Merge pull request #6760 from inteon/add_crd_keep

Add `crds.keep` and `crds.enabled` Helm options
jetstack-bot 2024-02-20 12:09:35 +00:00 committed by GitHub
commit 0b379e4b5c
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
15 changed files with 100 additions and 11 deletions


@ -170,7 +170,22 @@ The duration the clients should wait between attempting acquisition and renewal
> false > false
> ``` > ```
Install the cert-manager CRDs, it is recommended to not use Helm to manage the CRDs. This option is equivalent to setting crds.enabled=true and crds.keep=true. Deprecated: use crds.enabled and crds.keep instead.
#### **crds.enabled** ~ `bool`
> Default value:
> ```yaml
> false
> ```
This option decides if the CRDs should be installed as part of the Helm installation.
#### **crds.keep** ~ `bool`
> Default value:
> ```yaml
> true
> ```
This option makes it so that the "helm.sh/resource-policy": keep annotation is added to the CRD. This will prevent Helm from uninstalling the CRD when the Helm release is uninstalled. WARNING: when the CRDs are removed, all cert-manager custom resources
(Certificates, Issuers, ...) will be removed too by the garbage collector.
### Controller ### Controller
#### **replicaCount** ~ `number` #### **replicaCount** ~ `number`


@ -1,3 +1,6 @@
{{- if .Values.installCRDs }}
⚠️ WARNING: `installCRDs` is deprecated, use `crds.enabled` instead.
{{- end }}
cert-manager {{ .Chart.AppVersion }} has been deployed successfully! cert-manager {{ .Chart.AppVersion }} has been deployed successfully!
In order to begin issuing certificates, you will need to set up a ClusterIssuer In order to begin issuing certificates, you will need to set up a ClusterIssuer


@ -186,3 +186,17 @@ See https://github.com/cert-manager/cert-manager/issues/6329 for a list of linke
{{- if .digest -}}{{ printf "@%s" .digest }}{{- else -}}{{ printf ":%s" (default $defaultTag .tag) }}{{- end -}} {{- if .digest -}}{{ printf "@%s" .digest }}{{- else -}}{{ printf ":%s" (default $defaultTag .tag) }}{{- end -}}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{/*
Check that the user has not set both .installCRDs and .crds.enabled or
set .installCRDs and disabled .crds.keep.
.installCRDs is deprecated and users should use .crds.enabled and .crds.keep instead.
*/}}
{{- define "cert-manager.crd-check" -}}
{{- if and (.Values.installCRDs) (.Values.crds.enabled) }}
{{- fail "ERROR: the deprecated .installCRDs option cannot be enabled at the same time as its replacement .crds.enabled" }}
{{- end }}
{{- if and (.Values.installCRDs) (not .Values.crds.keep) }}
{{- fail "ERROR: .crds.keep is not compatible with .installCRDs, please use .crds.enabled and .crds.keep instead" }}
{{- end }}
{{- end -}}
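Review bot: The second `fail` message in `cert-manager.crd-check` does not say which value triggered it: the guard fires only when `.Values.installCRDs` is true and `.Values.crds.keep` is false, but the text reads as if `crds.keep` as such were incompatible with `installCRDs`. Naming the value would make the error actionable, for example `{{- fail "ERROR: .crds.keep=false cannot be combined with the deprecated .installCRDs; use .crds.enabled=true together with .crds.keep=false instead" }}`. The guard itself is worth keeping, because it stops a legacy `installCRDs=true` install from dropping the keep policy that protects Certificates and Issuers from deletion.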


@ -67,10 +67,22 @@ global:
# +docs:property # +docs:property
# retryPeriod: 15s # retryPeriod: 15s
# Install the cert-manager CRDs, it is recommended to not use Helm to manage # This option is equivalent to setting crds.enabled=true and crds.keep=true.
# the CRDs. # Deprecated: use crds.enabled and crds.keep instead.
installCRDs: false installCRDs: false
crds:
# This option decides if the CRDs should be installed
# as part of the Helm installation.
enabled: false
# This option makes it so that the "helm.sh/resource-policy": keep
# annotation is added to the CRD. This will prevent Helm from uninstalling
# the CRD when the Helm release is uninstalled.
# WARNING: when the CRDs are removed, all cert-manager custom resources
# (Certificates, Issuers, ...) will be removed too by the garbage collector.
keep: true
# +docs:section=Controller # +docs:section=Controller
# The number of replicas of the cert-manager controller to run. # The number of replicas of the cert-manager controller to run.
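Review bot: The comment on `crds.keep` covers only `helm uninstall`, but Helm honours `helm.sh/resource-policy: keep` on any operation that would delete the resource, including upgrade and rollback. With `keep: false`, a later upgrade that sets `crds.enabled` back to `false` would therefore also remove the CRDs and, through garbage collection, every Certificate and Issuer. I would add a line such as `# With keep: false, an upgrade that sets crds.enabled=false also deletes the CRDs.` to the WARNING. It is also worth stating that `keep` has no effect unless `crds.enabled` (or the deprecated `installCRDs`) is true, since the CRD templates in this commit emit the annotation only inside that condition. The README section of this commit carries the same wording.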


@ -1,7 +1,13 @@
# {{- include "cert-manager.crd-check" . }}
# START crd {{- if or .Values.crds.enabled .Values.installCRDs }}
apiVersion: apiextensions.k8s.io/v1 apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition kind: CustomResourceDefinition
metadata: metadata:
name: certificaterequests.cert-manager.io name: certificaterequests.cert-manager.io
# START annotations {{- if .Values.crds.keep }}
annotations:
helm.sh/resource-policy: keep
# END annotations {{- end }}
labels: labels:
app: '{{ template "cert-manager.name" . }}' app: '{{ template "cert-manager.name" . }}'
app.kubernetes.io/name: '{{ template "cert-manager.name" . }}' app.kubernetes.io/name: '{{ template "cert-manager.name" . }}'
@ -193,3 +199,5 @@ spec:
format: date-time format: date-time
served: true served: true
storage: true storage: true
# END crd {{- end }}
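Review bot: The `cert-manager.crd-check` include on the first line is the only call site visible in this commit, so the validation of `installCRDs` against `crds.*` depends on this one CRD source being part of the rendered chart. It sits outside the `START crd` condition, presumably so that it still runs when CRDs are disabled, but nothing on the page says so. A template comment beside it, e.g. `{{/* values check: must stay outside the crds.enabled condition and in a file that is always rendered */}}`, would keep a later reorder or removal of this file from silently dropping the check. The four-line keep-annotation block is also repeated verbatim in the other five CRD files of this commit, so any change to that policy has to be made in six places.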


@ -1,7 +1,12 @@
# START crd {{- if or .Values.crds.enabled .Values.installCRDs }}
apiVersion: apiextensions.k8s.io/v1 apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition kind: CustomResourceDefinition
metadata: metadata:
name: certificates.cert-manager.io name: certificates.cert-manager.io
# START annotations {{- if .Values.crds.keep }}
annotations:
helm.sh/resource-policy: keep
# END annotations {{- end }}
labels: labels:
app: '{{ template "cert-manager.name" . }}' app: '{{ template "cert-manager.name" . }}'
app.kubernetes.io/name: '{{ template "cert-manager.name" . }}' app.kubernetes.io/name: '{{ template "cert-manager.name" . }}'
@ -440,3 +445,5 @@ spec:
type: integer type: integer
served: true served: true
storage: true storage: true
# END crd {{- end }}


@ -1,7 +1,12 @@
# START crd {{- if or .Values.crds.enabled .Values.installCRDs }}
apiVersion: apiextensions.k8s.io/v1 apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition kind: CustomResourceDefinition
metadata: metadata:
name: challenges.acme.cert-manager.io name: challenges.acme.cert-manager.io
# START annotations {{- if .Values.crds.keep }}
annotations:
helm.sh/resource-policy: keep
# END annotations {{- end }}
labels: labels:
app: '{{ template "cert-manager.name" . }}' app: '{{ template "cert-manager.name" . }}'
app.kubernetes.io/name: '{{ template "cert-manager.name" . }}' app.kubernetes.io/name: '{{ template "cert-manager.name" . }}'
@ -1121,3 +1126,5 @@ spec:
storage: true storage: true
subresources: subresources:
status: {} status: {}
# END crd {{- end }}


@ -1,11 +1,16 @@
# START crd {{- if or .Values.crds.enabled .Values.installCRDs }}
apiVersion: apiextensions.k8s.io/v1 apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition kind: CustomResourceDefinition
metadata: metadata:
name: clusterissuers.cert-manager.io name: clusterissuers.cert-manager.io
# START annotations {{- if .Values.crds.keep }}
annotations:
helm.sh/resource-policy: keep
# END annotations {{- end }}
labels: labels:
app: '{{ template "cert-manager.name" . }}' app: '{{ template "cert-manager.name" . }}'
app.kubernetes.io/name: '{{ template "cert-manager.name" . }}' app.kubernetes.io/name: '{{ template "cert-manager.name" . }}'
app.kubernetes.io/instance: "{{ .Release.Name }}" app.kubernetes.io/instance: '{{ .Release.Name }}'
# Generated labels {{- include "labels" . | nindent 4 }} # Generated labels {{- include "labels" . | nindent 4 }}
spec: spec:
group: cert-manager.io group: cert-manager.io
@ -1397,3 +1402,5 @@ spec:
x-kubernetes-list-type: map x-kubernetes-list-type: map
served: true served: true
storage: true storage: true
# END crd {{- end }}
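Review bot: In the visible lines of this file the label block goes from `app.kubernetes.io/instance` straight to `# Generated labels`, whereas the issuers and orders CRDs in this same commit gain `app.kubernetes.io/component: "crds"` at that position. If that label is meant to identify every cert-manager CRD for selectors, policy or cleanup tooling, this file should carry it too, as `app.kubernetes.io/component: "crds"` after the instance label. The first three CRD hunks end before the instance label, so whether those files have it cannot be told from this page.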


@ -1,11 +1,17 @@
# START crd {{- if or .Values.crds.enabled .Values.installCRDs }}
apiVersion: apiextensions.k8s.io/v1 apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition kind: CustomResourceDefinition
metadata: metadata:
name: issuers.cert-manager.io name: issuers.cert-manager.io
# START annotations {{- if .Values.crds.keep }}
annotations:
helm.sh/resource-policy: keep
# END annotations {{- end }}
labels: labels:
app: '{{ template "cert-manager.name" . }}' app: '{{ template "cert-manager.name" . }}'
app.kubernetes.io/name: '{{ template "cert-manager.name" . }}' app.kubernetes.io/name: '{{ template "cert-manager.name" . }}'
app.kubernetes.io/instance: "{{ .Release.Name }}" app.kubernetes.io/instance: '{{ .Release.Name }}'
app.kubernetes.io/component: "crds"
# Generated labels {{- include "labels" . | nindent 4 }} # Generated labels {{- include "labels" . | nindent 4 }}
spec: spec:
group: cert-manager.io group: cert-manager.io
@ -1397,3 +1403,5 @@ spec:
x-kubernetes-list-type: map x-kubernetes-list-type: map
served: true served: true
storage: true storage: true
# END crd {{- end }}


@ -1,11 +1,17 @@
# START crd {{- if or .Values.crds.enabled .Values.installCRDs }}
apiVersion: apiextensions.k8s.io/v1 apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition kind: CustomResourceDefinition
metadata: metadata:
name: orders.acme.cert-manager.io name: orders.acme.cert-manager.io
# START annotations {{- if .Values.crds.keep }}
annotations:
helm.sh/resource-policy: keep
# END annotations {{- end }}
labels: labels:
app: '{{ template "cert-manager.name" . }}' app: '{{ template "cert-manager.name" . }}'
app.kubernetes.io/name: '{{ template "cert-manager.name" . }}' app.kubernetes.io/name: '{{ template "cert-manager.name" . }}'
app.kubernetes.io/instance: '{{ .Release.Name }}' app.kubernetes.io/instance: '{{ .Release.Name }}'
app.kubernetes.io/component: "crds"
# Generated labels {{- include "labels" . | nindent 4 }} # Generated labels {{- include "labels" . | nindent 4 }}
spec: spec:
group: acme.cert-manager.io group: acme.cert-manager.io
@ -177,3 +183,5 @@ spec:
type: string type: string
served: true served: true
storage: true storage: true
# END crd {{- end }}


@ -38,6 +38,7 @@ while (($#)); do
# if there's at least one more file left, output the YAML file separator # if there's at least one more file left, output the YAML file separator
if [[ $# -gt 0 ]]; then if [[ $# -gt 0 ]]; then
echo ""
echo "---" echo "---"
fi fi
done done
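Review bot: The added `echo ""` carries no comment, and the existing comment above the `if` explains only the `---` separator. Presumably the extra newline ensures `---` starts on its own line now that each CRD source ends in a `{{- end }}` line, possibly without a trailing newline. If that is the reason, state it, e.g. `# emit a newline first so the separator never lands on the last line of the previous file`. The enclosing `while` loop starts outside the hunk.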


@ -72,6 +72,7 @@ $helm repo update
echo "+++ Installing cert-manager ${LATEST_RELEASE} Helm chart into the cluster..." echo "+++ Installing cert-manager ${LATEST_RELEASE} Helm chart into the cluster..."
# Upgrade or install latest published cert-manager Helm release # Upgrade or install latest published cert-manager Helm release
# We use the deprecated installCRDs=true value, to make the install work for older versions of cert-manager
$helm upgrade \ $helm upgrade \
--install \ --install \
--wait \ --wait \


@ -294,7 +294,7 @@ e2e-setup-certmanager: $(bin_dir)/cert-manager.tgz $(foreach binaryname,controll
--set webhook.image.tag="$(TAG)" \ --set webhook.image.tag="$(TAG)" \
--set acmesolver.image.tag="$(TAG)" \ --set acmesolver.image.tag="$(TAG)" \
--set startupapicheck.image.tag="$(TAG)" \ --set startupapicheck.image.tag="$(TAG)" \
--set installCRDs=true \ --set crds.enabled=true \
--set featureGates="$(feature_gates_controller)" \ --set featureGates="$(feature_gates_controller)" \
--set "extraArgs={--kube-api-qps=9000,--kube-api-burst=9000,--concurrent-workers=200}" \ --set "extraArgs={--kube-api-qps=9000,--kube-api-burst=9000,--concurrent-workers=200}" \
--set webhook.featureGates="$(feature_gates_webhook)" \ --set webhook.featureGates="$(feature_gates_webhook)" \


@ -87,5 +87,5 @@ ko-deploy-certmanager: $(bin_dir)/cert-manager.tgz $(KO_IMAGE_REFS)
--set webhook.image.digest="$(shell $(YQ) .digest $(bin_dir)/scratch/ko/webhook.yaml)" \ --set webhook.image.digest="$(shell $(YQ) .digest $(bin_dir)/scratch/ko/webhook.yaml)" \
--set startupapicheck.image.repository="$(shell $(YQ) .repository $(bin_dir)/scratch/ko/startupapicheck.yaml)" \ --set startupapicheck.image.repository="$(shell $(YQ) .repository $(bin_dir)/scratch/ko/startupapicheck.yaml)" \
--set startupapicheck.image.digest="$(shell $(YQ) .digest $(bin_dir)/scratch/ko/startupapicheck.yaml)" \ --set startupapicheck.image.digest="$(shell $(YQ) .digest $(bin_dir)/scratch/ko/startupapicheck.yaml)" \
--set installCRDs=true \ --set crds.enabled=true \
--set "extraArgs={--acme-http01-solver-image=$(ACME_HTTP01_SOLVER_IMAGE)}" --set "extraArgs={--acme-http01-solver-image=$(ACME_HTTP01_SOLVER_IMAGE)}"


@ -105,9 +105,7 @@ $(bin_dir)/helm/cert-manager/templates/NOTES.txt: deploy/charts/cert-manager/tem
cp $< $@ cp $< $@
$(bin_dir)/helm/cert-manager/templates/crds.yaml: $(CRDS_SOURCES) | $(bin_dir)/helm/cert-manager/templates $(bin_dir)/helm/cert-manager/templates/crds.yaml: $(CRDS_SOURCES) | $(bin_dir)/helm/cert-manager/templates
echo '{{- if .Values.installCRDs }}' > $@ ./hack/concat-yaml.sh $^ > $@
./hack/concat-yaml.sh $^ >> $@
echo '{{- end }}' >> $@
$(bin_dir)/helm/cert-manager/values.yaml: deploy/charts/cert-manager/values.yaml | $(bin_dir)/helm/cert-manager $(bin_dir)/helm/cert-manager/values.yaml: deploy/charts/cert-manager/values.yaml | $(bin_dir)/helm/cert-manager
cp $< $@ cp $< $@
@ -140,7 +138,7 @@ $(bin_dir)/scratch/yaml/cert-manager.noncrd.unlicensed.yaml: $(bin_dir)/cert-man
$(bin_dir)/scratch/yaml/cert-manager.all.unlicensed.yaml: $(bin_dir)/cert-manager-$(RELEASE_VERSION).tgz | $(NEEDS_HELM) $(bin_dir)/scratch/yaml $(bin_dir)/scratch/yaml/cert-manager.all.unlicensed.yaml: $(bin_dir)/cert-manager-$(RELEASE_VERSION).tgz | $(NEEDS_HELM) $(bin_dir)/scratch/yaml
@# The sed command removes the first line but only if it matches "---", which helm adds @# The sed command removes the first line but only if it matches "---", which helm adds
$(HELM) template --api-versions="" --namespace=cert-manager --set="installCRDs=true" --set="creator=static" --set="startupapicheck.enabled=false" cert-manager $< | \ $(HELM) template --api-versions="" --namespace=cert-manager --set="crds.enabled=true" --set="creator=static" --set="startupapicheck.enabled=false" cert-manager $< | \
sed -e "1{/^---$$/d;}" > $@ sed -e "1{/^---$$/d;}" > $@
$(bin_dir)/scratch/yaml/cert-manager.crds.unlicensed.yaml: $(bin_dir)/scratch/yaml/cert-manager.all.unlicensed.yaml | $(NEEDS_GO) $(bin_dir)/scratch/yaml $(bin_dir)/scratch/yaml/cert-manager.crds.unlicensed.yaml: $(bin_dir)/scratch/yaml/cert-manager.all.unlicensed.yaml | $(NEEDS_GO) $(bin_dir)/scratch/yaml