shiftstack
diff --git a/‎config/certmanager/certificate.yaml
+4-4 b/‎config/certmanager/certificate.yaml
+4-4
diff --git a/‎config/crd/kustomization.yaml
-8 b/‎config/crd/kustomization.yaml
-8
diff --git a/‎config/crd/patches/cainjection_in_openstackclusters.yaml
-8 b/‎config/crd/patches/cainjection_in_openstackclusters.yaml
-8
diff --git a/‎config/crd/patches/cainjection_in_openstackclustertemplates.yaml
-8 b/‎config/crd/patches/cainjection_in_openstackclustertemplates.yaml
-8
diff --git a/‎config/crd/patches/cainjection_in_openstackmachines.yaml
-8 b/‎config/crd/patches/cainjection_in_openstackmachines.yaml
-8
diff --git a/‎config/crd/patches/cainjection_in_openstackmachinetemplates.yaml
-8 b/‎config/crd/patches/cainjection_in_openstackmachinetemplates.yaml
-8
diff --git a/‎config/default/kustomization.yaml
+115-13 b/‎config/default/kustomization.yaml
+115-13
diff --git a/‎config/default/manager_webhook_patch.yaml
+2-1 b/‎config/default/manager_webhook_patch.yaml
+2-1
diff --git a/‎config/webhook/cainjection_patch.yaml
-3 b/‎config/webhook/cainjection_patch.yaml
-3
diff --git a/‎config/webhook/kustomization.yaml
-8 b/‎config/webhook/kustomization.yaml
-8
@@ -14,11 +14,11 @@ metadata:
   name: serving-cert  # this name should match the one appeared in kustomizeconfig.yaml
   namespace: system
 spec:
-  # $(SERVICE_NAME) and $(SERVICE_NAMESPACE) will be substituted by kustomize
+  # SERVICE_NAME and SERVICE_NAMESPACE will be substituted by kustomize
   dnsNames:
-  - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc
-  - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local
+  - SERVICE_NAME.SERVICE_NAMESPACE.svc
+  - SERVICE_NAME.SERVICE_NAMESPACE.svc.cluster.local
   issuerRef:
     kind: Issuer
     name: selfsigned-issuer
-  secretName: $(SERVICE_NAME)-cert # this secret will not be prefixed, since it's not managed by kustomize
+  secretName: SERVICE_NAME-cert # this secret will not be prefixed, since it's not managed by kustomize
@@ -20,14 +20,6 @@ patches:
 - path: patches/webhook_in_openstackclustertemplates.yaml
 # +kubebuilder:scaffold:crdkustomizewebhookpatch
 
-# [CERTMANAGER] To enable webhook, uncomment all the sections with [CERTMANAGER] prefix.
-# patches here are for enabling the CA injection for each CRD
-- path: patches/cainjection_in_openstackclusters.yaml
-- path: patches/cainjection_in_openstackmachines.yaml
-- path: patches/cainjection_in_openstackmachinetemplates.yaml
-- path: patches/cainjection_in_openstackclustertemplates.yaml
-# +kubebuilder:scaffold:crdkustomizecainjectionpatch
-
 # the following config is for teaching kustomize how to do kustomization for CRDs.
 configurations:
 - kustomizeconfig.yaml
@@ -20,33 +20,135 @@ patches:
   # Enable webhook.
 - path: manager_webhook_patch.yaml
 
-vars:
-  - name: CERTIFICATE_NAMESPACE # namespace of the certificate CR
-    objref:
+replacements:
+  - source: # Add cert-manager annotation to ValidatingWebhookConfiguration, MutatingWebhookConfiguration and CRDs
       kind: Certificate
       group: cert-manager.io
       version: v1
       name: serving-cert # this name should match the one in certificate.yaml
-    fieldref:
-      fieldpath: metadata.namespace
-  - name: CERTIFICATE_NAME
-    objref:
+      fieldPath: .metadata.namespace # namespace of the certificate CR
+    targets:
+      - select:
+          kind: ValidatingWebhookConfiguration
+        fieldPaths:
+          - .metadata.annotations.[cert-manager.io/inject-ca-from]
+        options:
+          delimiter: '/'
+          index: 0
+          create: true
+      - select:
+          kind: MutatingWebhookConfiguration
+        fieldPaths:
+          - .metadata.annotations.[cert-manager.io/inject-ca-from]
+        options:
+          delimiter: '/'
+          index: 0
+          create: true
+      - select:
+          kind: CustomResourceDefinition
+        fieldPaths:
+          - .metadata.annotations.[cert-manager.io/inject-ca-from]
+        options:
+          delimiter: '/'
+          index: 0
+          create: true
+  - source:
       kind: Certificate
       group: cert-manager.io
       version: v1
       name: serving-cert # this name should match the one in certificate.yaml
-  - name: SERVICE_NAMESPACE # namespace of the service
-    objref:
+      fieldPath: .metadata.name
+    targets:
+      - select:
+          kind: ValidatingWebhookConfiguration
+        fieldPaths:
+          - .metadata.annotations.[cert-manager.io/inject-ca-from]
+        options:
+          delimiter: '/'
+          index: 1
+          create: true
+      - select:
+          kind: MutatingWebhookConfiguration
+        fieldPaths:
+          - .metadata.annotations.[cert-manager.io/inject-ca-from]
+        options:
+          delimiter: '/'
+          index: 1
+          create: true
+      - select:
+          kind: CustomResourceDefinition
+        fieldPaths:
+          - .metadata.annotations.[cert-manager.io/inject-ca-from]
+        options:
+          delimiter: '/'
+          index: 1
+          create: true
+  - source: # Add cert-manager annotation to the webhook Service
       kind: Service
       version: v1
       name: webhook-service
-    fieldref:
-      fieldpath: metadata.namespace
-  - name: SERVICE_NAME
-    objref:
+      fieldPath: .metadata.name # namespace of the service
+    targets:
+      - select:
+          kind: Certificate
+          group: cert-manager.io
+          version: v1
+          name: serving-cert
+        fieldPaths:
+          - .spec.dnsNames.0
+          - .spec.dnsNames.1
+        options:
+          delimiter: '.'
+          index: 0
+          create: false
+  - source:
       kind: Service
       version: v1
       name: webhook-service
+      fieldPath: .metadata.namespace # namespace of the service
+    targets:
+      - select:
+          kind: Certificate
+          group: cert-manager.io
+          version: v1
+          name: serving-cert
+        fieldPaths:
+          - .spec.dnsNames.0
+          - .spec.dnsNames.1
+        options:
+          delimiter: '.'
+          index: 1
+          create: false
+  - source: # Prefix the certificate secret name with the name of service
+      kind: Service
+      version: v1
+      name: webhook-service
+      fieldPath: .metadata.name # namespace of the service
+    targets:
+      - select:
+          kind: Certificate
+          group: cert-manager.io
+          version: v1
+        fieldPaths:
+          - .spec.secretName
+        options:
+          delimiter: '-'
+          index: 0
+          create: false
+  - source: # Certificate secret name
+      kind: Certificate
+      group: cert-manager.io
+      version: v1
+      name: serving-cert
+      fieldPath: .spec.secretName
+    targets:
+      - select:
+          kind: Deployment
+          group: apps
+          version: v1
+          name: controller-manager
+        fieldPaths:
+          - .spec.template.spec.volumes.[name=cert].secret.secretName
 
 configurations:
   - kustomizeconfig.yaml
@@ -20,4 +20,5 @@ spec:
       - name: cert
         secret:
           defaultMode: 420
-          secretName: $(SERVICE_NAME)-cert
+          # kustomize will populate this from the Certificate secretName
+          secretName: CERT_SECRET_NAME
@@ -4,11 +4,3 @@ resources:
 
 configurations:
 - kustomizeconfig.yaml
-
-patches:
-# Inject certificate in the webhook definition.
-- target:
-    group: admissionregistration.k8s.io
-    version: v1
-    name: mutating-webhook-configuration|validating-webhook-configuration
-  path: cainjection_patch.yaml