finish cert-manager update

components/cert-manager/controller/action

@@ -22,12 +22,6 @@ webhookready()
     K8S_setKubeConfig "$field_path" "$GENDIR/$field_path/kubeconfig"
 
     getRequiredValue namespace "namespace" PLUGINCONFIGJSON
-    getValue webhook "webhook" PLUGINCONFIGJSON
-
-    if [[ ${webhook:-""} == "false" ]]; then
-      debug "webhook disabled, no check needed"
-      return
-    fi
 
     local starttime
     local endtime

components/cert-manager/controller/component.yaml

@@ -11,14 +11,8 @@ component:
     - lib/templates/state.yaml
 
   plugins:
-    - git
     - chart-checkout
 
-git:
-  <<: (( landscape.versions.cert-manager.controller ))
-  files:
-    - "deploy/manifests/00-crds.yaml"
-
 chart-checkout:
   repo: (( landscape.versions.cert-manager.controller.helm_repo ))
   name: cert-manager

components/cert-manager/controller/deployment.yaml

@@ -49,7 +49,6 @@ namespace:
 webhookready:
   kubeconfig: (( .landscape.clusters.[0].kubeconfig ))
   namespace: (( .settings.namespace ))
-  webhook: (( .temp_webhook_state ))
 
 issuer: (( .settings.self-signed ? *ca_issuer :*acme_issuer ))
 
@@ -134,14 +133,8 @@ helm:
     serviceAccount:
       create: true
       name: (( .settings.serviceAccountName ))
-    webhook:
-      enabled: (( .temp_webhook_state ))
-    cainjector:
-      enabled: (( .temp_webhook_state ))
     installCRDs: true
 
-temp_webhook_state: (( &temporary ( valid( .landscape.cert-manager.enableWebhook ) ? .landscape.cert-manager.enableWebhook :true ) ))
-
 state:
   <<: (( &state(merge none) ))
   ca: (( .settings.self-signed -and ( ! .settings.ca.given ) ? ( utilities.certs.selfSignedCA("self-signed-ca", false) ) :~~ ))

docs/extended/cert-manager.md

@@ -25,6 +25,4 @@ If `url` is `self-signed` and `ca.crt` and `ca.key` contain a CA certificate and
 
 If `url` points to an ACME server that produces untrusted certificates (as the letsencrypt staging server, for example), *the root CA and all intermediate CAs that are used by that ACME server to sign certificates* have to be given in `ca.crt` (simply appended to each other). Otherwise, the deployed kube-apiserver won't be able to verify the dashboard certificate and thus won't accept it. There is one exception to this - if `server.url` is set to `staging`, the required letsencrypt certificates (root CA and intermediate CA) are automatically downloaded and do not have to be provided.
 
-If `url` is `live` or points to an ACME server generating publicly trusted certificates, the `ca` node must not be there at all. You can just use the simplified notation and put the acme server URL directly into `landscape.cert-manager.server`.
-
-The cert-manager comes with a webhook that validates custom resources so that a wrongly specified resource won't stop the cert-manager from working. Usually, this works fine, but on some infrastructures the webhook seems to cause troubles. It is therefore possible to deactivate it by setting `landscape.cert-manager.enableWebhook` to `false`.
+If `url` is `live` or points to an ACME server generating publicly trusted certificates, the `ca` node must not be there at all. You can just use the simplified notation and put the acme server URL directly into `landscape.cert-manager.server`.