From 6cd4aa4544f6cdb2c0fba498438371401720d642 Mon Sep 17 00:00:00 2001 From: Matteo Ruina Date: Mon, 30 May 2022 12:16:31 +0200 Subject: [PATCH 01/24] Add github actions to test and lint charts --- .github/workflows/e2e.yaml | 3 +- .github/workflows/helm.yml | 78 ++++++++++++++++++++++++++++++++++++++ ct.yaml | 5 +++ 3 files changed, 85 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/helm.yml create mode 100644 ct.yaml diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml index c34f54e..e40342a 100644 --- a/.github/workflows/e2e.yaml +++ b/.github/workflows/e2e.yaml @@ -10,6 +10,7 @@ jobs: runs-on: ubuntu-latest env: IMG: skyscanner/kms-issuer:dev + CERT_MANAGER_VERSION: v1.8.0 steps: - uses: actions/checkout@v3.0.2 @@ -36,7 +37,7 @@ jobs: run: kubectl wait --for=condition=Ready -l app=local-kms -n local-kms pod - name: Install cert-manager - run: kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.8.0/cert-manager.yaml + run: kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/${CERT_MANAGER_VERSION}/cert-manager.yaml - name: Install kms-issuer CRDs run: make install diff --git a/.github/workflows/helm.yml b/.github/workflows/helm.yml new file mode 100644 index 0000000..199b804 --- /dev/null +++ b/.github/workflows/helm.yml 
@@ -0,0 +1,78 @@ +name: Test Helm Chart + +on: + push: + branches: + - main + pull_request: + +jobs: + test-build: + name: test-helm-chart + runs-on: ubuntu-latest + env: + IMG: skyscanner/kms-issuer:dev + CERT_MANAGER_VERSION: v1.8.0 + + steps: + - name: Checkout + uses: actions/checkout@v3.0.2 + + - name: Set up Helm + uses: azure/setup-helm@v2.1 + with: + version: v3.5.2 + + # Python is required because `ct lint` runs Yamale (https://github.com/23andMe/Yamale) and + # yamllint (https://github.com/adrienverge/yamllint) which require Python + - uses: actions/setup-python@v3.1.2 + with: + python-version: '3.x' + + - name: Set up chart-testing + uses: helm/chart-testing-action@v2.2.1 + with: + version: v3.3.0 + + - name: Run chart-testing (list-changed) + id: list-changed + run: | + changed=$(ct list-changed --config ct.yaml) + if [[ -n "$changed" ]]; then + echo "::set-output name=changed::true" + fi + + - name: Run chart-testing (lint) + run: ct lint --config ct.yaml + if: steps.list-changed.outputs.changed == 'true' + + - name: Create k8s Kind Cluster + uses: helm/kind-action@v1.2.0 + with: + cluster_name: kind + if: steps.list-changed.outputs.changed == 'true' + + - name: Install cert-manager + run: kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/${CERT_MANAGER_VERSION}/cert-manager.yaml + if: steps.list-changed.outputs.changed == 'true' + + - name: Build the testing kms-issuer docker image + run: docker build -t ${IMG} . + if: steps.list-changed.outputs.changed == 'true' + + - name: Load test docker image into the kind cluster + run: kind load docker-image ${IMG} + if: steps.list-changed.outputs.changed == 'true' + + - name: Run chart-testing (install) + run: ct install --config ct.yaml + if: steps.list-changed.outputs.changed == 'true' + + helm-docs: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v3.0.2 + + - name: Run helm-docs + uses: docker://jnorwood/helm-docs:v1.10.0 
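Review bot: The workflow declares no `permissions:` block, so on `pull_request` the job's GITHUB_TOKEN inherits the repository default (which may be read/write) while nothing here needs more than reading the checkout; add `permissions: { contents: read }` at the top level. Every action is pinned to a mutable tag (`actions/checkout@v3.0.2`, `helm/kind-action@v1.2.0`, `docker://jnorwood/helm-docs:v1.10.0`) rather than a commit SHA or image digest, and the cert-manager manifest is `kubectl apply`'d straight from a release URL with no checksum, so a moved tag or replaced asset silently changes what CI runs. `echo "::set-output name=changed::true"` is the deprecated output mechanism; `echo "changed=true" >> "$GITHUB_OUTPUT"` is the supported form.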
diff --git a/ct.yaml b/ct.yaml new file mode 100644 index 0000000..063d64c --- /dev/null +++ b/ct.yaml @@ -0,0 +1,5 @@ + +chart-dirs: + - charts +target-branch: main +upgrade: true \ No newline at end of file From 8f409a572ca0d31da082a816952030bf47bf5f54 Mon Sep 17 00:00:00 2001 From: Matteo Ruina Date: Mon, 30 May 2022 12:58:15 +0200 Subject: [PATCH 02/24] Add helm chart --- .github/workflows/helm.yml | 4 +- charts/kms-issuer/.helmignore | 23 ++++++ charts/kms-issuer/Chart.yaml | 24 ++++++ charts/kms-issuer/templates/_helpers.tpl | 62 ++++++++++++++ charts/kms-issuer/templates/deployment.yaml | 61 ++++++++++++++ charts/kms-issuer/templates/hpa.yaml | 28 +++++++ charts/kms-issuer/templates/ingress.yaml | 61 ++++++++++++++ charts/kms-issuer/templates/service.yaml | 15 ++++ .../kms-issuer/templates/serviceaccount.yaml | 12 +++ charts/kms-issuer/values.yaml | 82 +++++++++++++++++++ 10 files changed, 371 insertions(+), 1 deletion(-) create mode 100644 charts/kms-issuer/.helmignore create mode 100644 charts/kms-issuer/Chart.yaml create mode 100644 charts/kms-issuer/templates/_helpers.tpl create mode 100644 charts/kms-issuer/templates/deployment.yaml create mode 100644 charts/kms-issuer/templates/hpa.yaml create mode 100644 charts/kms-issuer/templates/ingress.yaml create mode 100644 charts/kms-issuer/templates/service.yaml create mode 100644 charts/kms-issuer/templates/serviceaccount.yaml create mode 100644 charts/kms-issuer/values.yaml diff --git a/.github/workflows/helm.yml b/.github/workflows/helm.yml index 199b804..819b931 100644 --- a/.github/workflows/helm.yml +++ b/.github/workflows/helm.yml @@ -12,6 +12,8 @@ jobs: runs-on: ubuntu-latest env: IMG: skyscanner/kms-issuer:dev + REPOSITORY: skyscanner/kms-issuer + TAG: dev CERT_MANAGER_VERSION: v1.8.0 steps: 
@@ -65,7 +67,7 @@ jobs: if: steps.list-changed.outputs.changed == 'true' - name: Run chart-testing (install) - run: ct install --config ct.yaml + run: ct install --config ct.yaml --helm-extra-set-args "--set=img.repository=${REPOSITORY},--set=img.tag=${TAG}" if: steps.list-changed.outputs.changed == 'true' helm-docs: diff --git a/charts/kms-issuer/.helmignore b/charts/kms-issuer/.helmignore new file mode 100644 index 0000000..0e8a0eb --- /dev/null +++ b/charts/kms-issuer/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/kms-issuer/Chart.yaml b/charts/kms-issuer/Chart.yaml new file mode 100644 index 0000000..83c20d1 --- /dev/null +++ b/charts/kms-issuer/Chart.yaml 
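Review bot: `--set=img.repository=${REPOSITORY},--set=img.tag=${TAG}` writes keys under `img.*`, but the chart added in this same commit reads `.Values.image.repository` and `.Values.image.tag`, so the override is silently ignored and `ct install` will pull `ghcr.io/skyscanner/kms-issuer:v2.0.0` instead of the `:dev` image just loaded into kind. The line should read `--helm-extra-set-args "--set=image.repository=${REPOSITORY},--set=image.tag=${TAG}"`. Helm accepts unknown value keys without complaint; a `values.schema.json` with `additionalProperties: false` would have caught this.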
@@ -0,0 +1,24 @@ +apiVersion: v2 +name: kms-issuer +description: A Helm chart to install kms-issuer + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 0.1.0 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +# It is recommended to use it with quotes. +appVersion: "v2.0.0" diff --git a/charts/kms-issuer/templates/_helpers.tpl b/charts/kms-issuer/templates/_helpers.tpl new file mode 100644 index 0000000..5acff6b --- /dev/null +++ b/charts/kms-issuer/templates/_helpers.tpl 
@@ -0,0 +1,62 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "kms-issuer.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "kms-issuer.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "kms-issuer.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "kms-issuer.labels" -}} +helm.sh/chart: {{ include "kms-issuer.chart" . }} +{{ include "kms-issuer.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "kms-issuer.selectorLabels" -}} +app.kubernetes.io/name: {{ include "kms-issuer.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "kms-issuer.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "kms-issuer.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} 
diff --git a/charts/kms-issuer/templates/deployment.yaml b/charts/kms-issuer/templates/deployment.yaml new file mode 100644 index 0000000..1e23357 --- /dev/null +++ b/charts/kms-issuer/templates/deployment.yaml @@ -0,0 +1,61 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "kms-issuer.fullname" . }} + labels: + {{- include "kms-issuer.labels" . | nindent 4 }} +spec: + {{- if not .Values.autoscaling.enabled }} + replicas: {{ .Values.replicaCount }} + {{- end }} + selector: + matchLabels: + {{- include "kms-issuer.selectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "kms-issuer.selectorLabels" . | nindent 8 }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "kms-issuer.serviceAccountName" . }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + containers: + - name: {{ .Chart.Name }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + ports: + - name: http + containerPort: 80 + protocol: TCP + livenessProbe: + httpGet: + path: / + port: http + readinessProbe: + httpGet: + path: / + port: http + resources: + {{- toYaml .Values.resources | nindent 12 }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/charts/kms-issuer/templates/hpa.yaml b/charts/kms-issuer/templates/hpa.yaml new file mode 100644 index 0000000..10ce590 --- /dev/null +++ b/charts/kms-issuer/templates/hpa.yaml 
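Review bot: The container exposes `containerPort: 80` and both probes hit `GET /` on it, which is the `helm create` web-service scaffold rather than anything this controller serves as far as the diff shows, so the pod would never become Ready (the later rewrite in this series probes `/healthz` on 8081). Both `securityContext` blocks render from values that default to `{}`, so the issuer — a process that holds KMS signing credentials — runs with no hardening unless an operator opts in; consider rendering `allowPrivilegeEscalation: false` and `runAsNonRoot: true` unconditionally and merging values on top.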
@@ -0,0 +1,28 @@ +{{- if .Values.autoscaling.enabled }} +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "kms-issuer.fullname" . }} + labels: + {{- include "kms-issuer.labels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "kms-issuer.fullname" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} +{{- end }} diff --git a/charts/kms-issuer/templates/ingress.yaml b/charts/kms-issuer/templates/ingress.yaml new file mode 100644 index 0000000..3a3c75d --- /dev/null +++ b/charts/kms-issuer/templates/ingress.yaml 
@@ -0,0 +1,61 @@ +{{- if .Values.ingress.enabled -}} +{{- $fullName := include "kms-issuer.fullname" . -}} +{{- $svcPort := .Values.service.port -}} +{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }} + {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }} + {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}} + {{- end }} +{{- end }} +{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: networking.k8s.io/v1 +{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: networking.k8s.io/v1beta1 +{{- else -}} +apiVersion: extensions/v1beta1 +{{- end }} +kind: Ingress +metadata: + name: {{ $fullName }} + labels: + {{- include "kms-issuer.labels" . | nindent 4 }} + {{- with .Values.ingress.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }} + ingressClassName: {{ .Values.ingress.className }} + {{- end }} + {{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} + {{- end }} + rules: + {{- range .Values.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range .paths }} + - path: {{ .path }} + {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }} + pathType: {{ .pathType }} + {{- end }} + backend: + {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }} + service: + name: {{ $fullName }} + port: + number: {{ $svcPort }} + {{- else }} + serviceName: {{ $fullName }} + servicePort: {{ $svcPort }} + {{- end }} + {{- end }} + {{- end }} +{{- end }} 
diff --git a/charts/kms-issuer/templates/service.yaml b/charts/kms-issuer/templates/service.yaml new file mode 100644 index 0000000..55459b7 --- /dev/null +++ b/charts/kms-issuer/templates/service.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "kms-issuer.fullname" . }} + labels: + {{- include "kms-issuer.labels" . | nindent 4 }} +spec: + type: {{ .Values.service.type }} + ports: + - port: {{ .Values.service.port }} + targetPort: http + protocol: TCP + name: http + selector: + {{- include "kms-issuer.selectorLabels" . | nindent 4 }} diff --git a/charts/kms-issuer/templates/serviceaccount.yaml b/charts/kms-issuer/templates/serviceaccount.yaml new file mode 100644 index 0000000..e1befb4 --- /dev/null +++ b/charts/kms-issuer/templates/serviceaccount.yaml @@ -0,0 +1,12 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "kms-issuer.serviceAccountName" . }} + labels: + {{- include "kms-issuer.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/kms-issuer/values.yaml b/charts/kms-issuer/values.yaml new file mode 100644 index 0000000..44f6897 --- /dev/null +++ b/charts/kms-issuer/values.yaml 
@@ -0,0 +1,82 @@ +# Default values for kms-issuer. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +replicaCount: 1 + +image: + repository: ghcr.io/skyscanner/kms-issuer + pullPolicy: IfNotPresent + # Overrides the image tag whose default is the chart appVersion. + tag: "" + +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + +serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + +podAnnotations: {} + +podSecurityContext: {} + # fsGroup: 2000 + +securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + +service: + type: ClusterIP + port: 80 + +ingress: + enabled: false + className: "" + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + hosts: + - host: chart-example.local + paths: + - path: / + pathType: ImplementationSpecific + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + +resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + +nodeSelector: {} + +tolerations: [] + +affinity: {} From c6f7a35f866e3f0f9cf1b7411024e9ffbcad60dd Mon Sep 17 00:00:00 2001 
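Review bot: `podSecurityContext: {}` and `securityContext: {}` leave the hardening only as commented-out hints, so the default install runs the manager as whatever the image's USER is, with all capabilities and privilege escalation permitted; for a component that signs certificates with a KMS key the safe defaults should be on and the operator should have to opt out. The values below are the usual baseline; `readOnlyRootFilesystem` assumes the binary does not write to disk, which this diff does not show — confirm before enabling. `autoscaling.maxReplicas: 100` is also misleading for a leader-elected controller, where extra replicas only stand by.
```yaml
podSecurityContext:
  runAsNonRoot: true
  seccompProfile:
    type: RuntimeDefault

securityContext:
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
  capabilities:
    drop:
      - ALL
```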
From: Matteo Ruina Date: Mon, 30 May 2022 13:15:22 +0200 Subject: [PATCH 03/24] Fix linting in helm action --- .github/workflows/helm.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/helm.yml b/.github/workflows/helm.yml index 819b931..a4aba6b 100644 --- a/.github/workflows/helm.yml +++ b/.github/workflows/helm.yml @@ -19,6 +19,12 @@ jobs: steps: - name: Checkout uses: actions/checkout@v3.0.2 + with: + fetch-depth: 0 + + - uses: actions/setup-go@v3 + with: + go-version: 1.17 - name: Set up Helm uses: azure/setup-helm@v2.1 From b2abbe929d328a9fa14284421149b6e27df319fb Mon Sep 17 00:00:00 2001 From: Matteo Ruina Date: Mon, 30 May 2022 13:59:40 +0200 Subject: [PATCH 04/24] Add maintainers --- .github/workflows/helm.yml | 6 ++---- charts/kms-issuer/Chart.yaml | 7 +++++++ 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/.github/workflows/helm.yml b/.github/workflows/helm.yml index a4aba6b..b03d930 100644 --- a/.github/workflows/helm.yml +++ b/.github/workflows/helm.yml @@ -1,10 +1,8 @@ -name: Test Helm Chart +name: Helm Chart Tests on: - push: - branches: - - main pull_request: + workflow_dispatch: jobs: test-build: diff --git a/charts/kms-issuer/Chart.yaml b/charts/kms-issuer/Chart.yaml index 83c20d1..003bec2 100644 --- a/charts/kms-issuer/Chart.yaml +++ b/charts/kms-issuer/Chart.yaml @@ -22,3 +22,10 @@ version: 0.1.0 # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. appVersion: "v2.0.0" + +keywords: + - cert-manager + - kubernetes + - kms +maintainers: + - name: maruina From 4cafbf261e4cd964f1bcc3961483e8e443c50160 Mon Sep 17 00:00:00 2001 From: Matteo Ruina Date: Mon, 30 May 2022 14:31:17 +0200 Subject: [PATCH 05/24] Update ct --- .github/workflows/helm.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/helm.yml b/.github/workflows/helm.yml index b03d930..144525b 100644 --- a/.github/workflows/helm.yml 
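Review bot: `actions/setup-go@v3` is pinned to a floating major tag while every other action in this file is pinned to an exact release, and `go-version: 1.17` is an unquoted YAML float — `1.17` happens to survive round-tripping, but `1.20` would become `1.2`. Write `go-version: '1.17'` and pin the action to a release tag or commit SHA like its neighbours. `fetch-depth: 0` is needed so `ct list-changed` can diff against `target-branch`, so that part is fine.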
+++ b/.github/workflows/helm.yml @@ -38,7 +38,7 @@ jobs: - name: Set up chart-testing uses: helm/chart-testing-action@v2.2.1 with: - version: v3.3.0 + version: v3.6.0 - name: Run chart-testing (list-changed) id: list-changed From 1fbf17b21b7df11202ee99fa821e6634b6264685 Mon Sep 17 00:00:00 2001 From: Matteo Ruina Date: Mon, 30 May 2022 15:01:01 +0200 Subject: [PATCH 06/24] Add ci values --- .github/workflows/helm.yml | 2 -- charts/kms-issuer/ci/dev-values.yaml | 3 +++ 2 files changed, 3 insertions(+), 2 deletions(-) create mode 100644 charts/kms-issuer/ci/dev-values.yaml diff --git a/.github/workflows/helm.yml b/.github/workflows/helm.yml index 144525b..c11adff 100644 --- a/.github/workflows/helm.yml +++ b/.github/workflows/helm.yml @@ -10,8 +10,6 @@ jobs: runs-on: ubuntu-latest env: IMG: skyscanner/kms-issuer:dev - REPOSITORY: skyscanner/kms-issuer - TAG: dev CERT_MANAGER_VERSION: v1.8.0 steps: diff --git a/charts/kms-issuer/ci/dev-values.yaml b/charts/kms-issuer/ci/dev-values.yaml new file mode 100644 index 0000000..9023506 --- /dev/null +++ b/charts/kms-issuer/ci/dev-values.yaml @@ -0,0 +1,3 @@ +image: + repository: skyscanner/kms-issuer + tag: dev From f94a1f61fbe5a825c2adc358e25f7a537687577d Mon Sep 17 00:00:00 2001 
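Review bot: `charts/kms-issuer/ci/dev-values.yaml` sits inside the chart directory and the `.helmignore` added earlier in this series does not exclude `ci/`, so the CI override pointing at the mutable `skyscanner/kms-issuer:dev` tag will be shipped in every packaged chart; add `ci/` to `.helmignore`. The file also has to be kept in sync with `IMG` in helm.yml by hand (a comment in the next commit says as much) — a `--helm-extra-set-args` derived from `IMG`, or one source of truth for both, would remove that drift.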
From: Matteo Ruina Date: Mon, 30 May 2022 16:35:16 +0200 Subject: [PATCH 07/24] Add chart scheleton --- .gitignore | 1 + charts/kms-issuer/ci/dev-values.yaml | 1 + ...msissuers.cert-manager.skyscanner.net.yaml | 119 ++++++++++++++++ .../kmskeys.cert-manager.skyscanner.net.yaml | 129 ++++++++++++++++++ charts/kms-issuer/templates/config.yaml | 19 +++ charts/kms-issuer/templates/deployment.yaml | 103 ++++++++------ charts/kms-issuer/templates/hpa.yaml | 28 ---- charts/kms-issuer/templates/ingress.yaml | 61 --------- charts/kms-issuer/templates/rbac.yaml | 54 ++++++++ charts/kms-issuer/templates/service.yaml | 17 +-- charts/kms-issuer/values.yaml | 50 ++----- 11 files changed, 406 insertions(+), 176 deletions(-) create mode 100644 charts/kms-issuer/crds/kmsissuers.cert-manager.skyscanner.net.yaml create mode 100644 charts/kms-issuer/crds/kmskeys.cert-manager.skyscanner.net.yaml create mode 100644 charts/kms-issuer/templates/config.yaml delete mode 100644 charts/kms-issuer/templates/hpa.yaml delete mode 100644 charts/kms-issuer/templates/ingress.yaml create mode 100644 charts/kms-issuer/templates/rbac.yaml diff --git a/.gitignore b/.gitignore index a25b34c..38c351e 100644 --- a/.gitignore +++ b/.gitignore @@ -24,3 +24,4 @@ testbin/* *.swo *~ .vscode +ct_previous* \ No newline at end of file diff --git a/charts/kms-issuer/ci/dev-values.yaml b/charts/kms-issuer/ci/dev-values.yaml index 9023506..2447eac 100644 --- a/charts/kms-issuer/ci/dev-values.yaml +++ b/charts/kms-issuer/ci/dev-values.yaml @@ -1,3 +1,4 @@ +# Keep in sync with the IMG variable in .github/workflows/helm.yml image: repository: skyscanner/kms-issuer tag: dev diff --git a/charts/kms-issuer/crds/kmsissuers.cert-manager.skyscanner.net.yaml b/charts/kms-issuer/crds/kmsissuers.cert-manager.skyscanner.net.yaml new file mode 100644 index 0000000..416de6c --- /dev/null +++ b/charts/kms-issuer/crds/kmsissuers.cert-manager.skyscanner.net.yaml 
@@ -0,0 +1,119 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: kmsissuers.cert-manager.skyscanner.net +spec: + group: cert-manager.skyscanner.net + names: + kind: KMSIssuer + listKind: KMSIssuerList + plural: kmsissuers + singular: kmsissuer + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: KMSIssuer is the Schema for the kmsissuers API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: KMSIssuerSpec defines the desired state of KMSIssuer + properties: + commonName: + description: 'CommonName is a common name to be used on the Certificate. + The CommonName should have a length of 64 characters or fewer to + avoid generating invalid CSRs. This value is ignored by TLS clients + when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4' + type: string + duration: + description: Certificate default Duration + type: string + keyId: + description: KeyID is the unique identifier for the customer master + key (CMK) deletion. When unspecified, a RSA 2048 key is created + and managed by the operator. 
+ type: string + renewBefore: + description: RenewBefore is the amount of time before the currently + issued certificate’s notAfter time that the issuer will begin to + attempt to renew the certificate. If this value is greater than + the total duration of the certificate (i.e. notAfter - notBefore), + it will be automatically renewed 2/3rds of the way through the certificate’s + duration. + type: string + type: object + status: + description: KMSIssuerStatus defines the observed state of KMSIssuer + properties: + certificate: + description: Byte slice containing a PEM encoded signed certificate + of the CA + format: byte + type: string + conditions: + items: + description: Condition contains condition information. + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the + details of the last transition, complementing reason. + type: string + reason: + description: Reason is a brief machine readable explanation + for the condition's last transition. + type: string + status: + allOf: + - enum: + - "True" + - "False" + - Unknown + - enum: + - "True" + - "False" + - Unknown + description: Status of the condition, one of ('True', 'False', + 'Unknown'). + type: string + type: + description: Type of the condition, currently ('Ready'). + enum: + - Ready + type: string + required: + - status + - type + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/charts/kms-issuer/crds/kmskeys.cert-manager.skyscanner.net.yaml b/charts/kms-issuer/crds/kmskeys.cert-manager.skyscanner.net.yaml new file mode 100644 index 0000000..d1561a9 --- /dev/null +++ b/charts/kms-issuer/crds/kmskeys.cert-manager.skyscanner.net.yaml 
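Review bot: CRDs shipped under `crds/` are installed by Helm only on first install and are never updated or removed by `helm upgrade` or `helm uninstall`, so later changes to the `KMSIssuer` schema will not reach existing clusters; that should be stated in the chart README, or the CRDs moved into `templates/` behind an `installCRDs` value. The `spec.keyId` description ("identifier for the customer master key (CMK) deletion") looks like text was dropped — it appears to describe the key used for signing, not deletion — and since this file is controller-gen output the fix belongs on the Go field comment, e.g. `// KeyID is the unique identifier of the KMS customer master key used to sign certificates.`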
@@ -0,0 +1,129 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: kmskeys.cert-manager.skyscanner.net +spec: + group: cert-manager.skyscanner.net + names: + kind: KMSKey + listKind: KMSKeyList + plural: kmskeys + singular: kmskey + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: KMSKey is the Schema for the kmskeys API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: KMSKeySpec defines the desired state of KMSKey + properties: + aliasName: + description: AliasName Specifies the alias name for the kms key. This + value must begin with alias/ followed by a name, such as alias/ExampleAlias. + type: string + customerMasterKeySpec: + description: CustomerMasterKeySpec determines the signing algorithms + that the CMK supports. Only RSA_2048 is currently supported. + type: string + deletionPendingWindowInDays: + description: This value is optional. If you include a value, it must + be between 7 and 30, inclusive. If you do not include a value, it + defaults to 30. + type: integer + deletionPolicy: + description: DeletionPolicy to deletes the alias and key on object + deletion. 
+ enum: + - Retain + - Delete + type: string + description: + description: Description for the key + type: string + policy: + description: The key policy to attach to the CMK + type: string + tags: + additionalProperties: + type: string + description: Tags is a list of tags for the key + type: object + required: + - aliasName + type: object + status: + description: KMSKeyStatus defines the observed state of KMSKey + properties: + conditions: + items: + description: Condition contains condition information. + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the + details of the last transition, complementing reason. + type: string + reason: + description: Reason is a brief machine readable explanation + for the condition's last transition. + type: string + status: + allOf: + - enum: + - "True" + - "False" + - Unknown + - enum: + - "True" + - "False" + - Unknown + description: Status of the condition, one of ('True', 'False', + 'Unknown'). + type: string + type: + description: Type of the condition, currently ('Ready'). + enum: + - Ready + type: string + required: + - status + - type + type: object + type: array + keyId: + description: KeyID is the unique identifier for the customer master + key (CMK) + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/charts/kms-issuer/templates/config.yaml b/charts/kms-issuer/templates/config.yaml new file mode 100644 index 0000000..3a4fd65 --- /dev/null +++ b/charts/kms-issuer/templates/config.yaml 
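Review bot: `deletionPendingWindowInDays` is documented as "between 7 and 30" but the schema carries no `minimum`/`maximum`, so out-of-range values pass API-server validation and only fail at the KMS call; because this is controller-gen output, add `// +kubebuilder:validation:Minimum=7` and `// +kubebuilder:validation:Maximum=30` to the Go field. `customerMasterKeySpec` likewise says only `RSA_2048` is supported without an `enum`, and `policy` is an opaque string that becomes the KMS key policy — a cluster user who can create `KMSKey` objects can grant principals outside the cluster access to the key, which is worth calling out in the description and in the chart's RBAC guidance.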
@@ -0,0 +1,19 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "kms-issuer.fullname" . }}-manager-config + namespace: {{ .Release.Namespace }} +data: + controller_manager_config.yaml: | + apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 + kind: ControllerManagerConfig + health: + healthProbeBindAddress: :8081 + metrics: + bindAddress: 127.0.0.1:8080 + webhook: + port: 9443 + leaderElection: + leaderElect: true + resourceName: dcb53387 \ No newline at end of file diff --git a/charts/kms-issuer/templates/deployment.yaml b/charts/kms-issuer/templates/deployment.yaml index 1e23357..fd56116 100644 --- a/charts/kms-issuer/templates/deployment.yaml +++ b/charts/kms-issuer/templates/deployment.yaml @@ -1,8 +1,10 @@ +--- apiVersion: apps/v1 kind: Deployment metadata: name: {{ include "kms-issuer.fullname" . }} labels: + control-plane: {{ include "kms-issuer.fullname" . }}-controller-manager {{- include "kms-issuer.labels" . | nindent 4 }} spec: {{- if not .Values.autoscaling.enabled }} 
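Review bot: Nothing in this commit mounts or references the `-manager-config` ConfigMap — the Deployment passes `--health-probe-bind-address`, `--metrics-bind-address` and leader election as flags — so it is dead configuration that can drift from the real settings (it hard-codes `leaderElect: true` while the flag is conditional), unless a later patch in the series wires it up. Either mount it and start the manager with `--config`, or drop the template. The file also lacks a trailing newline.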
@@ -10,52 +12,71 @@ spec: {{- end }} selector: matchLabels: - {{- include "kms-issuer.selectorLabels" . | nindent 6 }} + control-plane: {{ include "kms-issuer.fullname" . }}-controller-manager template: metadata: {{- with .Values.podAnnotations }} annotations: {{- toYaml . | nindent 8 }} {{- end }} - labels: - {{- include "kms-issuer.selectorLabels" . | nindent 8 }} - spec: - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} + spec: + containers: + - args: + - --secure-listen-address=0.0.0.0:8443 + - --upstream=http://127.0.0.1:8080/ + - --logtostderr=true + - --v=10 + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 + name: kube-rbac-proxy + ports: + - containerPort: 8443 + name: https + protocol: TCP + - command: + - /manager + - --health-probe-bind-address={{ .Values.healthProbeBindAddress }} + - --metrics-bind-address={{ .Values.metricsBindAddress }} + {{- if or (gt ( .Values.replicaCount | int64) 1) .Values.args.enableLeaderElection }} + - --enable-leader-election=true {{- end }} - serviceAccountName: {{ include "kms-issuer.serviceAccountName" . 
}} + - --enable-approved-check={{ .Values.enableApprovedCheck }} + - --local-aws-endpoint={{ .Values.localAwsEndpoit }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: manager + ports: + - containerPort: 9443 + name: webhook-server + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + {{- toYaml .Values.resources | nindent 12 }} securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} - containers: - - name: {{ .Chart.Name }} - securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - ports: - - name: http - containerPort: 80 - protocol: TCP - livenessProbe: - httpGet: - path: / - port: http - readinessProbe: - httpGet: - path: / - port: http - resources: - {{- toYaml .Values.resources | nindent 12 }} - {{- with .Values.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + serviceAccountName: {{ include "aws-auth-manager.fullname" . }}-controller-manager + terminationGracePeriodSeconds: 10 + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} \ No newline at end of file 
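Review bot: `--local-aws-endpoint={{ .Values.localAwsEndpoit }}` reads a misspelled key, so the `localAwsEndpoint` value the chart declares never reaches the manager and the flag always renders empty; the same typo survives as `.Values.args.localAwsEndpoit` in the deployment hunks of the later "Fix template" and "Fix RBAC roles" commits. The liveness and readiness probes hard-code `port: 8081` while the bind address comes from `{{ .Values.args.healthProbeBindAddress }}`, so overriding that value breaks both probes; derive the port from the same value or document that it must stay `:8081`. The rewrite also drops the `imagePullSecrets` stanza and replaces `{{ .Values.image.pullPolicy }}` with a literal `imagePullPolicy: IfNotPresent`, yet `values.yaml` still declares both keys, so they are now silently ignored. The template's `spec:` begins before this hunk.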
diff --git a/charts/kms-issuer/templates/hpa.yaml b/charts/kms-issuer/templates/hpa.yaml deleted file mode 100644 index 10ce590..0000000 --- a/charts/kms-issuer/templates/hpa.yaml +++ /dev/null @@ -1,28 +0,0 @@ -{{- if .Values.autoscaling.enabled }} -apiVersion: autoscaling/v2beta1 -kind: HorizontalPodAutoscaler -metadata: - name: {{ include "kms-issuer.fullname" . }} - labels: - {{- include "kms-issuer.labels" . | nindent 4 }} -spec: - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: {{ include "kms-issuer.fullname" . }} - minReplicas: {{ .Values.autoscaling.minReplicas }} - maxReplicas: {{ .Values.autoscaling.maxReplicas }} - metrics: - {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} - - type: Resource - resource: - name: cpu - targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} - {{- end }} - {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} - - type: Resource - resource: - name: memory - targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} - {{- end }} -{{- end }} diff --git a/charts/kms-issuer/templates/ingress.yaml b/charts/kms-issuer/templates/ingress.yaml deleted file mode 100644 index 3a3c75d..0000000 --- a/charts/kms-issuer/templates/ingress.yaml +++ /dev/null 
@@ -1,61 +0,0 @@ -{{- if .Values.ingress.enabled -}} -{{- $fullName := include "kms-issuer.fullname" . -}} -{{- $svcPort := .Values.service.port -}} -{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }} - {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }} - {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}} - {{- end }} -{{- end }} -{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}} -apiVersion: networking.k8s.io/v1 -{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} -apiVersion: networking.k8s.io/v1beta1 -{{- else -}} -apiVersion: extensions/v1beta1 -{{- end }} -kind: Ingress -metadata: - name: {{ $fullName }} - labels: - {{- include "kms-issuer.labels" . | nindent 4 }} - {{- with .Values.ingress.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }} - ingressClassName: {{ .Values.ingress.className }} - {{- end }} - {{- if .Values.ingress.tls }} - tls: - {{- range .Values.ingress.tls }} - - hosts: - {{- range .hosts }} - - {{ . | quote }} - {{- end }} - secretName: {{ .secretName }} - {{- end }} - {{- end }} - rules: - {{- range .Values.ingress.hosts }} - - host: {{ .host | quote }} - http: - paths: - {{- range .paths }} - - path: {{ .path }} - {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }} - pathType: {{ .pathType }} - {{- end }} - backend: - {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }} - service: - name: {{ $fullName }} - port: - number: {{ $svcPort }} - {{- else }} - serviceName: {{ $fullName }} - servicePort: {{ $svcPort }} - {{- end }} - {{- end }} - {{- end }} -{{- end }} 
diff --git a/charts/kms-issuer/templates/rbac.yaml b/charts/kms-issuer/templates/rbac.yaml new file mode 100644 index 0000000..f57aab0 --- /dev/null +++ b/charts/kms-issuer/templates/rbac.yaml @@ -0,0 +1,54 @@ +{{- if or (gt ( .Values.replicaCount | int64) 1) .Values.args.enableLeaderElection }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "kms-issuer.fullname" . }}-leader-election-role + namespace: {{ .Release.Namespace }} +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "kms-issuer.fullname" . }}-election-rolebinding + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "kms-issuer.fullname" . }}-election-role +subjects: +- kind: ServiceAccount + name: {{ include "kms-issuer.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{-end }} diff --git a/charts/kms-issuer/templates/service.yaml b/charts/kms-issuer/templates/service.yaml index 55459b7..24232d5 100644 --- a/charts/kms-issuer/templates/service.yaml +++ b/charts/kms-issuer/templates/service.yaml 
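Review bot: The leader-election Role grants `get list watch create update patch delete` on every ConfigMap in the release namespace, which is wider than leader election needs; if the bundled controller-runtime uses its default Lease-based resource lock, the `configmaps` rule can be dropped entirely, and otherwise it should be narrowed with `resourceNames` to the single lock object. The RoleBinding's `roleRef.name` is `…-election-role` while the Role above is named `…-leader-election-role`, so as written the binding points at a Role that does not exist and leader election fails with a forbidden error rather than a clear message. A one-line comment above the Role, `# Scoped to the leader-election lock only; see controller-runtime leader election docs`, would make the intended scope reviewable.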
@@ -1,15 +1,16 @@ +--- apiVersion: v1 kind: Service metadata: - name: {{ include "kms-issuer.fullname" . }} labels: - {{- include "kms-issuer.labels" . | nindent 4 }} + control-plane: {{ include "kms-issuer.fullname" . }}-controller-manager + name: {{ include "kms-issuer.fullname" . }}-metrics-service + namespace: {{ .Release.Namespace }} spec: - type: {{ .Values.service.type }} ports: - - port: {{ .Values.service.port }} - targetPort: http - protocol: TCP - name: http + - name: https + port: 8443 + protocol: TCP + targetPort: https selector: - {{- include "kms-issuer.selectorLabels" . | nindent 4 }} + control-plane: {{ include "kms-issuer.fullname" . }}-controller-manager \ No newline at end of file diff --git a/charts/kms-issuer/values.yaml b/charts/kms-issuer/values.yaml index 44f6897..ff381c5 100644 --- a/charts/kms-issuer/values.yaml +++ b/charts/kms-issuer/values.yaml @@ -14,6 +14,18 @@ imagePullSecrets: [] nameOverride: "" fullnameOverride: "" +args: + # -- The address the metric endpoint binds to. + metricsBindAddress: :8080 + # -- Enable leader election for controller manager. + leaderElect: false + # -- The address the probe endpoint binds to + healthProbeBindAddress: :8081 + # -- Enable waiting for CertificateRequests to have an approved condition before signing + enableApprovedCheck: "true" + # -- The address of a local-kms endpoint for testing + localAwsEndpoint: "" + serviceAccount: # Specifies whether a service account should be created create: true 
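Review bot: `metricsBindAddress: :8080` binds the manager's metrics endpoint on all pod interfaces, while the kube-rbac-proxy sidecar added in deployment.yaml proxies `http://127.0.0.1:8080/`; with that default the metrics port is reachable directly from inside the cluster, so the proxy's authentication and authorization can be bypassed. The `controller_manager_config.yaml` ConfigMap added in the same commit uses `bindAddress: 127.0.0.1:8080`, which is the value that makes the proxy the only path, and the same consideration applies where `enableMetricsRbacProxy` is introduced in the values hunk of the "Make RBAC proxy configurable" commit. Suggest `metricsBindAddress: "127.0.0.1:8080"` as the default when the proxy is on (quoted, since the bare `:8080` form relies on plain-scalar parsing), with the comment `# -- Keep on loopback when the RBAC proxy is enabled so metrics are reachable only through it`.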
@@ -25,37 +37,6 @@ serviceAccount: podAnnotations: {} -podSecurityContext: {} - # fsGroup: 2000 - -securityContext: {} - # capabilities: - # drop: - # - ALL - # readOnlyRootFilesystem: true - # runAsNonRoot: true - # runAsUser: 1000 - -service: - type: ClusterIP - port: 80 - -ingress: - enabled: false - className: "" - annotations: {} - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - hosts: - - host: chart-example.local - paths: - - path: / - pathType: ImplementationSpecific - tls: [] - # - secretName: chart-example-tls - # hosts: - # - chart-example.local - resources: {} # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little @@ -68,13 +49,6 @@ resources: {} # cpu: 100m # memory: 128Mi -autoscaling: - enabled: false - minReplicas: 1 - maxReplicas: 100 - targetCPUUtilizationPercentage: 80 - # targetMemoryUtilizationPercentage: 80 - nodeSelector: {} tolerations: [] From e5fd658b5ef0692f927b3d910d360a33fc642710 Mon Sep 17 00:00:00 2001 From: Matteo Ruina Date: Tue, 31 May 2022 09:52:23 +0200 Subject: [PATCH 08/24] Fix template --- charts/kms-issuer/Chart.yaml | 2 +- charts/kms-issuer/templates/deployment.yaml | 10 ++++++---- charts/kms-issuer/templates/rbac.yaml | 2 +- charts/kms-issuer/values.yaml | 2 +- 4 files changed, 9 insertions(+), 7 deletions(-) diff --git a/charts/kms-issuer/Chart.yaml b/charts/kms-issuer/Chart.yaml index 003bec2..ea7d63a 100644 --- a/charts/kms-issuer/Chart.yaml +++ b/charts/kms-issuer/Chart.yaml 
@@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.0 +version: 1.0.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/charts/kms-issuer/templates/deployment.yaml b/charts/kms-issuer/templates/deployment.yaml index fd56116..8cf1328 100644 --- a/charts/kms-issuer/templates/deployment.yaml +++ b/charts/kms-issuer/templates/deployment.yaml @@ -34,13 +34,15 @@ spec: protocol: TCP - command: - /manager - - --health-probe-bind-address={{ .Values.healthProbeBindAddress }} - - --metrics-bind-address={{ .Values.metricsBindAddress }} + - --health-probe-bind-address={{ .Values.args.healthProbeBindAddress }} + - --metrics-bind-address={{ .Values.args.metricsBindAddress }} {{- if or (gt ( .Values.replicaCount | int64) 1) .Values.args.enableLeaderElection }} - --enable-leader-election=true {{- end }} - - --enable-approved-check={{ .Values.enableApprovedCheck }} - - --local-aws-endpoint={{ .Values.localAwsEndpoit }} + {{- if .Values.args.enableApprovedCheck }} + - --enable-approved-check=true + {{-end }} + - --local-aws-endpoint={{ .Values.args.localAwsEndpoit }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: IfNotPresent livenessProbe: diff --git a/charts/kms-issuer/templates/rbac.yaml b/charts/kms-issuer/templates/rbac.yaml index f57aab0..80509ae 100644 --- a/charts/kms-issuer/templates/rbac.yaml +++ b/charts/kms-issuer/templates/rbac.yaml @@ -51,4 +51,4 @@ subjects: - kind: ServiceAccount name: {{ include "kms-issuer.serviceAccountName" . }} namespace: {{ .Release.Namespace }} -{{-end }} +{{- end }} 
diff --git a/charts/kms-issuer/values.yaml b/charts/kms-issuer/values.yaml index ff381c5..6d46fb1 100644 --- a/charts/kms-issuer/values.yaml +++ b/charts/kms-issuer/values.yaml @@ -22,7 +22,7 @@ args: # -- The address the probe endpoint binds to healthProbeBindAddress: :8081 # -- Enable waiting for CertificateRequests to have an approved condition before signing - enableApprovedCheck: "true" + enableApprovedCheck: true # -- The address of a local-kms endpoint for testing localAwsEndpoint: "" From e6aa616d78dcb5afcc01f7bcc8df53872f5fcaf5 Mon Sep 17 00:00:00 2001 From: Matteo Ruina Date: Tue, 31 May 2022 10:48:00 +0200 Subject: [PATCH 09/24] Fix RBAC roles --- charts/kms-issuer/ci/dev-values.yaml | 2 + charts/kms-issuer/templates/deployment.yaml | 101 +++++------ charts/kms-issuer/templates/rbac.yaml | 170 +++++++++++++++++- .../kms-issuer/templates/serviceaccount.yaml | 1 + 4 files changed, 218 insertions(+), 56 deletions(-) diff --git a/charts/kms-issuer/ci/dev-values.yaml b/charts/kms-issuer/ci/dev-values.yaml index 2447eac..e36bdbb 100644 --- a/charts/kms-issuer/ci/dev-values.yaml +++ b/charts/kms-issuer/ci/dev-values.yaml @@ -2,3 +2,5 @@ image: repository: skyscanner/kms-issuer tag: dev + +replicaCount: 2 \ No newline at end of file diff --git a/charts/kms-issuer/templates/deployment.yaml b/charts/kms-issuer/templates/deployment.yaml index 8cf1328..bb3cba9 100644 --- a/charts/kms-issuer/templates/deployment.yaml +++ b/charts/kms-issuer/templates/deployment.yaml @@ -3,13 +3,12 @@ apiVersion: apps/v1 kind: Deployment metadata: name: {{ include "kms-issuer.fullname" . }} + namespace: {{ .Release.Namespace }} labels: control-plane: {{ include "kms-issuer.fullname" . }}-controller-manager {{- include "kms-issuer.labels" . | nindent 4 }} spec: - {{- if not .Values.autoscaling.enabled }} replicas: {{ .Values.replicaCount }} - {{- end }} selector: matchLabels: control-plane: {{ include "kms-issuer.fullname" . }}-controller-manager 
@@ -19,57 +18,55 @@ spec: annotations: {{- toYaml . | nindent 8 }} {{- end }} - spec: - containers: - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=10 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - protocol: TCP - - command: - - /manager - - --health-probe-bind-address={{ .Values.args.healthProbeBindAddress }} - - --metrics-bind-address={{ .Values.args.metricsBindAddress }} - {{- if or (gt ( .Values.replicaCount | int64) 1) .Values.args.enableLeaderElection }} - - --enable-leader-election=true - {{- end }} - {{- if .Values.args.enableApprovedCheck }} - - --enable-approved-check=true - {{-end }} - - --local-aws-endpoint={{ .Values.args.localAwsEndpoit }} - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - ports: - - containerPort: 9443 - name: webhook-server - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - {{- toYaml .Values.resources | nindent 12 }} + labels: + control-plane: {{ include "kms-issuer.fullname" . 
}}-controller-manager + spec: + containers: + - args: + - --secure-listen-address=0.0.0.0:8443 + - --upstream=http://127.0.0.1:8080/ + - --logtostderr=true + - --v=10 + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 + name: kube-rbac-proxy + ports: + - containerPort: 8443 + name: https + protocol: TCP + - command: + - /manager + - --health-probe-bind-address={{ .Values.args.healthProbeBindAddress }} + - --metrics-bind-address={{ .Values.args.metricsBindAddress }} + {{- if or (gt ( .Values.replicaCount | int64) 1) .Values.args.leaderElect }} + - --leader-elect=true + {{- end }} + {{- if .Values.args.enableApprovedCheck }} + - --enable-approved-check=true + {{- end }} + - --local-aws-endpoint={{ .Values.args.localAwsEndpoit }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: manager + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + {{- toYaml .Values.resources | nindent 12 }} + securityContext: + allowPrivilegeEscalation: false securityContext: - allowPrivilegeEscalation: false - securityContext: - runAsNonRoot: true - serviceAccountName: {{ include "aws-auth-manager.fullname" . }}-controller-manager - terminationGracePeriodSeconds: 10 + runAsNonRoot: true + serviceAccountName: {{ include "kms-issuer.serviceAccountName" . }} + terminationGracePeriodSeconds: 10 {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/charts/kms-issuer/templates/rbac.yaml b/charts/kms-issuer/templates/rbac.yaml index 80509ae..62459b8 100644 --- a/charts/kms-issuer/templates/rbac.yaml +++ b/charts/kms-issuer/templates/rbac.yaml 
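Review bot: The kube-rbac-proxy sidecar is started with `--v=10`, the most verbose klog level, which logs every proxied request in detail and is more than a chart default should ship; lower it or expose it as a value, e.g. `- --v={{ .Values.rbacProxy.verbosity }}` with a conservative default. `allowPrivilegeEscalation: false` is applied only to the manager container and not to the sidecar, and neither container drops capabilities or sets `readOnlyRootFilesystem`, which the scaffold `securityContext` stanza removed from values.yaml earlier in this series had hinted at; because indentation is lost in this rendering, the level of the two `securityContext:` keys should be verified in the rendered output. The misspelled `localAwsEndpoit` key noted on the earlier deployment hunk is still present here. The template continues past the trailing `nodeSelector` context lines.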
@@ -1,4 +1,86 @@ -{{- if or (gt ( .Values.replicaCount | int64) 1) .Values.args.enableLeaderElection }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "kms-issuer.fullname" . }}-manager-role +rules: +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - cert-manager.io + resources: + - certificaterequests + verbs: + - get + - list + - update + - watch +- apiGroups: + - cert-manager.io + resources: + - certificaterequests/status + verbs: + - get + - patch + - update +- apiGroups: + - cert-manager.skyscanner.net + resources: + - kmsissuers + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - cert-manager.skyscanner.net + resources: + - kmsissuers/status + verbs: + - get + - patch + - update +- apiGroups: + - cert-manager.skyscanner.net + resources: + - kmskeys + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - cert-manager.skyscanner.net + resources: + - kmskeys/status + verbs: + - get + - patch + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "kms-issuer.fullname" . }}-manager-role +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "kms-issuer.fullname" . }}-manager-role +subjects: +- kind: ServiceAccount + name: {{ include "kms-issuer.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role 
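Review bot: The manager ClusterRole is hand-copied with no pointer to its source, and the Makefile change later in this series runs `controller-gen rbac:roleName=manager-role`, so the generated role (presumably under `config/rbac`) and this template will drift silently as RBAC markers change; add a comment above the first rule such as `# Keep in sync with the controller-gen rbac output (rbac:roleName=manager-role)` and consider generating into the chart the way the CRDs are. The rules grant `delete` on `kmsissuers` and `kmskeys`; if the controller only updates status and finalizers on its own resources, `delete` is not required and could be dropped — worth confirming against the kubebuilder RBAC markers before tightening. The leader-election Role and its binding continue after this hunk.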
@@ -41,14 +123,94 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: {{ include "kms-issuer.fullname" . }}-election-rolebinding + name: {{ include "kms-issuer.fullname" . }}-leader-election-role namespace: {{ .Release.Namespace }} roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: {{ include "kms-issuer.fullname" . }}-election-role + name: {{ include "kms-issuer.fullname" . }}-leader-election-role +subjects: +- kind: ServiceAccount + name: {{ include "kms-issuer.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "kms-issuer.fullname" . }}-cert-manager-controller-approve +rules: +- apiGroups: + - cert-manager.io + resourceNames: + - kmsissuers.cert-manager.skyscanner.net/* + resources: + - signers + verbs: + - approve +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "kms-issuer.fullname" . }}-cert-manager-controller-approve +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "kms-issuer.fullname" . }}-cert-manager-controller-approve +subjects: +- kind: ServiceAccount + name: cert-manager + namespace: cert-manager +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "kms-issuer.fullname" . }}-metrics-reader +rules: +- nonResourceURLs: + - /metrics + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "kms-issuer.fullname" . }}-metrics-reader +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "kms-issuer.fullname" . }}-metrics-reader +subjects: +- kind: ServiceAccount + name: {{ include "kms-issuer.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "kms-issuer.fullname" . 
}}-proxy-role +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "kms-issuer.fullname" . }}-proxy-role +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "kms-issuer.fullname" . }}-proxy-role subjects: - kind: ServiceAccount name: {{ include "kms-issuer.serviceAccountName" . }} namespace: {{ .Release.Namespace }} -{{- end }} diff --git a/charts/kms-issuer/templates/serviceaccount.yaml b/charts/kms-issuer/templates/serviceaccount.yaml index e1befb4..4e94b5c 100644 --- a/charts/kms-issuer/templates/serviceaccount.yaml +++ b/charts/kms-issuer/templates/serviceaccount.yaml @@ -3,6 +3,7 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ include "kms-issuer.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} labels: {{- include "kms-issuer.labels" . | nindent 4 }} {{- with .Values.serviceAccount.annotations }} From d55fc92f3af098f11c5d6415cea1017848c96071 Mon Sep 17 00:00:00 2001 From: Matteo Ruina Date: Tue, 31 May 2022 10:50:41 +0200 Subject: [PATCH 10/24] Add README --- charts/kms-issuer/README.md | 33 ++++++++++++++++++++++++++++++ charts/kms-issuer/README.md.gotmpl | 9 ++++++++ 2 files changed, 42 insertions(+) create mode 100644 charts/kms-issuer/README.md create mode 100644 charts/kms-issuer/README.md.gotmpl diff --git a/charts/kms-issuer/README.md b/charts/kms-issuer/README.md new file mode 100644 index 0000000..4eb0d6e --- /dev/null +++ b/charts/kms-issuer/README.md 
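Review bot: The `-cert-manager-controller-approve` ClusterRoleBinding hard-codes its subject as ServiceAccount `cert-manager` in namespace `cert-manager`; if cert-manager is installed under another release name or namespace, the approver grant lands on a non-existent account and CertificateRequests stay unapproved while `enableApprovedCheck` is true, with nothing in the chart surfacing why. Make the subject configurable, e.g. `name: {{ .Values.certManager.serviceAccountName }}` and `namespace: {{ .Values.certManager.namespace }}` with the current literals as defaults, and document in values.yaml that they must match the cert-manager installation. The `-metrics-reader` ClusterRole is bound here to the issuer's own ServiceAccount although it is meant for whatever scrapes `/metrics` through the proxy, so the binding grants nothing useful as written.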
@@ -0,0 +1,33 @@ +# kms-issuer + +![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v2.0.0](https://img.shields.io/badge/AppVersion-v2.0.0-informational?style=flat-square) + +A Helm chart to install kms-issuer + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| affinity | object | `{}` | | +| args.enableApprovedCheck | bool | `true` | Enable waiting for CertificateRequests to have an approved condition before signing | +| args.healthProbeBindAddress | string | `":8081"` | The address the probe endpoint binds to | +| args.leaderElect | bool | `false` | Enable leader election for controller manager. | +| args.localAwsEndpoint | string | `""` | The address of a local-kms endpoint for testing | +| args.metricsBindAddress | string | `":8080"` | The address the metric endpoint binds to. | +| fullnameOverride | string | `""` | | +| image.pullPolicy | string | `"IfNotPresent"` | | +| image.repository | string | `"ghcr.io/skyscanner/kms-issuer"` | | +| image.tag | string | `""` | | +| imagePullSecrets | list | `[]` | | +| nameOverride | string | `""` | | +| nodeSelector | object | `{}` | | +| podAnnotations | object | `{}` | | +| replicaCount | int | `1` | | +| resources | object | `{}` | | +| serviceAccount.annotations | object | `{}` | | +| serviceAccount.create | bool | `true` | | +| serviceAccount.name | string | `""` | | +| tolerations | list | `[]` | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.10.0](https://github.com/norwoodj/helm-docs/releases/v1.10.0) \ No newline at end of file diff --git a/charts/kms-issuer/README.md.gotmpl b/charts/kms-issuer/README.md.gotmpl new file mode 100644 index 0000000..5d08da3 --- /dev/null +++ b/charts/kms-issuer/README.md.gotmpl 
@@ -0,0 +1,9 @@ +# {{ template "chart.name" . }} + +{{ template "chart.versionBadge" . }}{{ template "chart.typeBadge" . }}{{ template "chart.appVersionBadge" . }} + +{{ template "chart.description" . }} + +{{ template "chart.valuesSection" . }} + +{{ template "helm-docs.versionFooter" . }} \ No newline at end of file From cf04a793d3518ad4bfc2c060be4b65db536baac7 Mon Sep 17 00:00:00 2001 From: Matteo Ruina Date: Tue, 31 May 2022 11:16:18 +0200 Subject: [PATCH 11/24] Fix linting --- charts/kms-issuer/ci/dev-values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/kms-issuer/ci/dev-values.yaml b/charts/kms-issuer/ci/dev-values.yaml index e36bdbb..416da74 100644 --- a/charts/kms-issuer/ci/dev-values.yaml +++ b/charts/kms-issuer/ci/dev-values.yaml @@ -3,4 +3,4 @@ image: repository: skyscanner/kms-issuer tag: dev -replicaCount: 2 \ No newline at end of file +replicaCount: 2 From 0c52da2e991c0e5a4a209d6656ff0c84ef559df1 Mon Sep 17 00:00:00 2001 From: Matteo Ruina Date: Tue, 31 May 2022 11:39:37 +0200 Subject: [PATCH 12/24] Add release workflow --- .github/workflows/release.yml | 17 +++++++++++++++++ README.md | 22 ++++++++++++++++++++++ 2 files changed, 39 insertions(+) create mode 100644 .github/workflows/release.yml diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 0000000..8fceb61 --- /dev/null +++ b/.github/workflows/release.yml @@ -0,0 +1,17 @@ +name: Release artifacts + +on: + push: + tags: + - "*" + +jobs: + release: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3.0.2 + + - name: Publish Helm charts + uses: stefanprodan/helm-gh-pages@master + with: + token: ${{ secrets.GITHUB_TOKEN }} diff --git a/README.md b/README.md index eee149b..b890151 100644 --- a/README.md +++ b/README.md 
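Review bot: `uses: stefanprodan/helm-gh-pages@master` pins a third-party action to a mutable branch and hands it `secrets.GITHUB_TOKEN`, so any change to that branch runs inside this release job with the token's permissions; pin it to a full commit SHA with the version as a comment, `uses: stefanprodan/helm-gh-pages@<commit-sha> # <release-tag>`. The job also declares no `permissions:` block, so the token carries whatever the repository default is; add `permissions:` / `contents: write` at the job level so it is scoped to what publishing the chart needs. The same pinning consideration applies to `actions/checkout@v3.0.2`, which is a tag rather than a SHA.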
@@ -11,6 +11,28 @@ In this guide, we assume that you have a [Kubernetes](https://kubernetes.io/) en For any details on Cert-Manager, check the [official documentation](https://cert-manager.io/docs/usage/). +## Install + +You can install the controller using the official helm chart: + +```console +helm repo add kms-issuer 'https://skyscanner.github.io/kms-issuer' +helm repo update +``` + +To install the chart with the release name `kmsrelease`: + +```console + # Create the infrabin namespace: + + kubectl create namespace kms-issuer-system + + Run helm install: + + helm upgrade --install kmsrelease kms-issuer/kms-issuer \ + --namespace kms-issuer-system +```console + ### Usage 1. Install [cert-manager](https://cert-manager.io/docs/installation/). The operator has been tested with version v0.15.1 From 2bd166d85c216a5a4e92092b4e2ce93fe90196b6 Mon Sep 17 00:00:00 2001 From: Matteo Ruina Date: Tue, 31 May 2022 14:57:58 +0200 Subject: [PATCH 13/24] Use controller-get to generate CRDs for the chart --- Makefile | 1 + 1 file changed, 1 insertion(+) diff --git a/Makefile b/Makefile index 17573e8..165827a 100644 --- a/Makefile +++ b/Makefile @@ -42,6 +42,7 @@ help: ## Display this help. .PHONY: manifests manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects. $(CONTROLLER_GEN) rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases + $(CONTROLLER_GEN) rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=charts/kms-issuer/crds .PHONY: generate generate: controller-gen ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations. From 1519a0e93229661ae6f7168aef41e176eaca65ce Mon Sep 17 00:00:00 2001 
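Review bot: The added second `$(CONTROLLER_GEN)` line repeats the `rbac:roleName=manager-role` and `webhook` generators, so RBAC and webhook manifests are generated twice into their default locations and only the CRD output location differs; keep just the CRD generator on that line, `$(CONTROLLER_GEN) crd paths="./..." output:crd:artifacts:config=charts/kms-issuer/crds`. A caveat worth adding as a comment on the target: Helm installs files from a chart's `crds/` directory only on first install and never upgrades or deletes them, so CRD schema changes regenerated here will not reach existing releases through `helm upgrade`; the chart README should say how to apply updated CRDs. The `manifests` target continues past this hunk.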
From: Matteo Ruina Date: Tue, 31 May 2022 14:58:14 +0200 Subject: [PATCH 14/24] Remove unused config --- charts/kms-issuer/templates/config.yaml | 19 ------------------- 1 file changed, 19 deletions(-) delete mode 100644 charts/kms-issuer/templates/config.yaml diff --git a/charts/kms-issuer/templates/config.yaml b/charts/kms-issuer/templates/config.yaml deleted file mode 100644 index 3a4fd65..0000000 --- a/charts/kms-issuer/templates/config.yaml +++ /dev/null @@ -1,19 +0,0 @@ ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "kms-issuer.fullname" . }}-manager-config - namespace: {{ .Release.Namespace }} -data: - controller_manager_config.yaml: | - apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 - kind: ControllerManagerConfig - health: - healthProbeBindAddress: :8081 - metrics: - bindAddress: 127.0.0.1:8080 - webhook: - port: 9443 - leaderElection: - leaderElect: true - resourceName: dcb53387 \ No newline at end of file From 3859a62afc525e78891fb59cbb1cc0454e94af81 Mon Sep 17 00:00:00 2001 From: Matteo Ruina Date: Tue, 31 May 2022 14:58:35 +0200 Subject: [PATCH 15/24] Make RBAC proxy configurable --- charts/kms-issuer/templates/deployment.yaml | 2 ++ charts/kms-issuer/templates/rbac.yaml | 15 ++------------- charts/kms-issuer/templates/service.yaml | 4 +++- charts/kms-issuer/values.yaml | 3 +++ 4 files changed, 10 insertions(+), 14 deletions(-) diff --git a/charts/kms-issuer/templates/deployment.yaml b/charts/kms-issuer/templates/deployment.yaml index bb3cba9..832f31f 100644 --- a/charts/kms-issuer/templates/deployment.yaml +++ b/charts/kms-issuer/templates/deployment.yaml @@ -22,6 +22,7 @@ spec: control-plane: {{ include "kms-issuer.fullname" . }}-controller-manager spec: containers: + {{- if .Values.enableMetricsRbacProxy }} - args: - --secure-listen-address=0.0.0.0:8443 - --upstream=http://127.0.0.1:8080/ 
@@ -33,6 +34,7 @@ spec: - containerPort: 8443 name: https protocol: TCP + {{- endif }} - command: - /manager - --health-probe-bind-address={{ .Values.args.healthProbeBindAddress }} diff --git a/charts/kms-issuer/templates/rbac.yaml b/charts/kms-issuer/templates/rbac.yaml index 62459b8..8aa9033 100644 --- a/charts/kms-issuer/templates/rbac.yaml +++ b/charts/kms-issuer/templates/rbac.yaml @@ -171,19 +171,7 @@ rules: verbs: - get --- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ include "kms-issuer.fullname" . }}-metrics-reader -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ include "kms-issuer.fullname" . }}-metrics-reader -subjects: -- kind: ServiceAccount - name: {{ include "kms-issuer.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} ---- +{{- if .Values.enableMetricsRbacProxy }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -214,3 +202,4 @@ subjects: - kind: ServiceAccount name: {{ include "kms-issuer.serviceAccountName" . }} namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/kms-issuer/templates/service.yaml b/charts/kms-issuer/templates/service.yaml index 24232d5..c0b1bdc 100644 --- a/charts/kms-issuer/templates/service.yaml +++ b/charts/kms-issuer/templates/service.yaml @@ -1,3 +1,4 @@ +{{- if .Values.enableMetricsRbacProxy }} --- apiVersion: v1 kind: Service @@ -13,4 +14,5 @@ spec: protocol: TCP targetPort: https selector: - control-plane: {{ include "kms-issuer.fullname" . }}-controller-manager \ No newline at end of file + control-plane: {{ include "kms-issuer.fullname" . }}-controller-manager +{{- end }} \ No newline at end of file diff --git a/charts/kms-issuer/values.yaml b/charts/kms-issuer/values.yaml index 6d46fb1..2595b76 100644 --- a/charts/kms-issuer/values.yaml +++ b/charts/kms-issuer/values.yaml 
@@ -14,6 +14,9 @@ imagePullSecrets: [] nameOverride: "" fullnameOverride: "" +# -- Enable an RBAC proxy to protect the metrics endpoint +enableMetricsRbacProxy: false + args: # -- The address the metric endpoint binds to. metricsBindAddress: :8080
From ef75d6ae29414698e9cc04cb4a14c877f1605736 Mon Sep 17 00:00:00 2001
From: Matteo Ruina
Date: Tue, 31 May 2022 15:00:17 +0200
Subject: [PATCH 16/24] Fix rbac roles for metrics
---
charts/kms-issuer/templates/deployment.yaml | 2 +-
charts/kms-issuer/templates/rbac.yaml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/charts/kms-issuer/templates/deployment.yaml b/charts/kms-issuer/templates/deployment.yaml
index 832f31f..d056c5f 100644
--- a/charts/kms-issuer/templates/deployment.yaml
+++ b/charts/kms-issuer/templates/deployment.yaml
@@ -34,7 +34,7 @@ spec: - containerPort: 8443 name: https protocol: TCP - {{- endif }} + {{- end }} - command: - /manager - --health-probe-bind-address={{ .Values.args.healthProbeBindAddress }}
diff --git a/charts/kms-issuer/templates/rbac.yaml b/charts/kms-issuer/templates/rbac.yaml
index 8aa9033..746f565 100644
--- a/charts/kms-issuer/templates/rbac.yaml
+++ b/charts/kms-issuer/templates/rbac.yaml
@@ -160,6 +160,7 @@ subjects: - kind: ServiceAccount name: cert-manager namespace: cert-manager +{{- if .Values.enableMetricsRbacProxy }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole
@@ -171,7 +172,6 @@ rules: verbs: - get --- -{{- if .Values.enableMetricsRbacProxy }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata:
From a1261bda889ae7eea56dcbda66f569246752325c Mon Sep 17 00:00:00 2001
From: Matteo Ruina
Date: Tue, 31 May 2022 15:05:29 +0200
Subject: [PATCH 17/24] Add CI values to test the RBAC proxy
---
charts/kms-issuer/ci/rbac-values.yaml | 6 ++++++
1 file changed, 6 insertions(+)
create mode 100644 charts/kms-issuer/ci/rbac-values.yaml
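Review bot: The new comment says the proxy protects the metrics endpoint, but the manager keeps listening on the unchanged default `metricsBindAddress: :8080` shown in the context lines, which binds every pod interface; with the proxy enabled the plain-HTTP upstream on 8080 therefore stays reachable in-cluster by pod IP and the authenticated listener on 8443 is not the only way in. The sidecar added in PATCH 15's deployment hunk forwards to `--upstream=http://127.0.0.1:8080/`, and the ConfigMap deleted in PATCH 14 bound metrics to `127.0.0.1:8080`, so a loopback bind is what this layout expects. Suggest defaulting to `127.0.0.1:8080` whenever the proxy is on, or at least extending the comment: `# -- Enable an RBAC proxy to protect the metrics endpoint. Only effective when args.metricsBindAddress binds loopback (127.0.0.1:8080); a bare ":8080" leaves the unauthenticated upstream reachable by pod IP.`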
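Review bot: Moving `{{- if .Values.enableMetricsRbacProxy }}` up to old line 160 of rbac.yaml means the ClusterRole that follows it, presumably the `metrics-reader` role given that the ClusterRoleBinding removed in PATCH 15 referenced a role of that name, is now created only with the proxy and, as far as the visible hunks show, with no binding at all. That is the least-privilege shape one wants (the controller's own service account no longer carries a read grant it does not use), but nothing tells an operator they are expected to bind this role to the identity that scrapes metrics. A values.yaml or README sentence would close the gap, e.g. `# -- Enable an RBAC proxy to protect the metrics endpoint; a <fullname>-metrics-reader ClusterRole is created for you to bind to your scraper's service account`. The surrounding rule lists are outside the hunk, so the role's exact verbs should be confirmed before wording it.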
diff --git a/charts/kms-issuer/ci/rbac-values.yaml b/charts/kms-issuer/ci/rbac-values.yaml
new file mode 100644
index 0000000..ebe3651
--- /dev/null
+++ b/charts/kms-issuer/ci/rbac-values.yaml
@@ -0,0 +1,6 @@ +# Keep in sync with the IMG variable in .github/workflows/helm.yml +image: + repository: skyscanner/kms-issuer + tag: dev + +enableMetricsRbacProxy: true
From 30e0d0b2da346b59d5ff9babf5037eab691005e8 Mon Sep 17 00:00:00 2001
From: Matteo Ruina
Date: Tue, 31 May 2022 15:05:53 +0200
Subject: [PATCH 18/24] Alway enable the metric service
---
charts/kms-issuer/templates/service.yaml | 2 --
1 file changed, 2 deletions(-)
diff --git a/charts/kms-issuer/templates/service.yaml b/charts/kms-issuer/templates/service.yaml
index c0b1bdc..1a6bf90 100644
--- a/charts/kms-issuer/templates/service.yaml
+++ b/charts/kms-issuer/templates/service.yaml
@@ -1,4 +1,3 @@ -{{- if .Values.enableMetricsRbacProxy }} --- apiVersion: v1 kind: Service
@@ -15,4 +14,3 @@ spec: targetPort: https selector: control-plane: {{ include "kms-issuer.fullname" . }}-controller-manager -{{- end }} \ No newline at end of file
From ff067ddacb321bf2f82fcbb5b21e3c95d0f42993 Mon Sep 17 00:00:00 2001
From: Matteo Ruina
Date: Tue, 31 May 2022 15:06:14 +0200
Subject: [PATCH 19/24] Update README
---
charts/kms-issuer/README.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/charts/kms-issuer/README.md b/charts/kms-issuer/README.md
index 4eb0d6e..795eae3 100644
--- a/charts/kms-issuer/README.md
+++ b/charts/kms-issuer/README.md
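Review bot: Dropping the `{{- if }}` guard makes the Service unconditional, but its `targetPort: https` (context line in the second service.yaml hunk) still names the container port that PATCH 15 wrapped in `{{- if .Values.enableMetricsRbacProxy }}` in deployment.yaml; with the proxy disabled no container declares a port called `https`, so the endpoints controller omits the pod and the "always enabled" metrics Service has no endpoints. Unless the manager container declares its own `https` port, which the visible hunks do not show, the Service should either stay conditional or target the manager's metrics port when the proxy is off, e.g. `targetPort: {{ ternary "https" "http-metrics" .Values.enableMetricsRbacProxy }}` paired with a matching named `containerPort` on the manager (port names here are illustrative). The Service's port definitions are outside the hunk.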
@@ -14,6 +14,7 @@ A Helm chart to install kms-issuer | args.leaderElect | bool | `false` | Enable leader election for controller manager. | | args.localAwsEndpoint | string | `""` | The address of a local-kms endpoint for testing | | args.metricsBindAddress | string | `":8080"` | The address the metric endpoint binds to. | +| enableMetricsRbacProxy | bool | `false` | Enable an RBAC proxy to protect the metrics endpoint | | fullnameOverride | string | `""` | | | image.pullPolicy | string | `"IfNotPresent"` | | | image.repository | string | `"ghcr.io/skyscanner/kms-issuer"` | |
From e459a8525e425455c2b162cc2fa1030627a1f265 Mon Sep 17 00:00:00 2001
From: Matteo Ruina
Date: Tue, 31 May 2022 15:10:43 +0200
Subject: [PATCH 20/24] Remove hardcoded value for readiness and liveness port
---
charts/kms-issuer/templates/deployment.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/charts/kms-issuer/templates/deployment.yaml b/charts/kms-issuer/templates/deployment.yaml
index d056c5f..51cb626 100644
--- a/charts/kms-issuer/templates/deployment.yaml
+++ b/charts/kms-issuer/templates/deployment.yaml
@@ -51,14 +51,14 @@ spec: livenessProbe: httpGet: path: /healthz - port: 8081 + port: {{ (split ":" .Values.args.healthProbeBindAddress)._1 }} initialDelaySeconds: 15 periodSeconds: 20 name: manager readinessProbe: httpGet: path: /readyz - port: 8081 + port: {{ (split ":" .Values.args.healthProbeBindAddress)._1 }} initialDelaySeconds: 5 periodSeconds: 10 resources:
From 2368c8fa5838bda1d3db9f83fb6b998d98385ca3 Mon Sep 17 00:00:00 2001
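Review bot: `(split ":" .Values.args.healthProbeBindAddress)._1` only yields the port when the address contains exactly one colon: the default `:8081` and a `host:8081` form work, but an IPv6 bind such as `[::]:8081` renders the wrong fragment, and a bare `8081` has no `_1` and renders `port:` empty, which the API server rejects. Taking the last colon-separated element covers all of these: `port: {{ .Values.args.healthProbeBindAddress | splitList ":" | last }}`, applied to both the liveness and readiness probes in this hunk. The rest of the container spec, including the `--health-probe-bind-address` argument these probes must agree with, is outside the hunk.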
From: Matteo Ruina
Date: Tue, 31 May 2022 15:24:31 +0200
Subject: [PATCH 21/24] Keep leader election always enabled
---
charts/kms-issuer/ci/dev-values.yaml | 2 --
charts/kms-issuer/ci/leader-values.yaml | 6 ++++++
charts/kms-issuer/templates/deployment.yaml | 2 +-
charts/kms-issuer/templates/rbac.yaml | 2 ++
charts/kms-issuer/values.yaml | 2 +-
5 files changed, 10 insertions(+), 4 deletions(-)
create mode 100644 charts/kms-issuer/ci/leader-values.yaml
diff --git a/charts/kms-issuer/ci/dev-values.yaml b/charts/kms-issuer/ci/dev-values.yaml
index 416da74..2447eac 100644
--- a/charts/kms-issuer/ci/dev-values.yaml
+++ b/charts/kms-issuer/ci/dev-values.yaml
@@ -2,5 +2,3 @@ image: repository: skyscanner/kms-issuer tag: dev - -replicaCount: 2
diff --git a/charts/kms-issuer/ci/leader-values.yaml b/charts/kms-issuer/ci/leader-values.yaml
new file mode 100644
index 0000000..416da74
--- /dev/null
+++ b/charts/kms-issuer/ci/leader-values.yaml
@@ -0,0 +1,6 @@ +# Keep in sync with the IMG variable in .github/workflows/helm.yml +image: + repository: skyscanner/kms-issuer + tag: dev + +replicaCount: 2
diff --git a/charts/kms-issuer/templates/deployment.yaml b/charts/kms-issuer/templates/deployment.yaml
index 51cb626..9d2f183 100644
--- a/charts/kms-issuer/templates/deployment.yaml
+++ b/charts/kms-issuer/templates/deployment.yaml
@@ -39,7 +39,7 @@ spec: - /manager - --health-probe-bind-address={{ .Values.args.healthProbeBindAddress }} - --metrics-bind-address={{ .Values.args.metricsBindAddress }} - {{- if or (gt ( .Values.replicaCount | int64) 1) .Values.args.leaderElect }} + {{- if .Values.args.leaderElect }} - --leader-elect=true {{- end }} {{- if .Values.args.enableApprovedCheck }}
diff --git a/charts/kms-issuer/templates/rbac.yaml b/charts/kms-issuer/templates/rbac.yaml
index 746f565..03486e5 100644
--- a/charts/kms-issuer/templates/rbac.yaml
+++ b/charts/kms-issuer/templates/rbac.yaml
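Review bot: Dropping the `gt .Values.replicaCount 1` half of the condition means `replicaCount: 2` with `args.leaderElect: false` now renders two managers that both run without `--leader-elect`, so both reconcile and sign the same CertificateRequests concurrently; the old expression prevented that combination silently, the new one does not prevent it at all. Given the commit title's intent, the template should refuse the unsafe combination rather than render it, e.g. a guard before the args list: `{{- if and (gt (.Values.replicaCount | int64) 1) (not .Values.args.leaderElect) }}{{ fail "args.leaderElect must be true when replicaCount > 1" }}{{- end }}`. The same dependency applies to the rbac.yaml hunks on the next line, which gate the Role and RoleBinding (presumably the leader-election lease permissions) on the same flag, and the values.yaml comment for `leaderElect` should state it, e.g. `# -- Enable leader election for controller manager. Must stay true whenever replicaCount > 1.`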
@@ -81,6 +81,7 @@ subjects: - kind: ServiceAccount name: {{ include "kms-issuer.serviceAccountName" . }} namespace: {{ .Release.Namespace }} +{{- if .Values.args.leaderElect }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role
@@ -133,6 +134,7 @@ subjects: - kind: ServiceAccount name: {{ include "kms-issuer.serviceAccountName" . }} namespace: {{ .Release.Namespace }} +{{- end }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole
diff --git a/charts/kms-issuer/values.yaml b/charts/kms-issuer/values.yaml
index 2595b76..950cdc0 100644
--- a/charts/kms-issuer/values.yaml
+++ b/charts/kms-issuer/values.yaml
@@ -21,7 +21,7 @@ args: # -- The address the metric endpoint binds to. metricsBindAddress: :8080 # -- Enable leader election for controller manager. - leaderElect: false + leaderElect: true # -- The address the probe endpoint binds to healthProbeBindAddress: :8081 # -- Enable waiting for CertificateRequests to have an approved condition before signing
From cc29ffce6e94144fcf156ff93c722aa3705aee84 Mon Sep 17 00:00:00 2001
From: Matteo Ruina
Date: Tue, 31 May 2022 15:32:05 +0200
Subject: [PATCH 22/24] Allow to disable cert-manager approve RBAC
---
charts/kms-issuer/README.md | 5 ++++-
charts/kms-issuer/templates/rbac.yaml | 6 ++++--
charts/kms-issuer/values.yaml | 8 ++++++++
3 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/charts/kms-issuer/README.md b/charts/kms-issuer/README.md
index 795eae3..931b94f 100644
--- a/charts/kms-issuer/README.md
+++ b/charts/kms-issuer/README.md
@@ -11,9 +11,12 @@ A Helm chart to install kms-issuer | affinity | object | `{}` | | | args.enableApprovedCheck | bool | `true` | Enable waiting for CertificateRequests to have an approved condition before signing | | args.healthProbeBindAddress | string | `":8081"` | The address the probe endpoint binds to | -| args.leaderElect | bool | `false` | Enable leader election for controller manager. | +| args.leaderElect | bool | `true` | Enable leader election for controller manager. | | args.localAwsEndpoint | string | `""` | The address of a local-kms endpoint for testing | | args.metricsBindAddress | string | `":8080"` | The address the metric endpoint binds to. | +| certManagerApprovalRBAC.enable | bool | `true` | Enable a ClusterRoleBinding for cert-manager to approve CSR | +| certManagerApprovalRBAC.namespace | string | `"cert-manager"` | The namespace where cert-manager service account is deployed | +| certManagerApprovalRBAC.serviceAccountName | string | `"cert-manager"` | The service account name that cert-manager is using | | enableMetricsRbacProxy | bool | `false` | Enable an RBAC proxy to protect the metrics endpoint | | fullnameOverride | string | `""` | | | image.pullPolicy | string | `"IfNotPresent"` | |
diff --git a/charts/kms-issuer/templates/rbac.yaml b/charts/kms-issuer/templates/rbac.yaml
index 03486e5..3a7a103 100644
--- a/charts/kms-issuer/templates/rbac.yaml
+++ b/charts/kms-issuer/templates/rbac.yaml
@@ -135,6 +135,7 @@ subjects: name: {{ include "kms-issuer.serviceAccountName" . }} namespace: {{ .Release.Namespace }} {{- end }} +{{- if .Values.certManagerApprovalRBAC.enable }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole
@@ -160,8 +161,9 @@ roleRef: name: {{ include "kms-issuer.fullname" . }}-cert-manager-controller-approve subjects: - kind: ServiceAccount - name: cert-manager - namespace: cert-manager + name: {{ .Values.certManagerApprovalRBAC.serviceAccountName }} + namespace: {{ .Values.certManagerApprovalRBAC.namespace }} +{{- end }} {{- if .Values.enableMetricsRbacProxy }} --- apiVersion: rbac.authorization.k8s.io/v1
diff --git a/charts/kms-issuer/values.yaml b/charts/kms-issuer/values.yaml
index 950cdc0..1519631 100644
--- a/charts/kms-issuer/values.yaml
+++ b/charts/kms-issuer/values.yaml
@@ -38,6 +38,14 @@ serviceAccount: # If not set and create is true, a name is generated using the fullname template name: "" +certManagerApprovalRBAC: + # -- Enable a ClusterRoleBinding for cert-manager to approve CSR + enable: true + # -- The service account name that cert-manager is using + serviceAccountName: cert-manager + # -- The namespace where cert-manager service account is deployed + namespace: cert-manager + podAnnotations: {} resources: {}
From 8c69a2269cfcfd0e62188b769fd44d0e1b03be09 Mon Sep 17 00:00:00 2001
From: Matteo Ruina
Date: Tue, 31 May 2022 15:42:52 +0200
Subject: [PATCH 23/24] Add AWS_REGION env var
---
charts/kms-issuer/README.md | 1 +
charts/kms-issuer/ci/dev-values.yaml | 4 ++++
charts/kms-issuer/templates/deployment.yaml | 4 ++++
charts/kms-issuer/values.yaml | 5 +++++
4 files changed, 14 insertions(+)
diff --git a/charts/kms-issuer/README.md b/charts/kms-issuer/README.md
index 931b94f..2ca05f9 100644
--- a/charts/kms-issuer/README.md
+++ b/charts/kms-issuer/README.md
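Review bot: The values comment `# -- Enable a ClusterRoleBinding for cert-manager to approve CSR` understates what the flag gates and leaves the operational dependency implicit: the `{{- if }}` opened at old line 135 of rbac.yaml (previous physical line) also wraps the `-cert-manager-controller-approve` ClusterRole, and the binding's subject is now whatever `serviceAccountName` and `namespace` say, which RBAC never validates, so a mismatched pair yields a binding to a non-existent account and, with `args.enableApprovedCheck: true`, CertificateRequests wait for an approval that never arrives. Suggest replacing the three comments with `# -- Create the ClusterRole and ClusterRoleBinding that let the cert-manager controller approve CertificateRequests for this issuer; set false only if approval is granted some other way`, `# -- Service account of the running cert-manager controller; must match the installation or the binding is inert` and `# -- Namespace of that service account`. The resource cert-manager approves is presumably a CertificateRequest rather than a CSR, so "CSR" in both this comment and the README row reads as the wrong object; the ClusterRole's rules are outside the hunk and should be checked before rewording.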
@@ -18,6 +18,7 @@ A Helm chart to install kms-issuer | certManagerApprovalRBAC.namespace | string | `"cert-manager"` | The namespace where cert-manager service account is deployed | | certManagerApprovalRBAC.serviceAccountName | string | `"cert-manager"` | The service account name that cert-manager is using | | enableMetricsRbacProxy | bool | `false` | Enable an RBAC proxy to protect the metrics endpoint | +| env[0] | object | `{"name":"AWS_REGION","value":""}` | The AWS region the controller is deployed to | | fullnameOverride | string | `""` | | | image.pullPolicy | string | `"IfNotPresent"` | | | image.repository | string | `"ghcr.io/skyscanner/kms-issuer"` | |
diff --git a/charts/kms-issuer/ci/dev-values.yaml b/charts/kms-issuer/ci/dev-values.yaml
index 2447eac..be20def 100644
--- a/charts/kms-issuer/ci/dev-values.yaml
+++ b/charts/kms-issuer/ci/dev-values.yaml
@@ -2,3 +2,7 @@ image: repository: skyscanner/kms-issuer tag: dev + +env: + - name: AWS_REGION + value: test-region
diff --git a/charts/kms-issuer/templates/deployment.yaml b/charts/kms-issuer/templates/deployment.yaml
index 9d2f183..8b6ecc7 100644
--- a/charts/kms-issuer/templates/deployment.yaml
+++ b/charts/kms-issuer/templates/deployment.yaml
@@ -47,6 +47,10 @@ spec: {{- end }} - --local-aws-endpoint={{ .Values.args.localAwsEndpoit }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + {{- with .Values.env }} + env: + {{- toYaml . | nindent 10 }} + {{- end }} imagePullPolicy: IfNotPresent livenessProbe: httpGet:
diff --git a/charts/kms-issuer/values.yaml b/charts/kms-issuer/values.yaml
index 1519631..c29c56b 100644
--- a/charts/kms-issuer/values.yaml
+++ b/charts/kms-issuer/values.yaml
@@ -29,6 +29,11 @@ args: # -- The address of a local-kms endpoint for testing localAwsEndpoint: "" +env: + # -- The AWS region the controller is deployed to + - name: AWS_REGION + value: "" + serviceAccount: # Specifies whether a service account should be created create: true
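Review bot: The context line directly above the new `env` block passes `--local-aws-endpoint={{ .Values.args.localAwsEndpoit }}`, while the value is defined as `args.localAwsEndpoint` in values.yaml and documented under that name in the README (PATCH 19 hunk), so the flag always renders empty and the documented setting is silently ignored; it predates this commit, but the commit edits the adjacent lines. Fix: `- --local-aws-endpoint={{ .Values.args.localAwsEndpoint }}`. The `nindent 10` for the `env` entries assumes the container's fields sit at column 8, which the collapsed context does not let me confirm; a `helm template` run with the CI `dev-values.yaml` would settle it. The container spec continues outside the hunk.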
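Review bot: Shipping `env` with `AWS_REGION` set to the empty string exports `AWS_REGION=` into the container of every installation that does not override `env`, and whether the AWS SDK linked by the controller treats an empty string as unset or as an invalid region is not something this patch shows. A safer default is `env: []` with the `AWS_REGION` entry kept as a commented example, so the variable is absent unless an operator sets it; since `env` is a list, operators replace the whole list anyway, so the default entry gives them nothing to merge into. The README row `env[0] | object | ...` in this commit's first hunk would then collapse to a conventional `env | list | []`.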
From 4ff6d390f8f3155a98530fa2ba3f07966bef7798 Mon Sep 17 00:00:00 2001
From: Matteo Ruina
Date: Tue, 31 May 2022 15:47:46 +0200
Subject: [PATCH 24/24] Add pdb
---
charts/kms-issuer/README.md | 3 +++
charts/kms-issuer/ci/dev-values.yaml | 3 +++
charts/kms-issuer/templates/pdb.yaml | 21 +++++++++++++++++++++
charts/kms-issuer/values.yaml | 5 +++++
4 files changed, 32 insertions(+)
create mode 100644 charts/kms-issuer/templates/pdb.yaml
diff --git a/charts/kms-issuer/README.md b/charts/kms-issuer/README.md
index 2ca05f9..977ab0a 100644
--- a/charts/kms-issuer/README.md
+++ b/charts/kms-issuer/README.md
@@ -27,6 +27,9 @@ A Helm chart to install kms-issuer | nameOverride | string | `""` | | | nodeSelector | object | `{}` | | | podAnnotations | object | `{}` | | +| podDisruptionBudget.enable | bool | `false` | | +| podDisruptionBudget.maxUnavailable | string | `""` | | +| podDisruptionBudget.minAvailable | int | `1` | | | replicaCount | int | `1` | | | resources | object | `{}` | | | serviceAccount.annotations | object | `{}` | |
diff --git a/charts/kms-issuer/ci/dev-values.yaml b/charts/kms-issuer/ci/dev-values.yaml
index be20def..53b5aec 100644
--- a/charts/kms-issuer/ci/dev-values.yaml
+++ b/charts/kms-issuer/ci/dev-values.yaml
@@ -6,3 +6,6 @@ image: env: - name: AWS_REGION value: test-region + +podDisruptionBudget: + enable: true
diff --git a/charts/kms-issuer/templates/pdb.yaml b/charts/kms-issuer/templates/pdb.yaml
new file mode 100644
index 0000000..4a72db2
--- /dev/null
+++ b/charts/kms-issuer/templates/pdb.yaml
@@ -0,0 +1,21 @@ +{{- if .Values.podDisruptionBudget.enable }} +--- +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "kms-issuer.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + control-plane: {{ include "kms-issuer.fullname" . }}-controller-manager + {{- include "kms-issuer.labels" . | nindent 4 }} +spec: + {{- if .Values.podDisruptionBudget.minAvailable }} + minAvailable: {{ .Values.podDisruptionBudget.minAvailable }} + {{- end }} + {{- if .Values.podDisruptionBudget.maxUnavailable }} + maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }} + {{- end }} + selector: + matchLabels: + control-plane: {{ include "kms-issuer.fullname" . }}-controller-manager +{{- end }}
diff --git a/charts/kms-issuer/values.yaml b/charts/kms-issuer/values.yaml
index c29c56b..70e692f 100644
--- a/charts/kms-issuer/values.yaml
+++ b/charts/kms-issuer/values.yaml
@@ -70,3 +70,8 @@ nodeSelector: {} tolerations: [] affinity: {} + +podDisruptionBudget: + enable: false + minAvailable: 1 + maxUnavailable: ""
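Review bot: `minAvailable` and `maxUnavailable` are emitted by two independent `{{- if }}` blocks, and because values.yaml defaults `minAvailable: 1`, an operator who sets only `maxUnavailable` gets both fields rendered and the API server rejects the PodDisruptionBudget, since the two are mutually exclusive; `minAvailable: 0` is also falsy in a template and silently dropped, so a zero budget would need an explicit `hasKey` test if it is ever wanted. Making the branches exclusive with `maxUnavailable` taking precedence keeps the object valid for every combination; the rewritten `spec` lines are below. `apiVersion: policy/v1` also needs Kubernetes 1.21 or newer, which the chart should declare through `kubeVersion` in Chart.yaml if it does not already (Chart.yaml is not in this series). The values hunk types `maxUnavailable` as `""` and `minAvailable` as `1`, hence the string/int split in the README rows; a one-line comment that either field accepts an absolute count or a percentage string such as `"50%"` would explain the asymmetry.
```yaml
spec:
  {{- if .Values.podDisruptionBudget.maxUnavailable }}
  maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
  {{- else if .Values.podDisruptionBudget.minAvailable }}
  minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
  {{- end }}
  # … unchanged: selector …
```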