From 967773e71d209ce3ffe2472050673deef28ead1d Mon Sep 17 00:00:00 2001
From: Shubham Gupta <69793468+shubham-cmyk@users.noreply.github.com>
Date: Sat, 9 Sep 2023 19:10:43 +0530
Subject: [PATCH] Fix : Helm Chart Cert Issues (#134)

* Fix : Helm Chart

Signed-off-by: Shubham Gupta

* fix : markdown lint

Signed-off-by: Shubham Gupta

---------

Signed-off-by: Shubham Gupta
---
 charts/redis-operator/Chart.lock | 6 +-
 charts/redis-operator/Chart.yaml | 2 +-
 charts/redis-operator/readme.md | 87 +++++++++++++++++++
 .../templates/cert-manager.yaml | 20 ++++-
 charts/redis-operator/values.yaml | 12 ++-
 5 files changed, 117 insertions(+), 10 deletions(-)
 create mode 100644 charts/redis-operator/readme.md

diff --git a/charts/redis-operator/Chart.lock b/charts/redis-operator/Chart.lock
index 7f5e278b..da0c6637 100644
--- a/charts/redis-operator/Chart.lock
+++ b/charts/redis-operator/Chart.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: cert-manager
   repository: https://charts.jetstack.io
-  version: v1.12.0
-digest: sha256:53d7c67c6ffe1c0bd5f85483d855353541d829127716ffc07b385b43c46e8e06
-generated: "2023-09-05T12:33:57.385581085+05:30"
+  version: v1.12.4
+digest: sha256:59620acecec8286044638610b9aeeb0df7282987a8d5251dfa52c9742df41198
+generated: "2023-09-09T00:52:20.011999198+05:30"
diff --git a/charts/redis-operator/Chart.yaml b/charts/redis-operator/Chart.yaml
index e30b5c6a..e39156bd 100644
--- a/charts/redis-operator/Chart.yaml
+++ b/charts/redis-operator/Chart.yaml
@@ -22,7 +22,7 @@ keywords:
 dependencies:
 - name: cert-manager
-  version: v1.12.0
+  version: v1.12.4
   repository: https://charts.jetstack.io
   alias: cert-manager
   condition: cert-manager.enabled
\ No newline at end of file
diff --git a/charts/redis-operator/readme.md b/charts/redis-operator/readme.md
new file mode 100644
index 00000000..f4f03236
--- /dev/null
+++ b/charts/redis-operator/readme.md
@@ -0,0 +1,87 @@
+# Redis Operator Helm Chart
+
+## Introduction
+
+This Helm chart deploys the redis-operator into your Kubernetes cluster. The operator facilitates the deployment, scaling, and management of Redis clusters and other Redis resources provided by the OpsTree Solutions team.
+
+## Pre-requisites
+
+- Helm v3+
+- Kubernetes v1.16+
+- If you intend to use the cert-manager, ensure that the cert-manager CRDs are installed before deploying the redis-operator.
+
+## Installation Steps
+
+### 1. Add Helm Repository
+
+```bash
+helm repo add ot-helm https://ot-container-kit.github.io/helm-charts
+```
+
+### 2. Install Cert-Manager CRDs (if using cert-manager)
+
+If you plan to use cert-manager with the redis-operator, you need to install the cert-manager CRDs before deploying the operator.
+
+```bash
+kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.12.4/cert-manager.crds.yaml
+```
+
+### 3. Install Redis Operator
+
+Replace `` and `` with your specific values.
+
+```bash
+helm install ot-helm/redis-operator --version=0.15.4 --appVersion=0.15.1 --set certificate.secretName= --set cert-manager=true --namespace --create-namespace
+```
+
+### 4. Patch the CA Bundle (if using cert-manager)
+
+```bash
+kubectl patch crd redis.redis.redis.opstreelabs.in -p '{"metadata":{"annotations":{"cert-manager.io/inject-ca-from":"/"}}}'
+
+kubectl patch crd redisclusters.redis.redis.opstreelabs.in -p '{"metadata":{"annotations":{"cert-manager.io/inject-ca-from":"/"}}}'
+
+kubectl patch crd redisreplications.redis.redis.opstreelabs.in -p '{"metadata":{"annotations":{"cert-manager.io/inject-ca-from":"/"}}}'
+
+kubectl patch crd redissentinels.redis.redis.opstreelabs.in -p '{"metadata":{"annotations":{"cert-manager.io/inject-ca-from":"/"}}}'
+```
+
+> Note: Replace `` and `` with your specific values i.e. release name and certificate name.
+
+#### You can verify the patch by running the following commands
+
+```bash
+kubectl get crd redis.redis.redis.opstreelabs.in -o=jsonpath='{.metadata.annotations}'
+kubectl get crd redisclusters.redis.redis.opstreelabs.in -o=jsonpath='{.metadata.annotations}'
+kubectl get crd redisreplications.redis.redis.opstreelabs.in -o=jsonpath='{.metadata.annotations}'
+kubectl get crd redissentinels.redis.redis.opstreelabs.in -o=jsonpath='{.metadata.annotations}'
+```
+
+### How to generate private key
+
+```bash
+openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt
+kubectl create secret tls --key tls.key --cert tls.crt -n
+```
+
+## Default Values
+
+| Parameter | Description | Default |
+|-------------------------------------|------------------------------------|--------------------------------------------------------------|
+| `redisOperator.name` | Operator name | `redis-operator` |
+| `redisOperator.imageName` | Image repository | `quay.io/opstree/redis-operator` |
+| `redisOperator.imageTag` | Image tag | |
+| `redisOperator.imagePullPolicy` | Image pull policy | `Always` |
+| `resources.limits.cpu` | CPU limit | `500m` |
+| `resources.limits.memory` | Memory limit | `500Mi` |
+| `resources.requests.cpu` | CPU request | `500m` |
+| `resources.requests.memory` | Memory request | `500Mi` |
+| `replicas` | Number of replicas | `1` |
+| `serviceAccountName` | Service account name | `redis-operator` |
+| `certificate.name` | Certificate name | `serving-cert` |
+| `certificate.secretName` | Certificate secret name | `webhook-server-cert` |
+| `issuer.name` | Issuer name | `letsencrypt-prod` |
+| `issuer.email` | Issuer email | `shubham.gupta@opstree.com` |
+| `issuer.server` | Issuer server URL | `https://acme-v02.api.letsencrypt.org/directory` |
+| `issuer.privateKeySecretName` | Private key secret name | `letsencrypt-prod` |
+| `cert-manager.enabled` | Enable cert-manager | `true` |
diff --git a/charts/redis-operator/templates/cert-manager.yaml b/charts/redis-operator/templates/cert-manager.yaml
index b9ebc244..13e830d2 100644
--- a/charts/redis-operator/templates/cert-manager.yaml
+++ b/charts/redis-operator/templates/cert-manager.yaml
@@ -1,7 +1,8 @@
+{{ if ".Values.cert-manager.enabled" }}
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
-  name: redis-operator-issuer
+  name: {{ .Values.issuer.name }}
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: {{ .Values.redisOperator.name }}
@@ -13,6 +14,15 @@ metadata:
     app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   selfSigned: {}
+  # acme:
+  #   email: {{ .Values.issuer.email }}
+  #   server: {{ .Values.issuer.server }}
+  #   privateKeySecretRef:
+  #     name: {{ .Values.issuer.privateKeySecretName }}
+  #   solvers:
+  #   - http01:
+  #       ingress:
+  #         class: {{ .Values.issuer.solver.ingressClass }}
 
 ---
 
@@ -31,9 +41,11 @@ metadata:
     app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   dnsNames:
-  - {{ .Values.service.name }}.{{ .Values.service.namespace }}.svc
-  - {{ .Values.service.name }}.{{ .Values.service.namespace }}.svc.cluster.local
+    - {{ .Values.service.name }}.{{ .Values.service.namespace }}.svc
+    - {{ .Values.service.name }}.{{ .Values.service.namespace }}.svc.cluster.local
   issuerRef:
     kind: Issuer
-    name: redis-operator-issuer
+    name: {{ .Values.issuer.name }}
   secretName: {{ .Values.certificate.secretName }}
+
+{{ end }}
\ No newline at end of file
diff --git a/charts/redis-operator/values.yaml b/charts/redis-operator/values.yaml
index da7cb698..c7acb233 100644
--- a/charts/redis-operator/values.yaml
+++ b/charts/redis-operator/values.yaml
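Review bot: The new guard `{{ if ".Values.cert-manager.enabled" }}` at the top of cert-manager.yaml tests a quoted string literal, which is always truthy in Go templates, so the Issuer and Certificate render even when `cert-manager.enabled=false` and the subchart is skipped by the Chart.yaml condition; on a cluster without the cert-manager CRDs that install would then fail on the unrecognised `cert-manager.io/v1` kinds. The hyphenated key cannot be reached with dot notation, which is presumably why it was quoted; the working form is `{{- if index .Values "cert-manager" "enabled" }}`, paired with the `{{ end }}` the third hunk of this file adds. The Issuer's name now also comes from `issuer.name`, whose default in values.yaml is `letsencrypt-prod` while the spec stays `selfSigned: {}`, so the rendered object name misdescribes what it issues.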
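Review bot: The commented-out `acme:` block added under `selfSigned: {}` is a YAML comment but not a template comment, so Helm still evaluates the five `{{ .Values.issuer.* }}` actions inside it on every render; a user who overrides `issuer` without the nested `solver` map gets a nil-pointer rendering error from `{{ .Values.issuer.solver.ingressClass }}`, in a block that contributes nothing to the output. Wrap it as `{{- /*` … `*/}}` so it is stripped before evaluation, or remove it and keep the ACME example in the readme. If the intent is a real switch between a self-signed and an ACME issuer, that should be an `if`/`else` on a value rather than a comment users are expected to edit in place.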
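Review bot: The Certificate's `dnsNames` build the SANs from `.Values.service.namespace`, while the Certificate and the Issuer it references are placed in `.Release.Namespace`; this hunk only re-indents those two lines, but the mismatch is worth fixing while the file is being touched. A release installed into a namespace other than the value's default would get a serving certificate whose SANs do not match the webhook Service's in-cluster DNS name, and the API server would then refuse the webhook TLS handshake. Unless `service.namespace` is deliberately decoupled from the release namespace (its default is not visible from here), use `- {{ .Values.service.name }}.{{ .Release.Namespace }}.svc` and the same substitution for the `.svc.cluster.local` entry. The closing `{{ end }}` is also written without a trailing newline, as the `\ No newline at end of file` marker shows.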
@@ -44,6 +44,14 @@ certificate:
   name: serving-cert
   secretName: webhook-server-cert
 
+issuer:
+  name: letsencrypt-prod
+  email: shubham.gupta@opstree.com
+  server: https://acme-v02.api.letsencrypt.org/directory
+  privateKeySecretName: letsencrypt-prod
+  solver:
+    enabled: true
+    ingressClass: nginx
+
 cert-manager:
-  enabled: true
-  installCRDs: true
\ No newline at end of file
+  enabled: true
\ No newline at end of file
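Review bot: The new `issuer` block defaults to an ACME/Let's Encrypt configuration (`email: shubham.gupta@opstree.com`, `server: https://acme-v02.api.letsencrypt.org/directory`, `privateKeySecretName`, `solver`), but the template only renders `selfSigned: {}` and reads none of these keys except `name`, so they are dead values that bake a personal e-mail address into the chart defaults. Either drop them until an ACME path exists or mark them with a comment such as `# unused: the Issuer is self-signed; kept for a future ACME option`, and default `name` to the previous `redis-operator-issuer` so an upgrade does not replace the Issuer with one named `letsencrypt-prod` that self-signs. Removing `installCRDs: true` from the `cert-manager` subchart values also changes upgrade behaviour silently: a user upgrading with `cert-manager.enabled: true` now has to apply the CRDs beforehand (the readme documents the step), which a comment above `cert-manager:` like `# the subchart no longer installs cert-manager CRDs; apply them first, see readme.md` would surface where values are actually edited.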