diff --git a/deploy/charts/cert-manager/cainjector/.helmignore b/deploy/charts/cert-manager/cainjector/.helmignore
new file mode 100644
index 000000000..f0c131944
--- /dev/null
+++ b/deploy/charts/cert-manager/cainjector/.helmignore
@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
diff --git a/deploy/charts/cert-manager/cainjector/Chart.yaml b/deploy/charts/cert-manager/cainjector/Chart.yaml
new file mode 100644
index 000000000..421312955
--- /dev/null
+++ b/deploy/charts/cert-manager/cainjector/Chart.yaml
@@ -0,0 +1,16 @@
+name: cainjector
+apiVersion: v1
+version: "v0.7.0-alpha.2"
+appVersion: "v0.7.0-alpha.0"
+description: A Helm chart for deploying the cert-manager cainjector component
+home: https://github.com/jetstack/cert-manager
+sources:
+ - https://github.com/jetstack/cert-manager
+keywords:
+ - cert-manager
+ - kube-lego
+ - letsencrypt
+ - tls
+maintainers:
+ - name: munnerz
+ email: james@jetstack.io
diff --git a/deploy/charts/cert-manager/cainjector/templates/NOTES.txt b/deploy/charts/cert-manager/cainjector/templates/NOTES.txt
new file mode 100644
index 000000000..e69de29bb
diff --git a/deploy/charts/cert-manager/cainjector/templates/_helpers.tpl b/deploy/charts/cert-manager/cainjector/templates/_helpers.tpl
new file mode 100644
index 000000000..b8efa0efe
--- /dev/null
+++ b/deploy/charts/cert-manager/cainjector/templates/_helpers.tpl
@@ -0,0 +1,48 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "cainjector.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "cainjector.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "cainjector.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "cainjector.selfSignedIssuer" -}}
+{{ printf "%s-selfsign" (include "cainjector.fullname" .) }}
+{{- end -}}
+
+{{- define "cainjector.rootCAIssuer" -}}
+{{ printf "%s-ca" (include "cainjector.fullname" .) }}
+{{- end -}}
+
+{{- define "cainjector.rootCACertificate" -}}
+{{ printf "%s-ca" (include "cainjector.fullname" .) }}
+{{- end -}}
+
+{{- define "cainjector.servingCertificate" -}}
+{{ printf "%s-cainjector-tls" (include "cainjector.fullname" .) }}
+{{- end -}}
diff --git a/deploy/charts/cert-manager/cainjector/templates/deployment.yaml b/deploy/charts/cert-manager/cainjector/templates/deployment.yaml
new file mode 100644
index 000000000..5719dfe1a
--- /dev/null
+++ b/deploy/charts/cert-manager/cainjector/templates/deployment.yaml
@@ -0,0 +1,73 @@
+apiVersion: apps/v1beta1
+kind: Deployment
+metadata:
+ name: {{ include "cainjector.fullname" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ app: {{ include "cainjector.name" . }}
+ chart: {{ include "cainjector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ replicas: {{ .Values.replicaCount }}
+ selector:
+ matchLabels:
+ app: {{ include "cainjector.name" . }}
+ release: {{ .Release.Name }}
+ {{- with .Values.strategy }}
+ strategy:
+ {{- . | toYaml | nindent 4 }}
+ {{- end }}
+ template:
+ metadata:
+ labels:
+ app: {{ include "cainjector.name" . }}
+ release: {{ .Release.Name }}
+ annotations:
+ {{- if .Values.podAnnotations }}
+{{ toYaml .Values.podAnnotations | indent 8 }}
+ {{- end }}
+ spec:
+ serviceAccountName: {{ include "cainjector.fullname" . }}
+ {{- if .Values.global.priorityClassName }}
+ priorityClassName: {{ .Values.global.priorityClassName | quote }}
+ {{- end }}
+ containers:
+ - name: {{ .Chart.Name }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ args:
+ {{- if .Values.global.leaderElection.namespace }}
+ - --leader-election-namespace={{ .Values.global.leaderElection.namespace }}
+ {{- else }}
+ - --leader-election-namespace=$(POD_NAMESPACE)
+ {{- end }}
+ {{- if .Values.extraArgs }}
+{{ toYaml .Values.extraArgs | indent 10 }}
+ {{- end }}
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ resources:
+{{ toYaml .Values.resources | indent 12 }}
+ volumeMounts:
+ - name: certs
+ mountPath: /certs
+ volumes:
+ - name: certs
+ secret:
+ secretName: {{ include "cainjector.servingCertificate" . }}
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+{{ toYaml . | indent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+{{ toYaml . | indent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+{{ toYaml . | indent 8 }}
+ {{- end }}
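Review bot: The pod spec added here has no `securityContext` between `serviceAccountName` and `containers`, whereas the deployment-injector.yaml this commit deletes set `fsGroup` and `runAsUser` when `.Values.securityContext.enabled` was true. The cainjector container therefore runs as whatever user the image defaults to, and operators lose the setting that let them change that. I would carry the block over, guarded with `with` so a values file that lacks the key still renders, and add a matching `securityContext: {}` entry to cainjector/values.yaml. Separately, nothing in the files shown creates the Secret named by `cainjector.servingCertificate` that the `certs` volume mounts, so confirm a Certificate for it ships with the chart; otherwise the pod cannot start.

```yaml
      serviceAccountName: {{ include "cainjector.fullname" . }}
      {{- with .Values.securityContext }}
      securityContext:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      # … unchanged: priorityClassName, containers, volumes …
```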
diff --git a/deploy/charts/cert-manager/templates/rbac-injector.yaml b/deploy/charts/cert-manager/cainjector/templates/rbac.yaml similarity index 66% rename from deploy/charts/cert-manager/templates/rbac-injector.yaml rename to deploy/charts/cert-manager/cainjector/templates/rbac.yaml index 880f362a6..82e828737 100644 --- a/deploy/charts/cert-manager/templates/rbac-injector.yaml +++ b/deploy/charts/cert-manager/cainjector/templates/rbac.yaml @@ -2,10 +2,10 @@ apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: - name: {{ template "cert-manager.fullname" . }}-injector + name: {{ template "cainjector.fullname" . }} labels: - app: {{ template "cert-manager.name" . }}-injector - chart: {{ template "cert-manager.chart" . }} + app: {{ template "cainjector.name" . }} + chart: {{ template "cainjector.chart" . }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} rules: @@ -25,18 +25,18 @@ rules: apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: - name: {{ template "cert-manager.fullname" . }}-injector + name: {{ template "cainjector.fullname" . }} labels: - app: {{ template "cert-manager.name" . }}-injector - chart: {{ template "cert-manager.chart" . }} + app: {{ template "cainjector.name" . }} + chart: {{ template "cainjector.chart" . }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: {{ template "cert-manager.fullname" . }}-injector + name: {{ template "cainjector.fullname" . }} subjects: - - name: {{ template "cert-manager.serviceAccountName" . }}-injector + - name: {{ template "cainjector.serviceAccountName" . }} namespace: {{ .Release.Namespace | quote }} kind: ServiceAccount -{{- end -}} + {{- end -}} 
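Review bot: The ClusterRoleBinding subject in the second hunk now uses `{{ template "cainjector.serviceAccountName" . }}`, but the `_helpers.tpl` added by this commit defines only `cainjector.name`, `cainjector.fullname`, `cainjector.chart` and the issuer/certificate name helpers. Unless that template is defined somewhere not shown, the chart fails to render; templates/serviceaccount.yaml references the same missing name. The new Deployment sets `serviceAccountName: {{ include "cainjector.fullname" . }}`, so the subject and the ServiceAccount must resolve to that same string, otherwise the ClusterRole ends up bound to an account the pod does not run as. Either use `{{ include "cainjector.fullname" . }}` in both places or add a `cainjector.serviceAccountName` define that defaults to the fullname. The guard that opens rbac.yaml is outside these hunks.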
diff --git a/deploy/charts/cert-manager/templates/serviceaccount-injector.yaml b/deploy/charts/cert-manager/cainjector/templates/serviceaccount.yaml similarity index 54% rename from deploy/charts/cert-manager/templates/serviceaccount-injector.yaml rename to deploy/charts/cert-manager/cainjector/templates/serviceaccount.yaml index 46c8f873e..3ec9ec441 100644 --- a/deploy/charts/cert-manager/templates/serviceaccount-injector.yaml +++ b/deploy/charts/cert-manager/cainjector/templates/serviceaccount.yaml @@ -1,15 +1,15 @@ {{- if .Values.serviceAccount.create -}} apiVersion: v1 kind: ServiceAccount -{{- if .Values.global.imagePullSecrets }} + {{- if .Values.global.imagePullSecrets }} imagePullSecrets: {{ toYaml .Values.global.imagePullSecrets | nindent 2 }} -{{- end }} + {{- end }} metadata: - name: {{ template "cert-manager.serviceAccountName" . }}-injector + name: {{ template "cainjector.serviceAccountName" . }} namespace: {{ .Release.Namespace | quote }} labels: - app: {{ template "cert-manager.name" . }}-injector - chart: {{ template "cert-manager.chart" . }} + app: {{ template "cainjector.name" . }} + chart: {{ template "cainjector.chart" . }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} -{{- end -}} + {{- end -}} diff --git a/deploy/charts/cert-manager/cainjector/values.yaml b/deploy/charts/cert-manager/cainjector/values.yaml new file mode 100644 index 000000000..9b8a789f4 --- /dev/null +++ b/deploy/charts/cert-manager/cainjector/values.yaml 
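Review bot: The guard `{{- if .Values.serviceAccount.create -}}` on the first line reads a key that the new cainjector/values.yaml never defines. Inside the subchart `.Values` is the subchart's own values plus `global`, and the parent only adds `cainjector: enabled: true`, so this lookup is likely to fail at render time with a nil-pointer error rather than create the account. Add a `serviceAccount:` stanza with `create: true` to cainjector/values.yaml so the guard has something to read and operators can still opt out.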
@@ -0,0 +1,38 @@ +global: + ## Reference to one or more secrets to be used when pulling images + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + imagePullSecrets: [] + # - name: "image-pull-secret" + + # Optional priority class to be used for the cert-manager pods + priorityClassName: "" + rbac: + create: true + + leaderElection: + # Override the namespace used to store the ConfigMap for leader election + namespace: "" + +replicaCount: 1 + +strategy: {} + # type: RollingUpdate + # rollingUpdate: + # maxSurge: 0 + # maxUnavailable: 1 + +podAnnotations: {} + +# Optional additional arguments for cainjector +extraArgs: [] + +resources: {} + # requests: + # cpu: 10m + # memory: 32Mi + +image: + repository: quay.io/jetstack/cert-manager-cainjector + tag: v0.7.0-alpha.0 + pullPolicy: IfNotPresent diff --git a/deploy/charts/cert-manager/requirements.yaml b/deploy/charts/cert-manager/requirements.yaml index 6131ff088..900d6ebe0 100644 --- a/deploy/charts/cert-manager/requirements.yaml +++ b/deploy/charts/cert-manager/requirements.yaml @@ -4,3 +4,7 @@ dependencies: version: "v0.7.0-alpha.1" repository: "file://webhook" condition: webhook.enabled +- name: cainjector + version: "v0.7.0-alpha.1" + repository: "file://cainjector" + condition: cainjector.enabled diff --git a/deploy/charts/cert-manager/templates/deployment-injector.yaml b/deploy/charts/cert-manager/templates/deployment-injector.yaml deleted file mode 100644 index 6bb405cb5..000000000 --- a/deploy/charts/cert-manager/templates/deployment-injector.yaml +++ /dev/null 
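Review bot: The dependency entry added to requirements.yaml pins `version: "v0.7.0-alpha.1"`, but the cainjector/Chart.yaml added in this same commit declares `version: "v0.7.0-alpha.2"`. With a `file://cainjector` repository Helm checks the constraint against the local chart's version, so dependency resolution is likely to fail on the mismatch. Make the two agree, for example `version: "v0.7.0-alpha.2"` in this entry. Only the tail of the `dependencies` list is visible in the hunk.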
@@ -1,98 +0,0 @@ -apiVersion: apps/v1beta1 -kind: Deployment -metadata: - name: {{ template "cert-manager.fullname" . }}-injector - namespace: {{ .Release.Namespace | quote }} - labels: - app: {{ template "cert-manager.name" . }}-injector - chart: {{ template "cert-manager.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ template "cert-manager.name" . }}-injector - release: {{ .Release.Name }} - {{- with .Values.strategy }} - strategy: - {{- . | toYaml | nindent 4 }} - {{- end }} - template: - metadata: - labels: - app: {{ template "cert-manager.name" . }}-injector - release: {{ .Release.Name }} -{{- if .Values.podLabels }} -{{ toYaml .Values.podLabels | indent 8 }} -{{- end }} - annotations: - {{- if .Values.podAnnotations }} -{{ toYaml .Values.podAnnotations | indent 8 }} - {{- end }} - prometheus.io/path: "/metrics" - prometheus.io/scrape: 'true' - prometheus.io/port: '9402' - spec: - serviceAccountName: {{ template "cert-manager.serviceAccountName" . 
}}-injector - {{- if .Values.global.priorityClassName }} - priorityClassName: {{ .Values.global.priorityClassName | quote }} - {{- end }} - {{- if .Values.securityContext.enabled }} - securityContext: - fsGroup: {{ .Values.securityContext.fsGroup }} - runAsUser: {{ .Values.securityContext.runAsUser }} - {{- end }} - containers: - - name: {{ .Chart.Name }}-injector - image: "{{ .Values.image.injectorRepository }}:{{ .Values.image.tag }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - args: - {{- if .Values.leaderElection.namespace }} - - --leader-election-namespace={{ .Values.leaderElection.namespace }} - {{- else }} - - --leader-election-namespace=$(POD_NAMESPACE) - {{- end }} - ports: - - containerPort: 9402 - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - {{- if .Values.extraEnv }} -{{ toYaml .Values.extraEnv | indent 10 }} - {{- end }} - {{- if .Values.http_proxy }} - - name: HTTP_PROXY - value: {{ .Values.http_proxy }} - {{- end }} - {{- if .Values.https_proxy }} - - name: HTTPS_PROXY - value: {{ .Values.https_proxy }} - {{- end }} - {{- if .Values.no_proxy }} - - name: NO_PROXY - value: {{ .Values.no_proxy }} - {{- end }} - resources: -{{ toYaml .Values.resources | indent 12 }} - {{- with .Values.nodeSelector }} - nodeSelector: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: -{{ toYaml . | indent 8 }} - {{- end }} -{{- if .Values.podDnsPolicy }} - dnsPolicy: {{ .Values.podDnsPolicy }} -{{- end }} -{{- if .Values.podDnsConfig }} - dnsConfig: -{{ toYaml .Values.podDnsConfig | indent 8 }} -{{- end }} diff --git a/deploy/charts/cert-manager/templates/deployment.yaml b/deploy/charts/cert-manager/templates/deployment.yaml index df8cdb216..14e76db97 100644 --- a/deploy/charts/cert-manager/templates/deployment.yaml +++ b/deploy/charts/cert-manager/templates/deployment.yaml 
@@ -53,8 +53,8 @@ spec: {{- else }} - --cluster-resource-namespace=$(POD_NAMESPACE) {{- end }} - {{- if .Values.leaderElection.namespace }} - - --leader-election-namespace={{ .Values.leaderElection.namespace }} + {{- if .Values.global.leaderElection.namespace }} + - --leader-election-namespace={{ .Values.globa.leaderElection.namespace }} {{- else }} - --leader-election-namespace=$(POD_NAMESPACE) {{- end }} diff --git a/deploy/charts/cert-manager/values.yaml b/deploy/charts/cert-manager/values.yaml index b11c2f91d..72461e8a3 100644 --- a/deploy/charts/cert-manager/values.yaml +++ b/deploy/charts/cert-manager/values.yaml @@ -13,6 +13,10 @@ global: rbac: create: true + leaderElection: + # Override the namespace used to store the ConfigMap for leader election + namespace: "" + replicaCount: 1 strategy: {} @@ -32,10 +36,6 @@ image: # used. This namespace will not be automatically created by the Helm chart. clusterResourceNamespace: "" -leaderElection: - # Override the namespace used to store the ConfigMap for leader election - namespace: "" - serviceAccount: # Specifies whether a service account should be created create: true @@ -90,6 +90,9 @@ ingressShim: {} webhook: enabled: true +cainjector: + enabled: true + # Use these variables to configure the HTTP_PROXY environment variables # http_proxy: "http://proxy:8080" # http_proxy: "http://proxy:8080"
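Review bot: The added argument line in templates/deployment.yaml reads `.Values.globa.leaderElection.namespace`, where `globa` is a typo for `global`; the `if` guard directly above it uses the correct path. As soon as an operator sets `global.leaderElection.namespace` the guard passes and the misspelled lookup hits a missing key, so rendering should fail (or the flag renders empty) and the override never takes effect. Change the line to `- --leader-election-namespace={{ .Values.global.leaderElection.namespace }}`. The enclosing `args:` list starts and ends outside the hunk.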