From 6f081c955a306617912e03f2835dc4cd1744d4e8 Mon Sep 17 00:00:00 2001 From: Stefan Reimer Date: Sun, 14 Jun 2020 17:59:56 +0100 Subject: [PATCH] Revert annotations for cert-manager, enable selfheal for cert-manager to work around bootstrap issues --- charts/kubezero-app/Chart.yaml | 2 +- charts/kubezero-app/README.md | 2 +- charts/kubezero-app/templates/_app.yaml | 4 +++- .../kubezero-app/templates/cert-manager.yaml | 2 +- charts/kubezero-cert-manager/README.md | 16 ++++++++++++--- charts/kubezero-cert-manager/README.md.gotmpl | 20 +++++++++++++++++++ .../templates/cluster-ca.yaml | 8 -------- charts/kubezero-cert-manager/values.yaml | 6 +++--- 8 files changed, 42 insertions(+), 18 deletions(-) create mode 100644 charts/kubezero-cert-manager/README.md.gotmpl diff --git a/charts/kubezero-app/Chart.yaml b/charts/kubezero-app/Chart.yaml index 764eeb8..2522dde 100644 --- a/charts/kubezero-app/Chart.yaml +++ b/charts/kubezero-app/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: kubezero-app description: KubeZero ArgoCD Application - Root chart of the KubeZero type: application -version: 0.2.3 +version: 0.2.4 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png keywords: diff --git a/charts/kubezero-app/README.md b/charts/kubezero-app/README.md index 479f387..836c8f5 100644 --- a/charts/kubezero-app/README.md +++ b/charts/kubezero-app/README.md @@ -2,7 +2,7 @@ kubezero-app ============ KubeZero ArgoCD Application - Root chart of the KubeZero -Current chart version is `0.2.2` +Current chart version is `0.2.4` Source code can be found [here](https://kubezero.com) diff --git a/charts/kubezero-app/templates/_app.yaml b/charts/kubezero-app/templates/_app.yaml index 1734694..2a59e75 100644 --- a/charts/kubezero-app/templates/_app.yaml +++ b/charts/kubezero-app/templates/_app.yaml @@ -35,5 +35,7 @@ spec: syncPolicy: automated: prune: true - selfHeal: false + {{- if .selfheal }} + selfHeal: true + {{- end }} {{- end }} 
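Review bot: The new `{{- if .selfheal }}` block renders nothing when the caller does not pass `selfheal`, so the Application now relies on ArgoCD's default (currently false) instead of the explicit `selfHeal: false` the removed line produced; adding `{{- else }}` / `selfHeal: false` before the closing `{{- end }}` keeps the rendered spec explicit and immune to a default change. Note also that a Go template `if` treats any non-empty string as true, so a caller passing `"selfheal" "false"` would still enable self-heal — the only caller visible in this patch passes the string `"true"`. The `kubezero-app.app` define that encloses this hunk starts outside it.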
diff --git a/charts/kubezero-app/templates/cert-manager.yaml b/charts/kubezero-app/templates/cert-manager.yaml index b744db8..afc8981 100644 --- a/charts/kubezero-app/templates/cert-manager.yaml +++ b/charts/kubezero-app/templates/cert-manager.yaml @@ -1,5 +1,5 @@ {{- if index .Values "cert-manager" "enabled" }} -{{ template "kubezero-app.app" dict "root" . "name" "cert-manager" "type" "helm" "namespace" "cert-manager" }} +{{ template "kubezero-app.app" dict "root" . "name" "cert-manager" "type" "helm" "namespace" "cert-manager" "selfheal" "true" }} --- apiVersion: v1 kind: Namespace diff --git a/charts/kubezero-cert-manager/README.md b/charts/kubezero-cert-manager/README.md index 8027bbf..15f0d8d 100644 --- a/charts/kubezero-cert-manager/README.md +++ b/charts/kubezero-cert-manager/README.md @@ -2,7 +2,7 @@ kubezero-cert-manager ===================== KubeZero Umbrella Chart for cert-manager -Current chart version is `0.3.3` +Current chart version is `0.3.4` Source code can be found [here](https://kubezero.com) @@ -10,9 +10,19 @@ Source code can be found [here](https://kubezero.com) | Repository | Name | Version | |------------|------|---------| -| https://charts.jetstack.io | cert-manager | 0.15.0 | +| https://charts.jetstack.io | cert-manager | 0.15.1 | | https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.1 | +## AWS - IAM Role +If you use kiam or kube2iam and restrict access on nodes running cert-manager please adjust: +``` +cert-manager.podAnnotations: + iam.amazonaws.com/role: +``` + +## Resolver Secrets +If your resolvers need additional sercrets like CloudFlare API tokens etc. make sure to provide these secrets separatly matching your defined issuers. + ## Chart Values | Key | Type | Default | Description | 
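Review bot: `"selfheal" "true"` passes a string, and the consuming `_app.yaml` template only checks `.selfheal` for truthiness, so the value reads like a boolean but cannot be switched off with `"false"`; pass the Go boolean instead, `"selfheal" true`, so a future `"selfheal" false` behaves as a reader expects. Since this is the one application where self-heal is turned on, a short template comment would help the next maintainer, e.g. `{{/* selfHeal: worked around cert-manager bootstrap issues (see commit); ArgoCD re-syncs instead of staying OutOfSync */}}` — the commit message only says "bootstrap issues", so confirm the wording. With `prune: true` and self-heal together, any manual change to cert-manager resources is reverted on the next reconciliation, which is worth stating in that comment as well.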
@@ -25,7 +35,7 @@ Source code can be found [here](https://kubezero.com)
 | cert-manager.ingressShim.defaultIssuerName | string | `"letsencrypt-dns-prod"` | |
 | cert-manager.installCRDs | bool | `true` | |
 | cert-manager.nodeSelector."node-role.kubernetes.io/master" | string | `""` | |
-| cert-manager.podAnnotations."iam.amazonaws.com/role" | string | `""` | IAM role ARN the cert-manager might use via kiam eg."arn:aws:iam::123456789012:role/certManagerRoleArn" |
+| cert-manager.podAnnotations | object | `{}` | "iam.amazonaws.com/roleIAM:" role ARN the cert-manager might use via kiam eg."arn:aws:iam::123456789012:role/certManagerRoleArn" |
 | cert-manager.prometheus.servicemonitor.enabled | bool | `false` | |
 | cert-manager.tolerations[0].effect | string | `"NoSchedule"` | |
 | cert-manager.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
diff --git a/charts/kubezero-cert-manager/README.md.gotmpl b/charts/kubezero-cert-manager/README.md.gotmpl
new file mode 100644
index 0000000..229df43
--- /dev/null
+++ b/charts/kubezero-cert-manager/README.md.gotmpl
@@ -0,0 +1,20 @@
+{{ template "chart.header" . }}
+{{ template "chart.description" . }}
+
+{{ template "chart.versionLine" . }}
+
+{{ template "chart.sourceLinkLine" . }}
+
+{{ template "chart.requirementsSection" . }}
+
+## AWS - IAM Role
+If you use kiam or kube2iam and restrict access on nodes running cert-manager please adjust:
+```
+cert-manager.podAnnotations:
+ iam.amazonaws.com/role:
+```
+
+## Resolver Secrets
+If your resolvers need additional sercrets like CloudFlare API tokens etc. make sure to provide these secrets separatly matching your defined issuers.
+
+{{ template "chart.valuesSection" . }}
diff --git a/charts/kubezero-cert-manager/templates/cluster-ca.yaml b/charts/kubezero-cert-manager/templates/cluster-ca.yaml
index 91acb06..f5f70b0 100644
--- a/charts/kubezero-cert-manager/templates/cluster-ca.yaml
+++ b/charts/kubezero-cert-manager/templates/cluster-ca.yaml
@@ -9,8 +9,6 @@ metadata:
 namespace: kube-system
 labels:
 {{ include "kubezero-lib.labels" . | indent 4 }}
- annotations:
- "helm.sh/hook": "post-install"
 spec:
 selfSigned: {}
 ---
@@ -21,8 +19,6 @@ metadata:
 namespace: kube-system
 labels:
 {{ include "kubezero-lib.labels" . | indent 4 }}
- annotations:
- "helm.sh/hook": "post-install"
 spec:
 secretName: kubezero-ca-tls
 commonName: "kubezero-local-ca"
@@ -41,8 +37,6 @@ metadata:
 namespace: kube-system
 labels:
 {{ include "kubezero-lib.labels" . | indent 4 }}
- annotations:
- "helm.sh/hook": "post-install"
 data:
 tls.crt: {{ .Values.localCA.ca.crt | b64enc }}
 tls.key: {{ .Values.localCA.ca.key | b64enc }}
@@ -56,8 +50,6 @@ metadata:
 namespace: kube-system
 labels:
 {{ include "kubezero-lib.labels" . | indent 4 }}
- annotations:
- "helm.sh/hook": "post-install"
 spec:
 ca:
 secretName: kubezero-ca-tls
diff --git a/charts/kubezero-cert-manager/values.yaml b/charts/kubezero-cert-manager/values.yaml
index e8b6eec..b14b4b9 100644
--- a/charts/kubezero-cert-manager/values.yaml
+++ b/charts/kubezero-cert-manager/values.yaml
@@ -45,6 +45,6 @@ cert-manager:
 prometheus:
 servicemonitor:
 enabled: false
- # cert-manager.podAnnotations."iam.amazonaws.com/role" -- IAM role ARN the cert-manager might use via kiam eg."arn:aws:iam::123456789012:role/certManagerRoleArn"
- podAnnotations:
- iam.amazonaws.com/role: ""
+ # cert-manager.podAnnotations -- "iam.amazonaws.com/roleIAM:" role ARN the cert-manager might use via kiam eg."arn:aws:iam::123456789012:role/certManagerRoleArn"
+ podAnnotations: {}
+ # iam.amazonaws.com/role: ""
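Review bot: The third cluster-ca.yaml hunk renders `tls.key` from `.Values.localCA.ca.key`, so the cluster CA private key enters through Helm values, and with the `helm.sh/hook: post-install` annotation removed this Secret is now an ordinary tracked resource rather than a one-shot hook. Combined with the self-heal enabled for this application elsewhere in the patch, ArgoCD will presumably diff the Secret continuously and revert any key rotated in-cluster back to the values copy, making the values file the effective key store. The chart does not show where `localCA.ca.key` comes from; please document next to it in `values.yaml` that it must be supplied from an encrypted source and never committed in plaintext, e.g. `# localCA.ca.key -- cluster CA private key; supply via an encrypted values source (SOPS/sealed/secret manager), never plaintext in git`. The `kind` lines of these resources sit outside the hunks, so the resource types are inferred from their `spec`/`data` fields.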
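Review bot: The new helm-docs comment `# cert-manager.podAnnotations -- "iam.amazonaws.com/roleIAM:" role ARN ...` in values.yaml is garbled — the annotation key and the words "IAM role ARN" have been merged — and the same text is reproduced verbatim in the README table in this patch. Suggest `# cert-manager.podAnnotations -- Optional pod annotations, e.g. "iam.amazonaws.com/role" set to the IAM role ARN cert-manager assumes via kiam/kube2iam, eg. "arn:aws:iam::123456789012:role/certManagerRoleArn"`. It would also help to note that this role is presented for every DNS01 challenge cert-manager performs, so it should be scoped to the minimum the configured solver needs (for Route53, the specific hosted zone) rather than a broad DNS policy; the chart values shown here do not reveal which solver is in use, so phrase that as guidance.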