use cert manager for pipelines cache server instead

Signed-off-by: David van der Spek <[email protected]>

kubeflow/helm/katib/templates/controller/mutatingwebhookconfiguration.yaml

@@ -2,7 +2,7 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:
   annotations:
-    cert-manager.io/inject-ca-from: kubeflow/{{ include "katib.fullname" . }}-controller-certs
+    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "katib.fullname" . }}-controller-certs
   name: katib.kubeflow.org
   labels: {{- include "katib.labels" . | nindent 4 }}
 webhooks:

kubeflow/helm/pipelines/templates/cache/server/certificate.yaml

@@ -0,0 +1,17 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ include "pipelines.fullname" . }}-cache-certs
+  labels:
+    {{- include "pipelines.labels" . | nindent 4 }}
+spec:
+  commonName: kfp-cache-cert
+  dnsNames:
+  - {{ include "pipelines.fullname" . }}-cache-server
+  - {{ include "pipelines.fullname" . }}-cache-server.{{ .Release.Namespace }}
+  - {{ include "pipelines.fullname" . }}-cache-server.{{ .Release.Namespace }}.svc
+  isCA: true
+  issuerRef:
+    kind: ClusterIssuer
+    name: kubeflow-self-signing-issuer
+  secretName: {{ include "pipelines.fullname" . }}-cache-server-tls

kubeflow/helm/pipelines/templates/cache/server/deployment.yaml

@@ -42,7 +42,9 @@ spec:
             - --db_user=$(DBCONFIG_USER)
             - --db_password=$(DBCONFIG_PASSWORD)
             - --namespace_to_watch=$(NAMESPACE_TO_WATCH)
-            - --listen_ports=$(WEBHOOK_PORT)
+            - --listen_port=$(WEBHOOK_PORT)
+            - --tls_cert_filename=tls.crt
+            - --tls_key_filename=tls.key
           env:
             - name: NAMESPACE_TO_WATCH
               value: ""
@@ -67,7 +69,7 @@ spec:
                   key: cacheNodeRestrictions
                   name: pipeline-install-config
             - name: DBCONFIG_DRIVER
-              value: mysql
+              value: mysql # TODO: make configurable
             - name: DBCONFIG_DB_NAME
               valueFrom:
                 configMapKeyRef:
@@ -107,7 +109,7 @@ spec:
               readOnly: true
       volumes:
         - secret:
-            secretName: webhook-server-tls
+            secretName: {{ include "pipelines.fullname" . }}-cache-server-tls
           name: webhook-tls-certs
       {{- with .Values.nodeSelector }}
       nodeSelector:

kubeflow/helm/pipelines/templates/cache/server/mutatingwebhookconfiguration.yaml

@@ -0,0 +1,32 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "pipelines.fullname" . }}-cache-cert
+  labels:
+    {{- include "pipelines.labels" . | nindent 4 }}
+  name: cache-webhook.pipelines.kubeflow.org
+webhooks:
+- admissionReviewVersions:
+  - v1beta1
+  clientConfig:
+    service:
+      name: {{ include "pipelines.fullname" . }}-cache-server
+      namespace: {{ .Release.Namespace }}
+      path: /mutate
+  failurePolicy: Ignore
+  name: {{ include "pipelines.fullname" . }}-cache-server.{{ .Release.Namespace }}.svc
+  objectSelector:
+    matchLabels:
+      pipelines.kubeflow.org/cache_enabled: "true"
+  rules:
+  - apiGroups:
+    - ""
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    resources:
+    - pods
+  sideEffects: None
+  timeoutSeconds: 5