diff --git a/.github/linters/.checkov.yaml b/.github/linters/.checkov.yaml
index fe4590f..4031a76 100644
--- a/.github/linters/.checkov.yaml
+++ b/.github/linters/.checkov.yaml
@@ -5,8 +5,13 @@ directory:
 skip-path:
 - tests
 skip-check:
- - CKV_K8S_49 # Minimize wildcard use in Roles and ClusterRoles
- - CKV_K8S_155 # Minimize ClusterRoles that grant control over validating or mutating admission webhook configurations
- - CKV_K8S_156 # Minimize ClusterRoles that grant permissions to approve CertificateSigningRequests
- - CKV_K8S_157 # Minimize Roles and ClusterRoles that grant permissions to bind RoleBindings or ClusterRoleBindings
- - CKV_K8S_158 # Minimize Roles and ClusterRoles that grant permissions to escalate Roles or ClusterRoles
+ # CKV_K8S_49: Minimize wildcard use in Roles and ClusterRoles
+ - CKV_K8S_49
+ # CKV_K8S_155: ClusterRoles for admission webhook configurations
+ - CKV_K8S_155
+ # CKV_K8S_156: ClusterRoles to approve CertificateSigningRequests
+ - CKV_K8S_156
+ # CKV_K8S_157: Roles/ClusterRoles to bind RoleBindings or ClusterRoleBindings
+ - CKV_K8S_157
+ # CKV_K8S_158: Roles/ClusterRoles to escalate Roles or ClusterRoles
+ - CKV_K8S_158
diff --git a/.github/workflows/superlinter.yml b/.github/workflows/superlinter.yml
index bb67637..9a7b27e 100644
--- a/.github/workflows/superlinter.yml
+++ b/.github/workflows/superlinter.yml
@@ -14,3 +14,5 @@ jobs:
 with:
 sl_env: |
 VALIDATE_BIOME_FORMAT=false
+ # Exclude Helm chart templates (contain {{ }}; not valid YAML)
+ FILTER_REGEX_EXCLUDE=.*/templates/.*
diff --git a/.github/workflows/update-helm-repo.yml b/.github/workflows/update-helm-repo.yml
index 4c62cd1..dcbd310 100644
--- a/.github/workflows/update-helm-repo.yml
+++ b/.github/workflows/update-helm-repo.yml
@@ -1,3 +1,4 @@
+---
 # This invokes the workflow named 'publish-charts' in the umbrella repo
 # It expects to have a secret called CHARTS_REPOS_TOKEN which contains
 # the GitHub token that has permissions to invoke workflows and commit code
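Review bot: The new per-check comments only restate each checkov check's title, not why this chart suppresses it; a skip list that silences the RBAC-hardening checks CKV_K8S_49 and CKV_K8S_155–158 should carry the justification so a reviewer can judge whether the suppression is still warranted. None of the templates added elsewhere in this commit define Roles or ClusterRoles, so it is unclear whether these skips are needed at all; if they are kept, a line such as `# Skipped: <reason these RBAC checks do not apply to this chart>` above `skip-check:` would record it. The enclosing top-level mapping starts before this hunk.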
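Review bot: `sl_env` is a literal block scalar (`|`), so the added `# Exclude Helm chart templates ...` line is not a YAML comment but part of the value handed to super-linter as an environment line; whether the consumer tolerates a `#` line depends on how it parses `sl_env`, and if it does not, the exclusion can fail to apply without any error. Move the explanation outside the block scalar, e.g. as a YAML comment on the line above `sl_env: |`, and keep only `VALIDATE_BIOME_FORMAT=false` and `FILTER_REGEX_EXCLUDE=.*/templates/.*` inside it. The `with:` mapping and its job begin outside the hunk.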
@@ -23,13 +24,15 @@ permissions: jobs: helmlint: - uses: validatedpatterns/helm-charts/.github/workflows/helmlint.yml@69fd10ef9199eecd093fca715ae9765c78750efc # October 6, 2025 + # October 6, 2025 + uses: validatedpatterns/helm-charts/.github/workflows/helmlint.yml@69fd10ef9199eecd093fca715ae9765c78750efc permissions: contents: read update-helm-repo: needs: [helmlint] - uses: validatedpatterns/helm-charts/.github/workflows/update-helm-repo.yml@69fd10ef9199eecd093fca715ae9765c78750efc # October 6, 2025 + # October 6, 2025 + uses: validatedpatterns/helm-charts/.github/workflows/update-helm-repo.yml@69fd10ef9199eecd093fca715ae9765c78750efc permissions: contents: read secrets: diff --git a/.prettierignore b/.prettierignore new file mode 100644 index 0000000..0dbcb34 --- /dev/null +++ b/.prettierignore @@ -0,0 +1,4 @@ +# Helm template files contain {{ }} and are not plain YAML +templates/ +# Keep [ ] for yamllint; Prettier would change to [] +values.yaml \ No newline at end of file diff --git a/.yamllint b/.yamllint new file mode 100644 index 0000000..0ea5d73 --- /dev/null +++ b/.yamllint @@ -0,0 +1,12 @@ +extends: default +ignore: + - templates/ + - templates/** + - "**/templates/**" +rules: + document-start: disable + line-length: + max: 80 + brackets: + min-spaces-inside: 0 + max-spaces-inside: 1 diff --git a/Chart.yaml b/Chart.yaml index 4fa33cc..f20a530 100644 --- a/Chart.yaml +++ b/Chart.yaml 
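Review bot: `document-start: disable` switches off the rule that the rest of this commit is conforming to — `---` is being added to update-helm-repo.yml, Chart.yaml and values.yaml in the same change — so the linter will not catch a future file that omits it; consider dropping the `disable` line so `extends: default` enforces the convention the commit adopts. The three `ignore` entries overlap: `"**/templates/**"` already matches `templates/` and `templates/**`, so a single pattern would do. Since `.prettierignore` keeps `[ ]` in values.yaml while `brackets.max-spaces-inside: 1` is what permits it, a short comment on the `brackets` rule tying the two together would help the next maintainer.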
@@ -1,6 +1,27 @@
+---
 apiVersion: v2
-description: A Helm chart to serve as the Validated Patterns Template
+name: ocp-certmanager
+description: >
+ A Helm chart to deploy OpenShift cert-manager operator with proper
+ DNS nameserver configuration.
+type: application
+# This is the chart version. This version number should be incremented each
+# time you make changes to the chart and its templates, including the app
+# version. Versions are expected to follow Semantic Versioning (semver.org).
+version: 0.2.0
+
+# This is the version number of the application being deployed. This version
+# number should be incremented each time you make changes to the application.
+# It is recommended to use it with quotes.
+appVersion: "1.16.0"
+home: https://github.com/validatedpatterns/ocp-certmanager-chart
+maintainers:
+ - name: Validated Patterns Team
+ email: validatedpatterns@googlegroups.com
+icon: https://validatedpatterns.io/images/validated-patterns.png
 keywords:
- - pattern
-name: vp-template
-version: 0.0.1
+ - cert-manager
+ - ssl
+ - tls
+ - certificates
+ - openshift
diff --git a/Makefile b/Makefile
index 319317a..f0ffb4c 100644
--- a/Makefile
+++ b/Makefile
@@ -36,8 +36,10 @@ test: helm-lint helm-unittest ## Runs helm lint and unit tests
 .PHONY: super-linter
 super-linter: ## Runs super linter locally
 rm -rf .mypy_cache
- podman run -e RUN_LOCAL=true -e USE_FIND_ALGORITHM=true \
- -e VALIDATE_BIOME_FORMAT=false \
- -v $(PWD):/tmp/lint:rw,z \
- -w /tmp/lint \
- ghcr.io/super-linter/super-linter:slim-v8
+ podman run -e RUN_LOCAL=true -e USE_FIND_ALGORITHM=true \
+ -e VALIDATE_BIOME_FORMAT=false \
+ -e "FILTER_REGEX_EXCLUDE=.*/templates/.*" \
+ -e VALIDATE_GITHUB_ACTIONS_ZIZMOR=false \
+ -v $(PWD):/tmp/lint:rw,z \
+ -w /tmp/lint \
+ ghcr.io/super-linter/super-linter:slim-v8
diff --git a/README.md b/README.md
index b7aa861..56adc07 100644
--- a/README.md
+++ b/README.md
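Review bot: `-e VALIDATE_GITHUB_ACTIONS_ZIZMOR=false` disables the GitHub Actions security linter in the local run only; the CI invocation in superlinter.yml from this same commit sets `VALIDATE_BIOME_FORMAT=false` and `FILTER_REGEX_EXCLUDE` but not this flag, so `make super-linter` and CI now check different rule sets and workflow findings can surface only in CI. Either mirror the setting in `sl_env` or, preferably, drop it here and keep zizmor enabled in both places; if it must stay, a recipe comment such as `# zizmor disabled locally: <reason>` would document the divergence. The `super-linter` recipe is fully contained in the hunk.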
@@ -1,13 +1,45 @@ -# vp-template +# ocp-certmanager -![Version: 0.0.1](https://img.shields.io/badge/Version-0.0.1-informational?style=flat-square) + -A Helm chart to serve as the Validated Patterns Template +![Version: 0.2.0](https://img.shields.io/badge/Version-0.2.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.16.0](https://img.shields.io/badge/AppVersion-1.16.0-informational?style=flat-square) + + + + + +A Helm chart to deploy OpenShift cert-manager operator with proper DNS nameserver configuration. + + This chart is used to serve as the template for Validated Patterns Charts ## Notable changes +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ----------------------- | ------------------------------------ | --- | +| Validated Patterns Team | | | + + + +## Values + +| Key | Type | Default | Description | +| ----------------------------------- | ------ | ---------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| certmgrOperator.additionalArgs | list | `[]` | Arguments to pass to the cert-manager controller (optional) Example: additionalArgs: - "--acme-http01-solver-nameservers=8.8.8.8:53,1.1.1.1:53" - "--v=2" | +| certmgrOperator.credentialsRequests | list | `[]` | Cloud credentials to use for the cert-manager (optional) You can specify multiple cloud credentials for different cloud providers. Used in combination with the solvers to create the DNS records. | +| certmgrOperator.issuers | list | `[]` | Issuers to use for the cert-manager (optional) You can specify multiple issuers for different challenges. 
| +| certmgrOperator.nameservers | list | `["8.8.8.8:53","1.1.1.1:53"]` | List of DNS server (ip:port strings) for DNS01 challenges. Defaults to [8.8.8.8:53, 1.1.1.1:53]. Necessary for DNS01 ACME solver; openshift's internal split-view DNS servers typically won't work. See: https://cert-manager.io/docs/configuration/acme/dns01/ #setting-nameservers-for-dns01-self-check | +| global | string | depends on the individual settings | Dictionary of the global settings to configure this chart | +| installerType | string | `"argocd"` | | +| operatorChannel | string | `"stable-v1"` | String the channel to install cert-manager from (Defaults to "stable-v1") | + + + --- Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2) diff --git a/README.md.gotmpl b/README.md.gotmpl index bf3762f..c426f84 100644 --- a/README.md.gotmpl +++ b/README.md.gotmpl @@ -1,9 +1,13 @@ {{ template "chart.header" . }} {{ template "chart.deprecationWarning" . }} + {{ template "chart.badgesSection" . }} + + {{ template "chart.description" . }} + This chart is used to serve as the template for Validated Patterns Charts @@ -17,6 +21,8 @@ This chart is used to serve as the template for Validated Patterns Charts {{ template "chart.requirementsSection" . }} + {{ template "chart.valuesSection" . }} + {{ template "helm-docs.versionFooter" . }} diff --git a/templates/.keep b/templates/.keep deleted file mode 100644 index e69de29..0000000 diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl new file mode 100644 index 0000000..8f13c94 --- /dev/null +++ b/templates/_helpers.tpl 
@@ -0,0 +1,20 @@
+{{- /*
+ Validations for the acme issuer
+*/ -}}
+{{- define "acme.validations" -}}
+{{- if not .solvers }}
+{{- fail "For the acme issuer, you must specify the properties solvers" }}
+{{- end }}
+{{- end }}
+
+{{- /*
+ Validations for the credentials-request
+*/ -}}
+{{- define "credential-request.validations" -}}
+{{- if not .secretRef }}
+{{- fail "CredentialRequest requires a SecretRef definition" }}
+{{- end }}
+{{- if not .providerSpec }}
+{{- fail "CredentialRequest requires a providerSpec definition" }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/templates/cert-manager-cluster-issuer.yaml b/templates/cert-manager-cluster-issuer.yaml
new file mode 100644
index 0000000..69d6230
--- /dev/null
+++ b/templates/cert-manager-cluster-issuer.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.certmgrOperator.issuers }}
+{{- range .Values.certmgrOperator.issuers }}
+{{- range $name, $issuer := . }}
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: {{ $name }}
+{{- if eq $name "acme" }}
+{{- include "acme.validations" $issuer }}
+{{- end }}
+spec:
+ {{ $name }}:
+{{- tpl (toYaml $issuer) $ | nindent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/templates/cert-manager-credentials-request.yaml b/templates/cert-manager-credentials-request.yaml
new file mode 100644
index 0000000..2ae7b29
--- /dev/null
+++ b/templates/cert-manager-credentials-request.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.certmgrOperator.credentialsRequests }}
+{{- range .Values.certmgrOperator.credentialsRequests }}
+{{- include "credential-request.validations" . }}
+apiVersion: cloudcredential.openshift.io/v1
+kind: CredentialsRequest
+metadata:
+ name: {{ .name | default (printf "cert-manager-%s" (randAlpha 5 | lower)) }}
+ namespace: {{ .namespace | default $.Release.Namespace }}
+spec:
+{{- tpl (omit . "name" "namespace" | toYaml) $ | nindent 2 }}
+{{- end }}
+{{- end }}
\ No newline at end of file
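Review bot: The `range` over `.Values.certmgrOperator.issuers` emits one `apiVersion: cert-manager.io/v1 ... spec:` manifest per entry with no `---` between iterations, so configuring the second issuer that values.yaml advertises ("You can specify multiple issuers") renders a single document with duplicate top-level keys, which is either rejected at parse time or collapsed last-wins into one ClusterIssuer. Put a document separator at the top of each iteration, i.e. add `---` as the first line after `{{- range $name, $issuer := . }}`. The same defect is in `templates/cert-manager-credentials-request.yaml` in this commit, where `---` belongs directly after `{{- range .Values.certmgrOperator.credentialsRequests }}`. `name: {{ $name }}` is also unquoted; `name: {{ $name | quote }}` keeps a YAML-special issuer key from being retyped.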
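Review bot: `name: {{ .name | default (printf "cert-manager-%s" (randAlpha 5 | lower)) }}` gives a CredentialsRequest a fresh random name on every render when `.name` is omitted, so each `helm upgrade` or Argo CD sync creates a new request (and a new cloud credential secret) while the previous one is left to be pruned or orphaned; for a resource that mints cloud credentials a stable, auditable name matters. Make `name` required instead, e.g. extend `credential-request.validations` in `_helpers.tpl` with `{{- if not .name }}{{- fail "CredentialRequest requires a name" }}{{- end }}`, or derive a deterministic default such as `{{ .name | default (printf "cert-manager-%s" (.secretRef.name | lower)) }}`. Separately, `namespace: {{ .namespace | default $.Release.Namespace }}` places the request in the release namespace while the values examples set `secretRef.namespace: "cert-manager"`; the Cloud Credential Operator reconciles CredentialsRequests from its own namespace, so a comment stating which of the two namespaces users must set would likely save a confused deployment.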
diff --git a/templates/cert-manager-installation.yaml b/templates/cert-manager-installation.yaml
new file mode 100644
index 0000000..17a171c
--- /dev/null
+++ b/templates/cert-manager-installation.yaml
@@ -0,0 +1,26 @@
+apiVersion: operator.openshift.io/v1alpha1
+kind: CertManager
+metadata:
+ name: cluster
+ annotations:
+{{- if eq .Values.installerType "argocd" }}
+ argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true
+{{- else if eq .Values.installerType "helm" }}
+ "helm.sh/hook": post-install
+{{- else }}
+ # No annotation set
+{{- end }}
+
+spec:
+ managementState: "Managed"
+{{- if .Values.certmgrOperator.nameservers }}
+ controllerConfig:
+ overrideArgs:
+ - "--dns01-recursive-nameservers={{ join "," .Values.certmgrOperator.nameservers }}"
+ - "--dns01-recursive-nameservers-only"
+{{- if .Values.certmgrOperator.additionalArgs }}
+{{- range .Values.certmgrOperator.additionalArgs }}
+ - "{{ . }}"
+{{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/values.yaml b/values.yaml
index ed97d53..c488fa2 100644
--- a/values.yaml
+++ b/values.yaml
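Review bot: The `additionalArgs` loop is nested inside `{{- if .Values.certmgrOperator.nameservers }}`, so a user who clears `nameservers` (for example to rely on the cluster resolver) also silently loses every extra controller argument, although values.yaml documents the two settings as independent. Gate `controllerConfig.overrideArgs` on either value and test each list separately inside it, as below; the inner `{{- if .Values.certmgrOperator.additionalArgs }}` is redundant once `range` handles the empty list. Quoting the arguments as `- "{{ . }}"` breaks on a value containing a double quote; `- {{ . | quote }}` is safer. Separately, the Argo CD annotation sets `Validate=false`, which turns off schema validation for this CR on sync; if that is needed for the v1alpha1 API, a one-line comment saying why would stop a later reviewer from removing it.
```yaml
# … unchanged: apiVersion, kind, metadata and annotations …
spec:
  managementState: "Managed"
{{- if or .Values.certmgrOperator.nameservers .Values.certmgrOperator.additionalArgs }}
  controllerConfig:
    overrideArgs:
{{- if .Values.certmgrOperator.nameservers }}
      - "--dns01-recursive-nameservers={{ join "," .Values.certmgrOperator.nameservers }}"
      - "--dns01-recursive-nameservers-only"
{{- end }}
{{- range .Values.certmgrOperator.additionalArgs }}
      - {{ . | quote }}
{{- end }}
{{- end }}
```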
@@ -1 +1,126 @@
 ---
+# -- Dictionary of the global settings to configure this chart
+# @default -- depends on the individual settings
+global:
+
+installerType: "argocd"
+
+# -- String the channel to install cert-manager from (Defaults to "stable-v1")
+operatorChannel: "stable-v1"
+
+certmgrOperator:
+ # -- List of DNS server (ip:port strings) for DNS01 challenges.
+ # Defaults to [8.8.8.8:53, 1.1.1.1:53]. Necessary for DNS01 ACME solver;
+ # openshift's internal split-view DNS servers typically won't work.
+ # See: https://cert-manager.io/docs/configuration/acme/dns01/
+ # #setting-nameservers-for-dns01-self-check
+ nameservers:
+ - 8.8.8.8:53
+ - 1.1.1.1:53
+
+ # -- Arguments to pass to the cert-manager controller (optional)
+ # Example:
+ # additionalArgs:
+ # - "--acme-http01-solver-nameservers=8.8.8.8:53,1.1.1.1:53"
+ # - "--v=2"
+ additionalArgs: [ ]
+
+ # -- Issuers to use for the cert-manager (optional)
+ # You can specify multiple issuers for different challenges.
+ issuers: [ ]
+
+ # -- ACME settings
+ # - acme:
+ # -- Email to use for ACME account
+ # email: "user@example.com"
+ # -- Secret resource to store ACME account's private key
+ # privateKeySecretRef:
+ # name: "acme-account-key"
+ # -- ACME server to use
+ # Examples:
+ # - https://acme-staging-v02.api.letsencrypt.org/directory
+ # - https://acme-v02.api.letsencrypt.org/directory
+ # server: "https://acme-staging-v02.api.letsencrypt.org/directory"
+ # -- ACME solvers to use (optional)
+ # You can specify multiple solvers for different challenges.
+ # solvers: []
+ # Examples:
+ # - dns01:
+ # -- AWS Route53 example
+ # route53:
+ # region: "us-east-1"
+ # accessKeyIDSecretRef:
+ # name: "aws-credentials"
+ # key: aws_access_key_id
+ # secretAccessKeySecretRef:
+ # name: "aws-credentials"
+ # key: aws_secret_access_key
+ # hostedZoneID: "hosted-zone-id"
+ # -- Azure example
+ # azureDNS:
+ # resourceGroupName: "my-resource-group"
+ # subscriptionID: "my-subscription-id"
+ # hostedZoneName: "my-hosted-zone-name"
+ # environment: "AzurePublicCloud"
+ # managedIdentity:
+ # clientID: "my-client-id"
+ # -- GCP example
+ # cloudDNS:
+ # project: "my-project"
+ # serviceAccountSecretRef:
+ # name: "my-service-account"
+ # key: "my-key"
+ # -- Cloudflare example
+ # cloudflare:
+ # apiTokenSecretRef:
+ # name: "my-api-key"
+ # key: "my-key"
+
+ # -- Cloud credentials to use for the cert-manager (optional)
+ # You can specify multiple cloud credentials for different cloud providers.
+ # Used in combination with the solvers to create the DNS records.
+ credentialsRequests: [ ]
+ # -- AWS example
+ # - name: aws
+ # secretRef:
+ # name: "aws-credentials"
+ # namespace: "cert-manager"
+ # providerSpec:
+ # apiVersion: cloudcredential.openshift.io/v1
+ # kind: "AWSProviderSpec"
+ # statementEntries:
+ # - effect: Allow
+ # action:
+ # - route53:GetChange
+ # resource: "arn:aws:route53:::change/*"
+ # - effect: Allow
+ # action:
+ # - route53:ChangeResourceRecordSets
+ # - route53:ListResourceRecordSets
+ # resource: "arn:aws:route53:::hostedzone/*"
+ # -- Can be removed if you specify the (optional) hostedZoneID.
+ # - effect: Allow
+ # action:
+ # - route53:ListHostedZones
+ # resource: "*"
+ # -- Azure example
+ # - name: azure
+ # secretRef:
+ # name: "azure-credentials"
+ # namespace: "cert-manager"
+ # providerSpec:
+ # apiVersion: cloudcredential.openshift.io/v1
+ # kind: "AzureProviderSpec"
+ # roleBindings:
+ # - role: "DNS Zone Contributor"
+ # -- GCP example
+ # - name: gcp
+ # secretRef:
+ # name: "gcp-credentials"
+ # namespace: "cert-manager"
+ # providerSpec:
+ # apiVersion: cloudcredential.openshift.io/v1
+ # kind: "GCPProviderSpec"
+ # predefinedRoles:
+ # - "roles/dns.admin"
+ # gcpServiceAccount: "cert-manager-clusterName-dns"
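Review bot: `global:` with no value parses as `null`, not an empty mapping, which is why helm-docs typed it `string` in the README generated by this commit; write `global: {}` so the key is a map whether or not a parent chart supplies globals. `operatorChannel: "stable-v1"` is documented as the channel to install cert-manager from, yet none of the templates added in this commit read `.Values.operatorChannel`, so either a Subscription template exists outside this diff or the value is dead and its comment misleading; worth stating which. The AWS `credentialsRequests` example grants `route53:ListHostedZones` on `resource: "*"` with a note that it can be dropped when `hostedZoneID` is set, and the matching Route53 solver example above does set `hostedZoneID`; the example would be tighter without that statement, or with the comment moved beside it as `# -- Only needed when hostedZoneID is not set in the solver`. The `nameservers` entries `8.8.8.8:53` are plain scalars that parse as strings today, but quoting them (as the README already renders them) removes any doubt about retyping.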