Move cainjector into its own subchart

Signed-off-by: James Munnelly <james@munnelly.eu>

deploy/charts/cert-manager/cainjector/.helmignore

@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj

deploy/charts/cert-manager/cainjector/Chart.yaml

@@ -0,0 +1,16 @@
+name: cainjector
+apiVersion: v1
+version: "v0.7.0-alpha.2"
+appVersion: "v0.7.0-alpha.0"
+description: A Helm chart for deploying the cert-manager cainjector component
+home: https://github.com/jetstack/cert-manager
+sources:
+  - https://github.com/jetstack/cert-manager
+keywords:
+  - cert-manager
+  - kube-lego
+  - letsencrypt
+  - tls
+maintainers:
+  - name: munnerz
+    email: james@jetstack.io

deploy/charts/cert-manager/cainjector/templates/_helpers.tpl

@@ -0,0 +1,48 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "cainjector.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "cainjector.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "cainjector.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "cainjector.selfSignedIssuer" -}}
+{{ printf "%s-selfsign" (include "cainjector.fullname" .) }}
+{{- end -}}
+
+{{- define "cainjector.rootCAIssuer" -}}
+{{ printf "%s-ca" (include "cainjector.fullname" .) }}
+{{- end -}}
+
+{{- define "cainjector.rootCACertificate" -}}
+{{ printf "%s-ca" (include "cainjector.fullname" .) }}
+{{- end -}}
+
+{{- define "cainjector.servingCertificate" -}}
+{{ printf "%s-cainjector-tls" (include "cainjector.fullname" .) }}
+{{- end -}}

deploy/charts/cert-manager/cainjector/templates/deployment.yaml

@@ -0,0 +1,73 @@
+apiVersion: apps/v1beta1
+kind: Deployment
+metadata:
+  name: {{ include "cainjector.fullname" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    app: {{ include "cainjector.name" . }}
+    chart: {{ include "cainjector.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      app: {{ include "cainjector.name" . }}
+      release: {{ .Release.Name }}
+  {{- with .Values.strategy }}
+  strategy:
+    {{- . | toYaml | nindent 4 }}
+  {{- end }}
+  template:
+    metadata:
+      labels:
+        app: {{ include "cainjector.name" . }}
+        release: {{ .Release.Name }}
+      annotations:
+      {{- if .Values.podAnnotations }}
+{{ toYaml .Values.podAnnotations | indent 8 }}
+      {{- end }}
+    spec:
+      serviceAccountName: {{ include "cainjector.fullname" . }}
+      {{- if .Values.global.priorityClassName }}
+      priorityClassName: {{ .Values.global.priorityClassName | quote }}
+      {{- end }}
+      containers:
+        - name: {{ .Chart.Name }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          args:
+          {{- if .Values.global.leaderElection.namespace }}
+          - --leader-election-namespace={{ .Values.global.leaderElection.namespace }}
+          {{- else }}
+          - --leader-election-namespace=$(POD_NAMESPACE)
+          {{- end }}
+          {{- if .Values.extraArgs }}
+{{ toYaml .Values.extraArgs | indent 10 }}
+          {{- end }}
+          env:
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+          resources:
+{{ toYaml .Values.resources | indent 12 }}
+          volumeMounts:
+          - name: certs
+            mountPath: /certs
+      volumes:
+      - name: certs
+        secret:
+          secretName: {{ include "cainjector.servingCertificate" . }}
+    {{- with .Values.nodeSelector }}
+      nodeSelector:
+{{ toYaml . | indent 8 }}
+    {{- end }}
+    {{- with .Values.affinity }}
+      affinity:
+{{ toYaml . | indent 8 }}
+    {{- end }}
+    {{- with .Values.tolerations }}
+      tolerations:
+{{ toYaml . | indent 8 }}
+    {{- end }}

deploy/charts/cert-manager/cainjector/templates/rbac.yaml

@@ -2,10 +2,10 @@
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
 metadata:
-  name: {{ template "cert-manager.fullname" . }}-injector
+  name: {{ template "cainjector.fullname" . }}
   labels:
-    app: {{ template "cert-manager.name" . }}-injector
-    chart: {{ template "cert-manager.chart" . }}
+    app: {{ template "cainjector.name" . }}
+    chart: {{ template "cainjector.chart" . }}
     release: {{ .Release.Name }}
     heritage: {{ .Release.Service }}
 rules:
@@ -25,18 +25,18 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
-  name: {{ template "cert-manager.fullname" . }}-injector
+  name: {{ template "cainjector.fullname" . }}
   labels:
-    app: {{ template "cert-manager.name" . }}-injector
-    chart: {{ template "cert-manager.chart" . }}
+    app: {{ template "cainjector.name" . }}
+    chart: {{ template "cainjector.chart" . }}
     release: {{ .Release.Name }}
     heritage: {{ .Release.Service }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: {{ template "cert-manager.fullname" . }}-injector
+  name: {{ template "cainjector.fullname" . }}
 subjects:
-  - name: {{ template "cert-manager.serviceAccountName" . }}-injector
+  - name: {{ template "cainjector.serviceAccountName" . }}
     namespace: {{ .Release.Namespace | quote }}
     kind: ServiceAccount
-{{- end -}}
+  {{- end -}}

deploy/charts/cert-manager/cainjector/templates/serviceaccount.yaml

@@ -1,15 +1,15 @@
 {{- if .Values.serviceAccount.create -}}
 apiVersion: v1
 kind: ServiceAccount
-{{- if .Values.global.imagePullSecrets }}
+  {{- if .Values.global.imagePullSecrets }}
 imagePullSecrets: {{ toYaml .Values.global.imagePullSecrets | nindent 2 }}
-{{- end }}
+  {{- end }}
 metadata:
-  name: {{ template "cert-manager.serviceAccountName" . }}-injector
+  name: {{ template "cainjector.serviceAccountName" . }}
   namespace: {{ .Release.Namespace | quote }}
   labels:
-    app: {{ template "cert-manager.name" . }}-injector
-    chart: {{ template "cert-manager.chart" . }}
+    app: {{ template "cainjector.name" . }}
+    chart: {{ template "cainjector.chart" . }}
     release: {{ .Release.Name }}
     heritage: {{ .Release.Service }}
-{{- end -}}
+  {{- end -}}

deploy/charts/cert-manager/cainjector/values.yaml

@@ -0,0 +1,38 @@
+global:
+  ## Reference to one or more secrets to be used when pulling images
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+  ##
+  imagePullSecrets: []
+  # - name: "image-pull-secret"
+
+  # Optional priority class to be used for the cert-manager pods
+  priorityClassName: ""
+  rbac:
+    create: true
+
+  leaderElection:
+    # Override the namespace used to store the ConfigMap for leader election
+    namespace: ""
+
+replicaCount: 1
+
+strategy: {}
+  # type: RollingUpdate
+  # rollingUpdate:
+  #   maxSurge: 0
+  #   maxUnavailable: 1
+
+podAnnotations: {}
+
+# Optional additional arguments for cainjector
+extraArgs: []
+
+resources: {}
+  # requests:
+  #   cpu: 10m
+  #   memory: 32Mi
+
+image:
+  repository: quay.io/jetstack/cert-manager-cainjector
+  tag: v0.7.0-alpha.0
+  pullPolicy: IfNotPresent

deploy/charts/cert-manager/requirements.yaml

@@ -4,3 +4,7 @@ dependencies:
   version: "v0.7.0-alpha.1"
   repository: "file://webhook"
   condition: webhook.enabled
+- name: cainjector
+  version: "v0.7.0-alpha.1"
+  repository: "file://cainjector"
+  condition: cainjector.enabled

deploy/charts/cert-manager/templates/deployment-injector.yaml

@@ -1,98 +0,0 @@
-apiVersion: apps/v1beta1
-kind: Deployment
-metadata:
-  name: {{ template "cert-manager.fullname" . }}-injector
-  namespace: {{ .Release.Namespace | quote }}
-  labels:
-    app: {{ template "cert-manager.name" . }}-injector
-    chart: {{ template "cert-manager.chart" . }}
-    release: {{ .Release.Name }}
-    heritage: {{ .Release.Service }}
-spec:
-  replicas: {{ .Values.replicaCount }}
-  selector:
-    matchLabels:
-      app: {{ template "cert-manager.name" . }}-injector
-      release: {{ .Release.Name }}
-  {{- with .Values.strategy }}
-  strategy:
-    {{- . | toYaml | nindent 4 }}
-  {{- end }}
-  template:
-    metadata:
-      labels:
-        app: {{ template "cert-manager.name" . }}-injector
-        release: {{ .Release.Name }}
-{{- if .Values.podLabels }}
-{{ toYaml .Values.podLabels | indent 8 }}
-{{- end }}
-      annotations:
-      {{- if .Values.podAnnotations }}
-{{ toYaml .Values.podAnnotations | indent 8 }}
-      {{- end }}
-        prometheus.io/path: "/metrics"
-        prometheus.io/scrape: 'true'
-        prometheus.io/port: '9402'
-    spec:
-      serviceAccountName: {{ template "cert-manager.serviceAccountName" . }}-injector
-      {{- if .Values.global.priorityClassName }}
-      priorityClassName: {{ .Values.global.priorityClassName | quote }}
-      {{- end }}
-      {{- if .Values.securityContext.enabled }}
-      securityContext:
-        fsGroup: {{ .Values.securityContext.fsGroup }}
-        runAsUser: {{ .Values.securityContext.runAsUser }}
-      {{- end }}
-      containers:
-        - name: {{ .Chart.Name }}-injector
-          image:  "{{ .Values.image.injectorRepository }}:{{ .Values.image.tag }}"
-          imagePullPolicy: {{ .Values.image.pullPolicy }}
-          args:
-        {{- if .Values.leaderElection.namespace }}
-          - --leader-election-namespace={{ .Values.leaderElection.namespace }}
-        {{- else }}
-          - --leader-election-namespace=$(POD_NAMESPACE)
-        {{- end }}
-          ports:
-          - containerPort: 9402
-          env:
-          - name: POD_NAMESPACE
-            valueFrom:
-              fieldRef:
-                fieldPath: metadata.namespace
-        {{- if .Values.extraEnv }}
-{{ toYaml .Values.extraEnv | indent 10 }}
-        {{- end }}
-          {{- if .Values.http_proxy }}
-          - name: HTTP_PROXY
-            value: {{ .Values.http_proxy }}
-          {{- end }}
-          {{- if .Values.https_proxy }}
-          - name: HTTPS_PROXY
-            value: {{ .Values.https_proxy }}
-          {{- end }}
-          {{- if .Values.no_proxy }}
-          - name: NO_PROXY
-            value: {{ .Values.no_proxy }}
-          {{- end }}
-          resources:
-{{ toYaml .Values.resources | indent 12 }}
-    {{- with .Values.nodeSelector }}
-      nodeSelector:
-{{ toYaml . | indent 8 }}
-    {{- end }}
-    {{- with .Values.affinity }}
-      affinity:
-{{ toYaml . | indent 8 }}
-    {{- end }}
-    {{- with .Values.tolerations }}
-      tolerations:
-{{ toYaml . | indent 8 }}
-    {{- end }}
-{{- if .Values.podDnsPolicy }}
-      dnsPolicy: {{ .Values.podDnsPolicy }}
-{{- end }}
-{{- if .Values.podDnsConfig }}
-      dnsConfig:
-{{ toYaml .Values.podDnsConfig | indent 8 }}
-{{- end }}

deploy/charts/cert-manager/templates/deployment.yaml

@@ -53,8 +53,8 @@ spec:
         {{- else }}
           - --cluster-resource-namespace=$(POD_NAMESPACE)
         {{- end }}
-        {{- if .Values.leaderElection.namespace }}
-          - --leader-election-namespace={{ .Values.leaderElection.namespace }}
+        {{- if .Values.global.leaderElection.namespace }}
+          - --leader-election-namespace={{ .Values.globa.leaderElection.namespace }}
         {{- else }}
           - --leader-election-namespace=$(POD_NAMESPACE)
         {{- end }}

deploy/charts/cert-manager/values.yaml

@@ -13,6 +13,10 @@ global:
   rbac:
     create: true
 
+  leaderElection:
+    # Override the namespace used to store the ConfigMap for leader election
+    namespace: ""
+
 replicaCount: 1
 
 strategy: {}
@@ -32,10 +36,6 @@ image:
 # used. This namespace will not be automatically created by the Helm chart.
 clusterResourceNamespace: ""
 
-leaderElection:
-  # Override the namespace used to store the ConfigMap for leader election
-  namespace: ""
-
 serviceAccount:
   # Specifies whether a service account should be created
   create: true
@@ -90,6 +90,9 @@ ingressShim: {}
 webhook:
   enabled: true
 
+cainjector:
+  enabled: true
+
 # Use these variables to configure the HTTP_PROXY environment variables
 # http_proxy: "http://proxy:8080"
 # http_proxy: "http://proxy:8080"