Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[cert-manager-setup] allow for multiple clusterissuers #380

Merged
merged 3 commits into from
Jan 31, 2020
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion staging/cert-manager-setup/Chart.yaml
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
apiVersion: v1
name: cert-manager-setup
home: https://github.com/mesosphere/charts
version: 0.1.7
version: 0.1.8
appVersion: 0.10.1
shaneutt marked this conversation as resolved.
Show resolved Hide resolved
description: Install cert-manager and optionally add a ClusterIssuer
keywords:
Expand Down
28 changes: 28 additions & 0 deletions staging/cert-manager-setup/ci/general-test-values.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
# This test ensures we can create an issuer, a certificate and a clusterissuer

issuers:
- name: my-root-issuer
secretName: kubernetes-root-ca

certificates:
- name: my-certificate
# where to store this certificate
secretName: my-certificate-secret
issuerRef:
name: my-root-issuer
kind: Issuer
# These are the default usages for reference
usages:
- "digital signature"
- "key encipherment"
commonName: cert-manager
duration: 87600h
dnsNames:
- example.com
- www.example.com

clusterissuers:
- name: my-ca
spec:
ca:
secretName: my-certificate-secret
shaneutt marked this conversation as resolved.
Show resolved Hide resolved
2 changes: 2 additions & 0 deletions staging/cert-manager-setup/ci/test-values.yaml
Original file line number Diff line number Diff line change
@@ -1,3 +1,5 @@
# These test values are used for chart testing
# DO NOT EDIT unless you know what you are doing
shaneutt marked this conversation as resolved.
Show resolved Hide resolved
clusterissuer:
name: kubernetes-ca
spec:
Expand Down
1 change: 0 additions & 1 deletion staging/cert-manager-setup/requirements.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -3,4 +3,3 @@ dependencies:
version: 0.10.1
repository: https://charts.jetstack.io
condition: installCertManager

33 changes: 33 additions & 0 deletions staging/cert-manager-setup/templates/certificates.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
{{- if .Values.certificates }}
{{- range .Values.certificates }}
---
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
name: {{ .name }}
annotations:
"helm.sh/hook": post-install,post-upgrade
"helm.sh/hook-weight": "-3"
"helm.sh/hook-delete-policy": before-hook-creation
spec:
isCA: true
commonName: cert-manager
duration: {{ .duration | default "87600h" | quote }}
secretName: {{ .secretName }}
issuerRef:
name: {{ .issuerRef.name }}
kind: {{ .issuerRef.kind }}
{{- if .issuerRef.usages }}
usages:
{{- range .issuerRef.usages }}
- {{ . | quote -}}
{{- end }}
{{- end }}
{{- if .dnsNames }}
dnsNames:
{{- range .dnsNames }}
- {{ . | quote -}}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
shaneutt marked this conversation as resolved.
Show resolved Hide resolved
47 changes: 47 additions & 0 deletions staging/cert-manager-setup/templates/clusterissuer.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
# DEPRECATED, this file should be deleted soon
shaneutt marked this conversation as resolved.
Show resolved Hide resolved
{{ if .Values.clusterissuer }}
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
name: kubernetes-root-issuer
namespace: {{ .Release.Namespace }}
annotations:
"helm.sh/hook": post-install,post-upgrade
"helm.sh/hook-weight": "-4"
"helm.sh/hook-delete-policy": before-hook-creation
spec:
ca:
secretName: kubernetes-root-ca
---
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
name: kubernetes-intermediate-ca
annotations:
"helm.sh/hook": post-install,post-upgrade
"helm.sh/hook-weight": "-3"
"helm.sh/hook-delete-policy": before-hook-creation
spec:
isCA: true
commonName: cert-manager
duration: 87600h
secretName: kubernetes-intermediate-ca
issuerRef:
name: kubernetes-root-issuer
kind: Issuer
# These are the default usages for reference
usages:
- "digital signature"
- "key encipherment"
---
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
name: {{ required "clusterissuer must have a name" .Values.clusterissuer.name }}
annotations:
"helm.sh/hook": post-install,post-upgrade
"helm.sh/hook-weight": "-2"
"helm.sh/hook-delete-policy": before-hook-creation
spec:
{{ required "clusterissuer must have a spec" .Values.clusterissuer.spec | toYaml | indent 4 }}
{{ end }}
15 changes: 15 additions & 0 deletions staging/cert-manager-setup/templates/clusterissuers.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
{{- if .Values.clusterissuers }}
{{- range .Values.clusterissuers }}
---
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
name: {{ required "clusterissuer must have a name" .name }}
annotations:
"helm.sh/hook": post-install,post-upgrade
"helm.sh/hook-weight": "-2"
"helm.sh/hook-delete-policy": before-hook-creation
spec:
{{ required "clusterissuer must have a spec" .spec | toYaml | indent 4 }}
{{- end }}
{{- end }}
17 changes: 13 additions & 4 deletions staging/cert-manager-setup/templates/clusterrole.yaml
Original file line number Diff line number Diff line change
@@ -1,8 +1,17 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: read-apiservices
name: cert-manager-setup-apiservices
annotations:
helm.sh/hook: pre-install,pre-upgrade
helm.sh/hook-delete-policy: before-hook-creation
helm.sh/hook-weight: "-7"
rules:
- apiGroups: ["apiregistration.k8s.io"]
resources: ["apiservices"]
verbs: ["get", "watch", "list"]
- apiGroups:
- "apiregistration.k8s.io"
resources:
- "apiservices"
verbs:
- "get"
- "watch"
- "list"
Original file line number Diff line number Diff line change
@@ -1,13 +1,17 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: read-apiservices-rolebinding
name: cert-manager-setup-apiservices
namespace: {{ .Release.Namespace }}
annotations:
helm.sh/hook: pre-install,pre-upgrade
helm.sh/hook-delete-policy: before-hook-creation
"helm.sh/hook-weight": "-7"
subjects:
- kind: ServiceAccount
namespace: {{ .Release.Namespace }}
name: default
roleRef:
kind: ClusterRole
name: read-apiservices
name: cert-manager-setup-apiservices
apiGroup: rbac.authorization.k8s.io
47 changes: 10 additions & 37 deletions staging/cert-manager-setup/templates/issuers.yaml
Original file line number Diff line number Diff line change
@@ -1,46 +1,19 @@
{{ if .Values.clusterissuer }}
{{- if .Values.issuers }}
{{- $namespace := .Release.Namespace }}
{{- range .Values.issuers }}
---
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
name: kubernetes-root-issuer
namespace: {{ .Release.Namespace }}
name: {{ .name }}
namespace: {{ .namespace }}
annotations:
"helm.sh/hook": post-install,post-upgrade
"helm.sh/hook-weight": "-4"
"helm.sh/hook-delete-policy": before-hook-creation
spec:
ca:
secretName: kubernetes-root-ca
---
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
name: kubernetes-intermediate-ca
annotations:
"helm.sh/hook": post-install,post-upgrade
"helm.sh/hook-weight": "-3"
"helm.sh/hook-delete-policy": before-hook-creation
spec:
isCA: true
commonName: cert-manager
duration: 87600h
secretName: kubernetes-intermediate-ca
issuerRef:
name: kubernetes-root-issuer
kind: Issuer
# These are the default usages for reference
usages:
- "digital signature"
- "key encipherment"
---
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
name: {{ required "clusterissuer must have a name" .Values.clusterissuer.name }}
annotations:
"helm.sh/hook": post-install,post-upgrade
"helm.sh/hook-weight": "-2"
"helm.sh/hook-delete-policy": before-hook-creation
spec:
{{ required "clusterissuer must have a spec" .Values.clusterissuer.spec | toYaml | indent 4 }}
{{ end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}

26 changes: 3 additions & 23 deletions staging/cert-manager-setup/templates/post-install-hook-job.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@ apiVersion: batch/v1
kind: Job
metadata:
name: {{ include "cert-manager-setup.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{ include "cert-manager-setup.labels" . | indent 4 }}
annotations:
Expand All @@ -13,31 +14,10 @@ spec:
metadata:
name: "wait-for-cert-manager-webhook"
spec:
serviceAccountName: default
restartPolicy: Never
containers:
- name: {{ .Chart.Name }}
image: bitnami/kubectl:latest
imagePullPolicy: IfNotPresent
command: ["kubectl", "wait", "--for=condition=Available", "--timeout=300s", "apiservice", "v1beta1.webhook.certmanager.k8s.io"]
---
apiVersion: batch/v1
kind: Job
metadata:
name: {{ include "cert-manager-setup.fullname" . }}-sleep
labels:
{{ include "cert-manager-setup.labels" . | indent 4 }}
annotations:
"helm.sh/hook": post-install,post-upgrade
"helm.sh/hook-weight": "-5"
"helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
spec:
template:
metadata:
name: "sleep"
spec:
restartPolicy: Never
containers:
- name: {{ .Chart.Name }}
image: ubuntu:xenial
imagePullPolicy: IfNotPresent
command: ["sleep", "30"]
command: ["kubectl", "wait", "--for=condition=Available", "--timeout=360s", "apiservice", "v1beta1.webhook.certmanager.k8s.io"]
shaneutt marked this conversation as resolved.
Show resolved Hide resolved
45 changes: 45 additions & 0 deletions staging/cert-manager-setup/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,51 @@
nameOverride: ""
fullnameOverride: ""

issuers: []
# - name: kubernetes-root-issuer
# secretName: kubernetes-root-ca

certificates: []
# - name: kubernetes-intermediate-ca
# # where to store this certificate
# secretName: kubernetes-intermediate-ca
# issuerRef:
# name: kubernetes-root-issuer
# kind: Issuer
# # These are the default usages for reference
# usages:
# - "digital signature"
# - "key encipherment"
# commonName: cert-manager
# duration: 87600h
# dnsNames: []
# - name: my-certificate
# # where to store this certificate
# secretName: my-certificate-secret
# issuerRef:
# name: kubernetes-root-issuer
# kind: Issuer
# # These are the default usages for reference
# usages:
# - "digital signature"
# - "key encipherment"
# commonName: cert-manager
# duration: 87600h
# dnsNames:
# - example.com
# - www.example.com

clusterissuers: []
# - name: kubernetes-ca
# spec:
# ca:
# secretName: kubernetes-intermediate-ca
# - name: my-ca
# spec:
# ca:
# secretName: my-certificate-secret

# DEPRECATED, please use the above issuers, certificates and clusterissuers
clusterissuer: {}
# name: kubernetes-ca
# spec:
Expand Down