helm: allow minor jump for cert-manager

internal/constellation/helm/actionfactory.go

@@ -122,7 +122,7 @@ func (a actionFactory) appendNewAction(
 			if err := newVersion.IsUpgradeTo(currentVersion); err != nil {
 				// TODO(3u13r): Remove when Constellation v2.14 is released.
 				// We need to ignore that we jump from Cilium v1.12 to v1.15-pre. We have verified that this works.
-				if !(errors.Is(err, compatibility.ErrMinorDrift) && release.releaseName == "cilium") {
+				if !(errors.Is(err, compatibility.ErrMinorDrift) && (release.releaseName == "cilium" || release.releaseName == "cert-manager")) {
 					return fmt.Errorf("invalid upgrade for %s: %w", release.releaseName, err)
 				}
 			}

internal/constellation/helm/charts/cert-manager/Chart.yaml

@@ -1,11 +1,10 @@
 annotations:
-  artifacthub.io/license: Apache-2.0
   artifacthub.io/prerelease: "false"
   artifacthub.io/signKey: |
     fingerprint: 1020CF3C033D4F35BAE1C19E1226061C665DF13E
     url: https://cert-manager.io/public-keys/cert-manager-keyring-2021-09-20-1020CF3C033D4F35BAE1C19E1226061C665DF13E.gpg
 apiVersion: v1
-appVersion: v1.13.2
+appVersion: v1.12.6
 description: A Helm chart for cert-manager
 home: https://github.com/cert-manager/cert-manager
 icon: https://raw.githubusercontent.com/cert-manager/cert-manager/d53c0b9270f8cd90d908460d69502694e1838f5f/logo/logo-small.png
@@ -22,4 +21,4 @@ maintainers:
 name: cert-manager
 sources:
 - https://github.com/cert-manager/cert-manager
-version: v1.13.2
+version: v1.12.6

internal/constellation/helm/charts/cert-manager/templates/cainjector-deployment.yaml

@@ -45,7 +45,6 @@ spec:
       {{- if hasKey .Values.cainjector "automountServiceAccountToken" }}
       automountServiceAccountToken: {{ .Values.cainjector.automountServiceAccountToken }}
       {{- end }}
-      enableServiceLinks: {{ .Values.cainjector.enableServiceLinks }}
       {{- with .Values.global.priorityClassName }}
       priorityClassName: {{ . | quote }}
       {{- end }}

internal/constellation/helm/charts/cert-manager/templates/cainjector-poddisruptionbudget.yaml

@@ -17,13 +17,10 @@ spec:
       app.kubernetes.io/instance: {{ .Release.Name }}
       app.kubernetes.io/component: "cainjector"
 
-  {{- if not (or (hasKey .Values.cainjector.podDisruptionBudget "minAvailable") (hasKey .Values.cainjector.podDisruptionBudget "maxUnavailable")) }}
-  minAvailable: 1 # Default value because minAvailable and maxUnavailable are not set
+  {{- with .Values.cainjector.podDisruptionBudget.minAvailable }}
+  minAvailable: {{ . }}
   {{- end }}
-  {{- if hasKey .Values.cainjector.podDisruptionBudget "minAvailable" }}
-  minAvailable: {{ .Values.cainjector.podDisruptionBudget.minAvailable }}
-  {{- end }}
-  {{- if hasKey .Values.cainjector.podDisruptionBudget "maxUnavailable" }}
-  maxUnavailable: {{ .Values.cainjector.podDisruptionBudget.maxUnavailable }}
+  {{- with .Values.cainjector.podDisruptionBudget.maxUnavailable }}
+  maxUnavailable: {{ . }}
   {{- end }}
 {{- end }}

internal/constellation/helm/charts/cert-manager/templates/deployment.yaml

@@ -52,24 +52,16 @@ spec:
       {{- if hasKey .Values "automountServiceAccountToken" }}
       automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
       {{- end }}
-      enableServiceLinks: {{ .Values.enableServiceLinks }}
       {{- with .Values.global.priorityClassName }}
       priorityClassName: {{ . | quote }}
       {{- end }}
       {{- with .Values.securityContext }}
       securityContext:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- if or .Values.volumes .Values.config}}
+      {{- with .Values.volumes }}
       volumes:
-        {{- if .Values.config }} 
-        - name: config 
-          configMap: 
-            name: {{ include "cert-manager.fullname" . }} 
-        {{- end }}
-        {{ with .Values.volumes }}
         {{- toYaml . | nindent 8 }}
-        {{- end }}
       {{- end }}
       containers:
         - name: {{ .Chart.Name }}-controller
@@ -81,10 +73,6 @@ spec:
           {{- if .Values.global.logLevel }}
           - --v={{ .Values.global.logLevel }}
           {{- end }}
-          {{- if .Values.config }}
-          - --config=/var/cert-manager/config/config.yaml
-          {{- end }}
-          {{- $config := default .Values.config "" }}
           {{- if .Values.clusterResourceNamespace }}
           - --cluster-resource-namespace={{ .Values.clusterResourceNamespace }}
           {{- else }}
@@ -145,15 +133,9 @@ spec:
           securityContext:
             {{- toYaml . | nindent 12 }}
           {{- end }}
-          {{- if or .Values.config .Values.volumeMounts }}
+          {{- with .Values.volumeMounts }}
           volumeMounts:
-            {{- if .Values.config}} 
-            - name: config 
-              mountPath: /var/cert-manager/config
-            {{- end }}
-            {{- with .Values.volumeMounts }} 
             {{- toYaml . | nindent 12 }}
-            {{- end }}
           {{- end }}
           env:
           - name: POD_NAMESPACE

internal/constellation/helm/charts/cert-manager/templates/networkpolicy-webhooks.yaml

@@ -12,13 +12,13 @@ spec:
     {{- end }}
   podSelector:
     matchLabels:
-      app: {{ include "webhook.name" . }}
-      app.kubernetes.io/name: {{ include "webhook.name" . }}
-      app.kubernetes.io/instance: {{ .Release.Name }}
-      app.kubernetes.io/component: "webhook"
-      {{- with .Values.webhook.podLabels }}
-      {{- toYaml . | nindent 6 }}
-      {{- end }}
+        app: {{ include "webhook.name" . }}
+        app.kubernetes.io/name: {{ include "webhook.name" . }}
+        app.kubernetes.io/instance: {{ .Release.Name }}
+        app.kubernetes.io/component: "webhook"
+        {{- with .Values.webhook.podLabels }}
+        {{- toYaml . | nindent 6 }}
+        {{- end }}
   policyTypes:
   - Ingress
 

internal/constellation/helm/charts/cert-manager/templates/poddisruptionbudget.yaml

@@ -17,13 +17,10 @@ spec:
       app.kubernetes.io/instance: {{ .Release.Name }}
       app.kubernetes.io/component: "controller"
 
-  {{- if not (or (hasKey .Values.podDisruptionBudget "minAvailable") (hasKey .Values.podDisruptionBudget "maxUnavailable")) }}
-  minAvailable: 1 # Default value because minAvailable and maxUnavailable are not set
+  {{- with .Values.podDisruptionBudget.minAvailable }}
+  minAvailable: {{ . }}
   {{- end }}
-  {{- if hasKey .Values.podDisruptionBudget "minAvailable" }}
-  minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
-  {{- end }}
-  {{- if hasKey .Values.podDisruptionBudget "maxUnavailable" }}
-  maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
+  {{- with .Values.podDisruptionBudget.maxUnavailable }}
+  maxUnavailable: {{ . }}
   {{- end }}
 {{- end }}

internal/constellation/helm/charts/cert-manager/templates/rbac.yaml

@@ -398,26 +398,6 @@ subjects:
     namespace: {{ include "cert-manager.namespace" . }}
     kind: ServiceAccount
 
-{{- if .Values.global.rbac.aggregateClusterRoles }}
----
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: {{ template "cert-manager.fullname" . }}-cluster-view
-  labels:
-    app: {{ include "cert-manager.name" . }}
-    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/component: "controller"
-    {{- include "labels" . | nindent 4 }}
-    rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"
-rules:
-  - apiGroups: ["cert-manager.io"]
-    resources: ["clusterissuers"]
-    verbs: ["get", "list", "watch"]
-
-{{- end }}
 ---
 
 apiVersion: rbac.authorization.k8s.io/v1
@@ -434,7 +414,6 @@ metadata:
     rbac.authorization.k8s.io/aggregate-to-view: "true"
     rbac.authorization.k8s.io/aggregate-to-edit: "true"
     rbac.authorization.k8s.io/aggregate-to-admin: "true"
-    rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"
     {{- end }}
 rules:
   - apiGroups: ["cert-manager.io"]

internal/constellation/helm/charts/cert-manager/templates/serviceaccount.yaml

@@ -20,6 +20,6 @@ metadata:
     app.kubernetes.io/component: "controller"
     {{- include "labels" . | nindent 4 }}
     {{- with .Values.serviceAccount.labels }}
-      {{- toYaml . | nindent 4 }}
+      {{ toYaml . | nindent 4 }}
     {{- end }}
 {{- end }}

internal/constellation/helm/charts/cert-manager/templates/servicemonitor.yaml

@@ -42,7 +42,4 @@ spec:
     interval: {{ .Values.prometheus.servicemonitor.interval }}
     scrapeTimeout: {{ .Values.prometheus.servicemonitor.scrapeTimeout }}
     honorLabels: {{ .Values.prometheus.servicemonitor.honorLabels }}
-    {{- with .Values.prometheus.servicemonitor.endpointAdditionalProperties }}
-    {{- toYaml . | nindent 4 }}
-    {{- end }}
 {{- end }}

internal/constellation/helm/charts/cert-manager/templates/startupapicheck-job.yaml

@@ -37,7 +37,6 @@ spec:
       {{- if hasKey .Values.startupapicheck "automountServiceAccountToken" }}
       automountServiceAccountToken: {{ .Values.startupapicheck.automountServiceAccountToken }}
       {{- end }}
-      enableServiceLinks: {{ .Values.startupapicheck.enableServiceLinks }}
       {{- with .Values.global.priorityClassName }}
       priorityClassName: {{ . | quote }}
       {{- end }}

internal/constellation/helm/charts/cert-manager/templates/webhook-deployment.yaml

@@ -44,7 +44,6 @@ spec:
       {{- if hasKey .Values.webhook "automountServiceAccountToken" }}
       automountServiceAccountToken: {{ .Values.webhook.automountServiceAccountToken }}
       {{- end }}
-      enableServiceLinks: {{ .Values.webhook.enableServiceLinks }}
       {{- with .Values.global.priorityClassName }}
       priorityClassName: {{ . | quote }}
       {{- end }}
@@ -55,9 +54,6 @@ spec:
       {{- if .Values.webhook.hostNetwork }}
       hostNetwork: true
       {{- end }}
-      {{- if .Values.webhook.hostNetwork }}
-      dnsPolicy: ClusterFirstWithHostNet
-      {{- end }}
       containers:
         - name: {{ .Chart.Name }}-webhook
           {{- with .Values.webhook.image }}
@@ -75,8 +71,8 @@ spec:
           {{ if not $config.securePort -}}
           - --secure-port={{ .Values.webhook.securePort }}
           {{- end }}
-          {{- if .Values.webhook.featureGates }}
-          - --feature-gates={{ .Values.webhook.featureGates }}
+          {{- if .Values.featureGates }}
+          - --feature-gates={{ .Values.featureGates }}
           {{- end }}
           {{- $tlsConfig := default $config.tlsConfig "" }}
           {{ if or (not $config.tlsConfig) (and (not $tlsConfig.dynamic) (not $tlsConfig.filesystem) ) -}}

internal/constellation/helm/charts/cert-manager/templates/webhook-poddisruptionbudget.yaml

@@ -17,13 +17,10 @@ spec:
       app.kubernetes.io/instance: {{ .Release.Name }}
       app.kubernetes.io/component: "webhook"
 
-  {{- if not (or (hasKey .Values.webhook.podDisruptionBudget "minAvailable") (hasKey .Values.webhook.podDisruptionBudget "maxUnavailable")) }}
-  minAvailable: 1 # Default value because minAvailable and maxUnavailable are not set
+  {{- with .Values.webhook.podDisruptionBudget.minAvailable }}
+  minAvailable: {{ . }}
   {{- end }}
-  {{- if hasKey .Values.webhook.podDisruptionBudget "minAvailable" }}
-  minAvailable: {{ .Values.webhook.podDisruptionBudget.minAvailable }}
-  {{- end }}
-  {{- if hasKey .Values.webhook.podDisruptionBudget "maxUnavailable" }}
-  maxUnavailable: {{ .Values.webhook.podDisruptionBudget.maxUnavailable }}
+  {{- with .Values.webhook.podDisruptionBudget.maxUnavailable }}
+  maxUnavailable: {{ . }}
   {{- end }}
 {{- end }}

internal/constellation/helm/charts/cert-manager/templates/webhook-validating-webhook.yaml

@@ -21,6 +21,10 @@ webhooks:
         operator: "NotIn"
         values:
         - "true"
+      - key: "name"
+        operator: "NotIn"
+        values:
+        - {{ include "cert-manager.namespace" . }}
     rules:
       - apiGroups:
           - "cert-manager.io"