From a6f665353fa2629ee3dfee85a761d899c211ea13 Mon Sep 17 00:00:00 2001 From: Jason Witkowski Date: Mon, 20 Feb 2023 10:08:20 -0500 Subject: [PATCH 1/7] feat: Add option to keep CRDs when helm chart is uninstalled Signed-off-by: Jason Witkowski --- deploy/charts/cert-manager/README.template.md | 12 +++++++++++- deploy/charts/cert-manager/templates/_preflight.tpl | 9 +++++++++ deploy/charts/cert-manager/values.yaml | 8 ++++++-- deploy/crds/crd-certificaterequests.yaml | 3 +++ deploy/crds/crd-certificates.yaml | 3 +++ deploy/crds/crd-challenges.yaml | 3 +++ deploy/crds/crd-clusterissuers.yaml | 4 ++++ deploy/crds/crd-issuers.yaml | 3 +++ deploy/crds/crd-orders.yaml | 3 +++ 9 files changed, 45 insertions(+), 3 deletions(-) create mode 100644 deploy/charts/cert-manager/templates/_preflight.tpl diff --git a/deploy/charts/cert-manager/README.template.md b/deploy/charts/cert-manager/README.template.md index d39d3101d..37657b077 100644 --- a/deploy/charts/cert-manager/README.template.md +++ b/deploy/charts/cert-manager/README.template.md @@ -170,7 +170,17 @@ The duration the clients should wait between attempting acquisition and renewal > false > ``` -Install the cert-manager CRDs, it is recommended to not use Helm to manage the CRDs. +This method of CRDs installation will be deprecated in future releases. It is mutually exclusive with crds.install and crds.keep=true +#### **crds.install** ~ `bool` +> Default value: +> ```yaml +> false +> ``` +#### **crds.keep** ~ `bool` +> Default value: +> ```yaml +> false +> ``` ### Controller #### **replicaCount** ~ `number` diff --git a/deploy/charts/cert-manager/templates/_preflight.tpl b/deploy/charts/cert-manager/templates/_preflight.tpl new file mode 100644 index 000000000..f1418d096 --- /dev/null +++ b/deploy/charts/cert-manager/templates/_preflight.tpl 
@@ -0,0 +1,9 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "cert-manager.preflight" -}} + {{- if and (.Values.installCRDs) (or (.Values.crds.install) (.Values.crds.keep)) }} + {{- fail "ERROR: Cannot set both .Values.installCRDs and .Values.crds.install" }} + {{- end }} +{{- end -}} diff --git a/deploy/charts/cert-manager/values.yaml b/deploy/charts/cert-manager/values.yaml index cf04369e9..86371ec53 100644 --- a/deploy/charts/cert-manager/values.yaml +++ b/deploy/charts/cert-manager/values.yaml @@ -67,10 +67,14 @@ global: # +docs:property # retryPeriod: 15s -# Install the cert-manager CRDs, it is recommended to not use Helm to manage -# the CRDs. +# This method of CRDs installation will be deprecated in future releases +# It is mutually exclusive with crds.install and crds.keep=true installCRDs: false +crds: + install: false + keep: false + # +docs:section=Controller # The number of replicas of the cert-manager controller to run. diff --git a/deploy/crds/crd-certificaterequests.yaml b/deploy/crds/crd-certificaterequests.yaml index 3bec40300..44c7640c7 100644 --- a/deploy/crds/crd-certificaterequests.yaml +++ b/deploy/crds/crd-certificaterequests.yaml @@ -3,6 +3,9 @@ kind: CustomResourceDefinition metadata: name: certificaterequests.cert-manager.io labels: + {{- if .Values.crds.keep }} + "helm.sh/resource-policy": keep + {{- end }} app: '{{ template "cert-manager.name" . }}' app.kubernetes.io/name: '{{ template "cert-manager.name" . }}' app.kubernetes.io/instance: '{{ .Release.Name }}' diff --git a/deploy/crds/crd-certificates.yaml b/deploy/crds/crd-certificates.yaml index e6e9938f2..a79bd2db4 100644 --- a/deploy/crds/crd-certificates.yaml +++ b/deploy/crds/crd-certificates.yaml 
@@ -3,6 +3,9 @@ kind: CustomResourceDefinition metadata: name: certificates.cert-manager.io labels: + {{- if .Values.crds.keep }} + "helm.sh/resource-policy": keep + {{- end }} app: '{{ template "cert-manager.name" . }}' app.kubernetes.io/name: '{{ template "cert-manager.name" . }}' app.kubernetes.io/instance: '{{ .Release.Name }}' diff --git a/deploy/crds/crd-challenges.yaml b/deploy/crds/crd-challenges.yaml index 3d18907d7..4b2c5bf6b 100644 --- a/deploy/crds/crd-challenges.yaml +++ b/deploy/crds/crd-challenges.yaml @@ -3,6 +3,9 @@ kind: CustomResourceDefinition metadata: name: challenges.acme.cert-manager.io labels: + {{- if .Values.crds.keep }} + "helm.sh/resource-policy": keep + {{- end }} app: '{{ template "cert-manager.name" . }}' app.kubernetes.io/name: '{{ template "cert-manager.name" . }}' app.kubernetes.io/instance: '{{ .Release.Name }}' diff --git a/deploy/crds/crd-clusterissuers.yaml b/deploy/crds/crd-clusterissuers.yaml index 8d850f68a..f60fbf792 100644 --- a/deploy/crds/crd-clusterissuers.yaml +++ b/deploy/crds/crd-clusterissuers.yaml @@ -1,8 +1,12 @@ +{{- include "cert-manager.preflight" . }} apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: clusterissuers.cert-manager.io labels: + {{- if .Values.crds.keep }} + "helm.sh/resource-policy": keep + {{- end }} app: '{{ template "cert-manager.name" . }}' app.kubernetes.io/name: '{{ template "cert-manager.name" . }}' app.kubernetes.io/instance: "{{ .Release.Name }}" diff --git a/deploy/crds/crd-issuers.yaml b/deploy/crds/crd-issuers.yaml index 924181324..f0602811e 100644 --- a/deploy/crds/crd-issuers.yaml +++ b/deploy/crds/crd-issuers.yaml @@ -3,6 +3,9 @@ kind: CustomResourceDefinition metadata: name: issuers.cert-manager.io labels: + {{- if .Values.crds.keep }} + "helm.sh/resource-policy": keep + {{- end }} app: '{{ template "cert-manager.name" . }}' app.kubernetes.io/name: '{{ template "cert-manager.name" . }}' app.kubernetes.io/instance: "{{ .Release.Name }}" 
diff --git a/deploy/crds/crd-orders.yaml b/deploy/crds/crd-orders.yaml index 960699094..9b22b1746 100644 --- a/deploy/crds/crd-orders.yaml +++ b/deploy/crds/crd-orders.yaml @@ -3,6 +3,9 @@ kind: CustomResourceDefinition metadata: name: orders.acme.cert-manager.io labels: + {{- if .Values.crds.keep }} + "helm.sh/resource-policy": keep + {{- end }} app: '{{ template "cert-manager.name" . }}' app.kubernetes.io/name: '{{ template "cert-manager.name" . }}' app.kubernetes.io/instance: '{{ .Release.Name }}' From 72b627d12a8c684012abdf30db9e6236c90ed569 Mon Sep 17 00:00:00 2001 From: Jason Witkowski Date: Wed, 1 Mar 2023 09:26:11 -0500 Subject: [PATCH 2/7] Move helm hook from labels to annotations Signed-off-by: Jason Witkowski --- deploy/crds/crd-certificaterequests.yaml | 7 ++++--- deploy/crds/crd-certificates.yaml | 7 ++++--- deploy/crds/crd-challenges.yaml | 7 ++++--- deploy/crds/crd-clusterissuers.yaml | 7 ++++--- deploy/crds/crd-issuers.yaml | 7 ++++--- deploy/crds/crd-orders.yaml | 7 ++++--- 6 files changed, 24 insertions(+), 18 deletions(-) diff --git a/deploy/crds/crd-certificaterequests.yaml b/deploy/crds/crd-certificaterequests.yaml index 44c7640c7..980fb3ac8 100644 --- a/deploy/crds/crd-certificaterequests.yaml +++ b/deploy/crds/crd-certificaterequests.yaml @@ -2,10 +2,11 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: certificaterequests.cert-manager.io - labels: - {{- if .Values.crds.keep }} + {{- if .Values.crds.keep }} + annotations: "helm.sh/resource-policy": keep - {{- end }} + {{- end }} + labels: app: '{{ template "cert-manager.name" . }}' app.kubernetes.io/name: '{{ template "cert-manager.name" . }}' app.kubernetes.io/instance: '{{ .Release.Name }}' diff --git a/deploy/crds/crd-certificates.yaml b/deploy/crds/crd-certificates.yaml index a79bd2db4..0753607df 100644 --- a/deploy/crds/crd-certificates.yaml +++ b/deploy/crds/crd-certificates.yaml 
@@ -2,10 +2,11 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: certificates.cert-manager.io - labels: - {{- if .Values.crds.keep }} + {{- if .Values.crds.keep }} + annotations: "helm.sh/resource-policy": keep - {{- end }} + {{- end }} + labels: app: '{{ template "cert-manager.name" . }}' app.kubernetes.io/name: '{{ template "cert-manager.name" . }}' app.kubernetes.io/instance: '{{ .Release.Name }}' diff --git a/deploy/crds/crd-challenges.yaml b/deploy/crds/crd-challenges.yaml index 4b2c5bf6b..315012b31 100644 --- a/deploy/crds/crd-challenges.yaml +++ b/deploy/crds/crd-challenges.yaml @@ -2,10 +2,11 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: challenges.acme.cert-manager.io - labels: - {{- if .Values.crds.keep }} + {{- if .Values.crds.keep }} + annotations: "helm.sh/resource-policy": keep - {{- end }} + {{- end }} + labels: app: '{{ template "cert-manager.name" . }}' app.kubernetes.io/name: '{{ template "cert-manager.name" . }}' app.kubernetes.io/instance: '{{ .Release.Name }}' diff --git a/deploy/crds/crd-clusterissuers.yaml b/deploy/crds/crd-clusterissuers.yaml index f60fbf792..824e7db80 100644 --- a/deploy/crds/crd-clusterissuers.yaml +++ b/deploy/crds/crd-clusterissuers.yaml @@ -3,10 +3,11 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: clusterissuers.cert-manager.io - labels: - {{- if .Values.crds.keep }} + {{- if .Values.crds.keep }} + annotations: "helm.sh/resource-policy": keep - {{- end }} + {{- end }} + labels: app: '{{ template "cert-manager.name" . }}' app.kubernetes.io/name: '{{ template "cert-manager.name" . }}' app.kubernetes.io/instance: "{{ .Release.Name }}" diff --git a/deploy/crds/crd-issuers.yaml b/deploy/crds/crd-issuers.yaml index f0602811e..34ac9df07 100644 --- a/deploy/crds/crd-issuers.yaml +++ b/deploy/crds/crd-issuers.yaml 
@@ -2,10 +2,11 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: issuers.cert-manager.io - labels: - {{- if .Values.crds.keep }} + {{- if .Values.crds.keep }} + annotations: "helm.sh/resource-policy": keep - {{- end }} + {{- end }} + labels: app: '{{ template "cert-manager.name" . }}' app.kubernetes.io/name: '{{ template "cert-manager.name" . }}' app.kubernetes.io/instance: "{{ .Release.Name }}" diff --git a/deploy/crds/crd-orders.yaml b/deploy/crds/crd-orders.yaml index 9b22b1746..de211b11a 100644 --- a/deploy/crds/crd-orders.yaml +++ b/deploy/crds/crd-orders.yaml @@ -2,10 +2,11 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: orders.acme.cert-manager.io - labels: - {{- if .Values.crds.keep }} + {{- if .Values.crds.keep }} + annotations: "helm.sh/resource-policy": keep - {{- end }} + {{- end }} + labels: app: '{{ template "cert-manager.name" . }}' app.kubernetes.io/name: '{{ template "cert-manager.name" . }}' app.kubernetes.io/instance: '{{ .Release.Name }}' From d34e2c858999ef4251393fa623a2064ea0d22554 Mon Sep 17 00:00:00 2001 From: Tim Ramlot <42113979+inteon@users.noreply.github.com> Date: Thu, 15 Feb 2024 15:28:09 +0100 Subject: [PATCH 3/7] add CRD keep annotation 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com> --- deploy/charts/cert-manager/README.template.md | 11 ++++++++--- deploy/charts/cert-manager/templates/NOTES.txt | 3 +++ .../charts/cert-manager/templates/_helpers.tpl | 14 ++++++++++++++ .../charts/cert-manager/templates/_preflight.tpl | 9 --------- deploy/charts/cert-manager/values.yaml | 16 ++++++++++++---- deploy/crds/crd-certificaterequests.yaml | 10 +++++++--- deploy/crds/crd-certificates.yaml | 9 ++++++--- deploy/crds/crd-challenges.yaml | 9 ++++++--- deploy/crds/crd-clusterissuers.yaml | 12 +++++++----- deploy/crds/crd-issuers.yaml | 12 ++++++++---- deploy/crds/crd-orders.yaml | 10 +++++++--- hack/concat-yaml.sh | 1 + make/manifests.mk | 4 +--- 13 files changed, 80 insertions(+), 40 deletions(-) delete mode 100644 deploy/charts/cert-manager/templates/_preflight.tpl diff --git a/deploy/charts/cert-manager/README.template.md b/deploy/charts/cert-manager/README.template.md index 37657b077..0695f523e 100644 --- a/deploy/charts/cert-manager/README.template.md +++ b/deploy/charts/cert-manager/README.template.md 
@@ -170,17 +170,22 @@ The duration the clients should wait between attempting acquisition and renewal > false > ``` -This method of CRDs installation will be deprecated in future releases. It is mutually exclusive with crds.install and crds.keep=true -#### **crds.install** ~ `bool` +This option is equivalent with setting crds.enabled=true and crds.keep=true. Deprecated: use crds.enabled and crds.keep instead. +#### **crds.enabled** ~ `bool` > Default value: > ```yaml > false > ``` + +This option decides if the CRDs should be installed as part of the Helm installation. #### **crds.keep** ~ `bool` > Default value: > ```yaml -> false +> true > ``` + +This option makes it so that the "helm.sh/resource-policy": keep annotation is added to the CRD. This will prevent Helm from uninstalling the CRD when the Helm release is uninstalled. WARNING: when the CRDs are removed, all cert-manager custom resources +(Certificates, Issuers, ...) will be removed too by the garbage collector. ### Controller #### **replicaCount** ~ `number` diff --git a/deploy/charts/cert-manager/templates/NOTES.txt b/deploy/charts/cert-manager/templates/NOTES.txt index 102535460..341d10123 100644 --- a/deploy/charts/cert-manager/templates/NOTES.txt +++ b/deploy/charts/cert-manager/templates/NOTES.txt @@ -1,3 +1,6 @@ +{{- if .Values.installCRDs }} +⚠️ WARNING: `installCRDs` is deprecated, use `crds.enabled` instead. +{{- end }} cert-manager {{ .Chart.AppVersion }} has been deployed successfully! In order to begin issuing certificates, you will need to set up a ClusterIssuer diff --git a/deploy/charts/cert-manager/templates/_helpers.tpl b/deploy/charts/cert-manager/templates/_helpers.tpl index 067fe6a05..9902c089f 100644 --- a/deploy/charts/cert-manager/templates/_helpers.tpl +++ b/deploy/charts/cert-manager/templates/_helpers.tpl 
@@ -186,3 +186,17 @@ See https://github.com/cert-manager/cert-manager/issues/6329 for a list of linke {{- if .digest -}}{{ printf "@%s" .digest }}{{- else -}}{{ printf ":%s" (default $defaultTag .tag) }}{{- end -}} {{- end }} {{- end }} + +{{/* +Check that the user has not set both .installCRDs and .crds.enabled or +set .installCRDs and disabled .crds.keep. +.installCRDs is deprecated and users should use .crds.enabled and .crds.keep instead. +*/}} +{{- define "cert-manager.crd-check" -}} + {{- if and (.Values.installCRDs) (.Values.crds.enabled) }} + {{- fail "ERROR: the deprecated .installCRDs option cannot be enabled at the same time as its replacement .crds.enabled" }} + {{- end }} + {{- if and (.Values.installCRDs) (not .Values.crds.keep) }} + {{- fail "ERROR: .crds.keep is not compatible with .installCRDs, please use .crds.enabled and .crds.keep instead" }} + {{- end }} +{{- end -}} diff --git a/deploy/charts/cert-manager/templates/_preflight.tpl b/deploy/charts/cert-manager/templates/_preflight.tpl deleted file mode 100644 index f1418d096..000000000 --- a/deploy/charts/cert-manager/templates/_preflight.tpl +++ /dev/null @@ -1,9 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Expand the name of the chart. -*/}} -{{- define "cert-manager.preflight" -}} - {{- if and (.Values.installCRDs) (or (.Values.crds.install) (.Values.crds.keep)) }} - {{- fail "ERROR: Cannot set both .Values.installCRDs and .Values.crds.install" }} - {{- end }} -{{- end -}} diff --git a/deploy/charts/cert-manager/values.yaml b/deploy/charts/cert-manager/values.yaml index 86371ec53..f5908cdae 100644 --- a/deploy/charts/cert-manager/values.yaml +++ b/deploy/charts/cert-manager/values.yaml 
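Review bot: The second `fail` message in `cert-manager.crd-check` (deploy/charts/cert-manager/templates/_helpers.tpl) reads as if `.crds.keep` itself conflicts with `.installCRDs`, but the condition `and (.Values.installCRDs) (not .Values.crds.keep)` fires only when keep is disabled. I would reword it to `{{- fail "ERROR: .crds.keep=false cannot be combined with the deprecated .installCRDs option; use .crds.enabled and .crds.keep instead" }}` so the operator knows which value to change. The check also runs only where the template is included, and the one include visible in this patch is the commented first line of deploy/crds/crd-certificaterequests.yaml. A short comment there saying the line must stay would help, because dropping it silently disables both validations.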
@@ -67,13 +67,21 @@ global: # +docs:property # retryPeriod: 15s -# This method of CRDs installation will be deprecated in future releases -# It is mutually exclusive with crds.install and crds.keep=true +# This option is equivalent with setting crds.enabled=true and crds.keep=true. +# Deprecated: use crds.enabled and crds.keep instead. installCRDs: false crds: - install: false - keep: false + # This option decides if the CRDs should be installed + # as part of the Helm installation. + enabled: false + + # This option makes it so that the "helm.sh/resource-policy": keep + # annotation is added to the CRD. This will prevent Helm from uninstalling + # the CRD when the Helm release is uninstalled. + # WARNING: when the CRDs are removed, all cert-manager custom resources + # (Certificates, Issuers, ...) will be removed too by the garbage collector. + keep: true # +docs:section=Controller diff --git a/deploy/crds/crd-certificaterequests.yaml b/deploy/crds/crd-certificaterequests.yaml index 980fb3ac8..f8b6a8c36 100644 --- a/deploy/crds/crd-certificaterequests.yaml +++ b/deploy/crds/crd-certificaterequests.yaml @@ -1,11 +1,13 @@ +# {{- include "cert-manager.crd-check" . }} +# START crd {{- if or .Values.crds.enabled .Values.installCRDs }} apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: certificaterequests.cert-manager.io - {{- if .Values.crds.keep }} + # START annotations {{- if and .Values.crds.keep }} annotations: - "helm.sh/resource-policy": keep - {{- end }} + helm.sh/resource-policy: keep + # END annotations {{- end }} labels: app: '{{ template "cert-manager.name" . }}' app.kubernetes.io/name: '{{ template "cert-manager.name" . }}' @@ -197,3 +199,5 @@ spec: format: date-time served: true storage: true + +# END crd {{- end }} diff --git a/deploy/crds/crd-certificates.yaml b/deploy/crds/crd-certificates.yaml index 0753607df..9a5d18373 100644 --- a/deploy/crds/crd-certificates.yaml +++ b/deploy/crds/crd-certificates.yaml 
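Review bot: The comment on `keep: true` in deploy/charts/cert-manager/values.yaml does not say that this default changes uninstall behaviour for releases that already set `installCRDs: true`. After the upgrade the CRDs carry `helm.sh/resource-policy: keep`, so `helm uninstall` leaves them in the cluster together with the Certificate, Issuer and other custom resources they define. Teams that rely on uninstall to decommission cert-manager would then keep cluster-scoped definitions and issuer configuration without noticing. I would add a line such as `# NOTE: with keep=true, "helm uninstall" leaves the CRDs and all cert-manager custom resources in place; delete the CRDs explicitly to remove them.` and mirror it in README.template.md.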
@@ -1,11 +1,12 @@ +# START crd {{- if or .Values.crds.enabled .Values.installCRDs }} apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: certificates.cert-manager.io - {{- if .Values.crds.keep }} + # START annotations {{- if and .Values.crds.keep }} annotations: - "helm.sh/resource-policy": keep - {{- end }} + helm.sh/resource-policy: keep + # END annotations {{- end }} labels: app: '{{ template "cert-manager.name" . }}' app.kubernetes.io/name: '{{ template "cert-manager.name" . }}' @@ -444,3 +445,5 @@ spec: type: integer served: true storage: true + +# END crd {{- end }} diff --git a/deploy/crds/crd-challenges.yaml b/deploy/crds/crd-challenges.yaml index 315012b31..a2476a035 100644 --- a/deploy/crds/crd-challenges.yaml +++ b/deploy/crds/crd-challenges.yaml @@ -1,11 +1,12 @@ +# START crd {{- if or .Values.crds.enabled .Values.installCRDs }} apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: challenges.acme.cert-manager.io - {{- if .Values.crds.keep }} + # START annotations {{- if and .Values.crds.keep }} annotations: - "helm.sh/resource-policy": keep - {{- end }} + helm.sh/resource-policy: keep + # END annotations {{- end }} labels: app: '{{ template "cert-manager.name" . }}' app.kubernetes.io/name: '{{ template "cert-manager.name" . }}' @@ -1125,3 +1126,5 @@ spec: storage: true subresources: status: {} + +# END crd {{- end }} diff --git a/deploy/crds/crd-clusterissuers.yaml b/deploy/crds/crd-clusterissuers.yaml index 824e7db80..98785899d 100644 --- a/deploy/crds/crd-clusterissuers.yaml +++ b/deploy/crds/crd-clusterissuers.yaml 
@@ -1,16 +1,16 @@ -{{- include "cert-manager.preflight" . }} +# START crd {{- if or .Values.crds.enabled .Values.installCRDs }} apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: clusterissuers.cert-manager.io - {{- if .Values.crds.keep }} + # START annotations {{- if and .Values.crds.keep }} annotations: - "helm.sh/resource-policy": keep - {{- end }} + helm.sh/resource-policy: keep + # END annotations {{- end }} labels: app: '{{ template "cert-manager.name" . }}' app.kubernetes.io/name: '{{ template "cert-manager.name" . }}' - app.kubernetes.io/instance: "{{ .Release.Name }}" + app.kubernetes.io/instance: '{{ .Release.Name }}' # Generated labels {{- include "labels" . | nindent 4 }} spec: group: cert-manager.io @@ -1378,3 +1378,5 @@ spec: x-kubernetes-list-type: map served: true storage: true + +# END crd {{- end }} diff --git a/deploy/crds/crd-issuers.yaml b/deploy/crds/crd-issuers.yaml index 34ac9df07..685f05173 100644 --- a/deploy/crds/crd-issuers.yaml +++ b/deploy/crds/crd-issuers.yaml @@ -1,15 +1,17 @@ +# START crd {{- if or .Values.crds.enabled .Values.installCRDs }} apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: issuers.cert-manager.io - {{- if .Values.crds.keep }} + # START annotations {{- if and .Values.crds.keep }} annotations: - "helm.sh/resource-policy": keep - {{- end }} + helm.sh/resource-policy: keep + # END annotations {{- end }} labels: app: '{{ template "cert-manager.name" . }}' app.kubernetes.io/name: '{{ template "cert-manager.name" . }}' - app.kubernetes.io/instance: "{{ .Release.Name }}" + app.kubernetes.io/instance: '{{ .Release.Name }}' + app.kubernetes.io/component: "crds" # Generated labels {{- include "labels" . | nindent 4 }} spec: group: cert-manager.io @@ -1377,3 +1379,5 @@ spec: x-kubernetes-list-type: map served: true storage: true + +# END crd {{- end }} diff --git a/deploy/crds/crd-orders.yaml b/deploy/crds/crd-orders.yaml index de211b11a..9e61d3a16 100644 
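Review bot: The clusterissuers hunk leaves its label block without `app.kubernetes.io/component: "crds"`, while the issuers hunk on this line and the orders hunk in the same patch add it directly after `app.kubernetes.io/instance`. Unless the `labels` include already emits that label, selecting the chart's CRDs by component would miss ClusterIssuer. I would add `app.kubernetes.io/component: "crds"` after the instance label in deploy/crds/crd-clusterissuers.yaml. The certificaterequests, certificates and challenges files need the same check, since their label blocks are cut off by their hunks.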
--- a/deploy/crds/crd-orders.yaml +++ b/deploy/crds/crd-orders.yaml @@ -1,15 +1,17 @@ +# START crd {{- if or .Values.crds.enabled .Values.installCRDs }} apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: orders.acme.cert-manager.io - {{- if .Values.crds.keep }} + # START annotations {{- if and .Values.crds.keep }} annotations: - "helm.sh/resource-policy": keep - {{- end }} + helm.sh/resource-policy: keep + # END annotations {{- end }} labels: app: '{{ template "cert-manager.name" . }}' app.kubernetes.io/name: '{{ template "cert-manager.name" . }}' app.kubernetes.io/instance: '{{ .Release.Name }}' + app.kubernetes.io/component: "crds" # Generated labels {{- include "labels" . | nindent 4 }} spec: group: acme.cert-manager.io @@ -181,3 +183,5 @@ spec: type: string served: true storage: true + +# END crd {{- end }} diff --git a/hack/concat-yaml.sh b/hack/concat-yaml.sh index 9f7dff965..b4c33c981 100755 --- a/hack/concat-yaml.sh +++ b/hack/concat-yaml.sh @@ -38,6 +38,7 @@ while (($#)); do # if there's at least one more file left, output the YAML file separator if [[ $# -gt 0 ]]; then + echo "" echo "---" fi done diff --git a/make/manifests.mk b/make/manifests.mk index 82766fc21..e22658ec3 100644 --- a/make/manifests.mk +++ b/make/manifests.mk @@ -105,9 +105,7 @@ $(bin_dir)/helm/cert-manager/templates/NOTES.txt: deploy/charts/cert-manager/tem cp $< $@ $(bin_dir)/helm/cert-manager/templates/crds.yaml: $(CRDS_SOURCES) | $(bin_dir)/helm/cert-manager/templates - echo '{{- if .Values.installCRDs }}' > $@ - ./hack/concat-yaml.sh $^ >> $@ - echo '{{- end }}' >> $@ + ./hack/concat-yaml.sh $^ > $@ $(bin_dir)/helm/cert-manager/values.yaml: deploy/charts/cert-manager/values.yaml | $(bin_dir)/helm/cert-manager cp $< $@ From 4a35796f00d21260d9db223bcdaa659a0a938561 Mon Sep 17 00:00:00 2001 From: Tim Ramlot <42113979+inteon@users.noreply.github.com> Date: Mon, 19 Feb 2024 14:23:20 +0100 Subject: [PATCH 4/7] replace usage of installCRDs with crds.enabled 
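Review bot: Dropping the `echo '{{- if .Values.installCRDs }}'` / `echo '{{- end }}'` wrapper from the `crds.yaml` rule in make/manifests.mk moves the install guard out of the build and into each CRD source file. Nothing visible in this patch checks that every file in `$(CRDS_SOURCES)` carries the `# START crd {{- if or .Values.crds.enabled .Values.installCRDs }}` / `# END crd {{- end }}` pair. A CRD file added later without the pair would be rendered and installed even when both values are false, and a file missing only the `# END crd` line would break template rendering. I would add a verification step next to this rule that fails the build when a CRD source lacks either marker, plus a comment above the recipe stating that the guard now lives in the sources.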
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com> --- hack/verify-upgrade.sh | 2 +- make/e2e-setup.mk | 2 +- make/ko.mk | 2 +- make/manifests.mk | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/hack/verify-upgrade.sh b/hack/verify-upgrade.sh index be7b6ac27..2b6d42922 100755 --- a/hack/verify-upgrade.sh +++ b/hack/verify-upgrade.sh @@ -76,7 +76,7 @@ $helm upgrade \ --install \ --wait \ --namespace "${NAMESPACE}" \ - --set installCRDs=true \ + --set crds.enabled=true \ --create-namespace \ --version "${LATEST_RELEASE}" \ "$RELEASE_NAME" \ diff --git a/make/e2e-setup.mk b/make/e2e-setup.mk index 8bf021bf8..3ed8ce1ad 100644 --- a/make/e2e-setup.mk +++ b/make/e2e-setup.mk @@ -294,7 +294,7 @@ e2e-setup-certmanager: $(bin_dir)/cert-manager.tgz $(foreach binaryname,controll --set webhook.image.tag="$(TAG)" \ --set acmesolver.image.tag="$(TAG)" \ --set startupapicheck.image.tag="$(TAG)" \ - --set installCRDs=true \ + --set crds.enabled=true \ --set featureGates="$(feature_gates_controller)" \ --set "extraArgs={--kube-api-qps=9000,--kube-api-burst=9000,--concurrent-workers=200}" \ --set webhook.featureGates="$(feature_gates_webhook)" \ diff --git a/make/ko.mk b/make/ko.mk index a2e685634..93f62942c 100644 --- a/make/ko.mk +++ b/make/ko.mk @@ -87,5 +87,5 @@ ko-deploy-certmanager: $(bin_dir)/cert-manager.tgz $(KO_IMAGE_REFS) --set webhook.image.digest="$(shell $(YQ) .digest $(bin_dir)/scratch/ko/webhook.yaml)" \ --set startupapicheck.image.repository="$(shell $(YQ) .repository $(bin_dir)/scratch/ko/startupapicheck.yaml)" \ --set startupapicheck.image.digest="$(shell $(YQ) .digest $(bin_dir)/scratch/ko/startupapicheck.yaml)" \ - --set installCRDs=true \ + --set crds.enabled=true \ --set "extraArgs={--acme-http01-solver-image=$(ACME_HTTP01_SOLVER_IMAGE)}" diff --git a/make/manifests.mk b/make/manifests.mk index e22658ec3..580569beb 100644 --- a/make/manifests.mk +++ b/make/manifests.mk 
@@ -138,7 +138,7 @@ $(bin_dir)/scratch/yaml/cert-manager.noncrd.unlicensed.yaml: $(bin_dir)/cert-man $(bin_dir)/scratch/yaml/cert-manager.all.unlicensed.yaml: $(bin_dir)/cert-manager-$(RELEASE_VERSION).tgz | $(NEEDS_HELM) $(bin_dir)/scratch/yaml @# The sed command removes the first line but only if it matches "---", which helm adds - $(HELM) template --api-versions="" --namespace=cert-manager --set="installCRDs=true" --set="creator=static" --set="startupapicheck.enabled=false" cert-manager $< | \ + $(HELM) template --api-versions="" --namespace=cert-manager --set="crds.enabled=true" --set="creator=static" --set="startupapicheck.enabled=false" cert-manager $< | \ sed -e "1{/^---$$/d;}" > $@ $(bin_dir)/scratch/yaml/cert-manager.crds.unlicensed.yaml: $(bin_dir)/scratch/yaml/cert-manager.all.unlicensed.yaml | $(NEEDS_GO) $(bin_dir)/scratch/yaml From 2deaaaa2333e0dec5935063150fb386835e64980 Mon Sep 17 00:00:00 2001 From: Tim Ramlot <42113979+inteon@users.noreply.github.com> Date: Mon, 19 Feb 2024 14:24:04 +0100 Subject: [PATCH 5/7] fix typo Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com> --- deploy/charts/cert-manager/README.template.md | 2 +- deploy/charts/cert-manager/values.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/deploy/charts/cert-manager/README.template.md b/deploy/charts/cert-manager/README.template.md index 0695f523e..051ff6902 100644 --- a/deploy/charts/cert-manager/README.template.md +++ b/deploy/charts/cert-manager/README.template.md @@ -170,7 +170,7 @@ The duration the clients should wait between attempting acquisition and renewal > false > ``` -This option is equivalent with setting crds.enabled=true and crds.keep=true. Deprecated: use crds.enabled and crds.keep instead. +This option is equivalent to setting crds.enabled=true and crds.keep=true. Deprecated: use crds.enabled and crds.keep instead. #### **crds.enabled** ~ `bool` > Default value: > ```yaml 
diff --git a/deploy/charts/cert-manager/values.yaml b/deploy/charts/cert-manager/values.yaml index f5908cdae..91397f1af 100644 --- a/deploy/charts/cert-manager/values.yaml +++ b/deploy/charts/cert-manager/values.yaml @@ -67,7 +67,7 @@ global: # +docs:property # retryPeriod: 15s -# This option is equivalent with setting crds.enabled=true and crds.keep=true. +# This option is equivalent to setting crds.enabled=true and crds.keep=true. # Deprecated: use crds.enabled and crds.keep instead. installCRDs: false From 815dbc9e8faec7bcd2ba5bdad6fe71fc3c3bd30a Mon Sep 17 00:00:00 2001 From: Tim Ramlot <42113979+inteon@users.noreply.github.com> Date: Mon, 19 Feb 2024 14:24:57 +0100 Subject: [PATCH 6/7] remove unused and in Helm template Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com> --- deploy/crds/crd-certificaterequests.yaml | 2 +- deploy/crds/crd-certificates.yaml | 2 +- deploy/crds/crd-challenges.yaml | 2 +- deploy/crds/crd-clusterissuers.yaml | 2 +- deploy/crds/crd-issuers.yaml | 2 +- deploy/crds/crd-orders.yaml | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/deploy/crds/crd-certificaterequests.yaml b/deploy/crds/crd-certificaterequests.yaml index f8b6a8c36..2a23b4f8a 100644 --- a/deploy/crds/crd-certificaterequests.yaml +++ b/deploy/crds/crd-certificaterequests.yaml @@ -4,7 +4,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: certificaterequests.cert-manager.io - # START annotations {{- if and .Values.crds.keep }} + # START annotations {{- if .Values.crds.keep }} annotations: helm.sh/resource-policy: keep # END annotations {{- end }} diff --git a/deploy/crds/crd-certificates.yaml b/deploy/crds/crd-certificates.yaml index 9a5d18373..fca9bec27 100644 --- a/deploy/crds/crd-certificates.yaml +++ b/deploy/crds/crd-certificates.yaml 
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: certificates.cert-manager.io - # START annotations {{- if and .Values.crds.keep }} + # START annotations {{- if .Values.crds.keep }} annotations: helm.sh/resource-policy: keep # END annotations {{- end }} diff --git a/deploy/crds/crd-challenges.yaml b/deploy/crds/crd-challenges.yaml index a2476a035..e4c63d6d7 100644 --- a/deploy/crds/crd-challenges.yaml +++ b/deploy/crds/crd-challenges.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: challenges.acme.cert-manager.io - # START annotations {{- if and .Values.crds.keep }} + # START annotations {{- if .Values.crds.keep }} annotations: helm.sh/resource-policy: keep # END annotations {{- end }} diff --git a/deploy/crds/crd-clusterissuers.yaml b/deploy/crds/crd-clusterissuers.yaml index 98785899d..e652f3b44 100644 --- a/deploy/crds/crd-clusterissuers.yaml +++ b/deploy/crds/crd-clusterissuers.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: clusterissuers.cert-manager.io - # START annotations {{- if and .Values.crds.keep }} + # START annotations {{- if .Values.crds.keep }} annotations: helm.sh/resource-policy: keep # END annotations {{- end }} diff --git a/deploy/crds/crd-issuers.yaml b/deploy/crds/crd-issuers.yaml index 685f05173..6f799fa13 100644 --- a/deploy/crds/crd-issuers.yaml +++ b/deploy/crds/crd-issuers.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: issuers.cert-manager.io - # START annotations {{- if and .Values.crds.keep }} + # START annotations {{- if .Values.crds.keep }} annotations: helm.sh/resource-policy: keep # END annotations {{- end }} diff --git a/deploy/crds/crd-orders.yaml b/deploy/crds/crd-orders.yaml index 9e61d3a16..85018b6b9 100644 --- a/deploy/crds/crd-orders.yaml +++ b/deploy/crds/crd-orders.yaml 
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: orders.acme.cert-manager.io - # START annotations {{- if and .Values.crds.keep }} + # START annotations {{- if .Values.crds.keep }} annotations: helm.sh/resource-policy: keep # END annotations {{- end }} From 15d69499528a70ec477b179c1a1212b316f7c257 Mon Sep 17 00:00:00 2001 From: Tim Ramlot <42113979+inteon@users.noreply.github.com> Date: Mon, 19 Feb 2024 14:38:39 +0100 Subject: [PATCH 7/7] the upgrade script has to keep using the old installCRDs option Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com> --- hack/verify-upgrade.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/hack/verify-upgrade.sh b/hack/verify-upgrade.sh index 2b6d42922..6aedc2736 100755 --- a/hack/verify-upgrade.sh +++ b/hack/verify-upgrade.sh @@ -72,11 +72,12 @@ $helm repo update echo "+++ Installing cert-manager ${LATEST_RELEASE} Helm chart into the cluster..." # Upgrade or install latest published cert-manager Helm release +# We use the deprecated installCRDs=true value, to make the install work for older versions of cert-manager $helm upgrade \ --install \ --wait \ --namespace "${NAMESPACE}" \ - --set crds.enabled=true \ + --set installCRDs=true \ --create-namespace \ --version "${LATEST_RELEASE}" \ "$RELEASE_NAME" \