From 1dccf9650634e9ea0672fce3bb221ab953cb2be1 Mon Sep 17 00:00:00 2001 From: Andrei Kvapil Date: Thu, 22 May 2025 12:17:06 +0200 Subject: [PATCH] [cert-manager] Update Cert-manager to v1.17.2 Signed-off-by: Andrei Kvapil --- .../charts/cert-manager/Chart.yaml | 4 +- .../charts/cert-manager/README.md | 41 ++++++++++++------- .../templates/cainjector-deployment.yaml | 6 +++ .../templates/cainjector-service.yaml | 2 + .../charts/cert-manager/templates/crds.yaml | 37 +++++++++++++---- .../cert-manager/templates/deployment.yaml | 6 +++ .../templates/serviceaccount.yaml | 4 +- .../templates/webhook-deployment.yaml | 6 +++ .../charts/cert-manager/values.schema.json | 4 +- .../charts/cert-manager/values.yaml | 32 ++++++++++----- 10 files changed, 105 insertions(+), 37 deletions(-) diff --git a/packages/system/cert-manager/charts/cert-manager/Chart.yaml b/packages/system/cert-manager/charts/cert-manager/Chart.yaml index 300db669..2a49d00c 100644 --- a/packages/system/cert-manager/charts/cert-manager/Chart.yaml +++ b/packages/system/cert-manager/charts/cert-manager/Chart.yaml @@ -6,7 +6,7 @@ annotations: fingerprint: 1020CF3C033D4F35BAE1C19E1226061C665DF13E url: https://cert-manager.io/public-keys/cert-manager-keyring-2021-09-20-1020CF3C033D4F35BAE1C19E1226061C665DF13E.gpg apiVersion: v2 -appVersion: v1.16.3 +appVersion: v1.17.2 description: A Helm chart for cert-manager home: https://cert-manager.io icon: https://raw.githubusercontent.com/cert-manager/community/4d35a69437d21b76322157e6284be4cd64e6d2b7/logo/logo-small.png @@ -23,4 +23,4 @@ maintainers: name: cert-manager sources: - https://github.com/cert-manager/cert-manager -version: v1.16.3 +version: v1.17.2 diff --git a/packages/system/cert-manager/charts/cert-manager/README.md b/packages/system/cert-manager/charts/cert-manager/README.md index 6fa25cc9..1d502429 100644 --- a/packages/system/cert-manager/charts/cert-manager/README.md +++ b/packages/system/cert-manager/charts/cert-manager/README.md 
@@ -19,7 +19,7 @@ Before installing the chart, you must first install the cert-manager CustomResou This is performed in a separate step to allow you to easily uninstall and reinstall cert-manager without deleting your installed custom resources. ```bash -$ kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.16.3/cert-manager.crds.yaml +$ kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.17.2/cert-manager.crds.yaml ``` To install the chart with the release name `cert-manager`: @@ -29,7 +29,7 @@ To install the chart with the release name `cert-manager`: $ helm repo add jetstack https://charts.jetstack.io --force-update ## Install the cert-manager helm chart -$ helm install cert-manager --namespace cert-manager --version v1.16.3 jetstack/cert-manager +$ helm install cert-manager --namespace cert-manager --version v1.17.2 jetstack/cert-manager ``` In order to begin issuing certificates, you will need to set up a ClusterIssuer @@ -65,7 +65,7 @@ If you want to completely uninstall cert-manager from your cluster, you will als delete the previously installed CustomResourceDefinition resources: ```console -$ kubectl delete -f https://github.com/cert-manager/cert-manager/releases/download/v1.16.3/cert-manager.crds.yaml +$ kubectl delete -f https://github.com/cert-manager/cert-manager/releases/download/v1.17.2/cert-manager.crds.yaml ``` ## Configuration @@ -316,7 +316,13 @@ If not set and create is true, a name is generated using the fullname template. #### **serviceAccount.annotations** ~ `object` -Optional additional annotations to add to the controller's Service Account. +Optional additional annotations to add to the controller's Service Account. Templates are allowed for both keys and values. +Example using templating: + +```yaml +annotations: + "{{ .Chart.Name }}-helm-chart/version": "{{ .Chart.Version }}" +``` #### **serviceAccount.labels** ~ `object` 
@@ -364,17 +370,24 @@ config: kubernetesAPIQPS: 9000 kubernetesAPIBurst: 9000 numberOfConcurrentWorkers: 200 + enableGatewayAPI: true + # Feature gates as of v1.17.0. Listed with their default values. + # See https://cert-manager.io/docs/cli/controller/ featureGates: - AdditionalCertificateOutputFormats: true - DisallowInsecureCSRUsageDefinition: true - ExperimentalCertificateSigningRequestControllers: true - ExperimentalGatewayAPISupport: true - LiteralCertificateSubject: true - SecretsFilteredCaching: true - ServerSideApply: true - StableCertificateRequestName: true - UseCertificateRequestBasicConstraints: true - ValidateCAA: true + AdditionalCertificateOutputFormats: true # BETA - default=true + AllAlpha: false # ALPHA - default=false + AllBeta: false # BETA - default=false + ExperimentalCertificateSigningRequestControllers: false # ALPHA - default=false + ExperimentalGatewayAPISupport: true # BETA - default=true + LiteralCertificateSubject: true # BETA - default=true + NameConstraints: true # BETA - default=true + OtherNames: false # ALPHA - default=false + SecretsFilteredCaching: true # BETA - default=true + ServerSideApply: false # ALPHA - default=false + StableCertificateRequestName: true # BETA - default=true + UseCertificateRequestBasicConstraints: false # ALPHA - default=false + UseDomainQualifiedFinalizer: true # BETA - default=false + ValidateCAA: false # ALPHA - default=false # Configure the metrics server for TLS # See https://cert-manager.io/docs/devops-tips/prometheus-metrics/#tls metricsTLSConfig: diff --git a/packages/system/cert-manager/charts/cert-manager/templates/cainjector-deployment.yaml b/packages/system/cert-manager/charts/cert-manager/templates/cainjector-deployment.yaml index 65e65894..dc14ab02 100644 --- a/packages/system/cert-manager/charts/cert-manager/templates/cainjector-deployment.yaml +++ b/packages/system/cert-manager/charts/cert-manager/templates/cainjector-deployment.yaml 
@@ -53,6 +53,12 @@ spec: prometheus.io/port: '9402' {{- end }} spec: + {{- if not .Values.cainjector.serviceAccount.create }} + {{- with .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- end }} serviceAccountName: {{ template "cainjector.serviceAccountName" . }} {{- if hasKey .Values.cainjector "automountServiceAccountToken" }} automountServiceAccountToken: {{ .Values.cainjector.automountServiceAccountToken }} diff --git a/packages/system/cert-manager/charts/cert-manager/templates/cainjector-service.yaml b/packages/system/cert-manager/charts/cert-manager/templates/cainjector-service.yaml index 2ed9178f..dd0e64db 100644 --- a/packages/system/cert-manager/charts/cert-manager/templates/cainjector-service.yaml +++ b/packages/system/cert-manager/charts/cert-manager/templates/cainjector-service.yaml @@ -1,3 +1,4 @@ +{{- if .Values.cainjector.enabled }} {{- if and .Values.prometheus.enabled (not .Values.prometheus.podmonitor.enabled) }} apiVersion: v1 kind: Service @@ -28,3 +29,4 @@ spec: app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/component: "cainjector" {{- end }} +{{- end }} diff --git a/packages/system/cert-manager/charts/cert-manager/templates/crds.yaml b/packages/system/cert-manager/charts/cert-manager/templates/crds.yaml index 00930f9c..f5f8ec43 100644 --- a/packages/system/cert-manager/charts/cert-manager/templates/crds.yaml +++ b/packages/system/cert-manager/charts/cert-manager/templates/crds.yaml @@ -514,7 +514,6 @@ spec: type: object required: - create - - passwordSecretRef properties: alias: description: |- 
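Review bot: The guard `{{- if not .Values.cainjector.serviceAccount.create }}` around the new imagePullSecrets block gives no hint why pull secrets are only inlined into the pod when the ServiceAccount is not chart-managed, so a reader will assume they are silently dropped in the default create=true case. Presumably the chart-created ServiceAccount carries `.Values.global.imagePullSecrets` itself, but that is not visible in this hunk, so a one-line template comment above the guard would help: `{{- /* pull secrets live on the chart-managed ServiceAccount; only inline them here when the SA is external */ -}}`. The same block with the same missing comment is added in deployment.yaml and webhook-deployment.yaml in this commit. The pod spec continues outside the hunk.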
@@ -526,17 +525,25 @@ spec: Create enables JKS keystore creation for the Certificate. If true, a file named `keystore.jks` will be created in the target Secret resource, encrypted using the password stored in - `passwordSecretRef`. + `passwordSecretRef` or `password`. The keystore file will be updated immediately. If the issuer provided a CA certificate, a file named `truststore.jks` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority type: boolean + password: + description: |- + Password provides a literal password used to encrypt the JKS keystore. + Mutually exclusive with passwordSecretRef. + One of password or passwordSecretRef must provide a password with a non-zero length. + type: string passwordSecretRef: description: |- - PasswordSecretRef is a reference to a key in a Secret resource + PasswordSecretRef is a reference to a non-empty key in a Secret resource containing the password used to encrypt the JKS keystore. + Mutually exclusive with password. + One of password or passwordSecretRef must provide a password with a non-zero length. type: object required: - name 
@@ -559,24 +566,31 @@ spec: type: object required: - create - - passwordSecretRef properties: create: description: |- Create enables PKCS12 keystore creation for the Certificate. If true, a file named `keystore.p12` will be created in the target Secret resource, encrypted using the password stored in - `passwordSecretRef`. + `passwordSecretRef` or in `password`. The keystore file will be updated immediately. If the issuer provided a CA certificate, a file named `truststore.p12` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority type: boolean + password: + description: |- + Password provides a literal password used to encrypt the PKCS#12 keystore. + Mutually exclusive with passwordSecretRef. + One of password or passwordSecretRef must provide a password with a non-zero length. + type: string passwordSecretRef: description: |- - PasswordSecretRef is a reference to a key in a Secret resource - containing the password used to encrypt the PKCS12 keystore. + PasswordSecretRef is a reference to a non-empty key in a Secret resource + containing the password used to encrypt the PKCS#12 keystore. + Mutually exclusive with password. + One of password or passwordSecretRef must provide a password with a non-zero length. type: object required: - name @@ -1376,6 +1390,9 @@ spec: resource ID of the managed identity, can not be used at the same time as clientID Cannot be used for Azure Managed Service Identity type: string + tenantID: + description: tenant ID of the managed identity, can not be used at the same time as resourceID + type: string resourceGroupName: description: resource group the DNS zone is located in type: string 
@@ -4689,6 +4706,9 @@ spec: resource ID of the managed identity, can not be used at the same time as clientID Cannot be used for Azure Managed Service Identity type: string + tenantID: + description: tenant ID of the managed identity, can not be used at the same time as resourceID + type: string resourceGroupName: description: resource group the DNS zone is located in type: string @@ -8415,6 +8435,9 @@ spec: resource ID of the managed identity, can not be used at the same time as clientID Cannot be used for Azure Managed Service Identity type: string + tenantID: + description: tenant ID of the managed identity, can not be used at the same time as resourceID + type: string resourceGroupName: description: resource group the DNS zone is located in type: string diff --git a/packages/system/cert-manager/charts/cert-manager/templates/deployment.yaml b/packages/system/cert-manager/charts/cert-manager/templates/deployment.yaml index e6f3f681..8a4a9734 100644 --- a/packages/system/cert-manager/charts/cert-manager/templates/deployment.yaml +++ b/packages/system/cert-manager/charts/cert-manager/templates/deployment.yaml @@ -52,6 +52,12 @@ spec: prometheus.io/port: '9402' {{- end }} spec: + {{- if not .Values.serviceAccount.create }} + {{- with .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- end }} serviceAccountName: {{ template "cert-manager.serviceAccountName" . }} {{- if hasKey .Values "automountServiceAccountToken" }} automountServiceAccountToken: {{ .Values.automountServiceAccountToken }} diff --git a/packages/system/cert-manager/charts/cert-manager/templates/serviceaccount.yaml b/packages/system/cert-manager/charts/cert-manager/templates/serviceaccount.yaml index 87fc00ea..698ddef8 100644 --- a/packages/system/cert-manager/charts/cert-manager/templates/serviceaccount.yaml +++ b/packages/system/cert-manager/charts/cert-manager/templates/serviceaccount.yaml 
@@ -11,7 +11,9 @@ metadata: namespace: {{ include "cert-manager.namespace" . }} {{- with .Values.serviceAccount.annotations }} annotations: - {{- toYaml . | nindent 4 }} + {{- range $k, $v := . }} + {{- printf "%s: %s" (tpl $k $) (tpl $v $) | nindent 4 }} + {{- end }} {{- end }} labels: app: {{ include "cert-manager.name" . }} diff --git a/packages/system/cert-manager/charts/cert-manager/templates/webhook-deployment.yaml b/packages/system/cert-manager/charts/cert-manager/templates/webhook-deployment.yaml index 1535589f..857cf353 100644 --- a/packages/system/cert-manager/charts/cert-manager/templates/webhook-deployment.yaml +++ b/packages/system/cert-manager/charts/cert-manager/templates/webhook-deployment.yaml @@ -52,6 +52,12 @@ spec: prometheus.io/port: '9402' {{- end }} spec: + {{- if not .Values.webhook.serviceAccount.create }} + {{- with .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- end }} serviceAccountName: {{ template "webhook.serviceAccountName" . }} {{- if hasKey .Values.webhook "automountServiceAccountToken" }} automountServiceAccountToken: {{ .Values.webhook.automountServiceAccountToken }} diff --git a/packages/system/cert-manager/charts/cert-manager/values.schema.json b/packages/system/cert-manager/charts/cert-manager/values.schema.json index d04da90c..36d1d0ca 100644 --- a/packages/system/cert-manager/charts/cert-manager/values.schema.json +++ b/packages/system/cert-manager/charts/cert-manager/values.schema.json 
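Review bot: Replacing `toYaml` with `printf "%s: %s"` drops the quoting that toYaml applied, so an annotation value such as `"true"`, `"1234"` or one containing `: ` or ` #` is now emitted as a plain scalar and is re-typed or breaks the rendered manifest, whereas the API server only accepts string annotation values. Quoting both sides after templating restores the previous behaviour: `{{- printf "%s: %s" (tpl $k $ | quote) (tpl $v $ | quote) | nindent 4 }}`. The `tpl` calls also mean every key and value is evaluated as a template, which is the intended feature but changes how a literal `{{` in an annotation behaves, so a short comment above the range stating that keys and values are rendered with tpl is worth adding. The metadata block continues outside the hunk.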
@@ -579,7 +579,7 @@ }, "helm-values.config": { "default": {}, - "description": "This property is used to configure options for the controller pod. This allows setting options that would usually be provided using flags.\n\nIf `apiVersion` and `kind` are unspecified they default to the current latest version (currently `controller.config.cert-manager.io/v1alpha1`). You can pin the version by specifying the `apiVersion` yourself.\n\nFor example:\nconfig:\n apiVersion: controller.config.cert-manager.io/v1alpha1\n kind: ControllerConfiguration\n logging:\n verbosity: 2\n format: text\n leaderElectionConfig:\n namespace: kube-system\n kubernetesAPIQPS: 9000\n kubernetesAPIBurst: 9000\n numberOfConcurrentWorkers: 200\n featureGates:\n AdditionalCertificateOutputFormats: true\n DisallowInsecureCSRUsageDefinition: true\n ExperimentalCertificateSigningRequestControllers: true\n ExperimentalGatewayAPISupport: true\n LiteralCertificateSubject: true\n SecretsFilteredCaching: true\n ServerSideApply: true\n StableCertificateRequestName: true\n UseCertificateRequestBasicConstraints: true\n ValidateCAA: true\n # Configure the metrics server for TLS\n # See https://cert-manager.io/docs/devops-tips/prometheus-metrics/#tls\n metricsTLSConfig:\n dynamic:\n secretNamespace: \"cert-manager\"\n secretName: \"cert-manager-metrics-ca\"\n dnsNames:\n - cert-manager-metrics", + "description": "This property is used to configure options for the controller pod. This allows setting options that would usually be provided using flags.\n\nIf `apiVersion` and `kind` are unspecified they default to the current latest version (currently `controller.config.cert-manager.io/v1alpha1`). 
You can pin the version by specifying the `apiVersion` yourself.\n\nFor example:\nconfig:\n apiVersion: controller.config.cert-manager.io/v1alpha1\n kind: ControllerConfiguration\n logging:\n verbosity: 2\n format: text\n leaderElectionConfig:\n namespace: kube-system\n kubernetesAPIQPS: 9000\n kubernetesAPIBurst: 9000\n numberOfConcurrentWorkers: 200\n enableGatewayAPI: true\n # Feature gates as of v1.17.0. Listed with their default values.\n # See https://cert-manager.io/docs/cli/controller/\n featureGates:\n AdditionalCertificateOutputFormats: true # BETA - default=true\n AllAlpha: false # ALPHA - default=false\n AllBeta: false # BETA - default=false\n ExperimentalCertificateSigningRequestControllers: false # ALPHA - default=false\n ExperimentalGatewayAPISupport: true # BETA - default=true\n LiteralCertificateSubject: true # BETA - default=true\n NameConstraints: true # BETA - default=true\n OtherNames: false # ALPHA - default=false\n SecretsFilteredCaching: true # BETA - default=true\n ServerSideApply: false # ALPHA - default=false\n StableCertificateRequestName: true # BETA - default=true\n UseCertificateRequestBasicConstraints: false # ALPHA - default=false\n UseDomainQualifiedFinalizer: true # BETA - default=false\n ValidateCAA: false # ALPHA - default=false\n # Configure the metrics server for TLS\n # See https://cert-manager.io/docs/devops-tips/prometheus-metrics/#tls\n metricsTLSConfig:\n dynamic:\n secretNamespace: \"cert-manager\"\n secretName: \"cert-manager-metrics-ca\"\n dnsNames:\n - cert-manager-metrics", "type": "object" }, "helm-values.containerSecurityContext": { 
@@ -1223,7 +1223,7 @@ "type": "object" }, "helm-values.serviceAccount.annotations": { - "description": "Optional additional annotations to add to the controller's Service Account.", + "description": "Optional additional annotations to add to the controller's Service Account. Templates are allowed for both keys and values.\nExample using templating:\nannotations:\n \"{{ .Chart.Name }}-helm-chart/version\": \"{{ .Chart.Version }}\"", "type": "object" }, "helm-values.serviceAccount.automountServiceAccountToken": { diff --git a/packages/system/cert-manager/charts/cert-manager/values.yaml b/packages/system/cert-manager/charts/cert-manager/values.yaml index 7a1c2953..a8c94f8b 100644 --- a/packages/system/cert-manager/charts/cert-manager/values.yaml +++ b/packages/system/cert-manager/charts/cert-manager/values.yaml @@ -190,7 +190,10 @@ serviceAccount: # +docs:property # name: "" - # Optional additional annotations to add to the controller's Service Account. + # Optional additional annotations to add to the controller's Service Account. Templates are allowed for both keys and values. + # Example using templating: + # annotations: + # "{{ .Chart.Name }}-helm-chart/version": "{{ .Chart.Version }}" # +docs:property # annotations: {} 
@@ -227,17 +230,24 @@ enableCertificateOwnerRef: false # kubernetesAPIQPS: 9000 # kubernetesAPIBurst: 9000 # numberOfConcurrentWorkers: 200 +# enableGatewayAPI: true +# # Feature gates as of v1.17.0. Listed with their default values. +# # See https://cert-manager.io/docs/cli/controller/ # featureGates: -# AdditionalCertificateOutputFormats: true -# DisallowInsecureCSRUsageDefinition: true -# ExperimentalCertificateSigningRequestControllers: true -# ExperimentalGatewayAPISupport: true -# LiteralCertificateSubject: true -# SecretsFilteredCaching: true -# ServerSideApply: true -# StableCertificateRequestName: true -# UseCertificateRequestBasicConstraints: true -# ValidateCAA: true +# AdditionalCertificateOutputFormats: true # BETA - default=true +# AllAlpha: false # ALPHA - default=false +# AllBeta: false # BETA - default=false +# ExperimentalCertificateSigningRequestControllers: false # ALPHA - default=false +# ExperimentalGatewayAPISupport: true # BETA - default=true +# LiteralCertificateSubject: true # BETA - default=true +# NameConstraints: true # BETA - default=true +# OtherNames: false # ALPHA - default=false +# SecretsFilteredCaching: true # BETA - default=true +# ServerSideApply: false # ALPHA - default=false +# StableCertificateRequestName: true # BETA - default=true +# UseCertificateRequestBasicConstraints: false # ALPHA - default=false +# UseDomainQualifiedFinalizer: true # BETA - default=false +# ValidateCAA: false # ALPHA - default=false # # Configure the metrics server for TLS # # See https://cert-manager.io/docs/devops-tips/prometheus-metrics/#tls # metricsTLSConfig:
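Review bot: The new comment states the feature gates are `Listed with their default values`, but the line `UseDomainQualifiedFinalizer: true # BETA - default=false` sets a non-default value in the same example, so anyone pasting the example into `config:` flips that gate without noticing. Either list it as `UseDomainQualifiedFinalizer: false # BETA - default=false` or reword the comment to say the example enables it deliberately; the same example text is repeated in README.md and values.schema.json in this commit. This looks like upstream chart text carried over by the version bump, so the correction may belong in the source the chart is copied from.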