feat: convert cert-manager to use service account tokens rather than kiam, version bump of cert-manager

2021-06-30 12:34:02 +02:00 · 2021-06-30 12:34:02 +02:00 · 09cc9e25cc
commit 09cc9e25cc
parent bab6c90185
3 changed files with 28 additions and 15 deletions
--- a/charts/kubezero-cert-manager/Chart.yaml
+++ b/charts/kubezero-cert-manager/Chart.yaml
@ -2,20 +2,20 @@ apiVersion: v2
 name: kubezero-cert-manager
 description: KubeZero Umbrella Chart for cert-manager
 type: application
-version: 0.5.0
+version: 0.6.1
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:
  - kubezero
  - cert-manager
 maintainers:
-  - name: Quarky9
+
 dependencies:
  - name: kubezero-lib
    version: ">= 0.1.3"
    repository: https://zero-down-time.github.io/kubezero/
  - name: cert-manager
-    version: 1.2.0
-    repository: https://charts.jetstack.io
+    version: 1.4.0
    condition: cert-manager.enabled
+    repository: https://charts.jetstack.io
 kubeVersion: ">= 1.18.0"
--- a/charts/kubezero-cert-manager/README.md
+++ b/charts/kubezero-cert-manager/README.md
@ -1,24 +1,18 @@
 # kubezero-cert-manager

-![Version: 0.5.0](https://img.shields.io/badge/Version-0.5.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.6.1](https://img.shields.io/badge/Version-0.6.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)

 KubeZero Umbrella Chart for cert-manager

 **Homepage:** <https://kubezero.com>

-## Maintainers
-
-| Name | Email | Url |
-| ---- | ------ | --- |
-| Quarky9 |  |  |
-
 ## Requirements

 Kubernetes: `>= 1.18.0`

 | Repository | Name | Version |
 |------------|------|---------|
-| https://charts.jetstack.io | cert-manager | 1.2.0 |
+| https://charts.jetstack.io | cert-manager | 1.4.0 |
 | https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 |

 ## AWS - IAM Role
@ -44,7 +38,6 @@ If your resolvers need additional sercrets like CloudFlare API tokens etc. make
 | cert-manager.ingressShim.defaultIssuerKind | string | `"ClusterIssuer"` |  |
 | cert-manager.ingressShim.defaultIssuerName | string | `"letsencrypt-dns-prod"` |  |
 | cert-manager.nodeSelector."node-role.kubernetes.io/master" | string | `""` |  |
-| cert-manager.podAnnotations | object | `{}` |  |
 | cert-manager.prometheus.servicemonitor.enabled | bool | `false` |  |
 | cert-manager.tolerations[0].effect | string | `"NoSchedule"` |  |
 | cert-manager.tolerations[0].key | string | `"node-role.kubernetes.io/master"` |  |
--- a/charts/kubezero-cert-manager/values.yaml
+++ b/charts/kubezero-cert-manager/values.yaml
@ -23,8 +23,28 @@ cert-manager:
    leaderElection:
      namespace: "cert-manager"

-  podAnnotations: {}
-  #   iam.amazonaws.com/role: ""
+  # On AWS enable Projected Service Accounts to assume IAM role
+  #extraEnv:
+  #- name: AWS_ROLE_ARN
+  #  value: "<cert-manager IAM ROLE ARN>"
+  #- name: AWS_WEB_IDENTITY_TOKEN_FILE
+  #  value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
+  #- name: AWS_STS_REGIONAL_ENDPOINTS
+  #  value: regional
+
+  #volumes:
+  #- name: aws-token
+  #  projected:
+  #    sources:
+  #    - serviceAccountToken:
+  #        path: token
+  #        expirationSeconds: 86400
+  #        audience: "sts.amazonaws.com"
+
+  #volumeMounts:
+  #- name: aws-token
+  #  mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/"
+  #  readOnly: true

  tolerations:
  - key: node-role.kubernetes.io/master