Merge pull request #70 from damsien/main

🌱 Prevent impersonation on RU + refactor cert-injection architecture

.gitignore

@@ -28,8 +28,10 @@ go.work
 *~
 
 # cert-injector on manifests
-**/*.bak
-config/local/dev-webhook.yaml
+config/local/deploy/crd
+config/local/deploy/webhook/webhook.yaml
+config/local/run/crd
+config/local/run/webhook/webhook.yaml
 
 # developer's specific tests
 config/samples/test

Makefile

@@ -26,8 +26,10 @@ SHELL = /usr/bin/env bash -o pipefail
 
 # WEBHOOK_PATH is the path to the cluster webhook directory.
 WEBHOOK_PATH ?= config/webhook
-# DEV_WEBHOOK_PATH is the path to the local webhook directory.
-DEV_WEBHOOK_PATH ?= config/local
+# CRD_PATH is the path to the cluster crd directory.
+CRD_PATH ?= config/crd
+# DEV_LOCAL_PATH is the path to the local dev env directory.
+DEV_LOCAL_PATH ?= config/local
 
 # DYNAMIC_WEBHOOK_NAME is the name of the webhook that handle the interception logic of RemoteSyncers
 DYNAMIC_WEBHOOK_NAME ?= syngit-dynamic-remotesyncer-webhook
@@ -57,37 +59,34 @@ pre-commit-check: cleanup-tests manifests generate test lint ## Run all the test
 
 ##@ Dev environment
 
-# DEV_WEBHOOK_HOST is a IP:PORT combination. The static & dynamic webhooks will be served on this host.
-DEV_WEBHOOK_HOST ?= "172.17.0.1:9443" # 172.17.0.1 is the default docker0 bridge IP.
+# LOCALHOST_BRIDGE is a IP:PORT combination. The static & dynamic webhooks will be served on this host.
+LOCALHOST_BRIDGE ?= $(shell docker network inspect bridge --format='{{(index .IPAM.Config 0).Gateway}}') # 172.17.0.1 is the default docker0 bridge IP.for linux user
+# SYNGIT_SERVICE_NAME is the name of the Service object to serve the webhook server
+SYNGIT_SERVICE_NAME="syngit-webhook-service.syngit.svc"
+# TEMP_CERT_DIR is the path to the certificate that will be used by the webhook server.
+TEMP_CERT_DIR ?= "/tmp/k8s-webhook-server/serving-certs"
 # DEV_WEBHOOK_CERT is the path to the certificate that will be used by the webhook server.
-DEV_WEBHOOK_CERT ?= "/tmp/k8s-webhook-server/serving-certs/tls.crt"
+DEV_WEBHOOK_CERT ?= $(TEMP_CERT_DIR)/tls.crt
 
 .PHONY: run-fast
-run-fast: manifests generate fmt vet ## Run a controller from your host. No resources are installed. No resources are deleted when killed (meant to be run often).
-	export MANAGER_NAMESPACE=syngit DYNAMIC_WEBHOOK_NAME=$(DYNAMIC_WEBHOOK_NAME) DEV_MODE="true" DEV_WEBHOOK_HOST=$(DEV_WEBHOOK_HOST) DEV_WEBHOOK_CERT=$(DEV_WEBHOOK_CERT) && go run cmd/main.go
+run-fast: manifests generate fmt vet ## Run a controller from your host. Install CRDs & webhooks if does not exists. No resources are deleted when killed (meant to be run often).
+	@if ! kubectl get crd remoteusers.syngit.io &> /dev/null; then \
+		make install-crds && make setup-webhooks-for-run; \
+	fi
+	export MANAGER_NAMESPACE=syngit DYNAMIC_WEBHOOK_NAME=$(DYNAMIC_WEBHOOK_NAME) DEV_MODE="true" DEV_WEBHOOK_HOST=$(LOCALHOST_BRIDGE) DEV_WEBHOOK_PORT=9443 DEV_WEBHOOK_CERT=$(DEV_WEBHOOK_CERT) && go run cmd/main.go
 
 .PHONY: run
-run: manifests generate fmt vet install-crds install-dev-webhooks ## Install CRDs, webhooks & run a controller from your host. All resources are deleted when killed.
-	export MANAGER_NAMESPACE=syngit DYNAMIC_WEBHOOK_NAME=$(DYNAMIC_WEBHOOK_NAME) DEV_MODE="true" DEV_WEBHOOK_HOST=$(DEV_WEBHOOK_HOST) DEV_WEBHOOK_CERT=$(DEV_WEBHOOK_CERT) && \
+run: manifests generate fmt vet install-crds setup-webhooks-for-run ## Install CRDs, webhooks & run a controller from your host. All resources are deleted when killed.
+	export MANAGER_NAMESPACE=syngit DYNAMIC_WEBHOOK_NAME=$(DYNAMIC_WEBHOOK_NAME) DEV_MODE="true" DEV_WEBHOOK_HOST=$(LOCALHOST_BRIDGE) DEV_WEBHOOK_PORT=9443 DEV_WEBHOOK_CERT=$(DEV_WEBHOOK_CERT) && \
 	{ \
 		trap 'echo "Cleanup resources"; make cleanup-run; exit' SIGINT; \
 		go run cmd/main.go; \
 	}
 
-.PHONY: run-full
-run-full: manifests generate fmt vet install-crds install-dev-webhooks ## Install CRDs, webhooks & run a controller from your host. No resources are deleted when killed (meant to be run often).
-	export MANAGER_NAMESPACE=syngit DYNAMIC_WEBHOOK_NAME=$(DYNAMIC_WEBHOOK_NAME) DEV_MODE="true" DEV_WEBHOOK_HOST=$(DEV_WEBHOOK_HOST) DEV_WEBHOOK_CERT=$(DEV_WEBHOOK_CERT) && go run cmd/main.go
-
 .PHONY: cleanup-run
-cleanup-run: uninstall-crds uninstall-dev-webhooks ## Cleanup the resources created by run-fast or run-full.
+cleanup-run: uninstall-crds cleanup-webhooks-for-run ## Cleanup the resources created by run-fast.
 	kubectl delete validatingwebhookconfigurations.admissionregistration.k8s.io syngit-dynamic-remotesyncer-webhook || true
 
-.PHONY: delete-certs
-delete-certs: ## Delete the temporary certificates for the webhook (/tmp/k8s-webhook-server/serving-certs).
-	cd $(WEBHOOK_PATH) && ./cleanup-injector.sh . || true
-	cd $(DEV_WEBHOOK_PATH) && ./cleanup-injector.sh . || true
-	rm -rf /tmp/k8s-webhook-server/serving-certs
-
 ##@ Development
 
 .PHONY: manifests
@@ -112,9 +111,9 @@ vet: ## Run go vet against code.
 test: test-controller test-build-deploy test-behavior test-chart-install test-chart-upgrade ## Run all the tests.
 
 .PHONY: test-controller
-test-controller: manifests generate fmt vet envtest install-dev-webhooks ## Run tests embeded in the controller package & webhook package.
+test-controller: manifests generate fmt vet envtest setup-webhooks-for-run ## Run tests embeded in the controller package & webhook package.
 	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(LOCALBIN) -p path)" go test $$(go list ./... | grep -v /e2e) -coverprofile cover.out
-	make cleanup-run
+	make cleanup-webhooks-for-run
 
 .PHONY: test-build-deploy
 test-build-deploy: ## Run tests to build the Docker image and deploy all the manifests.
@@ -126,19 +125,20 @@ DEPREACTED_API_VERSIONS = $(shell go list ./... | grep -oP 'v\d+\w+\d+' | sort -
 COVERPKG = $(shell go list ./... | grep -v 'test' | grep -v -E "$(DEPREACTED_API_VERSIONS)" | paste -sd "," -)
 
 .PHONY: test-behavior
-test-behavior: ## Install the test env (gitea). Run the behavior tests against a Kind k8s instance that is spun up. Cleanup when finished.
+test-behavior: cleanup-tests ## Install the test env (gitea). Run the behavior tests against a Kind k8s instance that is spun up. Cleanup when finished.
 	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(LOCALBIN) -p path)" go test ./test/e2e/syngit -v -ginkgo.v -cover -coverpkg=$(COVERPKG)
 
 .PHONY: fast-behavior
 fast-behavior: ## Install the test env if not already installed. Run the behavior tests against a Kind k8s instance that is spun up. Does not cleanup when finished (meant to be run often).
 	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(LOCALBIN) -p path)" go test ./test/e2e/syngit -v -ginkgo.v -cover -coverpkg=$(COVERPKG) -setup fast
 
 .PHONY: cleanup-tests
-cleanup-tests: cleanup-run ## Uninstall all the charts needed for the tests.
+cleanup-tests: ## Uninstall all the charts needed for the tests.
 	helm uninstall -n syngit syngit || true
 	helm uninstall -n cert-manager cert-manager || true
 	helm uninstall -n saturn gitea || true
 	helm uninstall -n jupyter gitea || true
+	./hack/webhooks/cleanup-injector.sh $(TEMP_CERT_DIR) || true
 
 .PHONY: test-chart-install
 test-chart-install: ## Run tests to install the chart.
@@ -210,36 +210,55 @@ endif
 install-crds: manifests kustomize ## Install CRDs into the K8s cluster specified in ~/.kube/config.
 	$(KUSTOMIZE) build config/crd | $(KUBECTL) apply -f -
 
-.PHONY: install-dev-webhooks
-install-dev-webhooks: manifests kustomize ## Deploy dev webhooks using the docker bridge host into the K8s cluster specified in ~/.kube/config.
-	./$(DEV_WEBHOOK_PATH)/generate-dev-webhook.sh $(WEBHOOK_PATH)/manifests.yaml $(DEV_WEBHOOK_PATH)/dev-webhook.yaml $(DEV_WEBHOOK_HOST)
-	cd $(DEV_WEBHOOK_PATH) && ./cert-injector.sh .
-	$(KUSTOMIZE) build $(DEV_WEBHOOK_PATH) | $(KUBECTL) apply -f -
-
 .PHONY: uninstall-crds
 uninstall-crds: manifests kustomize ## Uninstall CRDs from the K8s cluster specified in ~/.kube/config.
 	$(KUSTOMIZE) build config/crd | $(KUBECTL) delete --ignore-not-found=$(ignore-not-found) -f -
 
-.PHONY: uninstall-dev-webhooks
-uninstall-dev-webhooks: manifests kustomize ## Undeploy dev webhooks using the docker bridge host into the K8s cluster specified in ~/.kube/config.
-	cd $(DEV_WEBHOOK_PATH) && ./cleanup-injector.sh . || true
-	$(KUSTOMIZE) build $(DEV_WEBHOOK_PATH) | $(KUBECTL) delete -f - || true
-	rm $(DEV_WEBHOOK_PATH)/dev-webhook.yaml || true
-
 .PHONY: deploy
 deploy: manifests kustomize ## Deploy syngit to the K8s cluster specified in ~/.kube/config.
 	cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}
-	cd $(WEBHOOK_PATH) && ./cert-injector.sh .
 	$(KUSTOMIZE) build config/default | $(KUBECTL) apply -f -
+	make setup-webhooks-for-deploy
 
 .PHONY: undeploy
-undeploy: kustomize ## Undeploy syngit from the K8s cluster specified in ~/.kube/config. Can be use after deploy or deploy-all.
-	cd $(WEBHOOK_PATH) && ./cleanup-injector.sh . || true
+undeploy: kustomize cleanup-webhooks-for-deploy ## Undeploy syngit from the K8s cluster specified in ~/.kube/config. Can be use after deploy or deploy-all.
 	$(KUSTOMIZE) build config/default | $(KUBECTL) delete --ignore-not-found=$(ignore-not-found) -f -
 
 .PHONY: deploy-all
 deploy-all: kind-create-cluster docker-build kind-load-image cleanup-tests deploy # Create the dev cluster, build the image, load it in the cluster and deploy syngit.
 
+##@ Webhook injection
+
+.PHONY: setup-webhooks-for-run
+setup-webhooks-for-run: manifests kustomize ## Setup webhooks using auto-generated certs & docker bridge host (make run).
+	./hack/webhooks/cert-injector.sh $(WEBHOOK_PATH) $(CRD_PATH) $(DEV_LOCAL_PATH)/run $(TEMP_CERT_DIR) $(LOCALHOST_BRIDGE)
+	./hack/webhooks/run/inject-for-run.sh $(LOCALHOST_BRIDGE)
+	$(KUSTOMIZE) build $(DEV_LOCAL_PATH)/run | $(KUBECTL) apply -f -
+
+.PHONY: cleanup-webhooks-for-run
+cleanup-webhooks-for-run: manifests kustomize ## Cleanup webhooks using auto-generated certs & docker bridge host (make run).
+	$(KUSTOMIZE) build $(DEV_LOCAL_PATH)/run | $(KUBECTL) delete --ignore-not-found=$(ignore-not-found) -f -
+	./hack/webhooks/cleanup-injector.sh $(TEMP_CERT_DIR) || true
+
+.PHONY: setup-webhooks-for-deploy
+setup-webhooks-for-deploy: manifests kustomize ## Setup webhooks using auto-generated certs (make deploy).
+	./hack/webhooks/cert-injector.sh $(WEBHOOK_PATH) $(CRD_PATH) $(DEV_LOCAL_PATH)/deploy $(TEMP_CERT_DIR) $(SYNGIT_SERVICE_NAME)
+	./hack/webhooks/deploy/inject-for-deploy.sh $(TEMP_CERT_DIR) $(WEBHOOK_PATH)
+	$(KUSTOMIZE) build $(DEV_LOCAL_PATH)/deploy | $(KUBECTL) apply -f -
+
+.PHONY: cleanup-webhooks-for-deploy
+cleanup-webhooks-for-deploy: manifests kustomize ## Cleanup webhooks using auto-generated certs (make deploy).
+	$(KUSTOMIZE) build $(DEV_LOCAL_PATH)/deploy | $(KUBECTL) delete --ignore-not-found=$(ignore-not-found) -f -
+	./hack/webhooks/cleanup-injector.sh $(TEMP_CERT_DIR) || true
+
+.PHONY: force-cleanup
+force-cleanup: ## Force cleanup of the resources (for dev purpose)
+	$(KUBECTL) delete crd remotesyncers.syngit.io --ignore-not-found=$(ignore-not-found)
+	$(KUBECTL) delete crd remoteusers.syngit.io --ignore-not-found=$(ignore-not-found)
+	$(KUBECTL) delete crd remoteuserbindings.syngit.io --ignore-not-found=$(ignore-not-found)
+	$(KUBECTL) delete validatingwebhookconfigurations.admissionregistration.k8s.io syngit-dynamic-remotesyncer-webhook --ignore-not-found=$(ignore-not-found)
+	./hack/webhooks/cleanup-injector.sh $(TEMP_CERT_DIR) || true
+
 ##@ KinD & Helm
 
 # BEFORE_LATEST_CHART is the chart version before the latest one listed in the charts/ folder.

config/default/manager_webhook_patch.yaml

@@ -20,4 +20,4 @@ spec:
       - name: cert
         secret:
           defaultMode: 420
-          secretName: webhook-server-cert
+          secretName: syngit-webhook-server-cert

config/local/deploy/kustomization.yaml

@@ -0,0 +1,8 @@
+resources:
+- crd
+- webhook
+- service.yaml
+
+namespace: syngit
+
+namePrefix: syngit-

config/local/deploy/service.yaml

@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/name: service
+    app.kubernetes.io/instance: webhook-service
+    app.kubernetes.io/component: webhook
+    app.kubernetes.io/created-by: syngit
+    app.kubernetes.io/part-of: syngit
+    app.kubernetes.io/managed-by: kustomize
+  name: webhook-service
+  namespace: system
+spec:
+  ports:
+    - port: 443
+      protocol: TCP
+      targetPort: 9443
+  selector:
+    control-plane: controller-manager

config/local/deploy/webhook/kustomization.yaml

@@ -0,0 +1,3 @@
+resources:
+- webhook.yaml
+- secret.yaml

config/local/deploy/webhook/secret.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: webhook-server-cert
+  namespace: system
+type: kubernetes.io/tls
+data:
+  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURHRENDQWdDZ0F3SUJBZ0lVR1A5QXJDLytXQmRKeFB4ejZJdEd1dU9qNWhZd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0RURUxNQWtHQTFVRUJoTUNRVlV3SGhjTk1qVXdNVEV5TWpFME5UVTRXaGNOTWpZd01URXlNakUwTlRVNApXakFOTVFzd0NRWURWUVFHRXdKQlZUQ0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCCkFKRzdXL3V1akJjeHpLUUwxditRc3FOTk9CT2NMYU9rV21pWmlEemVPYUJWNHh3bjRQT0RuTVFNT0I5MW5WUEoKayt1blFOUHd1QUFTL2lPYzZZeit4M1lSMUZ2Z01xTHBGTU1aOXJFQjRzcjdKbHNQSlhoWWN1aEJTQXBzdnV6cgpJM1V3eEZUQVBGVE15MjJFcGp2cFlXSG9YV1lQem9xNnlub1BhWkhsWGI1d1E3SUZqMWlBWng4aTFMN3hVM0pCCkZzZHRGTk9BaEx3UUt2NUhGM24vK3gyRU5nMVhJcnR6dWZvMXBFTzR2N1B0TlI5eW53bjV1c1poTHB3SWxPVnoKSlp5aDFBK3p0amhVZFdXa0RkR21yRFpvb3gxbzh2YzQ5czlmRDZhNm05dmtWWm11dFdrM0lveGlvcmlWcTFYWQoyR2ptUlNKQzR1ZEtJTGpHZi9zcVQ1a0NBd0VBQWFOd01HNHdMQVlEVlIwUkJDVXdJNEloYzNsdVoybDBMWGRsClltaHZiMnN0YzJWeWRtbGpaUzV6ZVc1bmFYUXVjM1pqTUIwR0ExVWREZ1FXQkJRQUZoTHBuYmh3VzFQMEYxbFUKbDZPcWpEZkhmREFmQmdOVkhTTUVHREFXZ0JSdXRqNzdpV2xOcWNveFc0TUhOSStTN3BvZXlqQU5CZ2txaGtpRwo5dzBCQVFzRkFBT0NBUUVBWWZJbWUwQnBMN1Z5RWNtYUJMK1VEVU0rNmpwR2M2TkN0ZVhjUkI0UkhmZm83OVdKCi9rMmI0eCt0K0pGb0EybUh5b2Z2b0huUVVKdkhqS0xSRklNR2hHVXJmQ1lKRmRQUWo0YmNrSmlpQnN1R3JSTG4KM2VkZWhYVklSUFBpeWN2ZUc0bGNCcUNBck5mZFVRUHg5aTl6KzkxN2h4bGl3NGRxZ2IrTWMyWk96L3RMWEtqOApUK2xBdUxZOFQ5cytOVTZWZnpXb3VqQ05lMzdTak4weUl1ZEQ2TFd5MWdDZi9ZaS9xcjRwUnBrT3J6cTF0aGFLCjZDTHZnVFZtSk9WWFJDN3dnai90YTYyQ0Y0d0lENWF3dmhtYzM4NmpnYzNMbjZXSlVCMkhxc0JjdWl2eTFSbUoKZHBZZVNFVGxvUy9KWjdZVnpId011bG4yMmQ0cmc4bDkvTjdneUE9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
+  tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2UUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktjd2dnU2pBZ0VBQW9JQkFRQ1J1MXY3cm93WE1jeWsKQzliL2tMS2pUVGdUbkMyanBGcG9tWWc4M2ptZ1ZlTWNKK0R6ZzV6RUREZ2ZkWjFUeVpQcnAwRFQ4TGdBRXY0agpuT21NL3NkMkVkUmI0REtpNlJUREdmYXhBZUxLK3laYkR5VjRXSExvUVVnS2JMN3M2eU4xTU1SVXdEeFV6TXR0CmhLWTc2V0ZoNkYxbUQ4Nkt1c3A2RDJtUjVWMitjRU95Qlk5WWdHY2ZJdFMrOFZOeVFSYkhiUlRUZ0lTOEVDcisKUnhkNS8vc2RoRFlOVnlLN2M3bjZOYVJEdUwrejdUVWZjcDhKK2JyR1lTNmNDSlRsY3lXY29kUVBzN1k0VkhWbApwQTNScHF3MmFLTWRhUEwzT1BiUFh3K211cHZiNUZXWnJyVnBOeUtNWXFLNGxhdFYyTmhvNWtVaVF1TG5TaUM0CnhuLzdLaytaQWdNQkFBRUNnZ0VBQldrMjRqNlNCRXIwc1pzZ2I2TU9aUGFaS0U0K1doTUFTZDI0ZzZVUEwvTTgKY0dkUktJMkltTFZvOEk4WUNUeEU5aVVpeUxQSml6UXBWRVp2WEEwNk4vbXp3RGtQL0VGS0JHLytlMFpLQnRZaQpMNU9kaFMxSWovUGJra3FGSU13ZXlBdElZT3ExMnNLelkzUy9UTjV1bjVsbWZXT0ZIRnpRNTQwU3N3aDRqWGwwCmhVWjRMTko4aks4RXhmTStqT0ZlNGR4RzhGcXlEZERNbldtMm5ubjRUc0dOWWZUVnErK1hwc0xybGJEbTJrQUYKQ1VxbkRHTXVEL0V0TzlhSlFieUkrcStwemt6em1uL3hmR1RUZHJwVjVpbEVIUGVvTk9uSEczNWYvcWFEakdHRgplRkpTUGIzK0VoWUVQRVJiQzZ5QmdUMU9vdEdRYzQ3ZjNnN0w4Zld4c1FLQmdRRE5RMGVRdFJLWmx6K2lyYjdYCjhhZkhDWXVab2FnMG1BVTFRczNFOCthOEdOcTN4Z3Zwc0haaWIrVTJyRjBRUFRCaFd4OXczK3NzUHBJdGdNNmMKRjNtSDlnQTQyY3J1SWZwNWk5MzVaRUhoYUlnRFVUNXRPYy93bExESlVwVWZQaWs4bFJpOWJtdXpaQXlJYnV2Mgo1WEdMSjdud1V1NDBNYlJhUExzQjgrSThDUUtCZ1FDMXdRMU1FN3JneDBDYm1sZHNDWlVXditiL3phTXg0V0txCjZRRjNPRTNsb3haV2s0c3NWbUUxNC9kcWFRZk9wQWN3Y2VRZzNXNXhLblJrYmlOVWVWeFFTaTZEcVhMT1JlekkKckU1Y0hqSkxVdkZWL0ZqbUlCZktzZURkb3AxRVBPK21SVGRLdXBVck5zcnNnZWszQ0g4UEd5S3hJNkZtYjBaVAovWmxmVHV4N0VRS0JnRSsvVWZDZ3lRY3ZRaVA4Q09keEZkUTRteW9uS21pMG4yRmdBUDRDSEtUN3F3NDNQYTJmClIzOWJKZHlsL3NvdVc3dVhZWkhERFdWMU1lbkgzMzI1aVJnUHRXcGhBM3lkYXVrS05FV09kQ0lWTUxMSlA4M0QKNWt2OEdPcyswSDBBODVoNy9NNnNOZC9PZ1NnSW9GaWVNQXoyZEVFd2x5ZGtJRVBtMEdranpjT3hBb0dBZUphLwpsY3c1WDAyVUJpbGUrMlZZTDZIZlI3Vk9JNWdnZUxqanFoQUhUdWJudVVWblAyR0lXZE1Jb3VkUXNMK1ByWXJECkN6TWZSYUlmVzByZjBmbzdUMklJZm41OGwzTTVhT001a2xET21iOU1NL3FibVFPT0JZUURaOG11Z2tuVHp3TjUKYmZGaGF5eU5jbUczTkRaRTV1YmdHNXRDU001bllPNlBSZmI5VzZFQ2dZRUFzZmswNXRvLzJZKzczSDJNZjJPZAp5YXBtZkZEMldFckg3WXozb3ZadGQxTXBFdllHcUZlTEtJemJ6aCswUG5GdC9qTm1renhhRmxVZ0s2YlMza0dGCjFsTUhEL2Uyb2NRR3Y5VXJDcmNOR1lUTGhXYjd4cTB6UzJoM1VLc1pPdWxnK1pjTXZ2VWw5YzZXN0RUYjZFMTIKcFpheklGZWtyRHVwREhYNE5POFdZM289Ci0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K

config/local/run/kustomization.yaml

@@ -0,0 +1,3 @@
+resources:
+- crd
+- webhook

config/local/run/webhook/kustomization.yaml

@@ -0,0 +1,2 @@
+resources:
+- webhook.yaml