From 8eb88d451bf45118ff048b4a080377f1d33a8ed3 Mon Sep 17 00:00:00 2001
From: Solly Ross
Date: Fri, 22 Feb 2019 16:49:22 -0800
Subject: [PATCH] Deployment files for CA Injector

This adds deployment files for the CA injector to the cert-manager controller chart. It reuses as much as possible from the existing deployment options.

Signed-off-by: Solly Ross
---
 .../templates/deployment-injector.yaml | 98 +++++++++++++++++
 .../cert-manager/templates/rbac-injector.yaml | 42 ++++++++
 .../templates/serviceaccount-injector.yaml | 15 +++
 deploy/charts/cert-manager/values.yaml | 1 +
 deploy/manifests/cert-manager-no-webhook.yaml | 102 ++++++++++++++++++
 deploy/manifests/cert-manager.yaml | 102 ++++++++++++++++++
 6 files changed, 360 insertions(+)
 create mode 100644 deploy/charts/cert-manager/templates/deployment-injector.yaml
 create mode 100644 deploy/charts/cert-manager/templates/rbac-injector.yaml
 create mode 100644 deploy/charts/cert-manager/templates/serviceaccount-injector.yaml
diff --git a/deploy/charts/cert-manager/templates/deployment-injector.yaml b/deploy/charts/cert-manager/templates/deployment-injector.yaml
new file mode 100644
index 000000000..6bb405cb5
--- /dev/null
+++ b/deploy/charts/cert-manager/templates/deployment-injector.yaml
@@ -0,0 +1,98 @@
+apiVersion: apps/v1beta1
+kind: Deployment
+metadata:
+ name: {{ template "cert-manager.fullname" . }}-injector
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ app: {{ template "cert-manager.name" . }}-injector
+ chart: {{ template "cert-manager.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ replicas: {{ .Values.replicaCount }}
+ selector:
+ matchLabels:
+ app: {{ template "cert-manager.name" . }}-injector
+ release: {{ .Release.Name }}
+ {{- with .Values.strategy }}
+ strategy:
+ {{- . | toYaml | nindent 4 }}
+ {{- end }}
+ template:
+ metadata:
+ labels:
+ app: {{ template "cert-manager.name" . }}-injector
+ release: {{ .Release.Name }}
+{{- if .Values.podLabels }}
+{{ toYaml .Values.podLabels | indent 8 }}
+{{- end }}
+ annotations:
+ {{- if .Values.podAnnotations }}
+{{ toYaml .Values.podAnnotations | indent 8 }}
+ {{- end }}
+ prometheus.io/path: "/metrics"
+ prometheus.io/scrape: 'true'
+ prometheus.io/port: '9402'
+ spec:
+ serviceAccountName: {{ template "cert-manager.serviceAccountName" . }}-injector
+ {{- if .Values.global.priorityClassName }}
+ priorityClassName: {{ .Values.global.priorityClassName | quote }}
+ {{- end }}
+ {{- if .Values.securityContext.enabled }}
+ securityContext:
+ fsGroup: {{ .Values.securityContext.fsGroup }}
+ runAsUser: {{ .Values.securityContext.runAsUser }}
+ {{- end }}
+ containers:
+ - name: {{ .Chart.Name }}-injector
+ image: "{{ .Values.image.injectorRepository }}:{{ .Values.image.tag }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ args:
+ {{- if .Values.leaderElection.namespace }}
+ - --leader-election-namespace={{ .Values.leaderElection.namespace }}
+ {{- else }}
+ - --leader-election-namespace=$(POD_NAMESPACE)
+ {{- end }}
+ ports:
+ - containerPort: 9402
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ {{- if .Values.extraEnv }}
+{{ toYaml .Values.extraEnv | indent 10 }}
+ {{- end }}
+ {{- if .Values.http_proxy }}
+ - name: HTTP_PROXY
+ value: {{ .Values.http_proxy }}
+ {{- end }}
+ {{- if .Values.https_proxy }}
+ - name: HTTPS_PROXY
+ value: {{ .Values.https_proxy }}
+ {{- end }}
+ {{- if .Values.no_proxy }}
+ - name: NO_PROXY
+ value: {{ .Values.no_proxy }}
+ {{- end }}
+ resources:
+{{ toYaml .Values.resources | indent 12 }}
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+{{ toYaml . | indent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+{{ toYaml . | indent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+{{ toYaml . | indent 8 }}
+ {{- end }}
+{{- if .Values.podDnsPolicy }}
+ dnsPolicy: {{ .Values.podDnsPolicy }}
+{{- end }}
+{{- if .Values.podDnsConfig }}
+ dnsConfig:
+{{ toYaml .Values.podDnsConfig | indent 8 }}
+{{- end }}
diff --git a/deploy/charts/cert-manager/templates/rbac-injector.yaml b/deploy/charts/cert-manager/templates/rbac-injector.yaml
new file mode 100644
index 000000000..880f362a6
--- /dev/null
+++ b/deploy/charts/cert-manager/templates/rbac-injector.yaml
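Review bot: The injector container has no container-level `securityContext`; the only hardening in the hunk is the pod-level `fsGroup`/`runAsUser`, and that is emitted only when `.Values.securityContext.enabled` is set. Because this pod runs under a service account that this same patch binds to a cluster-wide ClusterRole over secrets and webhook configurations, it is worth denying privilege escalation and dropping capabilities unconditionally, as below; whether the image tolerates `readOnlyRootFilesystem` and `runAsNonRoot` is not visible here and should be confirmed before adding those. The Deployment hunk starts on the previous line of this page and wraps across it.
```yaml
      containers:
      - name: {{ .Chart.Name }}-injector
        image: "{{ .Values.image.injectorRepository }}:{{ .Values.image.tag }}"
        imagePullPolicy: {{ .Values.image.pullPolicy }}
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
          # readOnlyRootFilesystem: true  -- enable once confirmed the injector writes nothing to disk
        # … unchanged: args, ports, env, resources …
```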
@@ -0,0 +1,42 @@
+{{- if .Values.global.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: {{ template "cert-manager.fullname" . }}-injector
+ labels:
+ app: {{ template "cert-manager.name" . }}-injector
+ chart: {{ template "cert-manager.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+rules:
+ - apiGroups: ["certmanager.k8s.io"]
+ resources: ["certificates"]
+ verbs: ["*"]
+ - apiGroups: [""]
+ resources: ["secrets", "configmaps", "events"]
+ verbs: ["*"]
+ - apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
+ verbs: ["*"]
+ - apiGroups: ["apiregistration.k8s.io"]
+ resources: ["apiservices"]
+ verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ template "cert-manager.fullname" . }}-injector
+ labels:
+ app: {{ template "cert-manager.name" . }}-injector
+ chart: {{ template "cert-manager.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ template "cert-manager.fullname" . }}-injector
+subjects:
+ - name: {{ template "cert-manager.serviceAccountName" . }}-injector
+ namespace: {{ .Release.Namespace | quote }}
+ kind: ServiceAccount
+{{- end -}}
diff --git a/deploy/charts/cert-manager/templates/serviceaccount-injector.yaml b/deploy/charts/cert-manager/templates/serviceaccount-injector.yaml
new file mode 100644
index 000000000..46c8f873e
--- /dev/null
+++ b/deploy/charts/cert-manager/templates/serviceaccount-injector.yaml
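Review bot: The ClusterRole grants `verbs: ["*"]` on cluster-wide `secrets` and `configmaps`, on `certificates`, and on all webhook configurations and APIServices, so a compromise of the injector pod yields read/write/delete on every Secret in the cluster plus the ability to register arbitrary mutating webhooks — effectively cluster-admin. Judging from the resources listed and the component's purpose, the injector presumably only watches Certificates, reads the issued CA Secret, updates the caBundle on webhook configurations and APIServices, emits Events, and uses a ConfigMap for the leader election configured in the Deployment; none of that needs `create`/`delete` on Secrets or any write on Certificates. Narrow each rule to the verbs actually used, as below, and confirm the leader-election verb set against the injector binary, which is not part of this patch.
```yaml
rules:
  - apiGroups: ["certmanager.k8s.io"]
    resources: ["certificates"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list", "watch", "create", "update"]  # leader election — confirm against the injector
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
    verbs: ["get", "list", "watch", "update", "patch"]
  - apiGroups: ["apiregistration.k8s.io"]
    resources: ["apiservices"]
    verbs: ["get", "list", "watch", "update", "patch"]
# … unchanged: ClusterRoleBinding …
```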
@@ -0,0 +1,15 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+{{- if .Values.global.imagePullSecrets }}
+imagePullSecrets: {{ toYaml .Values.global.imagePullSecrets | nindent 2 }}
+{{- end }}
+metadata:
+ name: {{ template "cert-manager.serviceAccountName" . }}-injector
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ app: {{ template "cert-manager.name" . }}-injector
+ chart: {{ template "cert-manager.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+{{- end -}}
diff --git a/deploy/charts/cert-manager/values.yaml b/deploy/charts/cert-manager/values.yaml
index 0612bd0a1..60dc16432 100644
--- a/deploy/charts/cert-manager/values.yaml
+++ b/deploy/charts/cert-manager/values.yaml
@@ -23,6 +23,7 @@ strategy: {}
 image:
 repository: quay.io/jetstack/cert-manager-controller
+ injectorRepository: quay.io/jetstack/cert-manager-injectorcontroller
 tag: v0.7.0-alpha.0
 pullPolicy: IfNotPresent
diff --git a/deploy/manifests/cert-manager-no-webhook.yaml b/deploy/manifests/cert-manager-no-webhook.yaml
index fd2a1b266..32e136bf7 100644
--- a/deploy/manifests/cert-manager-no-webhook.yaml
+++ b/deploy/manifests/cert-manager-no-webhook.yaml
@@ -967,6 +967,18 @@ metadata:
 ---
 ---
+# Source: cert-manager/templates/serviceaccount-injector.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: cert-manager-injector
+ namespace: "cert-manager"
+ labels:
+ app: cert-manager-injector
+ chart: cert-manager-v0.7.0-alpha.1
+ release: cert-manager
+ heritage: Tiller
+---
 # Source: cert-manager/templates/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
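Review bot: The injector ServiceAccount is rendered only when `.Values.serviceAccount.create` is true, yet the Deployment and ClusterRoleBinding in this patch unconditionally reference `{{ template "cert-manager.serviceAccountName" . }}-injector`, so an operator who sets `serviceAccount.create=false` and supplies their own `serviceAccount.name` must now also pre-create a second account with the `-injector` suffix, and nothing in the chart tells them so. Document that contract in values.yaml next to the `serviceAccount` block, e.g. `# When create is false, a ServiceAccount named "<name>-injector" must also exist for the CA injector.`. Placing `imagePullSecrets` above `metadata` is valid YAML but unusual; the ordering used by the existing serviceaccount.yaml is not visible here, so match whatever it does.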
@@ -979,6 +991,48 @@ metadata:
 release: cert-manager
 heritage: Tiller
 ---
+# Source: cert-manager/templates/rbac-injector.yaml
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: cert-manager-injector
+ labels:
+ app: cert-manager-injector
+ chart: cert-manager-v0.7.0-alpha.1
+ release: cert-manager
+ heritage: Tiller
+rules:
+ - apiGroups: ["certmanager.k8s.io"]
+ resources: ["certificates"]
+ verbs: ["*"]
+ - apiGroups: [""]
+ resources: ["secrets", "configmaps", "events"]
+ verbs: ["*"]
+ - apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
+ verbs: ["*"]
+ - apiGroups: ["apiregistration.k8s.io"]
+ resources: ["apiservices"]
+ verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: cert-manager-injector
+ labels:
+ app: cert-manager-injector
+ chart: cert-manager-v0.7.0-alpha.1
+ release: cert-manager
+ heritage: Tiller
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cert-manager-injector
+subjects:
+ - name: cert-manager-injector
+ namespace: "cert-manager"
+ kind: ServiceAccount
+---
 # Source: cert-manager/templates/rbac.yaml
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
@@ -1050,6 +1104,54 @@ rules:
 - apiGroups: ["certmanager.k8s.io"]
 resources: ["certificates", "issuers"]
 verbs: ["create", "delete", "deletecollection", "patch", "update"]
+---
+# Source: cert-manager/templates/deployment-injector.yaml
+apiVersion: apps/v1beta1
+kind: Deployment
+metadata:
+ name: cert-manager-injector
+ namespace: "cert-manager"
+ labels:
+ app: cert-manager-injector
+ chart: cert-manager-v0.7.0-alpha.1
+ release: cert-manager
+ heritage: Tiller
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: cert-manager-injector
+ release: cert-manager
+ template:
+ metadata:
+ labels:
+ app: cert-manager-injector
+ release: cert-manager
+ annotations:
+ prometheus.io/path: "/metrics"
+ prometheus.io/scrape: 'true'
+ prometheus.io/port: '9402'
+ spec:
+ serviceAccountName: cert-manager-injector
+ containers:
+ - name: cert-manager-injector
+ image: "quay.io/jetstack/cert-manager-injectorcontroller:v0.7.0-alpha.0"
+ imagePullPolicy: IfNotPresent
+ args:
+ - --leader-election-namespace=$(POD_NAMESPACE)
+ ports:
+ - containerPort: 9402
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ resources:
+ requests:
+ cpu: 10m
+ memory: 32Mi
+
+
 ---
 # Source: cert-manager/templates/deployment.yaml
 apiVersion: apps/v1beta1
diff --git a/deploy/manifests/cert-manager.yaml b/deploy/manifests/cert-manager.yaml
index 396a8c32c..bd285327a 100644
--- a/deploy/manifests/cert-manager.yaml
+++ b/deploy/manifests/cert-manager.yaml
@@ -980,6 +980,18 @@ metadata:
 heritage: Tiller
 ---
+# Source: cert-manager/templates/serviceaccount-injector.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: cert-manager-injector
+ namespace: "cert-manager"
+ labels:
+ app: cert-manager-injector
+ chart: cert-manager-v0.7.0-alpha.1
+ release: cert-manager
+ heritage: Tiller
+---
 # Source: cert-manager/templates/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
@@ -992,6 +1004,48 @@ metadata:
 release: cert-manager
 heritage: Tiller
 ---
+# Source: cert-manager/templates/rbac-injector.yaml
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: cert-manager-injector
+ labels:
+ app: cert-manager-injector
+ chart: cert-manager-v0.7.0-alpha.1
+ release: cert-manager
+ heritage: Tiller
+rules:
+ - apiGroups: ["certmanager.k8s.io"]
+ resources: ["certificates"]
+ verbs: ["*"]
+ - apiGroups: [""]
+ resources: ["secrets", "configmaps", "events"]
+ verbs: ["*"]
+ - apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
+ verbs: ["*"]
+ - apiGroups: ["apiregistration.k8s.io"]
+ resources: ["apiservices"]
+ verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: cert-manager-injector
+ labels:
+ app: cert-manager-injector
+ chart: cert-manager-v0.7.0-alpha.1
+ release: cert-manager
+ heritage: Tiller
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cert-manager-injector
+subjects:
+ - name: cert-manager-injector
+ namespace: "cert-manager"
+ kind: ServiceAccount
+---
 # Source: cert-manager/templates/rbac.yaml
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
@@ -1206,6 +1260,54 @@ spec:
 secret:
 secretName: cert-manager-webhook-webhook-tls
+---
+# Source: cert-manager/templates/deployment-injector.yaml
+apiVersion: apps/v1beta1
+kind: Deployment
+metadata:
+ name: cert-manager-injector
+ namespace: "cert-manager"
+ labels:
+ app: cert-manager-injector
+ chart: cert-manager-v0.7.0-alpha.1
+ release: cert-manager
+ heritage: Tiller
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: cert-manager-injector
+ release: cert-manager
+ template:
+ metadata:
+ labels:
+ app: cert-manager-injector
+ release: cert-manager
+ annotations:
+ prometheus.io/path: "/metrics"
+ prometheus.io/scrape: 'true'
+ prometheus.io/port: '9402'
+ spec:
+ serviceAccountName: cert-manager-injector
+ containers:
+ - name: cert-manager-injector
+ image: "quay.io/jetstack/cert-manager-injectorcontroller:v0.7.0-alpha.0"
+ imagePullPolicy: IfNotPresent
+ args:
+ - --leader-election-namespace=$(POD_NAMESPACE)
+ ports:
+ - containerPort: 9402
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ resources:
+ requests:
+ cpu: 10m
+ memory: 32Mi
+
+
 ---
 # Source: cert-manager/templates/deployment.yaml
 apiVersion: apps/v1beta1