helm: add ability to use a custom issuer

[allenmun197]

This PR adds in the ability to use a custom Issuer when creating the certs for NFD in the helm chart. This is useful when there are cluster/enterprise policies that deny creating a self-signed CA.

Fixes #1597

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: allenmun197 / name: allenmun (8bd5259)

[k8s-ci-robot]

Welcome @allenmun197!

It looks like this is your first PR to kubernetes-sigs/node-feature-discovery 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/node-feature-discovery has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[k8s-ci-robot]

Hi @allenmun197. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[netlify]

✅ Deploy Preview for kubernetes-sigs-nfd ready!

Name	Link
🔨 Latest commit	8bd5259
🔍 Latest deploy log	https://app.netlify.com/sites/kubernetes-sigs-nfd/deploys/65de18aa64367500082f3994
😎 Deploy Preview	https://deploy-preview-1598--kubernetes-sigs-nfd.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[marquiz]

Thanks @allenmun197. I think we could take the patch, even though all of this is deprecated functionality. In more detail: note that the gRPC communication (and everything related, like TLS and cert-manager support) has been deprecated since NFD v0.13, disabled since NFD v0.14 and likely to be dropped in NFD v0.17. So, unless you specifically enable gRPC with enableNodeFeatureApi: true the TLS/cert-manager settings will not be used.

When adding new helm params, we also need to document those in docs/deployment/helm.md.

[marquiz]

We shouldn't break existing users

Suggested change

	certManager:
	enable: false
	issuerKind:
	issuerName:
	certManager: false
	certManageIssuerKind:
	certManageIssuerName:

OR

Suggested change

	certManager:
	enable: false
	issuerKind:
	issuerName:
	certManager: false
	certManagerCertificate:
	issuerKind:
	issuerName:

[allenmun197]

@marquiz

Ok, I moved the fields into certManagerCertificate as suggested. Also added the documentation for the new helm fields in docs/deployment/helm.md. I also added an additional check to make sure if .tls.certManagerCertificate.issuerKind is set but .tls.certManagerCertificate.issuerName is not set, it will not use .tls.certManagerCertificate.issuerKind and just default to Issuer. This fixes an issue when you have a values file that looks like

tls:
  certManager: enable
  certManagerCertificate:
    #issuerName: example-issuer
    issuerKind: ClusterIssuer

[marquiz]

This is quite cryptic to read, at least for me 😇

How about a bit longer but more explicit:

    {{- if and .Values.tls.certManagerCertificate.issuerName .Values.tls.certManagerCertificate.issuerKind }}
    kind: {{ .Values.tls.certManagerCertificate.issuerKind }}
    {{- else }}
    kind: Issuer
    {{- end }}

[allenmun197]

Got it. Updated the PR to use more simplified logic with regards to the issuer kind.

[marquiz]

/ok-to-test

[marquiz]

Thanks @allenmun197. I haven't tested this but looks good to me 👍
/assign @ArangoGutierrez

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: allenmun197, marquiz

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [marquiz]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[allenmun197]

@marquiz @ArangoGutierrez

Is this PR still in review?

[jjacobelli]

/lgtm

[k8s-ci-robot]

LGTM label has been added.

Git tree hash: 9198179a3adc871c6a751445c8e1da6598a85d34

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 30.04%. Comparing base (2914bff) to head (8bd5259).
Report is 2 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #1598      +/-   ##
==========================================
- Coverage   30.28%   30.04%   -0.24%     
==========================================
  Files         101      102       +1     
  Lines        9361     9422      +61     
==========================================
- Hits         2835     2831       -4     
- Misses       6260     6324      +64     
- Partials      266      267       +1     

see 2 files with indirect coverage changes