feat: replace cert-manager webhook Certificate with CSI volume mount for TLS

Provision the webhook serving certificate through the cert-manager CSI
driver instead of a cert-manager Certificate + cainjection. The manager
mounts the cert directly from a csi.cert-manager.io volume, so there is no
standalone Certificate resource, no CA-injection wiring on the webhook
configurations, and no cluster-wide cert-manager Certificate dependency in
the production overlay.

- Remove the config/base/certmanager base (Issuer/Certificate + kustomize
  name-reference + CA-injection replacements).
- Add a generic config/components/csi-webhook-cert component that mounts
  the webhook-server-tls CSI volume on the manager Deployment. The issuer
  is intentionally left unset so each consuming overlay (or the infra repo)
  patches csi.cert-manager.io/issuer-kind and issuer-name for its
  environment.
- Drop the optional compute-webhook-cert Secret volume/mount from the base
  manager Deployment; the CSI volume now supplies serving-certs.
- single-cluster overlay: drop the certmanager base, the cainjection patch,
  and the dnsName/CA replacement blocks; wire in the csi-webhook-cert
  component instead.
- dev overlay: keep an inline self-signed Issuer + Certificate for the
  local host.docker.internal webhook (no CSI driver in the dev kind/docker
  setup) and annotate the webhook configs with inject-ca-from directly.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Author: scotwells

config/base/certmanager/certificate.yaml

@@ -66,20 +66,9 @@ spec:
         volumeMounts:
         - name: config
           mountPath: /config
-        - name: webhook-cert
-          mountPath: /tmp/k8s-webhook-server/serving-certs
-          readOnly: true
       serviceAccountName: compute
       terminationGracePeriodSeconds: 10
       volumes:
       - name: config
         configMap:
           name: compute-config
-      # Optional so the manager can run without admission webhooks: when
-      # `webhookServer:` is omitted from the server config, the binary
-      # skips the webhook server entirely and the missing Secret is fine.
-      - name: webhook-cert
-        secret:
-          secretName: compute-webhook-cert
-          defaultMode: 420
-          optional: true

config/base/certmanager/kustomization.yaml

@@ -0,0 +1,32 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+patches:
+  # Add the CSI webhook cert volume and volumeMount to the manager Deployment.
+  # The issuer (csi.cert-manager.io/issuer-kind and csi.cert-manager.io/issuer-name)
+  # must be patched in by the consuming overlay or infra repo.
+  - target:
+      kind: Deployment
+      name: compute-manager
+    patch: |-
+      apiVersion: apps/v1
+      kind: Deployment
+      metadata:
+        name: compute-manager
+      spec:
+        template:
+          spec:
+            containers:
+              - name: manager
+                volumeMounts:
+                  - name: webhook-server-tls
+                    mountPath: /tmp/k8s-webhook-server/serving-certs
+                    readOnly: true
+            volumes:
+              - name: webhook-server-tls
+                csi:
+                  driver: csi.cert-manager.io
+                  readOnly: true
+                  volumeAttributes:
+                    csi.cert-manager.io/fs-group: "65532"
+                    csi.cert-manager.io/dns-names: compute-webhook.compute-system.svc,compute-webhook.compute-system.svc.cluster.local

config/base/certmanager/kustomizeconfig.yaml

@@ -2,9 +2,4 @@ apiVersion: apiserver.config.datumapis.com/v1alpha1
 kind: WorkloadOperator
 metricsServer:
   bindAddress: "0"
-
-webhookServer:
-  tls:
-    secretRef:
-      name: compute-webhook-cert
-      namespace: kube-system
+webhookServer: {}

config/base/manager/manager.yaml

@@ -1,55 +1,29 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: compute-system
+
 resources:
   - ../../base/crd
   - ../../base/webhook
-  - ../../base/certmanager
+  - webhook-cert.yaml
 
-replacements:
-  - source:
-      kind: Certificate
-      group: cert-manager.io
-      version: v1
-      name: compute-serving-cert
-      fieldPath: .metadata.namespace
-    targets:
-      - select:
-          kind: ValidatingWebhookConfiguration
-        fieldPaths:
-          - .metadata.annotations.[cert-manager.io/inject-ca-from]
-        options:
-          delimiter: '/'
-          index: 0
-          create: true
-      - select:
-          kind: MutatingWebhookConfiguration
-        fieldPaths:
-          - .metadata.annotations.[cert-manager.io/inject-ca-from]
-        options:
-          delimiter: '/'
-          index: 0
-          create: true
-  - source:
-      kind: Certificate
-      group: cert-manager.io
-      version: v1
-      name: compute-serving-cert
-      fieldPath: .metadata.name
-    targets:
-      - select:
-          kind: ValidatingWebhookConfiguration
-        fieldPaths:
-          - .metadata.annotations.[cert-manager.io/inject-ca-from]
-        options:
-          delimiter: '/'
-          index: 1
-          create: true
-      - select:
-          kind: MutatingWebhookConfiguration
-        fieldPaths:
-          - .metadata.annotations.[cert-manager.io/inject-ca-from]
-        options:
-          delimiter: '/'
-          index: 1
-          create: true
+patches:
+  # Wire cainjector to the dev cert so the API server can verify the webhook.
+  - patch: |-
+      apiVersion: admissionregistration.k8s.io/v1
+      kind: MutatingWebhookConfiguration
+      metadata:
+        name: compute-mutating
+        annotations:
+          cert-manager.io/inject-ca-from: compute-system/compute-serving-cert
+  - patch: |-
+      apiVersion: admissionregistration.k8s.io/v1
+      kind: ValidatingWebhookConfiguration
+      metadata:
+        name: compute-validating
+        annotations:
+          cert-manager.io/inject-ca-from: compute-system/compute-serving-cert
 
 transformers:
   - webhook_patch.yaml

config/components/csi-webhook-cert/kustomization.yaml

@@ -0,0 +1,18 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: selfsigned-issuer
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: compute-serving-cert
+spec:
+  dnsNames:
+    - host.docker.internal
+  issuerRef:
+    kind: Issuer
+    name: selfsigned-issuer
+  secretName: compute-webhook-cert

config/overlays/dev/config.yaml

@@ -1,23 +1,6 @@
 ---
 apiVersion: builtin
 kind: PatchTransformer
-metadata:
-  name: webhook-cert-patch
-patch: |-
-  - op: replace
-    path: /spec/dnsNames
-    value: ["host.docker.internal"]
-  - op: replace
-    path: /spec/secretName
-    value: compute-webhook-cert
-target:
-  kind: Certificate
-  group: cert-manager.io
-  version: v1
-  name: compute-serving-cert
----
-apiVersion: builtin
-kind: PatchTransformer
 metadata:
   name: mutatingwebhook-url-patch
 patch: |-

config/overlays/dev/kustomization.yaml

@@ -9,100 +9,9 @@ resources:
   - ../../base/crd
   - ../../base/manager
   - ../../base/webhook
-  - ../../base/certmanager
 components:
   - ../../components/leader_election
   - ../../components/controller_rbac
   - ../../components/resource-metrics
   - ../../components/high-availability
-
-patches:
-- path: webhookcainjection_patch.yaml
-
-replacements:
-# Fill in SERVICE_NAME / SERVICE_NAMESPACE placeholders in the Certificate's
-# dnsNames so the cert is issued for the actual webhook Service location.
-- source:
-    kind: Service
-    version: v1
-    name: compute-webhook
-    fieldPath: .metadata.name
-  targets:
-  - select:
-      kind: Certificate
-      group: cert-manager.io
-      version: v1
-      name: compute-serving-cert
-    fieldPaths:
-    - .spec.dnsNames.0
-    - .spec.dnsNames.1
-    options:
-      delimiter: '.'
-      index: 0
-      create: true
-- source:
-    kind: Service
-    version: v1
-    name: compute-webhook
-    fieldPath: .metadata.namespace
-  targets:
-  - select:
-      kind: Certificate
-      group: cert-manager.io
-      version: v1
-      name: compute-serving-cert
-    fieldPaths:
-    - .spec.dnsNames.0
-    - .spec.dnsNames.1
-    options:
-      delimiter: '.'
-      index: 1
-      create: true
-# Wire the Certificate namespace + name into the cert-manager.io/inject-ca-from
-# annotation on the webhook configurations so cainjector populates caBundle.
-- source:
-    kind: Certificate
-    group: cert-manager.io
-    version: v1
-    name: compute-serving-cert
-    fieldPath: .metadata.namespace
-  targets:
-  - select:
-      kind: ValidatingWebhookConfiguration
-    fieldPaths:
-    - .metadata.annotations.[cert-manager.io/inject-ca-from]
-    options:
-      delimiter: '/'
-      index: 0
-      create: true
-  - select:
-      kind: MutatingWebhookConfiguration
-    fieldPaths:
-    - .metadata.annotations.[cert-manager.io/inject-ca-from]
-    options:
-      delimiter: '/'
-      index: 0
-      create: true
-- source:
-    kind: Certificate
-    group: cert-manager.io
-    version: v1
-    name: compute-serving-cert
-    fieldPath: .metadata.name
-  targets:
-  - select:
-      kind: ValidatingWebhookConfiguration
-    fieldPaths:
-    - .metadata.annotations.[cert-manager.io/inject-ca-from]
-    options:
-      delimiter: '/'
-      index: 1
-      create: true
-  - select:
-      kind: MutatingWebhookConfiguration
-    fieldPaths:
-    - .metadata.annotations.[cert-manager.io/inject-ca-from]
-    options:
-      delimiter: '/'
-      index: 1
-      create: true
+  - ../../components/csi-webhook-cert