diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 0000000..f611e45 --- /dev/null +++ b/.github/workflows/release.yml @@ -0,0 +1,43 @@ +name: helm_release +on: + pull_request: + branches: + - 'v*' + types: + - closed +jobs: + helm: + runs-on: ubuntu-latest + if: github.event.pull_request.merged == true + steps: + - name: Extract Version Tag + id: extract_version + run: /bin/bash -c 'echo ::set-output name=VERSION::$(echo ${GITHUB_REF##*/} | cut -c2-)' + + - name: Checkout + uses: actions/checkout@v3 + + # Change version and appVersion in Chart.yaml to the tag in the closed PR + - name: Update Helm App/Chart Version + shell: bash + run: | + sed -i "s/^version: .*/version: ${{ steps.extract_version.outputs.VERSION }}/g" deploy/charts/ejbca-cert-manager-issuer/Chart.yaml + sed -i "s/^appVersion: .*/appVersion: \"${{ steps.extract_version.outputs.VERSION }}\"/g" deploy/charts/ejbca-cert-manager-issuer/Chart.yaml + + - name: Configure Git + run: | + git config user.name "$GITHUB_ACTOR" + git config user.email "$GITHUB_ACTOR@users.noreply.github.com" + + - name: Install Helm + uses: azure/setup-helm@v3 + + - name: Run chart-releaser + uses: helm/chart-releaser-action@v1.5.0 + env: + CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + with: + pages_branch: gh-pages + charts_dir: deploy/charts + mark_as_latest: true + packages_with_index: true \ No newline at end of file diff --git a/.gitignore b/.gitignore index 4f151bb..ef9e7e2 100644 --- a/.gitignore +++ b/.gitignore @@ -16,6 +16,7 @@ vendor/ .idea bin -# q: How to remove staged directory from git -# a: git rm -r --cached . +# Helm +*.tgz + .DS_Store \ No newline at end of file diff --git a/Makefile b/Makefile index b6ec83b..4e70ccc 100644 --- a/Makefile +++ b/Makefile 
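Review bot: `${GITHUB_REF##*/}` in the Extract Version Tag step does not yield the release branch here: on `pull_request` events GITHUB_REF is `refs/pull/<n>/merge`, so the step emits `erge`, and the deprecated `::set-output` form should go through `$GITHUB_OUTPUT` as well — presumably the intended source is the `v*` base branch, e.g. `env: { BASE_REF: "${{ github.base_ref }}" }` with `run: echo "VERSION=${BASE_REF#v}" >> "$GITHUB_OUTPUT"` (reading the ref from `env` rather than interpolating it into the script body). The two `sed -i` lines in Update Helm App/Chart Version also target `deploy/charts/ejbca-cert-manager-issuer/Chart.yaml`, while the chart this commit adds lives at `deploy/charts/command-cert-manager-issuer/Chart.yaml`, so the step fails on a missing file. Since the job pushes with `secrets.GITHUB_TOKEN`, a top-level `permissions: { contents: write }` block would scope the token to what chart-releaser needs instead of the repository default, and pinning the three actions to full commit SHAs rather than mutable tags would fix their contents.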
@@ -1,6 +1,6 @@ # The version which will be reported by the --version argument of each binary # and which will be used as the Docker image tag -VERSION ?= 1.0.2 +VERSION ?= 1.0.3 # The Docker repository name, overridden in CI. DOCKER_REGISTRY ?= m8rmclarenkf DOCKER_IMAGE_NAME ?= command-cert-manager-external-issuer-controller diff --git a/deploy/charts/command-cert-manager-issuer/.helmignore b/deploy/charts/command-cert-manager-issuer/.helmignore new file mode 100644 index 0000000..0e8a0eb --- /dev/null +++ b/deploy/charts/command-cert-manager-issuer/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/deploy/charts/command-cert-manager-issuer/Chart.yaml b/deploy/charts/command-cert-manager-issuer/Chart.yaml new file mode 100644 index 0000000..262a38c --- /dev/null +++ b/deploy/charts/command-cert-manager-issuer/Chart.yaml @@ -0,0 +1,14 @@ +apiVersion: v2 + +name: command-cert-manager-issuer +description: A helm chart to deploy the cert-manager issuer for the Keyfactor Command platform for Certificate Lifecycle Management +type: application + +home: https://github.com/Keyfactor/command-cert-manager-issuer +maintainers: + - name: Hayden Roszell + email: 49427552+m8rmclaren@users.noreply.github.com +sources: ["https://github.com/Keyfactor/command-cert-manager-issuer"] + +version: 0.1.0 +appVersion: "1.0.3" diff --git a/deploy/charts/command-cert-manager-issuer/README.md b/deploy/charts/command-cert-manager-issuer/README.md new file mode 100644 index 0000000..4f2408b --- /dev/null +++ b/deploy/charts/command-cert-manager-issuer/README.md 
@@ -0,0 +1,40 @@ + + Terraform logo + + +# Keyfactor Command Issuer for cert-manager + +[![Go Report Card](https://goreportcard.com/badge/github.com/Keyfactor/command-cert-manager-issuer)](https://goreportcard.com/report/github.com/Keyfactor/command-cert-manager-issuer) +[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://img.shields.io/badge/License-Apache%202.0-blue.svg) +![Version: v0.1.0](https://img.shields.io/badge/Version-v0.1.0-informational?style=flat-square) +![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![AppVersion: v1.0.3](https://img.shields.io/badge/AppVersion-v1.0.3-informational?style=flat-square) + +A Helm chart for the Keyfactor Command External Issuer for cert-manager. + +The Command external issuer for cert-manager allows users to enroll certificates from Keyfactor Command using cert-manager. + +## Configuration + +The following table lists the configurable parameters of the `command-cert-manager-issuer` chart and their default values. 
+ +| Parameter | Description | Default | +|-----------------------------------|-----------------------------------------------------|--------------------------------------------------------------| +| `replicaCount` | Number of replica command-cert-manager-issuers to run | `1` | +| `image.repository` | Image repository | `m8rmclarenkf/command-cert-manager-external-issuer-controller` | +| `image.pullPolicy` | Image pull policy | `IfNotPresent` | +| `image.tag` | Image tag | `v1.3.1` | +| `imagePullSecrets` | Image pull secrets | `[]` | +| `nameOverride` | Name override | `""` | +| `fullnameOverride` | Full name override | `""` | +| `crd.create` | Specifies if CRDs will be created | `true` | +| `crd.annotations` | Annotations to add to the CRD | `{}` | +| `serviceAccount.create` | Specifies if a service account should be created | `true` | +| `serviceAccount.annotations` | Annotations to add to the service account | `{}` | +| `serviceAccount.name` | Name of the service account to use | `""` (uses the fullname template if `create` is true) | +| `podAnnotations` | Annotations for the pod | `{}` | +| `podSecurityContext.runAsNonRoot` | Run pod as non-root | `true` | +| `securityContext` | Security context for the pod | `{}` (with commented out options) | +| `resources` | CPU/Memory resource requests/limits | `{}` (with commented out options) | +| `nodeSelector` | Node labels for pod assignment | `{}` | +| `tolerations` | Tolerations for pod assignment | `[]` | diff --git a/deploy/charts/command-cert-manager-issuer/templates/_helpers.tpl b/deploy/charts/command-cert-manager-issuer/templates/_helpers.tpl new file mode 100644 index 0000000..79828ec --- /dev/null +++ b/deploy/charts/command-cert-manager-issuer/templates/_helpers.tpl 
@@ -0,0 +1,62 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "command-cert-manager-issuer.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "command-cert-manager-issuer.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "command-cert-manager-issuer.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "command-cert-manager-issuer.labels" -}} +helm.sh/chart: {{ include "command-cert-manager-issuer.chart" . }} +{{ include "command-cert-manager-issuer.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "command-cert-manager-issuer.selectorLabels" -}} +app.kubernetes.io/name: {{ include "command-cert-manager-issuer.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "command-cert-manager-issuer.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "command-cert-manager-issuer.fullname" .) 
.Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} diff --git a/deploy/charts/command-cert-manager-issuer/templates/clusterrole.yaml b/deploy/charts/command-cert-manager-issuer/templates/clusterrole.yaml new file mode 100644 index 0000000..0a238b9 --- /dev/null +++ b/deploy/charts/command-cert-manager-issuer/templates/clusterrole.yaml 
@@ -0,0 +1,87 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + {{- include "command-cert-manager-issuer.labels" . | nindent 4 }} + name: {{ include "command-cert-manager-issuer.name" . }}-manager-role +rules: + - apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + - apiGroups: + - cert-manager.io + resources: + - certificaterequests + verbs: + - get + - list + - watch + - apiGroups: + - cert-manager.io + resources: + - certificaterequests/status + verbs: + - get + - patch + - update + - apiGroups: + - command-issuer.keyfactor.com + resources: + - clusterissuers + - issuers + verbs: + - get + - list + - watch + - apiGroups: + - command-issuer.keyfactor.com + resources: + - clusterissuers/status + - issuers/status + verbs: + - get + - patch + - update + - apiGroups: + - command-issuer.keyfactor.com + resources: + - issuers/finalizers + verbs: + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + {{- include "command-cert-manager-issuer.labels" . | nindent 4 }} + name: {{ include "command-cert-manager-issuer.name" . }}-proxy-role +rules: + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + {{- include "command-cert-manager-issuer.labels" . | nindent 4 }} + name: {{ include "command-cert-manager-issuer.name" . }}-metrics-reader +rules: + - nonResourceURLs: + - /metrics + verbs: + - get \ No newline at end of file diff --git a/deploy/charts/command-cert-manager-issuer/templates/clusterrolebinding.yaml b/deploy/charts/command-cert-manager-issuer/templates/clusterrolebinding.yaml new file mode 100644 index 0000000..391282b --- /dev/null +++ b/deploy/charts/command-cert-manager-issuer/templates/clusterrolebinding.yaml 
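Review bot: The ClusterRole names in this hunk (`-manager-role`, `-proxy-role`, `-metrics-reader`) are built from `command-cert-manager-issuer.name` rather than `.fullname`, so two releases of the chart in one cluster produce the same cluster-scoped object names and the second install collides with the first; the Deployment already uses `command-cert-manager-issuer.fullname`, and these names, plus the ones in clusterrolebinding.yaml, role.yaml, rolebinding.yaml and service.yaml, should match it, e.g. `name: {{ include "command-cert-manager-issuer.fullname" . }}-manager-role`. Separately, the first rule grants `get`/`list`/`watch` on `secrets` in every namespace; if that breadth is required because a namespaced Issuer references a Secret in its own namespace (as the CRD's `commandSecretName` description states), a comment on the rule stating that would make the intent reviewable, `# cluster-wide read of Secrets: Issuers may live in any namespace and reference a Secret there`, and deployments that only use ClusterIssuers could then be pointed at a narrower Role. The finalizer rule covers `issuers/finalizers` only; if the controller also sets finalizers on ClusterIssuers, `clusterissuers/finalizers` is missing from that rule.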
@@ -0,0 +1,29 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + {{- include "command-cert-manager-issuer.labels" . | nindent 4 }} + name: {{ include "command-cert-manager-issuer.name" . }}-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "command-cert-manager-issuer.name" . }}-manager-role +subjects: + - kind: ServiceAccount + name: {{ include "command-cert-manager-issuer.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + {{- include "command-cert-manager-issuer.labels" . | nindent 4 }} + name: {{ include "command-cert-manager-issuer.name" . }}-proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "command-cert-manager-issuer.name" . }}-proxy-role +subjects: + - kind: ServiceAccount + name: {{ include "command-cert-manager-issuer.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} \ No newline at end of file diff --git a/deploy/charts/command-cert-manager-issuer/templates/crds/clusterissuers.yaml b/deploy/charts/command-cert-manager-issuer/templates/crds/clusterissuers.yaml new file mode 100644 index 0000000..5d08de0 --- /dev/null +++ b/deploy/charts/command-cert-manager-issuer/templates/crds/clusterissuers.yaml 
@@ -0,0 +1,99 @@ +{{- if .Values.crd.create -}} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + {{- with .Values.crd.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + name: clusterissuers.command-issuer.keyfactor.com +spec: + group: command-issuer.keyfactor.com + names: + kind: ClusterIssuer + listKind: ClusterIssuerList + plural: clusterissuers + singular: clusterissuer + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: ClusterIssuer is the Schema for the clusterissuers API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IssuerSpec defines the desired state of Issuer + properties: + caBundleSecretName: + description: The name of the secret containing the CA bundle to use when verifying command's server certificate. If specified, the CA bundle will be added to the client trust roots for the command issuer. + type: string + certificateAuthorityName: + type: string + certificateProfileName: + type: string + commandSecretName: + description: A reference to a Secret in the same namespace as the referent. 
If the referent is a ClusterIssuer, the reference instead refers to the resource with the given name in the configured 'cluster resource namespace', which is set as a flag on the controller component (and defaults to the namespace that the controller runs in). + type: string + endEntityName: + description: 'Optional field that overrides the default for how the command issuer should determine the name of the end entity to reference or create when signing certificates. The options are: * cn: Use the CommonName from the CertificateRequest''s DN * dns: Use the first DNSName from the CertificateRequest''s DNSNames SANs * uri: Use the first URI from the CertificateRequest''s URI Sans * ip: Use the first IPAddress from the CertificateRequest''s IPAddresses SANs * certificateName: Use the value of the CertificateRequest''s certificateName annotation If none of the above options are used but endEntityName is populated, the value of endEntityName will be used as the end entity name. If endEntityName is not populated, the default tree listed in the command documentation will be used.' + type: string + endEntityProfileName: + type: string + hostname: + description: Hostname is the hostname of the command server + type: string + required: + - certificateAuthorityName + - certificateProfileName + - commandSecretName + - endEntityProfileName + - hostname + type: object + status: + description: IssuerStatus defines the observed state of Issuer + properties: + conditions: + description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`. + items: + description: IssuerCondition contains condition information for an Issuer. + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the details of the last transition, complementing reason. 
+ type: string + reason: + description: Reason is a brief machine readable explanation for the condition's last transition. + type: string + status: + description: Status of the condition, one of ('True', 'False', 'Unknown'). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, known values are ('Ready'). + type: string + required: + - status + - type + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} \ No newline at end of file diff --git a/deploy/charts/command-cert-manager-issuer/templates/crds/issuers.yaml b/deploy/charts/command-cert-manager-issuer/templates/crds/issuers.yaml new file mode 100644 index 0000000..73012cc --- /dev/null +++ b/deploy/charts/command-cert-manager-issuer/templates/crds/issuers.yaml 
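Review bot: Placing the CRDs under `templates/crds/` behind `.Values.crd.create` means Helm treats them as ordinary release resources: they are upgraded with the release, but `helm uninstall` deletes them and with them every Issuer and ClusterIssuer in the cluster, the opposite of the top-level `crds/` directory behaviour. If that is intended, a comment at the top of this file stating the trade-off would help, e.g. `# CRDs are templated (not in crds/) so they upgrade with the chart; helm uninstall removes them and all Issuer/ClusterIssuer objects`. Within the schema, `certificateAuthorityName`, `certificateProfileName` and `endEntityProfileName` are required but carry no `description`, unlike their neighbours; a one-line description for each would let `kubectl explain` document them. The same two points apply to the identical issuers.yaml hunk.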
@@ -0,0 +1,99 @@ +{{- if .Values.crd.create -}} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + {{- with .Values.crd.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + name: issuers.command-issuer.keyfactor.com +spec: + group: command-issuer.keyfactor.com + names: + kind: Issuer + listKind: IssuerList + plural: issuers + singular: issuer + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Issuer is the Schema for the issuers API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IssuerSpec defines the desired state of Issuer + properties: + caBundleSecretName: + description: The name of the secret containing the CA bundle to use when verifying command's server certificate. If specified, the CA bundle will be added to the client trust roots for the command issuer. + type: string + certificateAuthorityName: + type: string + certificateProfileName: + type: string + commandSecretName: + description: A reference to a Secret in the same namespace as the referent. 
If the referent is a ClusterIssuer, the reference instead refers to the resource with the given name in the configured 'cluster resource namespace', which is set as a flag on the controller component (and defaults to the namespace that the controller runs in). + type: string + endEntityName: + description: 'Optional field that overrides the default for how the command issuer should determine the name of the end entity to reference or create when signing certificates. The options are: * cn: Use the CommonName from the CertificateRequest''s DN * dns: Use the first DNSName from the CertificateRequest''s DNSNames SANs * uri: Use the first URI from the CertificateRequest''s URI Sans * ip: Use the first IPAddress from the CertificateRequest''s IPAddresses SANs * certificateName: Use the value of the CertificateRequest''s certificateName annotation If none of the above options are used but endEntityName is populated, the value of endEntityName will be used as the end entity name. If endEntityName is not populated, the default tree listed in the command documentation will be used.' + type: string + endEntityProfileName: + type: string + hostname: + description: Hostname is the hostname of the command server + type: string + required: + - certificateAuthorityName + - certificateProfileName + - commandSecretName + - endEntityProfileName + - hostname + type: object + status: + description: IssuerStatus defines the observed state of Issuer + properties: + conditions: + description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`. + items: + description: IssuerCondition contains condition information for an Issuer. + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the details of the last transition, complementing reason. 
+ type: string + reason: + description: Reason is a brief machine readable explanation for the condition's last transition. + type: string + status: + description: Status of the condition, one of ('True', 'False', 'Unknown'). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, known values are ('Ready'). + type: string + required: + - status + - type + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} \ No newline at end of file diff --git a/deploy/charts/command-cert-manager-issuer/templates/deployment.yaml b/deploy/charts/command-cert-manager-issuer/templates/deployment.yaml new file mode 100644 index 0000000..cbc5763 --- /dev/null +++ b/deploy/charts/command-cert-manager-issuer/templates/deployment.yaml 
@@ -0,0 +1,101 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "command-cert-manager-issuer.fullname" . }} + labels: + {{- include "command-cert-manager-issuer.labels" . | nindent 4 }} +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + {{- include "command-cert-manager-issuer.selectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "command-cert-manager-issuer.selectorLabels" . | nindent 8 }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "command-cert-manager-issuer.serviceAccountName" . }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + containers: + - args: + - --secure-listen-address=0.0.0.0:8443 + - --upstream=http://127.0.0.1:8080/ + - --logtostderr=true + - --v=0 + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.1 + name: kube-rbac-proxy + ports: + - containerPort: 8443 + name: https + protocol: TCP + resources: + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 5m + memory: 64Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + - args: + - --health-probe-bind-address=:8081 + - --metrics-bind-address=127.0.0.1:8080 + - --leader-elect + command: + - /manager + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: {{ .Chart.Name }} + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + {{- toYaml .Values.resources | nindent 12 }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . 
| nindent 8 }} + {{- end }} + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/arch + operator: In + values: + - amd64 + - arm64 + - ppc64le + - s390x + - key: kubernetes.io/os + operator: In + values: + - linux + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + terminationGracePeriodSeconds: 10 diff --git a/deploy/charts/command-cert-manager-issuer/templates/role.yaml b/deploy/charts/command-cert-manager-issuer/templates/role.yaml new file mode 100644 index 0000000..bd3d437 --- /dev/null +++ b/deploy/charts/command-cert-manager-issuer/templates/role.yaml @@ -0,0 +1,38 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + {{- include "command-cert-manager-issuer.labels" . | nindent 4 }} + name: {{ include "command-cert-manager-issuer.name" . }}-leader-election-role +rules: + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch \ No newline at end of file diff --git a/deploy/charts/command-cert-manager-issuer/templates/rolebinding.yaml b/deploy/charts/command-cert-manager-issuer/templates/rolebinding.yaml new file mode 100644 index 0000000..1900997 --- /dev/null +++ b/deploy/charts/command-cert-manager-issuer/templates/rolebinding.yaml 
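Review bot: The manager container's `securityContext` is rendered from `.Values.securityContext`, which values.yaml ships as `{}` with the hardening options commented out, so by default the `/manager` container runs without `allowPrivilegeEscalation: false`, a capability drop or a read-only root filesystem, while the kube-rbac-proxy sidecar in the same pod has those set inline; either ship that block as the values.yaml default (`allowPrivilegeEscalation: false`, `capabilities: {drop: [ALL]}`, `readOnlyRootFilesystem: true`) or hard-code it here as the sidecar does. The sidecar image `gcr.io/kubebuilder/kube-rbac-proxy:v0.13.1` is also hard-coded, so mirror-only clusters cannot override it and it cannot be pinned by digest; exposing it as a value (e.g. `kubeRbacProxy.image`) alongside `image.repository` would be consistent with the rest of the template. Likewise `affinity` is fixed in the template whereas `nodeSelector` and `tolerations` are overridable.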
@@ -0,0 +1,14 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + {{- include "command-cert-manager-issuer.labels" . | nindent 4 }} + name: {{ include "command-cert-manager-issuer.name" . }}-leader-election-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "command-cert-manager-issuer.name" . }}-leader-election-role +subjects: + - kind: ServiceAccount + name: {{ include "command-cert-manager-issuer.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} \ No newline at end of file diff --git a/deploy/charts/command-cert-manager-issuer/templates/service.yaml b/deploy/charts/command-cert-manager-issuer/templates/service.yaml new file mode 100644 index 0000000..6f4f739 --- /dev/null +++ b/deploy/charts/command-cert-manager-issuer/templates/service.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + {{- include "command-cert-manager-issuer.labels" . | nindent 4 }} + name: {{ include "command-cert-manager-issuer.name" . }}-metrics-service +spec: + ports: + - name: https + port: 8443 + protocol: TCP + targetPort: https + selector: + {{- include "command-cert-manager-issuer.selectorLabels" . | nindent 4 }} \ No newline at end of file diff --git a/deploy/charts/command-cert-manager-issuer/templates/serviceaccount.yaml b/deploy/charts/command-cert-manager-issuer/templates/serviceaccount.yaml new file mode 100644 index 0000000..e7a7604 --- /dev/null +++ b/deploy/charts/command-cert-manager-issuer/templates/serviceaccount.yaml @@ -0,0 +1,12 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "command-cert-manager-issuer.serviceAccountName" . }} + labels: + {{- include "command-cert-manager-issuer.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} 
diff --git a/deploy/charts/command-cert-manager-issuer/values.yaml b/deploy/charts/command-cert-manager-issuer/values.yaml new file mode 100644 index 0000000..1130491 --- /dev/null +++ b/deploy/charts/command-cert-manager-issuer/values.yaml @@ -0,0 +1,58 @@ +# Default values for ejbca-cert-manager-issuer chart. + +# The number of replica ejbca-cert-manager-issuers to run +replicaCount: 1 + +image: + repository: m8rmclarenkf/command-cert-manager-external-issuer-controller + pullPolicy: IfNotPresent + # Overrides the image tag whose default is the chart appVersion. + tag: "" + +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + +crd: + # Specifies whether CRDs will be created + create: true + # Annotations to add to the CRD + annotations: {} + +serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + +podAnnotations: {} + +podSecurityContext: + runAsNonRoot: true + +securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + +resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +nodeSelector: {} + +tolerations: []
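Review bot: The header comments at the top of this hunk still describe the `ejbca-cert-manager-issuer` chart (`# Default values for ejbca-cert-manager-issuer chart.` and `# The number of replica ejbca-cert-manager-issuers to run`), while Chart.yaml names this chart `command-cert-manager-issuer`; they should read `# Default values for command-cert-manager-issuer chart.` and `# The number of replica command-cert-manager-issuers to run`. The commented-out `securityContext` hints also list `runAsNonRoot: true` at container level although `podSecurityContext.runAsNonRoot: true` is already set for the pod; a short comment that the pod-level setting already applies, or dropping that duplicate hint, avoids suggesting it is still missing.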