Deployment files for CA Injector

This adds deployment files for the CA injector to the cert-manager
controller chart.  It reuses as much as possible from the existing
deployment options.

Signed-off-by: Solly Ross <sollyross@google.com>

deploy/charts/cert-manager/templates/deployment-injector.yaml

@@ -0,0 +1,98 @@
+apiVersion: apps/v1beta1
+kind: Deployment
+metadata:
+  name: {{ template "cert-manager.fullname" . }}-injector
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    app: {{ template "cert-manager.name" . }}-injector
+    chart: {{ template "cert-manager.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      app: {{ template "cert-manager.name" . }}-injector
+      release: {{ .Release.Name }}
+  {{- with .Values.strategy }}
+  strategy:
+    {{- . | toYaml | nindent 4 }}
+  {{- end }}
+  template:
+    metadata:
+      labels:
+        app: {{ template "cert-manager.name" . }}-injector
+        release: {{ .Release.Name }}
+{{- if .Values.podLabels }}
+{{ toYaml .Values.podLabels | indent 8 }}
+{{- end }}
+      annotations:
+      {{- if .Values.podAnnotations }}
+{{ toYaml .Values.podAnnotations | indent 8 }}
+      {{- end }}
+        prometheus.io/path: "/metrics"
+        prometheus.io/scrape: 'true'
+        prometheus.io/port: '9402'
+    spec:
+      serviceAccountName: {{ template "cert-manager.serviceAccountName" . }}-injector
+      {{- if .Values.global.priorityClassName }}
+      priorityClassName: {{ .Values.global.priorityClassName | quote }}
+      {{- end }}
+      {{- if .Values.securityContext.enabled }}
+      securityContext:
+        fsGroup: {{ .Values.securityContext.fsGroup }}
+        runAsUser: {{ .Values.securityContext.runAsUser }}
+      {{- end }}
+      containers:
+        - name: {{ .Chart.Name }}-injector
+          image:  "{{ .Values.image.injectorRepository }}:{{ .Values.image.tag }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          args:
+        {{- if .Values.leaderElection.namespace }}
+          - --leader-election-namespace={{ .Values.leaderElection.namespace }}
+        {{- else }}
+          - --leader-election-namespace=$(POD_NAMESPACE)
+        {{- end }}
+          ports:
+          - containerPort: 9402
+          env:
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+        {{- if .Values.extraEnv }}
+{{ toYaml .Values.extraEnv | indent 10 }}
+        {{- end }}
+          {{- if .Values.http_proxy }}
+          - name: HTTP_PROXY
+            value: {{ .Values.http_proxy }}
+          {{- end }}
+          {{- if .Values.https_proxy }}
+          - name: HTTPS_PROXY
+            value: {{ .Values.https_proxy }}
+          {{- end }}
+          {{- if .Values.no_proxy }}
+          - name: NO_PROXY
+            value: {{ .Values.no_proxy }}
+          {{- end }}
+          resources:
+{{ toYaml .Values.resources | indent 12 }}
+    {{- with .Values.nodeSelector }}
+      nodeSelector:
+{{ toYaml . | indent 8 }}
+    {{- end }}
+    {{- with .Values.affinity }}
+      affinity:
+{{ toYaml . | indent 8 }}
+    {{- end }}
+    {{- with .Values.tolerations }}
+      tolerations:
+{{ toYaml . | indent 8 }}
+    {{- end }}
+{{- if .Values.podDnsPolicy }}
+      dnsPolicy: {{ .Values.podDnsPolicy }}
+{{- end }}
+{{- if .Values.podDnsConfig }}
+      dnsConfig:
+{{ toYaml .Values.podDnsConfig | indent 8 }}
+{{- end }}

deploy/charts/cert-manager/templates/rbac-injector.yaml

@@ -0,0 +1,42 @@
+{{- if .Values.global.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: {{ template "cert-manager.fullname" . }}-injector
+  labels:
+    app: {{ template "cert-manager.name" . }}-injector
+    chart: {{ template "cert-manager.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+rules:
+  - apiGroups: ["certmanager.k8s.io"]
+    resources: ["certificates"]
+    verbs: ["*"]
+  - apiGroups: [""]
+    resources: ["secrets", "configmaps", "events"]
+    verbs: ["*"]
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
+    verbs: ["*"]
+  - apiGroups: ["apiregistration.k8s.io"]
+    resources: ["apiservices"]
+    verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "cert-manager.fullname" . }}-injector
+  labels:
+    app: {{ template "cert-manager.name" . }}-injector
+    chart: {{ template "cert-manager.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "cert-manager.fullname" . }}-injector
+subjects:
+  - name: {{ template "cert-manager.serviceAccountName" . }}-injector
+    namespace: {{ .Release.Namespace | quote }}
+    kind: ServiceAccount
+{{- end -}}

deploy/charts/cert-manager/templates/serviceaccount-injector.yaml

@@ -0,0 +1,15 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+{{- if .Values.global.imagePullSecrets }}
+imagePullSecrets: {{ toYaml .Values.global.imagePullSecrets | nindent 2 }}
+{{- end }}
+metadata:
+  name: {{ template "cert-manager.serviceAccountName" . }}-injector
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    app: {{ template "cert-manager.name" . }}-injector
+    chart: {{ template "cert-manager.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+{{- end -}}

deploy/charts/cert-manager/values.yaml

@@ -23,6 +23,7 @@ strategy: {}
 
 image:
   repository: quay.io/jetstack/cert-manager-controller
+  injectorRepository: quay.io/jetstack/cert-manager-injectorcontroller
   tag: v0.7.0-alpha.0
   pullPolicy: IfNotPresent
 

deploy/manifests/cert-manager-no-webhook.yaml

@@ -967,6 +967,18 @@ metadata:
 
 ---
 ---
+# Source: cert-manager/templates/serviceaccount-injector.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cert-manager-injector
+  namespace: "cert-manager"
+  labels:
+    app: cert-manager-injector
+    chart: cert-manager-v0.7.0-alpha.1
+    release: cert-manager
+    heritage: Tiller
+---
 # Source: cert-manager/templates/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
@@ -979,6 +991,48 @@ metadata:
     release: cert-manager
     heritage: Tiller
 ---
+# Source: cert-manager/templates/rbac-injector.yaml
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: cert-manager-injector
+  labels:
+    app: cert-manager-injector
+    chart: cert-manager-v0.7.0-alpha.1
+    release: cert-manager
+    heritage: Tiller
+rules:
+  - apiGroups: ["certmanager.k8s.io"]
+    resources: ["certificates"]
+    verbs: ["*"]
+  - apiGroups: [""]
+    resources: ["secrets", "configmaps", "events"]
+    verbs: ["*"]
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
+    verbs: ["*"]
+  - apiGroups: ["apiregistration.k8s.io"]
+    resources: ["apiservices"]
+    verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: cert-manager-injector
+  labels:
+    app: cert-manager-injector
+    chart: cert-manager-v0.7.0-alpha.1
+    release: cert-manager
+    heritage: Tiller
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cert-manager-injector
+subjects:
+  - name: cert-manager-injector
+    namespace: "cert-manager"
+    kind: ServiceAccount
+---
 # Source: cert-manager/templates/rbac.yaml
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
@@ -1050,6 +1104,54 @@ rules:
   - apiGroups: ["certmanager.k8s.io"]
     resources: ["certificates", "issuers"]
     verbs: ["create", "delete", "deletecollection", "patch", "update"]
+---
+# Source: cert-manager/templates/deployment-injector.yaml
+apiVersion: apps/v1beta1
+kind: Deployment
+metadata:
+  name: cert-manager-injector
+  namespace: "cert-manager"
+  labels:
+    app: cert-manager-injector
+    chart: cert-manager-v0.7.0-alpha.1
+    release: cert-manager
+    heritage: Tiller
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: cert-manager-injector
+      release: cert-manager
+  template:
+    metadata:
+      labels:
+        app: cert-manager-injector
+        release: cert-manager
+      annotations:
+        prometheus.io/path: "/metrics"
+        prometheus.io/scrape: 'true'
+        prometheus.io/port: '9402'
+    spec:
+      serviceAccountName: cert-manager-injector
+      containers:
+        - name: cert-manager-injector
+          image:  "quay.io/jetstack/cert-manager-injectorcontroller:v0.7.0-alpha.0"
+          imagePullPolicy: IfNotPresent
+          args:
+          - --leader-election-namespace=$(POD_NAMESPACE)
+          ports:
+          - containerPort: 9402
+          env:
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+          resources:
+            requests:
+              cpu: 10m
+              memory: 32Mi
+            
+
 ---
 # Source: cert-manager/templates/deployment.yaml
 apiVersion: apps/v1beta1

deploy/manifests/cert-manager.yaml

@@ -980,6 +980,18 @@ metadata:
     heritage: Tiller
 
 ---
+# Source: cert-manager/templates/serviceaccount-injector.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cert-manager-injector
+  namespace: "cert-manager"
+  labels:
+    app: cert-manager-injector
+    chart: cert-manager-v0.7.0-alpha.1
+    release: cert-manager
+    heritage: Tiller
+---
 # Source: cert-manager/templates/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
@@ -992,6 +1004,48 @@ metadata:
     release: cert-manager
     heritage: Tiller
 ---
+# Source: cert-manager/templates/rbac-injector.yaml
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: cert-manager-injector
+  labels:
+    app: cert-manager-injector
+    chart: cert-manager-v0.7.0-alpha.1
+    release: cert-manager
+    heritage: Tiller
+rules:
+  - apiGroups: ["certmanager.k8s.io"]
+    resources: ["certificates"]
+    verbs: ["*"]
+  - apiGroups: [""]
+    resources: ["secrets", "configmaps", "events"]
+    verbs: ["*"]
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
+    verbs: ["*"]
+  - apiGroups: ["apiregistration.k8s.io"]
+    resources: ["apiservices"]
+    verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: cert-manager-injector
+  labels:
+    app: cert-manager-injector
+    chart: cert-manager-v0.7.0-alpha.1
+    release: cert-manager
+    heritage: Tiller
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cert-manager-injector
+subjects:
+  - name: cert-manager-injector
+    namespace: "cert-manager"
+    kind: ServiceAccount
+---
 # Source: cert-manager/templates/rbac.yaml
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
@@ -1206,6 +1260,54 @@ spec:
         secret:
           secretName: cert-manager-webhook-webhook-tls
 
+---
+# Source: cert-manager/templates/deployment-injector.yaml
+apiVersion: apps/v1beta1
+kind: Deployment
+metadata:
+  name: cert-manager-injector
+  namespace: "cert-manager"
+  labels:
+    app: cert-manager-injector
+    chart: cert-manager-v0.7.0-alpha.1
+    release: cert-manager
+    heritage: Tiller
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: cert-manager-injector
+      release: cert-manager
+  template:
+    metadata:
+      labels:
+        app: cert-manager-injector
+        release: cert-manager
+      annotations:
+        prometheus.io/path: "/metrics"
+        prometheus.io/scrape: 'true'
+        prometheus.io/port: '9402'
+    spec:
+      serviceAccountName: cert-manager-injector
+      containers:
+        - name: cert-manager-injector
+          image:  "quay.io/jetstack/cert-manager-injectorcontroller:v0.7.0-alpha.0"
+          imagePullPolicy: IfNotPresent
+          args:
+          - --leader-election-namespace=$(POD_NAMESPACE)
+          ports:
+          - containerPort: 9402
+          env:
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+          resources:
+            requests:
+              cpu: 10m
+              memory: 32Mi
+            
+
 ---
 # Source: cert-manager/templates/deployment.yaml
 apiVersion: apps/v1beta1