change startupapicheck to helm post-install hook

Signed-off-by: Inteon <42113979+inteon@users.noreply.github.com>

deploy/charts/cert-manager/templates/startupapicheck-rbac.yaml

@@ -12,6 +12,10 @@ metadata:
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/component: "startupapicheck"
     {{- include "labels" . | nindent 4 }}
+  {{- if .Values.startupapicheck.rbac.annotations }}
+  annotations:
+{{ toYaml .Values.startupapicheck.rbac.annotations | indent 4 }}
+  {{- end }}
 rules:
   - apiGroups: ["cert-manager.io"]
     resources: ["certificates"]
@@ -29,6 +33,10 @@ metadata:
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/component: "startupapicheck"
     {{- include "labels" . | nindent 4 }}
+  {{- if .Values.startupapicheck.rbac.annotations }}
+  annotations:
+{{ toYaml .Values.startupapicheck.rbac.annotations | indent 4 }}
+  {{- end }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role

deploy/charts/cert-manager/values.yaml

@@ -397,6 +397,8 @@ cainjector:
     # Automount API credentials for a Service Account.
     automountServiceAccountToken: true
 
+# This startupapicheck is a Helm post-install hook that waits for the webhook
+# endpoints to become available.
 startupapicheck:
   enabled: true
 
@@ -412,7 +414,9 @@ startupapicheck:
   backoffLimit: 4
 
   # Optional additional annotations to add to the startupapicheck Job
-  # jobAnnotations: {}
+  jobAnnotations:
+    helm.sh/hook: post-install
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
 
   # Optional additional annotations to add to the startupapicheck Pods
   # podAnnotations: {}
@@ -449,13 +453,23 @@ startupapicheck:
 
     pullPolicy: IfNotPresent
 
+  rbac:
+    annotations:
+      helm.sh/hook: post-install
+      helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+
   serviceAccount:
     # Specifies whether a service account should be created
     create: true
+
     # The name of the service account to use.
     # If not set and create is true, a name is generated using the fullname template
     # name: ""
+
     # Optional additional annotations to add to the Job's ServiceAccount
-    # annotations: {}
+    annotations:
+      helm.sh/hook: post-install
+      helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+
     # Automount API credentials for a Service Account.
     automountServiceAccountToken: true

deploy/crds/BUILD.bazel

@@ -50,6 +50,7 @@ helm_tmpl(
         # Set creator to "static", so the Helm chart does
         # not add Helm-specific labels to the resources.
         "creator": "static",
+        "startupapicheck.enabled": "false",
     },
     visibility = ["//visibility:public"],
 )
@@ -76,6 +77,7 @@ helm_tmpl(
         # Set creator to "static", so the Helm chart does
         # not add Helm-specific labels to the resources.
         "creator": "static",
+        "startupapicheck.enabled": "false",
     },
     visibility = ["//visibility:public"],
 ) for crd in crds]

deploy/manifests/BUILD.bazel

@@ -19,6 +19,7 @@ helm_tmpl(
         # Set creator to "static", so the Helm chart does
         # not add Helm-specific labels to the resources.
         "creator": "static",
+        "startupapicheck.enabled": "false",
     },
 )
 

devel/addon/certmanager/install.sh

@@ -59,7 +59,6 @@ bazel build //deploy/charts/cert-manager
 helm upgrade \
     --install \
     --wait \
-    --wait-for-jobs \
     --namespace "${NAMESPACE}" \
     --set image.tag="${APP_VERSION}" \
     --set cainjector.image.tag="${APP_VERSION}" \