cluster/kube: minor cert-manager cleanups, disable webhooks by default
diff --git a/cluster/kube/lib/cert-manager.libsonnet b/cluster/kube/lib/cert-manager.libsonnet
index 5809d73..8ec72fd 100644
--- a/cluster/kube/lib/cert-manager.libsonnet
+++ b/cluster/kube/lib/cert-manager.libsonnet
@@ -10,6 +10,7 @@
cfg:: {
namespace: "cert-manager",
+ enableWebhook: false,
},
metadata:: {
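Review bot: The new `enableWebhook: false` default in `cfg` carries no comment explaining what is lost when it is off. With the flag false, the `webhooks` list in the ValidatingWebhookConfiguration hunk renders as `[]`, so cert-manager resources such as Certificates are admitted without the validating webhook checking them. I would document that on the field, e.g. `// Off by default: cert-manager resources are not validated at admission; set to true to render the validating webhooks.`, so that anyone overriding `cfg` knows this is a deliberate trade-off and not an oversight.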
@@ -518,7 +519,7 @@
metadata+: env.metadata,
spec: {
secretName: "cert-manager-webhook-ca",
- duration: "43800h", // 5 years
+ duration: "43800h0m0s", // 5 years
issuerRef: {
name: env.issuers.webhookSelfsign.metadata.name,
},
@@ -530,7 +531,7 @@
metadata+: env.metadata,
spec: {
secretName: "cert-manager-webhook-webhook-tls",
- duration: "8760h", // 1 year
+ duration: "8760h0m0s", // 1 year
issuerRef: {
name: env.issuers.webhookSelfsign.metadata.name,
},
@@ -545,11 +546,10 @@
admission: kube._Object("admissionregistration.k8s.io/v1beta1", "ValidatingWebhookConfiguration", "cert-manager-webhook") {
metadata+: {
annotations: {
- "certmanager.k8s.io/inject-apiserver-ca": "true",
},
},
- webhooks: [
- // Copied from official yaml
+ // Copied from official yaml
+ webhooks: if cfg.enableWebhook then [
{
"name": "certificates.admission.certmanager.k8s.io",
"namespaceSelector": {
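Review bot: The `certmanager.k8s.io/inject-apiserver-ca` annotation is removed unconditionally, while the webhook entries are only gated on `cfg.enableWebhook`, so setting the flag to true renders webhooks whose `"caBundle": ""` (visible in the next hunk's context) has nothing left to fill it in. Presumably that annotation was what caused the CA to be injected; without it, the API server would have no CA to verify the webhook endpoint against, and the result depends on each webhook's failure policy, which is not visible here. I would gate the annotation on the same flag, e.g. `annotations: if cfg.enableWebhook then { "certmanager.k8s.io/inject-apiserver-ca": "true" } else {},`. If the removal is intentional, a comment on the `webhooks` field should say how `caBundle` is expected to be populated. The webhook list continues past the end of this hunk.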
@@ -691,29 +691,18 @@
"caBundle": "",
}
}
- ],
+ ] else [],
},
},
- /*
- Issuer(name):: {
- local cfg = self,
- spec:: error "spec must be specified",
- metadata:: {
- namespace: "cert-manager",
- },
-
- issuer: kube._Object("certmanager.k8s.io/v1alpha1", "Issuer", name) {
- metadata+: cfg.metadata,
- spec: cfg.spec,
- },
- },
- */
-
Issuer(name): kube._Object("certmanager.k8s.io/v1alpha1", "Issuer", name) {
spec: error "spec must be specified",
},
+ ClusterIssuer(name): kube._Object("certmanager.k8s.io/v1alpha1", "ClusterIssuer", name) {
+ spec: error "spec must be specified",
+ },
+
Certificate(name): kube._Object("certmanager.k8s.io/v1alpha1", "Certificate", name) {
spec: error "spec must be specified",
},