add cert-manager v1.13.6 (#103)

tkestack · Oct 21, 2024 · 396ece0 · 396ece0
1 parent de49653
commit 396ece0
Show file tree

Hide file tree

Showing 39 changed files with 2,884 additions and 13,778 deletions.
diff --git a/incubator/cert-manager/Chart.yaml b/incubator/cert-manager/Chart.yaml
@@ -1,20 +1,25 @@
 annotations:
+  artifacthub.io/license: Apache-2.0
   artifacthub.io/prerelease: "false"
+  artifacthub.io/signKey: |
+    fingerprint: 1020CF3C033D4F35BAE1C19E1226061C665DF13E
+    url: https://cert-manager.io/public-keys/cert-manager-keyring-2021-09-20-1020CF3C033D4F35BAE1C19E1226061C665DF13E.gpg
 apiVersion: v1
-appVersion: v1.5.5
+appVersion: v1.13.6
 description: A Helm chart for cert-manager
-home: https://github.com/jetstack/cert-manager
+home: https://github.com/cert-manager/cert-manager
 icon: https://cloudcache.tencent-cloud.com/qcloud/ui/static/Industry_tke/44fcdbc2-7461-4025-99c7-54608dfe700d.png
 keywords:
   - cert-manager
   - kube-lego
   - letsencrypt
   - tls
+kubeVersion: ">= 1.22.0-0"
 maintainers:
   - email: [email protected]
     name: cert-manager-maintainers
+    url: https://cert-manager.io
 name: cert-manager
 sources:
-  - https://github.com/jetstack/cert-manager
-version: v1.5.5
-kubeVersion: ">= 1.16.0-0"
+  - https://github.com/cert-manager/cert-manager
+version: v1.13.6
diff --git a/incubator/cert-manager/README.md b/incubator/cert-manager/README.md
diff --git a/incubator/cert-manager/templates/_helpers.tpl b/incubator/cert-manager/templates/_helpers.tpl
@@ -58,7 +58,7 @@ If release name contains chart name it will be used as a full name.
 {{- end -}}
 
 {{- define "webhook.caRef" -}}
-{{ .Release.Namespace}}/{{ template "webhook.fullname" . }}-ca
+{{- template "cert-manager.namespace" }}/{{ template "webhook.fullname" . }}-ca
 {{- end -}}
 
 {{/*
@@ -156,4 +156,19 @@ app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 helm.sh/chart: {{ include "chartName" . }}
 {{- end -}}
+{{- if .Values.global.commonLabels}}
+{{ toYaml .Values.global.commonLabels }}
+{{- end }}
+{{- end -}}
+
+{{/*
+Namespace for all resources to be installed into
+If not defined in values file then the helm release namespace is used
+By default this is not set so the helm release namespace will be used
+
+This gets around an problem within helm discussed here
+https://github.com/helm/helm/issues/5358
+*/}}
+{{- define "cert-manager.namespace" -}}
+    {{ .Values.namespace | default .Release.Namespace }}
 {{- end -}}
diff --git a/incubator/cert-manager/templates/cainjector-deployment.yaml b/incubator/cert-manager/templates/cainjector-deployment.yaml
@@ -1,18 +1,18 @@
-{{- if .Values.cainjector.enabled -}}
+{{- if .Values.cainjector.enabled }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: {{ include "cainjector.fullname" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include "cert-manager.namespace" . }}
   labels:
     app: {{ include "cainjector.name" . }}
     app.kubernetes.io/name: {{ include "cainjector.name" . }}
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/component: "cainjector"
     {{- include "labels" . | nindent 4 }}
-  {{- if .Values.cainjector.deploymentAnnotations }}
+  {{- with .Values.cainjector.deploymentAnnotations }}
   annotations:
-{{ toYaml .Values.cainjector.deploymentAnnotations | indent 4 }}
+    {{- toYaml . | nindent 4 }}
   {{- end }}
 spec:
   replicas: {{ .Values.cainjector.replicaCount }}
@@ -23,7 +23,7 @@ spec:
       app.kubernetes.io/component: "cainjector"
   {{- with .Values.cainjector.strategy }}
   strategy:
-    {{- . | toYaml | nindent 4 }}
+    {{- toYaml . | nindent 4 }}
   {{- end }}
   template:
     metadata:
@@ -33,26 +33,30 @@ spec:
         app.kubernetes.io/instance: {{ .Release.Name }}
         app.kubernetes.io/component: "cainjector"
         {{- include "labels" . | nindent 8 }}
-{{- if .Values.cainjector.podLabels }}
-{{ toYaml .Values.cainjector.podLabels | indent 8 }}
-{{- end }}
-      {{- if .Values.cainjector.podAnnotations }}
+        {{- with .Values.cainjector.podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+      {{- with .Values.cainjector.podAnnotations }}
       annotations:
-{{ toYaml .Values.cainjector.podAnnotations | indent 8 }}
+        {{- toYaml . | nindent 8 }}
       {{- end }}
     spec:
       serviceAccountName: {{ template "cainjector.serviceAccountName" . }}
-      {{- if .Values.global.priorityClassName }}
-      priorityClassName: {{ .Values.global.priorityClassName | quote }}
+      {{- if hasKey .Values.cainjector "automountServiceAccountToken" }}
+      automountServiceAccountToken: {{ .Values.cainjector.automountServiceAccountToken }}
+      {{- end }}
+      enableServiceLinks: {{ .Values.cainjector.enableServiceLinks }}
+      {{- with .Values.global.priorityClassName }}
+      priorityClassName: {{ . | quote }}
       {{- end }}
-      {{- if .Values.cainjector.securityContext}}
+      {{- with .Values.cainjector.securityContext }}
       securityContext:
-{{ toYaml .Values.cainjector.securityContext | indent 8 }}
+        {{- toYaml . | nindent 8 }}
       {{- end }}
       containers:
-        - name: {{ .Chart.Name }}
+        - name: {{ .Chart.Name }}-cainjector
           {{- with .Values.cainjector.image }}
-          image: "{{- if .registry -}}{{ .registry }}/{{- end -}}{{ .repository }}{{- if (.digest) -}} @{{.digest}}{{- else -}}:{{ default $.Chart.AppVersion .tag }} {{- end -}}"
+          image: "{{- if .registry -}}{{ .registry }}/{{- end -}}{{ .repository }}{{- if (.digest) -}} @{{ .digest }}{{- else -}}:{{ default $.Chart.AppVersion .tag }} {{- end -}}"
           {{- end }}
           imagePullPolicy: {{ .Values.cainjector.image.pullPolicy }}
           args:
@@ -71,30 +75,44 @@ spec:
           - --leader-election-retry-period={{ .retryPeriod }}
           {{- end }}
           {{- end }}
-          {{- if .Values.cainjector.extraArgs }}
-{{ toYaml .Values.cainjector.extraArgs | indent 10 }}
+          {{- with .Values.cainjector.extraArgs }}
+          {{- toYaml . | nindent 10 }}
           {{- end }}
           env:
           - name: POD_NAMESPACE
             valueFrom:
               fieldRef:
                 fieldPath: metadata.namespace
-          {{- if .Values.cainjector.containerSecurityContext }}
+          {{- with .Values.cainjector.containerSecurityContext }}
           securityContext:
-            {{- toYaml .Values.cainjector.containerSecurityContext | nindent 12 }}
+            {{- toYaml . | nindent 12 }}
           {{- end }}
+          {{- with .Values.cainjector.resources }}
           resources:
-{{ toYaml .Values.cainjector.resources | indent 12 }}
-    {{- with .Values.cainjector.nodeSelector }}
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.cainjector.volumeMounts }}
+          volumeMounts:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+      {{- with .Values.cainjector.nodeSelector }}
       nodeSelector:
-{{ toYaml . | indent 8 }}
-    {{- end }}
-    {{- with .Values.cainjector.affinity }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.cainjector.affinity }}
       affinity:
-{{ toYaml . | indent 8 }}
-    {{- end }}
-    {{- with .Values.cainjector.tolerations }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.cainjector.tolerations }}
       tolerations:
-{{ toYaml . | indent 8 }}
-    {{- end }}
-{{- end -}}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with  .Values.cainjector.topologySpreadConstraints }}
+      topologySpreadConstraints:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.cainjector.volumes }}
+      volumes:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+{{- end }}
diff --git a/incubator/cert-manager/templates/cainjector-poddisruptionbudget.yaml b/incubator/cert-manager/templates/cainjector-poddisruptionbudget.yaml
@@ -0,0 +1,29 @@
+{{- if .Values.cainjector.podDisruptionBudget.enabled }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{ include "cainjector.fullname" . }}
+  namespace: {{ include "cert-manager.namespace" . }}
+  labels:
+    app: {{ include "cainjector.name" . }}
+    app.kubernetes.io/name: {{ include "cainjector.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component: "cainjector"
+    {{- include "labels" . | nindent 4 }}
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: {{ include "cainjector.name" . }}
+      app.kubernetes.io/instance: {{ .Release.Name }}
+      app.kubernetes.io/component: "cainjector"
+
+  {{- if not (or (hasKey .Values.cainjector.podDisruptionBudget "minAvailable") (hasKey .Values.cainjector.podDisruptionBudget "maxUnavailable")) }}
+  minAvailable: 1 # Default value because minAvailable and maxUnavailable are not set
+  {{- end }}
+  {{- if hasKey .Values.cainjector.podDisruptionBudget "minAvailable" }}
+  minAvailable: {{ .Values.cainjector.podDisruptionBudget.minAvailable }}
+  {{- end }}
+  {{- if hasKey .Values.cainjector.podDisruptionBudget "maxUnavailable" }}
+  maxUnavailable: {{ .Values.cainjector.podDisruptionBudget.maxUnavailable }}
+  {{- end }}
+{{- end }}
diff --git a/incubator/cert-manager/templates/cainjector-psp-clusterrole.yaml b/incubator/cert-manager/templates/cainjector-psp-clusterrole.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.cainjector.enabled -}}
+{{- if .Values.cainjector.enabled }}
 {{- if .Values.global.podSecurityPolicy.enabled }}
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1

diff --git a/incubator/cert-manager/templates/cainjector-psp-clusterrolebinding.yaml b/incubator/cert-manager/templates/cainjector-psp-clusterrolebinding.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.cainjector.enabled -}}
+{{- if .Values.cainjector.enabled }}
 {{- if .Values.global.podSecurityPolicy.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -17,6 +17,6 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: {{ template "cainjector.serviceAccountName" . }}
-    namespace: {{ .Release.Namespace }}
+    namespace: {{ include "cert-manager.namespace" . }}
 {{- end }}
 {{- end }}
diff --git a/incubator/cert-manager/templates/cainjector-psp.yaml b/incubator/cert-manager/templates/cainjector-psp.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.cainjector.enabled -}}
+{{- if .Values.cainjector.enabled }}
 {{- if .Values.global.podSecurityPolicy.enabled }}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
@@ -47,5 +47,5 @@ spec:
     ranges:
     - min: 1000
       max: 1000
-{{- end -}}
-{{- end -}}
+{{- end }}
+{{- end }}
diff --git a/incubator/cert-manager/templates/cainjector-rbac.yaml b/incubator/cert-manager/templates/cainjector-rbac.yaml
@@ -1,5 +1,5 @@
-{{- if .Values.cainjector.enabled -}}
-{{- if .Values.global.rbac.create -}}
+{{- if .Values.cainjector.enabled }}
+{{- if .Values.global.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -22,16 +22,13 @@ rules:
     verbs: ["get", "create", "update", "patch"]
   - apiGroups: ["admissionregistration.k8s.io"]
     resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
-    verbs: ["get", "list", "watch", "update"]
+    verbs: ["get", "list", "watch", "update", "patch"]
   - apiGroups: ["apiregistration.k8s.io"]
     resources: ["apiservices"]
-    verbs: ["get", "list", "watch", "update"]
+    verbs: ["get", "list", "watch", "update", "patch"]
   - apiGroups: ["apiextensions.k8s.io"]
     resources: ["customresourcedefinitions"]
-    verbs: ["get", "list", "watch", "update"]
-  - apiGroups: ["auditregistration.k8s.io"]
-    resources: ["auditsinks"]
-    verbs: ["get", "list", "watch", "update"]
+    verbs: ["get", "list", "watch", "update", "patch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -49,7 +46,7 @@ roleRef:
   name: {{ template "cainjector.fullname" . }}
 subjects:
   - name: {{ template "cainjector.serviceAccountName" . }}
-    namespace: {{ .Release.Namespace | quote }}
+    namespace: {{ include "cert-manager.namespace" . }}
     kind: ServiceAccount
 
 ---
@@ -71,14 +68,6 @@ rules:
   #   see cmd/cainjector/start.go#L113
   # cert-manager-cainjector-leader-election-core is used by the SecretBased injector controller
   #   see cmd/cainjector/start.go#L137
-  # See also: https://github.com/kubernetes-sigs/controller-runtime/pull/1144#discussion_r480173688
-  - apiGroups: [""]
-    resources: ["configmaps"]
-    resourceNames: ["cert-manager-cainjector-leader-election", "cert-manager-cainjector-leader-election-core"]
-    verbs: ["get", "update", "patch"]
-  - apiGroups: [""]
-    resources: ["configmaps"]
-    verbs: ["create"]
   - apiGroups: ["coordination.k8s.io"]
     resources: ["leases"]
     resourceNames: ["cert-manager-cainjector-leader-election", "cert-manager-cainjector-leader-election-core"]
@@ -109,6 +98,6 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: {{ template "cainjector.serviceAccountName" . }}
-    namespace: {{ .Release.Namespace }}
-{{- end -}}
-{{- end -}}
+    namespace: {{ include "cert-manager.namespace" . }}
+{{- end }}
+{{- end }}
diff --git a/incubator/cert-manager/templates/cainjector-serviceaccount.yaml b/incubator/cert-manager/templates/cainjector-serviceaccount.yaml
@@ -1,23 +1,27 @@
-{{- if .Values.cainjector.enabled -}}
-{{- if .Values.cainjector.serviceAccount.create -}}
+{{- if .Values.cainjector.enabled }}
+{{- if .Values.cainjector.serviceAccount.create }}
 apiVersion: v1
 kind: ServiceAccount
 automountServiceAccountToken: {{ .Values.cainjector.serviceAccount.automountServiceAccountToken }}
 metadata:
   name: {{ template "cainjector.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace | quote }}
-  {{- if .Values.cainjector.serviceAccount.annotations }}
+  namespace: {{ include "cert-manager.namespace" . }}
+  {{- with .Values.cainjector.serviceAccount.annotations }}
   annotations:
-{{ toYaml .Values.cainjector.serviceAccount.annotations | indent 4 }}
+    {{- toYaml . | nindent 4 }}
   {{- end }}
   labels:
     app: {{ include "cainjector.name" . }}
     app.kubernetes.io/name: {{ include "cainjector.name" . }}
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/component: "cainjector"
     {{- include "labels" . | nindent 4 }}
-{{- if .Values.global.imagePullSecrets }}
-imagePullSecrets: {{ toYaml .Values.global.imagePullSecrets | nindent 2 }}
+    {{- with .Values.cainjector.serviceAccount.labels }}
+      {{ toYaml . | nindent 4 }}
+    {{- end }}
+{{- with .Values.global.imagePullSecrets }}
+imagePullSecrets:
+  {{- toYaml . | nindent 2 }}
+{{- end }}
+{{- end }}
 {{- end }}
-{{- end -}}
-{{- end -}}
diff --git a/incubator/cert-manager/templates/controller-config.yaml b/incubator/cert-manager/templates/controller-config.yaml
@@ -0,0 +1,25 @@
+{{- if .Values.config -}}
+  {{- if not .Values.config.apiVersion -}}
+    {{- fail "config.apiVersion must be set" -}}
+  {{- end -}}
+
+  {{- if not .Values.config.kind -}}
+    {{- fail "config.kind must be set" -}}
+  {{- end -}}
+{{- end -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "cert-manager.fullname" . }}
+  namespace: {{ include "cert-manager.namespace" . }}
+  labels:
+    app: {{ include "cert-manager.name" . }}
+    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component: "controller"
+    {{- include "labels" . | nindent 4 }}
+data:
+  {{- if .Values.config }}
+  config.yaml: |
+    {{ .Values.config | toYaml | nindent 4 }}
+  {{- end }}