cert-manager: fast-forward to upstream 3945595b (helm#7644)

* cert-manager: fast-forward to upstream bcffc635 * Update version numbers for v0.5.0 (cert-manager/cert-manager#885) * added affinity and tolerations (cert-manager/cert-manager#869) * Add validating webhook and webhook tls autoconfiguration (cert-manager/cert-manager#478) * chart: annotate all CRDs with "crd-install" hook (cert-manager/cert-manager#823) * helm chart: remove endpoints from rbac resources (cert-manager/cert-manager#769) Signed-off-by: James Munnelly <james@munnelly.eu> * Update image tag and add description Signed-off-by: James Munnelly <james@munnelly.eu> Signed-off-by: Jakob Niggel <info@jakobniggel.de>
Jnig · Nov 13, 2018 · 42fb445 · 42fb445
1 parent 5eab948
commit 42fb445
Show file tree

Hide file tree

Showing 24 changed files with 680 additions and 11 deletions.
diff --git a/stable/cert-manager/Chart.yaml b/stable/cert-manager/Chart.yaml
@@ -1,6 +1,6 @@
 name: cert-manager
-version: v0.4.1
-appVersion: v0.4.1
+version: v0.5.0
+appVersion: v0.5.0
 description: A Helm chart for cert-manager
 home: https://github.com/jetstack/cert-manager
 keywords:

diff --git a/stable/cert-manager/README.md b/stable/cert-manager/README.md
@@ -54,7 +54,7 @@ The following table lists the configurable parameters of the cert-manager chart
 | Parameter | Description | Default |
 | --------- | ----------- | ------- |
 | `image.repository` | Image repository | `quay.io/jetstack/cert-manager-controller` |
-| `image.tag` | Image tag | `v0.4.1` |
+| `image.tag` | Image tag | `v0.5.0` |
 | `image.pullPolicy` | Image pull policy | `IfNotPresent` |
 | `replicaCount`  | Number of cert-manager replicas  | `1` |
 | `createCustomResource` | Create CRD/TPR with this release | `true` |
@@ -66,7 +66,7 @@ The following table lists the configurable parameters of the cert-manager chart
 | `rbac.create` | If `true`, create and use RBAC resources | `true` |
 | `serviceAccount.create` | If `true`, create a new service account | `true` |
 | `serviceAccount.name` | Service account to be used. If not set and `serviceAccount.create` is `true`, a name is generated using the fullname template |  |
-| `resources` | CPU/memory resource requests/limits | `requests: {cpu: 10m, memory: 32Mi}` |
+| `resources` | CPU/memory resource requests/limits | |
 | `nodeSelector` | Node labels for pod assignment | `{}` |
 | `affinity` | Node affinity for pod assignment | `{}` |
 | `tolerations` | Node tolerations for pod assignment | `[]` |
@@ -81,6 +81,14 @@ The following table lists the configurable parameters of the cert-manager chart
 | `http_proxy` | Value of the `HTTP_PROXY` environment variable in the cert-manager pod | |
 | `https_proxy` | Value of the `HTTPS_PROXY` environment variable in the cert-manager pod | |
 | `no_proxy` | Value of the `NO_PROXY` environment variable in the cert-manager pod | |
+| `webhook.enabled` | Toggles whether the validating webhook component should be installed | `false` |
+| `webhook.replicaCount` | Number of cert-manager webhook replicas | `1` |
+| `webhook.podAnnotations` | Annotations to add to the webhook pods | `{}` |
+| `webhook.extraArgs` | Optional flags for cert-manager webhook component | `[]` |
+| `webhook.resources` | CPU/memory resource requests/limits for the webhook pods | |
+| `webhook.image.repository` | Webhook image repository | `quay.io/jetstack/cert-manager-webhook` |
+| `webhook.image.tag` | Webhook image tag | `v0.5.0` |
+| `webhook.image.pullPolicy` | Webhook image pull policy | `IfNotPresent` |
 
 Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`.
 

diff --git a/stable/cert-manager/requirements.lock b/stable/cert-manager/requirements.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: webhook
+  repository: file://webhook
+  version: v0.5.0
+digest: sha256:1a599fad18dc75842074c7ab10a66cebce521f27fa94ab6642d744479694200e
+generated: 2018-09-10T15:39:26.405370694+01:00
diff --git a/stable/cert-manager/requirements.yaml b/stable/cert-manager/requirements.yaml
@@ -0,0 +1,6 @@
+# requirements.yaml
+dependencies:
+- name: webhook
+  version: "v0.5.0"
+  repository: "file://webhook"
+  condition: webhook.enabled
diff --git a/stable/cert-manager/templates/00-namespace.yaml b/stable/cert-manager/templates/00-namespace.yaml
@@ -3,4 +3,7 @@ apiVersion: v1
 kind: Namespace
 metadata:
   name: {{ .Release.Namespace | quote }}
+  labels:
+    name: {{ .Release.Namespace | quote }}
+    certmanager.k8s.io/disable-validation: "true"
 {{- end }}
diff --git a/stable/cert-manager/templates/certificate-crd.yaml b/stable/cert-manager/templates/certificate-crd.yaml
@@ -3,6 +3,10 @@ apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
   name: certificates.certmanager.k8s.io
+{{- if semverCompare ">=2.10-0" .Capabilities.TillerVersion.SemVer }}
+  annotations:
+    "helm.sh/hook": crd-install
+{{- end }}
   labels:
     app: {{ template "cert-manager.name" . }}
     chart: {{ template "cert-manager.chart" . }}

diff --git a/stable/cert-manager/templates/clusterissuer-crd.yaml b/stable/cert-manager/templates/clusterissuer-crd.yaml
@@ -3,6 +3,10 @@ apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
   name: clusterissuers.certmanager.k8s.io
+{{- if semverCompare ">=2.10-0" .Capabilities.TillerVersion.SemVer }}
+  annotations:
+    "helm.sh/hook": crd-install
+{{- end }}
   labels:
     app: {{ template "cert-manager.name" . }}
     chart: {{ template "cert-manager.chart" . }}

diff --git a/stable/cert-manager/templates/deployment.yaml b/stable/cert-manager/templates/deployment.yaml
@@ -59,6 +59,14 @@ spec:
           {{- if .defaultACMEDNS01ChallengeProvider }}
           - --default-acme-issuer-dns01-provider-name={{ .defaultACMEDNS01ChallengeProvider }}
           {{- end }}
+          {{- end }}
+          {{- if .Values.affinity }}
+          affinity:
+{{ toYaml .Values.affinity | indent 10 }}
+          {{- end }}
+          {{- if .Values.tolerations }}
+          tolerations:
+{{ toYaml .Values.tolerations | indent 10 }}
           {{- end }}
           env:
           - name: POD_NAMESPACE

diff --git a/stable/cert-manager/templates/issuer-crd.yaml b/stable/cert-manager/templates/issuer-crd.yaml
@@ -3,6 +3,10 @@ apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
   name: issuers.certmanager.k8s.io
+{{- if semverCompare ">=2.10-0" .Capabilities.TillerVersion.SemVer }}
+  annotations:
+    "helm.sh/hook": crd-install
+{{- end }}
   labels:
     app: {{ template "cert-manager.name" . }}
     chart: {{ template "cert-manager.chart" . }}

diff --git a/stable/cert-manager/templates/rbac.yaml b/stable/cert-manager/templates/rbac.yaml
@@ -13,12 +13,7 @@ rules:
     resources: ["certificates", "issuers", "clusterissuers"]
     verbs: ["*"]
   - apiGroups: [""]
-    # TODO: remove endpoints once 0.4 is released. We include it here in case
-    # users use the 'master' version of the Helm chart with a 0.2.x release of
-    # cert-manager that still performs leader election with Endpoint resources.
-    # We advise users don't do this, but some will anyway and this will reduce
-    # friction.
-    resources: ["endpoints", "configmaps", "secrets", "events", "services", "pods"]
+    resources: ["configmaps", "secrets", "events", "services", "pods"]
     verbs: ["*"]
   - apiGroups: ["extensions"]
     resources: ["ingresses"]

diff --git a/stable/cert-manager/values.yaml b/stable/cert-manager/values.yaml
@@ -5,7 +5,7 @@ replicaCount: 1
 
 image:
   repository: quay.io/jetstack/cert-manager-controller
-  tag: v0.4.1
+  tag: v0.5.0
   pullPolicy: IfNotPresent
 
 createCustomResource: true
@@ -69,6 +69,9 @@ ingressShim: {}
   # defaultACMEChallengeType: ""
   # defaultACMEDNS01ChallengeProvider: ""
 
+webhook:
+  enabled: false
+
 # This is used by the static manifest generator in order to create a static
 # namespace manifest for the namespace that cert-manager is being installed
 # within. It should **not** be used if you are using Helm for deployment.
@@ -78,3 +81,25 @@ createNamespaceResource: false
 # http_proxy: "http://proxy:8080"
 # http_proxy: "http://proxy:8080"
 # no_proxy: 127.0.0.1,localhost
+
+# expects input structure as per specification https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#affinity-v1-core
+# for example:
+#   affinity:
+#     nodeAffinity:
+#      requiredDuringSchedulingIgnoredDuringExecution:
+#        nodeSelectorTerms:
+#        - matchExpressions:
+#          - key: foo.bar.com/role
+#            operator: In
+#            values:
+#            - master
+affinity: {}
+
+# expects input structure as per specification https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#toleration-v1-core
+# for example:
+#   tolerations:
+#   - key: foo.bar.com/role
+#     operator: Equal
+#     value: master
+#     effect: NoSchedule
+tolerations: []
diff --git a/stable/cert-manager/webhook/.helmignore b/stable/cert-manager/webhook/.helmignore
@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
diff --git a/stable/cert-manager/webhook/Chart.yaml b/stable/cert-manager/webhook/Chart.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+appVersion: "v0.5.0"
+description: A Helm chart for deploying the cert-manager webhook component
+name: webhook
+version: "v0.5.0"
diff --git a/stable/cert-manager/webhook/templates/NOTES.txt b/stable/cert-manager/webhook/templates/NOTES.txt
diff --git a/stable/cert-manager/webhook/templates/_helpers.tpl b/stable/cert-manager/webhook/templates/_helpers.tpl
@@ -0,0 +1,48 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "webhook.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "webhook.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "webhook.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "webhook.selfSignedIssuer" -}}
+{{ printf "%s-selfsign" (include "webhook.fullname" .) }}
+{{- end -}}
+
+{{- define "webhook.rootCAIssuer" -}}
+{{ printf "%s-ca" (include "webhook.fullname" .) }}
+{{- end -}}
+
+{{- define "webhook.rootCACertificate" -}}
+{{ printf "%s-ca" (include "webhook.fullname" .) }}
+{{- end -}}
+
+{{- define "webhook.servingCertificate" -}}
+{{ printf "%s-webhook-tls" (include "webhook.fullname" .) }}
+{{- end -}}
diff --git a/stable/cert-manager/webhook/templates/apiservice.yaml b/stable/cert-manager/webhook/templates/apiservice.yaml
@@ -0,0 +1,17 @@
+apiVersion: apiregistration.k8s.io/v1beta1
+kind: APIService
+metadata:
+  name: v1beta1.admission.certmanager.k8s.io
+  labels:
+    app: {{ include "webhook.name" . }}
+    chart: {{ include "webhook.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  group: admission.certmanager.k8s.io
+  groupPriorityMinimum: 1000
+  versionPriority: 15
+  service:
+    name: {{ include "webhook.fullname" . }}
+    namespace: "{{ .Release.Namespace }}"
+  version: v1beta1