diff --git a/charts/keptn-cert-manager/.helmignore b/charts/keptn-cert-manager/.helmignore
new file mode 100644
index 0000000..0e8a0eb
--- /dev/null
+++ b/charts/keptn-cert-manager/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/keptn-cert-manager/Chart.yaml b/charts/keptn-cert-manager/Chart.yaml
new file mode 100644
index 0000000..9d7b8db
--- /dev/null
+++ b/charts/keptn-cert-manager/Chart.yaml
@@ -0,0 +1,44 @@
+apiVersion: v2
+name: keptn-cert-manager
+description: A Helm chart for Keptn Certificate Manager, a subproject of Keptn
+icon: "https://raw.githubusercontent.com/cncf/artwork/master/projects/keptn/icon/color/keptn-icon-color.svg"
+home: https://keptn.sh
+sources:
+ - "https://github.com/keptn/lifecycle-toolkit"
+keywords:
+ - cloud-native
+ - keptn
+annotations:
+ artifacthub.io/links: |
+ - name: support
+ url: https://github.com/keptn/lifecycle-toolkit/issues/new
+ - name: community
+ url: https://slack.keptn.sh/
+ artifacthub.io/license: "Apache-2.0"
+ artifacthub.io/operator: "true"
+
+kubeVersion: ">= 1.24.0-0"
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.2.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "v1.2.0" # x-release-please-version
+dependencies:
+ - name: common
+ repository: "https://charts.lifecycle.keptn.sh"
+ version: 0.1.0
diff --git a/charts/keptn-cert-manager/README.md b/charts/keptn-cert-manager/README.md
new file mode 100644
index 0000000..fd7b0c3
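Review bot: The `dependencies` entry pins `common` to `0.1.0` from `https://charts.lifecycle.keptn.sh`, but no Chart.lock is part of this diff, so `helm dependency build` has no recorded digest to verify the fetched subchart against and resolves it at build time instead. If a Chart.lock is committed outside this diff this can be ignored; otherwise commit one so the subchart is integrity-checked. A one-line comment above `dependencies:` such as `# lock file: Chart.lock (regenerate with helm dependency update)` would make the expectation visible to the next person bumping the version.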
--- /dev/null
+++ b/charts/keptn-cert-manager/README.md
@@ -0,0 +1,43 @@
+# Keptn Certificate Manager
+
+Keptn Certificate Manager handles certificates for Keptn but can also handle certs for any other Kubernetes
+resource.
+
+
+## Parameters
+
+### Global parameters
+
+| Name | Description | Value |
+| -------------------------- | ------------------------------------------------------------------------- | ----- |
+| `global.imageRegistry` | Global container image registry | `""` |
+| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` |
+| `global.commonLabels` | Common annotations to add to all Keptn resources. Evaluated as a template | `{}` |
+| `global.commonAnnotations` | Common annotations to add to all Keptn resources. Evaluated as a template | `{}` |
+
+### Keptn Certificate Operator common
+
+| Name | Description | Value |
+| --------------------------- | ---------------------------------------------- | --------------- |
+| `nodeSelector` | specify custom node selectors for cert manager | `{}` |
+| `replicas` | customize number of replicas | `1` |
+| `tolerations` | customize tolerations for cert manager | `[]` |
+| `topologySpreadConstraints` | add topology constraints for cert manager | `[]` |
+| `kubernetesClusterDomain` | overrides cluster.local | `cluster.local` |
+| `annotations` | add deployment level annotations | `{}` |
+| `podAnnotations` | adds pod level annotations | `{}` |
+
+### Keptn Certificate Operator controller
+
+| Name | Description | Value |
+| -------------------------- | ------------------------------------------------------------------------- | ---------------------------- |
+| `containerSecurityContext` | Sets security context for the cert manager | |
+| `env.labelSelectorKey` | specify the label selector to find resources to generate certificates for | `keptn.sh/inject-cert` |
+| `env.labelSelectorValue` | specify the value for the label selector | `true` |
+| `image.registry` | specify the container registry for the certificate-operator image | `ghcr.io` |
+| `image.repository` | specify repo for manager image | `keptn/certificate-operator` |
+| `image.tag` | select tag for manager container | `v1.2.0` |
+| `imagePullPolicy` | select image pull policy for manager container | `Always` |
+| `livenessProbe` | custom RBAC proxy liveness probe | |
+| `readinessProbe` | custom manager readiness probe | |
+| `resources` | custom limits and requests for manager container | |
diff --git a/charts/keptn-cert-manager/templates/certificate-operator-leader-election-rbac.yaml b/charts/keptn-cert-manager/templates/certificate-operator-leader-election-rbac.yaml
new file mode 100644
index 0000000..59b0dc1
--- /dev/null
+++ b/charts/keptn-cert-manager/templates/certificate-operator-leader-election-rbac.yaml
@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: certificate-operator-leader-election-rolebinding
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ app.kubernetes.io/component: rbac
+ app.kubernetes.io/created-by: certificate-operator
+ app.kubernetes.io/part-of: keptn-lifecycle-toolkit
+ {{- include "common.labels.standard" (dict "context" .) | nindent 4 }}
+ {{- include "common.annotations" ( dict "context" . ) }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: 'leader-election-role'
+subjects:
+- kind: ServiceAccount
+ name: 'certificate-operator'
+ namespace: '{{ .Release.Namespace }}'
diff --git a/charts/keptn-cert-manager/templates/certificate-operator-rbac.yaml b/charts/keptn-cert-manager/templates/certificate-operator-rbac.yaml
new file mode 100644
index 0000000..2eb36ff
--- /dev/null
+++ b/charts/keptn-cert-manager/templates/certificate-operator-rbac.yaml
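Review bot: The RoleBinding's `roleRef` points at a Role named `leader-election-role`, but no Role with that name is defined anywhere in this diff (certificate-operator-rbac.yaml only defines `certificate-operator-role`), so unless that Role is rendered by another template or by the `common` subchart the binding dangles and the `--leader-elect` flag set in deployment.yaml will fail on Lease access. If it is provided elsewhere, a comment such as `# leader-election-role is rendered by <TEMPLATE-NAME>` above `roleRef:` would spare the next reader the search. Separately, `subjects[].namespace` is written as `'{{ .Release.Namespace }}'` while `metadata.namespace` uses `{{ .Release.Namespace | quote }}`; the same mix appears in certificate-operator-role-binding-rbac.yaml and certificate-operator-rbac.yaml, and using `| quote` throughout keeps the rendered output uniform.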
@@ -0,0 +1,93 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: certificate-operator-role
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ {{- include "common.labels.standard" (dict "context" . ) | nindent 4 }}
+ {{- include "common.annotations" ( dict "context" . ) }}
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - create
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resourceNames:
+ - keptn-certs
+ resources:
+ - secrets
+ verbs:
+ - get
+ - patch
+ - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: certificate-operator-role
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ {{- include "common.labels.standard" (dict "context" .) | nindent 4 }}
+rules:
+- apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - mutatingwebhookconfigurations
+ verbs:
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - validatingwebhookconfigurations
+ verbs:
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - apps
+ resources:
+ - deployments
+ verbs:
+ - get
+ - list
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: certificate-operator-rolebinding
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ app.kubernetes.io/component: rbac
+ app.kubernetes.io/created-by: certificate-operator
+ app.kubernetes.io/part-of: keptn-lifecycle-toolkit
+ {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" . ) | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: 'certificate-operator-role'
+subjects:
+- kind: ServiceAccount
+ name: 'certificate-operator'
+ namespace: '{{ .Release.Namespace }}'
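Review bot: The Role's first rule grants `list` and `watch` on all `secrets` in the namespace, and plain list/watch requests are not narrowed by `resourceNames`, so the operator can read the contents of every Secret in its namespace even though get/patch/update are correctly limited to `keptn-certs`; if that namespace-wide read is needed (presumably for the informer cache), a comment above the rule such as `# list/watch cannot be scoped by resourceNames; the controller sees every Secret in this namespace` documents the accepted exposure, and a field selector on the informer would be the way to reduce it. `metadata.namespace` is also set on the ClusterRole and on the ClusterRoleBinding, which are cluster-scoped, so the field is meaningless there and should be dropped. Finally, the ClusterRoleBinding passes `"customLabels" .Values.commonLabels`, but values.yaml in this diff only defines `global.commonLabels`, so that argument is always empty; the other resources omit it, and `{{- include "common.labels.standard" ( dict "context" . ) | nindent 4 }}` would be consistent with them.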
diff --git a/charts/keptn-cert-manager/templates/certificate-operator-role-binding-rbac.yaml b/charts/keptn-cert-manager/templates/certificate-operator-role-binding-rbac.yaml
new file mode 100644
index 0000000..2597f8d
--- /dev/null
+++ b/charts/keptn-cert-manager/templates/certificate-operator-role-binding-rbac.yaml
@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: certificate-operator-role-binding
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ app.kubernetes.io/component: rbac
+ app.kubernetes.io/created-by: certificate-operator
+ app.kubernetes.io/part-of: keptn-lifecycle-toolkit
+ {{- include "common.labels.standard" ( dict "context" . ) | nindent 4 }}
+ {{- include "common.annotations" ( dict "context" . ) }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: 'certificate-operator-role'
+subjects:
+- kind: ServiceAccount
+ name: 'certificate-operator'
+ namespace: '{{ .Release.Namespace }}'
diff --git a/charts/keptn-cert-manager/templates/deployment.yaml b/charts/keptn-cert-manager/templates/deployment.yaml
new file mode 100644
index 0000000..9454ce2
--- /dev/null
+++ b/charts/keptn-cert-manager/templates/deployment.yaml
@@ -0,0 +1,95 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: certificate-operator
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ app.kubernetes.io/component: keptn-cert-manager
+ app.kubernetes.io/part-of: keptn-lifecycle-toolkit
+ control-plane: certificate-operator
+ {{- include "common.labels.standard" ( dict "context" . ) | nindent 4 }}
+ {{- include "common.annotations" ( dict "context" . ) }}
+spec:
+ replicas: {{ .Values.replicas }}
+ selector:
+ matchLabels:
+ control-plane: certificate-operator
+{{- include "common.selectorLabels" ( dict "context" . ) | nindent 6 }}
+ template:
+ metadata:
+ labels:
+ control-plane: certificate-operator
+{{- include "common.selectorLabels" ( dict "context" . ) | nindent 8 }}
+ annotations:
+ kubectl.kubernetes.io/default-container: certificate-operator
+ {{- if .Values.podAnnotations }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.podAnnotations "context" $) | nindent 8 }}
+ {{- end }}
+ spec:
+ containers:
+ - args:
+ - --leader-elect
+ command:
+ - /manager
+ env:
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: LABEL_SELECTOR_KEY
+ value: {{ .Values.env.labelSelectorKey | quote }}
+ - name: LABEL_SELECTOR_VALUE
+ value: {{ .Values.env.labelSelectorValue | quote }}
+ - name: KUBERNETES_CLUSTER_DOMAIN
+ value: {{ .Values.kubernetesClusterDomain }}
+ image: {{- include "common.images.image" ( dict "imageRoot" .Values.image "global" .Values.global ) | indent 1}}
+ imagePullPolicy: {{ .Values.imagePullPolicy }}
+ name: certificate-operator
+ resources: {{- toYaml .Values.resources | nindent 12 }}
+ securityContext:
+ allowPrivilegeEscalation: {{ .Values.containerSecurityContext.allowPrivilegeEscalation
+ }}
+ capabilities: {{- include "common.tplvalues.render" (dict "value" .Values.containerSecurityContext.capabilities "context" $) | nindent 14 }}
+ readOnlyRootFilesystem: {{ .Values.containerSecurityContext.readOnlyRootFilesystem
+ }}
+ runAsGroup: {{ .Values.containerSecurityContext.runAsGroup
+ }}
+ runAsUser: {{ .Values.containerSecurityContext.runAsUser
+ }}
+ seccompProfile: {{- include "common.tplvalues.render" (dict "value" .Values.containerSecurityContext.seccompProfile
+ "context" $) | nindent 14 }}
+ {{- if .Values.livenessProbe }}
+ livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.livenessProbe "context" $) | nindent 12 }}
+ {{- else }}
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 8081
+ initialDelaySeconds: 15
+ periodSeconds: 20
+ {{- end }}
+ {{- if .Values.readinessProbe }}
+ readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.readinessProbe "context" $) | nindent 12 }}
+ {{- else }}
+ readinessProbe:
+ httpGet:
+ path: /readyz
+ port: 8081
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ {{- end }}
+ imagePullSecrets: {{- include "common.images.imagePullSecrets" . }}
+ securityContext:
+ runAsNonRoot: true
+ serviceAccountName: certificate-operator
+ terminationGracePeriodSeconds: 10
+{{- if .Values.topologySpreadConstraints }}
+ topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.topologySpreadConstraints "context" $) | nindent 8 }}
+{{- end }}
+{{- if .Values.nodeSelector }}
+ nodeSelector: {{- include "common.tplvalues.render" ( dict "value" .Values.nodeSelector "context" $) | nindent 8 }}
+{{- end }}
+{{- if .Values.tolerations }}
+ tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.tolerations "context" .) | nindent 8 }}
+{{- end }}
diff --git a/charts/keptn-cert-manager/templates/service-account.yaml b/charts/keptn-cert-manager/templates/service-account.yaml
new file mode 100644
index 0000000..e465673
--- /dev/null
+++ b/charts/keptn-cert-manager/templates/service-account.yaml
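Review bot: `value: {{ .Values.kubernetesClusterDomain }}` for `KUBERNETES_CLUSTER_DOMAIN` is the only env entry rendered without `| quote`; the two entries above it quote their values, and an EnvVar `value` must be a string, so a user-supplied override that YAML types as a number or boolean would be rejected by the API server — `value: {{ .Values.kubernetesClusterDomain | quote }}` matches the others. The chart also documents `annotations` as deployment-level annotations (values.yaml and README.md in this diff), but this template never reads `.Values.annotations`; only `podAnnotations` is rendered, so either render it under `metadata` or drop the value. The container defaults coming from `containerSecurityContext` (drop ALL, read-only root filesystem, non-root UID/GID, RuntimeDefault seccomp) are sound; a comment above `securityContext:` such as `# hardened defaults live in values.yaml containerSecurityContext; they are @skip-ped from the README on purpose` would tell reviewers where to look, since the README table leaves that cell empty.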
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: certificate-operator
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ app.kubernetes.io/component: rbac
+ app.kubernetes.io/part-of: keptn-lifecycle-toolkit
+ {{- include "common.labels.standard" ( dict "context" $ ) | nindent 4 }}
+ {{- include "common.annotations" ( dict "context" . ) }}
diff --git a/charts/keptn-cert-manager/values.yaml b/charts/keptn-cert-manager/values.yaml
new file mode 100644
index 0000000..1617d15
--- /dev/null
+++ b/charts/keptn-cert-manager/values.yaml
@@ -0,0 +1,108 @@
+## @section Global parameters
+## Please, note that this will override the image parameters, including dependencies, configured to use the global value
+## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass
+
+##
+global:
+ ## @param global.imageRegistry Global container image registry
+ imageRegistry: ""
+
+ ## @param global.imagePullSecrets Global Docker registry secret names as an array
+ ## E.g.
+ ## imagePullSecrets:
+ ## - myRegistryKeySecretName
+ ##
+ imagePullSecrets: []
+ ## @param global.commonLabels Common annotations to add to all Keptn resources. Evaluated as a template
+ commonLabels: {}
+ ## @param global.commonAnnotations Common annotations to add to all Keptn resources. Evaluated as a template
+ commonAnnotations: {}
+
+
+# yamllint disable rule:line-length
+## @section Keptn Certificate Operator common
+## @param nodeSelector specify custom node selectors for cert manager
+nodeSelector: {}
+## @param replicas customize number of replicas
+replicas: 1
+## @param tolerations customize tolerations for cert manager
+tolerations: []
+## @param topologySpreadConstraints add topology constraints for cert manager
+topologySpreadConstraints: []
+
+## @param kubernetesClusterDomain overrides cluster.local
+kubernetesClusterDomain: cluster.local
+## @param annotations add deployment level annotations
+annotations: {}
+## @param podAnnotations adds pod level annotations
+podAnnotations: {}
+
+## @section Keptn Certificate Operator controller
+## @extra containerSecurityContext Sets security context for the cert manager
+## @skip containerSecurityContext.allowPrivilegeEscalation
+## @skip containerSecurityContext.capabilities.drop
+## @skip containerSecurityContext.readOnlyRootFilesystem
+## @skip containerSecurityContext.runAsGroup
+## @skip containerSecurityContext.runAsUser
+## @skip containerSecurityContext.seccompProfile.type
+containerSecurityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsGroup: 65532
+ runAsUser: 65532
+ seccompProfile:
+ type: RuntimeDefault
+env:
+## @param env.labelSelectorKey specify the label selector to find resources to generate certificates for
+ labelSelectorKey: keptn.sh/inject-cert
+## @param env.labelSelectorValue specify the value for the label selector
+ labelSelectorValue: "true"
+image:
+## @param image.registry specify the container registry for the certificate-operator image
+ registry: ghcr.io
+## @param image.repository specify repo for manager image
+ repository: keptn/certificate-operator
+## @param image.tag select tag for manager container
+ tag: v1.2.0 # x-release-please-version
+## @param imagePullPolicy select image pull policy for manager container
+imagePullPolicy: Always
+
+## @extra livenessProbe custom RBAC proxy liveness probe
+## @skip livenessProbe.httpGet.path
+## @skip livenessProbe.httpGet.port
+## @skip livenessProbe.initialDelaySeconds
+## @skip livenessProbe.periodSeconds
+livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 8081
+ initialDelaySeconds: 15
+ periodSeconds: 20
+
+## @extra readinessProbe custom manager readiness probe
+## @skip readinessProbe.httpGet.path
+## @skip readinessProbe.httpGet.port
+## @skip readinessProbe.initialDelaySeconds
+## @skip readinessProbe.periodSeconds
+readinessProbe:
+ httpGet:
+ path: /readyz
+ port: 8081
+ initialDelaySeconds: 5
+ periodSeconds: 10
+
+## @extra resources custom limits and requests for manager container
+## @skip resources.limits.cpu
+## @skip resources.limits.memory
+## @skip resources.requests.cpu
+## @skip resources.requests.memory
+resources:
+ limits:
+ cpu: 25m
+ memory: 64Mi
+ requests:
+ cpu: 5m
+ memory: 16Mi
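Review bot: The `@param global.commonLabels` description reads "Common annotations to add to all Keptn resources", a copy of the `commonAnnotations` line beneath it, and the `@extra livenessProbe` description says "custom RBAC proxy liveness probe" although deployment.yaml in this diff has no kube-rbac-proxy container and the probe targets the manager's `/healthz` on port 8081; both texts are reproduced verbatim in README.md, so fix them here and regenerate the table. Suggested wording: `## @param global.commonLabels Common labels to add to all Keptn resources. Evaluated as a template` and `## @extra livenessProbe custom manager liveness probe`. The `# yamllint disable rule:line-length` directive before the common section is never re-enabled, so it silences the rule for the remainder of the file; pairing it with `# yamllint enable rule:line-length` after the long `@param` lines keeps the check active for the rest. The image is referenced by `registry`/`repository`/`tag` only; if the `common.images.image` helper from the `common` subchart supports a `digest` key (I cannot tell from this diff), exposing `image.digest: ""` would let operators pin the controller by digest instead of a mutable tag pulled with `imagePullPolicy: Always`.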