helm: upgrade cert-manager from v1.12.6 to v1.15.0 (#3177)

Signed-off-by: Daniel Weiße <dw@edgeless.systems>

internal/constellation/helm/BUILD.bazel

@@ -462,6 +462,9 @@ go_library(
         "charts/edgeless/csi/charts/aws-csi-driver/templates/ebs-csi-default-sc.yaml",
         "charts/edgeless/csi/charts/aws-csi-driver/templates/role-leases.yaml",
         "charts/edgeless/csi/charts/aws-csi-driver/templates/rolebinding-leases.yaml",
+        "charts/cert-manager/templates/cainjector-config.yaml",
+        "charts/cert-manager/templates/extras-objects.yaml",
+        "charts/cert-manager/templates/podmonitor.yaml",
     ],
     importpath = "github.com/edgelesssys/constellation/v2/internal/constellation/helm",
     visibility = ["//:__subpackages__"],

internal/constellation/helm/charts/cert-manager/Chart.yaml

@@ -1,13 +1,15 @@
 annotations:
+  artifacthub.io/category: security
+  artifacthub.io/license: Apache-2.0
   artifacthub.io/prerelease: "false"
   artifacthub.io/signKey: |
     fingerprint: 1020CF3C033D4F35BAE1C19E1226061C665DF13E
     url: https://cert-manager.io/public-keys/cert-manager-keyring-2021-09-20-1020CF3C033D4F35BAE1C19E1226061C665DF13E.gpg
-apiVersion: v1
+apiVersion: v2
-appVersion: v1.12.6
+appVersion: v1.15.0
 description: A Helm chart for cert-manager
-home: https://github.com/cert-manager/cert-manager
+home: https://cert-manager.io
-icon: https://raw.githubusercontent.com/cert-manager/cert-manager/d53c0b9270f8cd90d908460d69502694e1838f5f/logo/logo-small.png
+icon: https://raw.githubusercontent.com/cert-manager/community/4d35a69437d21b76322157e6284be4cd64e6d2b7/logo/logo-small.png
 keywords:
 - cert-manager
 - kube-lego
@@ -21,4 +23,4 @@ maintainers:
 name: cert-manager
 sources:
 - https://github.com/cert-manager/cert-manager
-version: v1.12.6
+version: v1.15.0

internal/constellation/helm/charts/cert-manager/templates/NOTES.txt

@@ -1,3 +1,6 @@
+{{- if .Values.installCRDs }}
+⚠️  WARNING: `installCRDs` is deprecated, use `crds.enabled` instead.
+{{- end }}
 cert-manager {{ .Chart.AppVersion }} has been deployed successfully!
 
 In order to begin issuing certificates, you will need to set up a ClusterIssuer

internal/constellation/helm/charts/cert-manager/templates/_helpers.tpl

@@ -172,3 +172,31 @@ https://github.com/helm/helm/issues/5358
 {{- define "cert-manager.namespace" -}}
     {{ .Values.namespace | default .Release.Namespace }}
 {{- end -}}
+
+{{/*
+Util function for generating the image URL based on the provided options.
+IMPORTANT: This function is standarized across all charts in the cert-manager GH organization.
+Any changes to this function should also be made in cert-manager, trust-manager, approver-policy, ...
+See https://github.com/cert-manager/cert-manager/issues/6329 for a list of linked PRs.
+*/}}
+{{- define "image" -}}
+{{- $defaultTag := index . 1 -}}
+{{- with index . 0 -}}
+{{- if .registry -}}{{ printf "%s/%s" .registry .repository }}{{- else -}}{{- .repository -}}{{- end -}}
+{{- if .digest -}}{{ printf "@%s" .digest }}{{- else -}}{{ printf ":%s" (default $defaultTag .tag) }}{{- end -}}
+{{- end }}
+{{- end }}
+
+{{/*
+Check that the user has not set both .installCRDs and .crds.enabled or
+set .installCRDs and disabled .crds.keep.
+.installCRDs is deprecated and users should use .crds.enabled and .crds.keep instead.
+*/}}
+{{- define "cert-manager.crd-check" -}}
+  {{- if and (.Values.installCRDs) (.Values.crds.enabled) }}
+    {{- fail "ERROR: the deprecated .installCRDs option cannot be enabled at the same time as its replacement .crds.enabled" }}
+  {{- end }}
+  {{- if and (.Values.installCRDs) (not .Values.crds.keep) }}
+    {{- fail "ERROR: .crds.keep is not compatible with .installCRDs, please use .crds.enabled and .crds.keep instead" }}
+  {{- end }}
+{{- end -}}

internal/constellation/helm/charts/cert-manager/templates/cainjector-config.yaml

@@ -0,0 +1,18 @@
+{{- if .Values.cainjector.config -}}
+{{- $_ := .Values.cainjector.config.apiVersion | required ".Values.cainjector.config.apiVersion must be set !" -}}
+{{- $_ := .Values.cainjector.config.kind | required ".Values.cainjector.config.kind must be set !" -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "cainjector.fullname" . }}
+  namespace: {{ include "cert-manager.namespace" . }}
+  labels:
+    app: {{ include "cainjector.name" . }}
+    app.kubernetes.io/name: {{ include "cainjector.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component: "cainjector"
+    {{- include "labels" . | nindent 4 }}
+data:
+  config.yaml: |
+    {{- .Values.cainjector.config | toYaml | nindent 4 }}
+{{- end -}}

internal/constellation/helm/charts/cert-manager/templates/cainjector-deployment.yaml

@@ -16,6 +16,10 @@ metadata:
   {{- end }}
 spec:
   replicas: {{ .Values.cainjector.replicaCount }}
+  {{- /* The if statement below is equivalent to {{- if $value }} but will also return true for 0. */ -}}
+  {{- if not (has (quote .Values.global.revisionHistoryLimit) (list "" (quote ""))) }}
+  revisionHistoryLimit: {{ .Values.global.revisionHistoryLimit }}
+  {{- end }}
   selector:
     matchLabels:
       app.kubernetes.io/name: {{ include "cainjector.name" . }}
@@ -45,6 +49,7 @@ spec:
       {{- if hasKey .Values.cainjector "automountServiceAccountToken" }}
       automountServiceAccountToken: {{ .Values.cainjector.automountServiceAccountToken }}
       {{- end }}
+      enableServiceLinks: {{ .Values.cainjector.enableServiceLinks }}
       {{- with .Values.global.priorityClassName }}
       priorityClassName: {{ . | quote }}
       {{- end }}
@@ -54,14 +59,16 @@ spec:
       {{- end }}
       containers:
         - name: {{ .Chart.Name }}-cainjector
-          {{- with .Values.cainjector.image }}
+          image: "{{ template "image" (tuple .Values.cainjector.image $.Chart.AppVersion) }}"
-          image: "{{- if .registry -}}{{ .registry }}/{{- end -}}{{ .repository }}{{- if (.digest) -}} @{{ .digest }}{{- else -}}:{{ default $.Chart.AppVersion .tag }} {{- end -}}"
-          {{- end }}
           imagePullPolicy: {{ .Values.cainjector.image.pullPolicy }}
           args:
-          {{- if .Values.global.logLevel }}
+          {{- /* The if statement below is equivalent to {{- if $value }} but will also return true for 0. */ -}}
+          {{- if not (has (quote .Values.global.logLevel) (list "" (quote ""))) }}
           - --v={{ .Values.global.logLevel }}
           {{- end }}
+          {{- if .Values.cainjector.config }}
+          - --config=/var/cert-manager/config/config.yaml
+          {{- end }}
           {{- with .Values.global.leaderElection }}
           - --leader-election-namespace={{ .namespace }}
           {{- if .leaseDuration }}
@@ -74,6 +81,9 @@ spec:
           - --leader-election-retry-period={{ .retryPeriod }}
           {{- end }}
           {{- end }}
+          {{- with .Values.cainjector.featureGates}}
+          - --feature-gates={{ . }}
+          {{- end}}
           {{- with .Values.cainjector.extraArgs }}
           {{- toYaml . | nindent 10 }}
           {{- end }}
@@ -90,10 +100,16 @@ spec:
           resources:
             {{- toYaml . | nindent 12 }}
           {{- end }}
-          {{- with .Values.cainjector.volumeMounts }}
+          {{- if or .Values.cainjector.config .Values.cainjector.volumeMounts }}
           volumeMounts:
+            {{- if .Values.cainjector.config }}
+            - name: config 
+              mountPath: /var/cert-manager/config
+            {{- end }}
+            {{- with .Values.cainjector.volumeMounts }}
             {{- toYaml . | nindent 12 }}
             {{- end }}
+          {{- end }}
       {{- with .Values.cainjector.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
@@ -110,8 +126,15 @@ spec:
       topologySpreadConstraints:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- with .Values.cainjector.volumes }}
+      {{- if or .Values.cainjector.volumes .Values.cainjector.config }}
       volumes:
+        {{- if .Values.cainjector.config }}
+        - name: config 
+          configMap: 
+            name: {{ include "cainjector.fullname" . }}
+        {{- end }}
+        {{ with .Values.cainjector.volumes }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
+      {{- end }}
 {{- end }}

internal/constellation/helm/charts/cert-manager/templates/cainjector-poddisruptionbudget.yaml

@@ -17,10 +17,13 @@ spec:
       app.kubernetes.io/instance: {{ .Release.Name }}
       app.kubernetes.io/component: "cainjector"
 
-  {{- with .Values.cainjector.podDisruptionBudget.minAvailable }}
+  {{- if not (or (hasKey .Values.cainjector.podDisruptionBudget "minAvailable") (hasKey .Values.cainjector.podDisruptionBudget "maxUnavailable")) }}
-  minAvailable: {{ . }}
+  minAvailable: 1 # Default value because minAvailable and maxUnavailable are not set
   {{- end }}
-  {{- with .Values.cainjector.podDisruptionBudget.maxUnavailable }}
+  {{- if hasKey .Values.cainjector.podDisruptionBudget "minAvailable" }}
-  maxUnavailable: {{ . }}
+  minAvailable: {{ .Values.cainjector.podDisruptionBudget.minAvailable }}
+  {{- end }}
+  {{- if hasKey .Values.cainjector.podDisruptionBudget "maxUnavailable" }}
+  maxUnavailable: {{ .Values.cainjector.podDisruptionBudget.maxUnavailable }}
   {{- end }}
 {{- end }}

internal/constellation/helm/charts/cert-manager/templates/controller-config.yaml

@@ -1,12 +1,6 @@
 {{- if .Values.config -}}
-  {{- if not .Values.config.apiVersion -}}
+{{- $_ := .Values.config.apiVersion | required ".Values.config.apiVersion must be set !" -}}
-    {{- fail "config.apiVersion must be set" -}}
+{{- $_ := .Values.config.kind | required ".Values.config.kind must be set !" -}}
-  {{- end -}}
-
-  {{- if not .Values.config.kind -}}
-    {{- fail "config.kind must be set" -}}
-  {{- end -}}
-{{- end -}}
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -19,7 +13,6 @@ metadata:
     app.kubernetes.io/component: "controller"
     {{- include "labels" . | nindent 4 }}
 data:
-  {{- if .Values.config }}
   config.yaml: |
-    {{ .Values.config | toYaml | nindent 4 }}
+    {{- .Values.config | toYaml | nindent 4 }}
-  {{- end }}
+{{- end -}}

internal/constellation/helm/charts/cert-manager/templates/deployment.yaml

@@ -15,6 +15,10 @@ metadata:
   {{- end }}
 spec:
   replicas: {{ .Values.replicaCount }}
+  {{- /* The if statement below is equivalent to {{- if $value }} but will also return true for 0. */ -}}
+  {{- if not (has (quote .Values.global.revisionHistoryLimit) (list "" (quote ""))) }}
+  revisionHistoryLimit: {{ .Values.global.revisionHistoryLimit }}
+  {{- end }}
   selector:
     matchLabels:
       app.kubernetes.io/name: {{ template "cert-manager.name" . }}
@@ -39,7 +43,7 @@ spec:
       annotations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- if and .Values.prometheus.enabled (not .Values.prometheus.servicemonitor.enabled) }}
+      {{- if and .Values.prometheus.enabled (not (or .Values.prometheus.servicemonitor.enabled .Values.prometheus.podmonitor.enabled)) }}
       {{- if not .Values.podAnnotations }}
       annotations:
       {{- end }}
@@ -52,6 +56,7 @@ spec:
       {{- if hasKey .Values "automountServiceAccountToken" }}
       automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
       {{- end }}
+      enableServiceLinks: {{ .Values.enableServiceLinks }}
       {{- with .Values.global.priorityClassName }}
       priorityClassName: {{ . | quote }}
       {{- end }}
@@ -59,20 +64,30 @@ spec:
       securityContext:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- with .Values.volumes }}
+      {{- if or .Values.volumes .Values.config}}
       volumes:
+        {{- if .Values.config }}
+        - name: config 
+          configMap: 
+            name: {{ include "cert-manager.fullname" . }}
+        {{- end }}
+        {{ with .Values.volumes }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
+      {{- end }}
       containers:
         - name: {{ .Chart.Name }}-controller
-          {{- with .Values.image }}
+          image: "{{ template "image" (tuple .Values.image $.Chart.AppVersion) }}"
-          image: "{{- if .registry -}}{{ .registry }}/{{- end -}}{{ .repository }}{{- if (.digest) -}} @{{ .digest }}{{- else -}}:{{ default $.Chart.AppVersion .tag }} {{- end -}}"
-          {{- end }}
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           args:
-          {{- if .Values.global.logLevel }}
+          {{- /* The if statement below is equivalent to {{- if $value }} but will also return true for 0. */ -}}
+          {{- if not (has (quote .Values.global.logLevel) (list "" (quote ""))) }}
           - --v={{ .Values.global.logLevel }}
           {{- end }}
+          {{- if .Values.config }}
+          - --config=/var/cert-manager/config/config.yaml
+          {{- end }}
+          {{- $config := default .Values.config "" }}
           {{- if .Values.clusterResourceNamespace }}
           - --cluster-resource-namespace={{ .Values.clusterResourceNamespace }}
           {{- else }}
@@ -122,6 +137,9 @@ spec:
           {{- with .Values.dns01RecursiveNameservers }}
           - --dns01-recursive-nameservers={{ . }}
           {{- end }}
+          {{- if .Values.disableAutoApproval }}
+          - --controllers=-certificaterequests-approver
+          {{- end }}
           ports:
           - containerPort: 9402
             name: http-metrics
@@ -133,10 +151,16 @@ spec:
           securityContext:
             {{- toYaml . | nindent 12 }}
           {{- end }}
-          {{- with .Values.volumeMounts }}
+          {{- if or .Values.config .Values.volumeMounts }}
           volumeMounts:
+            {{- if .Values.config }}
+            - name: config 
+              mountPath: /var/cert-manager/config
+            {{- end }}
+            {{- with .Values.volumeMounts }}
             {{- toYaml . | nindent 12 }}
             {{- end }}
+          {{- end }}
           env:
           - name: POD_NAMESPACE
             valueFrom:
@@ -202,3 +226,6 @@ spec:
       dnsConfig:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with .Values.hostAliases }}
+      hostAliases: {{ toYaml . | nindent 8 }}
+      {{- end }}

internal/constellation/helm/charts/cert-manager/templates/extras-objects.yaml

@@ -0,0 +1,4 @@
+{{ range .Values.extraObjects }}
+---
+{{ tpl . $ }}
+{{ end }}

internal/constellation/helm/charts/cert-manager/templates/networkpolicy-egress.yaml

@@ -11,13 +11,9 @@ spec:
     {{- end }}
   podSelector:
     matchLabels:
-      app: {{ include "webhook.name" . }}
       app.kubernetes.io/name: {{ include "webhook.name" . }}
       app.kubernetes.io/instance: {{ .Release.Name }}
       app.kubernetes.io/component: "webhook"
-      {{- with .Values.webhook.podLabels }}
-      {{- toYaml . | nindent 6 }}
-      {{- end }}
   policyTypes:
   - Egress
 {{- end }}

internal/constellation/helm/charts/cert-manager/templates/networkpolicy-webhooks.yaml

@@ -12,13 +12,9 @@ spec:
     {{- end }}
   podSelector:
     matchLabels:
-        app: {{ include "webhook.name" . }}
       app.kubernetes.io/name: {{ include "webhook.name" . }}
       app.kubernetes.io/instance: {{ .Release.Name }}
       app.kubernetes.io/component: "webhook"
-        {{- with .Values.webhook.podLabels }}
-        {{- toYaml . | nindent 6 }}
-        {{- end }}
   policyTypes:
   - Ingress
 

internal/constellation/helm/charts/cert-manager/templates/poddisruptionbudget.yaml

@@ -17,10 +17,13 @@ spec:
       app.kubernetes.io/instance: {{ .Release.Name }}
       app.kubernetes.io/component: "controller"
 
-  {{- with .Values.podDisruptionBudget.minAvailable }}
+  {{- if not (or (hasKey .Values.podDisruptionBudget "minAvailable") (hasKey .Values.podDisruptionBudget "maxUnavailable")) }}
-  minAvailable: {{ . }}
+  minAvailable: 1 # Default value because minAvailable and maxUnavailable are not set
   {{- end }}
-  {{- with .Values.podDisruptionBudget.maxUnavailable }}
+  {{- if hasKey .Values.podDisruptionBudget "minAvailable" }}
-  maxUnavailable: {{ . }}
+  minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
+  {{- end }}
+  {{- if hasKey .Values.podDisruptionBudget "maxUnavailable" }}
+  maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
   {{- end }}
 {{- end }}

internal/constellation/helm/charts/cert-manager/templates/podmonitor.yaml

@@ -0,0 +1,50 @@
+{{- if and .Values.prometheus.enabled (and .Values.prometheus.podmonitor.enabled .Values.prometheus.servicemonitor.enabled) }}
+{{- fail "Either .Values.prometheus.podmonitor.enabled or .Values.prometheus.servicemonitor.enabled can be enabled at a time, but not both." }}
+{{- else if and .Values.prometheus.enabled .Values.prometheus.podmonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+  name: {{ template "cert-manager.fullname" . }}
+{{- if .Values.prometheus.podmonitor.namespace }}
+  namespace: {{ .Values.prometheus.podmonitor.namespace }}
+{{- else }}
+  namespace: {{ include "cert-manager.namespace" . }}
+{{- end }}
+  labels:
+    app: {{ include "cert-manager.name" . }}
+    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component: "controller"
+    {{- include "labels" . | nindent 4 }}
+    prometheus: {{ .Values.prometheus.podmonitor.prometheusInstance }}
+    {{- with .Values.prometheus.podmonitor.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+{{- if .Values.prometheus.podmonitor.annotations }}
+  annotations:
+    {{- with .Values.prometheus.podmonitor.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+{{- end }}
+spec:
+  jobLabel: {{ template "cert-manager.fullname" . }}
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: {{ template "cert-manager.name" . }}
+      app.kubernetes.io/instance: {{ .Release.Name }}
+      app.kubernetes.io/component: "controller"
+{{- if .Values.prometheus.podmonitor.namespace }}
+  namespaceSelector:
+    matchNames:
+      - {{ include "cert-manager.namespace" . }}
+{{- end }}
+  podMetricsEndpoints:
+    - port: http-metrics
+      path: {{ .Values.prometheus.podmonitor.path }}
+      interval: {{ .Values.prometheus.podmonitor.interval }}
+      scrapeTimeout: {{ .Values.prometheus.podmonitor.scrapeTimeout }}
+      honorLabels: {{ .Values.prometheus.podmonitor.honorLabels }}
+      {{- with .Values.prometheus.servicemonitor.endpointAdditionalProperties }}
+      {{- toYaml . | nindent 4 }}
+      {{- end }}
+{{- end }}

internal/constellation/helm/charts/cert-manager/templates/rbac.yaml

@@ -398,6 +398,26 @@ subjects:
     namespace: {{ include "cert-manager.namespace" . }}
     kind: ServiceAccount
 
+{{- if .Values.global.rbac.aggregateClusterRoles }}
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "cert-manager.fullname" . }}-cluster-view
+  labels:
+    app: {{ include "cert-manager.name" . }}
+    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component: "controller"
+    {{- include "labels" . | nindent 4 }}
+    rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"
+rules:
+  - apiGroups: ["cert-manager.io"]
+    resources: ["clusterissuers"]
+    verbs: ["get", "list", "watch"]
+
+{{- end }}
 ---
 
 apiVersion: rbac.authorization.k8s.io/v1
@@ -414,6 +434,7 @@ metadata:
     rbac.authorization.k8s.io/aggregate-to-view: "true"
     rbac.authorization.k8s.io/aggregate-to-edit: "true"
     rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"
     {{- end }}
 rules:
   - apiGroups: ["cert-manager.io"]
@@ -453,6 +474,8 @@ rules:
 
 ---
 
+{{- if not .Values.disableAutoApproval -}}
+
 # Permission to approve CertificateRequests referencing cert-manager.io Issuers and ClusterIssuers
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -468,7 +491,12 @@ rules:
   - apiGroups: ["cert-manager.io"]
     resources: ["signers"]
     verbs: ["approve"]
-    resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"]
+    {{- with .Values.approveSignerNames }}
+    resourceNames:
+    {{- range . }}
+    - {{ . | quote }}
+    {{- end  }}
+    {{- end }}
 
 ---
 
@@ -493,6 +521,8 @@ subjects:
 
 ---
 
+{{- end -}}
+
 # Permission to:
 # - Update and sign CertificatSigningeRequests referencing cert-manager.io Issuers and ClusterIssuers
 # - Perform SubjectAccessReviews to test whether users are able to reference Namespaced Issuers

internal/constellation/helm/charts/cert-manager/templates/service.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.prometheus.enabled }}
+{{- if and .Values.prometheus.enabled (not .Values.prometheus.podmonitor.enabled) }}
 apiVersion: v1
 kind: Service
 metadata:
@@ -19,6 +19,12 @@ metadata:
     {{- end }}
 spec:
   type: ClusterIP
+  {{- if .Values.serviceIPFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.serviceIPFamilyPolicy }}
+  {{- end }}
+  {{- if .Values.serviceIPFamilies }}
+  ipFamilies: {{ .Values.serviceIPFamilies | toYaml | nindent 2 }}
+  {{- end }}
   ports:
   - protocol: TCP
     port: 9402

internal/constellation/helm/charts/cert-manager/templates/serviceaccount.yaml

@@ -20,6 +20,6 @@ metadata:
     app.kubernetes.io/component: "controller"
     {{- include "labels" . | nindent 4 }}
     {{- with .Values.serviceAccount.labels }}
-      {{ toYaml . | nindent 4 }}
+      {{- toYaml . | nindent 4 }}
     {{- end }}
 {{- end }}

internal/constellation/helm/charts/cert-manager/templates/servicemonitor.yaml

@@ -1,4 +1,6 @@
-{{- if and .Values.prometheus.enabled .Values.prometheus.servicemonitor.enabled }}
+{{- if and .Values.prometheus.enabled (and .Values.prometheus.podmonitor.enabled .Values.prometheus.servicemonitor.enabled) }}
+{{- fail "Either .Values.prometheus.podmonitor.enabled or .Values.prometheus.servicemonitor.enabled can be enabled at a time, but not both." }}
+{{- else if and .Values.prometheus.enabled .Values.prometheus.servicemonitor.enabled }}
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
@@ -42,4 +44,7 @@ spec:
     interval: {{ .Values.prometheus.servicemonitor.interval }}
     scrapeTimeout: {{ .Values.prometheus.servicemonitor.scrapeTimeout }}
     honorLabels: {{ .Values.prometheus.servicemonitor.honorLabels }}
+    {{- with .Values.prometheus.servicemonitor.endpointAdditionalProperties }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
 {{- end }}

internal/constellation/helm/charts/cert-manager/templates/startupapicheck-job.yaml

@@ -37,6 +37,7 @@ spec:
       {{- if hasKey .Values.startupapicheck "automountServiceAccountToken" }}
       automountServiceAccountToken: {{ .Values.startupapicheck.automountServiceAccountToken }}
       {{- end }}
+      enableServiceLinks: {{ .Values.startupapicheck.enableServiceLinks }}
       {{- with .Values.global.priorityClassName }}
       priorityClassName: {{ . | quote }}
       {{- end }}
@@ -46,9 +47,7 @@ spec:
       {{- end }}
       containers:
         - name: {{ .Chart.Name }}-startupapicheck
-          {{- with .Values.startupapicheck.image }}
+          image: "{{ template "image" (tuple .Values.startupapicheck.image $.Chart.AppVersion) }}"
-          image: "{{- if .registry -}}{{ .registry }}/{{- end -}}{{ .repository }}{{- if (.digest) -}} @{{ .digest }}{{- else -}}:{{ default $.Chart.AppVersion .tag }} {{- end -}}"
-          {{- end }}
           imagePullPolicy: {{ .Values.startupapicheck.image.pullPolicy }}
           args:
           - check

internal/constellation/helm/charts/cert-manager/templates/webhook-config.yaml

@@ -1,12 +1,6 @@
 {{- if .Values.webhook.config -}}
-  {{- if not .Values.webhook.config.apiVersion -}}
+{{- $_ := .Values.webhook.config.apiVersion | required ".Values.webhook.config.apiVersion must be set !" -}}
-    {{- fail "webhook.config.apiVersion must be set" -}}
+{{- $_ := .Values.webhook.config.kind | required ".Values.webhook.config.kind must be set !" -}}
-  {{- end -}}
-
-  {{- if not .Values.webhook.config.kind -}}
-    {{- fail "webhook.config.kind must be set" -}}
-  {{- end -}}
-{{- end -}}
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -19,7 +13,6 @@ metadata:
     app.kubernetes.io/component: "webhook"
     {{- include "labels" . | nindent 4 }}
 data:
-  {{- if .Values.webhook.config }}
   config.yaml: |
-    {{ .Values.webhook.config | toYaml | nindent 4 }}
+    {{- .Values.webhook.config | toYaml | nindent 4 }}
-  {{- end }}
+{{- end -}}

internal/constellation/helm/charts/cert-manager/templates/webhook-deployment.yaml

@@ -15,6 +15,10 @@ metadata:
   {{- end }}
 spec:
   replicas: {{ .Values.webhook.replicaCount }}
+  {{- /* The if statement below is equivalent to {{- if $value }} but will also return true for 0. */ -}}
+  {{- if not (has (quote .Values.global.revisionHistoryLimit) (list "" (quote ""))) }}
+  revisionHistoryLimit: {{ .Values.global.revisionHistoryLimit }}
+  {{- end }}
   selector:
     matchLabels:
       app.kubernetes.io/name: {{ include "webhook.name" . }}
@@ -44,6 +48,7 @@ spec:
       {{- if hasKey .Values.webhook "automountServiceAccountToken" }}
       automountServiceAccountToken: {{ .Values.webhook.automountServiceAccountToken }}
       {{- end }}
+      enableServiceLinks: {{ .Values.webhook.enableServiceLinks }}
       {{- with .Values.global.priorityClassName }}
       priorityClassName: {{ . | quote }}
       {{- end }}
@@ -54,14 +59,16 @@ spec:
       {{- if .Values.webhook.hostNetwork }}
       hostNetwork: true
       {{- end }}
+      {{- if .Values.webhook.hostNetwork }}
+      dnsPolicy: ClusterFirstWithHostNet
+      {{- end }}
       containers:
         - name: {{ .Chart.Name }}-webhook
-          {{- with .Values.webhook.image }}
+          image: "{{ template "image" (tuple .Values.webhook.image $.Chart.AppVersion) }}"
-          image: "{{- if .registry -}}{{ .registry }}/{{- end -}}{{ .repository }}{{- if (.digest) -}} @{{ .digest }}{{- else -}}:{{ default $.Chart.AppVersion .tag }} {{- end -}}"
-          {{- end }}
           imagePullPolicy: {{ .Values.webhook.image.pullPolicy }}
           args:
-          {{- if .Values.global.logLevel }}
+          {{- /* The if statement below is equivalent to {{- if $value }} but will also return true for 0. */ -}}
+          {{- if not (has (quote .Values.global.logLevel) (list "" (quote ""))) }}
           - --v={{ .Values.global.logLevel }}
           {{- end }}
           {{- if .Values.webhook.config }}
@@ -71,8 +78,8 @@ spec:
           {{ if not $config.securePort -}}
           - --secure-port={{ .Values.webhook.securePort }}
           {{- end }}
-          {{- if .Values.featureGates }}
+          {{- if .Values.webhook.featureGates }}
-          - --feature-gates={{ .Values.featureGates }}
+          - --feature-gates={{ .Values.webhook.featureGates }}
           {{- end }}
           {{- $tlsConfig := default $config.tlsConfig "" }}
           {{ if or (not $config.tlsConfig) (and (not $tlsConfig.dynamic) (not $tlsConfig.filesystem) ) -}}
@@ -152,8 +159,8 @@ spec:
             - name: config
               mountPath: /var/cert-manager/config
             {{- end }}
-            {{- if .Values.webhook.volumeMounts }}
+            {{- with .Values.webhook.volumeMounts }}
-            {{- toYaml .Values.webhook.volumeMounts | nindent 12 }}
+            {{- toYaml . | nindent 12 }}
             {{- end }}
           {{- end }}
       {{- with .Values.webhook.nodeSelector }}
@@ -179,7 +186,7 @@ spec:
           configMap:
             name: {{ include "webhook.fullname" . }}
         {{- end }}
-        {{- if .Values.webhook.volumes }}
+        {{- with .Values.webhook.volumes }}
-        {{- toYaml .Values.webhook.volumes | nindent 8 }}
+        {{- toYaml . | nindent 8 }}
         {{- end }}
       {{- end }}

internal/constellation/helm/charts/cert-manager/templates/webhook-mutating-webhook.yaml

@@ -15,17 +15,19 @@ metadata:
     {{- end }}
 webhooks:
   - name: webhook.cert-manager.io
+    {{- with .Values.webhook.mutatingWebhookConfiguration.namespaceSelector }}
+    namespaceSelector:
+      {{- toYaml . | nindent 6 }}
+    {{- end }}
     rules:
       - apiGroups:
           - "cert-manager.io"
-          - "acme.cert-manager.io"
         apiVersions:
           - "v1"
         operations:
           - CREATE
-          - UPDATE
         resources:
-          - "*/*"
+          - "certificaterequests"
     admissionReviewVersions: ["v1"]
     # This webhook only accepts v1 cert-manager resources.
     # Equivalent matchPolicy ensures that non-v1 resource requests are sent to

internal/constellation/helm/charts/cert-manager/templates/webhook-poddisruptionbudget.yaml

@@ -17,10 +17,13 @@ spec:
       app.kubernetes.io/instance: {{ .Release.Name }}
       app.kubernetes.io/component: "webhook"
 
-  {{- with .Values.webhook.podDisruptionBudget.minAvailable }}
+  {{- if not (or (hasKey .Values.webhook.podDisruptionBudget "minAvailable") (hasKey .Values.webhook.podDisruptionBudget "maxUnavailable")) }}
-  minAvailable: {{ . }}
+  minAvailable: 1 # Default value because minAvailable and maxUnavailable are not set
   {{- end }}
-  {{- with .Values.webhook.podDisruptionBudget.maxUnavailable }}
+  {{- if hasKey .Values.webhook.podDisruptionBudget "minAvailable" }}
-  maxUnavailable: {{ . }}
+  minAvailable: {{ .Values.webhook.podDisruptionBudget.minAvailable }}
+  {{- end }}
+  {{- if hasKey .Values.webhook.podDisruptionBudget "maxUnavailable" }}
+  maxUnavailable: {{ .Values.webhook.podDisruptionBudget.maxUnavailable }}
   {{- end }}
 {{- end }}

internal/constellation/helm/charts/cert-manager/templates/webhook-service.yaml

@@ -18,6 +18,12 @@ metadata:
     {{- end }}
 spec:
   type: {{ .Values.webhook.serviceType }}
+  {{- if .Values.webhook.serviceIPFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.webhook.serviceIPFamilyPolicy }}
+  {{- end }}
+  {{- if .Values.webhook.serviceIPFamilies }}
+  ipFamilies: {{ .Values.webhook.serviceIPFamilies | toYaml | nindent 2 }}
+  {{- end }}
   {{- with .Values.webhook.loadBalancerIP }}
   loadBalancerIP: {{ . }}
   {{- end }}

internal/constellation/helm/charts/cert-manager/templates/webhook-validating-webhook.yaml

@@ -15,16 +15,10 @@ metadata:
     {{- end }}
 webhooks:
   - name: webhook.cert-manager.io
+    {{- with .Values.webhook.validatingWebhookConfiguration.namespaceSelector }}
     namespaceSelector:
-      matchExpressions:
+      {{- toYaml . | nindent 6 }}
-      - key: "cert-manager.io/disable-validation"
+    {{- end }}
-        operator: "NotIn"
-        values:
-        - "true"
-      - key: "name"
-        operator: "NotIn"
-        values:
-        - {{ include "cert-manager.namespace" . }}
     rules:
       - apiGroups:
           - "cert-manager.io"

internal/constellation/helm/generateCertManager.sh

@@ -5,7 +5,7 @@ set -o errtrace
 shopt -s inherit_errexit
 
 echo "Pulling cert-manager Helm chart..."
-version="1.12.6"
+version="1.15.0"
 
 function cleanup {
   rm -rf "charts/cert-manager/README.md" "charts/cert-manager-v${version}.tgz"
@@ -38,7 +38,7 @@ yq eval -i '.cainjector.image.digest = "sha256:'"${v}"'"' charts/cert-manager/va
 v=$(get_sha256_hash "cert-manager-acmesolver")
 yq eval -i '.acmesolver.image.digest = "sha256:'"${v}"'"' charts/cert-manager/values.yaml
 
-v=$(get_sha256_hash "cert-manager-ctl")
+v=$(get_sha256_hash "cert-manager-startupapicheck")
 yq eval -i '.startupapicheck.image.digest = "sha256:'"${v}"'"' charts/cert-manager/values.yaml
 
 echo # final newline

internal/constellation/helm/helm_test.go

@@ -194,7 +194,7 @@ func TestHelmApply(t *testing.T) {
 				awsLbVersion = *tc.clusterAWSLBVersion
 			}
 
-			certManagerVersion := "v1.12.6" // current version
+			certManagerVersion := "v1.15.0" // current version
 			if tc.clusterCertManagerVersion != nil {
 				certManagerVersion = *tc.clusterCertManagerVersion
 			}