(kustomize/v2, go/v4): Fix ca injection for conversion webhooks

The CA injection patch has **not** worked for `go/v4` and `kustomize/v2` (release `3.5.0`) due to the need to replace `vars` with `replacements`, as `vars` are no longer supported in the latest major versions of Kustomize.

However, since webhook `--conversion` was an incomplete feature until the upcoming Kubebuilder future release `v4.4.0` (where [PR #4254](#4254) is expected to be merged), users likely didn’t encounter this issue or addressed it manually by fixing the scaffold.

**Note:** This change only affects projects that require a **conversion webhook**.

Author: camilamacedo86

.github/workflows/test-e2e-samples.yml

@@ -41,7 +41,9 @@ jobs:
         run: |
           KUSTOMIZATION_FILE_PATH="testdata/project-v4/config/default/kustomization.yaml"
           sed -i '25s/^#//' $KUSTOMIZATION_FILE_PATH
-          sed -i '50,177s/^#//' $KUSTOMIZATION_FILE_PATH
+          # Uncomment all cert-manager injections
+          sed -i '50,172s/^#//' $KUSTOMIZATION_FILE_PATH
+          sed -i '174,198s/^#//' $KUSTOMIZATION_FILE_PATH
           cd testdata/project-v4/
           go mod tidy
 
@@ -81,9 +83,12 @@ jobs:
           KUSTOMIZATION_FILE_PATH="testdata/project-v4-with-plugins/config/default/kustomization.yaml"
           sed -i '25s/^#//' $KUSTOMIZATION_FILE_PATH
           # Uncomment only ValidatingWebhookConfiguration
-          # from cert-manager replaces
-          sed -i '50,116s/^#//' $KUSTOMIZATION_FILE_PATH
-          sed -i '148,177s/^#//' $KUSTOMIZATION_FILE_PATH
+          # from cert-manager replaces; we are leaving defaulting uncommented
+          # since this sample has no defaulting webhooks
+          sed -i '50,155s/^#//' $KUSTOMIZATION_FILE_PATH
+          # Uncomment only --conversion webhooks CA injection
+          sed -i '144,163s/^#//' $KUSTOMIZATION_FILE_PATH
+          sed -i '165,180s/^#//' $KUSTOMIZATION_FILE_PATH
           cd testdata/project-v4-with-plugins/
           go mod tidy
 

docs/book/src/cronjob-tutorial/testdata/project/config/crd/kustomization.yaml

@@ -6,15 +6,11 @@ resources:
 # +kubebuilder:scaffold:crdkustomizeresource
 
 patches:
-# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix.
+# [WEBHOOK] To enable webhooks, uncomment all the sections with [WEBHOOK] prefix.
 # patches here are for enabling the conversion webhook for each CRD
 # +kubebuilder:scaffold:crdkustomizewebhookpatch
 
-# [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix.
-# patches here are for enabling the CA injection for each CRD
-# +kubebuilder:scaffold:crdkustomizecainjectionpatch
-
 # [WEBHOOK] To enable webhook, uncomment the following section
 # the following config is for teaching kustomize how to do kustomization for CRDs.
-#configurations:
-#- kustomizeconfig.yaml
+configurations:
+- kustomizeconfig.yaml

docs/book/src/cronjob-tutorial/testdata/project/config/default/kustomization.yaml

@@ -151,27 +151,13 @@ replacements:
 #     version: v1
 #     name: serving-cert # This name should match the one in certificate.yaml
 #     fieldPath: .metadata.namespace # Namespace of the certificate CR
-#   targets:
-#     - select:
-#         kind: CustomResourceDefinition
-#       fieldPaths:
-#         - .metadata.annotations.[cert-manager.io/inject-ca-from]
-#       options:
-#         delimiter: '/'
-#         index: 0
-#         create: true
+#   targets: # Do not remove or uncomment the following scaffold marker; required to generate code for target CRD.
+# +kubebuilder:scaffold:crdkustomizecainjectionns
 # - source:
 #     kind: Certificate
 #     group: cert-manager.io
 #     version: v1
 #     name: serving-cert # This name should match the one in certificate.yaml
 #     fieldPath: .metadata.name
-#   targets:
-#     - select:
-#         kind: CustomResourceDefinition
-#       fieldPaths:
-#         - .metadata.annotations.[cert-manager.io/inject-ca-from]
-#       options:
-#         delimiter: '/'
-#         index: 1
-#         create: true
+#   targets: # Do not remove or uncomment the following scaffold marker; required to generate code for target CRD.
+# +kubebuilder:scaffold:crdkustomizecainjectionname

docs/book/src/getting-started/testdata/project/config/crd/kustomization.yaml

@@ -6,15 +6,11 @@ resources:
 # +kubebuilder:scaffold:crdkustomizeresource
 
 patches:
-# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix.
+# [WEBHOOK] To enable webhooks, uncomment all the sections with [WEBHOOK] prefix.
 # patches here are for enabling the conversion webhook for each CRD
 # +kubebuilder:scaffold:crdkustomizewebhookpatch
 
-# [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix.
-# patches here are for enabling the CA injection for each CRD
-# +kubebuilder:scaffold:crdkustomizecainjectionpatch
-
 # [WEBHOOK] To enable webhook, uncomment the following section
 # the following config is for teaching kustomize how to do kustomization for CRDs.
-#configurations:
-#- kustomizeconfig.yaml
+configurations:
+- kustomizeconfig.yaml

docs/book/src/getting-started/testdata/project/config/default/kustomization.yaml

@@ -151,27 +151,13 @@ patches:
 #     version: v1
 #     name: serving-cert # This name should match the one in certificate.yaml
 #     fieldPath: .metadata.namespace # Namespace of the certificate CR
-#   targets:
-#     - select:
-#         kind: CustomResourceDefinition
-#       fieldPaths:
-#         - .metadata.annotations.[cert-manager.io/inject-ca-from]
-#       options:
-#         delimiter: '/'
-#         index: 0
-#         create: true
+#   targets: # Do not remove or uncomment the following scaffold marker; required to generate code for target CRD.
+# +kubebuilder:scaffold:crdkustomizecainjectionns
 # - source:
 #     kind: Certificate
 #     group: cert-manager.io
 #     version: v1
 #     name: serving-cert # This name should match the one in certificate.yaml
 #     fieldPath: .metadata.name
-#   targets:
-#     - select:
-#         kind: CustomResourceDefinition
-#       fieldPaths:
-#         - .metadata.annotations.[cert-manager.io/inject-ca-from]
-#       options:
-#         delimiter: '/'
-#         index: 1
-#         create: true
+#   targets: # Do not remove or uncomment the following scaffold marker; required to generate code for target CRD.
+# +kubebuilder:scaffold:crdkustomizecainjectionname

docs/book/src/multiversion-tutorial/testdata/project/config/crd/kustomization.yaml

@@ -6,16 +6,11 @@ resources:
 # +kubebuilder:scaffold:crdkustomizeresource
 
 patches:
-# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix.
+# [WEBHOOK] To enable webhooks, uncomment all the sections with [WEBHOOK] prefix.
 # patches here are for enabling the conversion webhook for each CRD
 - path: patches/webhook_in_cronjobs.yaml
 # +kubebuilder:scaffold:crdkustomizewebhookpatch
 
-# [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix.
-# patches here are for enabling the CA injection for each CRD
-#- path: patches/cainjection_in_cronjobs.yaml
-# +kubebuilder:scaffold:crdkustomizecainjectionpatch
-
 # [WEBHOOK] To enable webhook, uncomment the following section
 # the following config is for teaching kustomize how to do kustomization for CRDs.
 configurations:

docs/book/src/multiversion-tutorial/testdata/project/config/crd/patches/cainjection_in_cronjobs.yaml

@@ -144,34 +144,38 @@ replacements:
          delimiter: '/'
          index: 1
          create: true
-
+#
  - source: # Uncomment the following block if you have a ConversionWebhook (--conversion)
      kind: Certificate
      group: cert-manager.io
      version: v1
      name: serving-cert # This name should match the one in certificate.yaml
      fieldPath: .metadata.namespace # Namespace of the certificate CR
-   targets:
+   targets: # Do not remove or uncomment the following scaffold marker; required to generate code for target CRD.
      - select:
          kind: CustomResourceDefinition
+         name: cronjobs.batch.tutorial.kubebuilder.io
        fieldPaths:
          - .metadata.annotations.[cert-manager.io/inject-ca-from]
        options:
          delimiter: '/'
          index: 0
          create: true
+# +kubebuilder:scaffold:crdkustomizecainjectionns
  - source:
      kind: Certificate
      group: cert-manager.io
      version: v1
      name: serving-cert # This name should match the one in certificate.yaml
      fieldPath: .metadata.name
-   targets:
+   targets: # Do not remove or uncomment the following scaffold marker; required to generate code for target CRD.
      - select:
          kind: CustomResourceDefinition
+         name: cronjobs.batch.tutorial.kubebuilder.io
        fieldPaths:
          - .metadata.annotations.[cert-manager.io/inject-ca-from]
        options:
          delimiter: '/'
          index: 1
          create: true
+# +kubebuilder:scaffold:crdkustomizecainjectionname

docs/book/src/multiversion-tutorial/testdata/project/config/default/kustomization.yaml

@@ -95,17 +95,74 @@ properly registered with the manager, so that the controller can reconcile the r
 
 ## List of `+kubebuilder:scaffold` Markers
 
-| Marker                                     | Usual Location               | Function                                                                        |
-|--------------------------------------------|------------------------------|---------------------------------------------------------------------------------|
-| `+kubebuilder:scaffold:imports`            | `main.go`                    | Marks where imports for new controllers, webhooks, or APIs should be injected.   |
-| `+kubebuilder:scaffold:scheme`             | `init()` in `main.go`         | Used to add API versions to the scheme for runtime.                             |
-| `+kubebuilder:scaffold:builder`            | `main.go`                    | Marks where new controllers should be registered with the manager.              |
-| `+kubebuilder:scaffold:webhook`            | `webhooks suite tests` files  | Marks where webhook setup functions are added.                                  |
-| `+kubebuilder:scaffold:crdkustomizeresource`| `config/crd`                 | Marks where CRD custom resource patches are added.                              |
-| `+kubebuilder:scaffold:crdkustomizewebhookpatch` | `config/crd`              | Marks where CRD webhook patches are added.                                      |
-| `+kubebuilder:scaffold:crdkustomizecainjectionpatch` | `config/crd`           | Marks where CA injection patches are added for the webhook.                     |
-| `+kubebuilder:scaffold:manifestskustomizesamples` | `config/samples`           | Marks where Kustomize sample manifests are injected.                            |
-| `+kubebuilder:scaffold:e2e-webhooks-checks` | `test/e2e`                   | Adds e2e checks for webhooks depending on the types of webhooks scaffolded.      |
+| Marker                                                                         | Usual Location               | Function                                                                                                                                                                               |
+|--------------------------------------------------------------------------------|------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `+kubebuilder:scaffold:imports`                                                | `main.go`                    | Marks where imports for new controllers, webhooks, or APIs should be injected.                                                                                                         |
+| `+kubebuilder:scaffold:scheme`                                                 | `init()` in `main.go`        | Used to add API versions to the scheme for runtime.                                                                                                                                    |
+| `+kubebuilder:scaffold:builder`                                                | `main.go`                    | Marks where new controllers should be registered with the manager.                                                                                                                     |
+| `+kubebuilder:scaffold:webhook`                                                | `webhooks suite tests` files | Marks where webhook setup functions are added.                                                                                                                                         |
+| `+kubebuilder:scaffold:crdkustomizeresource`                                   | `config/crd`                 | Marks where CRD custom resource patches are added.                                                                                                                                     |
+| `+kubebuilder:scaffold:crdkustomizewebhookpatch`                               | `config/crd`                 | Marks where CRD webhook patches are added.                                                                                                                                             |
+| `+kubebuilder:scaffold:crdkustomizecainjectionns`                            | `config/default`             | Marks where CA injection patches are added for the conversion webhooks.                                                                                                                |
+| `+kubebuilder:scaffold:crdkustomizecainjectioname`                           | `config/default`             | Marks where CA injection patches are added for the conversion webhooks.                                                                                                                |
+| `+kubebuilder:scaffold:manifestskustomizesamples`                              | `config/samples`             | Marks where Kustomize sample manifests are injected.                                                                                                                                   |
+| `+kubebuilder:scaffold:e2e-webhooks-checks`                                    | `test/e2e`                   | Adds e2e checks for webhooks depending on the types of webhooks scaffolded.                                                                                                            |
+| **(No longer supported)** `+kubebuilder:scaffold:crdkustomizecainjectionpatch` | `config/crd`                 | Marks where CA injection patches are added for the webhooks. Replaced by `+kubebuilder:scaffold:crdkustomizecainjectionns` and `+kubebuilder:scaffold:crdkustomizecainjectioname`  |
+
+<aside class="note warning">
+<h1> **(No longer supported)** `+kubebuilder:scaffold:crdkustomizecainjectionpatch` </h1>
+
+If you find this marker in your code please:
+
+1. **Remove the CERTMANAGER Section from `config/crd/kustomization.yaml`:**
+
+   Delete the `CERTMANAGER` section to prevent unintended CA injection patches for CRDs. Ensure the following lines are removed or commented out:
+
+   ```yaml
+   # [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix.
+   # patches here are for enabling the CA injection for each CRD
+   #- path: patches/cainjection_in_firstmates.yaml
+   # +kubebuilder:scaffold:crdkustomizecainjectionpatch
+   ```
+
+2. **Ensure CA Injection Configuration in `config/default/kustomization.yaml`:**
+
+   Under the `[CERTMANAGER]` replacement in `config/default/kustomization.yaml`, add the following code for proper CA injection generation:
+
+   **NOTE:** You must ensure that the code contains the following target markers:
+    - `+kubebuilder:scaffold:crdkustomizecainjectionns`
+    - `+kubebuilder:scaffold:crdkustomizecainjectioname`
+
+   ```yaml
+   # - source: # Uncomment the following block if you have a ConversionWebhook (--conversion)
+   #     kind: Certificate
+   #     group: cert-manager.io
+   #     version: v1
+   #     name: serving-cert # This name should match the one in certificate.yaml
+   #     fieldPath: .metadata.namespace # Namespace of the certificate CR
+   #   targets: # Do not remove or uncomment the following scaffold marker; required to generate code for target CRD.
+   # +kubebuilder:scaffold:crdkustomizecainjectionns
+   # - source:
+   #     kind: Certificate
+   #     group: cert-manager.io
+   #     version: v1
+   #     name: serving-cert # This name should match the one in certificate.yaml
+   #     fieldPath: .metadata.name
+   #   targets: # Do not remove or uncomment the following scaffold marker; required to generate code for target CRD.
+   # +kubebuilder:scaffold:crdkustomizecainjectioname
+   ```
+
+3. **Ensure Only Conversion Webhook Patches in `config/crd/patches`:**
+
+   The `config/crd/patches` directory and the corresponding entries in `config/crd/kustomization.yaml` should only contain files for conversion webhooks. Previously, a bug caused the patch file to be generated for any webhook, but only patches for webhooks scaffolded with the `--conversion` option should be included.
+
+For further guidance, you can refer to examples in the `testdata/` directory in the Kubebuilder repository.
+
+> **Alternatively**: You can use the [`alpha generate`](./../rescaffold.md) command to re-generate the project from scratch
+> using the latest release available. Afterward, you can re-add only your code implementation on top to ensure your project
+> includes all the latest bug fixes and enhancements.
+
+</aside>
 
 <aside class="note">
 <h1>Creating Your Own Markers</h1>

docs/book/src/reference/markers/scaffold.md

@@ -87,7 +87,13 @@ func (sp *Sample) updateDefaultKustomize() {
 	// Enable CA for Conversion Webhook
 	err := pluginutil.UncommentCode(
 		filepath.Join(sp.ctx.Dir, "config/default/kustomization.yaml"),
-		caConversionCRDDefaultKustomize, `#`)
+		caInjectionNamespace, `#`)
+	hackutils.CheckError("fixing default/kustomization", err)
+
+	// Enable CA for Conversion Webhook
+	err = pluginutil.UncommentCode(
+		filepath.Join(sp.ctx.Dir, "config/default/kustomization.yaml"),
+		caInjectionCert, `#`)
 	hackutils.CheckError("fixing default/kustomization", err)
 }