feat: use cert-manager certificates by default (#1818)
* fix(controller): decode old object for delete requests Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * chore: modernize golang Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * chore: modernize golang Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * chore: modernize golang Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * feat(helm): use cert-manager certificates by default Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * chore: move dependencies to trackable resources Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * chore: move dependencies to trackable resources Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * chore: move dependencies to trackable resources Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * chore: move dependencies to trackable resources Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * chore: move dependencies to trackable resources Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * chore: move dependencies to trackable resources Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> --------- Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>
26
Makefile
26
Makefile
@@ -99,9 +99,7 @@ helm-test: kind
|
||||
helm-test-exec: ct helm-controller-version ko-build-all
|
||||
$(MAKE) e2e-load-image CLUSTER_NAME=capsule-charts IMAGE=$(CAPSULE_IMG) VERSION=v0.0.0
|
||||
@$(KUBECTL) create ns capsule-system || true
|
||||
@$(KUBECTL) apply --force-conflicts --server-side=true -f https://github.com/grafana/grafana-operator/releases/download/v5.18.0/crds.yaml
|
||||
@$(KUBECTL) apply --force-conflicts --server-side=true -f https://github.com/cert-manager/cert-manager/releases/download/v1.9.1/cert-manager.crds.yaml
|
||||
@$(KUBECTL) apply --force-conflicts --server-side=true -f https://github.com/prometheus-operator/prometheus-operator/releases/download/v0.58.0/bundle.yaml
|
||||
$(MAKE) dev-install-deps
|
||||
@$(CT) install --config $(SRC_ROOT)/.github/configs/ct.yaml --namespace=capsule-system --all --debug
|
||||
|
||||
# Setup development env
|
||||
@@ -113,12 +111,27 @@ dev-build: kind
|
||||
dev-destroy: kind
|
||||
$(KIND) delete cluster --name capsule
|
||||
|
||||
dev-install-deps: dev-setup-fluxcd dev-setup-cert-manager dev-install-gw-api-crds dev-install-grafana-operator-crds dev-install-prometheus-crds wait-for-helmreleases
|
||||
|
||||
API_GW := none
|
||||
API_GW_VERSION := v1.3.0
|
||||
API_GW_LOOKUP := kubernetes-sigs/gateway-api
|
||||
dev-install-deps:
|
||||
dev-install-gw-api-crds:
|
||||
@$(KUBECTL) apply --force-conflicts --server-side=true -f https://github.com/$(API_GW_LOOKUP)/releases/download/$(API_GW_VERSION)/standard-install.yaml
|
||||
|
||||
GRAFANA := none
|
||||
GRAFANA_VERSION := v5.18.0
|
||||
GRAFANA_LOOKUP := grafana/grafana-operator
|
||||
dev-install-grafana-operator-crds:
|
||||
@$(KUBECTL) apply --force-conflicts --server-side=true -f https://github.com/grafana/grafana-operator/releases/download/$(GRAFANA_VERSION)/crds.yaml
|
||||
|
||||
PROMETHEUS := none
|
||||
PROMETHEUS_VERSION := v0.58.0
|
||||
PROMETHEUS_LOOKUP := prometheus-operator/prometheus-operator
|
||||
dev-install-prometheus-crds:
|
||||
@$(KUBECTL) apply --force-conflicts --server-side=true -f https://github.com/prometheus-operator/prometheus-operator/releases/download/$(PROMETHEUS_VERSION)/bundle.yaml
|
||||
|
||||
|
||||
# Usage:
|
||||
# LAPTOP_HOST_IP=<YOUR_LAPTOP_IP> make dev-setup
|
||||
# For example:
|
||||
@@ -191,9 +204,13 @@ dev-setup-argocd: dev-setup-fluxcd
|
||||
@printf " \033[1mkubectl get secret -n argocd argocd-initial-admin-secret -o jsonpath='{.data.password}' | base64 -d\033[0m\n\n"
|
||||
@printf " \033[1mkubectl port-forward svc/argocd-server 9091:80 -n argocd\033[0m\n\n"
|
||||
|
||||
dev-setup-cert-manager:
|
||||
@$(KUBECTL) kustomize --load-restrictor='LoadRestrictionsNone' hack/distro/cert-manager | envsubst | kubectl apply -f -
|
||||
|
||||
dev-setup-fluxcd:
|
||||
@$(KUBECTL) kustomize --load-restrictor='LoadRestrictionsNone' hack/distro/fluxcd | envsubst | kubectl apply -f -
|
||||
|
||||
|
||||
# Here to setup the current capsule version
|
||||
# Intended to test updates to new version
|
||||
dev-setup-capsule: dev-setup-fluxcd
|
||||
@@ -307,6 +324,7 @@ e2e-install: ko-build-all
|
||||
--install \
|
||||
--namespace capsule-system \
|
||||
--create-namespace \
|
||||
--set 'replicaCount=2'\
|
||||
--set 'manager.image.pullPolicy=Never' \
|
||||
--set 'manager.resources=null'\
|
||||
--set "manager.image.tag=$(VERSION)" \
|
||||
|
||||
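Review bot: `dev-install-deps` lists `dev-setup-cert-manager` next to `dev-setup-fluxcd` as sibling prerequisites, but the cert-manager recipe applies a Flux `HelmRelease`/`HelmRepository` and therefore needs the Flux CRDs that `dev-setup-fluxcd` installs; Make does not order sibling prerequisites under `-j`, so a parallel run can fail with "no matches for kind HelmRelease". The file already encodes this edge for the other Flux consumers (`dev-setup-argocd: dev-setup-fluxcd`, `dev-setup-capsule: dev-setup-fluxcd`), so add `dev-setup-cert-manager: dev-setup-fluxcd` and most likely the same for `wait-for-helmreleases`, whose definition is outside this diff. Separately, `GRAFANA_LOOKUP` and `PROMETHEUS_LOOKUP` are introduced but their apply lines hard-code the repository path, unlike the Gateway target; use `https://github.com/$(GRAFANA_LOOKUP)/releases/download/$(GRAFANA_VERSION)/crds.yaml` and the matching `$(PROMETHEUS_LOOKUP)` form so the pin lives in one place (`GRAFANA := none` and `PROMETHEUS := none` appear unused in what is visible). The new cert-manager recipe also pipes into a bare `kubectl apply` rather than `$(KUBECTL)`, mirroring the existing fluxcd line, which lets whatever kubectl is first on PATH perform the apply instead of the project-pinned binary.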
@@ -67,7 +67,7 @@ The following Values have changed key or Value:
|
||||
|-----|------|---------|-------------|
|
||||
| affinity | object | `{}` | Set affinity rules for the Capsule pod |
|
||||
| certManager.additionalSANS | list | `[]` | Specify additional SANS to add to the certificate |
|
||||
| certManager.generateCertificates | bool | `false` | Specifies whether capsule webhooks certificates should be generated using cert-manager |
|
||||
| certManager.generateCertificates | bool | `true` | Specifies whether capsule webhooks certificates should be generated using cert-manager |
|
||||
| customAnnotations | object | `{}` | Additional annotations which will be added to all resources created by Capsule helm chart |
|
||||
| customLabels | object | `{}` | Additional labels which will be added to all resources created by Capsule helm chart |
|
||||
| extraManifests | list | `[]` | Array of additional resources to be created alongside Capsule helm chart |
|
||||
@@ -89,8 +89,8 @@ The following Values have changed key or Value:
|
||||
| serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
|
||||
| serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |
|
||||
| serviceAccount.name | string | `""` | The name of the service account to use. If not set and `serviceAccount.create=true`, a name is generated using the fullname template |
|
||||
| tls.create | bool | `true` | When cert-manager is disabled, Capsule will generate the TLS certificate for webhook and CRDs conversion. |
|
||||
| tls.enableController | bool | `true` | Start the Capsule controller that injects the CA into mutating and validating webhooks, and CRD as well. |
|
||||
| tls.create | bool | `false` | When cert-manager is disabled, Capsule will generate the TLS certificate for webhook and CRDs conversion. |
|
||||
| tls.enableController | bool | `false` | Start the Capsule controller that injects the CA into mutating and validating webhooks, and CRD as well. |
|
||||
| tls.name | string | `""` | Override name of the Capsule TLS Secret name when externally managed. |
|
||||
| tolerations | list | `[]` | Set list of tolerations for the Capsule pod |
|
||||
| topologySpreadConstraints | list | `[]` | Set topology spread constraints for the Capsule pod |
|
||||
|
||||
4
charts/capsule/ci/ha-values.yaml
Normal file
4
charts/capsule/ci/ha-values.yaml
Normal file
@@ -0,0 +1,4 @@
|
||||
replicaCount: 2
|
||||
manager:
|
||||
extraArgs:
|
||||
- "--enable-leader-election=true"
|
||||
@@ -83,9 +83,9 @@ crds:
|
||||
# Secret Options
|
||||
tls:
|
||||
# -- Start the Capsule controller that injects the CA into mutating and validating webhooks, and CRD as well.
|
||||
enableController: true
|
||||
enableController: false
|
||||
# -- When cert-manager is disabled, Capsule will generate the TLS certificate for webhook and CRDs conversion.
|
||||
create: true
|
||||
create: false
|
||||
# -- Override name of the Capsule TLS Secret name when externally managed.
|
||||
name: ""
|
||||
|
||||
@@ -320,7 +320,7 @@ serviceAccount:
|
||||
|
||||
certManager:
|
||||
# -- Specifies whether capsule webhooks certificates should be generated using cert-manager
|
||||
generateCertificates: false
|
||||
generateCertificates: true
|
||||
# -- Specify additional SANS to add to the certificate
|
||||
additionalSANS: []
|
||||
# -- Additional labels which will be added to all resources created by Capsule helm chart
|
||||
|
||||
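Review bot: Flipping `certManager.generateCertificates` to `true` while `tls.create` and `tls.enableController` now default to `false` makes cert-manager a hard install-time prerequisite, and neither inline comment says so: on a cluster without cert-manager the chart's Certificate/Issuer objects (presumably rendered only when this flag is set; the templates are outside this diff) fail with "no matches for kind", and the webhook is left without a serving certificate. Document it on the flag, e.g. `# -- Requires cert-manager (CRDs and controller) to be present before installing; set to false together with tls.create=true and tls.enableController=true to use Capsule's built-in certificate controller instead.` It is also an upgrade hazard for existing releases that relied on the old defaults: if the TLS Secret is templated only when `tls.create` is true, a `helm upgrade` with default values removes it and the CA-injection controller stops, breaking the webhooks until cert-manager issues a certificate; that deserves a line in the chart's changed-values section as well.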
4
hack/distro/cert-manager/kustomization.yaml
Normal file
4
hack/distro/cert-manager/kustomization.yaml
Normal file
@@ -0,0 +1,4 @@
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- release.flux.yaml
|
||||
42
hack/distro/cert-manager/release.flux.yaml
Normal file
42
hack/distro/cert-manager/release.flux.yaml
Normal file
@@ -0,0 +1,42 @@
|
||||
---
|
||||
apiVersion: helm.toolkit.fluxcd.io/v2
|
||||
kind: HelmRelease
|
||||
metadata:
|
||||
name: cert-manager
|
||||
namespace: flux-system
|
||||
spec:
|
||||
serviceAccountName: kustomize-controller
|
||||
interval: 15s
|
||||
timeout: 10m
|
||||
targetNamespace: cert-manager
|
||||
releaseName: "cert-manager"
|
||||
chart:
|
||||
spec:
|
||||
chart: cert-manager
|
||||
version: "1.19.2"
|
||||
sourceRef:
|
||||
kind: HelmRepository
|
||||
name: cert-manager
|
||||
interval: 24h
|
||||
install:
|
||||
createNamespace: true
|
||||
remediation:
|
||||
retries: -1
|
||||
upgrade:
|
||||
remediation:
|
||||
remediateLastFailure: true
|
||||
retries: -1
|
||||
driftDetection:
|
||||
mode: enabled
|
||||
values:
|
||||
crds:
|
||||
enabled: true
|
||||
---
|
||||
apiVersion: source.toolkit.fluxcd.io/v1
|
||||
kind: HelmRepository
|
||||
metadata:
|
||||
name: cert-manager
|
||||
namespace: flux-system
|
||||
spec:
|
||||
interval: 24h0m0s
|
||||
url: https://charts.jetstack.io
|
||||
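Review bot: The chart is pinned to `1.19.2` but fetched from a plain HTTPS `HelmRepository` with no integrity check beyond transport TLS; Flux supports signature verification (`spec.verify`) only for OCI sources, so if the cert-manager chart is also published as a signed OCI artifact (I believe under `quay.io/jetstack/charts`), switching the `HelmRepository` to `type: oci` and adding `verify: {provider: cosign}` under `chart.spec` would give this bootstrap a provenance check instead of trusting the registry host. Separately, `retries: -1` on both install and upgrade remediation makes a broken chart loop forever, so the only bound on a stuck CI job is whatever timeout `wait-for-helmreleases` (outside this diff) applies; a finite count such as `retries: 3` fails fast and surfaces the error. `serviceAccountName: kustomize-controller` runs the release under the Flux kustomize-controller identity, which in a default bootstrap is highly privileged — fine for a throwaway kind cluster, but worth a one-line comment so the manifest is not copied into a real environment unchanged.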