Allow porch namespace in cert/webhook to be configured

pkg/apiserver/apiserver.go

@@ -1,4 +1,4 @@
-// Copyright 2022 The kpt and Nephio Authors
+// Copyright 2022,2024 The kpt and Nephio Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -18,6 +18,7 @@ import (
 	"context"
 	"fmt"
 	"os"
+	"strings"
 	"time"
 
 	"github.com/nephio-project/porch/api/porch/install"
@@ -281,9 +282,14 @@ func (c completedConfig) New() (*PorchServer, error) {
 
 func (s *PorchServer) Run(ctx context.Context) error {
 	porch.RunBackground(ctx, s.coreClient, s.cache)
+	webhookNs, found := os.LookupEnv("CERT_NAMESPACE")
+	if !found || strings.TrimSpace(webhookNs) == "" {
+		webhookNs = "porch-system"
+	}
+
 	certStorageDir, found := os.LookupEnv("CERT_STORAGE_DIR")
-	if found && certStorageDir != "" {
-		if err := setupWebhooks(ctx, certStorageDir); err != nil {
+	if found && strings.TrimSpace(certStorageDir) != "" {
+		if err := setupWebhooks(ctx, webhookNs, certStorageDir); err != nil {
 			klog.Errorf("%v\n", err)
 			return err
 		}

pkg/apiserver/webhooks.go

@@ -1,4 +1,4 @@
-// Copyright 2022 The kpt and Nephio Authors
+// Copyright 2022,2024 The kpt and Nephio Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -51,12 +51,12 @@ const (
 	serverEndpoint     = "/validate-deletion"
 )
 
-func setupWebhooks(ctx context.Context, certStorageDir string) error {
-	caBytes, err := createCerts(certStorageDir)
+func setupWebhooks(ctx context.Context, webhookNs string, certStorageDir string) error {
+	caBytes, err := createCerts(webhookNs, certStorageDir)
 	if err != nil {
 		return err
 	}
-	if err := createValidatingWebhook(ctx, caBytes); err != nil {
+	if err := createValidatingWebhook(ctx, webhookNs, caBytes); err != nil {
 		return err
 	}
 	if err := runWebhookServer(certStorageDir); err != nil {
@@ -65,11 +65,11 @@ func setupWebhooks(ctx context.Context, certStorageDir string) error {
 	return nil
 }
 
-func createCerts(certStorageDir string) ([]byte, error) {
-	klog.Infoln("creating self-signing TLS cert and key ")
+func createCerts(webhookNs string, certStorageDir string) ([]byte, error) {
+	klog.Infoln("creating self-signing TLS cert and key with namespace " + webhookNs + " in directory " + certStorageDir)
 	dnsNames := []string{"api",
-		"api.porch-system", "api.porch-system.svc"}
-	commonName := "api.porch-system.svc"
+		"api." + webhookNs, "api." + webhookNs + ".svc"}
+	commonName := "api." + webhookNs + ".svc"
 
 	var caPEM, serverCertPEM, serverPrivateKeyPEM *bytes.Buffer
 	// CA config
@@ -165,8 +165,8 @@ func WriteFile(filepath string, c []byte) error {
 	return nil
 }
 
-func createValidatingWebhook(ctx context.Context, caCert []byte) error {
-	klog.Infoln("Creating validating webhook")
+func createValidatingWebhook(ctx context.Context, webhookNs string, caCert []byte) error {
+	klog.Infoln("Creating validating webhook with namespace " + webhookNs)
 
 	cfg := ctrl.GetConfigOrDie()
 	kubeClient, err := kubernetes.NewForConfig(cfg)
@@ -175,7 +175,7 @@ func createValidatingWebhook(ctx context.Context, caCert []byte) error {
 	}
 
 	var (
-		webhookNamespace  = "porch-system"
+		webhookNamespace  = webhookNs
 		validationCfgName = "packagerev-deletion-validating-webhook"
 		webhookService    = "api"
 		path              = serverEndpoint

pkg/apiserver/webhooks_test.go

@@ -1,4 +1,4 @@
-// Copyright 2022 The kpt and Nephio Authors
+// Copyright 2022,2024 The kpt and Nephio Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -36,7 +36,7 @@ func TestCreateCerts(t *testing.T) {
 		require.NoError(t, os.RemoveAll(dir))
 	}()
 
-	caCert, err := createCerts(dir)
+	caCert, err := createCerts("", dir)
 	require.NoError(t, err)
 
 	caStr := strings.TrimSpace(string(caCert))