From 4cf42b3ff731b1726bf9e5f8b96adf4b5fefbe8b Mon Sep 17 00:00:00 2001
From: Dmytro Kovalenko
Date: Wed, 31 Jan 2024 00:20:31 +0200
Subject: [PATCH] feat(keda): Allow using own Cert-manager Issuer/ClusterIssuer for issuing KEDA TLS certificates (#530)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* feat(keda): :sparkles: Allow providing own cert-manager issuer in TLS certificate

Signed-off-by: Dmytro Kovalenko

* docs(keda): :memo: Generate Helm docs

Signed-off-by: Dmytro Kovalenko

* fix(keda): :bug: Inject CA from cert-manager Certificate when providing own Issuer

Signed-off-by: Dmytro Kovalenko

* refactor(keda): :recycle: Refactor values format

Signed-off-by: Dmytro Kovalenko

* revert(keda): :rewind: Revert unnecessary auto-formatting

Signed-off-by: Dmytro Kovalenko

* chore: Improve the CI on PRs to be more efficient (#540)

Signed-off-by: Jorge Turrado
Signed-off-by: Jorge Turrado
Signed-off-by: Dmytro Kovalenko

* fix(http-add-on): Refactor the chart for next version (#523)

Signed-off-by: Dmytro Kovalenko

* feat(add-on): Supporting streamInterval configuration (#541)

Signed-off-by: Dmytro Kovalenko

* chore(add-on): Ship Release 0.6.0 (#543)

Signed-off-by: Dmytro Kovalenko

* chore: update versions in README.md (#546)

Signed-off-by: Dmytro Kovalenko

* feat: update crd to allow vault secret to handle write operation (#548)

Signed-off-by: Loïs Postula
Signed-off-by: Dmytro Kovalenko

* Fix the svc name of webhook to avoid breaking istio (#551)

Signed-off-by: Dmytro Kovalenko

* Show only logs with a severity level of ERROR or higher in the stderr (#506)

Signed-off-by: Adarsh-verma-14
Signed-off-by: Dmytro Kovalenko

* Support profiling for keda components (#549)

Signed-off-by: yuval weber
Signed-off-by: unknown
Co-authored-by: Tom Kerkhove
Signed-off-by: Dmytro Kovalenko

* Fix TriggerAuthentication - added configuration for validation webhook (#553)
Signed-off-by: Dmytro Kovalenko

* fix: Declare missing port in KEDA operator (#552)

Signed-off-by: Dmytro Kovalenko

* Allow image registry override for all keda components (#557)

Signed-off-by: Dmytro Kovalenko

* docs: Clarify that contributors do not have to ship Helm chart (#573)

Signed-off-by: Dmytro Kovalenko

* add disable-compression arg for both operator and metrics-server (#554)

Signed-off-by: Adarsh-verma-14
Signed-off-by: Dmytro Kovalenko

* feat: Introduce CloudEventSources CRD and adding ClusterName parameter (#572)

* Add CloudEventSources Crd and ClusterName Parameter

Signed-off-by: SpiritZhou

* Update

Signed-off-by: SpiritZhou

* Update

Signed-off-by: SpiritZhou

* Update keda/values.yaml

Co-authored-by: Tom Kerkhove
Signed-off-by: SpiritZhou

* Fix

Signed-off-by: SpiritZhou

* Update

Signed-off-by: SpiritZhou

* Revert unnecessary update

Signed-off-by: SpiritZhou

---------

Signed-off-by: SpiritZhou
Co-authored-by: Tom Kerkhove
Signed-off-by: Dmytro Kovalenko

* store 2.12.1 package at `main` (#577)

Signed-off-by: Zbynek Roubalik
Signed-off-by: Dmytro Kovalenko

* fix: restore http-add-on chart 0.6.0 indexing (#579)

Signed-off-by: Dmytro Kovalenko

* fix(add-on): Use 'main' tag for KEDA installation during CI (#582)

Signed-off-by: Dmytro Kovalenko

* set securityContext for http-add-on chart (#561)

Co-authored-by: Tom Kerkhove
Signed-off-by: Dmytro Kovalenko

* Fix http-add-on operator resources (#567)

Signed-off-by: Dmytro Kovalenko

* Fix http-add-on verbosity configuration (#568)

Signed-off-by: Dmytro Kovalenko

* chore: Adjust RBAC with code (#585)

* chore: Adjust RBAC with code

Signed-off-by: Jorge Turrado

* fix typo

Signed-off-by: Jorge Turrado

---------

Signed-off-by: Jorge Turrado
Signed-off-by: Dmytro Kovalenko

* fix: Don't recreate CA with 8 months until it expires (#586)

Signed-off-by: Jorge Turrado Ferrero
Signed-off-by: Dmytro Kovalenko

* feat(ClusterRole): Add RBAC rule to allow access to `LimitRange` (#588)
Signed-off-by: Dmytro Kovalenko

* remove not required insecureSkipTLSVerify (#564)

Signed-off-by: Frank Kloeker
Signed-off-by: Dmytro Kovalenko

* Update templates/webhooks deployment (#590)

Align deployment for extraVolumes and extraVolumesMount to fix the problem

Error: YAML parse error on keda/templates/webhooks/deployment.yaml: error converting YAML to JSON: yaml: line 96: did not find expected key

Signed-off-by: ferndem <39851927+ferndem@users.noreply.github.com>
Signed-off-by: Dmytro Kovalenko

* Fix Prometheus metrics handling for the operator. (#555)

The current state of the Helm chart is slightly confusing, because:
- There's no easy way to really disable prometheus metrics -- `--enable-prometheus-metrics` defaults to true and the current code either emits `--enable-prometheus-metrics=true` or nothing at all (making it `true` once again).
- The `http` container port is actually a `metrics` port (by convention from e.g. webhook), but is present regardless of whether Prometheus metrics are enabled or not. To make it less confusing, this PR proposes renaming it.

Signed-off-by: Milan Plzik
Signed-off-by: Jorge Turrado Ferrero
Co-authored-by: Jorge Turrado Ferrero
Signed-off-by: Dmytro Kovalenko

* Fix Remove app.kubernetes.io/instance label in crd (#556)

Signed-off-by: choisungwook
Signed-off-by: Dmytro Kovalenko

* Support crd-specific annotations (#584)

* support crd-specific annotations

Signed-off-by: Adam Walford

* update readme

Signed-off-by: Adam Walford

* update docs using helm-docs

Signed-off-by: Adam Walford

---------

Signed-off-by: Adam Walford
Co-authored-by: Adam Walford
Co-authored-by: Tom Kerkhove
Signed-off-by: Dmytro Kovalenko

* Add ciliumnetworkpolicies (#558)

Signed-off-by: Dmytro Kovalenko

* Add tlsConfig for ServiceMonitor (#591)

Co-authored-by: guicholeo
Signed-off-by: Dmytro Kovalenko

* Release 2.13.0 (#593)

Signed-off-by: Dmytro Kovalenko

* fix: Ship v2.13.1 with missing RoleBinding (#595)

Signed-off-by: Jorge Turrado
Signed-off-by: Dmytro Kovalenko

* chore(add-on): Apply HTTP Add-on changes on Helm chart (#598)

Signed-off-by: Dmytro Kovalenko

* chore(add-on): Release v0.7.0 (#599)

Signed-off-by: Jorge Turrado
Signed-off-by: Dmytro Kovalenko

* refactor: Unify cert-manager annotations

Signed-off-by: Dmytro Kovalenko

---------

Signed-off-by: Dmytro Kovalenko
Signed-off-by: Jorge Turrado
Signed-off-by: Jorge Turrado
Signed-off-by: Loïs Postula
Signed-off-by: Adarsh-verma-14
Signed-off-by: yuval weber
Signed-off-by: unknown
Signed-off-by: SpiritZhou
Signed-off-by: Zbynek Roubalik
Signed-off-by: Jorge Turrado Ferrero
Signed-off-by: Frank Kloeker
Signed-off-by: ferndem <39851927+ferndem@users.noreply.github.com>
Signed-off-by: Milan Plzik
Signed-off-by: choisungwook
Signed-off-by: Adam Walford Co-authored-by: Dmytro Kovalenko Co-authored-by: Jorge Turrado Ferrero Co-authored-by: Loïs Postula Co-authored-by: Roy Gao <137811914+congzhegao@users.noreply.github.com> Co-authored-by: Adarsh Verma <113962919+Adarsh-verma-14@users.noreply.github.com> Co-authored-by: yuval weber Co-authored-by: Tom Kerkhove Co-authored-by: Radek Fojtik <68660951+radekfojtik@users.noreply.github.com> Co-authored-by: Quentin Bisson Co-authored-by: SpiritZhou Co-authored-by: Zbynek Roubalik Co-authored-by: Frank Kloeker Co-authored-by: Andrew <35912177+aballman@users.noreply.github.com> Co-authored-by: Bhargav Ravuri Co-authored-by: ferndem <39851927+ferndem@users.noreply.github.com> Co-authored-by: Milan Plžík <4592597+mplzik@users.noreply.github.com> Co-authored-by: choisungwook Co-authored-by: Adam Walford <34867732+awalford16@users.noreply.github.com> Co-authored-by: Adam Walford Co-authored-by: guicholeo Co-authored-by: Jan Wozniak --- keda/README.md | 7 +++++++ keda/templates/cert-manager/keda-issuer.yaml | 4 ++-- .../cert-manager/keda-tls-certificate.yaml | 16 ++++++++++++++-- keda/templates/cert-manager/self-ca.yaml | 2 +- keda/templates/cert-manager/self-issuer.yaml | 4 ++-- keda/templates/metrics-server/apiservice.yaml | 6 +++--- .../webhooks/validatingconfiguration.yaml | 6 +++--- keda/values.yaml | 14 ++++++++++++++ 8 files changed, 46 insertions(+), 13 deletions(-) diff --git a/keda/README.md b/keda/README.md index 25c90690..b9137bfa 100644 --- a/keda/README.md +++ b/keda/README.md 
@@ -64,8 +64,15 @@ their default values. | `asciiArt` | bool | `true` | Capability to turn on/off ASCII art in Helm installation notes | | `certificates.autoGenerated` | bool | `true` | Enables the self generation for KEDA TLS certificates inside KEDA operator | | `certificates.certManager.caSecretName` | string | `"kedaorg-ca"` | Secret name where the CA is stored (generatedby cert-manager or user given) | +| `certificates.certManager.duration` | string | `"8760h0m0s"` | Certificate duration | | `certificates.certManager.enabled` | bool | `false` | Enables Cert-manager for certificate management | | `certificates.certManager.generateCA` | bool | `true` | Generates a self-signed CA with Cert-manager. If generateCA is false, the secret with the CA has to be annotated with `cert-manager.io/allow-direct-injection: "true"` | +| `certificates.certManager.issuer` | object | `{"generate":true,"group":"cert-manager.io","kind":"ClusterIssuer","name":"foo-org-ca"}` | Reference to custom Issuer. If issuer.generate is false, then issuer.group, issuer.kind and issuer.name are required | +| `certificates.certManager.issuer.generate` | bool | `true` | Generates an Issuer resource with Cert-manager | +| `certificates.certManager.issuer.group` | string | `"cert-manager.io"` | Custom Issuer group. Required when generate: false | +| `certificates.certManager.issuer.kind` | string | `"ClusterIssuer"` | Custom Issuer kind. Required when generate: false | +| `certificates.certManager.issuer.name` | string | `"foo-org-ca"` | Custom Issuer name. 
Required when generate: false | +| `certificates.certManager.renewBefore` | string | `"5840h0m0s"` | Certificate renewal time before expiration | | `certificates.certManager.secretTemplate` | object | `{}` | Add labels/annotations to secrets created by Certificate resources [docs](https://cert-manager.io/docs/usage/certificate/#creating-certificate-resources) | | `certificates.mountPath` | string | `"/certs"` | Path where KEDA TLS certificates are mounted | | `certificates.secretName` | string | `"kedaorg-certs"` | Secret name to be mounted with KEDA TLS certificates | diff --git a/keda/templates/cert-manager/keda-issuer.yaml b/keda/templates/cert-manager/keda-issuer.yaml index 3840f276..1f3d28d4 100644 --- a/keda/templates/cert-manager/keda-issuer.yaml +++ b/keda/templates/cert-manager/keda-issuer.yaml @@ -1,4 +1,4 @@ -{{- if .Values.certificates.certManager.enabled }} +{{- if and .Values.certificates.certManager.enabled .Values.certificates.certManager.issuer.generate }} apiVersion: cert-manager.io/v1 kind: Issuer metadata: @@ -11,4 +11,4 @@ metadata: spec: ca: secretName: {{ .Values.certificates.certManager.caSecretName }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/keda/templates/cert-manager/keda-tls-certificate.yaml b/keda/templates/cert-manager/keda-tls-certificate.yaml index 8b4e210f..8b74bc11 100644 --- a/keda/templates/cert-manager/keda-tls-certificate.yaml +++ b/keda/templates/cert-manager/keda-tls-certificate.yaml 
@@ -25,10 +25,22 @@ spec: privateKey: algorithm: RSA size: 2048 - duration: 8760h0m0s # 1 year - renewBefore: 5840h0m0s # 8 months + duration: {{ .Values.certificates.certManager.duration }} + renewBefore: {{ .Values.certificates.certManager.renewBefore }} issuerRef: + {{- if .Values.certificates.certManager.issuer.generate }} name: {{ .Values.operator.name }}-issuer kind: Issuer group: cert-manager.io + {{- else }} + {{- if .Values.certificates.certManager.issuer.name }} + name: {{ .Values.certificates.certManager.issuer.name }} + {{- end }} + {{- if .Values.certificates.certManager.issuer.kind }} + kind: {{ .Values.certificates.certManager.issuer.kind }} + {{- end }} + {{- if .Values.certificates.certManager.issuer.group }} + group: {{ .Values.certificates.certManager.issuer.group }} + {{- end }} + {{- end }} {{- end }} diff --git a/keda/templates/cert-manager/self-ca.yaml b/keda/templates/cert-manager/self-ca.yaml index 6389cefb..7eb1f82b 100644 --- a/keda/templates/cert-manager/self-ca.yaml +++ b/keda/templates/cert-manager/self-ca.yaml @@ -1,4 +1,4 @@ -{{- if and .Values.certificates.certManager.enabled .Values.certificates.certManager.generateCA }} +{{- if and .Values.certificates.certManager.enabled .Values.certificates.certManager.generateCA .Values.certificates.certManager.issuer.generate }} apiVersion: cert-manager.io/v1 kind: Certificate metadata: diff --git a/keda/templates/cert-manager/self-issuer.yaml b/keda/templates/cert-manager/self-issuer.yaml index b2ce2a55..55a8b5c1 100644 --- a/keda/templates/cert-manager/self-issuer.yaml +++ b/keda/templates/cert-manager/self-issuer.yaml @@ -1,4 +1,4 @@ -{{- if and .Values.certificates.certManager.enabled .Values.certificates.certManager.generateCA }} +{{- if and .Values.certificates.certManager.enabled .Values.certificates.certManager.generateCA .Values.certificates.certManager.issuer.generate }} apiVersion: cert-manager.io/v1 kind: Issuer metadata: 
@@ -10,4 +10,4 @@ metadata: namespace: {{ .Release.Namespace }} spec: selfSigned: {} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/keda/templates/metrics-server/apiservice.yaml b/keda/templates/metrics-server/apiservice.yaml index ac7424fe..ec44d6b2 100644 --- a/keda/templates/metrics-server/apiservice.yaml +++ b/keda/templates/metrics-server/apiservice.yaml @@ -4,10 +4,10 @@ metadata: {{- if or .Values.certificates.certManager.enabled .Values.additionalAnnotations }} annotations: {{- if .Values.certificates.certManager.enabled }} - {{- if .Values.certificates.certManager.generateCA }} - cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ .Values.operator.name }}-ca - {{- else }} + {{- if and (not .Values.certificates.certManager.generateCA) .Values.certificates.certManager.issuer.generate }} cert-manager.io/inject-ca-from-secret: {{ .Release.Namespace }}/{{ .Values.certificates.certManager.caSecretName }} + {{- else }} + cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ .Values.operator.name }}-tls-certificates {{- end }} {{- end }} {{- if .Values.additionalAnnotations }} diff --git a/keda/templates/webhooks/validatingconfiguration.yaml b/keda/templates/webhooks/validatingconfiguration.yaml index 0b4ccf5f..0b462309 100644 --- a/keda/templates/webhooks/validatingconfiguration.yaml +++ b/keda/templates/webhooks/validatingconfiguration.yaml 
@@ -5,10 +5,10 @@ metadata: {{- if or .Values.certificates.certManager.enabled .Values.additionalAnnotations }} annotations: {{- if .Values.certificates.certManager.enabled }} - {{- if .Values.certificates.certManager.generateCA }} - cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ .Values.operator.name }}-ca - {{- else }} + {{- if and (not .Values.certificates.certManager.generateCA) .Values.certificates.certManager.issuer.generate }} cert-manager.io/inject-ca-from-secret: {{ .Release.Namespace }}/{{ .Values.certificates.certManager.caSecretName }} + {{- else }} + cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ .Values.operator.name }}-tls-certificates {{- end }} {{- end }} {{- if .Values.additionalAnnotations }} diff --git a/keda/values.yaml b/keda/values.yaml index db64c63a..6bedab51 100644 --- a/keda/values.yaml +++ b/keda/values.yaml @@ -738,6 +738,10 @@ certificates: certManager: # -- Enables Cert-manager for certificate management enabled: false + # -- Certificate duration + duration: 8760h0m0s # 1 year + # -- Certificate renewal time before expiration + renewBefore: 5840h0m0s # 8 months # -- Generates a self-signed CA with Cert-manager. # If generateCA is false, the secret with the CA # has to be annotated with `cert-manager.io/allow-direct-injection: "true"` @@ -752,6 +756,16 @@ certificates: # my-secret-annotation-2: "bar" # labels: # my-secret-label: foo + # -- Reference to custom Issuer. + issuer: + # -- Generates an Issuer resource with Cert-manager + generate: true + # -- Custom Issuer name. Required when generate: false + name: foo-org-ca + # -- Custom Issuer kind. Required when generate: false + kind: ClusterIssuer + # -- Custom Issuer group. Required when generate: false + group: cert-manager.io permissions: metricServer:
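Review bot: in the keda-tls-certificate.yaml hunk, guarding `name` with `{{- if .Values.certificates.certManager.issuer.name }}` in the `{{- else }}` branch means that with `issuer.generate: false` and an empty `name` the template renders an `issuerRef:` with no fields; Helm installs it without complaint and the failure only shows up later as a Certificate that cert-manager rejects (issuerRef.name is mandatory), which leaves the webhook and APIService caBundle empty. The README added in this same patch already says `name` is required when `generate` is false, so enforce it at render time instead: `name: {{ required "certificates.certManager.issuer.name is required when issuer.generate is false" .Values.certificates.certManager.issuer.name }}`. The `if` guards on `kind` and `group` can stay, since cert-manager defaults an omitted kind/group to `Issuer` and `cert-manager.io`.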
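Review bot: adding `.Values.certificates.certManager.issuer.generate` to the condition in self-ca.yaml (and identically in self-issuer.yaml) makes `generateCA: true` silently a no-op whenever `issuer.generate: false`, but the README row and values.yaml comment for `certificates.certManager.generateCA` in this patch still describe it unconditionally. State in the `generateCA` comment that it only applies while `issuer.generate` is true, so nobody waits for a `caSecretName` Secret that will never be created.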
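Review bot: in the metrics-server/apiservice.yaml hunk the `cert-manager.io/inject-ca-from` target moves from the `{{ .Values.operator.name }}-ca` Certificate to `{{ .Values.operator.name }}-tls-certificates`, i.e. the leaf Certificate. cainjector copies `ca.crt` from that Certificate's Secret, so this only works for issuer types that populate `ca.crt` (the CA and SelfSigned issuers do; ACME, for instance, does not). With an issuer that does not, the APIService `caBundle` stays empty and the kube-apiserver cannot verify the metrics server's serving certificate. That limitation belongs in the `issuer` documentation, and it is worth confirming that the Certificate in keda-tls-certificate.yaml really is named `{{ .Values.operator.name }}-tls-certificates`, since that hunk does not show its `metadata.name`.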
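Review bot: the annotation block in webhooks/validatingconfiguration.yaml is now identical to the one in metrics-server/apiservice.yaml, and this very change (the `-ca` to `-tls-certificates` rename plus the new `issuer.generate` condition) had to be made twice. Move the `generateCA` / `issuer.generate` selection of `inject-ca-from` versus `inject-ca-from-secret` into one named template (for example a `keda.certManagerCAInjectAnnotation` define in the chart's `_helpers.tpl`) and `include` it from both files, so the two CA-injection paths cannot drift apart again.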
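Review bot: in the first values.yaml hunk, `duration` and `renewBefore` are now user-settable but nothing checks the relation between them; cert-manager requires `renewBefore` to be strictly less than `duration`, and a user who lowers `duration` without touching `renewBefore` (default `5840h0m0s`) gets a Certificate that is rejected after the chart installs cleanly. A `fail` in keda-tls-certificate.yaml when `renewBefore` is not shorter than `duration`, or at least a sentence in the `# --` comment, would surface that at `helm template` time.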
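Review bot: in the second values.yaml hunk, `name: foo-org-ca` is a placeholder default that only takes effect when `generate: false`. Someone who flips `generate` and forgets `name` gets a chart that installs without error and a Certificate that references a `ClusterIssuer` called `foo-org-ca` which does not exist, with nothing failing until the certificate never issues. Default `name` to `""` and pair it with `required` in the Certificate template so the mistake fails at render time (`kind` and `group` can keep their defaults). Also, the `# -- Reference to custom Issuer.` comment lacks the "If issuer.generate is false, then issuer.group, issuer.kind and issuer.name are required" sentence that the README row carries; since the README is generated by helm-docs (per the `docs(keda): :memo: Generate Helm docs` entry in the message), that sentence has to live in this comment or the next regeneration drops it.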