From 8cfb221d7ecb42093ee5c2f752fc3837e9d5a318 Mon Sep 17 00:00:00 2001 From: RealAnna <89971034+RealAnna@users.noreply.github.com> Date: Tue, 31 Jan 2023 09:00:05 +0100 Subject: [PATCH] docs: add keptn certificate manager infos (#652) --- README.md | 12 +++----- .../concepts/overview/how-it-works/_index.md | 2 +- .../overview/klc-cert-manager/_index.md | 20 +++++++++++++ .../content/en/docs/snippets/tasks/install.md | 28 +++++++++++++------ examples/Makefile | 9 +----- examples/support/argo/Makefile | 2 -- klt-cert-manager/README.md | 9 +++--- .../config/default/kustomization.yaml | 3 +- 8 files changed, 52 insertions(+), 33 deletions(-) create mode 100644 docs/content/en/docs/concepts/overview/klc-cert-manager/_index.md diff --git a/README.md b/README.md index 233023e2ee..5796565d80 100644 --- a/README.md +++ b/README.md @@ -24,14 +24,6 @@ Click to watch it on YouTube: **Installation** -The Lifecycle Toolkit includes a Mutating Webhook which requires TLS certificates to be mounted as a volume in its pod. The certificate creation -is handled automatically by [cert-manager](https://cert-manager.io). To install **cert-manager**, execute the following command: - -```console -kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.10.0/cert-manager.yaml -``` - -When *cert-manager* is installed, you can run 
@@ -47,6 +39,10 @@ The Lifecycle Toolkit uses the OpenTelemetry collector to provide a vendor-agnos process and export telemetry data. To install it, follow their [installation instructions](https://opentelemetry.io/docs/collector/getting-started/). We also provide some more information about this in our [observability example](./examples/support/observability/). +The Lifecycle Toolkit includes a Mutating Webhook which requires TLS certificates to be mounted as a volume in its pod. The certificate creation +is handled automatically by [klt-cert-manager](https://github.com/keptn/lifecycle-toolkit/blob/main/klt-cert-manager/README.md). Versions 0.5.0 and earlier have a hard dependency on the [cert-manager](https://cert-manager.io). +See [installation guideline](https://github.com/keptn/lifecycle-toolkit/blob/main/docs/content/docs/snippets/tasks/install.md) for more info. + ## Goals The Keptn Lifecycle Toolkit aims to support Cloud Native teams with: diff --git a/docs/content/en/docs/concepts/overview/how-it-works/_index.md b/docs/content/en/docs/concepts/overview/how-it-works/_index.md index b32b226c93..ab84523fa1 100644 --- a/docs/content/en/docs/concepts/overview/how-it-works/_index.md +++ b/docs/content/en/docs/concepts/overview/how-it-works/_index.md @@ -4,4 +4,4 @@ icon: concepts layout: quickstart weight: 5 hidechildren: true # this flag hides all sub-pages in the sidebar-multicard.html ---- +--- \ No newline at end of file diff --git a/docs/content/en/docs/concepts/overview/klc-cert-manager/_index.md b/docs/content/en/docs/concepts/overview/klc-cert-manager/_index.md new file mode 100644 index 0000000000..068d2d0399 --- /dev/null +++ b/docs/content/en/docs/concepts/overview/klc-cert-manager/_index.md 
@@ -0,0 +1,20 @@ +--- +title: Keptn Certificate Manager +icon: concepts +layout: quickstart +weight: 5 +hidechildren: true # this flag hides all sub-pages in the sidebar-multicard.html +--- + +### Keptn Cert Manager + +The Lifecycle Toolkit includes a Mutating Webhook which requires TLS certificates to be mounted as a volume in its pod. In version 0.6.0 and later, the certificate creation +is handled automatically by the [klt-cert-manager](https://github.com/keptn/lifecycle-toolkit/blob/main/klt-cert-manager/README.md). + +The certificate is created as a secret in the `keptn-lifecycle-toolkit-system` namespace with a renewal threshold of 12 hours. +If it expires, the [klt-cert-manager](https://github.com/keptn/lifecycle-toolkit/blob/main/klt-cert-manager/README.md) renews it. +The Lifecycle Toolkit operator waits for a valid certificate to be ready. +The certificate is mounted on an empty dir volume in the operator. + +When a certificate is left over from an older version, the webhook or the operator may generate errors because of an invalid certificate. To solve this, delete the certificate and restart the operator. + diff --git a/docs/content/en/docs/snippets/tasks/install.md b/docs/content/en/docs/snippets/tasks/install.md index 39551799d6..5a833e555a 100644 --- a/docs/content/en/docs/snippets/tasks/install.md +++ b/docs/content/en/docs/snippets/tasks/install.md 
@@ -1,4 +1,19 @@ -At the moment, the lifecycle controller needs *cert-manager* to be installed. Therefore, you can install cert-manager using: + +## Install version 0.6.0 and above + +In version 0.6.0 and later, you can install the Lifecycle Toolkit using the current release manifest: + +``` +kubectl apply -f https://github.com/keptn/lifecycle-toolkit/releases/download/v0.5.0/manifest.yaml +kubectl wait --for=condition=Available deployment/klc-controller-manager -n keptn-lifecycle-toolkit-system --timeout=120s +``` + + +The Lifecycle Toolkit and its dependencies are now installed and ready to use. + +## Install version 0.5.0 and earlier + +You must first install *cert-manager* with the following commands: +After that, you can install the Lifecycle Toolkit with: + ``` -kubectl apply -f https://github.com/keptn/lifecycle-toolkit/releases/download/v0.5.0/manifest.yaml +kubectl apply -f https://github.com/keptn/lifecycle-toolkit/releases/download//manifest.yaml kubectl wait --for=condition=Available deployment/klc-controller-manager -n keptn-lifecycle-toolkit-system --timeout=120s -``` - - -Now, the Lifecycle Toolkit and its dependency is installed and ready to use. \ No newline at end of file +``` \ No newline at end of file diff --git a/examples/Makefile b/examples/Makefile index 92a6c94788..ab91650181 100644 --- a/examples/Makefile +++ b/examples/Makefile @@ -3,11 +3,9 @@ JAEGER_VERSION ?= v1.39.0 TOOLKIT_NAMESPACE ?= keptn-lifecycle-toolkit-system PODTATO_NAMESPACE ?= podtato-kubectl GRAFANA_PORT_FORWARD ?= 3000 -# renovate: datasource=github-tags depName=cert-manager/cert-manager -CERT_MANAGER_VERSION ?= v1.11.0 .PHONY: install -install: install-cert-manager install-observability install-argo +install: install-observability install-argo @echo "-----------------------------------" @echo "Create Namespace and install Keptn-lifecycle-toolkit" @echo "-----------------------------------" 
@@ -23,11 +21,6 @@ install-observability: install-argo: make -C support/argo install -.PHONY: install-cert-manager -install-cert-manager: - kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/$(CERT_MANAGER_VERSION)/cert-manager.yaml - kubectl wait --for=condition=available deployment/cert-manager-webhook -n cert-manager --timeout=300s - .PHONY: port-forward-jaeger port-forward-jaeger: make -C support/observability port-forward-jaeger diff --git a/examples/support/argo/Makefile b/examples/support/argo/Makefile index 36aa02d5dc..b037709ba7 100644 --- a/examples/support/argo/Makefile +++ b/examples/support/argo/Makefile @@ -3,8 +3,6 @@ PODTATO_NAMESPACE ?= podtato-kubectl ARGO_NAMESPACE ?= argocd # renovate: datasource=github-tags depName=argoproj/argo-cd ARGO_VERSION ?= v2.5.7 -# renovate: datasource=github-tags depName=cert-manager/cert-manager -CERT_MANAGER_VERSION ?= v1.11.0 ARGO_SECRET = $(shell kubectl -n ${ARGO_NAMESPACE} get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d; echo) .PHONY: install diff --git a/klt-cert-manager/README.md b/klt-cert-manager/README.md index 7c0f462976..abec7b5b7a 100644 --- a/klt-cert-manager/README.md +++ b/klt-cert-manager/README.md 
@@ -1,8 +1,10 @@ -# cert-manager -// TODO(user): Add simple overview of use/purpose +# klt-cert-manager +The Keptn certificate manager ensures that the webhooks in the Lifecycle Toolkit operator can obtain a valid certificate to access the Kubernetes API server. ## Description -// TODO(user): An in-depth paragraph about your project and overview of use +This `klt-cert-manager` operator should only be installed when paired with the Lifecycle Toolkit operator. +The TLS certificate is mounted as a volume in the LT operator pod and is renewed every 12 hours or every time the LT operator deployment changes. + ## Getting Started You’ll need a Kubernetes cluster to run against. You can use [KIND](https://sigs.k8s.io/kind) to get a local cluster for testing, or run against a remote cluster. @@ -42,7 +44,6 @@ make undeploy ``` ## Contributing -// TODO(user): Add detailed information on how you would like others to contribute to this project ### How it works This project aims to follow the Kubernetes [Operator pattern](https://kubernetes.io/docs/concepts/extend-kubernetes/operator/) diff --git a/klt-cert-manager/config/default/kustomization.yaml b/klt-cert-manager/config/default/kustomization.yaml index fbdc9d16f3..ff3122cb82 100644 --- a/klt-cert-manager/config/default/kustomization.yaml +++ b/klt-cert-manager/config/default/kustomization.yaml @@ -18,8 +18,7 @@ bases: # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in # crd/kustomization.yaml #- ../webhook -# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. 'WEBHOOK' components are required. -#- ../certmanager + # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. #- ../prometheus
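Review bot: in the top-level README.md hunk, the added "installation guideline" link points to `docs/content/docs/snippets/tasks/install.md`, but the file this patch edits is `docs/content/en/docs/snippets/tasks/install.md`, so the link is missing the `en/` path segment and will not resolve. Fix the path, and consider a relative link so it follows the branch being viewed instead of always pointing at `main`. The same paragraph says klt-cert-manager handles certificate creation without stating from which version; the new concept page says "In version 0.6.0 and later", and the README should say the same next to the "Versions 0.5.0 and earlier" sentence.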
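Review bot: in docs/content/en/docs/concepts/overview/how-it-works/_index.md, the only change is the loss of the newline after the closing `---` of the front matter (`\ No newline at end of file`), which is unrelated to the certificate manager documentation. Restore the trailing newline so this file drops out of the diff. The rewritten install.md also ends without a newline and should get one.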
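Review bot: in the new klc-cert-manager/_index.md page, the renewal behaviour is ambiguous and disagrees with klt-cert-manager/README.md in this same patch: here the text says "a renewal threshold of 12 hours" followed by "If it expires, the klt-cert-manager renews it", while the README says the certificate "is renewed every 12 hours or every time the LT operator deployment changes". State once what the validity period is and what triggers renewal, and use the same wording in both files. The troubleshooting sentence "delete the certificate and restart the operator" should name the secret and the deployment to restart, since the page only says the secret lives in `keptn-lifecycle-toolkit-system`. The directory is also named `klc-cert-manager` while the component is `klt-cert-manager`, and `weight: 5` duplicates the weight visible in how-it-works/_index.md, so the sidebar order of the two pages is undefined.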
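Review bot: in docs/content/en/docs/snippets/tasks/install.md, the command added under "Install version 0.6.0 and above" still applies `releases/download/v0.5.0/manifest.yaml`, so a reader following the new section installs 0.5.0, which according to this patch still needs cert-manager. Point it at the 0.6.0 manifest. Under "Install version 0.5.0 and earlier" the URL reads `releases/download//manifest.yaml` with an empty version segment; if a placeholder was intended, write it so that it survives rendering and tell the reader to substitute a release tag. Also check that the cert-manager command block still sits between "You must first install *cert-manager* with the following commands:" and "After that, you can install the Lifecycle Toolkit with:", because in the added lines the two sentences are adjacent.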
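Review bot: in klt-cert-manager/README.md, the new overview sentence says the certificate lets the webhooks "access the Kubernetes API server", which describes the wrong direction. For an admission webhook the certificate is the webhook's TLS serving certificate, and the API server is the client that connects to the webhook and verifies it. Suggested wording: the Keptn certificate manager ensures that the API server can call the Lifecycle Toolkit webhooks over TLS with a valid certificate. The Description also uses "LT operator" while the rest of the patch writes "Lifecycle Toolkit operator"; pick one. The removed `// TODO(user)` line under "## Contributing" leaves that heading with no text before "### How it works".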