Merge pull request #6760 from inteon/add_crd_keep

Add `crds.keep` and `crds.enabled` Helm options
2024-02-20 12:09:35 +00:00 · 2024-02-20 12:09:35 +00:00 · 0b379e4b5c
commit 0b379e4b5c
parent 8c772fa89d 15d6949952
15 changed files with 100 additions and 11 deletions
--- a/deploy/charts/cert-manager/README.template.md
+++ b/deploy/charts/cert-manager/README.template.md
@ -170,7 +170,22 @@ The duration the clients should wait between attempting acquisition and renewal
 > false
 > ```

-Install the cert-manager CRDs, it is recommended to not use Helm to manage the CRDs.
+This option is equivalent to setting crds.enabled=true and crds.keep=true. Deprecated: use crds.enabled and crds.keep instead.
+#### **crds.enabled** ~ `bool`
+> Default value:
+> ```yaml
+> false
+> ```
+
+This option decides if the CRDs should be installed as part of the Helm installation.
+#### **crds.keep** ~ `bool`
+> Default value:
+> ```yaml
+> true
+> ```
+
+This option makes it so that the "helm.sh/resource-policy": keep annotation is added to the CRD. This will prevent Helm from uninstalling the CRD when the Helm release is uninstalled. WARNING: when the CRDs are removed, all cert-manager custom resources  
+(Certificates, Issuers, ...) will be removed too by the garbage collector.
 ### Controller

 #### **replicaCount** ~ `number`
--- a/deploy/charts/cert-manager/templates/NOTES.txt
+++ b/deploy/charts/cert-manager/templates/NOTES.txt
@ -1,3 +1,6 @@
+{{- if .Values.installCRDs }}
+⚠️  WARNING: `installCRDs` is deprecated, use `crds.enabled` instead.
+{{- end }}
 cert-manager {{ .Chart.AppVersion }} has been deployed successfully!

 In order to begin issuing certificates, you will need to set up a ClusterIssuer
--- a/deploy/charts/cert-manager/templates/_helpers.tpl
+++ b/deploy/charts/cert-manager/templates/_helpers.tpl
@ -186,3 +186,17 @@ See https://github.com/cert-manager/cert-manager/issues/6329 for a list of linke
 {{- if .digest -}}{{ printf "@%s" .digest }}{{- else -}}{{ printf ":%s" (default $defaultTag .tag) }}{{- end -}}
 {{- end }}
 {{- end }}
+
+{{/*
+Check that the user has not set both .installCRDs and .crds.enabled or
+set .installCRDs and disabled .crds.keep.
+.installCRDs is deprecated and users should use .crds.enabled and .crds.keep instead.
+*/}}
+{{- define "cert-manager.crd-check" -}}
+  {{- if and (.Values.installCRDs) (.Values.crds.enabled) }}
+    {{- fail "ERROR: the deprecated .installCRDs option cannot be enabled at the same time as its replacement .crds.enabled" }}
+  {{- end }}
+  {{- if and (.Values.installCRDs) (not .Values.crds.keep) }}
+    {{- fail "ERROR: .crds.keep is not compatible with .installCRDs, please use .crds.enabled and .crds.keep instead" }}
+  {{- end }}
+{{- end -}}
--- a/deploy/charts/cert-manager/values.yaml
+++ b/deploy/charts/cert-manager/values.yaml
@ -67,10 +67,22 @@ global:
    # +docs:property
    # retryPeriod: 15s

-# Install the cert-manager CRDs, it is recommended to not use Helm to manage
-# the CRDs.
+# This option is equivalent to setting crds.enabled=true and crds.keep=true.
+# Deprecated: use crds.enabled and crds.keep instead.
 installCRDs: false

+crds:
+  # This option decides if the CRDs should be installed
+  # as part of the Helm installation.
+  enabled: false
+
+  # This option makes it so that the "helm.sh/resource-policy": keep
+  # annotation is added to the CRD. This will prevent Helm from uninstalling
+  # the CRD when the Helm release is uninstalled.
+  # WARNING: when the CRDs are removed, all cert-manager custom resources
+  # (Certificates, Issuers, ...) will be removed too by the garbage collector.
+  keep: true
+
 # +docs:section=Controller

 # The number of replicas of the cert-manager controller to run.
--- a/deploy/crds/crd-certificaterequests.yaml
+++ b/deploy/crds/crd-certificaterequests.yaml
@ -1,7 +1,13 @@
+# {{- include "cert-manager.crd-check" . }}
+# START crd {{- if or .Values.crds.enabled .Values.installCRDs }}
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  name: certificaterequests.cert-manager.io
+  # START annotations {{- if .Values.crds.keep }}
+  annotations:
+    helm.sh/resource-policy: keep
+  # END annotations {{- end }}
  labels:
    app: '{{ template "cert-manager.name" . }}'
    app.kubernetes.io/name: '{{ template "cert-manager.name" . }}'
@ -193,3 +199,5 @@ spec:
                  format: date-time
      served: true
      storage: true
+
+# END crd {{- end }}
--- a/deploy/crds/crd-certificates.yaml
+++ b/deploy/crds/crd-certificates.yaml
@ -1,7 +1,12 @@
+# START crd {{- if or .Values.crds.enabled .Values.installCRDs }}
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  name: certificates.cert-manager.io
+  # START annotations {{- if .Values.crds.keep }}
+  annotations:
+    helm.sh/resource-policy: keep
+  # END annotations {{- end }}
  labels:
    app: '{{ template "cert-manager.name" . }}'
    app.kubernetes.io/name: '{{ template "cert-manager.name" . }}'
@ -440,3 +445,5 @@ spec:
                  type: integer
      served: true
      storage: true
+
+# END crd {{- end }}
--- a/deploy/crds/crd-challenges.yaml
+++ b/deploy/crds/crd-challenges.yaml
@ -1,7 +1,12 @@
+# START crd {{- if or .Values.crds.enabled .Values.installCRDs }}
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  name: challenges.acme.cert-manager.io
+  # START annotations {{- if .Values.crds.keep }}
+  annotations:
+    helm.sh/resource-policy: keep
+  # END annotations {{- end }}
  labels:
    app: '{{ template "cert-manager.name" . }}'
    app.kubernetes.io/name: '{{ template "cert-manager.name" . }}'
@ -1121,3 +1126,5 @@ spec:
      storage: true
      subresources:
        status: {}
+
+# END crd {{- end }}
--- a/deploy/crds/crd-clusterissuers.yaml
+++ b/deploy/crds/crd-clusterissuers.yaml
@ -1,11 +1,16 @@
+# START crd {{- if or .Values.crds.enabled .Values.installCRDs }}
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  name: clusterissuers.cert-manager.io
+  # START annotations {{- if .Values.crds.keep }}
+  annotations:
+    helm.sh/resource-policy: keep
+  # END annotations {{- end }}
  labels:
    app: '{{ template "cert-manager.name" . }}'
    app.kubernetes.io/name: '{{ template "cert-manager.name" . }}'
-    app.kubernetes.io/instance: "{{ .Release.Name }}"
+    app.kubernetes.io/instance: '{{ .Release.Name }}'
    # Generated labels {{- include "labels" . | nindent 4 }}
 spec:
  group: cert-manager.io
@ -1397,3 +1402,5 @@ spec:
                  x-kubernetes-list-type: map
      served: true
      storage: true
+
+# END crd {{- end }}
--- a/deploy/crds/crd-issuers.yaml
+++ b/deploy/crds/crd-issuers.yaml
@ -1,11 +1,17 @@
+# START crd {{- if or .Values.crds.enabled .Values.installCRDs }}
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  name: issuers.cert-manager.io
+  # START annotations {{- if .Values.crds.keep }}
+  annotations:
+    helm.sh/resource-policy: keep
+  # END annotations {{- end }}
  labels:
    app: '{{ template "cert-manager.name" . }}'
    app.kubernetes.io/name: '{{ template "cert-manager.name" . }}'
-    app.kubernetes.io/instance: "{{ .Release.Name }}"
+    app.kubernetes.io/instance: '{{ .Release.Name }}'
+    app.kubernetes.io/component: "crds"
    # Generated labels {{- include "labels" . | nindent 4 }}
 spec:
  group: cert-manager.io
@ -1397,3 +1403,5 @@ spec:
                  x-kubernetes-list-type: map
      served: true
      storage: true
+
+# END crd {{- end }}
--- a/deploy/crds/crd-orders.yaml
+++ b/deploy/crds/crd-orders.yaml
@ -1,11 +1,17 @@
+# START crd {{- if or .Values.crds.enabled .Values.installCRDs }}
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  name: orders.acme.cert-manager.io
+  # START annotations {{- if .Values.crds.keep }}
+  annotations:
+    helm.sh/resource-policy: keep
+  # END annotations {{- end }}
  labels:
    app: '{{ template "cert-manager.name" . }}'
    app.kubernetes.io/name: '{{ template "cert-manager.name" . }}'
    app.kubernetes.io/instance: '{{ .Release.Name }}'
+    app.kubernetes.io/component: "crds"
    # Generated labels {{- include "labels" . | nindent 4 }}
 spec:
  group: acme.cert-manager.io
@ -177,3 +183,5 @@ spec:
                  type: string
      served: true
      storage: true
+
+# END crd {{- end }}
--- a/hack/concat-yaml.sh
+++ b/hack/concat-yaml.sh
@ -38,6 +38,7 @@ while (($#)); do

 	# if there's at least one more file left, output the YAML file separator
 	if [[ $# -gt 0 ]]; then
+		echo ""
 		echo "---"
 	fi
 done
--- a/hack/verify-upgrade.sh
+++ b/hack/verify-upgrade.sh
@ -72,6 +72,7 @@ $helm repo update
 echo "+++ Installing cert-manager ${LATEST_RELEASE} Helm chart into the cluster..."

 # Upgrade or install latest published cert-manager Helm release
+# We use the deprecated installCRDs=true value, to make the install work for older versions of cert-manager
 $helm upgrade \
    --install \
    --wait \
--- a/make/e2e-setup.mk
+++ b/make/e2e-setup.mk
@ -294,7 +294,7 @@ e2e-setup-certmanager: $(bin_dir)/cert-manager.tgz $(foreach binaryname,controll
 		--set webhook.image.tag="$(TAG)" \
 		--set acmesolver.image.tag="$(TAG)" \
 		--set startupapicheck.image.tag="$(TAG)" \
-		--set installCRDs=true \
+		--set crds.enabled=true \
 		--set featureGates="$(feature_gates_controller)" \
 		--set "extraArgs={--kube-api-qps=9000,--kube-api-burst=9000,--concurrent-workers=200}" \
 		--set webhook.featureGates="$(feature_gates_webhook)" \
--- a/make/ko.mk
+++ b/make/ko.mk
@ -87,5 +87,5 @@ ko-deploy-certmanager: $(bin_dir)/cert-manager.tgz $(KO_IMAGE_REFS)
 		--set webhook.image.digest="$(shell $(YQ) .digest $(bin_dir)/scratch/ko/webhook.yaml)" \
 		--set startupapicheck.image.repository="$(shell $(YQ) .repository $(bin_dir)/scratch/ko/startupapicheck.yaml)" \
 		--set startupapicheck.image.digest="$(shell $(YQ) .digest $(bin_dir)/scratch/ko/startupapicheck.yaml)" \
-		--set installCRDs=true \
+		--set crds.enabled=true \
 		--set "extraArgs={--acme-http01-solver-image=$(ACME_HTTP01_SOLVER_IMAGE)}"
--- a/make/manifests.mk
+++ b/make/manifests.mk
@ -105,9 +105,7 @@ $(bin_dir)/helm/cert-manager/templates/NOTES.txt: deploy/charts/cert-manager/tem
 	cp $< $@

 $(bin_dir)/helm/cert-manager/templates/crds.yaml: $(CRDS_SOURCES) | $(bin_dir)/helm/cert-manager/templates
-	echo '{{- if .Values.installCRDs }}' > $@
-	./hack/concat-yaml.sh $^ >> $@
-	echo '{{- end }}' >> $@
+	./hack/concat-yaml.sh $^ > $@

 $(bin_dir)/helm/cert-manager/values.yaml: deploy/charts/cert-manager/values.yaml | $(bin_dir)/helm/cert-manager
 	cp $< $@
@ -140,7 +138,7 @@ $(bin_dir)/scratch/yaml/cert-manager.noncrd.unlicensed.yaml: $(bin_dir)/cert-man

 $(bin_dir)/scratch/yaml/cert-manager.all.unlicensed.yaml: $(bin_dir)/cert-manager-$(RELEASE_VERSION).tgz | $(NEEDS_HELM) $(bin_dir)/scratch/yaml
 	@# The sed command removes the first line but only if it matches "---", which helm adds
-	$(HELM) template --api-versions="" --namespace=cert-manager --set="installCRDs=true" --set="creator=static" --set="startupapicheck.enabled=false" cert-manager $< | \
+	$(HELM) template --api-versions="" --namespace=cert-manager --set="crds.enabled=true" --set="creator=static" --set="startupapicheck.enabled=false" cert-manager $< | \
 		sed -e "1{/^---$$/d;}" > $@

 $(bin_dir)/scratch/yaml/cert-manager.crds.unlicensed.yaml: $(bin_dir)/scratch/yaml/cert-manager.all.unlicensed.yaml | $(NEEDS_GO) $(bin_dir)/scratch/yaml