feat: Externalize ZTVP charts: cert-manager

.github/linters/.checkov.yaml

@@ -5,8 +5,13 @@ directory:
 skip-path:
   - tests
 skip-check:
-  - CKV_K8S_49 # Minimize wildcard use in Roles and ClusterRoles
-  - CKV_K8S_155 # Minimize ClusterRoles that grant control over validating or mutating admission webhook configurations
-  - CKV_K8S_156 # Minimize ClusterRoles that grant permissions to approve CertificateSigningRequests
-  - CKV_K8S_157 # Minimize Roles and ClusterRoles that grant permissions to bind RoleBindings or ClusterRoleBindings
-  - CKV_K8S_158 # Minimize Roles and ClusterRoles that grant permissions to escalate Roles or ClusterRoles
+  # CKV_K8S_49: Minimize wildcard use in Roles and ClusterRoles
+  - CKV_K8S_49
+  # CKV_K8S_155: ClusterRoles for admission webhook configurations
+  - CKV_K8S_155
+  # CKV_K8S_156: ClusterRoles to approve CertificateSigningRequests
+  - CKV_K8S_156
+  # CKV_K8S_157: Roles/ClusterRoles to bind RoleBindings or ClusterRoleBindings
+  - CKV_K8S_157
+  # CKV_K8S_158: Roles/ClusterRoles to escalate Roles or ClusterRoles
+  - CKV_K8S_158

.github/workflows/superlinter.yml

@@ -14,3 +14,5 @@ jobs:
     with:
       sl_env: |
         VALIDATE_BIOME_FORMAT=false
+        # Exclude Helm chart templates (contain {{ }}; not valid YAML)
+        FILTER_REGEX_EXCLUDE=.*/templates/.*

.github/workflows/update-helm-repo.yml

@@ -1,3 +1,4 @@
+---
 # This invokes the workflow named 'publish-charts' in the umbrella repo
 # It expects to have a secret called CHARTS_REPOS_TOKEN which contains
 # the GitHub token that has permissions to invoke workflows and commit code
@@ -23,13 +24,15 @@ permissions:
 
 jobs:
   helmlint:
-    uses: validatedpatterns/helm-charts/.github/workflows/helmlint.yml@69fd10ef9199eecd093fca715ae9765c78750efc # October 6, 2025
+    # October 6, 2025
+    uses: validatedpatterns/helm-charts/.github/workflows/helmlint.yml@69fd10ef9199eecd093fca715ae9765c78750efc
     permissions:
       contents: read
 
   update-helm-repo:
     needs: [helmlint]
-    uses: validatedpatterns/helm-charts/.github/workflows/update-helm-repo.yml@69fd10ef9199eecd093fca715ae9765c78750efc # October 6, 2025
+    # October 6, 2025
+    uses: validatedpatterns/helm-charts/.github/workflows/update-helm-repo.yml@69fd10ef9199eecd093fca715ae9765c78750efc
     permissions:
       contents: read
     secrets:

.prettierignore

@@ -0,0 +1,4 @@
+# Helm template files contain {{ }} and are not plain YAML
+templates/
+# Keep [ ] for yamllint; Prettier would change to []
+values.yaml

.yamllint

@@ -0,0 +1,12 @@
+extends: default
+ignore:
+  - templates/
+  - templates/**
+  - "**/templates/**"
+rules:
+  document-start: disable
+  line-length:
+    max: 80
+  brackets:
+    min-spaces-inside: 0
+    max-spaces-inside: 1

Chart.yaml

@@ -1,6 +1,27 @@
+---
 apiVersion: v2
-description: A Helm chart to serve as the Validated Patterns Template
+name: ocp-certmanager
+description: >
+  A Helm chart to deploy OpenShift cert-manager operator with proper
+  DNS nameserver configuration.
+type: application
+# This is the chart version. This version number should be incremented each
+# time you make changes to the chart and its templates, including the app
+# version. Versions are expected to follow Semantic Versioning (semver.org).
+version: 0.2.0
+
+# This is the version number of the application being deployed. This version
+# number should be incremented each time you make changes to the application.
+# It is recommended to use it with quotes.
+appVersion: "1.16.0"
+home: https://github.com/validatedpatterns/ocp-certmanager-chart
+maintainers:
+  - name: Validated Patterns Team
+    email: [email protected]
+icon: https://validatedpatterns.io/images/validated-patterns.png
 keywords:
-  - pattern
-name: vp-template
-version: 0.0.1
+  - cert-manager
+  - ssl
+  - tls
+  - certificates
+  - openshift

Makefile

@@ -36,8 +36,10 @@ test: helm-lint helm-unittest ## Runs helm lint and unit tests
 .PHONY: super-linter
 super-linter: ## Runs super linter locally
 	rm -rf .mypy_cache
-	podman run -e RUN_LOCAL=true -e USE_FIND_ALGORITHM=true	\
-					-e VALIDATE_BIOME_FORMAT=false \
-					-v $(PWD):/tmp/lint:rw,z \
-					-w /tmp/lint \
-					ghcr.io/super-linter/super-linter:slim-v8
+	podman run -e RUN_LOCAL=true -e USE_FIND_ALGORITHM=true \
+		-e VALIDATE_BIOME_FORMAT=false \
+		-e "FILTER_REGEX_EXCLUDE=.*/templates/.*" \
+		-e VALIDATE_GITHUB_ACTIONS_ZIZMOR=false \
+		-v $(PWD):/tmp/lint:rw,z \
+		-w /tmp/lint \
+		ghcr.io/super-linter/super-linter:slim-v8

README.md

@@ -1,13 +1,45 @@
-# vp-template
+# ocp-certmanager
 
-![Version: 0.0.1](https://img.shields.io/badge/Version-0.0.1-informational?style=flat-square)
+<!-- markdownlint-disable MD013 -->
 
-A Helm chart to serve as the Validated Patterns Template
+![Version: 0.2.0](https://img.shields.io/badge/Version-0.2.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.16.0](https://img.shields.io/badge/AppVersion-1.16.0-informational?style=flat-square)
+
+<!-- markdownlint-enable MD013 -->
+
+<!-- markdownlint-disable MD013 -->
+
+A Helm chart to deploy OpenShift cert-manager operator with proper DNS nameserver configuration.
+
+<!-- markdownlint-enable MD013 -->
 
 This chart is used to serve as the template for Validated Patterns Charts
 
 ## Notable changes
 
+**Homepage:** <https://github.com/validatedpatterns/ocp-certmanager-chart>
+
+## Maintainers
+
+| Name                    | Email                                | Url |
+| ----------------------- | ------------------------------------ | --- |
+| Validated Patterns Team | <[email protected]> |     |
+
+<!-- markdownlint-disable MD013 MD034 MD060 -->
+
+## Values
+
+| Key                                 | Type   | Default                            | Description                                                                                                                                                                                                                                                                                               |
+| ----------------------------------- | ------ | ---------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| certmgrOperator.additionalArgs      | list   | `[]`                               | Arguments to pass to the cert-manager controller (optional) Example: additionalArgs: - "--acme-http01-solver-nameservers=8.8.8.8:53,1.1.1.1:53" - "--v=2"                                                                                                                                                 |
+| certmgrOperator.credentialsRequests | list   | `[]`                               | Cloud credentials to use for the cert-manager (optional) You can specify multiple cloud credentials for different cloud providers. Used in combination with the solvers to create the DNS records.                                                                                                        |
+| certmgrOperator.issuers             | list   | `[]`                               | Issuers to use for the cert-manager (optional) You can specify multiple issuers for different challenges.                                                                                                                                                                                                 |
+| certmgrOperator.nameservers         | list   | `["8.8.8.8:53","1.1.1.1:53"]`      | List of DNS server (ip:port strings) for DNS01 challenges. Defaults to [8.8.8.8:53, 1.1.1.1:53]. Necessary for DNS01 ACME solver; openshift's internal split-view DNS servers typically won't work. See: https://cert-manager.io/docs/configuration/acme/dns01/ #setting-nameservers-for-dns01-self-check |
+| global                              | string | depends on the individual settings | Dictionary of the global settings to configure this chart                                                                                                                                                                                                                                                 |
+| installerType                       | string | `"argocd"`                         |                                                                                                                                                                                                                                                                                                           |
+| operatorChannel                     | string | `"stable-v1"`                      | String the channel to install cert-manager from (Defaults to "stable-v1")                                                                                                                                                                                                                                 |
+
+<!-- markdownlint-enable MD013 MD034 MD060 -->
+
 ---
 
 Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)

README.md.gotmpl

@@ -1,9 +1,13 @@
 {{ template "chart.header" . }}
 {{ template "chart.deprecationWarning" . }}
 
+<!-- markdownlint-disable MD013 -->
 {{ template "chart.badgesSection" . }}
+<!-- markdownlint-enable MD013 -->
 
+<!-- markdownlint-disable MD013 -->
 {{ template "chart.description" . }}
+<!-- markdownlint-enable MD013 -->
 
 This chart is used to serve as the template for Validated Patterns Charts
 
@@ -17,6 +21,8 @@ This chart is used to serve as the template for Validated Patterns Charts
 
 {{ template "chart.requirementsSection" . }}
 
+<!-- markdownlint-disable MD013 MD034 MD060 -->
 {{ template "chart.valuesSection" . }}
+<!-- markdownlint-enable MD013 MD034 MD060 -->
 
 {{ template "helm-docs.versionFooter" . }}

templates/_helpers.tpl

@@ -0,0 +1,20 @@
+{{- /*
+  Validations for the acme issuer
+*/ -}}
+{{- define "acme.validations" -}}
+{{- if not .solvers }}
+{{- fail "For the acme issuer, you must specify the properties solvers" }}
+{{- end }}
+{{- end }}
+
+{{- /*
+  Validations for the credentials-request
+*/ -}}
+{{- define "credential-request.validations" -}}
+{{- if not .secretRef }}
+{{- fail "CredentialRequest requires a SecretRef definition" }}
+{{- end }}
+{{- if not .providerSpec }}
+{{- fail "CredentialRequest requires a providerSpec definition" }}
+{{- end }}
+{{- end }}

templates/cert-manager-cluster-issuer.yaml

@@ -0,0 +1,16 @@
+{{- if .Values.certmgrOperator.issuers }}
+{{- range .Values.certmgrOperator.issuers }}
+{{- range $name, $issuer := . }}
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: {{ $name }}
+{{- if eq $name "acme" }}
+{{- include "acme.validations" $issuer }}
+{{- end }}
+spec:
+  {{ $name }}:
+{{- tpl (toYaml $issuer) $ | nindent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}

templates/cert-manager-credentials-request.yaml

@@ -0,0 +1,12 @@
+{{- if .Values.certmgrOperator.credentialsRequests }}
+{{- range .Values.certmgrOperator.credentialsRequests }}
+{{- include "credential-request.validations" . }}
+apiVersion: cloudcredential.openshift.io/v1
+kind: CredentialsRequest
+metadata:
+  name: {{ .name | default (printf "cert-manager-%s" (randAlpha 5 | lower)) }}
+  namespace: {{ .namespace | default $.Release.Namespace }}
+spec:
+{{- tpl (omit . "name" "namespace" | toYaml) $ | nindent 2 }}
+{{- end }}
+{{- end }}

templates/cert-manager-installation.yaml

@@ -0,0 +1,26 @@
+apiVersion: operator.openshift.io/v1alpha1
+kind: CertManager
+metadata:
+  name: cluster
+  annotations:
+{{- if eq .Values.installerType "argocd" }}
+    argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true
+{{- else if eq .Values.installerType "helm" }}
+    "helm.sh/hook": post-install
+{{- else }}
+  # No annotation set
+{{- end }}
+
+spec:
+  managementState: "Managed"
+{{- if .Values.certmgrOperator.nameservers }}
+  controllerConfig:
+    overrideArgs:
+      - "--dns01-recursive-nameservers={{ join "," .Values.certmgrOperator.nameservers }}"
+      - "--dns01-recursive-nameservers-only"
+{{- if .Values.certmgrOperator.additionalArgs }}
+{{- range .Values.certmgrOperator.additionalArgs }}
+      - "{{ . }}"
+{{- end }}
+{{- end }}
+{{- end }}

values.yaml

@@ -1 +1,126 @@
 ---
+# -- Dictionary of the global settings to configure this chart
+# @default -- depends on the individual settings
+global:
+
+installerType: "argocd"
+
+# -- String the channel to install cert-manager from (Defaults to "stable-v1")
+operatorChannel: "stable-v1"
+
+certmgrOperator:
+  # -- List of DNS server (ip:port strings) for DNS01 challenges.
+  # Defaults to [8.8.8.8:53, 1.1.1.1:53]. Necessary for DNS01 ACME solver;
+  # openshift's internal split-view DNS servers typically won't work.
+  # See: https://cert-manager.io/docs/configuration/acme/dns01/
+  #      #setting-nameservers-for-dns01-self-check
+  nameservers:
+    - 8.8.8.8:53
+    - 1.1.1.1:53
+
+  # -- Arguments to pass to the cert-manager controller (optional)
+  # Example:
+  # additionalArgs:
+  #   - "--acme-http01-solver-nameservers=8.8.8.8:53,1.1.1.1:53"
+  #   - "--v=2"
+  additionalArgs: [ ]
+
+  # -- Issuers to use for the cert-manager (optional)
+  # You can specify multiple issuers for different challenges.
+  issuers: [ ]
+
+  # -- ACME settings
+  # - acme:
+  #     -- Email to use for ACME account
+  #     email: "[email protected]"
+  #     -- Secret resource to store ACME account's private key
+  #     privateKeySecretRef:
+  #       name: "acme-account-key"
+  #     -- ACME server to use
+  #     Examples:
+  #     - https://acme-staging-v02.api.letsencrypt.org/directory
+  #     - https://acme-v02.api.letsencrypt.org/directory
+  #     server: "https://acme-staging-v02.api.letsencrypt.org/directory"
+  #     -- ACME solvers to use (optional)
+  #     You can specify multiple solvers for different challenges.
+  #     solvers: []
+  #       Examples:
+  #       - dns01:
+  #         -- AWS Route53 example
+  #         route53:
+  #           region: "us-east-1"
+  #           accessKeyIDSecretRef:
+  #             name: "aws-credentials"
+  #             key: aws_access_key_id
+  #           secretAccessKeySecretRef:
+  #             name: "aws-credentials"
+  #             key: aws_secret_access_key
+  #           hostedZoneID: "hosted-zone-id"
+  #         -- Azure example
+  #         azureDNS:
+  #           resourceGroupName: "my-resource-group"
+  #           subscriptionID: "my-subscription-id"
+  #           hostedZoneName: "my-hosted-zone-name"
+  #           environment: "AzurePublicCloud"
+  #           managedIdentity:
+  #             clientID: "my-client-id"
+  #         -- GCP example
+  #         cloudDNS:
+  #           project: "my-project"
+  #           serviceAccountSecretRef:
+  #             name: "my-service-account"
+  #             key: "my-key"
+  #         -- Cloudflare example
+  #         cloudflare:
+  #           apiTokenSecretRef:
+  #             name: "my-api-key"
+  #             key: "my-key"
+
+  # -- Cloud credentials to use for the cert-manager (optional)
+  # You can specify multiple cloud credentials for different cloud providers.
+  # Used in combination with the solvers to create the DNS records.
+  credentialsRequests: [ ]
+  # -- AWS example
+  # - name: aws
+  #   secretRef:
+  #     name: "aws-credentials"
+  #     namespace: "cert-manager"
+  #   providerSpec:
+  #     apiVersion: cloudcredential.openshift.io/v1
+  #     kind: "AWSProviderSpec"
+  #     statementEntries:
+  #     - effect: Allow
+  #       action:
+  #         - route53:GetChange
+  #       resource: "arn:aws:route53:::change/*"
+  #     - effect: Allow
+  #       action:
+  #         - route53:ChangeResourceRecordSets
+  #         - route53:ListResourceRecordSets
+  #       resource: "arn:aws:route53:::hostedzone/*"
+  #     -- Can be removed if you specify the (optional) hostedZoneID.
+  #     - effect: Allow
+  #       action:
+  #         - route53:ListHostedZones
+  #       resource: "*"
+  # -- Azure example
+  # - name: azure
+  #   secretRef:
+  #     name: "azure-credentials"
+  #     namespace: "cert-manager"
+  #   providerSpec:
+  #     apiVersion: cloudcredential.openshift.io/v1
+  #     kind: "AzureProviderSpec"
+  #     roleBindings:
+  #       - role: "DNS Zone Contributor"
+  # -- GCP example
+  # - name: gcp
+  #   secretRef:
+  #     name: "gcp-credentials"
+  #     namespace: "cert-manager"
+  #   providerSpec:
+  #     apiVersion: cloudcredential.openshift.io/v1
+  #     kind: "GCPProviderSpec"
+  #     predefinedRoles:
+  #       - "roles/dns.admin"
+  #     gcpServiceAccount: "cert-manager-clusterName-dns"