mirror of https://github.com/kubernetes-sigs/node-feature-discovery.git synced 2024-12-14 11:57:51 +00:00

Merge pull request #1598 from allenmun197/issuer

helm: add ability to use a custom issuer
Kubernetes Prow Robot 2024-03-06 23:51:53 -08:00 committed by GitHub
commit decaafe255
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 21 additions and 4 deletions


@ -19,8 +19,12 @@ spec:
- {{ include "node-feature-discovery.fullname" . }}-master.{{ include "node-feature-discovery.namespace" . }}.svc
- {{ include "node-feature-discovery.fullname" . }}-master.{{ include "node-feature-discovery.namespace" . }}.svc.cluster.local
issuerRef:
name: nfd-ca-issuer
name: {{ default "nfd-ca-issuer" .Values.tls.certManagerCertificate.issuerName }}
{{- if and .Values.tls.certManagerCertificate.issuerName .Values.tls.certManagerCertificate.issuerKind }}
kind: {{ .Values.tls.certManagerCertificate.issuerKind }}
{{- else }}
kind: Issuer
{{- end }}
group: cert-manager.io
{{- end }}
---
@ -39,8 +43,12 @@ spec:
dnsNames:
- {{ include "node-feature-discovery.fullname" . }}-worker.{{ include "node-feature-discovery.namespace" . }}.svc.cluster.local
issuerRef:
name: nfd-ca-issuer
name: {{ default "nfd-ca-issuer" .Values.tls.certManagerCertificate.issuerName }}
{{- if and .Values.tls.certManagerCertificate.issuerName .Values.tls.certManagerCertificate.issuerKind }}
kind: {{ .Values.tls.certManagerCertificate.issuerKind }}
{{- else }}
kind: Issuer
{{- end }}
group: cert-manager.io
{{- end }}
@ -60,8 +68,12 @@ spec:
dnsNames:
- {{ include "node-feature-discovery.fullname" . }}-topology-updater.{{ include "node-feature-discovery.namespace" . }}.svc.cluster.local
issuerRef:
name: nfd-ca-issuer
name: {{ default "nfd-ca-issuer" .Values.tls.certManagerCertificate.issuerName }}
{{- if and .Values.tls.certManagerCertificate.issuerName .Values.tls.certManagerCertificate.issuerKind }}
kind: {{ .Values.tls.certManagerCertificate.issuerKind }}
{{- else }}
kind: Issuer
{{- end }}
group: cert-manager.io
{{- end }}
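Review bot: Pointing `issuerRef` at a user-supplied issuer in all three Certificates (master, worker, topology-updater) changes what the components' TLS trust rests on, and nothing in these templates says so. With the chart-bootstrapped `nfd-ca-issuer` the CA exists only for this release, whereas with a shared `ClusterIssuer` any workload able to obtain a certificate from it holds one chaining to the same CA; whether that matters depends on how the NFD components check peer names, which is not visible here. I would add a comment above each `issuerRef`, for example `# A custom issuer should be dedicated to NFD: certificates from a shared CA chain to the same root as these.` Separately, `issuerKind` is emitted as-is, so `kind: {{ .Values.tls.certManagerCertificate.issuerKind | quote }}` plus a `fail` for anything other than `Issuer` or `ClusterIssuer` would turn a typo into a render-time error instead of a Certificate that never becomes ready.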


@ -1,4 +1,4 @@
{{- if .Values.tls.certManager }}
{{- if and .Values.tls.certManager (not .Values.tls.certManagerCertificate.issuerName ) }}
# See https://cert-manager.io/docs/configuration/selfsigned/#bootstrapping-ca-issuers
# - Create a self signed issuer
# - Use this to create a CA cert
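Review bot: The new guard tests only whether `issuerName` is non-empty, so setting `tls.certManagerCertificate.issuerName: nfd-ca-issuer` (the same name the Certificates default to) skips the bootstrap issuers and leaves the Certificates pointing at an issuer this chart no longer creates. More generally, once `issuerName` is set nothing at render time checks that the referenced issuer exists, and for `kind: Issuer` it has to live in the release namespace; the Certificates would presumably just stay not-ready. A comment above the guard would help, e.g. `# Skipped when a pre-existing issuer is named; it must already exist (same namespace for kind Issuer).` The rest of this template lies outside the hunk.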


@ -530,6 +530,9 @@ gc:
tls:
enable: false
certManager: false
certManagerCertificate:
issuerKind:
issuerName:
prometheus:
enable: false
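Review bot: The new keys live at `tls.certManagerCertificate.issuerName` and `tls.certManagerCertificate.issuerKind`, which is the path the templates read, but the parameter table changed in this same commit documents them as `tls.certManager.certManagerCertificate.*`. Someone following the table would replace the boolean `tls.certManager` with a map and leave the real keys empty, so, as far as the visible templates show, the chart would fall back to the self-signed `nfd-ca-issuer` without any error. The two table rows should read `tls.certManagerCertificate.issuerName` and `tls.certManagerCertificate.issuerKind`. The bare `issuerKind:` and `issuerName:` values are nulls; writing `issuerName: ""` with a one-line comment such as `# name of a pre-existing cert-manager issuer; empty = chart-created self-signed CA` would make the default explicit.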


@ -96,6 +96,8 @@ Chart parameters are available.
| `fullnameOverride` | string | | Override a default fully qualified app name |
| `tls.enable` | bool | false | Specifies whether to use TLS for communications between components. **NOTE**: this parameter is related to the deprecated gRPC API and will be removed with it in a future release |
| `tls.certManager` | bool | false | If enabled, requires [cert-manager](https://cert-manager.io/docs/) to be installed and will automatically create the required TLS certificates. **NOTE**: this parameter is related to the deprecated gRPC API and will be removed with it in a future release |
| `tls.certManager.certManagerCertificate.issuerName` | string | | If specified, it will use a pre-existing issuer instead for the required TLS certificates. **NOTE**: this parameter is related to the deprecated gRPC API and will be removed with it in a future release |
| `tls.certManager.certManagerCertificate.issuerKind` | string | | Specifies on what kind of issuer is used, can be either ClusterIssuer or Issuer (default). Requires `tls.certManager.certManagerCertificate.issuerName` to be set. **NOTE**: this parameter is related to the deprecated gRPC API and will be removed with it in a future release |
| `enableNodeFeatureApi`| bool | true | Enable the [NodeFeature](../usage/custom-resources.md#nodefeature) CRD API for communicating node features. This will automatically disable the gRPC communication. **NOTE**: this parameter is related to the deprecated gRPC API and will be removed with it in a future release |
| `prometheus.enable` | bool | false | Specifies whether to expose metrics using prometheus operator |
| `prometheus.labels` | dict | {} | Specifies labels for use with the prometheus operator to control how it is selected |