chore: Use the same secret name for a webhook service (#1566)

* chore: Use the same secret name for a webhook service for both Kubernetes and OpenShift platforms
Signed-off-by: Anatolii Bazko <abazko@redhat.com>

.github/workflows/build-next-images.yaml

@@ -1,47 +0,0 @@
-#
-# Copyright (c) 2019-2021 Red Hat, Inc.
-# This program and the accompanying materials are made
-# available under the terms of the Eclipse Public License 2.0
-# which is available at https://www.eclipse.org/legal/epl-2.0/
-#
-# SPDX-License-Identifier: EPL-2.0
-#
-# Contributors:
-#   Red Hat, Inc. - initial API and implementation
-#
-
-name: Build next images
-
-on:
-  # manual trigger if required
-  workflow_dispatch:
-    inputs:
-      reason:
-        description: 'Reason to trigger a build'
-        required: false
-  push:
-    branches:
-      - main
-jobs:
-  build-images:
-    runs-on: ubuntu-20.04
-    steps:
-    - name: Checkout source code
-      uses: actions/checkout@v2
-    - name: Set up QEMU
-      uses: docker/setup-qemu-action@v1
-    - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v1
-    - name: Login to quay.io
-      uses: docker/login-action@v1
-      with:
-        username: ${{ secrets.QUAY_USERNAME }}
-        password: ${{ secrets.QUAY_PASSWORD }}
-        registry: quay.io
-    - name: Build and push images to quay.io
-      uses: docker/build-push-action@v2
-      with:
-        file: Dockerfile
-        platforms: linux/amd64,linux/ppc64le
-        push: true
-        tags: quay.io/eclipse/che-operator:next

.github/workflows/release-next-catalog-and-operator-image.yaml

@@ -0,0 +1,50 @@
+#
+# Copyright (c) 2019-2021 Red Hat, Inc.
+# This program and the accompanying materials are made
+# available under the terms of the Eclipse Public License 2.0
+# which is available at https://www.eclipse.org/legal/epl-2.0/
+#
+# SPDX-License-Identifier: EPL-2.0
+#
+# Contributors:
+#   Red Hat, Inc. - initial API and implementation
+#
+
+name: Release next catalog
+on:
+  # manual trigger if required
+  workflow_dispatch:
+    inputs:
+      reason:
+        description: 'Reason to trigger a build'
+        required: false
+  push:
+    branches:
+      - main
+jobs:
+  build-images:
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout source code
+        uses: actions/checkout@v2
+      - name: Install yq
+        run: sudo pip install yq
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v1
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+      - name: Login to quay.io
+        uses: docker/login-action@v1
+        with:
+          username: ${{ secrets.QUAY_USERNAME }}
+          password: ${{ secrets.QUAY_PASSWORD }}
+          registry: quay.io
+      - name: Build operator image
+        uses: docker/build-push-action@v2
+        with:
+          file: Dockerfile
+          platforms: linux/amd64,linux/ppc64le
+          push: true
+          tags: quay.io/eclipse/che-operator:next
+      - name: Build catalog source
+        run: ${GITHUB_WORKSPACE}/build/scripts/olm/release-catalog.sh --channel 'next' --catalog-image quay.io/eclipse/eclipse-che-olm-catalog:next

.github/workflows/release-next-catalog.yaml

@@ -1,39 +0,0 @@
-#
-# Copyright (c) 2019-2021 Red Hat, Inc.
-# This program and the accompanying materials are made
-# available under the terms of the Eclipse Public License 2.0
-# which is available at https://www.eclipse.org/legal/epl-2.0/
-#
-# SPDX-License-Identifier: EPL-2.0
-#
-# Contributors:
-#   Red Hat, Inc. - initial API and implementation
-#
-
-name: Release next catalog
-on:
-  # manual trigger if required
-  workflow_dispatch:
-    inputs:
-      reason:
-        description: 'Reason to trigger a build'
-        required: false
-  push:
-    branches:
-      - main
-jobs:
-  release-next-catalog:
-    name: Build
-    runs-on: ubuntu-20.04
-    steps:
-    - uses: actions/checkout@v2
-    - name: Install yq
-      run: sudo pip install yq
-    - name: Docker login
-      uses: azure/docker-login@v1
-      with:
-        login-server: quay.io
-        username: ${{ secrets.QUAY_USERNAME }}
-        password: ${{ secrets.QUAY_PASSWORD }}
-    - name: Release next catalog
-      run: ${GITHUB_WORKSPACE}/build/scripts/olm/release-catalog.sh --channel 'next' --catalog-image quay.io/eclipse/eclipse-che-olm-catalog:next

Makefile

@@ -392,8 +392,8 @@ download-gateway-resources:
 # Store `che-operator-webhook-server-cert` secret locally
 store_tls_cert:
 	mkdir -p /tmp/k8s-webhook-server/serving-certs/
-	$(K8S_CLI) get secret che-operator-webhook-server-cert -n $(ECLIPSE_CHE_NAMESPACE) -o json | jq -r '.data["tls.crt"]' | base64 -d > /tmp/k8s-webhook-server/serving-certs/tls.crt
-	$(K8S_CLI) get secret che-operator-webhook-server-cert -n $(ECLIPSE_CHE_NAMESPACE) -o json | jq -r '.data["tls.key"]' | base64 -d > /tmp/k8s-webhook-server/serving-certs/tls.key
+	$(K8S_CLI) get secret che-operator-service-cert -n $(ECLIPSE_CHE_NAMESPACE) -o json | jq -r '.data["tls.crt"]' | base64 -d > /tmp/k8s-webhook-server/serving-certs/tls.crt
+	$(K8S_CLI) get secret che-operator-service-cert -n $(ECLIPSE_CHE_NAMESPACE) -o json | jq -r '.data["tls.key"]' | base64 -d > /tmp/k8s-webhook-server/serving-certs/tls.key
 
 ##@ OLM catalog
 

build/scripts/olm/test-catalog-from-sources.sh

@@ -85,8 +85,6 @@ exposeOpenShiftRegistry() {
 
   oc policy add-role-to-user system:image-builder system:anonymous -n "${NAMESPACE}"
   oc policy add-role-to-user system:image-builder system:unauthenticated -n "${NAMESPACE}"
-  oc policy add-role-to-user system:image-builder system:anonymous -n "openshift-marketplace"
-  oc policy add-role-to-user system:image-builder system:unauthenticated -n "openshift-marketplace"
 }
 
 buildOperatorFromSources() {
@@ -154,7 +152,7 @@ run() {
     make create-operatorgroup NAME=eclipse-che NAMESPACE="${NAMESPACE}" VERBOSE=${VERBOSE}
   fi
   make create-subscription \
-    NAME=eclipse-che-subscription \
+    NAME=eclipse-che \
     NAMESPACE="${NAMESPACE}" \
     PACKAGE_NAME="${ECLIPSE_CHE_PACKAGE_NAME}" \
     SOURCE="${ECLIPSE_CHE_CATALOG_SOURCE_NAME}" \

build/scripts/release/buildDigestMap.sh

@@ -39,7 +39,7 @@ excludedImages=(
 
 usage () {
 	echo "Usage:   $0 [-w WORKDIR] -c [/path/to/csv.yaml] -t [IMAGE_TAG]"
-	echo "Example: $0 -w $(pwd) -c $(pwd)/bundle/next/eclipse-che-preview-kubernetes/manifests/che-operator.clusterserviceversion.yaml -t 7.26.0"
+	echo "Example: $0 -w $(pwd) -c $(pwd)/bundle/next/eclipse-che/manifests/che-operator.clusterserviceversion.yaml -t 7.26.0"
 }
 
 setImagesFromDeploymentEnv() {

bundle/next/eclipse-che/manifests/che-operator.clusterserviceversion.yaml

@@ -77,7 +77,7 @@ metadata:
     operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
     repository: https://github.com/eclipse-che/che-operator
     support: Eclipse Foundation
-  name: eclipse-che.v7.57.0-729.next
+  name: eclipse-che.v7.57.0-736.next
   namespace: placeholder
 spec:
   apiservicedefinitions: {}
@@ -994,21 +994,12 @@ spec:
                           - ALL
                       privileged: false
                       readOnlyRootFilesystem: false
-                    volumeMounts:
-                      - mountPath: /tmp/k8s-webhook-server/serving-certs
-                        name: webhook-tls-certs
-                        readOnly: true
                 hostIPC: false
                 hostNetwork: false
                 hostPID: false
                 restartPolicy: Always
                 serviceAccountName: che-operator
                 terminationGracePeriodSeconds: 20
-                volumes:
-                  - name: webhook-tls-certs
-                    secret:
-                      defaultMode: 420
-                      secretName: che-operator-webhook-server-cert
       permissions:
         - rules:
             - apiGroups:
@@ -1241,7 +1232,7 @@ spec:
   minKubeVersion: 1.19.0
   provider:
     name: Eclipse Foundation
-  version: 7.57.0-729.next
+  version: 7.57.0-736.next
   webhookdefinitions:
     - admissionReviewVersions:
         - v1

config/certmanager/certificate.yaml

@@ -44,4 +44,4 @@ spec:
   issuerRef:
     kind: Issuer
     name: che-operator-selfsigned-issuer
-  secretName: che-operator-webhook-server-cert # this secret will not be prefixed, since it's not managed by kustomize
+  secretName: che-operator-service-cert # this secret will not be prefixed, since it's not managed by kustomize

config/kubernetes/kustomization.yaml

@@ -22,6 +22,7 @@ resources:
 patchesStrategicMerge:
   - patches/cainjection_in_checlusters.yaml
   - patches/cainjection_in_webhook.yaml
+  - patches/service_cert_patch.yaml
   - patches/manager_pod_security_context.yaml
 
 vars:

config/kubernetes/patches/service_cert_patch.yaml

@@ -0,0 +1,31 @@
+#
+# Copyright (c) 2019-2021 Red Hat, Inc.
+# This program and the accompanying materials are made
+# available under the terms of the Eclipse Public License 2.0
+# which is available at https://www.eclipse.org/legal/epl-2.0/
+#
+# SPDX-License-Identifier: EPL-2.0
+#
+# Contributors:
+#   Red Hat, Inc. - initial API and implementation
+#
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: che-operator
+  namespace: eclipse-che
+spec:
+  template:
+    spec:
+      containers:
+        - name: che-operator
+          volumeMounts:
+            - mountPath: /tmp/k8s-webhook-server/serving-certs
+              name: webhook-tls-certs
+              readOnly: true
+      volumes:
+        - name: webhook-tls-certs
+          secret:
+            defaultMode: 420
+            secretName: che-operator-service-cert

config/manager/kustomization.yaml

@@ -14,7 +14,7 @@ resources:
 - manager.yaml
 
 patchesStrategicMerge:
-- patches/manager_webhook_patch.yaml
+- patches/manager_webhook_service_patch.yaml
 
 generatorOptions:
   disableNameSuffixHash: true

config/manager/patches/manager_webhook_service_patch.yaml

@@ -24,12 +24,3 @@ spec:
         - containerPort: 9443
           name: webhook-server
           protocol: TCP
-        volumeMounts:
-        - mountPath: /tmp/k8s-webhook-server/serving-certs
-          name: webhook-tls-certs
-          readOnly: true
-      volumes:
-      - name: webhook-tls-certs
-        secret:
-          defaultMode: 420
-          secretName: che-operator-webhook-server-cert

config/openshift/patches/cainjection_in_webhook.yaml

@@ -9,10 +9,17 @@
 # Contributors:
 #   Red Hat, Inc. - initial API and implementation
 #
-
+---
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   name: org.eclipse.che
   annotations:
-    service.beta.openshift.io/inject-cabundle: "true"
+    service.beta.openshift.io/inject-cabundle: "true"
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: org.eclipse.che
+  annotations:
+    service.beta.openshift.io/inject-cabundle: "true"

config/openshift/patches/service_cert_patch.yaml

@@ -16,4 +16,4 @@ metadata:
   name: che-operator-service
   namespace: eclipse-che
   annotations:
-    service.beta.openshift.io/serving-cert-secret-name: che-operator-webhook-server-cert
+    service.beta.openshift.io/serving-cert-secret-name: che-operator-service-cert

deploy/deployment/kubernetes/combined.yaml

@@ -5849,7 +5849,7 @@ spec:
       - name: webhook-tls-certs
         secret:
           defaultMode: 420
-          secretName: che-operator-webhook-server-cert
+          secretName: che-operator-service-cert
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
@@ -5868,7 +5868,7 @@ spec:
   issuerRef:
     kind: Issuer
     name: che-operator-selfsigned-issuer
-  secretName: che-operator-webhook-server-cert
+  secretName: che-operator-service-cert
 ---
 apiVersion: cert-manager.io/v1
 kind: Issuer

deploy/deployment/kubernetes/objects/che-operator-serving-cert.Certificate.yaml

@@ -27,4 +27,4 @@ spec:
   issuerRef:
     kind: Issuer
     name: che-operator-selfsigned-issuer
-  secretName: che-operator-webhook-server-cert
+  secretName: che-operator-service-cert

deploy/deployment/kubernetes/objects/che-operator.Deployment.yaml

@@ -155,4 +155,4 @@ spec:
       - name: webhook-tls-certs
         secret:
           defaultMode: 420
-          secretName: che-operator-webhook-server-cert
+          secretName: che-operator-service-cert

deploy/deployment/openshift/combined.yaml

@@ -5691,7 +5691,7 @@ apiVersion: v1
 kind: Service
 metadata:
   annotations:
-    service.beta.openshift.io/serving-cert-secret-name: che-operator-webhook-server-cert
+    service.beta.openshift.io/serving-cert-secret-name: che-operator-service-cert
   labels:
     app.kubernetes.io/component: che-operator
     app.kubernetes.io/instance: che
@@ -5834,25 +5834,18 @@ spec:
             - ALL
           privileged: false
           readOnlyRootFilesystem: false
-        volumeMounts:
-        - mountPath: /tmp/k8s-webhook-server/serving-certs
-          name: webhook-tls-certs
-          readOnly: true
       hostIPC: false
       hostNetwork: false
       hostPID: false
       restartPolicy: Always
       serviceAccountName: che-operator
       terminationGracePeriodSeconds: 20
-      volumes:
-      - name: webhook-tls-certs
-        secret:
-          defaultMode: 420
-          secretName: che-operator-webhook-server-cert
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:
+  annotations:
+    service.beta.openshift.io/inject-cabundle: "true"
   labels:
     app.kubernetes.io/component: che-operator
     app.kubernetes.io/instance: che

deploy/deployment/openshift/objects/che-operator-service.Service.yaml

@@ -14,7 +14,7 @@ apiVersion: v1
 kind: Service
 metadata:
   annotations:
-    service.beta.openshift.io/serving-cert-secret-name: che-operator-webhook-server-cert
+    service.beta.openshift.io/serving-cert-secret-name: che-operator-service-cert
   labels:
     app.kubernetes.io/component: che-operator
     app.kubernetes.io/instance: che

deploy/deployment/openshift/objects/che-operator.Deployment.yaml

@@ -138,18 +138,9 @@ spec:
             - ALL
           privileged: false
           readOnlyRootFilesystem: false
-        volumeMounts:
-        - mountPath: /tmp/k8s-webhook-server/serving-certs
-          name: webhook-tls-certs
-          readOnly: true
       hostIPC: false
       hostNetwork: false
       hostPID: false
       restartPolicy: Always
       serviceAccountName: che-operator
       terminationGracePeriodSeconds: 20
-      volumes:
-      - name: webhook-tls-certs
-        secret:
-          defaultMode: 420
-          secretName: che-operator-webhook-server-cert

deploy/deployment/openshift/objects/org.eclipse.che.MutatingWebhookConfiguration.yaml

@@ -13,6 +13,8 @@
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:
+  annotations:
+    service.beta.openshift.io/inject-cabundle: "true"
   labels:
     app.kubernetes.io/component: che-operator
     app.kubernetes.io/instance: che

helmcharts/next/templates/che-operator-serving-cert.Certificate.yaml

@@ -27,4 +27,4 @@ spec:
   issuerRef:
     kind: Issuer
     name: che-operator-selfsigned-issuer
-  secretName: che-operator-webhook-server-cert
+  secretName: che-operator-service-cert

helmcharts/next/templates/che-operator.Deployment.yaml

@@ -155,4 +155,4 @@ spec:
       - name: webhook-tls-certs
         secret:
           defaultMode: 420
-          secretName: che-operator-webhook-server-cert
+          secretName: che-operator-service-cert