"app.kubernetes.io/part-of"`
-	KLTLabelSelectorValue string `envconfig:"LABEL_SELECTOR_VALUE" default:"keptn-lifecycle-toolkit"`
+	KLTLabelSelectorKey   string `envconfig:"LABEL_SELECTOR_KEY" default:"keptn.sh/inject-cert"`
+	KLTLabelSelectorValue string `envconfig:"LABEL_SELECTOR_VALUE" default:"true"`
 }
 
 func main() {

metrics-operator/config/crd/kustomization.yaml

@@ -26,3 +26,4 @@ configurations:
 commonLabels:
   crdGroup: metrics.keptn.sh
   app.kubernetes.io/part-of: keptn-lifecycle-toolkit
+  keptn.sh/inject-cert: "true"

metrics-operator/config/manager/manager.yaml

@@ -13,6 +13,7 @@ metadata:
   labels:
     app.kubernetes.io/part-of: keptn-lifecycle-toolkit
     control-plane: metrics-operator
+    keptn.sh/inject-cert: "true"
 spec:
   selector:
     matchLabels:

metrics-operator/config/samples/metrics_v1alpha3_keptnmetric.yaml

@@ -4,7 +4,7 @@ metadata:
   labels:
     app.kubernetes.io/name: keptnmetric
     app.kubernetes.io/instance: keptnmetric-sample
-    app.kubernetes.io/part-of: metrics-operator
+    app.kubernetes.io/part-of: keptn-lifecycle-toolkit
     app.kuberentes.io/managed-by: kustomize
     app.kubernetes.io/created-by: metrics-operator
   name: keptnmetric-sample

metrics-operator/config/samples/metrics_v1alpha3_keptnmetricsprovider.yaml

@@ -4,7 +4,7 @@ metadata:
   labels:
     app.kubernetes.io/name: keptnmetricsprovider
     app.kubernetes.io/instance: keptnmetricsprovider-sample
-    app.kubernetes.io/part-of: metrics-operator
+    app.kubernetes.io/part-of: keptn-lifecycle-toolkit
     app.kuberentes.io/managed-by: kustomize
     app.kubernetes.io/created-by: metrics-operator
   name: keptnmetricsprovider-sample

operator/config/crd/kustomization.yaml

@@ -42,3 +42,4 @@ configurations:
 commonLabels:
   crdGroup: lifecycle.keptn.sh
   app.kubernetes.io/part-of: keptn-lifecycle-toolkit
+  keptn.sh/inject-cert: "true"

operator/config/manager/manager.yaml

@@ -6,6 +6,7 @@ metadata:
   labels:
     app.kubernetes.io/part-of: keptn-lifecycle-toolkit
     control-plane: lifecycle-operator
+    keptn.sh/inject-cert: "true"
 spec:
   selector:
     matchLabels:

operator/config/webhook/manifests.yaml

@@ -4,6 +4,8 @@ kind: MutatingWebhookConfiguration
 metadata:
   creationTimestamp: null
   name: lifecycle-mutating-webhook-configuration
+  labels:
+    keptn.sh/inject-cert: "true"
 webhooks:
   - admissionReviewVersions:
       - v1