Move the ubbagent to inside the main cert-manager deployment

Signed-off-by: Maël Valais <mael@vls.dev>

Author: maelvls

README.md

@@ -494,8 +494,8 @@ helm template "$APP_INSTANCE_NAME" chart/jetstack-secure-gcm \
   --set preflight.image.tag="$TAG" \
   --set preflight.serviceAccount.create=true \
   --set preflight.rbac.create=true \
-  --set ubbagent.image.tag="$TAG" \
-  --set ubbagent.reportingSecretName=$APP_INSTANCE_NAME-license \
+  --set cert-manager.ubbagent.image.tag="$TAG" \
+  --set cert-manager.ubbagent.reportingSecretName=$APP_INSTANCE_NAME-license \
   > "${APP_INSTANCE_NAME}_manifest.yaml"
 ```
 
@@ -508,7 +508,7 @@ helm template "$APP_INSTANCE_NAME" chart/jetstack-secure-gcm \
 > --set cert-manager.webhook.image.repository=marketplace.gcr.io/jetstack-public/jetstack-secure-for-cert-manager/cert-manager-webhook
 > --set google-cas-issuer.image.repository=marketplace.gcr.io/jetstack-public/jetstack-secure-for-cert-manager/cert-manager-google-cas-issuer
 > --set preflight.image.repository=marketplace.gcr.io/jetstack-public/jetstack-secure-for-cert-manager/preflight
-> --set ubbagent.image.repository=marketplace.gcr.io/jetstack-public/jetstack-secure-for-cert-manager/ubbagent
+> --set cert-manager.ubbagent.image.repository=marketplace.gcr.io/jetstack-public/jetstack-secure-for-cert-manager/ubbagent
 > ```
 
 #### Apply the manifest to your Kubernetes cluster

chart/jetstack-secure-gcm/charts/cert-manager/templates/_helpers.tpl

@@ -45,15 +45,6 @@ Create the name of the service account to use
 Webhook templates
 */}}
 
-{{/*
-Expand the name of the chart.
-Manually fix the 'app' and 'name' labels to 'webhook' to maintain
-compatibility with the v0.9 deployment selector.
-*/}}
-{{- define "webhook.name" -}}
-{{- printf "webhook" -}}
-{{- end -}}
-
 {{/*
 Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
@@ -90,15 +81,6 @@ Create the name of the service account to use
 cainjector templates
 */}}
 
-{{/*
-Expand the name of the chart.
-Manually fix the 'app' and 'name' labels to 'cainjector' to maintain
-compatibility with the v0.9 deployment selector.
-*/}}
-{{- define "cainjector.name" -}}
-{{- printf "cainjector" -}}
-{{- end -}}
-
 {{/*
 Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).

chart/jetstack-secure-gcm/charts/cert-manager/templates/deployment.yaml

@@ -69,6 +69,9 @@ spec:
       {{- end }}
       {{- if .Values.volumes }}
       volumes:
+        - name: ubbagent-config
+          configMap:
+            name: ubbagent-config
 {{ toYaml .Values.volumes | indent 8 }}
       {{- end }}
       containers:
@@ -137,6 +140,33 @@ spec:
           {{- end }}
           resources:
 {{ toYaml .Values.resources | indent 12 }}
+        - name: ubbagent
+          image: "{{ .Values.ubbagent.image.repository }}:{{ .Values.ubbagent.image.tag }}"
+          env:
+            - name: AGENT_CONFIG_FILE
+              value: "/etc/ubbagent/config.yaml"
+            - name: AGENT_LOCAL_PORT
+              value: "4567"
+            - name: AGENT_ENCODED_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: {{ default (print (.Release.Name | trunc 63 | trimSuffix "-") "-license") .Values.ubbagent.reportingSecretName }}
+                  key: reporting-key
+            - name: AGENT_CONSUMER_ID
+              valueFrom:
+                secretKeyRef:
+                  name: {{ default (print (.Release.Name | trunc 63 | trimSuffix "-") "-license") .Values.ubbagent.reportingSecretName }}
+                  key: consumer-id
+          volumeMounts:
+            - name: ubbagent-config
+              mountPath: /etc/ubbagent
+          resources:
+            limits:
+              cpu: 200m
+              memory: 100Mi
+            requests:
+              cpu: 10m
+              memory: 20Mi
     {{- with .Values.nodeSelector }}
       nodeSelector:
 {{ toYaml . | indent 8 }}

chart/jetstack-secure-gcm/charts/cert-manager/values.yaml

@@ -1,3 +1,13 @@
+# GCM-specific Helm values added by Mael.
+ubbagent:
+  # By default, the reportingSecretName will be set to
+  #  ${helm-release}-license.
+  #
+  # reportingSecretName: chartname-license
+  image:
+    repository: gcr.io/cloud-marketplace-tools/metering/ubbagent
+    tag: latest
+
 # Default values for cert-manager.
 # This is a YAML-formatted file.
 # Declare variables to be passed into your templates.
@@ -28,7 +38,8 @@ installCRDs: false
 
 replicaCount: 1
 
-strategy: {}
+strategy:
+  {}
   # type: RollingUpdate
   # rollingUpdate:
   #   maxSurge: 0
@@ -67,7 +78,8 @@ serviceAccount:
   # annotations: {}
 
 # Optional additional arguments
-extraArgs: []
+extraArgs:
+  []
   # Use this flag to set a namespace that cert-manager will use to store
   # supporting resources required for each ClusterIssuer (default is kube-system)
   # - --cluster-resource-namespace=kube-system
@@ -78,7 +90,8 @@ extraEnv: []
 # - name: SOME_VAR
 #   value: 'some value'
 
-resources: {}
+resources:
+  {}
   # requests:
   #   cpu: 10m
   #   memory: 32Mi
@@ -100,14 +113,14 @@ securityContext: {}
 
 # Container Security Context to be set on the controller component container
 # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
-containerSecurityContext: {}
+containerSecurityContext:
+  {}
   # capabilities:
   #   drop:
   #   - ALL
   # readOnlyRootFilesystem: true
   # runAsNonRoot: true
 
-
 volumes: []
 
 volumeMounts: []
@@ -133,7 +146,8 @@ podLabels: {}
 
 nodeSelector: {}
 
-ingressShim: {}
+ingressShim:
+  {}
   # defaultIssuerName: ""
   # defaultIssuerKind: ""
   # defaultIssuerGroup: ""
@@ -180,7 +194,8 @@ webhook:
   replicaCount: 1
   timeoutSeconds: 10
 
-  strategy: {}
+  strategy:
+    {}
     # type: RollingUpdate
     # rollingUpdate:
     #   maxSurge: 0
@@ -190,7 +205,8 @@ webhook:
 
   # Container Security Context to be set on the webhook component container
   # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
-  containerSecurityContext: {}
+  containerSecurityContext:
+    {}
     # capabilities:
     #   drop:
     #   - ALL
@@ -212,7 +228,8 @@ webhook:
   # Optional additional arguments for webhook
   extraArgs: []
 
-  resources: {}
+  resources:
+    {}
     # requests:
     #   cpu: 10m
     #   memory: 32Mi
@@ -288,7 +305,8 @@ cainjector:
   enabled: true
   replicaCount: 1
 
-  strategy: {}
+  strategy:
+    {}
     # type: RollingUpdate
     # rollingUpdate:
     #   maxSurge: 0
@@ -298,14 +316,14 @@ cainjector:
 
   # Container Security Context to be set on the cainjector component container
   # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
-  containerSecurityContext: {}
+  containerSecurityContext:
+    {}
     # capabilities:
     #   drop:
     #   - ALL
     # readOnlyRootFilesystem: true
     # runAsNonRoot: true
 
-
   # Optional additional annotations to add to the cainjector Deployment
   # deploymentAnnotations: {}
 
@@ -315,7 +333,8 @@ cainjector:
   # Optional additional arguments for cainjector
   extraArgs: []
 
-  resources: {}
+  resources:
+    {}
     # requests:
     #   cpu: 10m
     #   memory: 32Mi

chart/jetstack-secure-gcm/templates/billing-agent-deployment.yaml

@@ -35,6 +35,15 @@ cert-manager:
       repository: marketplace.gcr.io/jetstack-public/jetstack-secure-for-cert-manager/cert-manager-cainjector
       tag: 1.1.0-gcm.1
 
+  ubbagent:
+    # By default, the reportingSecretName will be set to
+    #  ${helm-release}-license.
+    #
+    # reportingSecretName: chartname-license
+    image:
+      repository: marketplace.gcr.io/jetstack-public/jetstack-secure-for-cert-manager/ubbagent
+      tag: 1.1.0-gcm.1
+
 google-cas-issuer:
   nameOverride: jetstack-secure-gcm
   installCRDs: true
@@ -54,12 +63,3 @@ preflight:
   image:
     repository: marketplace.gcr.io/jetstack-public/jetstack-secure-for-cert-manager/preflight
     tag: 1.1.0-gcm.1
-
-ubbagent:
-  # By default, the reportingSecretName will be set to
-  #  ${helm-release}-license.
-  #
-  # reportingSecretName: chartname-license
-  image:
-    repository: marketplace.gcr.io/jetstack-public/jetstack-secure-for-cert-manager/ubbagent
-    tag: 1.1.0-gcm.1

chart/jetstack-secure-gcm/values.yaml

@@ -76,9 +76,9 @@ x-google-marketplace:
           type: TAG
     ubbagent:
       properties:
-        ubbagent.image.repository:
+        cert-manager.ubbagent.image.repository:
           type: REPO_WITH_REGISTRY
-        ubbagent.image.tag:
+        cert-manager.ubbagent.image.tag:
           type: TAG
 
   # Allow the deployer to create CRDs and webhook configurations. See:
@@ -388,7 +388,7 @@ properties:
                 verbs: ["get", "list"]
 
   # https://github.com/GoogleCloudPlatform/marketplace-k8s-app-tools/blob/64181be/docs/billing-integration.md
-  ubbagent.reportingSecretName:
+  cert-manager.ubbagent.reportingSecretName:
     type: string
     x-google-marketplace:
       type: REPORTING_SECRET