Allow custom signer signingCA to specify namespace in addOnTemplate (o…

…pen-cluster-management-io#350) Signed-off-by: zhujian <[email protected]>
haoqing0110 · Dec 9, 2024 · b62746a · b62746a
1 parent 05ff7c1
commit b62746a
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 11 deletions.
diff --git a/addon/v1alpha1/0000_03_addon.open-cluster-management.io_addontemplates.crd.yaml b/addon/v1alpha1/0000_03_addon.open-cluster-management.io_addontemplates.crd.yaml
@@ -372,15 +372,19 @@ spec:
                         signingCA:
                           description: |-
                             SigningCA represents the reference of the secret on the hub cluster to sign the CSR
-                            the secret must be in the namespace where the addon-manager is located, and the secret
-                            type must be "kubernetes.io/tls"
+                            the secret type must be "kubernetes.io/tls"
                             Note: The addon manager will not have permission to access the secret by default, so
-                            the user must grant the permission to the addon manager(by creating rolebinding for
-                            the addon-manager serviceaccount "addon-manager-controller-sa").
+                            the user must grant the permission to the addon manager(by creating rolebinding/clusterrolebinding
+                            for the addon-manager serviceaccount "addon-manager-controller-sa").
                           properties:
                             name:
                               description: Name of the signing CA secret
                               type: string
+                            namespace:
+                              description: Namespace of the signing CA secret, the
+                                namespace of the addon-manager will be used if it
+                                is not set.
+                              type: string
                           required:
                           - name
                           type: object

diff --git a/addon/v1alpha1/types_addontemplate.go b/addon/v1alpha1/types_addontemplate.go
@@ -170,11 +170,10 @@ type CustomSignerRegistrationConfig struct {
 	Subject *Subject `json:"subject,omitempty"`
 
 	// SigningCA represents the reference of the secret on the hub cluster to sign the CSR
-	// the secret must be in the namespace where the addon-manager is located, and the secret
-	// type must be "kubernetes.io/tls"
+	// the secret type must be "kubernetes.io/tls"
 	// Note: The addon manager will not have permission to access the secret by default, so
-	// the user must grant the permission to the addon manager(by creating rolebinding for
-	// the addon-manager serviceaccount "addon-manager-controller-sa").
+	// the user must grant the permission to the addon manager(by creating rolebinding/clusterrolebinding
+	// for the addon-manager serviceaccount "addon-manager-controller-sa").
 	// +kubebuilder:validation:Required
 	SigningCA SigningCARef `json:"signingCA"`
 }
@@ -185,6 +184,9 @@ type SigningCARef struct {
 	// Name of the signing CA secret
 	// +kubebuilder:validation:Required
 	Name string `json:"name"`
+	// Namespace of the signing CA secret, the namespace of the addon-manager will be used if it is not set.
+	// +optional
+	Namespace string `json:"namespace,omitempty"`
 }
 
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

diff --git a/addon/v1alpha1/zz_generated.swagger_doc_generated.go b/addon/v1alpha1/zz_generated.swagger_doc_generated.go