Updated Helm Charts

- Optimized the charts - Made the webhook optional - Added cert manager as dependency to be installed while running webhook
2021-08-16 04:24:24 +05:30 · 2021-08-16 04:24:24 +05:30 · 5ca4e0a90c
parent b11ca32d1a
commit 5ca4e0a90c
7 changed files with 55 additions and 15 deletions
--- a/chart/jenkins-operator/Chart.lock
+++ b/chart/jenkins-operator/Chart.lock
@ -0,0 +1,6 @@
+dependencies:
+- name: cert-manager
+  repository: https://charts.jetstack.io
+  version: v1.5.0
+digest: sha256:9113e5b4333cbe0a9b9eb340cb8bc201f5c110a56058a637c18733e36711c513
+generated: "2021-08-16T04:18:49.917544487+05:30"
--- a/chart/jenkins-operator/Chart.yaml
+++ b/chart/jenkins-operator/Chart.yaml
@ -4,3 +4,9 @@ description: Kubernetes native operator which fully manages Jenkins on Kubernete
 name: jenkins-operator
 version: 0.5.2
 icon: https://raw.githubusercontent.com/jenkinsci/kubernetes-operator/master/assets/jenkins-operator-icon.png
+dependencies:
+    - name: cert-manager 
+      version: "1.5.0"
+      condition: webhook.enabled
+      repository: "https://charts.jetstack.io"
+        
--- a/chart/jenkins-operator/charts/cert-manager-v1.5.0.tgz
+++ b/chart/jenkins-operator/charts/cert-manager-v1.5.0.tgz
--- a/chart/jenkins-operator/templates/cert-manager.yaml
+++ b/chart/jenkins-operator/templates/cert-manager.yaml
@ -1,15 +1,16 @@
+{{- if .Values.webhook.enabled }}
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
-  name: webhook-certificate
+  name: jenkins-{{ .Values.webhook.certificate.name }}
  namespace: {{ .Release.Namespace }}
 spec:
-  duration: 2160h 
-  renewBefore: 360h
-  secretName: webhook-server-cert
+  duration: {{ .Values.webhook.certificate.duration }}
+  renewBefore: {{ .Values.webhook.certificate.renewbefore }}
+  secretName: jenkins-{{ .Values.webhook.certificate.name }}
  dnsNames:
-  - webhook-service.{{ .Release.Namespace }}.svc 
-  - webhook-service.{{ .Release.Namespace }}.svc.cluster.local 
+  - jenkins-webhook-service.{{ .Release.Namespace }}.svc 
+  - jenkins-webhook-service.{{ .Release.Namespace }}.svc.cluster.local 
  issuerRef:
    kind: Issuer
    name: selfsigned
@ -24,3 +25,4 @@ spec:
  selfSigned: {}

 ---
+{{- end }}
--- a/chart/jenkins-operator/templates/operator.yaml
+++ b/chart/jenkins-operator/templates/operator.yaml
@ -31,11 +31,16 @@ spec:
              protocol: TCP
          command:
            - /manager
-          args: []
+          args: 
+          {{- if .Values.webhook.enabled }}
+          - --validate-security-warnings
+          {{- end }}
+          {{- if .Values.webhook.enabled }}
          volumeMounts:
          - mountPath: /tmp/k8s-webhook-server/serving-certs
-            name: cert
+            name: webhook-certs
            readOnly: true
+          {{- end }}
          env:
            - name: WATCH_NAMESPACE
              value: {{ .Values.jenkins.namespace }}
@ -59,9 +64,11 @@ spec:
      tolerations:
        {{- toYaml . | nindent 8 }}
    {{- end }}
+    {{- if .Values.webhook.enabled }}
      volumes:
-      - name: cert
+      - name: webhook-certs
        secret:
          defaultMode: 420
-          secretName: webhook-server-cert  
-      terminationGracePeriodSeconds: 10
+          secretName: jenkins-{{ .Values.webhook.certificate.name }}
+      terminationGracePeriodSeconds: 10
+    {{- end }}
--- a/chart/jenkins-operator/templates/webhook.yaml
+++ b/chart/jenkins-operator/templates/webhook.yaml
@ -1,16 +1,17 @@
+{{- if .Values.webhook.enabled }}
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
-  name: validating-webhook-configuration
+  name: {{ .Release.Name }}-webhook
  annotations:
-    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/webhook-certificate 
+    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/jenkins-{{ .Values.webhook.certificate.name }}
 webhooks:
 - admissionReviewVersions:
  - v1
  - v1beta1
  clientConfig:
    service:
-      name: webhook-service
+      name: jenkins-webhook-service
      namespace: {{ .Release.Namespace }}
      path: /validate-jenkins-io-v1alpha2-jenkins
  failurePolicy: Fail
@ -25,13 +26,14 @@ webhooks:
    - UPDATE
    resources:
    - jenkins
+    scope: "Namespaced"
  sideEffects: None

 ---
 apiVersion: v1
 kind: Service
 metadata:
-  name: webhook-service
+  name: jenkins-webhook-service
  namespace: {{ .Release.Namespace }}
 spec:
  ports:
@ -41,3 +43,4 @@ spec:
    app.kubernetes.io/name: {{ include "jenkins-operator.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
 ---
+{{- end }}
--- a/chart/jenkins-operator/values.yaml
+++ b/chart/jenkins-operator/values.yaml
@ -280,3 +280,19 @@ operator:
  nodeSelector: {}
  tolerations: []
  affinity: {}
+
+webhook:
+# TLS certificates for webhook
+  certificate:
+    name: webhook-certificate
+
+    # validity of the certificate
+    duration: 2160h
+  
+    # time after which the certificate will be automatically renewed 
+    renewbefore: 360h
+  # enable or disable the validation webhook
+  enabled: false
+
+cert-manager:
+  installCRDs: true