From 8db2ede39f3a46ecadcdde8adc605e3be455835c Mon Sep 17 00:00:00 2001
From: Mathew Wicks <5735406+thesuperzapper@users.noreply.github.com>
Date: Thu, 26 Oct 2023 15:10:20 -0700
Subject: [PATCH 1/2] Add helm values for annotations
Signed-off-by: Mathew Wicks <5735406+thesuperzapper@users.noreply.github.com>
---
 deploy/charts/trust-manager/README.md | 2 ++
 deploy/charts/trust-manager/templates/certificate.yaml | 4 ++++
 deploy/charts/trust-manager/templates/deployment.yaml | 2 ++
 deploy/charts/trust-manager/values.yaml | 6 ++++++
 4 files changed, 14 insertions(+)
diff --git a/deploy/charts/trust-manager/README.md b/deploy/charts/trust-manager/README.md
index 6a30b6bb..4d0e82d6 100644
--- a/deploy/charts/trust-manager/README.md
+++ b/deploy/charts/trust-manager/README.md
@@ -34,6 +34,8 @@ Kubernetes: `>= 1.25.0-0`
 | app.readinessProbe.path | string | `"/readyz"` | Path on which to expose trust-manager HTTP readiness probe using default network interface. |
 | app.readinessProbe.port | int | `6060` | Container port on which to expose trust-manager HTTP readiness probe using default network interface. |
 | app.securityContext.seccompProfileEnabled | bool | `true` | If false, disables the default seccomp profile, which might be required to run on certain platforms |
+| app.deploymentAnnotations | object | `{}` | Annotations for the trust-manager Deployment |
+| app.certificateAnnotations | object | `{}` | Annotations for the Certificate/Issuer resources created by trust-manager |
 | app.trust.namespace | string | `"cert-manager"` | Namespace used as trust source. Note that the namespace _must_ exist before installing trust-manager. |
 | app.webhook.host | string | `"0.0.0.0"` | Host that the webhook listens on. |
 | app.webhook.hostNetwork | bool | `false` | Specifies if the app should be started in hostNetwork mode. Required for use in some managed kubernetes clusters (such as AWS EKS) with custom CNI. |
diff --git a/deploy/charts/trust-manager/templates/certificate.yaml b/deploy/charts/trust-manager/templates/certificate.yaml
index 12cf1da5..39e17b6d 100644
--- a/deploy/charts/trust-manager/templates/certificate.yaml
+++ b/deploy/charts/trust-manager/templates/certificate.yaml
@@ -3,6 +3,8 @@ kind: Issuer
 metadata:
 name: {{ include "trust-manager.name" . }}
 namespace: {{ include "trust-manager.namespace" . }}
+ annotations:
+ {{- toYaml .Values.app.certificateAnnotations | nindent 4 }}
 labels:
 {{ include "trust-manager.labels" . | indent 4 }}
 spec:
@@ -15,6 +17,8 @@ kind: Certificate
 metadata:
 name: {{ include "trust-manager.name" . }}
 namespace: {{ include "trust-manager.namespace" . }}
+ annotations:
+ {{- toYaml .Values.app.certificateAnnotations | nindent 4 }}
 labels:
 {{ include "trust-manager.labels" . | indent 4 }}
 spec:
diff --git a/deploy/charts/trust-manager/templates/deployment.yaml b/deploy/charts/trust-manager/templates/deployment.yaml
index 25588d5f..3a4e8ec0 100644
--- a/deploy/charts/trust-manager/templates/deployment.yaml
+++ b/deploy/charts/trust-manager/templates/deployment.yaml
@@ -3,6 +3,8 @@ kind: Deployment
 metadata:
 name: {{ include "trust-manager.name" . }}
 namespace: {{ include "trust-manager.namespace" . }}
+ annotations:
+ {{- toYaml .Values.app.deploymentAnnotations | nindent 4 }}
 labels:
 {{ include "trust-manager.labels" . | indent 4 }}
 spec:
diff --git a/deploy/charts/trust-manager/values.yaml b/deploy/charts/trust-manager/values.yaml
index 3cd2854e..29e4a51f 100644
--- a/deploy/charts/trust-manager/values.yaml
+++ b/deploy/charts/trust-manager/values.yaml
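Review bot: The added `{{- toYaml .Values.app.certificateAnnotations | nindent 4 }}` under the Issuer's `annotations:` renders each value with whatever type the YAML parser inferred from the values file, but `metadata.annotations` is `map[string]string`, so a user entry such as `example.io/enabled: true` or `example.io/ttl: 3600` comes out unquoted and the rendered Issuer is rejected when applied. Rendering the map key by key forces strings: `{{- range $k, $v := .Values.app.certificateAnnotations }}` / `{{ $k }}: {{ $v | quote }}` / `{{- end }}`. The Certificate hunk below and the deployment.yaml hunk use the same `toYaml` form, so whichever rendering is chosen should be applied to all three. The Issuer's `spec:` continues outside the hunk.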
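Review bot: The new `annotations:` key on the Certificate is emitted unconditionally, so with the default `{}` every render carries `annotations: {}` (and `annotations: null` if an override sets the key to null), which the API server tolerates but which shows up as noise in `helm template` output and manifest diffs. The common Helm idiom omits the key when the map is empty: `{{- with .Values.app.certificateAnnotations }}` / `annotations: {{- toYaml . | nindent 4 }}` / `{{- end }}`. Note also that this hunk and the Issuer hunk above render the same value, so an annotation intended for only one of the two objects has no way to target it; if that ever matters, a separate `issuerAnnotations` key is the fix rather than a template change.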
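Review bot: The Deployment annotations are added to the object's own `metadata`, not to `spec.template.metadata`, so they never reach the Pods; the annotation use cases operators most often reach for (sidecar or secret-agent injection, config-checksum rollouts) are Pod-level and are not served by this value. Whether the template already exposes a pod-annotations value cannot be seen here, since `spec:` continues outside the hunk; if it does not, a parallel `app.podAnnotations` rendered under `spec.template.metadata.annotations` would complete the feature. Either way the value's documentation should make the scope explicit, e.g. `# -- Annotations for the trust-manager Deployment object itself (not propagated to its Pods)`.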
@@ -108,6 +108,12 @@ app:
 # -- If false, disables the default seccomp profile, which might be required to run on certain platforms
 seccompProfileEnabled: true
+ # -- Annotations for the trust-manager Deployment
+ deploymentAnnotations: {}
+
+ # -- Annotations for the Certificate/Issuer resources created by trust-manager
+ certificateAnnotations: {}
+
 secretTargets:
 # -- If set to true, enable writing trust bundles to Kubernetes Secrets as a target.
 # trust-manager can only write to secrets which are explicitly allowed via either authorizedSecrets or authorizedSecretsAll.
From ddfc6a6ef0e0f62605270463ebf2fe8c8dd6dcd6 Mon Sep 17 00:00:00 2001
From: Mathew Wicks <5735406+thesuperzapper@users.noreply.github.com>
Date: Mon, 30 Oct 2023 10:47:05 -0700
Subject: [PATCH 2/2] Add helm values for annotations
Signed-off-by: Mathew Wicks <5735406+thesuperzapper@users.noreply.github.com>
---
 deploy/charts/trust-manager/README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/deploy/charts/trust-manager/README.md b/deploy/charts/trust-manager/README.md
index 4d0e82d6..e47d4577 100644
--- a/deploy/charts/trust-manager/README.md
+++ b/deploy/charts/trust-manager/README.md
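Review bot: The two new `# --` comments say where the annotations land but not what they must contain: Kubernetes annotation values are strings, and because the templates pass these maps through `toYaml`, a YAML boolean or number written here (for example `example.io/enabled: true`) renders unquoted and the chart fails to apply. Suggested wording: `# -- Annotations for the trust-manager Deployment object (metadata only, not its Pods). Values must be strings; quote booleans and numbers.` and `# -- Annotations applied to both the Issuer and the Certificate that trust-manager creates. Values must be strings; quote booleans and numbers.`. These `# --` lines appear to be the helm-docs source of the README rows, so the caveat would reach the README table as well.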
@@ -25,6 +25,8 @@ Kubernetes: `>= 1.25.0-0`
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | affinity | object | `{}` | Kubernetes Affinty; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core |
+| app.certificateAnnotations | object | `{}` | Annotations for the Certificate/Issuer resources created by trust-manager |
+| app.deploymentAnnotations | object | `{}` | Annotations for the trust-manager Deployment |
 | app.logLevel | int | `1` | Verbosity of trust-manager logging; takes a value from 1-5, with higher being more verbose |
 | app.metrics.port | int | `9402` | Port for exposing Prometheus metrics on 0.0.0.0 on path '/metrics'. |
 | app.metrics.service | object | `{"enabled":true,"servicemonitor":{"enabled":false,"interval":"10s","labels":{},"prometheusInstance":"default","scrapeTimeout":"5s"},"type":"ClusterIP"}` | Service to expose metrics endpoint. |
@@ -34,8 +36,6 @@ Kubernetes: `>= 1.25.0-0`
 | app.readinessProbe.path | string | `"/readyz"` | Path on which to expose trust-manager HTTP readiness probe using default network interface. |
 | app.readinessProbe.port | int | `6060` | Container port on which to expose trust-manager HTTP readiness probe using default network interface. |
 | app.securityContext.seccompProfileEnabled | bool | `true` | If false, disables the default seccomp profile, which might be required to run on certain platforms |
-| app.deploymentAnnotations | object | `{}` | Annotations for the trust-manager Deployment |
-| app.certificateAnnotations | object | `{}` | Annotations for the Certificate/Issuer resources created by trust-manager |
 | app.trust.namespace | string | `"cert-manager"` | Namespace used as trust source. Note that the namespace _must_ exist before installing trust-manager. |
 | app.webhook.host | string | `"0.0.0.0"` | Host that the webhook listens on. |
 | app.webhook.hostNetwork | bool | `false` | Specifies if the app should be started in hostNetwork mode. Required for use in some managed kubernetes clusters (such as AWS EKS) with custom CNI. |