feat(keda): Allow using own Cert-manager Issuer/ClusterIssuer for iss…

…uing KEDA TLS certificates (#530) * feat(keda): ✨ Allow providing own cert-manager issuer in TLS certificate Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * docs(keda): 📝 Generate Helm docs Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * fix(keda): 🐛 Inject CA from cert-manager Certificate when providing own Issuer Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * refactor(keda): ♻️ Refactor values format Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * revert(keda): ⏪ Revert unnecessary auto-formatting Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * chore: Improve the CI on PRs to be more efficient (#540) Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es> Signed-off-by: Jorge Turrado <jorge.turrado@scrm.lidl> Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * fix(http-add-on): Refactor the chart for next version (#523) Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * feat(add-on): Supporting streamInterval configuration (#541) Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * chore(add-on): Ship Release 0.6.0 (#543) Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * chore: update versions in README.md (#546) Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * feat: update crd to allow vault secret to handle write operation (#548) Signed-off-by: Loïs Postula <lois@postu.la> Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * Fix the svc name of webhook to avoid breaking istio (#551) Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * Show only logs with a severity level of ERROR or higher in the stderr (#506) Signed-off-by: Adarsh-verma-14 <t_adarsh.verma@india.nec.com> Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * Support profiling for keda components (#549) Signed-off-by: yuval weber <yuval199985@gmail.com> Signed-off-by: unknown <yuval199985@gmail.com> Co-authored-by: Tom Kerkhove <kerkhove.tom@gmail.com> Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * Fix TriggerAuthentication - added configuration for validation webhook (#553) Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * fix: Declare missing port in KEDA operator (#552) Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * Allow image registry override for all keda components (#557) Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * docs: Clarify that contributors do not have to ship Helm chart (#573) Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * add disable-compression arg for both operator and metrics-server (#554) Signed-off-by: Adarsh-verma-14 <t_adarsh.verma@india.nec.com> Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * feat: Introduce CloudEventSources CRD and adding ClusterName parameter (#572) * Add CloudEventSources Crd and ClustetName Parameter Signed-off-by: SpiritZhou <iammrzhouzhenghan@gmail.com> * Update Signed-off-by: SpiritZhou <iammrzhouzhenghan@gmail.com> * Update Signed-off-by: SpiritZhou <iammrzhouzhenghan@gmail.com> * Update keda/values.yaml Co-authored-by: Tom Kerkhove <kerkhove.tom@gmail.com> Signed-off-by: SpiritZhou <iammrzhouzhenghan@gmail.com> * Fix Signed-off-by: SpiritZhou <iammrzhouzhenghan@gmail.com> * Update Signed-off-by: SpiritZhou <iammrzhouzhenghan@gmail.com> * Revert unnecessary update Signed-off-by: SpiritZhou <iammrzhouzhenghan@gmail.com> --------- Signed-off-by: SpiritZhou <iammrzhouzhenghan@gmail.com> Co-authored-by: Tom Kerkhove <kerkhove.tom@gmail.com> Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * store 2.12.1 package at `main` (#577) Signed-off-by: Zbynek Roubalik <zroubalik@gmail.com> Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * fix: restore http-add-on chart 0.6.0 indexing (#579) Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * fix(add-on): Use 'main' tag for KEDA installation during CI (#582) Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * set securityContext for http-add-on chart (#561) Co-authored-by: Tom Kerkhove <kerkhove.tom@gmail.com> Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * Fix http-add-on operator resources (#567) Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * Fix http-add-on verbosity configuration (#568) Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * chore: Adjust RBAC with code (#585) * chore: Adjust RBAC with code Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es> * fix typo Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es> --------- Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es> Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * fix: Don't recreate CA with 8 months until it expires (#586) Signed-off-by: Jorge Turrado Ferrero <Jorge_turrado@hotmail.es> Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * feat(ClusterRole): Add RBAC rule to allow access to `LimitRange` (#588) Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * remove not required insecureSkipTLSVerify (#564) Signed-off-by: Frank Kloeker <f.kloeker@telekom.de> Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * Update templates/webhooks deployment (#590) Align deployment for extraVolumes and extraVolumesMount for fix problem Error: YAML parse error on keda/templates/webhooks/deployment.yaml: error converting YAML to JSON: yaml: line 96: did not find expected key Signed-off-by: ferndem <39851927+ferndem@users.noreply.github.com> Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * Fix Prometheus metrics handling for the operator. (#555) The current state of the Helm chart is slightly confusing, because: - There's no easy way to really disable prometheus metrics -- `--enable-prometheus-metrics` defaults to true anthe current code either emits `--enable-prometheus-metrics=true` or nothing at all (making it `true` once again). - The `http` container port is actually a `metrics` port (by convention from .e.g. webhook), but is present regardless of whether Prometheus metrics are enabled or not. To make it less confusing, this PR proposes renaming it. Signed-off-by: Milan Plzik <milan.plzik@grafana.com> Signed-off-by: Jorge Turrado Ferrero <Jorge_turrado@hotmail.es> Co-authored-by: Jorge Turrado Ferrero <Jorge_turrado@hotmail.es> Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * Fix Remove app.kubernetes.io/instance label in crd (#556) Signed-off-by: choisungwook <kgg1959@naver.com> Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * Support crd-specific annotations (#584) * support crd-specific annotations Signed-off-by: Adam Walford <adamw@speechmatics.com> * update readme Signed-off-by: Adam Walford <adamw@speechmatics.com> * update docs using helm-docs Signed-off-by: Adam Walford <adamw@speechmatics.com> --------- Signed-off-by: Adam Walford <adamw@speechmatics.com> Co-authored-by: Adam Walford <adamw@speechmatics.com> Co-authored-by: Tom Kerkhove <kerkhove.tom@gmail.com> Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * Add ciliumnetworkpolicies (#558) Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * Add tlsConfig for ServiceMonitor (#591) Co-authored-by: guicholeo <leo.sanchez@resideo.com> Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * Release 2.13.0 (#593) Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * fix: Ship v2.13.1 with missing RoleBinding (#595) Signed-off-by: Jorge Turrado <jorge.turrado@scrm.lidl> Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * chore(add-on): Apply HTTP Add-on changes on Helm chart (#598) Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * chore(add-on): Release v0.7.0 (#599) Signed-off-by: Jorge Turrado <jorge.turrado@scrm.lidl> Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * refactor: Unify cert-manager annotations Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> --------- Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es> Signed-off-by: Jorge Turrado <jorge.turrado@scrm.lidl> Signed-off-by: Loïs Postula <lois@postu.la> Signed-off-by: Adarsh-verma-14 <t_adarsh.verma@india.nec.com> Signed-off-by: yuval weber <yuval199985@gmail.com> Signed-off-by: unknown <yuval199985@gmail.com> Signed-off-by: SpiritZhou <iammrzhouzhenghan@gmail.com> Signed-off-by: Zbynek Roubalik <zroubalik@gmail.com> Signed-off-by: Jorge Turrado Ferrero <Jorge_turrado@hotmail.es> Signed-off-by: Frank Kloeker <f.kloeker@telekom.de> Signed-off-by: ferndem <39851927+ferndem@users.noreply.github.com> Signed-off-by: Milan Plzik <milan.plzik@grafana.com> Signed-off-by: choisungwook <kgg1959@naver.com> Signed-off-by: Adam Walford <adamw@speechmatics.com> Co-authored-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> Co-authored-by: Jorge Turrado Ferrero <Jorge_turrado@hotmail.es> Co-authored-by: Loïs Postula <lois@postu.la> Co-authored-by: Roy Gao <137811914+congzhegao@users.noreply.github.com> Co-authored-by: Adarsh Verma <113962919+Adarsh-verma-14@users.noreply.github.com> Co-authored-by: yuval weber <yuval199985@gmail.com> Co-authored-by: Tom Kerkhove <kerkhove.tom@gmail.com> Co-authored-by: Radek Fojtik <68660951+radekfojtik@users.noreply.github.com> Co-authored-by: Quentin Bisson <quentin.bisson@gmail.com> Co-authored-by: SpiritZhou <iammrzhouzhenghan@gmail.com> Co-authored-by: Zbynek Roubalik <zroubalik@gmail.com> Co-authored-by: Frank Kloeker <eumel@arcor.de> Co-authored-by: Andrew <35912177+aballman@users.noreply.github.com> Co-authored-by: Bhargav Ravuri <bhargav.ravuri@infracloud.io> Co-authored-by: ferndem <39851927+ferndem@users.noreply.github.com> Co-authored-by: Milan Plžík <4592597+mplzik@users.noreply.github.com> Co-authored-by: choisungwook <sungwook0724@lguplus.co.kr> Co-authored-by: Adam Walford <34867732+awalford16@users.noreply.github.com> Co-authored-by: Adam Walford <adamw@speechmatics.com> Co-authored-by: guicholeo <leo.sanchez@resideo.com> Co-authored-by: Jan Wozniak <wozniak.jan@gmail.com>
kedacore · Jan 30, 2024 · 4cf42b3 · 4cf42b3
1 parent 6493bd1
commit 4cf42b3
Show file tree

Hide file tree

Showing 8 changed files with 46 additions and 13 deletions.
diff --git a/keda/README.md b/keda/README.md
@@ -64,8 +64,15 @@ their default values.
 | `asciiArt` | bool | `true` | Capability to turn on/off ASCII art in Helm installation notes |
 | `certificates.autoGenerated` | bool | `true` | Enables the self generation for KEDA TLS certificates inside KEDA operator |
 | `certificates.certManager.caSecretName` | string | `"kedaorg-ca"` | Secret name where the CA is stored (generatedby cert-manager or user given) |
+| `certificates.certManager.duration` | string | `"8760h0m0s"` | Certificate duration |
 | `certificates.certManager.enabled` | bool | `false` | Enables Cert-manager for certificate management |
 | `certificates.certManager.generateCA` | bool | `true` | Generates a self-signed CA with Cert-manager. If generateCA is false, the secret with the CA has to be annotated with `cert-manager.io/allow-direct-injection: "true"` |
+| `certificates.certManager.issuer` | object | `{"generate":true,"group":"cert-manager.io","kind":"ClusterIssuer","name":"foo-org-ca"}` | Reference to custom Issuer. If issuer.generate is false, then issuer.group, issuer.kind and issuer.name are required |
+| `certificates.certManager.issuer.generate` | bool | `true` | Generates an Issuer resource with Cert-manager |
+| `certificates.certManager.issuer.group` | string | `"cert-manager.io"` | Custom Issuer group. Required when generate: false |
+| `certificates.certManager.issuer.kind` | string | `"ClusterIssuer"` | Custom Issuer kind. Required when generate: false |
+| `certificates.certManager.issuer.name` | string | `"foo-org-ca"` | Custom Issuer name. Required when generate: false |
+| `certificates.certManager.renewBefore` | string | `"5840h0m0s"` | Certificate renewal time before expiration |
 | `certificates.certManager.secretTemplate` | object | `{}` | Add labels/annotations to secrets created by Certificate resources [docs](https://cert-manager.io/docs/usage/certificate/#creating-certificate-resources) |
 | `certificates.mountPath` | string | `"/certs"` | Path where KEDA TLS certificates are mounted |
 | `certificates.secretName` | string | `"kedaorg-certs"` | Secret name to be mounted with KEDA TLS certificates |

diff --git a/keda/templates/cert-manager/keda-issuer.yaml b/keda/templates/cert-manager/keda-issuer.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.certificates.certManager.enabled }}
+{{- if and .Values.certificates.certManager.enabled .Values.certificates.certManager.issuer.generate }}
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
@@ -11,4 +11,4 @@ metadata:
 spec:
   ca:
     secretName: {{ .Values.certificates.certManager.caSecretName }}
-{{- end }}
+{{- end }}
diff --git a/keda/templates/cert-manager/keda-tls-certificate.yaml b/keda/templates/cert-manager/keda-tls-certificate.yaml
@@ -25,10 +25,22 @@ spec:
   privateKey:
     algorithm: RSA
     size: 2048
-  duration: 8760h0m0s # 1 year
-  renewBefore: 5840h0m0s # 8 months
+  duration: {{ .Values.certificates.certManager.duration }}
+  renewBefore: {{ .Values.certificates.certManager.renewBefore }}
   issuerRef:
+    {{- if .Values.certificates.certManager.issuer.generate }}
     name: {{ .Values.operator.name }}-issuer
     kind: Issuer
     group: cert-manager.io
+    {{- else }}
+    {{- if .Values.certificates.certManager.issuer.name }}
+    name: {{ .Values.certificates.certManager.issuer.name }}
+    {{- end }}
+    {{- if .Values.certificates.certManager.issuer.kind }}
+    kind: {{ .Values.certificates.certManager.issuer.kind }}
+    {{- end }}
+    {{- if .Values.certificates.certManager.issuer.group }}
+    group: {{ .Values.certificates.certManager.issuer.group }}
+    {{- end }}
+    {{- end }}
 {{- end }}
diff --git a/keda/templates/cert-manager/self-ca.yaml b/keda/templates/cert-manager/self-ca.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.certificates.certManager.enabled .Values.certificates.certManager.generateCA }}
+{{- if and .Values.certificates.certManager.enabled .Values.certificates.certManager.generateCA .Values.certificates.certManager.issuer.generate }}
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:

diff --git a/keda/templates/cert-manager/self-issuer.yaml b/keda/templates/cert-manager/self-issuer.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.certificates.certManager.enabled .Values.certificates.certManager.generateCA }}
+{{- if and .Values.certificates.certManager.enabled .Values.certificates.certManager.generateCA .Values.certificates.certManager.issuer.generate }}
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
@@ -10,4 +10,4 @@ metadata:
   namespace: {{ .Release.Namespace }}
 spec:
   selfSigned: {}
-{{- end }}
+{{- end }}
diff --git a/keda/templates/metrics-server/apiservice.yaml b/keda/templates/metrics-server/apiservice.yaml
@@ -4,10 +4,10 @@ metadata:
   {{- if or .Values.certificates.certManager.enabled .Values.additionalAnnotations }}
   annotations:
     {{- if .Values.certificates.certManager.enabled }}
-    {{- if .Values.certificates.certManager.generateCA }}
-    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ .Values.operator.name }}-ca
-    {{- else }}
+    {{- if and (not .Values.certificates.certManager.generateCA) .Values.certificates.certManager.issuer.generate }}
     cert-manager.io/inject-ca-from-secret: {{ .Release.Namespace }}/{{ .Values.certificates.certManager.caSecretName }}
+    {{- else }}
+    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ .Values.operator.name }}-tls-certificates
     {{- end }}
     {{- end }}
     {{- if .Values.additionalAnnotations }}

diff --git a/keda/templates/webhooks/validatingconfiguration.yaml b/keda/templates/webhooks/validatingconfiguration.yaml
@@ -5,10 +5,10 @@ metadata:
   {{- if or .Values.certificates.certManager.enabled .Values.additionalAnnotations }}
   annotations:
     {{- if .Values.certificates.certManager.enabled }}
-    {{- if .Values.certificates.certManager.generateCA }}
-    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ .Values.operator.name }}-ca
-    {{- else }}
+    {{- if and (not .Values.certificates.certManager.generateCA) .Values.certificates.certManager.issuer.generate }}
     cert-manager.io/inject-ca-from-secret: {{ .Release.Namespace }}/{{ .Values.certificates.certManager.caSecretName }}
+    {{- else }}
+    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ .Values.operator.name }}-tls-certificates
     {{- end }}
     {{- end }}
     {{- if .Values.additionalAnnotations }}

diff --git a/keda/values.yaml b/keda/values.yaml
@@ -738,6 +738,10 @@ certificates:
   certManager:
     # -- Enables Cert-manager for certificate management
     enabled: false
+    # -- Certificate duration
+    duration: 8760h0m0s # 1 year
+    # -- Certificate renewal time before expiration
+    renewBefore: 5840h0m0s # 8 months
     # -- Generates a self-signed CA with Cert-manager.
     # If generateCA is false, the secret with the CA
     # has to be annotated with `cert-manager.io/allow-direct-injection: "true"`
@@ -752,6 +756,16 @@ certificates:
       #   my-secret-annotation-2: "bar"
       # labels:
       #   my-secret-label: foo
+    # -- Reference to custom Issuer.
+    issuer:
+      # -- Generates an Issuer resource with Cert-manager
+      generate: true
+      # -- Custom Issuer name. Required when generate: false
+      name: foo-org-ca
+      # -- Custom Issuer kind. Required when generate: false
+      kind: ClusterIssuer
+      # -- Custom Issuer group. Required when generate: false
+      group: cert-manager.io
 
 permissions:
   metricServer: