deps: Update cert manager to 1.12.6 (#2700)

* deps: bump cert manager to 1.13.2

* helm: allow minor jump for cert-manager

internal/constellation/helm/BUILD.bazel

@@ -453,6 +453,10 @@ go_library(
         "charts/cilium/templates/spire/server/service.yaml",
         "charts/cilium/templates/spire/server/serviceaccount.yaml",
         "charts/cilium/templates/spire/server/statefulset.yaml",
+        "charts/cert-manager/templates/cainjector-poddisruptionbudget.yaml",
+        "charts/cert-manager/templates/controller-config.yaml",
+        "charts/cert-manager/templates/poddisruptionbudget.yaml",
+        "charts/cert-manager/templates/webhook-poddisruptionbudget.yaml",
     ],
     importpath = "github.com/edgelesssys/constellation/v2/internal/constellation/helm",
     visibility = ["//:__subpackages__"],

internal/constellation/helm/actionfactory.go

@@ -122,7 +122,7 @@ func (a actionFactory) appendNewAction(
 			if err := newVersion.IsUpgradeTo(currentVersion); err != nil {
 				// TODO(3u13r): Remove when Constellation v2.14 is released.
 				// We need to ignore that we jump from Cilium v1.12 to v1.15-pre. We have verified that this works.
-				if !(errors.Is(err, compatibility.ErrMinorDrift) && release.releaseName == "cilium") {
+				if !(errors.Is(err, compatibility.ErrMinorDrift) && (release.releaseName == "cilium" || release.releaseName == "cert-manager")) {
 					return fmt.Errorf("invalid upgrade for %s: %w", release.releaseName, err)
 				}
 			}

internal/constellation/helm/charts/cert-manager/Chart.yaml

@@ -4,7 +4,7 @@ annotations:
     fingerprint: 1020CF3C033D4F35BAE1C19E1226061C665DF13E
     url: https://cert-manager.io/public-keys/cert-manager-keyring-2021-09-20-1020CF3C033D4F35BAE1C19E1226061C665DF13E.gpg
 apiVersion: v1
-appVersion: v1.10.0
+appVersion: v1.12.6
 description: A Helm chart for cert-manager
 home: https://github.com/cert-manager/cert-manager
 icon: https://raw.githubusercontent.com/cert-manager/cert-manager/d53c0b9270f8cd90d908460d69502694e1838f5f/logo/logo-small.png
@@ -13,12 +13,12 @@ keywords:
 - kube-lego
 - letsencrypt
 - tls
-kubeVersion: '>= 1.20.0-0'
+kubeVersion: '>= 1.22.0-0'
 maintainers:
 - email: [email protected]
   name: cert-manager-maintainers
   url: https://cert-manager.io
 name: cert-manager
 sources:
 - https://github.com/cert-manager/cert-manager
-version: v1.10.0
+version: v1.12.6

internal/constellation/helm/charts/cert-manager/templates/cainjector-deployment.yaml

@@ -90,6 +90,10 @@ spec:
           resources:
             {{- toYaml . | nindent 12 }}
           {{- end }}
+          {{- with .Values.cainjector.volumeMounts }}
+          volumeMounts:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
       {{- with .Values.cainjector.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
@@ -106,4 +110,8 @@ spec:
       topologySpreadConstraints:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with .Values.cainjector.volumes }}
+      volumes:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
 {{- end }}

internal/constellation/helm/charts/cert-manager/templates/cainjector-poddisruptionbudget.yaml

@@ -0,0 +1,26 @@
+{{- if .Values.cainjector.podDisruptionBudget.enabled }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{ include "cainjector.fullname" . }}
+  namespace: {{ include "cert-manager.namespace" . }}
+  labels:
+    app: {{ include "cainjector.name" . }}
+    app.kubernetes.io/name: {{ include "cainjector.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component: "cainjector"
+    {{- include "labels" . | nindent 4 }}
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: {{ include "cainjector.name" . }}
+      app.kubernetes.io/instance: {{ .Release.Name }}
+      app.kubernetes.io/component: "cainjector"
+
+  {{- with .Values.cainjector.podDisruptionBudget.minAvailable }}
+  minAvailable: {{ . }}
+  {{- end }}
+  {{- with .Values.cainjector.podDisruptionBudget.maxUnavailable }}
+  maxUnavailable: {{ . }}
+  {{- end }}
+{{- end }}

internal/constellation/helm/charts/cert-manager/templates/cainjector-rbac.yaml

@@ -22,13 +22,13 @@ rules:
     verbs: ["get", "create", "update", "patch"]
   - apiGroups: ["admissionregistration.k8s.io"]
     resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
-    verbs: ["get", "list", "watch", "update"]
+    verbs: ["get", "list", "watch", "update", "patch"]
   - apiGroups: ["apiregistration.k8s.io"]
     resources: ["apiservices"]
-    verbs: ["get", "list", "watch", "update"]
+    verbs: ["get", "list", "watch", "update", "patch"]
   - apiGroups: ["apiextensions.k8s.io"]
     resources: ["customresourcedefinitions"]
-    verbs: ["get", "list", "watch", "update"]
+    verbs: ["get", "list", "watch", "update", "patch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

internal/constellation/helm/charts/cert-manager/templates/controller-config.yaml

@@ -0,0 +1,25 @@
+{{- if .Values.config -}}
+  {{- if not .Values.config.apiVersion -}}
+    {{- fail "config.apiVersion must be set" -}}
+  {{- end -}}
+
+  {{- if not .Values.config.kind -}}
+    {{- fail "config.kind must be set" -}}
+  {{- end -}}
+{{- end -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "cert-manager.fullname" . }}
+  namespace: {{ include "cert-manager.namespace" . }}
+  labels:
+    app: {{ include "cert-manager.name" . }}
+    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component: "controller"
+    {{- include "labels" . | nindent 4 }}
+data:
+  {{- if .Values.config }}
+  config.yaml: |
+    {{ .Values.config | toYaml | nindent 4 }}
+  {{- end }}