Chart in charts #504

Open
wants to merge 35 commits into
base: main
64811de
new sync method for vendir
ssyno Dec 30, 2024
f4373a3
push default values
ssyno Jan 7, 2025
6028b0b
default values
ssyno Jan 10, 2025
bffe761
values patch
ssyno Jan 10, 2025
f900e56
chart+values sync patches
ssyno Jan 14, 2025
9be974b
values schema patch
ssyno Jan 14, 2025
9a82cd7
accepting updates
ssyno Jan 14, 2025
80dec0e
job image template fix
ssyno Jan 14, 2025
79172cc
values json trailing space fix
ssyno Jan 14, 2025
f085d6c
chart patch fix
ssyno Jan 14, 2025
b847d12
additional templates handling
ssyno Jan 14, 2025
78bcb55
image-registry patch
ssyno Jan 14, 2025
fee2d2e
pss patch
ssyno Jan 14, 2025
45f85e3
clusterissuer chart image fix
ssyno Jan 14, 2025
772dd38
small typo
ssyno Jan 14, 2025
dc17ba6
final sync update
ssyno Jan 14, 2025
3cda59b
kube-linter fixes 2
ssyno Jan 14, 2025
542090f
kube-linter fix 3
ssyno Jan 14, 2025
de4ebb9
validate sync workflow
ssyno Jan 14, 2025
a744260
chart name fix
ssyno Jan 14, 2025
2316e51
remove Chart.lock
ssyno Jan 14, 2025
f2bc88a
CHANGELOG Update
ssyno Jan 15, 2025
d4cdf9c
missing safe-to-evict podAnnotation
ssyno Jan 22, 2025
21459a4
Cert-manager Chart-in-Charts
ssyno Jan 24, 2025
8bf452e
cert-manager chart update
ssyno Jan 24, 2025
3a045ab
pss patch new
ssyno Jan 24, 2025
978e1f0
image registry patch
ssyno Jan 24, 2025
d0cdafa
image registry patch
ssyno Jan 24, 2025
cb300e0
pss patch fix
ssyno Jan 24, 2025
55f1397
webhook pdb patch
ssyno Jan 24, 2025
3a75ccd
remove duplicate templates
ssyno Jan 24, 2025
333f549
README fix
ssyno Jan 24, 2025
53f7e19
cleaner values
ssyno Jan 24, 2025
83748a9
README update for sync
ssyno Jan 24, 2025
efc017a
new app test suite
ssyno Jan 24, 2025
4 changes: 2 additions & 2 deletions .circleci/config.yml
Expand Up @@ -86,8 +86,8 @@ workflows:

- architect/run-tests-with-ats:
name: execute chart tests
app-test-suite_version: v0.4.1
app-test-suite_container_tag: 0.4.1
app-test-suite_version: v0.10.2
app-test-suite_container_tag: 0.10.2
filters:
# Do not trigger the job on merge to main.
branches:
30 changes: 30 additions & 0 deletions .github/workflows/validate-sync-diffs.yaml
@@ -0,0 +1,30 @@
name: "Validate sync diffs"
on:
pull_request:
branches:
- main
- adopt-sync-patch
push: {}

jobs:
check:
name: "Check sync.sh was called"
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4

- name: Download vendir
uses: giantswarm/install-binary-action@v3
with:
binary: "vendir"
version: "0.40.2"
download_url: "https://github.com/carvel-dev/vendir/releases/download/v${version}/vendir-linux-amd64"
smoke_test: "${binary} --version"

- name: Run sync.sh
run: |
./sync/sync.sh
- name: Check there is no diff
run: |
git diff --exit-code
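
Review bot: In the final step, `git diff --exit-code` only compares tracked files, so a file that `./sync/sync.sh` newly creates (for example a template added upstream) leaves the job green even though the committed tree is out of sync. Consider `git add -A && git diff --cached --exit-code`, or fail when `git status --porcelain` prints anything. Two smaller points: the vendir binary is fetched from `download_url` and then executed with no checksum visible in this step, so pinning a SHA-256 for 0.40.2 would harden the job, as would a top-level `permissions:` block limited to `contents: read`; and `push: {}` together with `pull_request` runs the job twice for branches in this repository, while `adopt-sync-patch` under `branches` looks like a leftover working branch.
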
8 changes: 8 additions & 0 deletions CHANGELOG.md
Expand Up @@ -7,6 +7,14 @@ and this project's packages adheres to [Semantic Versioning](http://semver.org/s

## [Unreleased]

### Changed

- Updates Cert-manager Chart to Upstream 1.16.2

### Added

- Adds new sync method based on Vendir to sync from upstream

## [3.8.2] - 2024-12-03

### Fix
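
Review bot: The `### Changed` entry names only the target version; Chart.yaml in this PR moves `appVersion` from v1.14.2 to v1.16.2, which crosses two upstream minor versions, so the entry should state the starting version and call out any values changes users must make on upgrade. The removal of `Chart.lock` and the app-test-suite bump to v0.10.2 are also not recorded, if the project tracks such changes here.
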
12 changes: 0 additions & 12 deletions helm/cert-manager/Chart.lock

This file was deleted.

7 changes: 5 additions & 2 deletions helm/cert-manager/Chart.yaml
Expand Up @@ -2,17 +2,20 @@ apiVersion: v2
name: cert-manager-app
description: Simplifies the process of obtaining, renewing and using certificates.
version: 3.8.2
appVersion: v1.14.2
home: https://github.com/giantswarm/cert-manager-app
icon: https://s.giantswarm.io/app-icons/cert-manager/1/light.svg
appVersion: v1.16.2

sources:
- https://github.com/cert-manager/cert-manager
- https://github.com/cert-manager/cert-manager
annotations:
application.giantswarm.io/team: shield
kubeVersion: ">=1.22.0-0"
maintainers:
- name: Shield
dependencies:
- name: cert-manager
version: 1.16.2
- name: cert-manager-giantswarm-clusterissuer
version: 2.0.0
alias: giantSwarmClusterIssuer
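
Review bot: The new `cert-manager` dependency entry carries no `repository`, and `Chart.lock` is deleted in the same PR, so nothing in the chart metadata records where the vendored 1.16.2 came from or a digest for it. If the source and ref live only in the vendir configuration, make sure that configuration and its lock file are committed and reviewed alongside `charts/cert-manager`. The entry also pins `version: 1.16.2` while the vendored Chart.yaml declares `version: v1.16.2`; aligning the two strings avoids depending on lenient version parsing.
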
175 changes: 175 additions & 0 deletions helm/cert-manager/README.md
@@ -0,0 +1,175 @@
# cert-manager-app

![Version: 3.8.2](https://img.shields.io/badge/Version-3.8.2-informational?style=flat-square) ![AppVersion: v1.16.2](https://img.shields.io/badge/AppVersion-v1.16.2-informational?style=flat-square)

Simplifies the process of obtaining, renewing and using certificates.

**Homepage:** <https://github.com/giantswarm/cert-manager-app>

## Maintainers

| Name | Email | Url |
| ---- | ------ | --- |
| Shield | | |

## Source Code

* <https://github.com/cert-manager/cert-manager>

## Requirements

Kubernetes: `>=1.22.0-0`

| Repository | Name | Version |
|------------|------|---------|
| | cert-manager | 1.16.2 |
| | cert-manager-giantswarm-ciliumnetworkpolicies | 0.1.0 |
| | giantSwarmClusterIssuer(cert-manager-giantswarm-clusterissuer) | 2.0.0 |
| | cert-manager-giantswarm-netpol | 0.1.0 |

## Values

| Key | Type | Default | Description |
|-----|------|---------|-------------|
| acmesolver.image.pullPolicy | string | `"IfNotPresent"` | |
| acmesolver.image.registry | string | `"gsoci.azurecr.io"` | |
| acmesolver.image.repository | string | `"giantswarm/cert-manager-acmesolver"` | |
| cainjector.containerSecurityContext.allowPrivilegeEscalation | bool | `false` | |
| cainjector.containerSecurityContext.capabilities.drop[0] | string | `"ALL"` | |
| cainjector.containerSecurityContext.readOnlyRootFilesystem | bool | `true` | |
| cainjector.containerSecurityContext.runAsNonRoot | bool | `true` | |
| cainjector.enabled | bool | `true` | |
| cainjector.image.pullPolicy | string | `"IfNotPresent"` | |
| cainjector.image.registry | string | `"gsoci.azurecr.io"` | |
| cainjector.image.repository | string | `"giantswarm/cert-manager-cainjector"` | |
| cainjector.podAnnotations."cluster-autoscaler.kubernetes.io/safe-to-evict" | string | `"true"` | |
| cainjector.resources.limits.cpu | string | `"100m"` | |
| cainjector.resources.limits.memory | string | `"1Gi"` | |
| cainjector.resources.requests.cpu | string | `"20m"` | |
| cainjector.resources.requests.memory | string | `"64Mi"` | |
| cainjector.securityContext.runAsGroup | int | `1000` | |
| cainjector.securityContext.runAsNonRoot | bool | `true` | |
| cainjector.securityContext.runAsUser | int | `1000` | |
| cainjector.securityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
| cainjector.verticalPodAutoscaler.controlledValues | string | `"RequestsAndLimits"` | |
| cainjector.verticalPodAutoscaler.enabled | bool | `true` | |
| cainjector.verticalPodAutoscaler.mode | string | `"Auto"` | |
| cainjector.verticalPodAutoscaler.updatePolicy.updateMode | string | `"Auto"` | |
| ciliumNetworkPolicy.enabled | bool | `false` | |
| containerSecurityContext.allowPrivilegeEscalation | bool | `false` | |
| containerSecurityContext.capabilities.drop[0] | string | `"ALL"` | |
| containerSecurityContext.readOnlyRootFilesystem | bool | `true` | |
| containerSecurityContext.runAsNonRoot | bool | `true` | |
| crds.enabled | bool | `true` | |
| crds.keep | bool | `true` | |
| fullnameOverride | string | `"cert-manager-app"` | |
| giantswarmNetworkPolicy.enabled | bool | `true` | |
| global.podSecurityStandards.enforced | bool | `true` | |
| image.registry | string | `"gsoci.azurecr.io"` | |
| image.repository | string | `"giantswarm/cert-manager-controller"` | |
| livenessProbe.enabled | bool | `false` | |
| livenessProbe.failureThreshold | int | `8` | |
| livenessProbe.initialDelaySeconds | int | `10` | |
| livenessProbe.periodSeconds | int | `10` | |
| livenessProbe.successThreshold | int | `1` | |
| livenessProbe.timeoutSeconds | int | `15` | |
| podAnnotations."cluster-autoscaler.kubernetes.io/safe-to-evict" | string | `"true"` | |
| prometheus.enabled | bool | `true` | |
| prometheus.servicemonitor.annotations | object | `{}` | |
| prometheus.servicemonitor.enabled | bool | `true` | |
| prometheus.servicemonitor.endpointAdditionalProperties.relabelings[0].action | string | `"replace"` | |
| prometheus.servicemonitor.endpointAdditionalProperties.relabelings[0].regex | string | `";(.*)"` | |
| prometheus.servicemonitor.endpointAdditionalProperties.relabelings[0].replacement | string | `"$1"` | |
| prometheus.servicemonitor.endpointAdditionalProperties.relabelings[0].separator | string | `";"` | |
| prometheus.servicemonitor.endpointAdditionalProperties.relabelings[0].sourceLabels[0] | string | `"namespace"` | |
| prometheus.servicemonitor.endpointAdditionalProperties.relabelings[0].sourceLabels[1] | string | `"__meta_kubernetes_namespace"` | |
| prometheus.servicemonitor.endpointAdditionalProperties.relabelings[0].targetLabel | string | `"namespace"` | |
| prometheus.servicemonitor.endpointAdditionalProperties.relabelings[1].action | string | `"replace"` | |
| prometheus.servicemonitor.endpointAdditionalProperties.relabelings[1].sourceLabels[0] | string | `"__meta_kubernetes_pod_label_app"` | |
| prometheus.servicemonitor.endpointAdditionalProperties.relabelings[1].targetLabel | string | `"app"` | |
| prometheus.servicemonitor.endpointAdditionalProperties.relabelings[2].action | string | `"replace"` | |
| prometheus.servicemonitor.endpointAdditionalProperties.relabelings[2].sourceLabels[0] | string | `"__meta_kubernetes_pod_node_name"` | |
| prometheus.servicemonitor.endpointAdditionalProperties.relabelings[2].targetLabel | string | `"node"` | |
| prometheus.servicemonitor.honorLabels | bool | `false` | |
| prometheus.servicemonitor.interval | string | `"60s"` | |
| prometheus.servicemonitor.labels | object | `{}` | |
| prometheus.servicemonitor.path | string | `"/metrics"` | |
| prometheus.servicemonitor.prometheusInstance | string | `"default"` | |
| prometheus.servicemonitor.scrapeTimeout | string | `"30s"` | |
| prometheus.servicemonitor.targetPort | int | `9402` | |
| resources.limits.cpu | string | `"500m"` | |
| resources.limits.memory | string | `"1Gi"` | |
| resources.requests.cpu | string | `"50m"` | |
| resources.requests.memory | string | `"100Mi"` | |
| securityContext.runAsGroup | int | `1000` | |
| securityContext.runAsNonRoot | bool | `true` | |
| securityContext.runAsUser | int | `1000` | |
| securityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
| startupapicheck.containerSecurityContext.allowPrivilegeEscalation | bool | `false` | |
| startupapicheck.containerSecurityContext.capabilities.drop[0] | string | `"ALL"` | |
| startupapicheck.containerSecurityContext.readOnlyRootFilesystem | bool | `true` | |
| startupapicheck.containerSecurityContext.runAsNonRoot | bool | `true` | |
| startupapicheck.enabled | bool | `false` | |
| startupapicheck.image.pullPolicy | string | `"IfNotPresent"` | |
| startupapicheck.image.registry | string | `"gsoci.azurecr.io"` | |
| startupapicheck.image.repository | string | `"giantswarm/cert-manager-startupapicheck"` | |
| startupapicheck.resources.requests.cpu | string | `"20m"` | |
| startupapicheck.resources.requests.memory | string | `"64Mi"` | |
| startupapicheck.securityContext.runAsNonRoot | bool | `true` | |
| startupapicheck.securityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
| startupapicheck.tolerations[0].effect | string | `"NoSchedule"` | |
| startupapicheck.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
| startupapicheck.tolerations[1].effect | string | `"NoSchedule"` | |
| startupapicheck.tolerations[1].key | string | `"node-role.kubernetes.io/control-plane"` | |
| tolerations[0].effect | string | `"NoSchedule"` | |
| tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
| tolerations[1].effect | string | `"NoSchedule"` | |
| tolerations[1].key | string | `"node-role.kubernetes.io/control-plane"` | |
| webhook.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].podAffinityTerm.labelSelector.matchExpressions[0].key | string | `"apps.giantswarm.io/affinity"` | |
| webhook.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].podAffinityTerm.labelSelector.matchExpressions[0].operator | string | `"In"` | |
| webhook.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].podAffinityTerm.labelSelector.matchExpressions[0].values[0] | string | `"cert-manager-webhook"` | |
| webhook.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].podAffinityTerm.labelSelector.matchExpressions[1].key | string | `"app.kubernetes.io/component"` | |
| webhook.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].podAffinityTerm.labelSelector.matchExpressions[1].operator | string | `"In"` | |
| webhook.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].podAffinityTerm.labelSelector.matchExpressions[1].values[0] | string | `"webhook"` | |
| webhook.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].podAffinityTerm.topologyKey | string | `"kubernetes.io/hostname"` | |
| webhook.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].weight | int | `100` | |
| webhook.containerSecurityContext.allowPrivilegeEscalation | bool | `false` | |
| webhook.containerSecurityContext.capabilities.drop[0] | string | `"ALL"` | |
| webhook.containerSecurityContext.readOnlyRootFilesystem | bool | `true` | |
| webhook.containerSecurityContext.runAsNonRoot | bool | `true` | |
| webhook.image.pullPolicy | string | `"IfNotPresent"` | |
| webhook.image.registry | string | `"gsoci.azurecr.io"` | |
| webhook.image.repository | string | `"giantswarm/cert-manager-webhook"` | |
| webhook.networkPolicy.egress[0].ports[0].port | int | `80` | |
| webhook.networkPolicy.egress[0].ports[0].protocol | string | `"TCP"` | |
| webhook.networkPolicy.egress[0].ports[1].port | int | `443` | |
| webhook.networkPolicy.egress[0].ports[1].protocol | string | `"TCP"` | |
| webhook.networkPolicy.egress[0].ports[2].port | int | `53` | |
| webhook.networkPolicy.egress[0].ports[2].protocol | string | `"TCP"` | |
| webhook.networkPolicy.egress[0].ports[3].port | int | `53` | |
| webhook.networkPolicy.egress[0].ports[3].protocol | string | `"UDP"` | |
| webhook.networkPolicy.egress[0].ports[4].port | int | `6443` | |
| webhook.networkPolicy.egress[0].ports[4].protocol | string | `"TCP"` | |
| webhook.networkPolicy.egress[0].to[0].ipBlock.cidr | string | `"0.0.0.0/0"` | |
| webhook.networkPolicy.enabled | bool | `true` | |
| webhook.networkPolicy.ingress[0].from[0].ipBlock.cidr | string | `"0.0.0.0/0"` | |
| webhook.podDisruptionBudget.enabled | bool | `true` | |
| webhook.podDisruptionBudget.minAvailable | string | `"50%"` | |
| webhook.podLabels."apps.giantswarm.io/affinity" | string | `"cert-manager-webhook"` | |
| webhook.replicaCount | int | `2` | |
| webhook.resources.limits.cpu | string | `"100m"` | |
| webhook.resources.limits.memory | string | `"100Mi"` | |
| webhook.resources.requests.cpu | string | `"20m"` | |
| webhook.resources.requests.memory | string | `"50Mi"` | |
| webhook.securityContext.runAsGroup | int | `1000` | |
| webhook.securityContext.runAsNonRoot | bool | `true` | |
| webhook.securityContext.runAsUser | int | `1000` | |
| webhook.securityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
| webhook.timeoutSeconds | int | `30` | |
| webhook.tolerations[0].effect | string | `"NoSchedule"` | |
| webhook.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
| webhook.tolerations[1].effect | string | `"NoSchedule"` | |
| webhook.tolerations[1].key | string | `"node-role.kubernetes.io/control-plane"` | |

----------------------------------------------
Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0)
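
Review bot: All keys in the Values table are top-level (`image.registry`, `webhook.replicaCount`, `cainjector.*`), while Chart.yaml adds upstream as a dependency named `cert-manager` with no alias. Helm passes a subchart only the values under its name or alias plus `global`, so if the controller, webhook and cainjector templates now render from `charts/cert-manager`, these defaults (including the `gsoci.azurecr.io` registry and the hardened security contexts) need to sit under a `cert-manager:` key to take effect; please confirm with a `helm template` of the parent chart. Separately, every Description cell is empty, so adding `# --` comments in values.yaml before regenerating would make the table useful, and the `0.0.0.0/0` ingress and egress CIDRs for the webhook network policy deserve a comment explaining why they are that broad.
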
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,7 @@ spec:
type: RuntimeDefault
containers:
- name: {{ .Values.name }}
image: '{{ include "registry" . }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}'
image: "{{- if .Values.image.registry -}}{{ .Values.image.registry }}/{{- end -}}{{ .Values.image.repository }}{{- if (.Values.image.digest) -}}@{{ .Values.image.digest }}{{- else -}}:{{ default $.Chart.AppVersion .Values.image.tag }}{{- end -}}"
imagePullPolicy: Always
command:
- /bin/sh
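
Review bot: On the new `image:` line the registry prefix is emitted only when `.Values.image.registry` is set, and the previous `include "registry" .` helper is gone, so an unset or empty value renders a bare `repository:tag` that the container runtime resolves against its default registry instead of the intended one. Either keep a fallback through the helper or fail rendering with `required` when `image.registry` is empty, and make sure this subchart's values.yaml and schema define `image.registry` and `image.digest`. The digest branch itself looks right: when `image.digest` is set the tag is dropped and the reference is pinned. With `imagePullPolicy: Always` left as is, a tag-based reference is re-resolved on every start, which is one more reason to set the digest by default.
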
Original file line number Diff line number Diff line change
Expand Up @@ -122,6 +122,17 @@
"type": "string"
}
}
},
"limits": {
"type": "object",
"properties": {
"cpu": {
"type": "string"
},
"memory": {
"type": "string"
}
}
}
}
},
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,8 @@ resources:
requests:
cpu: 100m
memory: 150Mi
limits:
memory: 250Mi

# install
# Install the Giant Swarm ClusterIssuer named `letsencrypt-giantswarm`
26 changes: 26 additions & 0 deletions helm/cert-manager/charts/cert-manager/Chart.yaml
@@ -0,0 +1,26 @@
annotations:
artifacthub.io/category: security
artifacthub.io/license: Apache-2.0
artifacthub.io/prerelease: "false"
artifacthub.io/signKey: |
fingerprint: 1020CF3C033D4F35BAE1C19E1226061C665DF13E
url: https://cert-manager.io/public-keys/cert-manager-keyring-2021-09-20-1020CF3C033D4F35BAE1C19E1226061C665DF13E.gpg
apiVersion: v2
appVersion: v1.16.2
description: A Helm chart for cert-manager
home: https://cert-manager.io
icon: https://raw.githubusercontent.com/cert-manager/community/4d35a69437d21b76322157e6284be4cd64e6d2b7/logo/logo-small.png
keywords:
- cert-manager
- kube-lego
- letsencrypt
- tls
kubeVersion: '>= 1.22.0-0'
maintainers:
- email: [email protected]
name: cert-manager-maintainers
url: https://cert-manager.io
name: cert-manager
sources:
- https://github.com/cert-manager/cert-manager
version: v1.16.2
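
Review bot: This file is vendored from upstream and carries the `artifacthub.io/signKey` fingerprint, but the validation workflow added in this PR only re-runs `./sync/sync.sh` and checks for a diff, which proves the tree matches whatever the sync fetched, not that the fetched chart is the one upstream signed. Unless `sync.sh` already does so, pin the upstream source to an immutable ref (commit or digest) in the vendir configuration or verify the chart's provenance against this key during sync. Since the file is generated, local changes belong in the sync patches rather than in edits here.
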