diff --git a/Makefile b/Makefile
index 2725650c..a80e1372 100644
--- a/Makefile
+++ b/Makefile
@@ -54,6 +54,9 @@ CERT_MANAGER_VERSION ?= v1.13.3
CONTROLLER_GEN_VERSION := 0.5.0
CONTROLLER_GEN := ${BIN}/controller-gen-${CONTROLLER_GEN_VERSION}
+# Helm tools
+HELM_TOOL_VERSION := v0.2.2
+
INSTALL_YAML ?= build/install.yaml
all: manager
@@ -114,6 +117,9 @@ undeploy:
manifests: controller-gen
$(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=manager-role webhook paths="./..." output:crd:artifacts:config=config/crd/bases
+helm-docs: helm-tool
+ $(HELM_TOOL) inject -i charts/aws-pca-issuer/values.yaml -o charts/aws-pca-issuer/README.md --header-search "^" --footer-search ""
+
# Run go fmt against code
fmt:
go fmt ./...
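Review bot: The new `helm-docs` target rewrites charts/aws-pca-issuer/README.md in place, yet it is neither a file target nor visibly declared phony; the file's `.PHONY` list is outside this hunk, so if it is not extended a stray file named `helm-docs` (or `helm-tool`) would make the target silently "up to date" and skip regeneration. Add `.PHONY: helm-docs helm-tool` next to the existing phony declaration. Because the generated README is committed alongside values.yaml, consider a CI step that runs `$(MAKE) helm-docs` and then `git diff --exit-code charts/aws-pca-issuer/README.md`, so the published chart documentation cannot drift from the values it describes.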
@@ -149,6 +155,10 @@ CONTROLLER_GEN = $(shell pwd)/bin/controller-gen
controller-gen:
$(call go-install-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen@v0.4.1)
+HELM_TOOL = $(shell pwd)/bin/helm-tool
+helm-tool:
+ $(call go-install-tool,$(HELM_TOOL),github.com/cert-manager/helm-tool@$(HELM_TOOL_VERSION))
+
# Download kustomize locally if necessary
KUSTOMIZE = $(shell pwd)/bin/kustomize
kustomize:
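Review bot: `HELM_TOOL = $(shell pwd)/bin/helm-tool` installs the pinned tool to an unversioned path, so bumping `HELM_TOOL_VERSION` (added in the first hunk) presumably will not reinstall it if `go-install-tool` skips an existing binary — that macro is defined outside this hunk, so please confirm. The file's newer convention for controller-gen, `CONTROLLER_GEN := ${BIN}/controller-gen-${CONTROLLER_GEN_VERSION}`, bakes the version into the path; mirroring it with `HELM_TOOL := ${BIN}/helm-tool-${HELM_TOOL_VERSION}` ties the installed binary to the pinned version and, being simply expanded, also stops re-forking `pwd` on every expansion of the recursive variable. The `$(shell pwd)` form on the neighbouring CONTROLLER_GEN and KUSTOMIZE lines is pre-existing and not introduced by this change.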
diff --git a/charts/aws-pca-issuer/README.md b/charts/aws-pca-issuer/README.md
new file mode 100644
index 00000000..62641b3e
--- /dev/null
+++ b/charts/aws-pca-issuer/README.md
@@ -0,0 +1,791 @@
+# AWS Private CA Issuer
+
+AWS Private CA is an AWS service that can setup and manage private CAs, as well as issue private certifiates.
+
+cert-manager is a Kubernetes add-on to automate the management and issuance of TLS certificates from various issuing sources.
+It will ensure certificates are valid and up to date periodically, and attempt to renew certificates at an appropriate time before expiry.
+
+This project acts as an addon (see https://cert-manager.io/docs/configuration/external/) to cert-manager that signs off certificate requests using AWS Private CA.
+
+## Values
+
+
+
+### AWS Private CA Issuer
+
+
+
+
+Property |
+Description |
+Type |
+Default |
+
+
+
+replicaCount |
+
+
+Number of replicas to run of the issuer
+
+ |
+number |
+
+
+```yaml
+1
+```
+
+ |
+
+
+
+image.repository |
+
+
+Image repository
+
+ |
+string |
+
+
+```yaml
+public.ecr.aws/k1n1h4h4/cert-manager-aws-privateca-issuer
+```
+
+ |
+
+
+
+image.pullPolicy |
+
+
+Image pull policy
+
+ |
+string |
+
+
+```yaml
+IfNotPresent
+```
+
+ |
+
+
+
+image.tag |
+
+
+Image tag
+
+ |
+string |
+
+
+```yaml
+""
+```
+
+ |
+
+
+
+disableApprovedCheck |
+
+
+Disable waiting for CertificateRequests to be Approved before signing
+
+ |
+bool |
+
+
+```yaml
+false
+```
+
+ |
+
+
+
+imagePullSecrets |
+
+
+Optional secrets used for pulling the container image
+
+For example:
+
+```yaml
+imagePullSecrets:
+- name: secret-name
+```
+
+ |
+array |
+
+
+```yaml
+[]
+```
+
+ |
+
+
+
+nameOverride |
+
+
+Override the name of the objects created by this chart
+
+ |
+string |
+
+
+```yaml
+""
+```
+
+ |
+
+
+
+fullnameOverride |
+
+
+Override the name of the objects created by this chart
+
+ |
+string |
+
+
+```yaml
+""
+```
+
+ |
+
+
+
+revisionHistoryLimit |
+
+
+Number deployment revisions to keep
+
+ |
+number |
+
+
+```yaml
+10
+```
+
+ |
+
+
+
+serviceAccount.create |
+
+
+Specifies whether a service account should be created
+
+ |
+bool |
+
+
+```yaml
+true
+```
+
+ |
+
+
+
+serviceAccount.annotations |
+
+
+Annotations to add to the service account
+
+ |
+object |
+
+
+```yaml
+{}
+```
+
+ |
+
+
+
+serviceAccount.name |
+
+
+The name of the service account to use.
+If not set and create is true, a name is generated using the fullname template
+
+ |
+string |
+
+
+```yaml
+""
+```
+
+ |
+
+
+
+rbac.create |
+
+
+Specifies whether RBAC should be created
+
+ |
+bool |
+
+
+```yaml
+true
+```
+
+ |
+
+
+
+service.type |
+
+
+Type of service to create
+
+ |
+string |
+
+
+```yaml
+ClusterIP
+```
+
+ |
+
+
+
+service.port |
+
+
+Port the service should listen on
+
+ |
+number |
+
+
+```yaml
+8080
+```
+
+ |
+
+
+
+podAnnotations |
+
+
+Annotations to add to the issuer Pod
+
+ |
+object |
+
+
+```yaml
+{}
+```
+
+ |
+
+
+
+podSecurityContext |
+
+
+Pod security context
+
+
+ |
+object |
+
+
+```yaml
+runAsUser: 65532
+```
+
+ |
+
+
+
+securityContext |
+
+
+Container security context
+
+
+ |
+object |
+
+
+```yaml
+allowPrivilegeEscalation: false
+```
+
+ |
+
+
+
+resources |
+
+
+Kubernetes pod resources requests/limits
+
+For example:
+
+```yaml
+resources:
+ limits:
+ cpu: 100m
+ memory: 128Mi
+ requests:
+ cpu: 100m
+ memory: 128Mi
+```
+
+ |
+object |
+
+
+```yaml
+{}
+```
+
+ |
+
+
+
+nodeSelector |
+
+
+Kubernetes node selector: node labels for pod assignment
+
+ |
+object |
+
+
+```yaml
+{}
+```
+
+ |
+
+
+
+tolerations |
+
+
+Kubernetes pod tolerations for cert-manager-csi-driver
+
+For example:
+
+```yaml
+tolerations:
+- operator: "Exists"
+```
+
+ |
+array |
+
+
+```yaml
+[]
+```
+
+ |
+
+
+
+affinity |
+
+
+A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core
+
+For example:
+
+```yaml
+affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: foo.bar.com/role
+ operator: In
+ values:
+ - master
+```
+
+ |
+object |
+
+
+```yaml
+{}
+```
+
+ |
+
+
+
+topologySpreadConstraints |
+
+
+List of Kubernetes TopologySpreadConstraints; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core
+
+For example:
+
+```yaml
+topologySpreadConstraints:
+- maxSkew: 1
+ topologyKey: topology.kubernetes.io/zone
+ whenUnsatisfiable: ScheduleAnyway
+ labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: aws-privateca-issuer
+```
+
+ |
+array |
+
+
+```yaml
+[]
+```
+
+ |
+
+
+
+env |
+
+
+Additional environment variables to set in the Pod
+
+
+ |
+object |
+
+
+```yaml
+null
+```
+
+ |
+
+
+
+podLabels |
+
+
+Additional labels to add to the Pod
+
+ |
+object |
+
+
+```yaml
+{}
+```
+
+ |
+
+
+
+volumes |
+
+
+Additional volumes on the operator container.
+
+ |
+array |
+
+
+```yaml
+[]
+```
+
+ |
+
+
+
+volumeMounts |
+
+
+Additional VolumeMounts on the operator container.
+
+ |
+array |
+
+
+```yaml
+[]
+```
+
+ |
+
+
+
+podDisruptionBudget |
+
+
+Configures a disruption budget for the deployment.
+
+Expects input structure similar to https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#poddisruptionbudgetspec-v1-policy. WITHOUT the pod selector, which is handled by the chart. Per https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#poddisruptionbudgetspec-v1-policy, `maxUnavailable` is mutually exclusive with `minAvailable`, you cannot set both.
+
+For example:
+
+```yaml
+podDisruptionBudget:
+ maxUnavailable: 1
+```
+
+Or:
+
+```yaml
+podDisruptionBudget:
+ minAvailable: 1
+```
+
+But NOT:
+
+```yaml
+podDisruptionBudget:
+ minAvailable: 1
+ maxUnavailable: 1
+```
+
+ |
+object |
+
+
+```yaml
+{}
+```
+
+ |
+
+
+
+### Autoscaling
+
+
+