add support for generating certificates with helm

This removes the hard dependency on cert-manager by allowing users to
choose not to create a Certificate

Signed-off-by: Ashley Davis <[email protected]>

deploy/charts/trust-manager/templates/certificate.yaml

@@ -1,3 +1,5 @@
+{{- if not .Values.issueIsolatedCert -}}
+
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
@@ -7,7 +9,9 @@ metadata:
 {{ include "trust-manager.labels" . | indent 4 }}
 spec:
   selfSigned: {}
+
 ---
+
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
@@ -23,4 +27,6 @@ spec:
   issuerRef:
     name: {{ include "trust-manager.name" . }}
     kind: Issuer
-    group: cert-manager.io
+    group: cert-manager.io
+
+{{ end }}

deploy/charts/trust-manager/templates/webhook.yaml

@@ -1,3 +1,47 @@
+{{- /*
+$ca is always generated here even if issueIsolatedCert is false because we need it to be
+visible in the scope for the ValidatingWebhookConfiguration below.
+
+genCA has two args - first is cert commonName and second is validity in days (9125 = ~25 years)
+
+We don't write this CA to a secret because we don't want it to be used for any other purpose!
+
+DO NOT USE $ca ANYWHERE IF issueIsolatedCert IS NOT ENABLED
+*/}}
+
+{{- $ca := genCA (printf "*.%s.svc" .Release.Namespace ) 9125 -}}
+
+
+{{- if .Values.issueIsolatedCert -}}
+{{- $svcName := (printf "%s.%s.svc" (include "trust-manager.name" . ) .Release.Namespace ) -}}
+
+{{- /*
+genSignedCert has the following args, in order:
+1. The cert CN
+2. A list of IP addresses the cert is valid for
+3. A list of DNS altnames the cert is valid for
+4. The duration in days (3650 = ~10 years)
+5. The signing CA
+*/}}
+{{- $cert := genSignedCert $svcName nil (list $svcName) 3650 $ca -}}
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "trust-manager.name" . }}-tls
+  namespace: {{ .Release.Namespace }}
+  labels:
+{{ include "trust-manager.labels" . | indent 4 }}
+type: kubernetes.io/tls
+data:
+  ca.crt: {{ $ca.Cert | b64enc }}
+  tls.key: {{ $cert.Key | b64enc }}
+  tls.crt: {{ $cert.Cert | b64enc }}
+
+---
+
+{{ end }}
+
 apiVersion: v1
 kind: Service
 metadata:
@@ -18,16 +62,20 @@ spec:
       name: webhook
   selector:
     app: {{ include "trust-manager.name" . }}
+
 ---
+
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   name: {{ include "trust-manager.name" . }}
   labels:
     app: {{ include "trust-manager.name" . }}
 {{ include "trust-manager.labels" . | indent 4 }}
+{{ if not .Values.issueIsolatedCert }}
   annotations:
     cert-manager.io/inject-ca-from: "{{ .Release.Namespace }}/{{ include "trust-manager.name" . }}"
+{{ end }}
 
 webhooks:
   - name: trust.cert-manager.io
@@ -46,6 +94,9 @@ webhooks:
     failurePolicy: Fail
     sideEffects: None
     clientConfig:
+{{ if .Values.issueIsolatedCert }}
+      caBundle: "{{ $ca.Cert | b64enc }}"
+{{ end }}
       service:
         name: {{ include "trust-manager.name" . }}
         namespace: {{ .Release.Namespace | quote }}

deploy/charts/trust-manager/values.yaml

@@ -16,6 +16,9 @@ defaultPackage:
   # -- Whether to load the default trust package during pod initialization and include it in main container args. This container enables the 'useDefaultCAs' source on Bundles.
   enabled: true
 
+# -- Whether to issue an "isolated" cert, which removes the requirement for cert-manager to be installed by using Helm to issue a webhook certificate.
+issueIsolatedCert: false
+
 defaultPackageImage:
   # -- Repository for the default package image. This image enables the 'useDefaultCAs' source on Bundles.
   repository: quay.io/jetstack/cert-manager-package-debian