diff --git a/build/helm.bzl b/build/helm.bzl index 7bcdc9683..9758cd835 100644 --- a/build/helm.bzl +++ b/build/helm.bzl @@ -19,6 +19,7 @@ def helm_pkg( chart_name, chart_yaml, values_yaml, + readme_file, tpl_files, srcs = [], helm_cmd = "//hack/bin:helm", @@ -46,6 +47,7 @@ def helm_pkg( srcs = [ chart_yaml, values_yaml, + readme_file, ], mode = "0644", visibility = ["//visibility:private"], diff --git a/deploy/BUILD.bazel b/deploy/BUILD.bazel index 44dc59b31..3b2f2d26a 100644 --- a/deploy/BUILD.bazel +++ b/deploy/BUILD.bazel @@ -7,7 +7,7 @@ pkg_tar( mode = "0644", package_dir = "deploy", deps = [ - "//deploy/charts/cert-manager", + "//deploy/charts/cert-manager:release-tar", "//deploy/manifests", ], ) diff --git a/deploy/charts/cert-manager/BUILD.bazel b/deploy/charts/cert-manager/BUILD.bazel index 0d67f7b74..be9a5dab6 100644 --- a/deploy/charts/cert-manager/BUILD.bazel +++ b/deploy/charts/cert-manager/BUILD.bazel @@ -4,9 +4,9 @@ load("@io_k8s_repo_infra//defs:pkg.bzl", "pkg_tar") load("//build:helm.bzl", "helm_pkg") pkg_tar( - name = "cert-manager", + name = "release-tar", srcs = [ - ":package", + ":cert-manager", ], extension = "tar.gz", mode = "0644", @@ -15,10 +15,11 @@ pkg_tar( ) helm_pkg( - name = "package", + name = "cert-manager", srcs = ["//deploy/charts/cert-manager/templates:chart-srcs"], chart_name = "cert-manager", chart_yaml = ":Chart.yaml", + readme_file = ":README.md", tpl_files = [ "//deploy/charts/cert-manager/templates:_helpers.tpl", ], diff --git a/deploy/charts/cert-manager/README.template.md b/deploy/charts/cert-manager/README.template.md index d66f7d17a..2bc347274 100644 --- a/deploy/charts/cert-manager/README.template.md +++ b/deploy/charts/cert-manager/README.template.md 
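Review bot: `readme_file` is added to `helm_pkg` as a required positional parameter with no default, so any caller of the macro that this commit does not update fails at load time with a missing-argument error; the visible callers in deploy/charts/cert-manager/BUILD.bazel and deploy/crds/BUILD.bazel are updated, but out-of-tree or future callers get no opt-out. Making it optional keeps the macro backward-compatible: `readme_file = None,` in the signature and `srcs = [chart_yaml, values_yaml] + ([readme_file] if readme_file else []),` in the pkg_tar. The rest of the `helm_pkg` body, including anything else that consumes these sources, lies outside the two hunks.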
@@ -130,8 +130,6 @@ The following table lists the configurable parameters of the cert-manager chart | `https_proxy` | Value of the `HTTPS_PROXY` environment variable in the cert-manager pod | | | `no_proxy` | Value of the `NO_PROXY` environment variable in the cert-manager pod | | | `webhook.replicaCount` | Number of cert-manager webhook replicas | `1` | -| `webhook.serviceName` | The name of the Service resource deployed for the webhook pod | `cert-manager-webhook` | -| `webhook.rootCASecretName` | The name of the Secret resource that will be used to store the webhook's root CA certificate | `cert-manager-webhook-ca` | | `webhook.podAnnotations` | Annotations to add to the webhook pods | `{}` | | `webhook.deploymentAnnotations` | Annotations to add to the webhook deployment | `{}` | | `webhook.extraArgs` | Optional flags for cert-manager webhook component | `[]` | diff --git a/deploy/charts/cert-manager/templates/_helpers.tpl b/deploy/charts/cert-manager/templates/_helpers.tpl index 9abfd0c5a..570439916 100644 --- a/deploy/charts/cert-manager/templates/_helpers.tpl +++ b/deploy/charts/cert-manager/templates/_helpers.tpl @@ -64,6 +64,10 @@ If release name contains chart name it will be used as a full name. {{- printf "%s-webhook" $trimmedName | trunc 63 | trimSuffix "-" -}} {{- end -}} +{{- define "webhook.caRef" -}} +{{ .Release.Namespace}}/{{ template "webhook.fullname" . }}-ca +{{- end -}} + {{/* Create chart name and version as used by the chart label. */}} diff --git a/deploy/charts/cert-manager/templates/webhook-deployment.yaml b/deploy/charts/cert-manager/templates/webhook-deployment.yaml index 4f4e01f71..28f73e4fa 100644 --- a/deploy/charts/cert-manager/templates/webhook-deployment.yaml +++ b/deploy/charts/cert-manager/templates/webhook-deployment.yaml 
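Review bot: The new `webhook.caRef` helper carries no comment, yet it is the one place in the chart that encodes the `namespace/name` form of the CA Secret reference consumed by the CRD annotations, so it should state what it has to agree with. Suggested comment above the define: `{{/* Namespace/name of the Secret holding the webhook's root CA, as read by cainjector via the inject-ca-from-secret annotation. Must match --dynamic-serving-ca-secret-name in webhook-deployment.yaml and the resourceName in webhook-rbac.yaml. */}}`. Because the name now derives from `webhook.fullname`, upgrading a release whose name does not yield `cert-manager-webhook` moves the webhook to a freshly generated CA under a new Secret name; the previous `cert-manager-webhook-ca` Secret was created by the webhook at runtime rather than by Helm (per the deleted values.yaml comment), so it is left behind and has to be removed by hand — worth stating in the chart's upgrade notes.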
@@ -57,8 +57,8 @@ spec: {{- end }} - --secure-port={{ .Values.webhook.securePort }} - --dynamic-serving-ca-secret-namespace={{ .Release.Namespace }} - - --dynamic-serving-ca-secret-name={{ .Values.webhook.rootCASecretName }} - - --dynamic-serving-dns-names={{ .Values.webhook.serviceName }},{{ .Values.webhook.serviceName }}.{{ .Release.Namespace }},{{ .Values.webhook.serviceName }}.{{ .Release.Namespace }}.svc + - --dynamic-serving-ca-secret-name={{ template "webhook.fullname" . }}-ca + - --dynamic-serving-dns-names={{ template "webhook.fullname" . }},{{ template "webhook.fullname" . }}.{{ .Release.Namespace }},{{ template "webhook.fullname" . }}.{{ .Release.Namespace }}.svc {{- if .Values.webhook.extraArgs }} {{ toYaml .Values.webhook.extraArgs | indent 10 }} {{- end }} diff --git a/deploy/charts/cert-manager/templates/webhook-mutating-webhook.yaml b/deploy/charts/cert-manager/templates/webhook-mutating-webhook.yaml index ad165d5b8..f5ca4a34d 100644 --- a/deploy/charts/cert-manager/templates/webhook-mutating-webhook.yaml +++ b/deploy/charts/cert-manager/templates/webhook-mutating-webhook.yaml @@ -10,7 +10,7 @@ metadata: app.kubernetes.io/component: "webhook" helm.sh/chart: {{ include "webhook.chart" . }} annotations: - cert-manager.io/inject-ca-from-secret: "{{ .Release.Namespace }}/{{ .Values.webhook.rootCASecretName }}" + cert-manager.io/inject-ca-from-secret: "{{ .Release.Namespace }}/{{ template "webhook.fullname" . }}-ca" webhooks: - name: webhook.cert-manager.io rules: @@ -36,6 +36,6 @@ webhooks: caBundle: "" {{- end }} service: - name: {{ .Values.webhook.serviceName }} + name: {{ template "webhook.fullname" . }} namespace: {{ .Release.Namespace | quote }} path: /mutate diff --git a/deploy/charts/cert-manager/templates/webhook-rbac.yaml b/deploy/charts/cert-manager/templates/webhook-rbac.yaml index 4ba148975..53a37de3a 100644 --- a/deploy/charts/cert-manager/templates/webhook-rbac.yaml +++ b/deploy/charts/cert-manager/templates/webhook-rbac.yaml 
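Review bot: The `inject-ca-from-secret` annotation rebuilds the `namespace/name` string inline instead of calling the `webhook.caRef` helper this commit adds in _helpers.tpl, which leaves two sources of truth for the CA Secret reference (the CRD manifests use the helper). Replace the annotation value with `cert-manager.io/inject-ca-from-secret: '{{ template "webhook.caRef" . }}'` so a later change to the Secret naming happens in one place; the same applies to webhook-validating-webhook.yaml. The rest of the MutatingWebhookConfiguration, including the `caBundle: ""` placeholder that the deleted values.yaml comment says cainjector fills, lies outside the hunk.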
@@ -15,7 +15,7 @@ rules: - apiGroups: [""] resources: ["secrets"] resourceNames: - - '{{ .Values.webhook.rootCASecretName }}' + - '{{ template "webhook.fullname" . }}-ca' verbs: ["get", "list", "watch", "update"] # It's not possible to grant CREATE permission on a single resourceName. - apiGroups: [""] diff --git a/deploy/charts/cert-manager/templates/webhook-service.yaml b/deploy/charts/cert-manager/templates/webhook-service.yaml index 4e13ebcb1..8f96f51c6 100644 --- a/deploy/charts/cert-manager/templates/webhook-service.yaml +++ b/deploy/charts/cert-manager/templates/webhook-service.yaml @@ -1,7 +1,7 @@ apiVersion: v1 kind: Service metadata: - name: {{ .Values.webhook.serviceName }} + name: {{ template "webhook.fullname" . }} namespace: {{ .Release.Namespace | quote }} labels: app: {{ include "webhook.name" . }} diff --git a/deploy/charts/cert-manager/templates/webhook-validating-webhook.yaml b/deploy/charts/cert-manager/templates/webhook-validating-webhook.yaml index 2e6bf83e9..b09ad94f0 100644 --- a/deploy/charts/cert-manager/templates/webhook-validating-webhook.yaml +++ b/deploy/charts/cert-manager/templates/webhook-validating-webhook.yaml @@ -10,7 +10,7 @@ metadata: app.kubernetes.io/component: "webhook" helm.sh/chart: {{ include "webhook.chart" . }} annotations: - cert-manager.io/inject-ca-from-secret: "{{ .Release.Namespace }}/{{ .Values.webhook.rootCASecretName }}" + cert-manager.io/inject-ca-from-secret: "{{ .Release.Namespace }}/{{ template "webhook.fullname" . }}-ca" webhooks: - name: webhook.cert-manager.io namespaceSelector: @@ -46,6 +46,6 @@ webhooks: caBundle: "" {{- end }} service: - name: {{ .Values.webhook.serviceName }} + name: {{ template "webhook.fullname" . }} namespace: {{ .Release.Namespace | quote }} path: /mutate diff --git a/deploy/charts/cert-manager/values.yaml b/deploy/charts/cert-manager/values.yaml index 7f274e183..4bad11888 100644 --- a/deploy/charts/cert-manager/values.yaml +++ b/deploy/charts/cert-manager/values.yaml 
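Review bot: The `resourceNames` entry here, the Deployment's `--dynamic-serving-ca-secret-name` flag and the `webhook.caRef` helper each spell out `{{ template "webhook.fullname" . }}-ca` independently; if one is edited later the Role either stops matching the Secret the webhook actually writes, breaking serving-certificate management, or keeps granting `update` on a Secret that no longer exists. A single `webhook.caSecretName` helper in _helpers.tpl used by all three (and by `webhook.caRef`) keeps this Role's least-privilege scoping tied to the real Secret name: `- '{{ template "webhook.caSecretName" . }}'`. The `list`/`watch` verbs in the same rule are untouched by this commit; Kubernetes only authorizes those verbs under a `resourceNames` restriction when the client sends a matching `metadata.name` field selector, so whether the webhook's informer does that should be confirmed separately.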
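Review bot: As in the mutating configuration, the annotation value here inlines `{{ .Release.Namespace }}/{{ template "webhook.fullname" . }}-ca` rather than calling the `webhook.caRef` helper introduced by this commit; `cert-manager.io/inject-ca-from-secret: '{{ template "webhook.caRef" . }}'` keeps the ValidatingWebhookConfiguration, MutatingWebhookConfiguration and CRDs on the same string. Unrelated to the rename but visible in the context lines, this validating webhook's client config ends in `path: /mutate`; if the webhook server exposes a separate validation route, the path should be checked against the server's handlers. The enclosing `webhooks:` entry starts outside the hunk.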
@@ -155,23 +155,6 @@ tolerations: [] webhook: replicaCount: 1 - # The name of the webhook service is fixed in the values.yaml and not based - # on the name of the Helm release because the CRD manifests, which are not - # managed by Helm, need to hardcode the name of the service for their - # conversion webhook configuration. - # If you change this value, you must also manually update the - # `spec.conversion.webhookClientConfig.service.name` field on all - # cert-manager CRD resources. - serviceName: cert-manager-webhook - # The name of the Secret resource that will be created and used to store the - # root CA used to sign serving certificates for the webhook. - # This will be automatically injected into the Mutating, Validating and CRD - # resources by the cainjector component. - # If you change this value, you must also manually update the - # `cert-manager.io/inject-ca-from-secret` value on all cert-manager CRD - # resources. - rootCASecretName: cert-manager-webhook-ca - strategy: {} # type: RollingUpdate # rollingUpdate: diff --git a/deploy/crds/BUILD.bazel b/deploy/crds/BUILD.bazel index b4ecde6dd..a6b2fb809 100644 --- a/deploy/crds/BUILD.bazel +++ b/deploy/crds/BUILD.bazel @@ -46,6 +46,7 @@ genrule( srcs = [":templates.%s" % variant], chart_name = "cert-manager", chart_yaml = "//deploy/charts/cert-manager:Chart.yaml", + readme_file = "//deploy/charts/cert-manager:README.md", tpl_files = [ "//deploy/charts/cert-manager/templates:_helpers.tpl", ], @@ -77,6 +78,7 @@ crds = [ srcs = [":crd-%s.yaml" % crd], chart_name = "cert-manager", chart_yaml = "//deploy/charts/cert-manager:Chart.yaml", + readme_file = "//deploy/charts/cert-manager:README.md", tpl_files = [ "//deploy/charts/cert-manager/templates:_helpers.tpl", ], diff --git a/deploy/crds/crd-certificaterequests.yaml b/deploy/crds/crd-certificaterequests.yaml index 59cad19d6..51af11739 100644 --- a/deploy/crds/crd-certificaterequests.yaml +++ b/deploy/crds/crd-certificaterequests.yaml 
@@ -3,7 +3,7 @@ kind: CustomResourceDefinition metadata: name: certificaterequests.cert-manager.io annotations: - cert-manager.io/inject-ca-from-secret: '{{ .Release.Namespace }}/cert-manager-webhook-ca' + cert-manager.io/inject-ca-from-secret: '{{ template "webhook.caRef" . }}' labels: app: '{{ template "cert-manager.name" . }}' app.kubernetes.io/name: '{{ template "cert-manager.name" . }}' @@ -38,10 +38,8 @@ spec: # webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server. webhookClientConfig: service: - # If you have deployed cert-manager into a namespace other than - # 'cert-manager', be sure to update this value. namespace: '{{ .Release.Namespace }}' - name: cert-manager-webhook + name: '{{ template "webhook.fullname" . }}' path: /convert names: kind: CertificateRequest diff --git a/deploy/crds/crd-certificates.yaml b/deploy/crds/crd-certificates.yaml index 6f2dd00b0..b717251b6 100644 --- a/deploy/crds/crd-certificates.yaml +++ b/deploy/crds/crd-certificates.yaml @@ -3,7 +3,7 @@ kind: CustomResourceDefinition metadata: name: certificates.cert-manager.io annotations: - cert-manager.io/inject-ca-from-secret: '{{ .Release.Namespace }}/cert-manager-webhook-ca' + "cert-manager.io/inject-ca-from-secret": '{{ template "webhook.caRef" . }}' labels: app: '{{ template "cert-manager.name" . }}' app.kubernetes.io/name: '{{ template "cert-manager.name" . }}' @@ -41,10 +41,8 @@ spec: # webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server. webhookClientConfig: service: - # If you have deployed cert-manager into a namespace other than - # 'cert-manager', be sure to update this value. namespace: '{{ .Release.Namespace }}' - name: cert-manager-webhook + name: '{{ template "webhook.fullname" . }}' path: /convert names: kind: Certificate 
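Review bot: `webhookClientConfig.service.name` now follows `webhook.fullname`, so the rendered CRD manifest is tied to the release name it was templated with, not only to the namespace as before; applying CRDs rendered for one release name next to a chart installed under another leaves the conversion webhook pointing at a Service that does not exist and the `inject-ca-from-secret` annotation at a Secret that does not exist. The removed comment warned about the namespace only; a replacement such as `# The Service name follows webhook.fullname, so these CRDs must be rendered with the same release name and namespace as the chart install.` keeps that warning alive. The `webhook.fullname` helper appears to reuse the release name when it contains the chart name, so installs under the release name `cert-manager` presumably keep the old `cert-manager-webhook` names — worth confirming and documenting. The CRD `spec` continues outside the hunk.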
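Review bot: The annotation key is written as a bare `cert-manager.io/inject-ca-from-secret:` in crd-certificaterequests.yaml and crd-clusterissuers.yaml but as the quoted `"cert-manager.io/inject-ca-from-secret":` in crd-certificates.yaml, crd-challenges.yaml, crd-issuers.yaml and crd-orders.yaml; both parse to the same key, but the mixed form within one commit reads as accidental. Pick one — the unquoted form already used for the `labels:` keys in these files — and apply it to all six CRDs.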
diff --git a/deploy/crds/crd-challenges.yaml b/deploy/crds/crd-challenges.yaml index af8e10a6e..bd134dd81 100644 --- a/deploy/crds/crd-challenges.yaml +++ b/deploy/crds/crd-challenges.yaml @@ -3,7 +3,7 @@ kind: CustomResourceDefinition metadata: name: challenges.acme.cert-manager.io annotations: - cert-manager.io/inject-ca-from-secret: '{{ .Release.Namespace }}/cert-manager-webhook-ca' + "cert-manager.io/inject-ca-from-secret": '{{ template "webhook.caRef" . }}' labels: app: '{{ template "cert-manager.name" . }}' app.kubernetes.io/name: '{{ template "cert-manager.name" . }}' @@ -37,10 +37,8 @@ spec: # webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server. webhookClientConfig: service: - # If you have deployed cert-manager into a namespace other than - # 'cert-manager', be sure to update this value. namespace: '{{ .Release.Namespace }}' - name: cert-manager-webhook + name: '{{ template "webhook.fullname" . }}' path: /convert names: kind: Challenge diff --git a/deploy/crds/crd-clusterissuers.yaml b/deploy/crds/crd-clusterissuers.yaml index cc5afd733..e258da814 100644 --- a/deploy/crds/crd-clusterissuers.yaml +++ b/deploy/crds/crd-clusterissuers.yaml @@ -3,7 +3,7 @@ kind: CustomResourceDefinition metadata: name: clusterissuers.cert-manager.io annotations: - cert-manager.io/inject-ca-from-secret: '{{ .Release.Namespace }}/cert-manager-webhook-ca' + cert-manager.io/inject-ca-from-secret: '{{ template "webhook.caRef" . }}' labels: app: '{{ template "cert-manager.name" . }}' app.kubernetes.io/name: '{{ template "cert-manager.name" . }}' 
@@ -34,10 +34,8 @@ spec: # webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server. webhookClientConfig: service: - # If you have deployed cert-manager into a namespace other than - # 'cert-manager', be sure to update this value. namespace: '{{ .Release.Namespace }}' - name: cert-manager-webhook + name: '{{ template "webhook.fullname" . }}' path: /convert names: kind: ClusterIssuer diff --git a/deploy/crds/crd-issuers.yaml b/deploy/crds/crd-issuers.yaml index 6c2cb0a77..702dc80ec 100644 --- a/deploy/crds/crd-issuers.yaml +++ b/deploy/crds/crd-issuers.yaml @@ -3,7 +3,7 @@ kind: CustomResourceDefinition metadata: name: issuers.cert-manager.io annotations: - cert-manager.io/inject-ca-from-secret: '{{ .Release.Namespace }}/cert-manager-webhook-ca' + "cert-manager.io/inject-ca-from-secret": '{{ template "webhook.caRef" . }}' labels: app: '{{ template "cert-manager.name" . }}' app.kubernetes.io/name: '{{ template "cert-manager.name" . }}' @@ -34,10 +34,8 @@ spec: # webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server. webhookClientConfig: service: - # If you have deployed cert-manager into a namespace other than - # 'cert-manager', be sure to update this value. namespace: '{{ .Release.Namespace }}' - name: cert-manager-webhook + name: '{{ template "webhook.fullname" . }}' path: /convert names: kind: Issuer diff --git a/deploy/crds/crd-orders.yaml b/deploy/crds/crd-orders.yaml index 591d15967..00b3c9826 100644 --- a/deploy/crds/crd-orders.yaml +++ b/deploy/crds/crd-orders.yaml 
@@ -3,7 +3,7 @@ kind: CustomResourceDefinition metadata: name: orders.acme.cert-manager.io annotations: - cert-manager.io/inject-ca-from-secret: '{{ .Release.Namespace }}/cert-manager-webhook-ca' + "cert-manager.io/inject-ca-from-secret": '{{ template "webhook.caRef" . }}' labels: app: '{{ template "cert-manager.name" . }}' app.kubernetes.io/name: '{{ template "cert-manager.name" . }}' @@ -38,10 +38,8 @@ spec: # webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server. webhookClientConfig: service: - # If you have deployed cert-manager into a namespace other than - # 'cert-manager', be sure to update this value. namespace: '{{ .Release.Namespace }}' - name: cert-manager-webhook + name: '{{ template "webhook.fullname" . }}' path: /convert names: kind: Order diff --git a/deploy/manifests/BUILD.bazel b/deploy/manifests/BUILD.bazel index b1a5ffcb1..4790f256f 100644 --- a/deploy/manifests/BUILD.bazel +++ b/deploy/manifests/BUILD.bazel @@ -27,7 +27,7 @@ VARIANTS = { [helm_tmpl( name = "%s.manifests" % name, - helm_pkg = "//deploy/charts/cert-manager:package", + helm_pkg = "//deploy/charts/cert-manager", release_name = RELEASE_NAME, release_namespace = RELEASE_NAMESPACE, values = meta["values"], diff --git a/devel/addon/certmanager/install.sh b/devel/addon/certmanager/install.sh index 64882307e..57ad29f39 100755 --- a/devel/addon/certmanager/install.sh +++ b/devel/addon/certmanager/install.sh @@ -49,7 +49,7 @@ wait kubectl get namespace "${NAMESPACE}" || kubectl create namespace "${NAMESPACE}" # Build the Helm chart package .tgz -bazel build //deploy/charts/cert-manager:package +bazel build //deploy/charts/cert-manager # Upgrade or install Pebble helm upgrade \ diff --git a/hack/verify-chart-version.sh b/hack/verify-chart-version.sh index fa4cc92fb..a115e41b7 100755 --- a/hack/verify-chart-version.sh +++ b/hack/verify-chart-version.sh 
@@ -24,19 +24,18 @@ chart_dir="deploy/charts/cert-manager" echo "Linting chart: ${chart_dir}" -cleanup() { - rm "${REPO_ROOT}/${chart_dir}"/requirements.lock > /dev/null 2>&1 || true -} +bazel build //deploy/charts/cert-manager +tmpdir="$(mktemp -d -p "${REPO_ROOT}")" +trap "rm -rf ${tmpdir}" EXIT -cleanup -trap cleanup EXIT +tar -C "${tmpdir}" -xvf bazel-bin/deploy/charts/cert-manager/cert-manager.tgz -if ! docker run -v ${REPO_ROOT}:/workspace --workdir /workspace \ - quay.io/helmpack/chart-testing:v2.3.3 \ +if ! docker run -v ${tmpdir}:/workspace --workdir /workspace \ + quay.io/helmpack/chart-testing:v3.0.0-beta.2 \ ct lint \ --check-version-increment=false \ - --charts "/workspace/${chart_dir}" \ --validate-maintainers=false \ + --charts "/workspace/cert-manager" \ --debug; then echo "Linting failed" exit 1