Create cert-manager (#238)

* Cert-Manager created

Co-authored-by: Aaron Frey <aaron.frey@cloudogu.com>

---------

Co-authored-by: Aaron Frey <aaron.frey@cloudogu.com>
Co-authored-by: Thomas Michael <thomas.michael@cloudogu.com>

Author: 3 people

README.md

@@ -8,7 +8,7 @@ Creates a complete GitOps-based operational stack on your Kubernetes clusters:
 * Notifications/Alerts: Grafana and ArgoCD can be predefined with either an external mailserver or [MailHog](https://github.com/mailhog/MailHog) for demo purposes.
 * Pipelines: Example applications using [Jenkins](#jenkins) with the [gitops-build-lib](https://github.com/cloudogu/gitops-build-lib) and [SCM-Manager](#scm-manager)
 * Ingress Controller: [ingress-nginx](https://github.com/kubernetes/ingress-nginx/)
-* Certificate Management: (planned)
+* Certificate Management: [cert-manager](#certificate-management)
 * Runs on: 
   * local cluster (try it [with only one command](#tldr)), 
   * in the public cloud, 
@@ -551,6 +551,20 @@ Set the parameter `--vault=[dev|prod]` to enable deployment of secret management
 secrets operator.
 See [Secrets management tools](#secrets-managment-tools) for details.
 
+##### Certificate Management
+Is implemented by cert-manager. 
+Set the parameter `--cert-manager` to enable cert-manager.
+For custom images use this parameters to override defaults:
+- --cert-manager-image 
+- --cert-manager-webhook-image 
+- --cert-manager-cainjector-image 
+- --cert-manager-acme-solver-image
+- --cert-manager-startup-api-check-image
+
+i.e.
+```
+--cert-manager-image someRegistry/cert-manager-controller:latest
+``` 
 ### Remove playground
 
 For k3d, you can just `k3d cluster delete gitops-playground`. This will delete the whole cluster.

applications/cluster-resources/certManager-helm-values.ftl.yaml

@@ -0,0 +1,106 @@
+<#assign DockerImageParser=statics['com.cloudogu.gitops.utils.DockerImageParser']>
+<#if config.registry.createImagePullSecrets == true>
+global:
+  imagePullSecrets:
+    - name: proxy-registry
+</#if>
+
+<#if config.application.podResources == true>
+resources:
+  limits:
+     cpu: '1'
+     memory: 400Mi
+  requests:
+    cpu: 30m
+    memory: 400Mi
+</#if>
+<#if config.application.skipCrds != true>
+crds:
+  enabled: true
+</#if>
+
+<#if config.features.certManager.helm.image?has_content>
+<#assign imageObject = DockerImageParser.parse(config.features.certManager.helm.image)>
+image:
+  repository: ${imageObject.registryAndRepositoryAsString}
+  tag: ${imageObject.tag}
+</#if>
+
+<#--webhookImage-->
+<#if config.application.podResources == true || config.features.certManager.helm.webhookImage?has_content>
+webhook:
+  <#if config.application.podResources == true>
+  resources:
+    limits:
+      cpu: '1'
+      memory: 30Mi
+    requests:
+      cpu: 20m
+      memory: 30Mi
+  </#if>
+  <#if config.features.certManager.helm.webhookImage?has_content>
+    <#assign imageObject = DockerImageParser.parse(config.features.certManager.helm.webhookImage)>
+  image:
+    repository: ${imageObject.registryAndRepositoryAsString}
+    tag: ${imageObject.tag}
+  </#if>
+</#if>
+<#--cainjectorImage-->
+<#if config.application.podResources == true || config.features.certManager.helm.cainjectorImage?has_content>
+cainjector:
+  <#if config.application.podResources >
+  resources:
+    limits:
+      cpu: '1'
+      memory: 400Mi
+    requests:
+      cpu: 30m
+      memory: 400Mi
+  </#if>
+  <#if config.features.certManager.helm.cainjectorImage?has_content>
+    <#assign imageObject = DockerImageParser.parse(config.features.certManager.helm.cainjectorImage)>
+  image:
+    repository: ${imageObject.registryAndRepositoryAsString}
+    tag: ${imageObject.tag}
+  </#if>
+</#if>
+
+<#--acmeSolverImage-->
+<#if config.application.podResources == true || config.features.certManager.helm.acmeSolverImage?has_content>
+acmesolver:
+  <#if config.application.podResources >
+  resources:
+    limits:
+      cpu: '1'
+      memory: 400Mi
+    requests:
+      cpu: 30m
+      memory: 400Mi
+  </#if>
+  <#if config.features.certManager.helm.acmeSolverImage?has_content>
+    <#assign imageObject = DockerImageParser.parse(config.features.certManager.helm.acmeSolverImage)>
+  image:
+    repository: ${imageObject.registryAndRepositoryAsString}
+    tag: ${imageObject.tag}
+  </#if>
+</#if>
+
+<#--startupAPICheckImage-->
+<#if config.application.podResources == true || config.features.certManager.helm.startupAPICheckImage?has_content>
+startupapicheck:
+  <#if config.application.podResources >
+  resources:
+    limits:
+      cpu: '1'
+      memory: 400Mi
+    requests:
+      cpu: 30m
+      memory: 400Mi
+  </#if>
+  <#if config.features.certManager.helm.startupAPICheckImage?has_content>
+    <#assign imageObject = DockerImageParser.parse(config.features.certManager.helm.startupAPICheckImage)>
+  image:
+    repository: ${imageObject.registryAndRepositoryAsString}
+    tag: ${imageObject.tag}
+  </#if>
+</#if>

argocd/argocd/argocd/values.ftl.yaml

@@ -105,6 +105,10 @@ argo-cd:
         name: codecentric
         type: helm
         url: https://codecentric.github.io/helm-charts
+      cert-manager:
+          name: cert-manager
+          type: helm
+          url:  https://charts.jetstack.io
       argo-helm-repo:
         type: helm
         url: https://argoproj.github.io/argo-helm

argocd/argocd/projects/cluster-resources.ftl.yaml

@@ -22,12 +22,14 @@ spec:
   - ${scmm.baseUrl}/repo/3rd-party-dependencies/ingress-nginx
   - ${scmm.baseUrl}/repo/3rd-party-dependencies/external-secrets
   - ${scmm.baseUrl}/repo/3rd-party-dependencies/vault
+  - ${scmm.baseUrl}/repo/3rd-party-dependencies/cert-manager
 <#else>
   - https://prometheus-community.github.io/helm-charts
   - https://codecentric.github.io/helm-charts
   - https://kubernetes.github.io/ingress-nginx
   - https://helm.releases.hashicorp.com
   - https://charts.external-secrets.io
+  - https://charts.jetstack.io
 </#if>
 
   # allow to only see application resources from the specified namespace

docs/configuration.schema.json

@@ -169,6 +169,60 @@
           "additionalProperties" : false,
           "description" : "Configuration Parameter for the ArgoCD Operator"
         },
+        "certManager" : {
+          "type" : "object",
+          "properties" : {
+            "active" : {
+              "type" : "boolean",
+              "description" : "Sets and enables Cert Manager"
+            },
+            "helm" : {
+              "type" : "object",
+              "properties" : {
+                "acmeSolverImage" : {
+                  "type" : "string",
+                  "description" : "Sets acmeSolver Image for Cert Manager"
+                },
+                "cainjectorImage" : {
+                  "type" : "string",
+                  "description" : "Sets cainjector Image for Cert Manager"
+                },
+                "chart" : {
+                  "type" : "string",
+                  "description" : "Name of the Helm chart"
+                },
+                "image" : {
+                  "type" : "string",
+                  "description" : "Sets image for Cert Manager"
+                },
+                "repoURL" : {
+                  "type" : "string",
+                  "description" : "Repository url from which the Helm chart should be obtained"
+                },
+                "startupAPICheckImage" : {
+                  "type" : "string",
+                  "description" : "Sets startupAPICheck Image for Cert Manager"
+                },
+                "values" : {
+                  "$ref" : "#/$defs/Map(String,Object)",
+                  "description" : "Helm values of the chart, allows overriding defaults and setting values that are not exposed as explicit configuration"
+                },
+                "version" : {
+                  "type" : "string",
+                  "description" : "The version of the Helm chart to be installed"
+                },
+                "webhookImage" : {
+                  "type" : "string",
+                  "description" : "Sets webhook Image for Cert Manager"
+                }
+              },
+              "additionalProperties" : false,
+              "description" : "Common Config parameters for the Helm package manager: Name of Chart (chart), URl of Helm-Repository (repoURL) and Chart Version (version). Note: These config is intended to obtain the chart from a different source (e.g. in air-gapped envs), not to use a different version of a helm chart. Using a different helm chart or version to the one used in the GOP version will likely cause errors."
+            }
+          },
+          "additionalProperties" : false,
+          "description" : "Config parameters for the Cert Manager"
+        },
         "exampleApps" : {
           "type" : "object",
           "properties" : {

docs/developers.md

@@ -391,6 +391,7 @@ notary:
 
 Then install it like so:
 ```bash
+helm repo add harbor https://helm.goharbor.io
 helm upgrade -i my-harbor harbor/harbor -f harbor-values.yaml --version 1.14.2 --namespace harbor --create-namespace
 ```
 Once it's up and running either create your own private project or just set the existing `library` to private:
@@ -479,6 +480,11 @@ skopeo copy docker://quay.io/prometheus/prometheus:v2.51.2 --dest-creds Proxy:Pr
 skopeo copy docker://quay.io/prometheus-operator/prometheus-config-reloader:v0.73.2 --dest-creds Proxy:Proxy12345 --dest-tls-verify=false docker://localhost:30000/proxy/prometheus-config-reloader
 skopeo copy docker://grafana/grafana:10.4.1 --dest-creds Proxy:Proxy12345 --dest-tls-verify=false docker://localhost:30000/proxy/grafana
 skopeo copy docker://quay.io/kiwigrid/k8s-sidecar:1.27.4 --dest-creds Proxy:Proxy12345 --dest-tls-verify=false docker://localhost:30000/proxy/k8s-sidecar
+# Cert Manager images
+skopeo copy docker://quay.io/jetstack/cert-manager-controller:v1.16.1 --dest-creds Proxy:Proxy12345 --dest-tls-verify=false docker://localhost:30000/proxy/cert-manager-controller
+skopeo copy docker://quay.io/jetstack/cert-manager-cainjector:v1.16.1 --dest-creds Proxy:Proxy12345 --dest-tls-verify=false docker://localhost:30000/proxy/cert-manager-cainjector
+skopeo copy docker://quay.io/jetstack/cert-manager-webhook:v1.16.1 --dest-creds Proxy:Proxy12345 --dest-tls-verify=false docker://localhost:30000/proxy/cert-manager-webhook
+
 ```
 
 * Deploy playground:

scripts/downloadHelmCharts.sh

@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 set -o errexit -o nounset -o pipefail
 
-charts=( 'monitoring' 'externalSecrets' 'vault' 'mailhog' 'ingressNginx')
+charts=( 'monitoring' 'externalSecrets' 'vault' 'mailhog' 'ingressNginx' 'certManager')
 APPLICATION_CONFIGURATOR_GROOVY="${1:-src/main/groovy/com/cloudogu/gitops/config/ApplicationConfigurator.groovy}"
 
 tmpRepoFile="$(mktemp)"
@@ -10,12 +10,18 @@ mkdir -p charts
 
 for chart in "${charts[@]}"; do
   chartDetails=$(grep -EA10 "${chart}.*:" "${APPLICATION_CONFIGURATOR_GROOVY}" \
-  | grep -m1 -EA5 'helm.*:')
-  
+  | grep -m1 -EA5 'helm.*:' || true)
+  if [[ -z "$chartDetails" ]]; then
+    echo "Did not find chart details for chart $chart in file ${APPLICATION_CONFIGURATOR_GROOVY} " >&2
+    exit 1
+  fi
   repo=$(echo "$chartDetails"  | grep -oP "repoURL\s*:\s*'\K[^']+")
   chart=$(echo "$chartDetails" | grep -oP "chart\s*:\s*'\K[^']+") 
   version=$(echo "$chartDetails" | grep -oP "version\s*:\s*'\K[^']+")
-  
+
+  # avoid Error: failed to untar: a file or directory with the name charts/$chart already exists
+  rm -rf "./charts/$chart"
+
   helm repo add "$chart" "$repo" --repository-config="${tmpRepoFile}"
   helm pull --untar --untardir ./charts "$chart/$chart" --version "$version" --repository-config="${tmpRepoFile}"
   # Note that keeping charts as tgx would need only 1/10 of storage

src/main/groovy/com/cloudogu/gitops/cli/GitopsPlaygroundCli.groovy

@@ -57,7 +57,7 @@ class GitopsPlaygroundCli  implements Runnable {
     private String registryPasswordReadOnly
     @Option(names = ['--create-image-pull-secrets'], description = REGISTRY_CREATE_IMAGE_PULL_SECRETS_DESCRIPTION)
     private Boolean createImagePullSecrets
-    
+
     // args group jenkins
     @Option(names = ['--jenkins-url'], description = JENKINS_URL_DESCRIPTION)
     private String jenkinsUrl
@@ -231,6 +231,28 @@ class GitopsPlaygroundCli  implements Runnable {
     @Option(names = ['--ingress-nginx-image'], description = HELM_CONFIG_IMAGE_DESCRIPTION)
     private String ingressNginxImage
 
+    // args certManager
+    @Option(names = ['--cert-manager'], description = CERTMANAGER_ENABLE_DESCRIPTION)
+    private Boolean certManager
+
+    @Option(names = ['--cert-manager-image'], description = CERTMANAGER_IMAGE_DESCRIPTION)
+    private String certManagerImage
+
+    @Option(names = ['--cert-manager-webhook-image'], description = CERTMANAGER_WEBHOOK_IMAGE_DESCRIPTION)
+    private String webhookImage
+
+    @Option(names = ['--cert-manager-cainjector-image'], description = CERTMANAGER_CAINJECTOR_IMAGE_DESCRIPTION)
+    private String cainjectorImage
+
+    @Option(names = ['--cert-manager-acme-solver-image'], description = CERTMANAGER_ACME_SOLVER_IMAGE_DESCRIPTION)
+    private String acmeSolverImage
+
+    @Option(names = ['--cert-manager-startup-api-check-image'], description = CERTMANAGER_STARTUP_API_CHECK_IMAGE_DESCRIPTION)
+    private String startupAPICheckImage
+
+
+
+
     @Override
     void run() {
         setLogging()
@@ -508,6 +530,16 @@ class GitopsPlaygroundCli  implements Runnable {
                                        image: ingressNginxImage
                                ]
                         ],
+                        certManager: [
+                                active: certManager,
+                                helm: [
+                                    image: certManagerImage,
+                                    webhookImage: webhookImage,
+                                    cainjectorImage: cainjectorImage,
+                                    acmeSolverImage: acmeSolverImage,
+                                    startupAPICheckImage: startupAPICheckImage
+                                ]
+                        ],
 
                 ]
         ]

src/main/groovy/com/cloudogu/gitops/cli/GitopsPlaygroundCliMainScripted.groovy

@@ -116,6 +116,7 @@ class GitopsPlaygroundCliMainScripted {
                         new Content(config,k8sClient),
                         new ArgoCD(config, k8sClient, helmClient, fileSystemUtils, scmmRepoProvider),
                         new IngressNginx(config, fileSystemUtils, deployer, k8sClient, airGappedUtils),
+                        new CertManager(config,fileSystemUtils, deployer, k8sClient, airGappedUtils),
                         new Mailhog(config, fileSystemUtils, deployer, k8sClient, airGappedUtils),
                         new PrometheusStack(config, fileSystemUtils, deployer, k8sClient, airGappedUtils, scmmRepoProvider),
                         new ExternalSecretsOperator(config, fileSystemUtils, deployer, k8sClient, airGappedUtils),