Fix : Helm Chart Cert Issues (#134)

* Fix : Helm Chart

Signed-off-by: Shubham Gupta <[email protected]>

* fix : markdown lint

Signed-off-by: Shubham Gupta <[email protected]>

---------

Signed-off-by: Shubham Gupta <[email protected]>

charts/redis-operator/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: cert-manager
   repository: https://charts.jetstack.io
-  version: v1.12.0
-digest: sha256:53d7c67c6ffe1c0bd5f85483d855353541d829127716ffc07b385b43c46e8e06
-generated: "2023-09-05T12:33:57.385581085+05:30"
+  version: v1.12.4
+digest: sha256:59620acecec8286044638610b9aeeb0df7282987a8d5251dfa52c9742df41198
+generated: "2023-09-09T00:52:20.011999198+05:30"

charts/redis-operator/Chart.yaml

@@ -22,7 +22,7 @@ keywords:
 
 dependencies:
   - name: cert-manager
-    version: v1.12.0
+    version: v1.12.4
     repository: https://charts.jetstack.io
     alias: cert-manager
     condition: cert-manager.enabled

charts/redis-operator/readme.md

@@ -0,0 +1,87 @@
+# Redis Operator Helm Chart
+
+## Introduction
+
+This Helm chart deploys the redis-operator into your Kubernetes cluster. The operator facilitates the deployment, scaling, and management of Redis clusters and other Redis resources provided by the OpsTree Solutions team.
+
+## Pre-requisites
+
+- Helm v3+
+- Kubernetes v1.16+
+- If you intend to use the cert-manager, ensure that the cert-manager CRDs are installed before deploying the redis-operator.
+
+## Installation Steps
+
+### 1. Add Helm Repository
+
+```bash
+helm repo add ot-helm https://ot-container-kit.github.io/helm-charts
+```
+
+### 2. Install Cert-Manager CRDs (if using cert-manager)
+
+If you plan to use cert-manager with the redis-operator, you need to install the cert-manager CRDs before deploying the operator.
+
+```bash
+kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.12.4/cert-manager.crds.yaml
+```
+
+### 3. Install Redis Operator
+
+Replace `<YourCertSecretName>` and `<YourPrivateKey>` with your specific values.
+
+```bash
+helm install <redis-operator> ot-helm/redis-operator --version=0.15.4 --appVersion=0.15.1 --set certificate.secretName=<YourCertSecretName> --set cert-manager=true --namespace <redis-operator> --create-namespace
+```
+
+### 4. Patch the CA Bundle (if using cert-manager)
+
+```bash
+kubectl patch crd redis.redis.redis.opstreelabs.in -p '{"metadata":{"annotations":{"cert-manager.io/inject-ca-from":"<redis-operator>/<serving-cert>"}}}'
+
+kubectl patch crd redisclusters.redis.redis.opstreelabs.in -p '{"metadata":{"annotations":{"cert-manager.io/inject-ca-from":"<redis-operator>/<serving-cert>"}}}'
+
+kubectl patch crd redisreplications.redis.redis.opstreelabs.in -p '{"metadata":{"annotations":{"cert-manager.io/inject-ca-from":"<redis-operator>/<serving-cert>"}}}'
+
+kubectl patch crd redissentinels.redis.redis.opstreelabs.in -p '{"metadata":{"annotations":{"cert-manager.io/inject-ca-from":"<redis-operator>/<serving-cert>"}}}'
+```
+
+> Note: Replace `<redis-operator>` and `<serving-cert>` with your specific values i.e. release name and certificate name.
+
+#### You can verify the patch by running the following commands
+
+```bash
+kubectl get crd redis.redis.redis.opstreelabs.in -o=jsonpath='{.metadata.annotations}'
+kubectl get crd redisclusters.redis.redis.opstreelabs.in -o=jsonpath='{.metadata.annotations}'
+kubectl get crd redisreplications.redis.redis.opstreelabs.in -o=jsonpath='{.metadata.annotations}'
+kubectl get crd redissentinels.redis.redis.opstreelabs.in -o=jsonpath='{.metadata.annotations}'
+```
+
+### How to generate private key
+
+```bash
+openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt
+kubectl create secret tls <webhook-server-cert> --key tls.key --cert tls.crt -n <redis-operator>
+```
+
+## Default Values
+
+| Parameter                           | Description                        | Default                                                      |
+|-------------------------------------|------------------------------------|--------------------------------------------------------------|
+| `redisOperator.name`                | Operator name                      | `redis-operator`                                             |
+| `redisOperator.imageName`           | Image repository                   | `quay.io/opstree/redis-operator`                             |
+| `redisOperator.imageTag`            | Image tag                          |                                                              |
+| `redisOperator.imagePullPolicy`     | Image pull policy                  | `Always`                                                     |
+| `resources.limits.cpu`              | CPU limit                          | `500m`                                                      |
+| `resources.limits.memory`           | Memory limit                       | `500Mi`                                                     |
+| `resources.requests.cpu`            | CPU request                        | `500m`                                                      |
+| `resources.requests.memory`         | Memory request                     | `500Mi`                                                     |
+| `replicas`                          | Number of replicas                 | `1`                                                         |
+| `serviceAccountName`                | Service account name               | `redis-operator`                                             |
+| `certificate.name`                  | Certificate name                   | `serving-cert`                                               |
+| `certificate.secretName`            | Certificate secret name            | `webhook-server-cert`                                        |
+| `issuer.name`                       | Issuer name                        | `letsencrypt-prod`                                           |
+| `issuer.email`                      | Issuer email                       | `[email protected]`                                  |
+| `issuer.server`                     | Issuer server URL                  | `https://acme-v02.api.letsencrypt.org/directory`            |
+| `issuer.privateKeySecretName`       | Private key secret name            | `letsencrypt-prod`                                           |
+| `cert-manager.enabled`              | Enable cert-manager                | `true`                                                       |

charts/redis-operator/templates/cert-manager.yaml

@@ -1,7 +1,8 @@
+{{ if ".Values.cert-manager.enabled" }}
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
-  name: redis-operator-issuer
+  name: {{ .Values.issuer.name }}
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: {{ .Values.redisOperator.name }}
@@ -13,6 +14,15 @@ metadata:
     app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   selfSigned: {}
+  # acme:
+  #   email: {{ .Values.issuer.email }}
+  #   server: {{ .Values.issuer.server }}
+  #   privateKeySecretRef:
+  #     name: {{ .Values.issuer.privateKeySecretName }}
+  #   solvers:
+  #   - http01:
+  #       ingress:
+  #         class: {{ .Values.issuer.solver.ingressClass }}
 
 ---
 
@@ -31,9 +41,11 @@ metadata:
     app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   dnsNames:
-  - {{ .Values.service.name }}.{{ .Values.service.namespace }}.svc
-  - {{ .Values.service.name }}.{{ .Values.service.namespace }}.svc.cluster.local
+    - {{ .Values.service.name }}.{{ .Values.service.namespace }}.svc
+    - {{ .Values.service.name }}.{{ .Values.service.namespace }}.svc.cluster.local
   issuerRef:
     kind: Issuer
-    name: redis-operator-issuer
+    name: {{ .Values.issuer.name }}
   secretName: {{ .Values.certificate.secretName }}
+
+{{ end }}

charts/redis-operator/values.yaml

@@ -44,6 +44,14 @@ certificate:
   name: serving-cert
   secretName: webhook-server-cert
 
+issuer:
+  name: letsencrypt-prod
+  email: [email protected]
+  server: https://acme-v02.api.letsencrypt.org/directory
+  privateKeySecretName: letsencrypt-prod
+  solver:
+    enabled: true
+    ingressClass: nginx
+
 cert-manager:
-  enabled: true
-  installCRDs: true
+  enabled: true