From c6ea5b934a91669b9386958637b21fae127f5d3c Mon Sep 17 00:00:00 2001 From: Khan <503424608@ge.com> Date: Mon, 2 Dec 2024 15:49:21 +0530 Subject: [PATCH 01/14] Add tpl support for certmanager Signed-off-by: Khan <503424608@ge.com> --- deploy/charts/trust-manager/templates/_helpers.tpl | 6 +++++- deploy/charts/trust-manager/values.yaml | 8 +++----- 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/deploy/charts/trust-manager/templates/_helpers.tpl b/deploy/charts/trust-manager/templates/_helpers.tpl index dbb75906..cd180f44 100644 --- a/deploy/charts/trust-manager/templates/_helpers.tpl +++ b/deploy/charts/trust-manager/templates/_helpers.tpl @@ -52,5 +52,9 @@ This gets around an problem within helm discussed here https://github.com/helm/helm/issues/5358 */}} {{- define "trust-manager.namespace" -}} - {{ .Values.namespace | default .Release.Namespace }} + {{- if .Values.app.webhook.tls.approverPolicy.certManagerNamespace -}} + {{ tpl .Values.app.webhook.tls.approverPolicy.certManagerNamespace . }} + {{- else -}} + {{ .Release.Namespace }} + {{- end -}} {{- end -}} diff --git a/deploy/charts/trust-manager/values.yaml b/deploy/charts/trust-manager/values.yaml index 92c9fca1..61933bfa 100644 --- a/deploy/charts/trust-manager/values.yaml +++ b/deploy/charts/trust-manager/values.yaml @@ -200,7 +200,7 @@ app: trust: # The namespace used as the trust source. Note that the namespace _must_ exist # before installing trust-manager. - namespace: cert-manager + namespace: "{{ .Release.Namespace }}" # Add a TPL default securityContext: # If false, disables the default seccomp profile, which might be required to run on certain platforms. @@ -230,7 +230,6 @@ app: ipFamilyPolicy: "" # Sets the families that should be supported and the order in which they should be applied to ClusterIP as well. Can be IPv4 and/or IPv6. ipFamilies: [] - # The nodePort set on the Service used by the webhook. # +docs:property # nodePort: 8080 
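Review bot: The rewritten `trust-manager.namespace` helper drops the `.Values.namespace` override and takes the chart's own namespace from `app.webhook.tls.approverPolicy.certManagerNamespace`, which values.yaml documents as the namespace where cert-manager is installed. webhook.yaml in this series uses the same helper for the webhook's `service.namespace`, so a user who points certManagerNamespace at a separate cert-manager install would also move the Service reference that the webhook configuration (presumably the admission client config) relies on. Keep the two concerns apart: leave this helper as `{{ .Values.namespace | default .Release.Namespace }}` and apply `tpl` only where certManagerNamespace itself is consumed. The helper's doc comment begins above the hunk.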
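Review bot: The new default `"{{ .Release.Namespace }}"` for `app.trust.namespace` only works if every consumer renders it with `tpl`, and this commit adds no such call for that key. The removed lines in patches 11–13 show deployment.yaml, role.yaml and rolebinding.yaml still reading `.Values.app.trust.namespace` directly, so at this commit the literal template text would end up in `--trust-namespace` and in the Role's `metadata.namespace`. The change also silently moves the default trust source from `cert-manager` to the release namespace, which is a behaviour change on upgrade and deserves a line in the description. The trailing `# Add a TPL default` reads as a note to self; the comment block above the key should instead say something like `# This value is rendered with tpl, so it may reference e.g. {{ .Release.Namespace }}.` The same applies to the `certManagerNamespace` hunk at `@@ -247,7 +246,7 @@`.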
@@ -247,7 +246,7 @@ app: enabled: false # The namespace in which cert-manager was installed. Only used if `app.webhook.tls.approverPolicy.enabled` is true. - certManagerNamespace: "cert-manager" + certManagerNamespace: "{{ .Release.Namespace }}" # Add a TPL default # The name of cert-manager's Service Account. Only used if `app.webhook.tls.approverPolicy.enabled` is true. certManagerServiceAccount: "cert-manager" @@ -302,7 +301,6 @@ podDisruptionBudget: # if it is used on the Node where the only remaining trust-manager # Pod is currently running. enabled: false - # This configures the minimum available pods for disruptions. It can either be set to # an integer (e.g. 1) or a percentage value (e.g. 25%). # It cannot be used if `maxUnavailable` is set. @@ -317,5 +315,5 @@ podDisruptionBudget: # +docs:property # maxUnavailable: 1 -# Labels to apply to all resources + # Labels to apply to all resources commonLabels: {} From 927da87be32808ce10f13e4cedf77e23f8093263 Mon Sep 17 00:00:00 2001 From: Khan <503424608@ge.com> Date: Mon, 2 Dec 2024 15:58:07 +0530 Subject: [PATCH 02/14] Add tpl support for certmanager Signed-off-by: Khan <503424608@ge.com> --- deploy/charts/trust-manager/templates/webhook.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/charts/trust-manager/templates/webhook.yaml b/deploy/charts/trust-manager/templates/webhook.yaml index 235857d2..1df0e811 100644 --- a/deploy/charts/trust-manager/templates/webhook.yaml +++ b/deploy/charts/trust-manager/templates/webhook.yaml @@ -110,5 +110,5 @@ webhooks: {{ end }} service: name: {{ include "trust-manager.name" . }} - namespace: {{ include "trust-manager.namespace" . }} + namespace: {{ include "trust-manager.namespace" . }} #Dynamic namespace path: /validate-trust-cert-manager-io-v1alpha1-bundle From 1ba663bce51595886ad5dcb7157c93f4aceeb36a Mon Sep 17 00:00:00 2001 
From: Khan <503424608@ge.com> Date: Mon, 2 Dec 2024 16:42:03 +0530 Subject: [PATCH 03/14] Extend DRY support into trust-manager official Helm chart, Signed-off-by: Asif Khan Signed-off-by: Khan <503424608@ge.com> --- deploy/charts/trust-manager/templates/webhook.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/charts/trust-manager/templates/webhook.yaml b/deploy/charts/trust-manager/templates/webhook.yaml index 1df0e811..235857d2 100644 --- a/deploy/charts/trust-manager/templates/webhook.yaml +++ b/deploy/charts/trust-manager/templates/webhook.yaml @@ -110,5 +110,5 @@ webhooks: {{ end }} service: name: {{ include "trust-manager.name" . }} - namespace: {{ include "trust-manager.namespace" . }} #Dynamic namespace + namespace: {{ include "trust-manager.namespace" . }} path: /validate-trust-cert-manager-io-v1alpha1-bundle From 87ef014c5f00e44bff715b03f5b939dbbf2aaf5e Mon Sep 17 00:00:00 2001 From: Khan <503424608@ge.com> Date: Tue, 3 Dec 2024 12:06:11 +0530 Subject: [PATCH 04/14] Extend DRY support into trust-manager official Helm chart Signed-off-by: Khan <503424608@ge.com> --- deploy/charts/trust-manager/templates/webhook.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/charts/trust-manager/templates/webhook.yaml b/deploy/charts/trust-manager/templates/webhook.yaml index 235857d2..368de2cb 100644 --- a/deploy/charts/trust-manager/templates/webhook.yaml +++ b/deploy/charts/trust-manager/templates/webhook.yaml @@ -111,4 +111,4 @@ webhooks: service: name: {{ include "trust-manager.name" . }} namespace: {{ include "trust-manager.namespace" . }} - path: /validate-trust-cert-manager-io-v1alpha1-bundle + path: /validate-trust-cert-manager-io-v1alpha1-bundle \ No newline at end of file From 56424a767e3732b7edfacb0702e4313530d26ac5 Mon Sep 17 00:00:00 2001 From: Asif-git03 Date: Wed, 18 Dec 2024 18:00:13 +0530 Subject: [PATCH 05/14] Update _helpers.tpl Reverting back changes 
Signed-off-by: Asif-git03 --- deploy/charts/trust-manager/templates/_helpers.tpl | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/deploy/charts/trust-manager/templates/_helpers.tpl b/deploy/charts/trust-manager/templates/_helpers.tpl index cd180f44..dbb75906 100644 --- a/deploy/charts/trust-manager/templates/_helpers.tpl +++ b/deploy/charts/trust-manager/templates/_helpers.tpl @@ -52,9 +52,5 @@ This gets around an problem within helm discussed here https://github.com/helm/helm/issues/5358 */}} {{- define "trust-manager.namespace" -}} - {{- if .Values.app.webhook.tls.approverPolicy.certManagerNamespace -}} - {{ tpl .Values.app.webhook.tls.approverPolicy.certManagerNamespace . }} - {{- else -}} - {{ .Release.Namespace }} - {{- end -}} + {{ .Values.namespace | default .Release.Namespace }} {{- end -}} From 754c72a03e19c42863e406c2f47b3798085c8ef8 Mon Sep 17 00:00:00 2001 From: Asif-git03 Date: Wed, 18 Dec 2024 18:04:17 +0530 Subject: [PATCH 06/14] Update values.yaml Reverting back changes Signed-off-by: Asif-git03 --- deploy/charts/trust-manager/values.yaml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/deploy/charts/trust-manager/values.yaml b/deploy/charts/trust-manager/values.yaml index 61933bfa..8ebfd9bc 100644 --- a/deploy/charts/trust-manager/values.yaml +++ b/deploy/charts/trust-manager/values.yaml @@ -200,7 +200,7 @@ app: trust: # The namespace used as the trust source. Note that the namespace _must_ exist # before installing trust-manager. - namespace: "{{ .Release.Namespace }}" # Add a TPL default + namespace: cert-manager securityContext: # If false, disables the default seccomp profile, which might be required to run on certain platforms. 
@@ -230,6 +230,7 @@ app: ipFamilyPolicy: "" # Sets the families that should be supported and the order in which they should be applied to ClusterIP as well. Can be IPv4 and/or IPv6. ipFamilies: [] + # The nodePort set on the Service used by the webhook. # +docs:property # nodePort: 8080 @@ -245,8 +246,7 @@ app: # Whether to create an approver-policy CertificateRequestPolicy allowing auto-approval of the trust-manager webhook certificate. If you have approver-policy installed, you almost certainly want to enable this. enabled: false - # The namespace in which cert-manager was installed. Only used if `app.webhook.tls.approverPolicy.enabled` is true. - certManagerNamespace: "{{ .Release.Namespace }}" # Add a TPL default + certManagerNamespace: "cert-manager" # The name of cert-manager's Service Account. Only used if `app.webhook.tls.approverPolicy.enabled` is true. certManagerServiceAccount: "cert-manager" @@ -301,6 +301,7 @@ podDisruptionBudget: # if it is used on the Node where the only remaining trust-manager # Pod is currently running. enabled: false + # This configures the minimum available pods for disruptions. It can either be set to # an integer (e.g. 1) or a percentage value (e.g. 25%). # It cannot be used if `maxUnavailable` is set. From 498c5522b3ea67bb9b9dcf70fb6da0bbc0d3f5e1 Mon Sep 17 00:00:00 2001 From: Khan <503424608@ge.com> Date: Thu, 19 Dec 2024 01:50:51 +0530 Subject: [PATCH 07/14] Revert changes to values.yaml, webhook.yaml Signed-off-by: Khan <503424608@ge.com> --- deploy/charts/trust-manager/templates/webhook.yaml | 2 +- deploy/charts/trust-manager/values.yaml | 7 ++++--- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/deploy/charts/trust-manager/templates/webhook.yaml b/deploy/charts/trust-manager/templates/webhook.yaml index 368de2cb..235857d2 100644 --- a/deploy/charts/trust-manager/templates/webhook.yaml +++ b/deploy/charts/trust-manager/templates/webhook.yaml 
@@ -111,4 +111,4 @@ webhooks: service: name: {{ include "trust-manager.name" . }} namespace: {{ include "trust-manager.namespace" . }} - path: /validate-trust-cert-manager-io-v1alpha1-bundle \ No newline at end of file + path: /validate-trust-cert-manager-io-v1alpha1-bundle diff --git a/deploy/charts/trust-manager/values.yaml b/deploy/charts/trust-manager/values.yaml index 8ebfd9bc..92c9fca1 100644 --- a/deploy/charts/trust-manager/values.yaml +++ b/deploy/charts/trust-manager/values.yaml @@ -230,7 +230,7 @@ app: ipFamilyPolicy: "" # Sets the families that should be supported and the order in which they should be applied to ClusterIP as well. Can be IPv4 and/or IPv6. ipFamilies: [] - + # The nodePort set on the Service used by the webhook. # +docs:property # nodePort: 8080 @@ -246,6 +246,7 @@ app: # Whether to create an approver-policy CertificateRequestPolicy allowing auto-approval of the trust-manager webhook certificate. If you have approver-policy installed, you almost certainly want to enable this. enabled: false + # The namespace in which cert-manager was installed. Only used if `app.webhook.tls.approverPolicy.enabled` is true. certManagerNamespace: "cert-manager" # The name of cert-manager's Service Account. Only used if `app.webhook.tls.approverPolicy.enabled` is true. @@ -301,7 +302,7 @@ podDisruptionBudget: # if it is used on the Node where the only remaining trust-manager # Pod is currently running. enabled: false - + # This configures the minimum available pods for disruptions. It can either be set to # an integer (e.g. 1) or a percentage value (e.g. 25%). # It cannot be used if `maxUnavailable` is set. @@ -316,5 +317,5 @@ podDisruptionBudget: # +docs:property # maxUnavailable: 1 - # Labels to apply to all resources +# Labels to apply to all resources commonLabels: {} From 212552cbd30e9862b6f8eba05401601ee6f9ef5b Mon Sep 17 00:00:00 2001 From: Asif-git03 Date: Thu, 19 Dec 2024 01:53:28 +0530 Subject: [PATCH 08/14] Update _helpers.tpl Adding TPL function 
Signed-off-by: Asif-git03 --- deploy/charts/trust-manager/templates/_helpers.tpl | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/deploy/charts/trust-manager/templates/_helpers.tpl b/deploy/charts/trust-manager/templates/_helpers.tpl index dbb75906..c351e82c 100644 --- a/deploy/charts/trust-manager/templates/_helpers.tpl +++ b/deploy/charts/trust-manager/templates/_helpers.tpl @@ -13,6 +13,14 @@ Create chart name and version as used by the chart label. {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} {{- end -}} +{{/* +Get Values.app.trust.namespace as a templated value +*/}} +{{- define "trust-manager.trust.namespace" -}} +{{- tpl .Values.app.trust.namespace . -}} +{{- end -}} + + {{/* Common labels */}} From 92bb0054496f582f13dae3cfaa09215eaff3fc04 Mon Sep 17 00:00:00 2001 From: Asif-git03 Date: Thu, 19 Dec 2024 01:54:07 +0530 Subject: [PATCH 09/14] Update certificate.yaml Adding TPL function Signed-off-by: Asif-git03 --- deploy/charts/trust-manager/templates/certificate.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/charts/trust-manager/templates/certificate.yaml b/deploy/charts/trust-manager/templates/certificate.yaml index d038934a..54b40ff3 100644 --- a/deploy/charts/trust-manager/templates/certificate.yaml +++ b/deploy/charts/trust-manager/templates/certificate.yaml @@ -83,7 +83,7 @@ metadata: roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: trust-manager-policy-role + {{ printf "--trust-namespace=%s" (include "trust-manager.trust.namespace" .) | quote }} subjects: - kind: ServiceAccount name: {{ .Values.app.webhook.tls.approverPolicy.certManagerServiceAccount }} From 5b064f2ce1f6a70ef7efd98b7a679a6db428f7ea Mon Sep 17 00:00:00 2001 From: Asif-git03 Date: Thu, 19 Dec 2024 01:55:23 +0530 Subject: [PATCH 10/14] Update certificate.yaml Adding TPL function 
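Review bot: `tpl .Values.app.trust.namespace .` evaluates the value as a template with the full chart context and uses whatever text comes out as a namespace, with no check that it is set, non-empty or a valid name. Patches 11–13 feed this helper into `--trust-namespace` and into the Role and RoleBinding `metadata.namespace`, so a value that renders empty or to something unexpected would quietly put the trust source and its RBAC somewhere other than intended instead of failing the install. Where the values file comes from a less trusted party than the chart itself, `tpl` also widens what that party can reach through the template context, so the key should be documented as templated in values.yaml. I would make the helper fail fast, along these lines:

```gotemplate
{{- define "trust-manager.trust.namespace" -}}
{{- $ns := tpl (required "app.trust.namespace must be set" .Values.app.trust.namespace) . | trim -}}
{{- if not (regexMatch "^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$" $ns) -}}
{{- fail (printf "app.trust.namespace rendered to %q, which is not a valid namespace name" $ns) -}}
{{- end -}}
{{- $ns -}}
{{- end -}}
```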
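Review bot: This replaces the `name: trust-manager-policy-role` key under `roleRef` with a bare quoted `--trust-namespace=…` string, so the binding no longer names a role and the rendered mapping is not valid YAML. The `printf` line is a container argument that appears to have been pasted into the wrong file; it belongs in deployment.yaml (where patch 11 adds it), and this line should stay `name: trust-manager-policy-role`. Patch 10 restores it, but as committed this step breaks the RBAC template whenever this block is rendered (presumably when the approver-policy integration is enabled), so the two commits would be better squashed. The binding's metadata starts above the hunk.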
Signed-off-by: Asif-git03 --- deploy/charts/trust-manager/templates/certificate.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/deploy/charts/trust-manager/templates/certificate.yaml b/deploy/charts/trust-manager/templates/certificate.yaml index 54b40ff3..69a18e75 100644 --- a/deploy/charts/trust-manager/templates/certificate.yaml +++ b/deploy/charts/trust-manager/templates/certificate.yaml @@ -83,11 +83,11 @@ metadata: roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - {{ printf "--trust-namespace=%s" (include "trust-manager.trust.namespace" .) | quote }} + name: trust-manager-policy-role subjects: - kind: ServiceAccount name: {{ .Values.app.webhook.tls.approverPolicy.certManagerServiceAccount }} - namespace: {{ .Values.app.webhook.tls.approverPolicy.certManagerNamespace }} + namespace: {{ tpl .Values.app.webhook.tls.approverPolicy.certManagerNamespace . }} {{ end }} From c0ede8049b05dbd360a3ccb4f89b518e312c4e1f Mon Sep 17 00:00:00 2001 From: Asif-git03 Date: Thu, 19 Dec 2024 01:55:56 +0530 Subject: [PATCH 11/14] Update deployment.yaml Adding TPL function Signed-off-by: Asif-git03 --- deploy/charts/trust-manager/templates/deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/charts/trust-manager/templates/deployment.yaml b/deploy/charts/trust-manager/templates/deployment.yaml index 27e742b1..8227a4a2 100644 --- a/deploy/charts/trust-manager/templates/deployment.yaml +++ b/deploy/charts/trust-manager/templates/deployment.yaml @@ -83,7 +83,7 @@ spec: - "--leader-election-lease-duration={{.Values.app.leaderElection.leaseDuration}}" - "--leader-election-renew-deadline={{.Values.app.leaderElection.renewDeadline}}" # trust - - "--trust-namespace={{.Values.app.trust.namespace}}" + - {{ printf "--trust-namespace=%s" (include "trust-manager.trust.namespace" .) | quote }} # webhook - "--webhook-host={{.Values.app.webhook.host}}" - "--webhook-port={{.Values.app.webhook.port}}" 
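Review bot: The subject namespace of this ClusterRole binding is now whatever `tpl` renders from `certManagerNamespace`, written unquoted and unchecked. If it renders empty or to the wrong namespace, `trust-manager-policy-role` ends up bound to a ServiceAccount with the `certManagerServiceAccount` name in a namespace nobody intended. Handle it the way the trust namespace is handled, through a named helper that calls `required` before `tpl`, and emit it quoted, e.g. `namespace: {{ include "trust-manager.certManagerNamespace" . | quote }}` (the helper name is only a suggestion). `certManagerServiceAccount` on the line above remains a plain value, so either template both keys or document why only the namespace is templated. The unquoted-output point applies equally to the `metadata.namespace` lines changed in patches 12 and 13 (role.yaml, rolebinding.yaml).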
From d1d7b4d02384bf8d6275e344b0358b43e46f91de Mon Sep 17 00:00:00 2001 From: Asif-git03 Date: Thu, 19 Dec 2024 01:56:27 +0530 Subject: [PATCH 12/14] Update role.yaml Adding TPL function Signed-off-by: Asif-git03 --- deploy/charts/trust-manager/templates/role.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/charts/trust-manager/templates/role.yaml b/deploy/charts/trust-manager/templates/role.yaml index 2ba9eb6b..e38cc05c 100644 --- a/deploy/charts/trust-manager/templates/role.yaml +++ b/deploy/charts/trust-manager/templates/role.yaml @@ -2,7 +2,7 @@ kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: name: {{ include "trust-manager.name" . }} - namespace: {{ .Values.app.trust.namespace }} + namespace: {{ include "trust-manager.trust.namespace" . }} labels: {{- include "trust-manager.labels" . | nindent 4 }} rules: From 4472190c69bdf24359d2f9357e5bf04bc3e4a83b Mon Sep 17 00:00:00 2001 From: Asif-git03 Date: Thu, 19 Dec 2024 01:56:54 +0530 Subject: [PATCH 13/14] Update rolebinding.yaml Adding TPL function Signed-off-by: Asif-git03 --- deploy/charts/trust-manager/templates/rolebinding.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/charts/trust-manager/templates/rolebinding.yaml b/deploy/charts/trust-manager/templates/rolebinding.yaml index 7425ed08..34a8f3fc 100644 --- a/deploy/charts/trust-manager/templates/rolebinding.yaml +++ b/deploy/charts/trust-manager/templates/rolebinding.yaml @@ -2,7 +2,7 @@ kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: {{ include "trust-manager.name" . }} - namespace: {{ .Values.app.trust.namespace }} + namespace: {{ include "trust-manager.trust.namespace" . }} labels: {{- include "trust-manager.labels" . | nindent 4 }} roleRef: From e732f578f91bb1668f17fa7b8ad790bd4fd5ce8e Mon Sep 17 00:00:00 2001 From: Asif-git03 Date: Thu, 19 Dec 2024 01:57:38 +0530 Subject: [PATCH 14/14] Update _helpers.tpl Adding TPL function 
Signed-off-by: Asif-git03 --- deploy/charts/trust-manager/templates/_helpers.tpl | 1 - 1 file changed, 1 deletion(-) diff --git a/deploy/charts/trust-manager/templates/_helpers.tpl b/deploy/charts/trust-manager/templates/_helpers.tpl index c351e82c..7407c446 100644 --- a/deploy/charts/trust-manager/templates/_helpers.tpl +++ b/deploy/charts/trust-manager/templates/_helpers.tpl @@ -20,7 +20,6 @@ Get Values.app.trust.namespace as a templated value {{- tpl .Values.app.trust.namespace . -}} {{- end -}} - {{/* Common labels */}}