[cert-manager-setup] allow for multiple clusterissuers

mesosphere · Jan 27, 2020 · 756183c · 756183c
1 parent 36ceabf
commit 756183c
Show file tree

Hide file tree

Showing 9 changed files with 202 additions and 43 deletions.
diff --git a/staging/cert-manager-setup/Chart.yaml b/staging/cert-manager-setup/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 name: cert-manager-setup
 home: https://github.com/mesosphere/charts
-version: 0.1.7
+version: 0.1.8
 appVersion: 0.10.1
 description: Install cert-manager and optionally add a ClusterIssuer
 keywords:

diff --git a/staging/cert-manager-setup/ci/test-values.yaml b/staging/cert-manager-setup/ci/test-values.yaml
@@ -1,5 +1,43 @@
-clusterissuer:
-  name: kubernetes-ca
-  spec:
-    ca:
-      secretName: kubernetes-intermediate-ca
+issuers:
+  - name: kubernetes-root-issuer
+    secretName: kubernetes-root-ca
+
+certificates:
+  - name: kubernetes-intermediate-ca
+    # where to store this certificate
+    secretName: kubernetes-intermediate-ca
+    issuerRef:
+      name: kubernetes-root-issuer
+      kind: Issuer
+      # These are the default usages for reference
+      usages:
+        - "digital signature"
+        - "key encipherment"
+    commonName: cert-manager
+    duration: 87600h
+    dnsNames: []
+  - name: my-certificate
+    # where to store this certificate
+    secretName: my-certificate-secret
+    issuerRef:
+      name: kubernetes-root-issuer
+      kind: Issuer
+      # These are the default usages for reference
+      usages:
+        - "digital signature"
+        - "key encipherment"
+    commonName: cert-manager
+    duration: 87600h
+    dnsNames:
+      - example.com
+      - www.example.com
+
+clusterissuers:
+  - name: kubernetes-ca
+    spec:
+      ca:
+        secretName: kubernetes-intermediate-ca
+  - name: my-ca
+    spec:
+      ca:
+        secretName: my-certificate-secret
diff --git a/staging/cert-manager-setup/templates/certificates.yaml b/staging/cert-manager-setup/templates/certificates.yaml
@@ -0,0 +1,33 @@
+{{- if .Values.certificates }}
+{{- range .Values.certificates }}
+---
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: Certificate
+metadata:
+  name: {{ .name }}
+  annotations:
+    "helm.sh/hook": post-install,post-upgrade
+    "helm.sh/hook-weight": "-3"
+    "helm.sh/hook-delete-policy": before-hook-creation
+spec:
+  isCA: true
+  commonName: cert-manager
+  duration: {{ .duration | default "87600h" | quote }}
+  secretName: {{ .secretName }}
+  issuerRef:
+    name: {{ .issuerRef.name }}
+    kind: {{ .issuerRef.kind }}
+{{- if .issuerRef.usages }}
+    usages:
+  {{- range .issuerRef.usages }}
+    - {{ . | quote -}}
+  {{- end }}
+{{- end }}
+{{- if .dnsNames }}
+  dnsNames:
+  {{- range .dnsNames }}
+    - {{ . | quote -}}
+  {{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/staging/cert-manager-setup/templates/clusterissuer.yaml b/staging/cert-manager-setup/templates/clusterissuer.yaml
@@ -0,0 +1,47 @@
+# DEPRECATED, this file should be deleted soon
+{{ if .Values.clusterissuer }}
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: Issuer
+metadata:
+  name: kubernetes-root-issuer
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": post-install,post-upgrade
+    "helm.sh/hook-weight": "-4"
+    "helm.sh/hook-delete-policy": before-hook-creation
+spec:
+  ca:
+    secretName: kubernetes-root-ca
+---
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: Certificate
+metadata:
+  name: kubernetes-intermediate-ca
+  annotations:
+    "helm.sh/hook": post-install,post-upgrade
+    "helm.sh/hook-weight": "-3"
+    "helm.sh/hook-delete-policy": before-hook-creation
+spec:
+  isCA: true
+  commonName: cert-manager
+  duration: 87600h
+  secretName: kubernetes-intermediate-ca
+  issuerRef:
+    name: kubernetes-root-issuer
+    kind: Issuer
+    # These are the default usages for reference
+    usages:
+      - "digital signature"
+      - "key encipherment"
+---
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: ClusterIssuer
+metadata:
+  name: {{ required "clusterissuer must have a name" .Values.clusterissuer.name }}
+  annotations:
+    "helm.sh/hook": post-install,post-upgrade
+    "helm.sh/hook-weight": "-2"
+    "helm.sh/hook-delete-policy": before-hook-creation
+spec:
+  {{ required "clusterissuer must have a spec" .Values.clusterissuer.spec | toYaml | indent 4 }}
+  {{ end }}
diff --git a/staging/cert-manager-setup/templates/clusterissuers.yaml b/staging/cert-manager-setup/templates/clusterissuers.yaml
@@ -0,0 +1,15 @@
+{{- if .Values.clusterissuers }}
+{{- range .Values.clusterissuers }}
+---
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: ClusterIssuer
+metadata:
+  name: {{ required "clusterissuer must have a name" .name }}
+  annotations:
+    "helm.sh/hook": post-install,post-upgrade
+    "helm.sh/hook-weight": "-2"
+    "helm.sh/hook-delete-policy": before-hook-creation
+spec:
+{{ required "clusterissuer must have a spec" .spec | toYaml | indent 4 }}
+{{- end }}
+{{- end }}
diff --git a/staging/cert-manager-setup/templates/clusterrole.yaml b/staging/cert-manager-setup/templates/clusterrole.yaml
@@ -2,6 +2,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: read-apiservices
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: "before-hook-creation"
+    "helm.sh/hook-weight": "-4"
 rules:
 - apiGroups: ["apiregistration.k8s.io"]
   resources: ["apiservices"]

diff --git a/staging/cert-manager-setup/templates/clusterrolebinding.yaml b/staging/cert-manager-setup/templates/clusterrolebinding.yaml
@@ -3,6 +3,10 @@ kind: ClusterRoleBinding
 metadata:
   name: read-apiservices-rolebinding
   namespace: {{ .Release.Namespace }}
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: "before-hook-creation"
+    "helm.sh/hook-weight": "-3"
 subjects:
 - kind: ServiceAccount
   namespace: {{ .Release.Namespace }}

diff --git a/staging/cert-manager-setup/templates/issuers.yaml b/staging/cert-manager-setup/templates/issuers.yaml
@@ -1,46 +1,19 @@
-{{ if .Values.clusterissuer }}
+{{- if .Values.issuers }}
+{{- $namespace := .Release.Namespace }}
+{{- range .Values.issuers }}
+---
 apiVersion: certmanager.k8s.io/v1alpha1
 kind: Issuer
 metadata:
-  name: kubernetes-root-issuer
-  namespace: {{ .Release.Namespace }}
+  name: {{ .name }}
+  namespace: {{ .namespace }}
   annotations:
     "helm.sh/hook": post-install,post-upgrade
     "helm.sh/hook-weight": "-4"
     "helm.sh/hook-delete-policy": before-hook-creation
 spec:
   ca:
-    secretName: kubernetes-root-ca
----
-apiVersion: certmanager.k8s.io/v1alpha1
-kind: Certificate
-metadata:
-  name: kubernetes-intermediate-ca
-  annotations:
-    "helm.sh/hook": post-install,post-upgrade
-    "helm.sh/hook-weight": "-3"
-    "helm.sh/hook-delete-policy": before-hook-creation
-spec:
-  isCA: true
-  commonName: cert-manager
-  duration: 87600h
-  secretName: kubernetes-intermediate-ca
-  issuerRef:
-    name: kubernetes-root-issuer
-    kind: Issuer
-    # These are the default usages for reference
-    usages: 
-    - "digital signature"
-    - "key encipherment"
----
-apiVersion: certmanager.k8s.io/v1alpha1
-kind: ClusterIssuer
-metadata:
-  name: {{ required "clusterissuer must have a name" .Values.clusterissuer.name }}
-  annotations:
-    "helm.sh/hook": post-install,post-upgrade
-    "helm.sh/hook-weight": "-2"
-    "helm.sh/hook-delete-policy": before-hook-creation
-spec:
-{{ required "clusterissuer must have a spec" .Values.clusterissuer.spec | toYaml | indent 4 }}
-{{ end }}
+    secretName: {{ .secretName }}
+{{- end }}
+{{- end }}
+
diff --git a/staging/cert-manager-setup/values.yaml b/staging/cert-manager-setup/values.yaml
@@ -5,6 +5,51 @@
 nameOverride: ""
 fullnameOverride: ""
 
+issuers: []
+#  - name: kubernetes-root-issuer
+#    secretName: kubernetes-root-ca
+
+certificates: []
+#  - name: kubernetes-intermediate-ca
+#    # where to store this certificate
+#    secretName: my-certificate-secret
+#    issuerRef:
+#      name: kubernetes-root-issuer
+#      kind: Issuer
+#      # These are the default usages for reference
+#      usages:
+#        - "digital signature"
+#        - "key encipherment"
+#    commonName: cert-manager
+#    duration: 87600h
+#    dnsNames: []
+#  - name: my-certificate
+#    # where to store this certificate
+#    secretName: my-certificate-secret
+#    issuerRef:
+#      name: kubernetes-root-issuer
+#      kind: Issuer
+#      # These are the default usages for reference
+#      usages:
+#        - "digital signature"
+#        - "key encipherment"
+#    commonName: cert-manager
+#    duration: 87600h
+#    dnsNames:
+#      - example.com
+#      - www.example.com
+
+clusterissuers: []
+#  - name: kubernetes-ca
+#    spec:
+#      ca:
+#        secretName: kubernetes-intermediate-ca
+#  - name: my-ca
+#    spec:
+#      ca:
+#        secretName: my-certificate-secret
+
+# DEPRECATED, please use the above issuers, certificates and clusterissuers
 clusterissuer: {}
   # name: kubernetes-ca
   # spec: