From 756183c6935a5d2d60266a0a928b79a12b007768 Mon Sep 17 00:00:00 2001
From: alejandroEsc
Date: Thu, 23 Jan 2020 16:27:27 -0800
Subject: [PATCH] [cert-manager-setup] allow for multiple clusterissuers
---
 staging/cert-manager-setup/Chart.yaml | 2 +-
 .../cert-manager-setup/ci/test-values.yaml | 48 +++++++++++++++++--
 .../templates/certificates.yaml | 33 +++++++++++++
 .../templates/clusterissuer.yaml | 47 ++++++++++++++++++
 .../templates/clusterissuers.yaml | 15 ++++++
 .../templates/clusterrole.yaml | 4 ++
 .../templates/clusterrolebinding.yaml | 4 ++
 .../cert-manager-setup/templates/issuers.yaml | 47 ++++--------------
 staging/cert-manager-setup/values.yaml | 45 +++++++++++++++++
 9 files changed, 202 insertions(+), 43 deletions(-)
 create mode 100644 staging/cert-manager-setup/templates/certificates.yaml
 create mode 100644 staging/cert-manager-setup/templates/clusterissuer.yaml
 create mode 100644 staging/cert-manager-setup/templates/clusterissuers.yaml
diff --git a/staging/cert-manager-setup/Chart.yaml b/staging/cert-manager-setup/Chart.yaml
index dcb114a2e..61a664a22 100644
--- a/staging/cert-manager-setup/Chart.yaml
+++ b/staging/cert-manager-setup/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 name: cert-manager-setup
 home: https://github.com/mesosphere/charts
-version: 0.1.7
+version: 0.1.8
 appVersion: 0.10.1
 description: Install cert-manager and optionally add a ClusterIssuer
 keywords:
diff --git a/staging/cert-manager-setup/ci/test-values.yaml b/staging/cert-manager-setup/ci/test-values.yaml
index d3d49424b..b82dec76a 100644
--- a/staging/cert-manager-setup/ci/test-values.yaml
+++ b/staging/cert-manager-setup/ci/test-values.yaml
@@ -1,5 +1,43 @@ -clusterissuer: - name: kubernetes-ca - spec: - ca: - secretName: kubernetes-intermediate-ca +issuers: + - name: kubernetes-root-issuer + secretName: kubernetes-root-ca + +certificates: + - name: kubernetes-intermediate-ca + # where to store this certificate + secretName: kubernetes-intermediate-ca + issuerRef: + name: kubernetes-root-issuer + kind: Issuer + # These are the default usages for reference + usages: + - "digital signature" + - "key encipherment" + commonName: cert-manager + duration: 87600h + dnsNames: [] + - name: my-certificate + # where to store this certificate + secretName: my-certificate-secret + issuerRef: + name: kubernetes-root-issuer + kind: Issuer + # These are the default usages for reference + usages: + - "digital signature" + - "key encipherment" + commonName: cert-manager + duration: 87600h + dnsNames: + - example.com + - www.example.com + +clusterissuers: + - name: kubernetes-ca + spec: + ca: + secretName: kubernetes-intermediate-ca + - name: my-ca + spec: + ca: + secretName: my-certificate-secret diff --git a/staging/cert-manager-setup/templates/certificates.yaml b/staging/cert-manager-setup/templates/certificates.yaml new file mode 100644 index 000000000..3fe894d01 --- /dev/null +++ b/staging/cert-manager-setup/templates/certificates.yaml 
@@ -0,0 +1,33 @@ +{{- if .Values.certificates }} +{{- range .Values.certificates }} +--- +apiVersion: certmanager.k8s.io/v1alpha1 +kind: Certificate +metadata: + name: {{ .name }} + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-weight": "-3" + "helm.sh/hook-delete-policy": before-hook-creation +spec: + isCA: true + commonName: cert-manager + duration: {{ .duration | default "87600h" | quote }} + secretName: {{ .secretName }} + issuerRef: + name: {{ .issuerRef.name }} + kind: {{ .issuerRef.kind }} +{{- if .issuerRef.usages }} + usages: + {{- range .issuerRef.usages }} + - {{ . | quote -}} + {{- end }} +{{- end }} +{{- if .dnsNames }} + dnsNames: + {{- range .dnsNames }} + - {{ . | quote -}} + {{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/staging/cert-manager-setup/templates/clusterissuer.yaml b/staging/cert-manager-setup/templates/clusterissuer.yaml new file mode 100644 index 000000000..a96f2af07 --- /dev/null +++ b/staging/cert-manager-setup/templates/clusterissuer.yaml 
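Review bot: The `usages` list is read from the wrong place: `{{- if .issuerRef.usages }}` and `{{- range .issuerRef.usages }}` look under `issuerRef`, but every entry in values.yaml and ci/test-values.yaml puts `usages` directly on the certificate, so the configured usages are always dropped and cert-manager falls back to its defaults; both references should be `.usages`. Relatedly, `isCA: true` and `commonName: cert-manager` are hard-coded even though the values carry a `commonName` per entry and the `my-certificate` example with `dnsNames` reads like a leaf certificate, so every certificate this template can produce is a CA certificate, which is more authority than a server certificate should carry. Consider `commonName: {{ .commonName | default "cert-manager" | quote }}` and a per-entry `isCA` field, keeping in mind that Helm's `default` treats `false` as unset, so an explicit `hasKey . "isCA"` check is needed to let an entry opt out.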
@@ -0,0 +1,47 @@ +# DEPRECATED, this file should be deleted soon +{{ if .Values.clusterissuer }} +apiVersion: certmanager.k8s.io/v1alpha1 +kind: Issuer +metadata: + name: kubernetes-root-issuer + namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-weight": "-4" + "helm.sh/hook-delete-policy": before-hook-creation +spec: + ca: + secretName: kubernetes-root-ca +--- +apiVersion: certmanager.k8s.io/v1alpha1 +kind: Certificate +metadata: + name: kubernetes-intermediate-ca + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-weight": "-3" + "helm.sh/hook-delete-policy": before-hook-creation +spec: + isCA: true + commonName: cert-manager + duration: 87600h + secretName: kubernetes-intermediate-ca + issuerRef: + name: kubernetes-root-issuer + kind: Issuer + # These are the default usages for reference + usages: + - "digital signature" + - "key encipherment" +--- +apiVersion: certmanager.k8s.io/v1alpha1 +kind: ClusterIssuer +metadata: + name: {{ required "clusterissuer must have a name" .Values.clusterissuer.name }} + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-weight": "-2" + "helm.sh/hook-delete-policy": before-hook-creation +spec: + {{ required "clusterissuer must have a spec" .Values.clusterissuer.spec | toYaml | indent 4 }} + {{ end }} \ No newline at end of file diff --git a/staging/cert-manager-setup/templates/clusterissuers.yaml b/staging/cert-manager-setup/templates/clusterissuers.yaml new file mode 100644 index 000000000..84813054a --- /dev/null +++ b/staging/cert-manager-setup/templates/clusterissuers.yaml 
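Review bot: This deprecated path hard-codes an Issuer named `kubernetes-root-issuer` and a Certificate named `kubernetes-intermediate-ca` in the release namespace, the same names the new `issuers`/`certificates` examples in values.yaml and ci/test-values.yaml use, so a user who keeps the legacy `clusterissuer` value while migrating to the new lists renders two definitions of the same hook resources. Guard against that combination at the top, e.g. `{{- if and .Values.clusterissuer (or .Values.issuers .Values.certificates .Values.clusterissuers) }}{{ fail "clusterissuer is deprecated; do not combine it with issuers/certificates/clusterissuers" }}{{- end }}`, and extend the header comment with the release in which the file is removed. The file also ends without a newline and the closing `{{ end }}` is indented, which emits stray whitespace into every render.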
@@ -0,0 +1,15 @@ +{{- if .Values.clusterissuers }} +{{- range .Values.clusterissuers }} +--- +apiVersion: certmanager.k8s.io/v1alpha1 +kind: ClusterIssuer +metadata: + name: {{ required "clusterissuer must have a name" .name }} + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-weight": "-2" + "helm.sh/hook-delete-policy": before-hook-creation +spec: +{{ required "clusterissuer must have a spec" .spec | toYaml | indent 4 }} +{{- end }} +{{- end }} diff --git a/staging/cert-manager-setup/templates/clusterrole.yaml b/staging/cert-manager-setup/templates/clusterrole.yaml index 3c8eb6801..d66bba43f 100644 --- a/staging/cert-manager-setup/templates/clusterrole.yaml +++ b/staging/cert-manager-setup/templates/clusterrole.yaml @@ -2,6 +2,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: read-apiservices + annotations: + helm.sh/hook: pre-install,pre-upgrade + helm.sh/hook-delete-policy: "before-hook-creation" + "helm.sh/hook-weight": "-4" rules: - apiGroups: ["apiregistration.k8s.io"] resources: ["apiservices"] diff --git a/staging/cert-manager-setup/templates/clusterrolebinding.yaml b/staging/cert-manager-setup/templates/clusterrolebinding.yaml index 1600d6049..2f169e396 100644 --- a/staging/cert-manager-setup/templates/clusterrolebinding.yaml +++ b/staging/cert-manager-setup/templates/clusterrolebinding.yaml @@ -3,6 +3,10 @@ kind: ClusterRoleBinding metadata: name: read-apiservices-rolebinding namespace: {{ .Release.Namespace }} + annotations: + helm.sh/hook: pre-install,pre-upgrade + helm.sh/hook-delete-policy: "before-hook-creation" + "helm.sh/hook-weight": "-3" subjects: - kind: ServiceAccount namespace: {{ .Release.Namespace }} diff --git a/staging/cert-manager-setup/templates/issuers.yaml b/staging/cert-manager-setup/templates/issuers.yaml index 9b57e9da6..235fac594 100644 --- a/staging/cert-manager-setup/templates/issuers.yaml +++ b/staging/cert-manager-setup/templates/issuers.yaml 
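Review bot: A `ca.secretName` on a ClusterIssuer is resolved in cert-manager's cluster-resource namespace (by default the namespace cert-manager runs in), not in `.Release.Namespace` where the Certificate hooks in certificates.yaml write their secrets, so the `secretName: kubernetes-intermediate-ca` wiring in ci/test-values.yaml only works when this chart is installed into that same namespace; that assumption deserves a comment above `spec:`, e.g. `# ca.secretName is looked up in cert-manager's cluster-resource namespace, not in the release namespace`. The hook weights (-3 for Certificates, -2 here) only order object creation; issuance is asynchronous, so the ClusterIssuer can report the secret as missing until the Certificate is ready, which is worth stating in the same comment.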
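Review bot: Turning `read-apiservices` into a `pre-install,pre-upgrade` hook (here and in the clusterrolebinding.yaml hunk) takes the ClusterRole and its binding out of release management: Helm does not delete hook resources on `helm uninstall`, and `before-hook-creation` only removes them right before the next hook run, so the cluster-wide grant outlives the chart. If the ordering is required, say why in a comment and document the leftover, e.g. `# hook resource: not removed by helm uninstall, delete manually when decommissioning`. The annotation keys are also mixed within one mapping (`helm.sh/hook:` and `helm.sh/hook-delete-policy:` unquoted, `"helm.sh/hook-weight"` quoted) while the other templates quote all three; use `"helm.sh/hook": pre-install,pre-upgrade` and `"helm.sh/hook-delete-policy": before-hook-creation` for consistency.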
@@ -1,46 +1,19 @@ -{{ if .Values.clusterissuer }} +{{- if .Values.issuers }} +{{- $namespace := .Release.Namespace }} +{{- range .Values.issuers }} +--- apiVersion: certmanager.k8s.io/v1alpha1 kind: Issuer metadata: - name: kubernetes-root-issuer - namespace: {{ .Release.Namespace }} + name: {{ .name }} + namespace: {{ .namespace }} annotations: "helm.sh/hook": post-install,post-upgrade "helm.sh/hook-weight": "-4" "helm.sh/hook-delete-policy": before-hook-creation spec: ca: - secretName: kubernetes-root-ca ---- -apiVersion: certmanager.k8s.io/v1alpha1 -kind: Certificate -metadata: - name: kubernetes-intermediate-ca - annotations: - "helm.sh/hook": post-install,post-upgrade - "helm.sh/hook-weight": "-3" - "helm.sh/hook-delete-policy": before-hook-creation -spec: - isCA: true - commonName: cert-manager - duration: 87600h - secretName: kubernetes-intermediate-ca - issuerRef: - name: kubernetes-root-issuer - kind: Issuer - # These are the default usages for reference - usages: - - "digital signature" - - "key encipherment" ---- -apiVersion: certmanager.k8s.io/v1alpha1 -kind: ClusterIssuer -metadata: - name: {{ required "clusterissuer must have a name" .Values.clusterissuer.name }} - annotations: - "helm.sh/hook": post-install,post-upgrade - "helm.sh/hook-weight": "-2" - "helm.sh/hook-delete-policy": before-hook-creation -spec: -{{ required "clusterissuer must have a spec" .Values.clusterissuer.spec | toYaml | indent 4 }} -{{ end }} + secretName: {{ .secretName }} +{{- end }} +{{- end }} + diff --git a/staging/cert-manager-setup/values.yaml b/staging/cert-manager-setup/values.yaml index dbc678d53..3d951ae4c 100644 --- a/staging/cert-manager-setup/values.yaml +++ b/staging/cert-manager-setup/values.yaml 
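Review bot: `namespace: {{ .namespace }}` reads a per-issuer field that neither values.yaml nor ci/test-values.yaml provides (entries carry only `name` and `secretName`), so the line renders as an empty `namespace:`, and the `$namespace` variable captured two lines earlier is never used; the intent was presumably `namespace: {{ .namespace | default $namespace }}`. The added trailing blank line after the final `{{- end }}` is emitted into every render and can be dropped.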
@@ -5,6 +5,51 @@ nameOverride: "" fullnameOverride: "" +issuers: [] +# - name: kubernetes-root-issuer +# secretName: kubernetes-root-ca + +certificates: [] +# - name: kubernetes-intermediate-ca +# # where to store this certificate +# secretName: my-certificate-secret +# issuerRef: +# name: kubernetes-root-issuer +# kind: Issuer +# # These are the default usages for reference +# usages: +# - "digital signature" +# - "key encipherment" +# commonName: cert-manager +# duration: 87600h +# dnsNames: [] +# - name: my-certificate +# # where to store this certificate +# secretName: my-certificate-secret +# issuerRef: +# name: kubernetes-root-issuer +# kind: Issuer +# # These are the default usages for reference +# usages: +# - "digital signature" +# - "key encipherment" +# commonName: cert-manager +# duration: 87600h +# dnsNames: +# - example.com +# - www.example.com + +clusterissuers: [] +# - name: kubernetes-ca +# spec: +# ca: +# secretName: kubernetes-intermediate-ca +# - name: my-ca +# spec: +# ca: +# secretName: my-certificate-secret + +# DEPRECATED, please use the above issuers, certificates and clusterissuers clusterissuer: {} # name: kubernetes-ca # spec:
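Review bot: The commented examples are internally inconsistent: both sample certificates write `secretName: my-certificate-secret`, so they would overwrite each other's secret, while the sample ClusterIssuer `kubernetes-ca` reads `secretName: kubernetes-intermediate-ca`, which no sample certificate produces. Align the first certificate with `#   secretName: kubernetes-intermediate-ca` as ci/test-values.yaml does. Since the examples are the only documentation of these lists, a short comment above `issuers: []` stating that each Issuer expects its CA secret to exist already (the chart does not create `kubernetes-root-ca`) would save users a failed first install.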