diff --git a/Makefile b/Makefile index 2725650c..a80e1372 100644 --- a/Makefile +++ b/Makefile @@ -54,6 +54,9 @@ CERT_MANAGER_VERSION ?= v1.13.3 CONTROLLER_GEN_VERSION := 0.5.0 CONTROLLER_GEN := ${BIN}/controller-gen-${CONTROLLER_GEN_VERSION} +# Helm tools +HELM_TOOL_VERSION := v0.2.2 + INSTALL_YAML ?= build/install.yaml all: manager @@ -114,6 +117,9 @@ undeploy: manifests: controller-gen $(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=manager-role webhook paths="./..." output:crd:artifacts:config=config/crd/bases +helm-docs: helm-tool + $(HELM_TOOL) inject -i charts/aws-pca-issuer/values.yaml -o charts/aws-pca-issuer/README.md --header-search "^" --footer-search "" + # Run go fmt against code fmt: go fmt ./... @@ -149,6 +155,10 @@ CONTROLLER_GEN = $(shell pwd)/bin/controller-gen controller-gen: $(call go-install-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen@v0.4.1) +HELM_TOOL = $(shell pwd)/bin/helm-tool +helm-tool: + $(call go-install-tool,$(HELM_TOOL),github.com/cert-manager/helm-tool@$(HELM_TOOL_VERSION)) + # Download kustomize locally if necessary KUSTOMIZE = $(shell pwd)/bin/kustomize kustomize: diff --git a/charts/aws-pca-issuer/README.md b/charts/aws-pca-issuer/README.md new file mode 100644 index 00000000..62641b3e --- /dev/null +++ b/charts/aws-pca-issuer/README.md 
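Review bot: The `helm-docs` target rewrites charts/aws-pca-issuer/README.md from values.yaml, but nothing in this hunk verifies the committed README against its source, so the two drift silently after a values.yaml edit. If CI does not already do this, a sibling `verify-helm-docs` target that runs the same inject command and then `git diff --exit-code -- charts/aws-pca-issuer/README.md` would fail the build on stale docs. `helm-docs` and `helm-tool` are command targets, not files; if the Makefile's `.PHONY` list (outside this hunk) does not include them, a file with either name in the repo root would make them silently "up to date".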
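Review bot: `HELM_TOOL = $(shell pwd)/bin/helm-tool` uses recursive assignment, so `pwd` is forked on every expansion; `HELM_TOOL := $(CURDIR)/bin/helm-tool` is equivalent and evaluated once (the existing `CONTROLLER_GEN` line has the same shape, so this may be deliberate consistency). On the supply-chain side, `github.com/cert-manager/helm-tool@$(HELM_TOOL_VERSION)` pins a git tag, which upstream can move; `go install` verifies the resolved module against the Go checksum database by default, so the pin is acceptable as long as `go-install-tool` (defined outside this hunk) does not disable that with GONOSUMDB, GOFLAGS=-insecure or similar, which is worth confirming. A comment such as `# Pinned by tag; integrity relies on GOSUMDB verification inside go-install-tool` would record that assumption next to the version.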
@@ -0,0 +1,791 @@ +# AWS Private CA Issuer + +AWS Private CA is an AWS service that can setup and manage private CAs, as well as issue private certifiates. + +cert-manager is a Kubernetes add-on to automate the management and issuance of TLS certificates from various issuing sources. +It will ensure certificates are valid and up to date periodically, and attempt to renew certificates at an appropriate time before expiry. + +This project acts as an addon (see https://cert-manager.io/docs/configuration/external/) to cert-manager that signs off certificate requests using AWS Private CA. + +## Values + + + +### AWS Private CA Issuer + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
PropertyDescriptionTypeDefault
replicaCount + +Number of replicas to run of the issuer + +number + +```yaml +1 +``` + +
image.repository + +Image repository + +string + +```yaml +public.ecr.aws/k1n1h4h4/cert-manager-aws-privateca-issuer +``` + +
image.pullPolicy + +Image pull policy + +string + +```yaml +IfNotPresent +``` + +
image.tag + +Image tag + +string + +```yaml +"" +``` + +
disableApprovedCheck + +Disable waiting for CertificateRequests to be Approved before signing + +bool + +```yaml +false +``` + +
imagePullSecrets + +Optional secrets used for pulling the container image + +For example: + +```yaml +imagePullSecrets: +- name: secret-name +``` + +array + +```yaml +[] +``` + +
nameOverride + +Override the name of the objects created by this chart + +string + +```yaml +"" +``` + +
fullnameOverride + +Override the name of the objects created by this chart + +string + +```yaml +"" +``` + +
revisionHistoryLimit + +Number deployment revisions to keep + +number + +```yaml +10 +``` + +
serviceAccount.create + +Specifies whether a service account should be created + +bool + +```yaml +true +``` + +
serviceAccount.annotations + +Annotations to add to the service account + +object + +```yaml +{} +``` + +
serviceAccount.name + +The name of the service account to use. +If not set and create is true, a name is generated using the fullname template + +string + +```yaml +"" +``` + +
rbac.create + +Specifies whether RBAC should be created + +bool + +```yaml +true +``` + +
service.type + +Type of service to create + +string + +```yaml +ClusterIP +``` + +
service.port + +Port the service should listen on + +number + +```yaml +8080 +``` + +
podAnnotations + +Annotations to add to the issuer Pod + +object + +```yaml +{} +``` + +
podSecurityContext + +Pod security context + + +object + +```yaml +runAsUser: 65532 +``` + +
securityContext + +Container security context + + +object + +```yaml +allowPrivilegeEscalation: false +``` + +
resources + +Kubernetes pod resources requests/limits + +For example: + +```yaml +resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 100m + memory: 128Mi +``` + +object + +```yaml +{} +``` + +
nodeSelector + +Kubernetes node selector: node labels for pod assignment + +object + +```yaml +{} +``` + +
tolerations + +Kubernetes pod tolerations for cert-manager-csi-driver + +For example: + +```yaml +tolerations: +- operator: "Exists" +``` + +array + +```yaml +[] +``` + +
affinity + +A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core + +For example: + +```yaml +affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: foo.bar.com/role + operator: In + values: + - master +``` + +object + +```yaml +{} +``` + +
topologySpreadConstraints + +List of Kubernetes TopologySpreadConstraints; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core + +For example: + +```yaml +topologySpreadConstraints: +- maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + app.kubernetes.io/name: aws-privateca-issuer +``` + +array + +```yaml +[] +``` + +
env + +Additional environment variables to set in the Pod + + +object + +```yaml +null +``` + +
podLabels + +Additional labels to add to the Pod + +object + +```yaml +{} +``` + +
volumes + +Additional volumes on the operator container. + +array + +```yaml +[] +``` + +
volumeMounts + +Additional VolumeMounts on the operator container. + +array + +```yaml +[] +``` + +
podDisruptionBudget + +Configures a disruption budget for the deployment. + +Expects input structure similar to https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#poddisruptionbudgetspec-v1-policy. WITHOUT the pod selector, which is handled by the chart. Per https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#poddisruptionbudgetspec-v1-policy, `maxUnavailable` is mutually exclusive with `minAvailable`, you cannot set both. + +For example: + +```yaml +podDisruptionBudget: + maxUnavailable: 1 +``` + +Or: + +```yaml +podDisruptionBudget: + minAvailable: 1 +``` + +But NOT: + +```yaml +podDisruptionBudget: + minAvailable: 1 + maxUnavailable: 1 +``` + +object + +```yaml +{} +``` + +
+ +### Autoscaling + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
PropertyDescriptionTypeDefault
autoscaling.enabled + +Enable auto scaling using a HorizontalPodAutoscaler + +bool + +```yaml +false +``` + +
autoscaling.minReplicas + +Minimum number of replicas to deploy + +number + +```yaml +1 +``` + +
autoscaling.maxReplicas + +Maximum number of replicas to deploy + +number + +```yaml +100 +``` + +
autoscaling.targetCPUUtilizationPercentage + +CPU threshold to scale at as a percentage of the requested CPUs + +number + +```yaml +80 +``` + +
autoscaling.targetMemoryUtilizationPercentage + +Memory threshold to scale at as a percentage of the requested memory + + +number + +```yaml + +``` + +
+ +### Approver Role + + +Options for configuring a target ServiceAccount with the role to approve all awspca.cert-manager.io requests. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
PropertyDescriptionTypeDefault
approverRole.enabled + +Create the ClusterRole to allow the issuer to approve certificate requests + +bool + +```yaml +true +``` + +
approverRole.serviceAccountName + +Service account give approval permission + +string + +```yaml +cert-manager +``` + +
approverRole.namespace + +Namespace the service account resides in + +string + +```yaml +cert-manager +``` + +
+ +### Monitoring + + + + + + + + + + + + + + + + + + + + + + + +
PropertyDescriptionTypeDefault
serviceMonitor.create + +Create Prometheus ServiceMonitor + +bool + +```yaml +false +``` + +
serviceMonitor.annotations + +Annotations to add to the Prometheus ServiceMonitor + +object + +```yaml +{} +``` + +
+ + \ No newline at end of file diff --git a/charts/aws-pca-issuer/values.yaml b/charts/aws-pca-issuer/values.yaml index 4d66207c..8f705193 100644 --- a/charts/aws-pca-issuer/values.yaml +++ b/charts/aws-pca-issuer/values.yaml @@ -1,19 +1,33 @@ -# Default values for aws-pca-issuer. +# +docs:section=AWS Private CA Issuer +# Number of replicas to run of the issuer replicaCount: 1 image: + # Image repository repository: public.ecr.aws/k1n1h4h4/cert-manager-aws-privateca-issuer + # Image pull policy pullPolicy: IfNotPresent + # Image tag tag: "" # Disable waiting for CertificateRequests to be Approved before signing disableApprovedCheck: false +# Optional secrets used for pulling the container image +# +# For example: +# imagePullSecrets: +# - name: secret-name imagePullSecrets: [] + +# Override the name of the objects created by this chart nameOverride: "" + +# Override the name of the objects created by this chart fullnameOverride: "" +# Number deployment revisions to keep revisionHistoryLimit: 10 serviceAccount: 
@@ -30,47 +44,63 @@ rbac: create: true service: + # Type of service to create type: ClusterIP + # Port the service should listen on port: 8080 - -# Options for configuring a target ServiceAccount with the role to approve -# all awspca.cert-manager.io requests. -approverRole: - enabled: true - serviceAccountName: cert-manager - namespace: cert-manager - -serviceMonitor: - create: false - annotations: {} - labels: {} - +# Annotations to add to the issuer Pod podAnnotations: {} +# Pod security context +# +docs:property podSecurityContext: runAsUser: 65532 +# Container security context +# +docs:property securityContext: allowPrivilegeEscalation: false +# Kubernetes pod resources requests/limits +# +# For example: +# resources: +# limits: +# cpu: 100m +# memory: 128Mi +# requests: +# cpu: 100m +# memory: 128Mi resources: {} -autoscaling: - enabled: false - minReplicas: 1 - maxReplicas: 100 - targetCPUUtilizationPercentage: 80 - # targetMemoryUtilizationPercentage: 80 - +# Kubernetes node selector: node labels for pod assignment nodeSelector: {} +# Kubernetes pod tolerations for cert-manager-csi-driver +# +# For example: +# tolerations: +# - operator: "Exists" tolerations: [] +# A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core +# +# For example: +# affinity: +# nodeAffinity: +# requiredDuringSchedulingIgnoredDuringExecution: +# nodeSelectorTerms: +# - matchExpressions: +# - key: foo.bar.com/role +# operator: In +# values: +# - master affinity: {} -# expects input structure as per specification https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#topologyspreadconstraint-v1-core -# for example: +# List of Kubernetes TopologySpreadConstraints; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core +# +# For example: # topologySpreadConstraints: # - maxSkew: 1 # topologyKey: topology.kubernetes.io/zone 
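Review bot: The new comment on `tolerations`, `# Kubernetes pod tolerations for cert-manager-csi-driver`, names a different project and appears copied from the csi-driver chart; it should read `# Kubernetes pod tolerations for the aws-privateca-issuer Pod`, and the generated README repeats the wrong text. The `# Pod security context` and `# Container security context` comments tagged `+docs:property` would help operators more if they said what the shipped defaults achieve, e.g. `# Pod security context; by default the issuer runs as the non-root UID 65532` and `# Container security context; by default privilege escalation is disabled`, both of which the values directly below establish. The `approverRole`, `serviceMonitor` and `autoscaling` blocks are removed here and re-added later in the file, so no behavioural change is expected from this hunk itself.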
@@ -80,8 +110,11 @@ affinity: {} # app.kubernetes.io/name: aws-privateca-issuer topologySpreadConstraints: [] +# Additional environment variables to set in the Pod +# +docs:type=object env: +# Additional labels to add to the Pod podLabels: {} # Additional volumes on the operator container. 
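Review bot: `# +docs:type=object` on `env:` documents the value as a map, but the Kubernetes container `env` field is a list of `{name, value}` entries; whether the deployment template expects a list it passes through or a map it converts is not visible in this hunk, so confirm against the template and, if it is a list, change the tag to `+docs:type=array`. Either way the `null` default is rendered bare in the README, so a short example in the same style as `tolerations` (a `# For example:` block showing one entry with `name:` and `value:`) would make the expected shape clear to chart users.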
@@ -90,21 +123,60 @@ volumes: [] # Additional VolumeMounts on the operator container. volumeMounts: [] -# expects input structure similar to https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#poddisruptionbudgetspec-v1-policy -# EXCEPT pod selector is defined by this helm template's `aws-privateca-issuer.selectorLabels` template function. per -# https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#poddisruptionbudgetspec-v1-policy, `maxUnavailable` is mutually -# exclusive with `minAvailable`. you cannot choose both. +# Configures a disruption budget for the deployment. +# +# Expects input structure similar to https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#poddisruptionbudgetspec-v1-policy +# WITHOUT the pod selector, which is handled by the chart. +# Per https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#poddisruptionbudgetspec-v1-policy, `maxUnavailable` is mutually +# exclusive with `minAvailable`, you cannot set both. # -# for example: +# For example: # podDisruptionBudget: # maxUnavailable: 1 # -# or: +# Or: # podDisruptionBudget: # minAvailable: 1 # -# but NOT: +# But NOT: # podDisruptionBudget: # minAvailable: 1 # maxUnavailable: 1 podDisruptionBudget: {} + +# +docs:section=Autoscaling + +autoscaling: + # Enable auto scaling using a HorizontalPodAutoscaler + enabled: false + # Minimum number of replicas to deploy + minReplicas: 1 + # Maximum number of replicas to deploy + maxReplicas: 100 + # CPU threshold to scale at as a percentage of the requested CPUs + targetCPUUtilizationPercentage: 80 + # Memory threshold to scale at as a percentage of the requested memory + # +docs:property + # targetMemoryUtilizationPercentage: 80 + +# +docs:section=Approver Role +# Options for configuring a target ServiceAccount with the role to approve +# all awspca.cert-manager.io requests. 
+ +approverRole: + # Create the ClusterRole to allow the issuer to approve certificate requests + enabled: true + # Service account give approval permission + serviceAccountName: cert-manager + # Namespace the service account resides in + namespace: cert-manager + +# +docs:section=Monitoring + +serviceMonitor: + # Create Prometheus ServiceMonitor + create: false + # Annotations to add to the Prometheus ServiceMonitor + annotations: {} + # Labels to add to the Prometheus ServiceMonitor + labels: {} \ No newline at end of file
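Review bot: The new comment `# Create the ClusterRole to allow the issuer to approve certificate requests` misstates who receives the permission: the values grant it to `approverRole.serviceAccountName` (default `cert-manager` in namespace `cert-manager`), i.e. the cert-manager controller's service account, not the issuer, which the section comment just above also says (the binding template is outside this hunk, so confirm there). Suggested wording: `# Create a ClusterRole and binding granting approverRole.serviceAccountName permission to approve CertificateRequests for awspca.cert-manager.io issuers`, ideally with the caveat that this is a cluster-wide approval grant and that the alternative, `disableApprovedCheck`, removes the approval gate altogether rather than delegating it. `# Service account give approval permission` is ungrammatical; `# Service account to grant approval permission to` reads correctly and matches the README output.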