Merge pull request #368 from czomo/certs

[jaeger-operator] Add cert machinery
jaegertracing · Jun 7, 2022 · 944d0c4 · 944d0c4
2 parents 84e63ad + 666f4bc
commit 944d0c4
Show file tree

Hide file tree

Showing 12 changed files with 1,740 additions and 92 deletions.
diff --git a/.github/workflows/lint-test.yaml b/.github/workflows/lint-test.yaml
@@ -43,5 +43,30 @@ jobs:
         uses: helm/kind-action@v1.2.0
         if: steps.list-changed.outputs.changed == 'true'
 
+      - name: Install kubectl
+        uses: azure/setup-kubectl@v2.0
+        with:
+          version: 'v1.22.0'
+        id: install
+
+      - name: Set up cert-manager
+        run: |
+          kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml --namespace ingress-nginx
+          kubectl label node --all ingress-ready=true
+          kubectl describe pod --selector=app.kubernetes.io/component=controller -n ingress-nginx
+          kubectl wait --namespace ingress-nginx --for=condition=ready pod --selector=app.kubernetes.io/component=controller --timeout=5m
+          kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v1.6.1/cert-manager.yaml
+
+      - name: Set up cmctl
+        run: |
+          curl -sSL -o cmctl.tar.gz https://github.com/cert-manager/cert-manager/releases/download/v1.6.1/cmctl-linux-amd64.tar.gz
+          tar xzf cmctl.tar.gz
+          sudo mv cmctl /usr/local/bin
+          cmctl version
+
+      - name: Check if cert-manager is up
+        run: |
+          cmctl check api --wait=5m
+
       - name: Run chart-testing (install)
         run: ct install --config ct.yaml
diff --git a/charts/jaeger-operator/Chart.yaml b/charts/jaeger-operator/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 description: jaeger-operator Helm chart for Kubernetes
 name: jaeger-operator
-version: 2.30.0
+version: 2.31.0
 appVersion: 1.32.0
 home: https://www.jaegertracing.io/
 icon: https://www.jaegertracing.io/img/jaeger-icon-reverse-color.svg

diff --git a/charts/jaeger-operator/README.md b/charts/jaeger-operator/README.md
@@ -15,6 +15,9 @@ This chart bootstraps a jaeger-operator deployment on a [Kubernetes](http://kube
 ## Prerequisites
 
 - Kubernetes 1.19+
+- cert-manager 1.6.1+ instaled 
+
+> **Caution**: Versions `2.28.0` and `2.29.0` are corrupted. Please do not use them, see [link](https://github.com/jaegertracing/helm-charts/issues/351)
 
 ## Installing the Chart
 
@@ -24,10 +27,10 @@ Add the Jaeger Tracing Helm repository:
 $ helm repo add jaegertracing https://jaegertracing.github.io/helm-charts
 ```
 
-To install the chart with the release name `my-release`:
+To install the chart with the release name `my-release` in `observability` namespace: 
 
 ```console
-$ helm install --name my-release jaegertracing/jaeger-operator
+$ helm install my-release jaegertracing/jaeger-operator -n observability
 ```
 
 The command deploys jaeger-operator on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation.

diff --git a/charts/jaeger-operator/crds/crd.yaml → charts/jaeger-operator/crd/crd.yaml b/charts/jaeger-operator/crds/crd.yaml → charts/jaeger-operator/crd/crd.yaml
diff --git a/charts/jaeger-operator/templates/certificate.yaml b/charts/jaeger-operator/templates/certificate.yaml
@@ -0,0 +1,18 @@
+{{- if .Values.certs.certificate.create }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ default "jaeger-operator-service-cert" .Values.certs.certificate.secretName }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  dnsNames:
+  - "{{ default "jaeger-operator-webhook-service" .Values.webhooks.service.name }}.{{ .Release.Namespace }}.svc"
+  - "{{ default "jaeger-operator-webhook-service" .Values.webhooks.service.name }}.{{ .Release.Namespace }}.svc.cluster.local"
+  issuerRef:
+    kind: Issuer
+    name: {{ default "selfsigned-issuer" .Values.certs.issuer.name }}
+  secretName: {{ default "jaeger-operator-service-cert" .Values.certs.certificate.secretName }}
+  subject:
+    organizationalUnits:
+      - "{{ include "jaeger-operator.name" . }}"
+{{- end }}
diff --git a/charts/jaeger-operator/templates/deployment.yaml b/charts/jaeger-operator/templates/deployment.yaml
@@ -45,6 +45,13 @@ spec:
           ports:
           - containerPort: 8383
             name: metrics
+          - containerPort: 9443
+            name: webhook-server
+            protocol: TCP  
+          volumeMounts:
+          - mountPath: /tmp/k8s-webhook-server/serving-certs
+            name: cert
+            readOnly: true
           args: ["start"]
           env:
             - name: WATCH_NAMESPACE
@@ -70,6 +77,11 @@ spec:
             {{- end }}
           resources:
 {{ toYaml .Values.resources | indent 12 }}
+      volumes:
+      - name: cert
+        secret:
+          defaultMode: 420
+          secretName: {{ default "jaeger-operator-service-cert" .Values.certs.certificate.secretName }}
     {{- with .Values.nodeSelector }}
       nodeSelector:
 {{ toYaml . | indent 8 }}

diff --git a/charts/jaeger-operator/templates/issuer.yaml b/charts/jaeger-operator/templates/issuer.yaml
@@ -0,0 +1,9 @@
+{{- if .Values.certs.issuer.create }}
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ default "selfsigned-issuer" .Values.certs.issuer.name }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  selfSigned: {}
+{{- end }}
diff --git a/charts/jaeger-operator/templates/mutating-webhook.yaml b/charts/jaeger-operator/templates/mutating-webhook.yaml
@@ -0,0 +1,57 @@
+{{- if and (.Values.webhooks.mutatingWebhook.create) (.Values.webhooks.service.create) }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from: {{ default .Release.Namespace .Values.certs.certificate.namespace }}/{{ default "jaeger-operator-service-cert" .Values.certs.certificate.secretName }}
+  labels:
+{{ include "jaeger-operator.labels" . | indent 4 }}
+  name: jaeger-operator-mutating-webhook-configuration
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: {{ default "jaeger-operator-webhook-service" .Values.webhooks.service.name }}
+      namespace: {{ .Release.Namespace }}
+      path: /mutate-v1-deployment
+  failurePolicy: Ignore
+  name: deployment.sidecar-injector.jaegertracing.io
+  objectSelector:
+    matchExpressions:
+    - key: app.kubernetes.io/name
+      operator: NotIn
+      values:
+      - {{ include "jaeger-operator.name" . }}
+  rules:
+  - apiGroups:
+    - apps
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - deployments
+  sideEffects: None
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: {{ default "jaeger-operator-webhook-service" .Values.webhooks.service.name }}
+      namespace: {{ .Release.Namespace }}
+      path: /mutate-jaegertracing-io-v1-jaeger
+  failurePolicy: Fail
+  name: mjaeger.kb.io
+  rules:
+  - apiGroups:
+    - jaegertracing.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - jaegers
+  sideEffects: None
+{{- end }}