Update keptn-cert-manager Helm chart (#104)

Signed-off-by: GitHub <[email protected]>
Co-authored-by: RealAnna <[email protected]>

charts/keptn-cert-manager/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/keptn-cert-manager/Chart.yaml

@@ -0,0 +1,44 @@
+apiVersion: v2
+name: keptn-cert-manager
+description: A Helm chart for Keptn Certificate Manager, a subproject of Keptn
+icon: "https://raw.githubusercontent.com/cncf/artwork/master/projects/keptn/icon/color/keptn-icon-color.svg"
+home: https://keptn.sh
+sources:
+  - "https://github.com/keptn/lifecycle-toolkit"
+keywords:
+  - cloud-native
+  - keptn
+annotations:
+  artifacthub.io/links: |
+    - name: support
+      url: https://github.com/keptn/lifecycle-toolkit/issues/new
+    - name: community
+      url: https://slack.keptn.sh/
+  artifacthub.io/license: "Apache-2.0"
+  artifacthub.io/operator: "true"
+
+kubeVersion: ">= 1.24.0-0"
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.2.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "v1.2.0" # x-release-please-version
+dependencies:
+  - name: common
+    repository: "https://charts.lifecycle.keptn.sh"
+    version: 0.1.0

charts/keptn-cert-manager/README.md

@@ -0,0 +1,43 @@
+# Keptn Certificate Manager
+
+Keptn Certificate Manager handles certificates for Keptn but can also handle certs for any other Kubernetes
+resource.
+
+<!-- markdownlint-disable MD012 -->
+## Parameters
+
+### Global parameters
+
+| Name                       | Description                                                               | Value |
+| -------------------------- | ------------------------------------------------------------------------- | ----- |
+| `global.imageRegistry`     | Global container image registry                                           | `""`  |
+| `global.imagePullSecrets`  | Global Docker registry secret names as an array                           | `[]`  |
+| `global.commonLabels`      | Common annotations to add to all Keptn resources. Evaluated as a template | `{}`  |
+| `global.commonAnnotations` | Common annotations to add to all Keptn resources. Evaluated as a template | `{}`  |
+
+### Keptn Certificate Operator common
+
+| Name                        | Description                                    | Value           |
+| --------------------------- | ---------------------------------------------- | --------------- |
+| `nodeSelector`              | specify custom node selectors for cert manager | `{}`            |
+| `replicas`                  | customize number of replicas                   | `1`             |
+| `tolerations`               | customize tolerations for cert manager         | `[]`            |
+| `topologySpreadConstraints` | add topology constraints for cert manager      | `[]`            |
+| `kubernetesClusterDomain`   | overrides cluster.local                        | `cluster.local` |
+| `annotations`               | add deployment level annotations               | `{}`            |
+| `podAnnotations`            | adds pod level annotations                     | `{}`            |
+
+### Keptn Certificate Operator controller
+
+| Name                       | Description                                                               | Value                        |
+| -------------------------- | ------------------------------------------------------------------------- | ---------------------------- |
+| `containerSecurityContext` | Sets security context for the cert manager                                |                              |
+| `env.labelSelectorKey`     | specify the label selector to find resources to generate certificates for | `keptn.sh/inject-cert`       |
+| `env.labelSelectorValue`   | specify the value for the label selector                                  | `true`                       |
+| `image.registry`           | specify the container registry for the certificate-operator image         | `ghcr.io`                    |
+| `image.repository`         | specify repo for manager image                                            | `keptn/certificate-operator` |
+| `image.tag`                | select tag for manager container                                          | `v1.2.0`                     |
+| `imagePullPolicy`          | select image pull policy for manager container                            | `Always`                     |
+| `livenessProbe`            | custom RBAC proxy liveness probe                                          |                              |
+| `readinessProbe`           | custom manager readiness probe                                            |                              |
+| `resources`                | custom limits and requests for manager container                          |                              |

charts/keptn-cert-manager/templates/certificate-operator-leader-election-rbac.yaml

@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: certificate-operator-leader-election-rolebinding
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/created-by: certificate-operator
+    app.kubernetes.io/part-of: keptn-lifecycle-toolkit
+    {{- include "common.labels.standard" (dict "context" .) | nindent 4 }}
+    {{- include "common.annotations" ( dict "context" . ) }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: 'leader-election-role'
+subjects:
+- kind: ServiceAccount
+  name: 'certificate-operator'
+  namespace: '{{ .Release.Namespace }}'

charts/keptn-cert-manager/templates/certificate-operator-rbac.yaml

@@ -0,0 +1,93 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: certificate-operator-role
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+  {{- include "common.labels.standard" (dict "context" . ) | nindent 4 }}
+  {{- include "common.annotations" ( dict "context" . ) }}
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - create
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resourceNames:
+  - keptn-certs
+  resources:
+  - secrets
+  verbs:
+  - get
+  - patch
+  - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: certificate-operator-role
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+  {{- include "common.labels.standard" (dict "context" .) | nindent 4 }}
+rules:
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - mutatingwebhookconfigurations
+  verbs:
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  verbs:
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - apiextensions.k8s.io
+  resources:
+  - customresourcedefinitions
+  verbs:
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: certificate-operator-rolebinding
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/created-by: certificate-operator
+    app.kubernetes.io/part-of: keptn-lifecycle-toolkit
+  {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" . ) | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: 'certificate-operator-role'
+subjects:
+- kind: ServiceAccount
+  name: 'certificate-operator'
+  namespace: '{{ .Release.Namespace }}'

charts/keptn-cert-manager/templates/certificate-operator-role-binding-rbac.yaml

@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: certificate-operator-role-binding
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/created-by: certificate-operator
+    app.kubernetes.io/part-of: keptn-lifecycle-toolkit
+    {{- include "common.labels.standard" ( dict "context" . ) | nindent 4 }}
+    {{- include "common.annotations" ( dict "context" . ) }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: 'certificate-operator-role'
+subjects:
+- kind: ServiceAccount
+  name: 'certificate-operator'
+  namespace: '{{ .Release.Namespace }}'

charts/keptn-cert-manager/templates/deployment.yaml

@@ -0,0 +1,95 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: certificate-operator
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    app.kubernetes.io/component: keptn-cert-manager
+    app.kubernetes.io/part-of: keptn-lifecycle-toolkit
+    control-plane: certificate-operator
+    {{- include "common.labels.standard" ( dict "context" . ) | nindent 4 }}
+    {{- include "common.annotations" ( dict "context" . ) }}
+spec:
+  replicas: {{ .Values.replicas }}
+  selector:
+    matchLabels:
+      control-plane: certificate-operator
+{{- include "common.selectorLabels"  ( dict "context" . ) | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        control-plane: certificate-operator
+{{- include "common.selectorLabels"  ( dict "context" . ) | nindent 8 }}
+      annotations:
+        kubectl.kubernetes.io/default-container: certificate-operator
+        {{- if .Values.podAnnotations }}
+        {{- include "common.tplvalues.render" (dict "value" .Values.podAnnotations "context" $) | nindent 8 }}
+        {{- end }}
+    spec:
+      containers:
+        - args:
+            - --leader-elect
+          command:
+            - /manager
+          env:
+            - name: NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: LABEL_SELECTOR_KEY
+              value: {{ .Values.env.labelSelectorKey | quote }}
+            - name: LABEL_SELECTOR_VALUE
+              value: {{ .Values.env.labelSelectorValue | quote }}
+            - name: KUBERNETES_CLUSTER_DOMAIN
+              value: {{ .Values.kubernetesClusterDomain }}
+          image: {{- include "common.images.image" ( dict "imageRoot" .Values.image "global" .Values.global ) | indent 1}}
+          imagePullPolicy: {{ .Values.imagePullPolicy }}
+          name: certificate-operator
+          resources: {{- toYaml .Values.resources | nindent 12 }}
+          securityContext:
+            allowPrivilegeEscalation: {{ .Values.containerSecurityContext.allowPrivilegeEscalation
+            }}
+            capabilities: {{- include "common.tplvalues.render" (dict "value" .Values.containerSecurityContext.capabilities "context" $) | nindent 14 }}
+            readOnlyRootFilesystem: {{ .Values.containerSecurityContext.readOnlyRootFilesystem
+            }}
+            runAsGroup: {{ .Values.containerSecurityContext.runAsGroup
+            }}
+            runAsUser: {{ .Values.containerSecurityContext.runAsUser
+            }}
+            seccompProfile: {{- include "common.tplvalues.render" (dict "value" .Values.containerSecurityContext.seccompProfile
+            "context" $) | nindent 14 }}
+        {{- if .Values.livenessProbe }}
+          livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.livenessProbe "context" $) | nindent 12 }}
+         {{- else }}
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: 8081
+            initialDelaySeconds: 15
+            periodSeconds: 20
+        {{- end }}
+        {{- if .Values.readinessProbe }}
+          readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.readinessProbe "context" $) | nindent 12 }}
+         {{- else }}
+          readinessProbe:
+            httpGet:
+              path: /readyz
+              port: 8081
+            initialDelaySeconds: 5
+            periodSeconds: 10
+        {{- end }}
+      imagePullSecrets: {{- include "common.images.imagePullSecrets" . }}
+      securityContext:
+        runAsNonRoot: true
+      serviceAccountName: certificate-operator
+      terminationGracePeriodSeconds: 10
+{{- if .Values.topologySpreadConstraints }}
+      topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.topologySpreadConstraints "context" $) | nindent 8 }}
+{{- end }}
+{{- if .Values.nodeSelector }}
+      nodeSelector: {{- include "common.tplvalues.render" ( dict "value" .Values.nodeSelector "context" $) | nindent 8 }}
+{{- end }}
+{{- if .Values.tolerations }}
+      tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.tolerations "context" .) | nindent 8 }}
+{{- end }}

charts/keptn-cert-manager/templates/service-account.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: certificate-operator
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/part-of: keptn-lifecycle-toolkit
+    {{- include "common.labels.standard" ( dict "context" $ ) | nindent 4 }}
+    {{- include "common.annotations" ( dict "context" . ) }}