diff --git a/deploy/charts/cert-manager/README.template.md b/deploy/charts/cert-manager/README.template.md index 94df384b9..289fdd211 100644 --- a/deploy/charts/cert-manager/README.template.md +++ b/deploy/charts/cert-manager/README.template.md @@ -170,7 +170,22 @@ The duration the clients should wait between attempting acquisition and renewal > false > ``` -Install the cert-manager CRDs, it is recommended to not use Helm to manage the CRDs. +This option is equivalent to setting crds.enabled=true and crds.keep=true. Deprecated: use crds.enabled and crds.keep instead. +#### **crds.enabled** ~ `bool` +> Default value: +> ```yaml +> false +> ``` + +This option decides if the CRDs should be installed as part of the Helm installation. +#### **crds.keep** ~ `bool` +> Default value: +> ```yaml +> true +> ``` + +This option makes it so that the "helm.sh/resource-policy": keep annotation is added to the CRD. This will prevent Helm from uninstalling the CRD when the Helm release is uninstalled. WARNING: when the CRDs are removed, all cert-manager custom resources +(Certificates, Issuers, ...) will be removed too by the garbage collector. ### Controller #### **replicaCount** ~ `number` diff --git a/deploy/charts/cert-manager/templates/NOTES.txt b/deploy/charts/cert-manager/templates/NOTES.txt index 102535460..341d10123 100644 --- a/deploy/charts/cert-manager/templates/NOTES.txt +++ b/deploy/charts/cert-manager/templates/NOTES.txt @@ -1,3 +1,6 @@ +{{- if .Values.installCRDs }} +⚠️ WARNING: `installCRDs` is deprecated, use `crds.enabled` instead. +{{- end }} cert-manager {{ .Chart.AppVersion }} has been deployed successfully! In order to begin issuing certificates, you will need to set up a ClusterIssuer diff --git a/deploy/charts/cert-manager/templates/_helpers.tpl b/deploy/charts/cert-manager/templates/_helpers.tpl index 067fe6a05..9902c089f 100644 --- a/deploy/charts/cert-manager/templates/_helpers.tpl +++ b/deploy/charts/cert-manager/templates/_helpers.tpl 
@@ -186,3 +186,17 @@ See https://github.com/cert-manager/cert-manager/issues/6329 for a list of linke {{- if .digest -}}{{ printf "@%s" .digest }}{{- else -}}{{ printf ":%s" (default $defaultTag .tag) }}{{- end -}} {{- end }} {{- end }} + +{{/* +Check that the user has not set both .installCRDs and .crds.enabled or +set .installCRDs and disabled .crds.keep. +.installCRDs is deprecated and users should use .crds.enabled and .crds.keep instead. +*/}} +{{- define "cert-manager.crd-check" -}} + {{- if and (.Values.installCRDs) (.Values.crds.enabled) }} + {{- fail "ERROR: the deprecated .installCRDs option cannot be enabled at the same time as its replacement .crds.enabled" }} + {{- end }} + {{- if and (.Values.installCRDs) (not .Values.crds.keep) }} + {{- fail "ERROR: .crds.keep is not compatible with .installCRDs, please use .crds.enabled and .crds.keep instead" }} + {{- end }} +{{- end -}} diff --git a/deploy/charts/cert-manager/values.yaml b/deploy/charts/cert-manager/values.yaml index cf04369e9..91397f1af 100644 --- a/deploy/charts/cert-manager/values.yaml +++ b/deploy/charts/cert-manager/values.yaml @@ -67,10 +67,22 @@ global: # +docs:property # retryPeriod: 15s -# Install the cert-manager CRDs, it is recommended to not use Helm to manage -# the CRDs. +# This option is equivalent to setting crds.enabled=true and crds.keep=true. +# Deprecated: use crds.enabled and crds.keep instead. installCRDs: false +crds: + # This option decides if the CRDs should be installed + # as part of the Helm installation. + enabled: false + + # This option makes it so that the "helm.sh/resource-policy": keep + # annotation is added to the CRD. This will prevent Helm from uninstalling + # the CRD when the Helm release is uninstalled. + # WARNING: when the CRDs are removed, all cert-manager custom resources + # (Certificates, Issuers, ...) will be removed too by the garbage collector. + keep: true + # +docs:section=Controller # The number of replicas of the cert-manager controller to run. 
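Review bot: The second `fail` message in `cert-manager.crd-check` reads as if `.crds.keep` itself were the problem, but the condition fires only when `.installCRDs` is set and `.crds.keep` is false. Someone who hits it is told that `.crds.keep` is incompatible and, in the same sentence, to use `.crds.keep`, which does not say what to change. Naming the offending value would fix that, for example `{{- fail "ERROR: .crds.keep=false cannot be combined with the deprecated .installCRDs; set .crds.enabled=true and .crds.keep=false instead" }}`. The wording matters because this guard is what stops an install using the deprecated flag from dropping the keep annotation, and the values.yaml comment in this commit states that removing the CRDs garbage-collects every Certificate and Issuer.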
diff --git a/deploy/crds/crd-certificaterequests.yaml b/deploy/crds/crd-certificaterequests.yaml index 3bec40300..2a23b4f8a 100644 --- a/deploy/crds/crd-certificaterequests.yaml +++ b/deploy/crds/crd-certificaterequests.yaml @@ -1,7 +1,13 @@ +# {{- include "cert-manager.crd-check" . }} +# START crd {{- if or .Values.crds.enabled .Values.installCRDs }} apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: certificaterequests.cert-manager.io + # START annotations {{- if .Values.crds.keep }} + annotations: + helm.sh/resource-policy: keep + # END annotations {{- end }} labels: app: '{{ template "cert-manager.name" . }}' app.kubernetes.io/name: '{{ template "cert-manager.name" . }}' @@ -193,3 +199,5 @@ spec: format: date-time served: true storage: true + +# END crd {{- end }} diff --git a/deploy/crds/crd-certificates.yaml b/deploy/crds/crd-certificates.yaml index e6e9938f2..fca9bec27 100644 --- a/deploy/crds/crd-certificates.yaml +++ b/deploy/crds/crd-certificates.yaml @@ -1,7 +1,12 @@ +# START crd {{- if or .Values.crds.enabled .Values.installCRDs }} apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: certificates.cert-manager.io + # START annotations {{- if .Values.crds.keep }} + annotations: + helm.sh/resource-policy: keep + # END annotations {{- end }} labels: app: '{{ template "cert-manager.name" . }}' app.kubernetes.io/name: '{{ template "cert-manager.name" . }}' @@ -440,3 +445,5 @@ spec: type: integer served: true storage: true + +# END crd {{- end }} diff --git a/deploy/crds/crd-challenges.yaml b/deploy/crds/crd-challenges.yaml index 3d18907d7..e4c63d6d7 100644 --- a/deploy/crds/crd-challenges.yaml +++ b/deploy/crds/crd-challenges.yaml 
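Review bot: The only call to `cert-manager.crd-check` is the first line of crd-certificaterequests.yaml, so the chart-wide values validation runs only while this one file stays in the set concatenated into templates/crds.yaml (the make/manifests.mk hunk in this commit builds that file from `$(CRDS_SOURCES)`). If this CRD source is renamed, split or dropped, the check disappears without any error. A dedicated template that holds nothing but the include would remove that coupling. Failing that, a comment on the line would record it, such as `# Chart-wide values validation: must stay in exactly one CRD source file.` The leading `# ` presumably keeps the source parseable as plain YAML, which the same comment could state.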
@@ -1,7 +1,12 @@ +# START crd {{- if or .Values.crds.enabled .Values.installCRDs }} apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: challenges.acme.cert-manager.io + # START annotations {{- if .Values.crds.keep }} + annotations: + helm.sh/resource-policy: keep + # END annotations {{- end }} labels: app: '{{ template "cert-manager.name" . }}' app.kubernetes.io/name: '{{ template "cert-manager.name" . }}' @@ -1121,3 +1126,5 @@ spec: storage: true subresources: status: {} + +# END crd {{- end }} diff --git a/deploy/crds/crd-clusterissuers.yaml b/deploy/crds/crd-clusterissuers.yaml index 55af2abb5..70d026c5e 100644 --- a/deploy/crds/crd-clusterissuers.yaml +++ b/deploy/crds/crd-clusterissuers.yaml @@ -1,11 +1,16 @@ +# START crd {{- if or .Values.crds.enabled .Values.installCRDs }} apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: clusterissuers.cert-manager.io + # START annotations {{- if .Values.crds.keep }} + annotations: + helm.sh/resource-policy: keep + # END annotations {{- end }} labels: app: '{{ template "cert-manager.name" . }}' app.kubernetes.io/name: '{{ template "cert-manager.name" . }}' - app.kubernetes.io/instance: "{{ .Release.Name }}" + app.kubernetes.io/instance: '{{ .Release.Name }}' # Generated labels {{- include "labels" . | nindent 4 }} spec: group: cert-manager.io @@ -1397,3 +1402,5 @@ spec: x-kubernetes-list-type: map served: true storage: true + +# END crd {{- end }} diff --git a/deploy/crds/crd-issuers.yaml b/deploy/crds/crd-issuers.yaml index f303ee732..5482b03d1 100644 --- a/deploy/crds/crd-issuers.yaml +++ b/deploy/crds/crd-issuers.yaml 
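Review bot: The label block in crd-clusterissuers.yaml still has no `app.kubernetes.io/component: "crds"` entry, although the crd-issuers.yaml and crd-orders.yaml hunks in this commit add one right after the `app.kubernetes.io/instance` line. Anything that selects the chart's CRDs by that label would miss ClusterIssuer. Adding `app.kubernetes.io/component: "crds"` after the instance label here would bring the files in line. The label blocks of crd-certificaterequests.yaml, crd-certificates.yaml and crd-challenges.yaml run past their hunk context, so whether they already carry the label cannot be seen from this diff and is worth checking.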
@@ -1,11 +1,17 @@ +# START crd {{- if or .Values.crds.enabled .Values.installCRDs }} apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: issuers.cert-manager.io + # START annotations {{- if .Values.crds.keep }} + annotations: + helm.sh/resource-policy: keep + # END annotations {{- end }} labels: app: '{{ template "cert-manager.name" . }}' app.kubernetes.io/name: '{{ template "cert-manager.name" . }}' - app.kubernetes.io/instance: "{{ .Release.Name }}" + app.kubernetes.io/instance: '{{ .Release.Name }}' + app.kubernetes.io/component: "crds" # Generated labels {{- include "labels" . | nindent 4 }} spec: group: cert-manager.io @@ -1397,3 +1403,5 @@ spec: x-kubernetes-list-type: map served: true storage: true + +# END crd {{- end }} diff --git a/deploy/crds/crd-orders.yaml b/deploy/crds/crd-orders.yaml index 960699094..85018b6b9 100644 --- a/deploy/crds/crd-orders.yaml +++ b/deploy/crds/crd-orders.yaml @@ -1,11 +1,17 @@ +# START crd {{- if or .Values.crds.enabled .Values.installCRDs }} apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: orders.acme.cert-manager.io + # START annotations {{- if .Values.crds.keep }} + annotations: + helm.sh/resource-policy: keep + # END annotations {{- end }} labels: app: '{{ template "cert-manager.name" . }}' app.kubernetes.io/name: '{{ template "cert-manager.name" . }}' app.kubernetes.io/instance: '{{ .Release.Name }}' + app.kubernetes.io/component: "crds" # Generated labels {{- include "labels" . | nindent 4 }} spec: group: acme.cert-manager.io @@ -177,3 +183,5 @@ spec: type: string served: true storage: true + +# END crd {{- end }} diff --git a/hack/concat-yaml.sh b/hack/concat-yaml.sh index 9f7dff965..b4c33c981 100755 --- a/hack/concat-yaml.sh +++ b/hack/concat-yaml.sh @@ -38,6 +38,7 @@ while (($#)); do # if there's at least one more file left, output the YAML file separator if [[ $# -gt 0 ]]; then + echo "" echo "---" fi done 
diff --git a/hack/verify-upgrade.sh b/hack/verify-upgrade.sh index be7b6ac27..6aedc2736 100755 --- a/hack/verify-upgrade.sh +++ b/hack/verify-upgrade.sh @@ -72,6 +72,7 @@ $helm repo update echo "+++ Installing cert-manager ${LATEST_RELEASE} Helm chart into the cluster..." # Upgrade or install latest published cert-manager Helm release +# We use the deprecated installCRDs=true value, to make the install work for older versions of cert-manager $helm upgrade \ --install \ --wait \ diff --git a/make/e2e-setup.mk b/make/e2e-setup.mk index 8bf021bf8..3ed8ce1ad 100644 --- a/make/e2e-setup.mk +++ b/make/e2e-setup.mk @@ -294,7 +294,7 @@ e2e-setup-certmanager: $(bin_dir)/cert-manager.tgz $(foreach binaryname,controll --set webhook.image.tag="$(TAG)" \ --set acmesolver.image.tag="$(TAG)" \ --set startupapicheck.image.tag="$(TAG)" \ - --set installCRDs=true \ + --set crds.enabled=true \ --set featureGates="$(feature_gates_controller)" \ --set "extraArgs={--kube-api-qps=9000,--kube-api-burst=9000,--concurrent-workers=200}" \ --set webhook.featureGates="$(feature_gates_webhook)" \ diff --git a/make/ko.mk b/make/ko.mk index a2e685634..93f62942c 100644 --- a/make/ko.mk +++ b/make/ko.mk @@ -87,5 +87,5 @@ ko-deploy-certmanager: $(bin_dir)/cert-manager.tgz $(KO_IMAGE_REFS) --set webhook.image.digest="$(shell $(YQ) .digest $(bin_dir)/scratch/ko/webhook.yaml)" \ --set startupapicheck.image.repository="$(shell $(YQ) .repository $(bin_dir)/scratch/ko/startupapicheck.yaml)" \ --set startupapicheck.image.digest="$(shell $(YQ) .digest $(bin_dir)/scratch/ko/startupapicheck.yaml)" \ - --set installCRDs=true \ + --set crds.enabled=true \ --set "extraArgs={--acme-http01-solver-image=$(ACME_HTTP01_SOLVER_IMAGE)}" diff --git a/make/manifests.mk b/make/manifests.mk index 82766fc21..580569beb 100644 --- a/make/manifests.mk +++ b/make/manifests.mk 
@@ -105,9 +105,7 @@ $(bin_dir)/helm/cert-manager/templates/NOTES.txt: deploy/charts/cert-manager/tem cp $< $@ $(bin_dir)/helm/cert-manager/templates/crds.yaml: $(CRDS_SOURCES) | $(bin_dir)/helm/cert-manager/templates - echo '{{- if .Values.installCRDs }}' > $@ - ./hack/concat-yaml.sh $^ >> $@ - echo '{{- end }}' >> $@ + ./hack/concat-yaml.sh $^ > $@ $(bin_dir)/helm/cert-manager/values.yaml: deploy/charts/cert-manager/values.yaml | $(bin_dir)/helm/cert-manager cp $< $@ @@ -140,7 +138,7 @@ $(bin_dir)/scratch/yaml/cert-manager.noncrd.unlicensed.yaml: $(bin_dir)/cert-man $(bin_dir)/scratch/yaml/cert-manager.all.unlicensed.yaml: $(bin_dir)/cert-manager-$(RELEASE_VERSION).tgz | $(NEEDS_HELM) $(bin_dir)/scratch/yaml @# The sed command removes the first line but only if it matches "---", which helm adds - $(HELM) template --api-versions="" --namespace=cert-manager --set="installCRDs=true" --set="creator=static" --set="startupapicheck.enabled=false" cert-manager $< | \ + $(HELM) template --api-versions="" --namespace=cert-manager --set="crds.enabled=true" --set="creator=static" --set="startupapicheck.enabled=false" cert-manager $< | \ sed -e "1{/^---$$/d;}" > $@ $(bin_dir)/scratch/yaml/cert-manager.crds.unlicensed.yaml: $(bin_dir)/scratch/yaml/cert-manager.all.unlicensed.yaml | $(NEEDS_GO) $(bin_dir)/scratch/yaml
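Review bot: With the `echo '{{- if .Values.installCRDs }}'` and `echo '{{- end }}'` wrapper removed from the crds.yaml recipe, nothing in the build guarantees that a CRD is gated any more. Each file in `$(CRDS_SOURCES)` now has to carry its own `# START crd {{- if or .Values.crds.enabled .Values.installCRDs }}` and `# END crd {{- end }}` lines. A CRD source added later without them would be installed regardless of the values, and an unbalanced pair would make the template fail to parse. A comment above the rule would record the contract, for example `# Every file in CRDS_SOURCES must wrap itself in the crds.enabled/installCRDs conditional; this recipe only concatenates.` A verify step that greps each source for both markers would make it enforceable, though that belongs in a separate target.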
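Review bot: The static-manifest render in the second hunk sets only `crds.enabled=true`, so `crds.keep` stays at its default of `true`. Going by the CRD templates in this commit, every CRD in the generated YAML will therefore carry `helm.sh/resource-policy: keep`. That annotation is read only by Helm and does nothing for a manifest applied outside it, so it looks unintended here. If it is not wanted, add `--set="crds.keep=false"` to this command; if it is deliberate, a `@#` comment next to the existing one would say so.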