Add minimal cert-manager addon

docs/addons.md

@@ -26,7 +26,20 @@ spec:
 
 Read more about cluster autoscaler in the [official documentation](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler).
 
+## Cert-manager
+{{ kops_feature_table(kops_added_default='1.20', k8s_min='1.16') }}
 
+Cert-manager handles x509 certificates for your cluster.
+
+```yaml
+spec:
+  certManager:
+    enabled: true
+```
+
+**Warning: cert-manager only supports one installation per cluster. If you are already running cert-manager, you need to remove this installation prior to enabling this addon. As long as you are using v1 versions of the cert-manager resources, it is safe to remove existing installs and replace it with this addon**
+
+Read more about cert-managre in the [official documentation](https://cert-manager.io/docs/)
 
 #### Metrics server
 {{ kops_feature_table(kops_added_default='1.19') }}

k8s/crds/kops.k8s.io_clusters.yaml

@@ -167,6 +167,13 @@ spec:
                   rbac:
                     type: object
                 type: object
+              certManager:
+                description: CertManager determines the metrics server configuration.
+                properties:
+                  enabled:
+                    description: 'Enabled enables the cert manager. Default: false'
+                    type: boolean
+                type: object
               channel:
                 description: The Channel we are following
                 type: string
@@ -2143,7 +2150,7 @@ spec:
                 description: MasterPublicName is the external DNS name for the master nodes
                 type: string
               metricsServer:
-                description: MetricsServerConfig determines the metrics server configuration.
+                description: MetricsServer determines the metrics server configuration.
                 properties:
                   enabled:
                     description: 'Enabled enables the metrics server. Default: false'
@@ -2749,7 +2756,7 @@ spec:
                   type: string
                 type: array
               nodeTerminationHandler:
-                description: NodeTerminationHandlerConfig determines the cluster autoscaler configuration.
+                description: NodeTerminationHandler determines the cluster autoscaler configuration.
                 properties:
                   enableScheduledEventDraining:
                     description: 'EnableScheduledEventDraining makes node termination handler drain nodes before the maintenance window starts for an EC2 instance scheduled event. Default: false'

pkg/apis/kops/cluster.go

@@ -158,10 +158,12 @@ type ClusterSpec struct {
 	CloudConfig                    *CloudConfiguration           `json:"cloudConfig,omitempty"`
 	ExternalDNS                    *ExternalDNSConfig            `json:"externalDns,omitempty"`
 
-	// NodeTerminationHandlerConfig determines the cluster autoscaler configuration.
+	// NodeTerminationHandler determines the cluster autoscaler configuration.
 	NodeTerminationHandler *NodeTerminationHandlerConfig `json:"nodeTerminationHandler,omitempty"`
-	// MetricsServerConfig determines the metrics server configuration.
+	// MetricsServer determines the metrics server configuration.
 	MetricsServer *MetricsServerConfig `json:"metricsServer,omitempty"`
+	// CertManager determines the metrics server configuration.
+	CertManager *CertManagerConfig `json:"certManager,omitempty"`
 
 	// Networking configuration
 	Networking *NetworkingSpec `json:"networking,omitempty"`

pkg/apis/kops/componentconfig.go

@@ -839,6 +839,13 @@ type MetricsServerConfig struct {
 	Image *string `json:"image,omitempty"`
 }
 
+// CertManagerConfig determines the cert manager configuration.
+type CertManagerConfig struct {
+	// Enabled enables the cert manager.
+	// Default: false
+	Enabled *bool `json:"enabled,omitempty"`
+}
+
 // HasAdmissionController checks if a specific admission controller is enabled
 func (c *KubeAPIServerConfig) HasAdmissionController(name string) bool {
 	for _, x := range c.AdmissionControl {

pkg/apis/kops/v1alpha2/cluster.go

@@ -157,10 +157,12 @@ type ClusterSpec struct {
 	CloudConfig                    *CloudConfiguration           `json:"cloudConfig,omitempty"`
 	ExternalDNS                    *ExternalDNSConfig            `json:"externalDns,omitempty"`
 
-	// NodeTerminationHandlerConfig determines the cluster autoscaler configuration.
+	// NodeTerminationHandler determines the cluster autoscaler configuration.
 	NodeTerminationHandler *NodeTerminationHandlerConfig `json:"nodeTerminationHandler,omitempty"`
-	// MetricsServerConfig determines the metrics server configuration.
+	// MetricsServer determines the metrics server configuration.
 	MetricsServer *MetricsServerConfig `json:"metricsServer,omitempty"`
+	// CertManager determines the metrics server configuration.
+	CertManager *CertManagerConfig `json:"certManager,omitempty"`
 
 	// Networking configuration
 	Networking *NetworkingSpec `json:"networking,omitempty"`

pkg/apis/kops/v1alpha2/componentconfig.go

@@ -838,6 +838,13 @@ type MetricsServerConfig struct {
 	Image *string `json:"image,omitempty"`
 }
 
+// CertManagerConfig determines the cert manager configuration.
+type CertManagerConfig struct {
+	// Enabled enables the cert manager.
+	// Default: false
+	Enabled *bool `json:"enabled,omitempty"`
+}
+
 // HasAdmissionController checks if a specific admission controller is enabled
 func (c *KubeAPIServerConfig) HasAdmissionController(name string) bool {
 	for _, x := range c.AdmissionControl {

pkg/apis/kops/v1alpha2/zz_generated.conversion.go

@@ -163,6 +163,16 @@ func RegisterConversions(s *runtime.Scheme) error {
 	}); err != nil {
 		return err
 	}
+	if err := s.AddGeneratedConversionFunc((*CertManagerConfig)(nil), (*kops.CertManagerConfig)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha2_CertManagerConfig_To_kops_CertManagerConfig(a.(*CertManagerConfig), b.(*kops.CertManagerConfig), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*kops.CertManagerConfig)(nil), (*CertManagerConfig)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_kops_CertManagerConfig_To_v1alpha2_CertManagerConfig(a.(*kops.CertManagerConfig), b.(*CertManagerConfig), scope)
+	}); err != nil {
+		return err
+	}
 	if err := s.AddGeneratedConversionFunc((*CiliumNetworkingSpec)(nil), (*kops.CiliumNetworkingSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
 		return Convert_v1alpha2_CiliumNetworkingSpec_To_kops_CiliumNetworkingSpec(a.(*CiliumNetworkingSpec), b.(*kops.CiliumNetworkingSpec), scope)
 	}); err != nil {
@@ -1436,6 +1446,26 @@ func Convert_kops_CanalNetworkingSpec_To_v1alpha2_CanalNetworkingSpec(in *kops.C
 	return autoConvert_kops_CanalNetworkingSpec_To_v1alpha2_CanalNetworkingSpec(in, out, s)
 }
 
+func autoConvert_v1alpha2_CertManagerConfig_To_kops_CertManagerConfig(in *CertManagerConfig, out *kops.CertManagerConfig, s conversion.Scope) error {
+	out.Enabled = in.Enabled
+	return nil
+}
+
+// Convert_v1alpha2_CertManagerConfig_To_kops_CertManagerConfig is an autogenerated conversion function.
+func Convert_v1alpha2_CertManagerConfig_To_kops_CertManagerConfig(in *CertManagerConfig, out *kops.CertManagerConfig, s conversion.Scope) error {
+	return autoConvert_v1alpha2_CertManagerConfig_To_kops_CertManagerConfig(in, out, s)
+}
+
+func autoConvert_kops_CertManagerConfig_To_v1alpha2_CertManagerConfig(in *kops.CertManagerConfig, out *CertManagerConfig, s conversion.Scope) error {
+	out.Enabled = in.Enabled
+	return nil
+}
+
+// Convert_kops_CertManagerConfig_To_v1alpha2_CertManagerConfig is an autogenerated conversion function.
+func Convert_kops_CertManagerConfig_To_v1alpha2_CertManagerConfig(in *kops.CertManagerConfig, out *CertManagerConfig, s conversion.Scope) error {
+	return autoConvert_kops_CertManagerConfig_To_v1alpha2_CertManagerConfig(in, out, s)
+}
+
 func autoConvert_v1alpha2_CiliumNetworkingSpec_To_kops_CiliumNetworkingSpec(in *CiliumNetworkingSpec, out *kops.CiliumNetworkingSpec, s conversion.Scope) error {
 	out.Version = in.Version
 	out.AccessLog = in.AccessLog
@@ -2095,6 +2125,15 @@ func autoConvert_v1alpha2_ClusterSpec_To_kops_ClusterSpec(in *ClusterSpec, out *
 	} else {
 		out.MetricsServer = nil
 	}
+	if in.CertManager != nil {
+		in, out := &in.CertManager, &out.CertManager
+		*out = new(kops.CertManagerConfig)
+		if err := Convert_v1alpha2_CertManagerConfig_To_kops_CertManagerConfig(*in, *out, s); err != nil {
+			return err
+		}
+	} else {
+		out.CertManager = nil
+	}
 	if in.Networking != nil {
 		in, out := &in.Networking, &out.Networking
 		*out = new(kops.NetworkingSpec)
@@ -2444,6 +2483,15 @@ func autoConvert_kops_ClusterSpec_To_v1alpha2_ClusterSpec(in *kops.ClusterSpec,
 	} else {
 		out.MetricsServer = nil
 	}
+	if in.CertManager != nil {
+		in, out := &in.CertManager, &out.CertManager
+		*out = new(CertManagerConfig)
+		if err := Convert_kops_CertManagerConfig_To_v1alpha2_CertManagerConfig(*in, *out, s); err != nil {
+			return err
+		}
+	} else {
+		out.CertManager = nil
+	}
 	if in.Networking != nil {
 		in, out := &in.Networking, &out.Networking
 		*out = new(NetworkingSpec)

pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go

@@ -339,6 +339,27 @@ func (in *CanalNetworkingSpec) DeepCopy() *CanalNetworkingSpec {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CertManagerConfig) DeepCopyInto(out *CertManagerConfig) {
+	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertManagerConfig.
+func (in *CertManagerConfig) DeepCopy() *CertManagerConfig {
+	if in == nil {
+		return nil
+	}
+	out := new(CertManagerConfig)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CiliumNetworkingSpec) DeepCopyInto(out *CiliumNetworkingSpec) {
 	*out = *in
@@ -850,6 +871,11 @@ func (in *ClusterSpec) DeepCopyInto(out *ClusterSpec) {
 		*out = new(MetricsServerConfig)
 		(*in).DeepCopyInto(*out)
 	}
+	if in.CertManager != nil {
+		in, out := &in.CertManager, &out.CertManager
+		*out = new(CertManagerConfig)
+		(*in).DeepCopyInto(*out)
+	}
 	if in.Networking != nil {
 		in, out := &in.Networking, &out.Networking
 		*out = new(NetworkingSpec)

pkg/apis/kops/zz_generated.deepcopy.go

@@ -355,6 +355,27 @@ func (in *CanalNetworkingSpec) DeepCopy() *CanalNetworkingSpec {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CertManagerConfig) DeepCopyInto(out *CertManagerConfig) {
+	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertManagerConfig.
+func (in *CertManagerConfig) DeepCopy() *CertManagerConfig {
+	if in == nil {
+		return nil
+	}
+	out := new(CertManagerConfig)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Channel) DeepCopyInto(out *Channel) {
 	*out = *in
@@ -950,6 +971,11 @@ func (in *ClusterSpec) DeepCopyInto(out *ClusterSpec) {
 		*out = new(MetricsServerConfig)
 		(*in).DeepCopyInto(*out)
 	}
+	if in.CertManager != nil {
+		in, out := &in.CertManager, &out.CertManager
+		*out = new(CertManagerConfig)
+		(*in).DeepCopyInto(*out)
+	}
 	if in.Networking != nil {
 		in, out := &in.Networking, &out.Networking
 		*out = new(NetworkingSpec)

upup/pkg/fi/cloudup/bootstrapchannelbuilder.go

@@ -488,6 +488,26 @@ func (b *BootstrapChannelBuilder) buildAddons(c *fi.ModelBuilderContext) (*chann
 		}
 	}
 
+	if b.Cluster.Spec.CertManager != nil && fi.BoolValue(b.Cluster.Spec.CertManager.Enabled) {
+		{
+			key := "certmanager.io"
+			version := "1.0.4"
+
+			{
+				location := key + "/k8s-1.16.yaml"
+				id := "k8s-1.16"
+
+				addons.Spec.Addons = append(addons.Spec.Addons, &channelsapi.AddonSpec{
+					Name:     fi.String(key),
+					Version:  fi.String(version),
+					Selector: map[string]string{"app.kubernetes.io/name": "cert-manager"},
+					Manifest: fi.String(location),
+					Id:       id,
+				})
+			}
+		}
+	}
+
 	nth := b.Cluster.Spec.NodeTerminationHandler
 
 	if nth != nil && fi.BoolValue(nth.Enabled) {