
Commit 2bdd150

feat: Externalize ZTVP charts: cert-manager
Signed-off-by: Min Zhang <minzhang@redhat.com>
1 parent 23282a3 commit 2bdd150

10 files changed

Lines changed: 241 additions & 11 deletions

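--- a/.github/linters/.checkov.yaml
+++ b/.github/linters/.checkov.yaml
@@ -5,8 +5,13 @@ directory:
 skip-path:
   - tests
 skip-check:
-  - CKV_K8S_49 # Minimize wildcard use in Roles and ClusterRoles
-  - CKV_K8S_155 # Minimize ClusterRoles that grant control over validating or mutating admission webhook configurations
-  - CKV_K8S_156 # Minimize ClusterRoles that grant permissions to approve CertificateSigningRequests
-  - CKV_K8S_157 # Minimize Roles and ClusterRoles that grant permissions to bind RoleBindings or ClusterRoleBindings
-  - CKV_K8S_158 # Minimize Roles and ClusterRoles that grant permissions to escalate Roles or ClusterRoles
+  # CKV_K8S_49: Minimize wildcard use in Roles and ClusterRoles
+  - CKV_K8S_49
+  # CKV_K8S_155: ClusterRoles for admission webhook configurations
+  - CKV_K8S_155
+  # CKV_K8S_156: ClusterRoles to approve CertificateSigningRequests
+  - CKV_K8S_156
+  # CKV_K8S_157: Roles/ClusterRoles to bind RoleBindings or ClusterRoleBindings
+  - CKV_K8S_157
+  # CKV_K8S_158: Roles/ClusterRoles to escalate Roles or ClusterRoles
+  - CKV_K8S_158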
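Review bot: The five `skip-check` entries disable every checkov rule about privileged RBAC (wildcard verbs, admission-webhook control, CSR approval, `bind` and `escalate`), yet none of the ten files in this commit defines a Role or ClusterRole, so the list appears to be inherited from the template repository rather than justified by this chart. Suppressions that nothing currently triggers are dangerous precisely because a later RBAC addition will sail through unchecked; drop the entries, or for any that is genuinely needed record the reason next to it, e.g. `# CKV_K8S_156: the operator must approve CSRs — see templates/<file>`.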

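--- a/.github/workflows/superlinter.yml
+++ b/.github/workflows/superlinter.yml
@@ -14,3 +14,5 @@ jobs:
     with:
       sl_env: |
         VALIDATE_BIOME_FORMAT=false
+        VALIDATE_YAML: false
+        VALIDATE_YAML_PRETTIER: false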
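Review bot: The two added lines use `KEY: value` form inside the `sl_env: |` block while the existing entry uses `VALIDATE_BIOME_FORMAT=false`; `sl_env` looks like a block of environment assignments handed to super-linter, in which case `VALIDATE_YAML: false` would not be recognised and YAML linting would silently stay enabled (or the block would fail to parse) — write `VALIDATE_YAML=false` and `VALIDATE_YAML_PRETTIER=false`. Also consider whether switching YAML validation off repo-wide is the right remedy: Helm templates under `templates/` are not parseable YAML, but `values.yaml`, `Chart.yaml` and the workflow files are and now go unlinted, whereas `FILTER_REGEX_EXCLUDE=.*/templates/.*` would exclude only the templates. The enclosing job starts before this hunk.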

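--- a/.github/workflows/update-helm-repo.yml
+++ b/.github/workflows/update-helm-repo.yml
@@ -1,3 +1,4 @@
+---
 # This invokes the workflow named 'publish-charts' in the umbrella repo
 # It expects to have a secret called CHARTS_REPOS_TOKEN which contains
 # the GitHub token that has permissions to invoke workflows and commit code
@@ -23,13 +24,15 @@ permissions:
 
 jobs:
   helmlint:
-    uses: validatedpatterns/helm-charts/.github/workflows/helmlint.yml@69fd10ef9199eecd093fca715ae9765c78750efc # October 6, 2025
+    # October 6, 2025
+    uses: validatedpatterns/helm-charts/.github/workflows/helmlint.yml@69fd10ef9199eecd093fca715ae9765c78750efc
     permissions:
       contents: read
 
   update-helm-repo:
     needs: [helmlint]
-    uses: validatedpatterns/helm-charts/.github/workflows/update-helm-repo.yml@69fd10ef9199eecd093fca715ae9765c78750efc # October 6, 2025
+    # October 6, 2025
+    uses: validatedpatterns/helm-charts/.github/workflows/update-helm-repo.yml@69fd10ef9199eecd093fca715ae9765c78750efc
     permissions:
       contents: read
     secrets: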
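Review bot: Pinning both reusable workflows to a full commit SHA is the right call, but the moved comments record only a date, not the tag or release the SHA corresponds to, so a reader cannot verify that `69fd10ef…` is the revision they expect and Dependabot/Renovate will not propose upgrades for it. If `validatedpatterns/helm-charts` publishes tags, use the conventional form `# vX.Y.Z (October 6, 2025)` with the tag that points at this commit. The `secrets:` mapping of the second job continues outside the hunk.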

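--- a/Chart.yaml
+++ b/Chart.yaml
@@ -1,6 +1,27 @@
+---
 apiVersion: v2
-description: A Helm chart to serve as the Validated Patterns Template
+name: ocp-certmanager
+description: >
+  A Helm chart to deploy OpenShift cert-manager operator with proper
+  DNS nameserver configuration.
+type: application
+# This is the chart version. This version number should be incremented each
+# time you make changes to the chart and its templates, including the app
+# version. Versions are expected to follow Semantic Versioning (semver.org).
+version: 0.2.0
+
+# This is the version number of the application being deployed. This version
+# number should be incremented each time you make changes to the application.
+# It is recommended to use it with quotes.
+appVersion: "1.16.0"
+home: https://github.com/validatedpatterns/ocp-certmanager-chart
+maintainers:
+  - name: Validated Patterns Team
+    email: validatedpatterns@googlegroups.com
+icon: https://validatedpatterns.io/images/validated-patterns.png
 keywords:
-  - pattern
-name: vp-template
-version: 0.0.1
+  - cert-manager
+  - ssl
+  - tls
+  - certificates
+  - openshift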
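Review bot: `appVersion: "1.16.0"` is not tied to anything the chart actually deploys — no template in this commit pins an operator version, and `values.yaml` selects the operator only through `operatorChannel: "stable-v1"`, so whatever that channel resolves to at install time is what runs and the field can drift silently. Either state that in place of the boilerplate comment, e.g. `# Informational only: the installed operator version is whatever operatorChannel (values.yaml) resolves to.`, or drop the field until a version is enforced.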

templates/.keep

Whitespace-only changes.

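--- /dev/null
+++ b/templates/_helpers.tpl
@@ -0,0 +1,20 @@
+{{- /*
+Validations for the acme issuer
+*/ -}}
+{{- define "acme.validations" -}}
+{{- if not .solvers }}
+{{- fail "For the acme issuer, you must specify the properties solvers" }}
+{{- end }}
+{{- end }}
+
+{{- /*
+Validations for the credentials-request
+*/ -}}
+{{- define "credential-request.validations" -}}
+{{- if not .secretRef }}
+{{- fail "CredentialRequest requires a SecretRef definition" }}
+{{- end }}
+{{- if not .providerSpec }}
+{{- fail "CredentialRequest requires a providerSpec definition" }}
+{{- end }}
+{{- end }}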
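Review bot: `acme.validations` only rejects a missing `solvers`, but a cert-manager ACME issuer is equally unusable without `server` and `privateKeySecretRef` (both required by the `ClusterIssuer` API), so a values file that omits them passes `helm template` and fails only at admission, where the error is far less readable; add `{{- if not .server }}{{- fail "For the acme issuer, you must specify the property server" }}{{- end }}` and the same guard for `.privateKeySecretRef`. The existing message `you must specify the properties solvers` should read `the property 'solvers'`. `credential-request.validations` likewise accepts a `secretRef` with no `name`; checking `.secretRef.name` would catch the commonest mistake.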
Lines changed: 16 additions & 0 deletions
@@ -0,0 +1,16 @@
1+
{{- if .Values.certmgrOperator.issuers }}
2+
{{- range .Values.certmgrOperator.issuers }}
3+
{{- range $name, $issuer := . }}
4+
apiVersion: cert-manager.io/v1
5+
kind: ClusterIssuer
6+
metadata:
7+
name: {{ $name }}
8+
{{- if eq $name "acme" }}
9+
{{- include "acme.validations" $issuer }}
10+
{{- end }}
11+
spec:
12+
{{ $name }}:
13+
{{- tpl (toYaml $issuer) $ | nindent 4 }}
14+
{{- end }}
15+
{{- end }}
16+
{{- end }}
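Review bot: With more than one entry in `certmgrOperator.issuers` the nested `range` emits consecutive `apiVersion:`/`kind:` mappings with no document separator, so the render is one YAML document with duplicate keys instead of several ClusterIssuers; put `---` on its own line immediately after `{{- range $name, $issuer := . }}`. A second limitation worth documenting: `metadata.name` is the spec key (`acme`, `ca`, …), so two issuers of the same type — Let's Encrypt staging and production, say — cannot coexist. Note also that `tpl (toYaml $issuer) $` evaluates every string in the issuer values as a Go template, which is convenient but means any value containing `{{` is executed rather than passed through; a one-line comment above that line saying so would save the next person a confusing failure.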
Lines changed: 12 additions & 0 deletions
@@ -0,0 +1,12 @@
1+
{{- if .Values.certmgrOperator.credentialsRequests }}
2+
{{- range .Values.certmgrOperator.credentialsRequests }}
3+
{{- include "credential-request.validations" . }}
4+
apiVersion: cloudcredential.openshift.io/v1
5+
kind: CredentialsRequest
6+
metadata:
7+
name: {{ .name | default (printf "cert-manager-%s" (randAlpha 5 | lower)) }}
8+
namespace: {{ .namespace | default $.Release.Namespace }}
9+
spec:
10+
{{- tpl (omit . "name" "namespace" | toYaml) $ | nindent 2 }}
11+
{{- end }}
12+
{{- end }}
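Review bot: `randAlpha 5` on the `metadata.name` line makes the resource name change on every render, so with `installerType: "argocd"` each sync creates a fresh CredentialsRequest and orphans the previous one — and every orphan keeps a live set of cloud credentials minted by the Cloud Credential Operator. Make the name mandatory instead: extend `credential-request.validations` with `{{- if not .name }}{{- fail "CredentialRequest requires a name" }}{{- end }}` and render `name: {{ .name }}`. As in the issuer template, consecutive entries are emitted without a `---` separator. Finally, as far as I recall the Cloud Credential Operator only reconciles CredentialsRequest objects in `openshift-cloud-credential-operator`; if so, defaulting `metadata.namespace` to `$.Release.Namespace` yields a request that is never fulfilled — please confirm and default to that namespace.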
Lines changed: 26 additions & 0 deletions
@@ -0,0 +1,26 @@
1+
apiVersion: operator.openshift.io/v1alpha1
2+
kind: CertManager
3+
metadata:
4+
name: cluster
5+
annotations:
6+
{{- if eq .Values.installerType "argocd" }}
7+
argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true
8+
{{- else if eq .Values.installerType "helm" }}
9+
"helm.sh/hook": post-install
10+
{{- else }}
11+
# No annotation set
12+
{{- end }}
13+
14+
spec:
15+
managementState: "Managed"
16+
{{- if .Values.certmgrOperator.nameservers }}
17+
controllerConfig:
18+
overrideArgs:
19+
- "--dns01-recursive-nameservers={{ join "," .Values.certmgrOperator.nameservers }}"
20+
- "--dns01-recursive-nameservers-only"
21+
{{- if .Values.certmgrOperator.additionalArgs }}
22+
{{- range .Values.certmgrOperator.additionalArgs }}
23+
- "{{ . }}"
24+
{{- end }}
25+
{{- end }}
26+
{{- end }}
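Review bot: `additionalArgs` is only rendered inside the `{{- if .Values.certmgrOperator.nameservers }}` guard, so a user who clears `nameservers` (for instance to keep cert-manager on the cluster resolver) silently loses every extra controller argument as well; the guard should cover either setting, and the inner `if` can go because `range` over an empty list emits nothing. A smaller point: `"helm.sh/hook": post-install` means the CertManager resource is created once and not touched by `helm upgrade`, so later changes to `nameservers` never reach the operator on the helm path — if that is intended, say so in a comment next to the annotation.

```yaml
spec:
  managementState: "Managed"
  {{- if or .Values.certmgrOperator.nameservers .Values.certmgrOperator.additionalArgs }}
  controllerConfig:
    overrideArgs:
    {{- if .Values.certmgrOperator.nameservers }}
    - "--dns01-recursive-nameservers={{ join "," .Values.certmgrOperator.nameservers }}"
    - "--dns01-recursive-nameservers-only"
    {{- end }}
    {{- range .Values.certmgrOperator.additionalArgs }}
    - "{{ . }}"
    {{- end }}
  {{- end }}
```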

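--- a/values.yaml
+++ b/values.yaml
@@ -1 +1,126 @@
 ---
+# -- Dictionary of the global settings to configure this chart
+# @default -- depends on the individual settings
+global:
+
+installerType: "argocd"
+
+# -- String the channel to install cert-manager from (Defaults to "stable-v1")
+operatorChannel: "stable-v1"
+
+certmgrOperator:
+  # -- List of DNS server (ip:port strings) for DNS01 challenges.
+  # Defaults to [8.8.8.8:53, 1.1.1.1:53]. Necessary for DNS01 ACME solver;
+  # openshift's internal split-view DNS servers typically won't work.
+  # See: https://cert-manager.io/docs/configuration/acme/dns01/
+  # #setting-nameservers-for-dns01-self-check
+  nameservers:
+    - 8.8.8.8:53
+    - 1.1.1.1:53
+
+  # -- Arguments to pass to the cert-manager controller (optional)
+  # Example:
+  # additionalArgs:
+  # - "--acme-http01-solver-nameservers=8.8.8.8:53,1.1.1.1:53"
+  # - "--v=2"
+  additionalArgs: []
+
+  # -- Issuers to use for the cert-manager (optional)
+  # You can specify multiple issuers for different challenges.
+  issuers: []
+
+  # -- ACME settings
+  # - acme:
+  # -- Email to use for ACME account
+  # email: "user@example.com"
+  # -- Secret resource to store ACME account's private key
+  # privateKeySecretRef:
+  # name: "acme-account-key"
+  # -- ACME server to use
+  # Examples:
+  # - https://acme-staging-v02.api.letsencrypt.org/directory
+  # - https://acme-v02.api.letsencrypt.org/directory
+  # server: "https://acme-staging-v02.api.letsencrypt.org/directory"
+  # -- ACME solvers to use (optional)
+  # You can specify multiple solvers for different challenges.
+  # solvers: []
+  # Examples:
+  # - dns01:
+  # -- AWS Route53 example
+  # route53:
+  # region: "us-east-1"
+  # accessKeyIDSecretRef:
+  # name: "aws-credentials"
+  # key: aws_access_key_id
+  # secretAccessKeySecretRef:
+  # name: "aws-credentials"
+  # key: aws_secret_access_key
+  # hostedZoneID: "hosted-zone-id"
+  # -- Azure example
+  # azureDNS:
+  # resourceGroupName: "my-resource-group"
+  # subscriptionID: "my-subscription-id"
+  # hostedZoneName: "my-hosted-zone-name"
+  # environment: "AzurePublicCloud"
+  # managedIdentity:
+  # clientID: "my-client-id"
+  # -- GCP example
+  # cloudDNS:
+  # project: "my-project"
+  # serviceAccountSecretRef:
+  # name: "my-service-account"
+  # key: "my-key"
+  # -- Cloudflare example
+  # cloudflare:
+  # apiTokenSecretRef:
+  # name: "my-api-key"
+  # key: "my-key"
+
+  # -- Cloud credentials to use for the cert-manager (optional)
+  # You can specify multiple cloud credentials for different cloud providers.
+  # Used in combination with the solvers to create the DNS records.
+  credentialsRequests: []
+  # -- AWS example
+  # - name: aws
+  # secretRef:
+  # name: "aws-credentials"
+  # namespace: "cert-manager"
+  # providerSpec:
+  # apiVersion: cloudcredential.openshift.io/v1
+  # kind: "AWSProviderSpec"
+  # statementEntries:
+  # - effect: Allow
+  # action:
+  # - route53:GetChange
+  # resource: "arn:aws:route53:::change/*"
+  # - effect: Allow
+  # action:
+  # - route53:ChangeResourceRecordSets
+  # - route53:ListResourceRecordSets
+  # resource: "arn:aws:route53:::hostedzone/*"
+  # -- Can be removed if you specify the (optional) hostedZoneID.
+  # - effect: Allow
+  # action:
+  # - route53:ListHostedZones
+  # resource: "*"
+  # -- Azure example
+  # - name: azure
+  # secretRef:
+  # name: "azure-credentials"
+  # namespace: "cert-manager"
+  # providerSpec:
+  # apiVersion: cloudcredential.openshift.io/v1
+  # kind: "AzureProviderSpec"
+  # roleBindings:
+  # - role: "DNS Zone Contributor"
+  # -- GCP example
+  # - name: gcp
+  # secretRef:
+  # name: "gcp-credentials"
+  # namespace: "cert-manager"
+  # providerSpec:
+  # apiVersion: cloudcredential.openshift.io/v1
+  # kind: "GCPProviderSpec"
+  # predefinedRoles:
+  # - "roles/dns.admin"
+  # gcpServiceAccount: "cert-manager-clusterName-dns"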
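Review bot: The default `nameservers` (`8.8.8.8:53`, `1.1.1.1:53`) are combined in the CertManager template with `--dns01-recursive-nameservers-only`, which routes every DNS01 self-check query to public resolvers — that discloses the challenge hostnames to a third party and fails outright on clusters with restricted egress, and the comment above `nameservers:` says neither; add `# NOTE: public resolvers are a convenience default; clusters with egress restrictions or private DNS must point this at their own recursive resolver.` The AWS `credentialsRequests` example grants `route53:ChangeResourceRecordSets` on `arn:aws:route53:::hostedzone/*`, i.e. write access to every zone in the account; a comment such as `# scope to arn:aws:route53:::hostedzone/<ZONE_ID> in production` would keep users from copying it as-is. `operatorChannel` does not appear to be referenced by any template in this commit; its comment should say where it is consumed, if it is consumed at all.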
