Enhance Helm chart and apply best practices

* Update Chart.yaml * Make templates namespaced * Update config table in README.md * Apply best practices for RBAC (see https://github.com/kubernetes/helm/blob/master/docs/chart_best_practices/rbac.md) * Add extra args for cert-manager container * Make list indentation consistent * Apply standard labels on all resources * Add some content to NOTES.txt
2017-12-18 14:59:59 +01:00 · 2017-12-18 14:59:59 +01:00 · 8e9bf46cb6
commit 8e9bf46cb6
parent 21b4d2821c
12 changed files with 123 additions and 57 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,4 +1,5 @@
 .DS_Store
+.idea
 /acmesolver
 /controller
 /hack/build/dockerfiles/cert-manager-*_*_*
--- a/contrib/charts/cert-manager/Chart.yaml
+++ b/contrib/charts/cert-manager/Chart.yaml
@ -1,4 +1,12 @@
-apiVersion: v1
-description: A Helm chart for Kubernetes
 name: cert-manager
 version: 0.1.0
+appVersion: 0.2.2
+description: A Helm chart for cert-manager
+home: https://github.com/jetstack/cert-manager
+keywords:
+  - cert-manager
+  - kube-lego
+  - letsencrypt
+  - tls
+sources:
+  - https://github.com/jetstack/cert-manager
--- a/contrib/charts/cert-manager/README.md
+++ b/contrib/charts/cert-manager/README.md
@ -44,15 +44,24 @@ The command removes all the Kubernetes components associated with the chart and

 The following tables lists the configurable parameters of the cert-manager chart and their default values.

-| Parameter              | Description                             | Default                                        |
-| ---------------------- | --------------------------------------- | ---------------------------------------------- |
-| `image.repository`     | Image repository                        | `quay.io/jetstack/cert-manager-controller`     |
-| `image.tag`            | Image tag                               | `v0.2.3`                                       |
-| `image.pullPolicy`     | Image pull policy                       | `Always`                                       |
-| `replicaCount`         | Number of cert-manager replicas         | `1`                                            |
-| `createCustomResource` | Create CRD/TPR with this release        | `true`                                         |
-| `rbac.enabled`         | Create RBAC resources with this release | `true`                                         |
-| `resources`            | CPU/Memory resource requests/limits     | `None`                                         |
+| Parameter | Description | Default |
+| --------- | ----------- | ------- |
+| `image.repository` | Image repository | `quay.io/jetstack/cert-manager-controller` |
+| `image.tag` | Image tag | `v0.2.3` |
+| `image.pullPolicy` | Image pull policy | `IfNotPresent` |
+| `replicaCount`  | Number of cert-manager replicas  | `1` |
+| `createCustomResource` | Create CRD/TPR with this release | `true` |
+| `extraArgs` | Optional flags for cert-manager | `[]` |
+| `rbac.create` | If true, create & use RBAC resources | `true`
+| `rbac.serviceAccountName` | ServiceAccount to be used (ignored if rbac.create=true) | `default`
+| `resources` | CPU/memory resource requests/limits | `requests: {cpu: 10m, memory: 32Mi}` |
+| `nodeSelector` | Node labels for pod assignment | `{}` |
+| `ingressShim.enabled` | Enable ingress-shim for automatic ingress integration | `true`|
+| `ingressShim.extraArgs` | Optional flags for ingress-shim | `[]` |
+| `ingressShim.resources` | CPU/memory resource requests/limits for ingress-shim | `requests: {cpu: 10m, memory: 32Mi}` |
+| `ingressShim.image.repository` | Image repository for ingress-shim | `quay.io/jetstack/cert-manager-ingress-shim` |
+| `ingressShim.image.tag` | Image tag for ingress-shim. Defaults to `image.tag` if empty | `` |
+| `ingressShim.image.pullPolicy` | Image pull policy for ingress-shim | `IfNotPresent` |

 Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`.

--- a/contrib/charts/cert-manager/templates/NOTES.txt
+++ b/contrib/charts/cert-manager/templates/NOTES.txt
@ -0,0 +1,5 @@
+cert-manager has been deployed successfully!
+
+You may now go ahead and create issuers and certificates.
+
+See https://github.com/jetstack/cert-manager/blob/master/docs/README.md
--- a/contrib/charts/cert-manager/templates/_helpers.tpl
+++ b/contrib/charts/cert-manager/templates/_helpers.tpl
@ -2,7 +2,7 @@
 {{/*
 Expand the name of the chart.
 */}}
-{{- define "name" -}}
+{{- define "cert-manager.name" -}}
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
 {{- end -}}

@ -10,7 +10,15 @@ Expand the name of the chart.
 Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
 */}}
-{{- define "fullname" -}}
+{{- define "cert-manager.fullname" -}}
 {{- $name := default .Chart.Name .Values.nameOverride -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- $fullname := printf "%s-%s" $name .Release.Name -}}
+{{- default $fullname .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "cert-manager.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
--- a/contrib/charts/cert-manager/templates/certificate-crd.yaml
+++ b/contrib/charts/cert-manager/templates/certificate-crd.yaml
@ -4,6 +4,11 @@ apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
  name: certificates.certmanager.k8s.io
+  labels:
+    app: {{ template "cert-manager.name" . }}
+    chart: {{ template "cert-manager.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
 spec:
  group: certmanager.k8s.io
  version: v1alpha1
@ -18,6 +23,6 @@ metadata:
  name: certificate.certmanager.k8s.io
 description: "A specification for a cert-manager certificate"
 versions:
- name: v1alpha1
+  - name: v1alpha1
 {{- end -}}
 {{- end -}}
--- a/contrib/charts/cert-manager/templates/clusterissuer-crd.yaml
+++ b/contrib/charts/cert-manager/templates/clusterissuer-crd.yaml
@ -4,6 +4,11 @@ apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
  name: clusterissuers.certmanager.k8s.io
+  labels:
+    app: {{ template "cert-manager.name" . }}
+    chart: {{ template "cert-manager.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
 spec:
  group: certmanager.k8s.io
  version: v1alpha1
--- a/contrib/charts/cert-manager/templates/deployment.yaml
+++ b/contrib/charts/cert-manager/templates/deployment.yaml
@ -1,40 +1,41 @@
-apiVersion: extensions/v1beta1
+apiVersion: apps/v1beta1
 kind: Deployment
 metadata:
-  name: {{ template "fullname" . }}
+  name: {{ template "cert-manager.fullname" . }}
  labels:
-    app: {{ template "name" . }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    app: {{ template "cert-manager.name" . }}
+    chart: {{ template "cert-manager.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
 spec:
  replicas: {{ .Values.replicaCount }}
+  strategy:
+    type: Recreate
  template:
    metadata:
      labels:
-        app: {{ template "name" . }}
+        app: {{ template "cert-manager.name" . }}
        release: {{ .Release.Name }}
    spec:
-      serviceAccount: {{ template "fullname" . }}
-      serviceAccountName: {{ template "fullname" . }}
+      serviceAccountName: {{ if .Values.rbac.create }}{{ template "cert-manager.fullname" . }}{{ else }}"{{ .Values.rbac.serviceAccountName }}"{{ end }}
      containers:
        - name: {{ .Chart.Name }}
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
          imagePullPolicy: {{ .Values.image.pullPolicy }}
+        {{- if .Values.extraArgs }}
          args:
-{{- range .Values.extraArgs }}
-          - {{ . }}
-{{- end }}
+{{ toYaml .Values.extraArgs | indent 12 }}
+        {{- end }}
          resources:
 {{ toYaml .Values.resources | indent 12 }}
 {{- if .Values.ingressShim.enabled }}
        - name: ingress-shim
-          image: "{{ .Values.ingressShim.image.repository }}:{{ default .Values.ingressShim.image.tag | default .Values.image.tag }}"
+          image: "{{ .Values.ingressShim.image.repository }}:{{ default .Values.ingressShim.image.tag .Values.image.tag }}"
          imagePullPolicy: {{ .Values.ingressShim.image.pullPolicy }}
+        {{- if .Values.ingressShim.extraArgs }}
          args:
-{{- range .Values.ingressShim.extraArgs }}
-          - {{ . }}
-{{- end }}
+{{ toYaml .Values.ingressShim.extraArgs | indent 12 }}
+        {{- end }}
          resources:
 {{ toYaml .Values.ingressShim.resources | indent 12 }}
 {{- end }}
--- a/contrib/charts/cert-manager/templates/issuer-crd.yaml
+++ b/contrib/charts/cert-manager/templates/issuer-crd.yaml
@ -4,6 +4,11 @@ apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
  name: issuers.certmanager.k8s.io
+  labels:
+    app: {{ template "cert-manager.name" . }}
+    chart: {{ template "cert-manager.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
 spec:
  group: certmanager.k8s.io
  version: v1alpha1
@ -11,13 +16,18 @@ spec:
    kind: Issuer
    plural: issuers
  scope: Namespaced
-{{ else if .Capabilities.APIVersions.Has "extensions/v1beta1"  }}
+{{ else if .Capabilities.APIVersions.Has "extensions/v1beta1" }}
 apiVersion: extensions/v1beta1
 kind: ThirdPartyResource
 metadata:
  name: issuer.certmanager.k8s.io
+  labels:
+    app: {{ template "cert-manager.name" . }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
 description: "A specification for a cert-manager issuer"
 versions:
- name: v1alpha1
+  - name: v1alpha1
 {{- end -}}
 {{- end -}}
--- a/contrib/charts/cert-manager/templates/rbac.yaml
+++ b/contrib/charts/cert-manager/templates/rbac.yaml
@ -1,39 +1,39 @@
-{{- if .Values.rbac.enabled -}}
+{{- if .Values.rbac.create -}}
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
 metadata:
-  name: {{ template "fullname" . }}
+  name: {{ template "cert-manager.fullname" . }}
  labels:
-    app: {{ template "name" . }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    app: {{ template "cert-manager.name" . }}
+    chart: {{ template "cert-manager.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
 rules:
- apiGroups: ["certmanager.k8s.io"]
-  resources: ["certificates", "issuers", "clusterissuers"]
-  verbs: ["*"]
- apiGroups: [""]
-  resources: ["secrets", "events", "endpoints", "services", "pods"]
-  verbs: ["*"]
- apiGroups: ["extensions"]
-  resources: ["ingresses"]
-  verbs: ["*"]
+  - apiGroups: ["certmanager.k8s.io"]
+    resources: ["certificates", "issuers", "clusterissuers"]
+    verbs: ["*"]
+  - apiGroups: [""]
+    resources: ["secrets", "events", "endpoints", "services", "pods"]
+    verbs: ["*"]
+  - apiGroups: ["extensions"]
+    resources: ["ingresses"]
+    verbs: ["*"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
-  name: {{ template "fullname" . }}
+  name: {{ template "cert-manager.fullname" . }}
  labels:
-    app: {{ template "name" . }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    app: {{ template "cert-manager.name" . }}
+    chart: {{ template "cert-manager.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
-  name: {{ template "fullname" . }}
+  name: {{ template "cert-manager.fullname" . }}
 subjects:
- name: {{ template "fullname" . }}
-  namespace: {{ .Release.Namespace | quote }}
-  kind: ServiceAccount
+  - name: {{ template "cert-manager.fullname" . }}
+    namespace: {{ .Release.Namespace | quote }}
+    kind: ServiceAccount
 {{- end -}}
--- a/contrib/charts/cert-manager/templates/serviceaccount.yaml
+++ b/contrib/charts/cert-manager/templates/serviceaccount.yaml
@ -1,9 +1,11 @@
+{{- if .Values.rbac.create -}}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ template "fullname" . }}
+  name: {{ template "cert-manager.fullname" . }}
  labels:
-    app: {{ template "name" . }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    app: {{ template "cert-manager.name" . }}
+    chart: {{ template "cert-manager.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
+{{- end -}}
--- a/contrib/charts/cert-manager/values.yaml
+++ b/contrib/charts/cert-manager/values.yaml
@ -6,12 +6,17 @@ replicaCount: 1
 image:
  repository: quay.io/jetstack/cert-manager-controller
  tag: v0.2.3
-  pullPolicy: Always
+  pullPolicy: IfNotPresent

 createCustomResource: true

 rbac:
-  enabled: true
+  create: true
+  serviceAccountName: default
+
+# Optional additional arguments
+extraArgs: []
+  # - --cluster-resource-namespace=ingress

 resources:
  requests:
@ -21,17 +26,24 @@ resources:
 # Optional additional arguments for cert-manager
 extraArgs: []

+nodeSelector: {}
+
 ingressShim:
  enabled: true
+
  # Optional additional arguments for ingress-shim
  extraArgs: []
+
  resources:
    requests:
      cpu: 10m
      memory: 32Mi
+
  image:
    repository: quay.io/jetstack/cert-manager-ingress-shim
+
    # Defaults to image.tag.
    # You should only change this if you know what you are doing!
    # tag: v0.2.3
-    pullPolicy: Always
+
+    pullPolicy: IfNotPresent