Allow custom signer signingCA to specify namespace in addOnTemplate (#350)

zhujian7 · web-flow · commit b62746ae96d4 · 2024-12-09T02:52:32.000Z
Signed-off-by: zhujian &lt;jiazhu@redhat.com&gt;
diff --git a/addon/v1alpha1/0000_03_addon.open-cluster-management.io_addontemplates.crd.yaml b/addon/v1alpha1/0000_03_addon.open-cluster-management.io_addontemplates.crd.yaml
@@ -372,15 +372,19 @@ spec:
                         signingCA:
                           description: |-
                             SigningCA represents the reference of the secret on the hub cluster to sign the CSR
-                            the secret must be in the namespace where the addon-manager is located, and the secret
-                            type must be "kubernetes.io/tls"
+                            the secret type must be "kubernetes.io/tls"
                             Note: The addon manager will not have permission to access the secret by default, so
-                            the user must grant the permission to the addon manager(by creating rolebinding for
-                            the addon-manager serviceaccount "addon-manager-controller-sa").
+                            the user must grant the permission to the addon manager(by creating rolebinding/clusterrolebinding
+                            for the addon-manager serviceaccount "addon-manager-controller-sa").
                           properties:
                             name:
                               description: Name of the signing CA secret
                               type: string
+                            namespace:
+                              description: Namespace of the signing CA secret, the
+                                namespace of the addon-manager will be used if it
+                                is not set.
+                              type: string
                           required:
                           - name
                           type: object
diff --git a/addon/v1alpha1/types_addontemplate.go b/addon/v1alpha1/types_addontemplate.go
@@ -170,11 +170,10 @@ type CustomSignerRegistrationConfig struct {
 	Subject *Subject `json:"subject,omitempty"`
 
 	// SigningCA represents the reference of the secret on the hub cluster to sign the CSR
-	// the secret must be in the namespace where the addon-manager is located, and the secret
-	// type must be "kubernetes.io/tls"
+	// the secret type must be "kubernetes.io/tls"
 	// Note: The addon manager will not have permission to access the secret by default, so
-	// the user must grant the permission to the addon manager(by creating rolebinding for
-	// the addon-manager serviceaccount "addon-manager-controller-sa").
+	// the user must grant the permission to the addon manager(by creating rolebinding/clusterrolebinding
+	// for the addon-manager serviceaccount "addon-manager-controller-sa").
 	// +kubebuilder:validation:Required
 	SigningCA SigningCARef `json:"signingCA"`
 }
@@ -185,6 +184,9 @@ type SigningCARef struct {
 	// Name of the signing CA secret
 	// +kubebuilder:validation:Required
 	Name string `json:"name"`
+	// Namespace of the signing CA secret, the namespace of the addon-manager will be used if it is not set.
+	// +optional
+	Namespace string `json:"namespace,omitempty"`
 }
 
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
diff --git a/addon/v1alpha1/zz_generated.swagger_doc_generated.go b/addon/v1alpha1/zz_generated.swagger_doc_generated.go
