Update cert-manager for 1.26

This commit is contained in:
Stefan Reimer 2023-08-21 11:56:56 +00:00
parent 0a845f687f
commit d322ad1b03
10 changed files with 124 additions and 75 deletions


@ -3,6 +3,9 @@ set -ex
. ../../scripts/lib-update.sh . ../../scripts/lib-update.sh
login_ecr_public
update_helm
patch_chart aws-node-termination-handler patch_chart aws-node-termination-handler
patch_chart aws-eks-asg-rolling-update-handler patch_chart aws-eks-asg-rolling-update-handler


@ -18,4 +18,4 @@ dependencies:
- name: cert-manager - name: cert-manager
version: v1.12.3 version: v1.12.3
repository: https://charts.jetstack.io repository: https://charts.jetstack.io
kubeVersion: ">= 1.25.0" kubeVersion: ">= 1.26.0"


@ -1,6 +1,6 @@
# kubezero-cert-manager # kubezero-cert-manager
![Version: 0.9.4](https://img.shields.io/badge/Version-0.9.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 0.9.5](https://img.shields.io/badge/Version-0.9.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
KubeZero Umbrella Chart for cert-manager KubeZero Umbrella Chart for cert-manager
@ -14,12 +14,12 @@ KubeZero Umbrella Chart for cert-manager
## Requirements ## Requirements
Kubernetes: `>= 1.25.0` Kubernetes: `>= 1.26.0`
| Repository | Name | Version | | Repository | Name | Version |
|------------|------|---------| |------------|------|---------|
| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 | | https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 |
| https://charts.jetstack.io | cert-manager | 1.11.1 | | https://charts.jetstack.io | cert-manager | v1.12.3 |
## AWS - OIDC IAM roles ## AWS - OIDC IAM roles
@ -32,11 +32,15 @@ If your resolvers need additional sercrets like CloudFlare API tokens etc. make
| Key | Type | Default | Description | | Key | Type | Default | Description |
|-----|------|---------|-------------| |-----|------|---------|-------------|
| cert-manager.cainjector.extraArgs[0] | string | `"--logging-format=json"` | |
| cert-manager.cainjector.extraArgs[1] | string | `"--leader-elect=false"` | |
| cert-manager.cainjector.nodeSelector."node-role.kubernetes.io/control-plane" | string | `""` | | | cert-manager.cainjector.nodeSelector."node-role.kubernetes.io/control-plane" | string | `""` | |
| cert-manager.cainjector.tolerations[0].effect | string | `"NoSchedule"` | | | cert-manager.cainjector.tolerations[0].effect | string | `"NoSchedule"` | |
| cert-manager.cainjector.tolerations[0].key | string | `"node-role.kubernetes.io/control-plane"` | | | cert-manager.cainjector.tolerations[0].key | string | `"node-role.kubernetes.io/control-plane"` | |
| cert-manager.enabled | bool | `true` | | | cert-manager.enabled | bool | `true` | |
| cert-manager.extraArgs[0] | string | `"--dns01-recursive-nameservers-only"` | | | cert-manager.extraArgs[0] | string | `"--logging-format=json"` | |
| cert-manager.extraArgs[1] | string | `"--leader-elect=false"` | |
| cert-manager.extraArgs[2] | string | `"--dns01-recursive-nameservers-only"` | |
| cert-manager.global.leaderElection.namespace | string | `"cert-manager"` | | | cert-manager.global.leaderElection.namespace | string | `"cert-manager"` | |
| cert-manager.ingressShim.defaultIssuerKind | string | `"ClusterIssuer"` | | | cert-manager.ingressShim.defaultIssuerKind | string | `"ClusterIssuer"` | |
| cert-manager.ingressShim.defaultIssuerName | string | `"letsencrypt-dns-prod"` | | | cert-manager.ingressShim.defaultIssuerName | string | `"letsencrypt-dns-prod"` | |
@ -45,6 +49,7 @@ If your resolvers need additional sercrets like CloudFlare API tokens etc. make
| cert-manager.startupapicheck.enabled | bool | `false` | | | cert-manager.startupapicheck.enabled | bool | `false` | |
| cert-manager.tolerations[0].effect | string | `"NoSchedule"` | | | cert-manager.tolerations[0].effect | string | `"NoSchedule"` | |
| cert-manager.tolerations[0].key | string | `"node-role.kubernetes.io/control-plane"` | | | cert-manager.tolerations[0].key | string | `"node-role.kubernetes.io/control-plane"` | |
| cert-manager.webhook.extraArgs[0] | string | `"--logging-format=json"` | |
| cert-manager.webhook.nodeSelector."node-role.kubernetes.io/control-plane" | string | `""` | | | cert-manager.webhook.nodeSelector."node-role.kubernetes.io/control-plane" | string | `""` | |
| cert-manager.webhook.tolerations[0].effect | string | `"NoSchedule"` | | | cert-manager.webhook.tolerations[0].effect | string | `"NoSchedule"` | |
| cert-manager.webhook.tolerations[0].key | string | `"node-role.kubernetes.io/control-plane"` | | | cert-manager.webhook.tolerations[0].key | string | `"node-role.kubernetes.io/control-plane"` | |


@ -1,3 +1,4 @@
rules: rules:
- name: prometheus-rules - name: prometheus-rules
condition: 'index .Values "cert-manager" "prometheus" "servicemonitor" "enabled"'
url: file://rules/cert-manager-mixin-prometheusRule url: file://rules/cert-manager-mixin-prometheusRule
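Review bot: The new `condition` line does not say why the rules are gated, and an `index` chain through `.Values` presumably fails the template render with an "index of nil pointer" error rather than evaluating false if any intermediate key (`cert-manager`, `prometheus`, `servicemonitor`) is missing from the merged values. The chart's values.yaml does define `prometheus.servicemonitor` under `cert-manager`, so this holds as long as that default stays in place. A comment above the line would make both points explicit: `# render the PrometheusRule only when the cert-manager ServiceMonitor is enabled; the index chain relies on cert-manager.prometheus.servicemonitor existing in values.yaml`.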


@ -8,7 +8,7 @@
"subdir": "jsonnet/kube-prometheus" "subdir": "jsonnet/kube-prometheus"
} }
}, },
"version": "release-0.10" "version": "main"
}, },
{ {
"source": { "source": {
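Review bot: `"version": "main"` swaps a release branch for a moving branch on the kube-prometheus jsonnet dependency, so what `jb` resolves depends on when the update script runs; the lockfile in this commit pins a specific commit, but the new `update_jsonnet` helper in lib-update.sh deletes the lockfile before every install, so that pin does not survive the next run. If `main` is required because no release branch yet supports the Kubernetes version targeted here, that reason should be recorded and revisited, since the output is alert rules shipped into the cluster. JSON carries no comments, so the `# prometheus metrics mixin branch` comment in lib-update.sh is the place to state it: `# tracking main until a kube-prometheus release branch supports the targeted Kubernetes version; re-pin when one exists`.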


@ -8,8 +8,8 @@
"subdir": "grafana" "subdir": "grafana"
} }
}, },
"version": "199e363523104ff8b3a12483a4e3eca86372b078", "version": "5698c8940b6dadca3f42107b7839557bc041761f",
"sum": "/jDHzVAjHB4AOLkJHw1GyATX5ogZ1iMdcJXZAgaG3+g=" "sum": "l6fPvh3tW6fWot308w71QY/amrYsFPeitvz1IgJxqQA="
}, },
{ {
"source": { "source": {
@ -18,8 +18,18 @@
"subdir": "contrib/mixin" "subdir": "contrib/mixin"
} }
}, },
"version": "9d2cda4e44a26f064d8578e258bbba2fc3cd5b73", "version": "e2e17c75fe1006ea44b6ad793fa7b23f5e3546f4",
"sum": "W/Azptf1PoqjyMwJON96UY69MFugDA4IAYiKURscryc=" "sum": "GdePvMDfLQcVhwzk/Ephi/jC27ywGObLB5t0eC0lXd4="
},
{
"source": {
"git": {
"remote": "https://github.com/grafana/grafana.git",
"subdir": "grafana-mixin"
}
},
"version": "1120f9e255760a3c104b57871fcb91801e934382",
"sum": "MkjR7zCgq6MUZgjDzop574tFKoTX2OBr7DTwm1K+Ofs="
}, },
{ {
"source": { "source": {
@ -28,9 +38,19 @@
"subdir": "grafonnet" "subdir": "grafonnet"
} }
}, },
"version": "f0b70307b8e5f12236b277883d998af129a8211f", "version": "a1d61cce1da59c71409b99b5c7568511fec661ea",
"sum": "342u++/7rViR/zj2jeJOjshzglkZ1SY+hFNuyCBFMdc=" "sum": "342u++/7rViR/zj2jeJOjshzglkZ1SY+hFNuyCBFMdc="
}, },
{
"source": {
"git": {
"remote": "https://github.com/grafana/grafonnet-lib.git",
"subdir": "grafonnet-7.0"
}
},
"version": "a1d61cce1da59c71409b99b5c7568511fec661ea",
"sum": "gCtR9s/4D5fxU9aKXg0Bru+/njZhA0YjLjPiASc61FM="
},
{ {
"source": { "source": {
"git": { "git": {
@ -38,8 +58,8 @@
"subdir": "grafana-builder" "subdir": "grafana-builder"
} }
}, },
"version": "e0b90a4435817ad642d8d049e7dd975264cb960e", "version": "62aec8403a5c38d5dc97ba596703753289b1c33b",
"sum": "tDR6yT2GVfw0wTU12iZH+m01HrbIr6g/xN+/8nzNkU0=" "sum": "xEFMv4+ObwP5L1Wu0XK5agWci4AJzNApys6iKAQxLlQ="
}, },
{ {
"source": { "source": {
@ -48,18 +68,8 @@
"subdir": "" "subdir": ""
} }
}, },
"version": "ab104c5c406b91078d676475c14ab18644f84f2d", "version": "46fc905d5b2981642043088ac7902ea50db2903e",
"sum": "tRpIInEClWUNe5IS6uIjucFN/KqDFgg19+yo78VrLfU=" "sum": "8FAie1MXww5Ip9F8hQWkU9Fio1Af+hO4weQuuexioIQ="
},
{
"source": {
"git": {
"remote": "https://github.com/kubernetes-monitoring/kubernetes-mixin.git",
"subdir": "lib/promgrafonnet"
}
},
"version": "eed459199703c969afc318ea55b9361ae48180a7",
"sum": "zv7hXGui6BfHzE9wPatHI/AGZa4A2WKo6pq7ZdqBsps="
}, },
{ {
"source": { "source": {
@ -68,8 +78,8 @@
"subdir": "jsonnet/kube-state-metrics" "subdir": "jsonnet/kube-state-metrics"
} }
}, },
"version": "e080c3ce73ad514254e38dccb37c93bec6b257ae", "version": "570970378edf10655dd81e662658359eb10d9329",
"sum": "U1wzIpTAtOvC1yj43Y8PfvT0JfvnAcMfNH12Wi+ab0Y=" "sum": "+dOzAK+fwsFf97uZpjcjTcEJEC1H8hh/j8f5uIQK/5g="
}, },
{ {
"source": { "source": {
@ -78,8 +88,8 @@
"subdir": "jsonnet/kube-state-metrics-mixin" "subdir": "jsonnet/kube-state-metrics-mixin"
} }
}, },
"version": "e080c3ce73ad514254e38dccb37c93bec6b257ae", "version": "570970378edf10655dd81e662658359eb10d9329",
"sum": "u8gaydJoxEjzizQ8jY8xSjYgWooPmxw+wIWdDxifMAk=" "sum": "qclI7LwucTjBef3PkGBkKxF0mfZPbHnn4rlNWKGtR4c="
}, },
{ {
"source": { "source": {
@ -88,8 +98,8 @@
"subdir": "jsonnet/kube-prometheus" "subdir": "jsonnet/kube-prometheus"
} }
}, },
"version": "e7eff18e7e70d7f1168105521451c4d7bd6a6d96", "version": "4b5b94347dd71b3649fef612ab3b8cf237ac48b9",
"sum": "gcgf9y8wos4W8jgcJKuTDfORYDigCxx+q3QOYEijQFo=" "sum": "8AeC579AWxP6VzLTxQ/ccIrwOY0G782ZceLlWmOL5/o="
}, },
{ {
"source": { "source": {
@ -98,8 +108,8 @@
"subdir": "jsonnet/mixin" "subdir": "jsonnet/mixin"
} }
}, },
"version": "d8ba1c766a141cb35072ae2f2578ec8588c9efcd", "version": "8b947d4ff1329440a46903c16f05717b24170061",
"sum": "qZ4WgiweaE6eeKtFK60QUjLO8sf2L9Q8fgafWvDcyfY=", "sum": "n3flMIzlADeyygb0uipZ4KPp2uNSjdtkrwgHjTC7Ca4=",
"name": "prometheus-operator-mixin" "name": "prometheus-operator-mixin"
}, },
{ {
@ -109,8 +119,8 @@
"subdir": "jsonnet/prometheus-operator" "subdir": "jsonnet/prometheus-operator"
} }
}, },
"version": "d8ba1c766a141cb35072ae2f2578ec8588c9efcd", "version": "8b947d4ff1329440a46903c16f05717b24170061",
"sum": "yjdwZ+5UXL42EavJleAJmd8Ou6MSDfExvlKAxFCxXVE=" "sum": "LLGbS2uangsA5enNpZKxwdCAPZnO1Bj+W+o8Esk0QLw="
}, },
{ {
"source": { "source": {
@ -119,8 +129,8 @@
"subdir": "doc/alertmanager-mixin" "subdir": "doc/alertmanager-mixin"
} }
}, },
"version": "16fa045db47d68a09a102c7b80b8899c1f57c153", "version": "6fe1a24df07eed6f6818abd500708040beee7d7b",
"sum": "pep+dHzfIjh2SU5pEkwilMCAT/NoL6YYflV4x8cr7vU=", "sum": "1d7ZKYArJKacAWXLUz0bRC1uOkozee/PPw97/W5zGhc=",
"name": "alertmanager" "name": "alertmanager"
}, },
{ {
@ -130,8 +140,8 @@
"subdir": "docs/node-mixin" "subdir": "docs/node-mixin"
} }
}, },
"version": "a2321e7b940ddcff26873612bccdf7cd4c42b6b6", "version": "f2b274350a07bfd8afcad1a62ef561f8a303fcc2",
"sum": "MlWDAKGZ+JArozRKdKEvewHeWn8j2DNBzesJfLVd0dk=" "sum": "By6n6U10hYDogUsyhsaKZehbhzxBZZobJloiKyKadgM="
}, },
{ {
"source": { "source": {
@ -140,10 +150,20 @@
"subdir": "documentation/prometheus-mixin" "subdir": "documentation/prometheus-mixin"
} }
}, },
"version": "41f1a8125e664985dd30674e5bdf6b683eff5d32", "version": "4d8e380269da5912265274469ff873142bbbabc3",
"sum": "ZjQoYhvgKwJNkg+h+m9lW3SYjnjv5Yx5btEipLhru88=", "sum": "8OngT76gVXOUROOOeP9yTe6E/dn+2D2J34Dn690QCG0=",
"name": "prometheus" "name": "prometheus"
}, },
{
"source": {
"git": {
"remote": "https://github.com/pyrra-dev/pyrra.git",
"subdir": "config/crd/bases"
}
},
"version": "2b8c6d372d90942c3b53a9b225a82441be8c5b7b",
"sum": "L3lljFFoFB+nhXnyo8Yl1hKqe60nhHXY0IZCO3H2iVk="
},
{ {
"source": { "source": {
"git": { "git": {
@ -151,8 +171,8 @@
"subdir": "mixin" "subdir": "mixin"
} }
}, },
"version": "fb97c9a5ef51849ccb7960abbeb9581ad7f511b9", "version": "8fcd30ffcedf9e2728518dc2970d070d4c301302",
"sum": "X+060DnePPeN/87fgj0SrfxVitywTk8hZA9V4nHxl1g=", "sum": "WhheqsiX0maUXByZFsb9xhCEsGXK2955bPmPPf1x+Cs=",
"name": "thanos-mixin" "name": "thanos-mixin"
}, },
{ {


@ -1,24 +1,19 @@
#!/bin/bash #!/bin/bash
set -ex set -ex
helm dep update . ../../scripts/lib-update.sh
update_helm
update_jsonnet
# Install cert-mamanger mixin
jb install gitlab.com/uneeq-oss/cert-manager-mixin@master
# Install rules
rm -rf rules && mkdir -p rules
jsonnet -J vendor -m rules rules.jsonnet
../kubezero-metrics/sync_prometheus_rules.py cert-manager-rules.yaml templates
# Fetch dashboards from Grafana.com and update ZDT CM # Fetch dashboards from Grafana.com and update ZDT CM
../kubezero-metrics/sync_grafana_dashboards.py dashboards.yaml templates/grafana-dashboards.yaml ../kubezero-metrics/sync_grafana_dashboards.py dashboards.yaml templates/grafana-dashboards.yaml
# Get kube-mixin for alerts
which jsonnet > /dev/null || { echo "Required jsonnet not found!"; exit 1;}
which jb > /dev/null || { echo "Required jb ( json-bundler ) not found!"; exit 1;}
[ -r jsonnetfile.json ] || jb init
if [ -r jsonnetfile.lock.json ]; then
jb update
else
jb install github.com/prometheus-operator/kube-prometheus/jsonnet/kube-prometheus@release-0.10
jb install gitlab.com/uneeq-oss/cert-manager-mixin@master
fi
rm -rf rules && mkdir -p rules
jsonnet -J vendor -m rules rules.jsonnet
../kubezero-metrics/sync_prometheus_rules.py cert-manager-rules.yaml templates
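Review bot: `jb install gitlab.com/uneeq-oss/cert-manager-mixin@master` now runs on every invocation against an unpinned branch of a third-party repository, and because the new `update_jsonnet` helper removes `jsonnetfile.lock.json` first, the alert rules regenerated under `rules/` reflect whatever `master` is at run time — the old script only installed when no lockfile existed and otherwise ran `jb update`. For a mixin that ends up as PrometheusRule objects in the cluster, pin it to a reviewed commit, `jb install gitlab.com/uneeq-oss/cert-manager-mixin@<commit-sha>`, and inspect the lockfile diff when bumping. The comment above that line also misspells the project name; `# Install cert-manager mixin`.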


@ -23,6 +23,13 @@ cert-manager:
leaderElection: leaderElection:
namespace: "cert-manager" namespace: "cert-manager"
extraArgs:
- "--logging-format=json"
- "--leader-elect=false"
- "--dns01-recursive-nameservers-only"
# When this flag is enabled, secrets will be automatically removed when the certificate resource is deleted
# - --enable-certificate-owner-ref=true
#enableCertificateOwnerRef: true #enableCertificateOwnerRef: true
# On AWS enable Projected Service Accounts to assume IAM role # On AWS enable Projected Service Accounts to assume IAM role
@ -64,6 +71,8 @@ cert-manager:
effect: NoSchedule effect: NoSchedule
nodeSelector: nodeSelector:
node-role.kubernetes.io/control-plane: "" node-role.kubernetes.io/control-plane: ""
extraArgs:
- "--logging-format=json"
cainjector: cainjector:
tolerations: tolerations:
@ -71,11 +80,9 @@ cert-manager:
effect: NoSchedule effect: NoSchedule
nodeSelector: nodeSelector:
node-role.kubernetes.io/control-plane: "" node-role.kubernetes.io/control-plane: ""
extraArgs:
extraArgs: - "--logging-format=json"
- "--dns01-recursive-nameservers-only" - "--leader-elect=false"
# When this flag is enabled, secrets will be automatically removed when the certificate resource is deleted
# - --enable-certificate-owner-ref=true
prometheus: prometheus:
servicemonitor: servicemonitor:
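Review bot: `--leader-elect=false` in the controller and cainjector `extraArgs` turns off leader election, which is only safe while each component runs as a single replica; with two replicas both instances would actively reconcile the same Certificate and Order resources and write the same Secrets. Nothing in this hunk pins the replica count, so the constraint belongs next to the flag: `# leader election disabled: these components MUST stay at one replica`. The `global.leaderElection.namespace` value kept just above presumably becomes a no-op once election is off and could be dropped or annotated to avoid confusion. `--dns01-recursive-nameservers-only` is listed without `--dns01-recursive-nameservers`, which I take to mean the pod's own resolvers are used for propagation checks — a one-line comment would spare the next reader the lookup.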


@ -38,7 +38,7 @@ network:
cert-manager: cert-manager:
enabled: false enabled: false
namespace: cert-manager namespace: cert-manager
targetRevision: 0.9.4 targetRevision: 0.9.5
storage: storage:
enabled: false enabled: false


@ -1,15 +1,33 @@
#!/bin/bash #!/bin/bash
set -ex set -ex
#helm repo update # prometheus metrics mixin branch
# https://github.com/prometheus-operator/kube-prometheus#compatibility
KUBE_PROMETHEUS_RELEASE=main
update_jsonnet() {
which jsonnet > /dev/null || { echo "Required jsonnet not found!"; exit 1;}
which jb > /dev/null || { echo "Required jb ( json-bundler ) not found!"; exit 1;}
# remove previous versions
rm -f jsonnetfile.json jsonnetfile.lock.json
jb init
jb install github.com/prometheus-operator/kube-prometheus/jsonnet/kube-prometheus@main
}
update_helm() {
#helm repo update
helm dep update
}
# AWS public ECR # AWS public ECR
aws ecr-public get-login-password \ login_ecr_public() {
--region us-east-1 | helm registry login \ aws ecr-public get-login-password \
--username AWS \ --region us-east-1 | helm registry login \
--password-stdin public.ecr.aws --username AWS \
--password-stdin public.ecr.aws
helm dep update }
patch_chart() { patch_chart() {
CHART=$1 CHART=$1
@ -20,7 +38,7 @@ patch_chart() {
tar xfvz charts/$CHART-$VERSION.tgz -C charts && rm charts/$CHART-$VERSION.tgz tar xfvz charts/$CHART-$VERSION.tgz -C charts && rm charts/$CHART-$VERSION.tgz
# diff -tuNr charts/aws-node-termination-handler.orig charts/aws-node-termination-handler > nth.patch # diff -tuNr charts/aws-node-termination-handler.orig charts/aws-node-termination-handler > nth.patch
patch -p0 -i $CHART.patch --no-backup-if-mismatch [ -r $CHART.patch ] && patch -p0 -i $CHART.patch --no-backup-if-mismatch
} }
update_docs() { update_docs() {
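Review bot: `[ -r $CHART.patch ] && patch ...` is the last command in `patch_chart`, so for a chart without a patch file the function returns 1 and, since the calling update scripts run under `set -ex`, the caller aborts instead of skipping the patch step; `$CHART` is also unquoted. An explicit conditional makes a missing patch a clean no-op: `if [ -r "$CHART.patch" ]; then patch -p0 -i "$CHART.patch" --no-backup-if-mismatch; fi`. In the first hunk, `KUBE_PROMETHEUS_RELEASE=main` is declared with a comment pointing at the compatibility matrix, but `update_jsonnet` hard-codes `@main` on its `jb install` line, so changing the variable has no effect — use `@${KUBE_PROMETHEUS_RELEASE}` there. `update_docs` continues outside the hunk.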