github-personal/cozystack
1
0
Fork 0
mirror of https://github.com/outbackdingo/cozystack.git synced 2026-01-27 18:18:41 +00:00
Code Issues Packages Projects Releases Wiki Activity

[cert-manager] Update Cert-manager to v1.17.2 (#975)

Browse Source 
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

- **New Features**
- Added support for specifying a literal password in keystore
configurations, alongside existing secret reference options.
- Introduced a new optional tenant ID field for Azure DNS managed
identity in ACME DNS01 solver configuration.

- **Improvements**
  - Updated cert-manager Helm chart and documentation to version 1.17.2.
- Expanded feature gate configuration options with detailed default
values and stability levels.
- Enhanced documentation and examples for templating service account
annotations.
- Improved conditional logic for resource creation and image pull
secrets handling in deployments and services.

- **Bug Fixes**
- Made password fields in keystore configurations mutually exclusive and
optional, improving flexibility and clarity.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
This commit is contained in:
Andrei Kvapil
2025-05-24 22:36:51 +02:00
committed by GitHub
parent d497be9e95 1dccf96506
commit ee1763cb85
10 changed files with 105 additions and 37 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
packages/system/cert-manager/charts/cert-manager/Chart.yaml
View File

@@ -6,7 +6,7 @@ annotations:
fingerprint: 1020CF3C033D4F35BAE1C19E1226061C665DF13E
url: https://cert-manager.io/public-keys/cert-manager-keyring-2021-09-20-1020CF3C033D4F35BAE1C19E1226061C665DF13E.gpg
apiVersion: v2
appVersion: v1.16.3
appVersion: v1.17.2
description: A Helm chart for cert-manager
home: https://cert-manager.io
icon: https://raw.githubusercontent.com/cert-manager/community/4d35a69437d21b76322157e6284be4cd64e6d2b7/logo/logo-small.png
@@ -23,4 +23,4 @@ maintainers:
name: cert-manager
sources:
- https://github.com/cert-manager/cert-manager
version: v1.16.3
version: v1.17.2

41
packages/system/cert-manager/charts/cert-manager/README.md
View File

@@ -19,7 +19,7 @@ Before installing the chart, you must first install the cert-manager CustomResou
This is performed in a separate step to allow you to easily uninstall and reinstall cert-manager without deleting your installed custom resources.
```bash
$ kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.16.3/cert-manager.crds.yaml
$ kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.17.2/cert-manager.crds.yaml
```
To install the chart with the release name `cert-manager`:
@@ -29,7 +29,7 @@ To install the chart with the release name `cert-manager`:
$ helm repo add jetstack https://charts.jetstack.io --force-update
## Install the cert-manager helm chart
$ helm install cert-manager --namespace cert-manager --version v1.16.3 jetstack/cert-manager
$ helm install cert-manager --namespace cert-manager --version v1.17.2 jetstack/cert-manager
```
In order to begin issuing certificates, you will need to set up a ClusterIssuer
@@ -65,7 +65,7 @@ If you want to completely uninstall cert-manager from your cluster, you will als
delete the previously installed CustomResourceDefinition resources:
```console
$ kubectl delete -f https://github.com/cert-manager/cert-manager/releases/download/v1.16.3/cert-manager.crds.yaml
$ kubectl delete -f https://github.com/cert-manager/cert-manager/releases/download/v1.17.2/cert-manager.crds.yaml
```
## Configuration
@@ -316,7 +316,13 @@ If not set and create is true, a name is generated using the fullname template.
#### **serviceAccount.annotations** ~ `object`
Optional additional annotations to add to the controller's Service Account.
Optional additional annotations to add to the controller's Service Account. Templates are allowed for both keys and values.
Example using templating:
```yaml
annotations:
"{{ .Chart.Name }}-helm-chart/version": "{{ .Chart.Version }}"
```
#### **serviceAccount.labels** ~ `object`
@@ -364,17 +370,24 @@ config:
kubernetesAPIQPS: 9000
kubernetesAPIBurst: 9000
numberOfConcurrentWorkers: 200
enableGatewayAPI: true
# Feature gates as of v1.17.0. Listed with their default values.
# See https://cert-manager.io/docs/cli/controller/
featureGates:
AdditionalCertificateOutputFormats: true
DisallowInsecureCSRUsageDefinition: true
ExperimentalCertificateSigningRequestControllers: true
ExperimentalGatewayAPISupport: true
LiteralCertificateSubject: true
SecretsFilteredCaching: true
ServerSideApply: true
StableCertificateRequestName: true
UseCertificateRequestBasicConstraints: true
ValidateCAA: true
AdditionalCertificateOutputFormats: true # BETA - default=true
AllAlpha: false # ALPHA - default=false
AllBeta: false # BETA - default=false
ExperimentalCertificateSigningRequestControllers: false # ALPHA - default=false
ExperimentalGatewayAPISupport: true # BETA - default=true
LiteralCertificateSubject: true # BETA - default=true
NameConstraints: true # BETA - default=true
OtherNames: false # ALPHA - default=false
SecretsFilteredCaching: true # BETA - default=true
ServerSideApply: false # ALPHA - default=false
StableCertificateRequestName: true # BETA - default=true
UseCertificateRequestBasicConstraints: false # ALPHA - default=false
UseDomainQualifiedFinalizer: true # BETA - default=false
ValidateCAA: false # ALPHA - default=false
# Configure the metrics server for TLS
# See https://cert-manager.io/docs/devops-tips/prometheus-metrics/#tls
metricsTLSConfig:

6
packages/system/cert-manager/charts/cert-manager/templates/cainjector-deployment.yaml
View File

@@ -53,6 +53,12 @@ spec:
prometheus.io/port: '9402'
{{- end }}
spec:
{{- if not .Values.cainjector.serviceAccount.create }}
{{- with .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}
serviceAccountName: {{ template "cainjector.serviceAccountName" . }}
{{- if hasKey .Values.cainjector "automountServiceAccountToken" }}
automountServiceAccountToken: {{ .Values.cainjector.automountServiceAccountToken }}

2
packages/system/cert-manager/charts/cert-manager/templates/cainjector-service.yaml
View File

@@ -1,3 +1,4 @@
{{- if .Values.cainjector.enabled }}
{{- if and .Values.prometheus.enabled (not .Values.prometheus.podmonitor.enabled) }}
apiVersion: v1
kind: Service
@@ -28,3 +29,4 @@ spec:
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "cainjector"
{{- end }}
{{- end }}

37
packages/system/cert-manager/charts/cert-manager/templates/crds.yaml
View File

@@ -514,7 +514,6 @@ spec:
type: object
required:
- create
- passwordSecretRef
properties:
alias:
description: |-
@@ -526,17 +525,25 @@ spec:
Create enables JKS keystore creation for the Certificate.
If true, a file named `keystore.jks` will be created in the target
Secret resource, encrypted using the password stored in
`passwordSecretRef`.
`passwordSecretRef` or `password`.
The keystore file will be updated immediately.
If the issuer provided a CA certificate, a file named `truststore.jks`
will also be created in the target Secret resource, encrypted using the
password stored in `passwordSecretRef`
containing the issuing Certificate Authority
type: boolean
password:
description: |-
Password provides a literal password used to encrypt the JKS keystore.
Mutually exclusive with passwordSecretRef.
One of password or passwordSecretRef must provide a password with a non-zero length.
type: string
passwordSecretRef:
description: |-
PasswordSecretRef is a reference to a key in a Secret resource
PasswordSecretRef is a reference to a non-empty key in a Secret resource
containing the password used to encrypt the JKS keystore.
Mutually exclusive with password.
One of password or passwordSecretRef must provide a password with a non-zero length.
type: object
required:
- name
@@ -559,24 +566,31 @@ spec:
type: object
required:
- create
- passwordSecretRef
properties:
create:
description: |-
Create enables PKCS12 keystore creation for the Certificate.
If true, a file named `keystore.p12` will be created in the target
Secret resource, encrypted using the password stored in
`passwordSecretRef`.
`passwordSecretRef` or in `password`.
The keystore file will be updated immediately.
If the issuer provided a CA certificate, a file named `truststore.p12` will
also be created in the target Secret resource, encrypted using the
password stored in `passwordSecretRef` containing the issuing Certificate
Authority
type: boolean
password:
description: |-
Password provides a literal password used to encrypt the PKCS#12 keystore.
Mutually exclusive with passwordSecretRef.
One of password or passwordSecretRef must provide a password with a non-zero length.
type: string
passwordSecretRef:
description: |-
PasswordSecretRef is a reference to a key in a Secret resource
containing the password used to encrypt the PKCS12 keystore.
PasswordSecretRef is a reference to a non-empty key in a Secret resource
containing the password used to encrypt the PKCS#12 keystore.
Mutually exclusive with password.
One of password or passwordSecretRef must provide a password with a non-zero length.
type: object
required:
- name
@@ -1376,6 +1390,9 @@ spec:
resource ID of the managed identity, can not be used at the same time as clientID
Cannot be used for Azure Managed Service Identity
type: string
tenantID:
description: tenant ID of the managed identity, can not be used at the same time as resourceID
type: string
resourceGroupName:
description: resource group the DNS zone is located in
type: string
@@ -4689,6 +4706,9 @@ spec:
resource ID of the managed identity, can not be used at the same time as clientID
Cannot be used for Azure Managed Service Identity
type: string
tenantID:
description: tenant ID of the managed identity, can not be used at the same time as resourceID
type: string
resourceGroupName:
description: resource group the DNS zone is located in
type: string
@@ -8415,6 +8435,9 @@ spec:
resource ID of the managed identity, can not be used at the same time as clientID
Cannot be used for Azure Managed Service Identity
type: string
tenantID:
description: tenant ID of the managed identity, can not be used at the same time as resourceID
type: string
resourceGroupName:
description: resource group the DNS zone is located in
type: string

6
packages/system/cert-manager/charts/cert-manager/templates/deployment.yaml
View File

@@ -52,6 +52,12 @@ spec:
prometheus.io/port: '9402'
{{- end }}
spec:
{{- if not .Values.serviceAccount.create }}
{{- with .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}
serviceAccountName: {{ template "cert-manager.serviceAccountName" . }}
{{- if hasKey .Values "automountServiceAccountToken" }}
automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}

4
packages/system/cert-manager/charts/cert-manager/templates/serviceaccount.yaml
View File

@@ -11,7 +11,9 @@ metadata:
namespace: {{ include "cert-manager.namespace" . }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- range $k, $v := . }}
{{- printf "%s: %s" (tpl $k $) (tpl $v $) | nindent 4 }}
{{- end }}
{{- end }}
labels:
app: {{ include "cert-manager.name" . }}

6
packages/system/cert-manager/charts/cert-manager/templates/webhook-deployment.yaml
View File

@@ -52,6 +52,12 @@ spec:
prometheus.io/port: '9402'
{{- end }}
spec:
{{- if not .Values.webhook.serviceAccount.create }}
{{- with .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}
serviceAccountName: {{ template "webhook.serviceAccountName" . }}
{{- if hasKey .Values.webhook "automountServiceAccountToken" }}
automountServiceAccountToken: {{ .Values.webhook.automountServiceAccountToken }}

4
packages/system/cert-manager/charts/cert-manager/values.schema.json
View File

@@ -579,7 +579,7 @@
},
"helm-values.config": {
"default": {},
"description": "This property is used to configure options for the controller pod. This allows setting options that would usually be provided using flags.\n\nIf `apiVersion` and `kind` are unspecified they default to the current latest version (currently `controller.config.cert-manager.io/v1alpha1`). You can pin the version by specifying the `apiVersion` yourself.\n\nFor example:\nconfig:\n apiVersion: controller.config.cert-manager.io/v1alpha1\n kind: ControllerConfiguration\n logging:\n verbosity: 2\n format: text\n leaderElectionConfig:\n namespace: kube-system\n kubernetesAPIQPS: 9000\n kubernetesAPIBurst: 9000\n numberOfConcurrentWorkers: 200\n featureGates:\n AdditionalCertificateOutputFormats: true\n DisallowInsecureCSRUsageDefinition: true\n ExperimentalCertificateSigningRequestControllers: true\n ExperimentalGatewayAPISupport: true\n LiteralCertificateSubject: true\n SecretsFilteredCaching: true\n ServerSideApply: true\n StableCertificateRequestName: true\n UseCertificateRequestBasicConstraints: true\n ValidateCAA: true\n # Configure the metrics server for TLS\n # See https://cert-manager.io/docs/devops-tips/prometheus-metrics/#tls\n metricsTLSConfig:\n dynamic:\n secretNamespace: \"cert-manager\"\n secretName: \"cert-manager-metrics-ca\"\n dnsNames:\n - cert-manager-metrics",
"description": "This property is used to configure options for the controller pod. This allows setting options that would usually be provided using flags.\n\nIf `apiVersion` and `kind` are unspecified they default to the current latest version (currently `controller.config.cert-manager.io/v1alpha1`). You can pin the version by specifying the `apiVersion` yourself.\n\nFor example:\nconfig:\n apiVersion: controller.config.cert-manager.io/v1alpha1\n kind: ControllerConfiguration\n logging:\n verbosity: 2\n format: text\n leaderElectionConfig:\n namespace: kube-system\n kubernetesAPIQPS: 9000\n kubernetesAPIBurst: 9000\n numberOfConcurrentWorkers: 200\n enableGatewayAPI: true\n # Feature gates as of v1.17.0. Listed with their default values.\n # See https://cert-manager.io/docs/cli/controller/\n featureGates:\n AdditionalCertificateOutputFormats: true # BETA - default=true\n AllAlpha: false # ALPHA - default=false\n AllBeta: false # BETA - default=false\n ExperimentalCertificateSigningRequestControllers: false # ALPHA - default=false\n ExperimentalGatewayAPISupport: true # BETA - default=true\n LiteralCertificateSubject: true # BETA - default=true\n NameConstraints: true # BETA - default=true\n OtherNames: false # ALPHA - default=false\n SecretsFilteredCaching: true # BETA - default=true\n ServerSideApply: false # ALPHA - default=false\n StableCertificateRequestName: true # BETA - default=true\n UseCertificateRequestBasicConstraints: false # ALPHA - default=false\n UseDomainQualifiedFinalizer: true # BETA - default=false\n ValidateCAA: false # ALPHA - default=false\n # Configure the metrics server for TLS\n # See https://cert-manager.io/docs/devops-tips/prometheus-metrics/#tls\n metricsTLSConfig:\n dynamic:\n secretNamespace: \"cert-manager\"\n secretName: \"cert-manager-metrics-ca\"\n dnsNames:\n - cert-manager-metrics",
"type": "object"
},
"helm-values.containerSecurityContext": {
@@ -1223,7 +1223,7 @@
"type": "object"
},
"helm-values.serviceAccount.annotations": {
"description": "Optional additional annotations to add to the controller's Service Account.",
"description": "Optional additional annotations to add to the controller's Service Account. Templates are allowed for both keys and values.\nExample using templating:\nannotations:\n \"{{ .Chart.Name }}-helm-chart/version\": \"{{ .Chart.Version }}\"",
"type": "object"
},
"helm-values.serviceAccount.automountServiceAccountToken": {

32
packages/system/cert-manager/charts/cert-manager/values.yaml
View File

@@ -190,7 +190,10 @@ serviceAccount:
# +docs:property
# name: ""
# Optional additional annotations to add to the controller's Service Account.
# Optional additional annotations to add to the controller's Service Account. Templates are allowed for both keys and values.
# Example using templating:
# annotations:
# "{{ .Chart.Name }}-helm-chart/version": "{{ .Chart.Version }}"
# +docs:property
# annotations: {}
@@ -227,17 +230,24 @@ enableCertificateOwnerRef: false
# kubernetesAPIQPS: 9000
# kubernetesAPIBurst: 9000
# numberOfConcurrentWorkers: 200
# enableGatewayAPI: true
# # Feature gates as of v1.17.0. Listed with their default values.
# # See https://cert-manager.io/docs/cli/controller/
# featureGates:
# AdditionalCertificateOutputFormats: true
# DisallowInsecureCSRUsageDefinition: true
# ExperimentalCertificateSigningRequestControllers: true
# ExperimentalGatewayAPISupport: true
# LiteralCertificateSubject: true
# SecretsFilteredCaching: true
# ServerSideApply: true
# StableCertificateRequestName: true
# UseCertificateRequestBasicConstraints: true
# ValidateCAA: true
# AdditionalCertificateOutputFormats: true # BETA - default=true
# AllAlpha: false # ALPHA - default=false
# AllBeta: false # BETA - default=false
# ExperimentalCertificateSigningRequestControllers: false # ALPHA - default=false
# ExperimentalGatewayAPISupport: true # BETA - default=true
# LiteralCertificateSubject: true # BETA - default=true
# NameConstraints: true # BETA - default=true
# OtherNames: false # ALPHA - default=false
# SecretsFilteredCaching: true # BETA - default=true
# ServerSideApply: false # ALPHA - default=false
# StableCertificateRequestName: true # BETA - default=true
# UseCertificateRequestBasicConstraints: false # ALPHA - default=false
# UseDomainQualifiedFinalizer: true # BETA - default=false
# ValidateCAA: false # ALPHA - default=false
# # Configure the metrics server for TLS
# # See https://cert-manager.io/docs/devops-tips/prometheus-metrics/#tls
# metricsTLSConfig: