add cert-manager manifests

Signed-off-by: Kagaya <kagaya85@outlook.com>
2025-06-18 18:04:55 +08:00 · 2025-06-18 18:04:55 +08:00 · a5c5255ab6
parent 8551b2a437
commit a5c5255ab6
6 changed files with 111 additions and 2 deletions
--- a/versions/kruise-game/next/templates/cert-manager/okg-issuer.yaml
+++ b/versions/kruise-game/next/templates/cert-manager/okg-issuer.yaml
@ -0,0 +1,10 @@
+{{- if and .Values.certificates.certManager.enabled .Values.certificates.certManager.issuer.generate }}
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ .Values.kruiseGame.fullname }}-issuer
+  namespace: {{ .Values.installation.namespace }}
+spec:
+  ca:
+    secretName: {{ .Values.certificates.certManager.caSecretName }}
+{{- end }}
--- a/versions/kruise-game/next/templates/cert-manager/okg-tls-certificate.yaml
+++ b/versions/kruise-game/next/templates/cert-manager/okg-tls-certificate.yaml
@ -0,0 +1,38 @@
+{{- if .Values.certificates.certManager.enabled }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ .Values.kruiseGame.fullname }}-tls-certificates
+  namespace: {{ .Values.installation.namespace }}
+spec:
+  commonName: {{ .Values.kruiseGame.fullname }}
+  dnsNames:
+  - {{ ..Values.kruiseGame.webhook.serviceName }}.{{ .Values.installation.namespace }}
+  - {{ ..Values.kruiseGame.webhook.serviceName }}.{{ .Values.installation.namespace }}.svc
+  - {{ ..Values.kruiseGame.webhook.serviceName }}.{{ .Values.installation.namespace }}.svc.{{ .Values.clusterDomain }}
+  secretName: {{ .Values.certificates.secretName }}
+  usages:
+    - server auth
+    - client auth
+  privateKey:
+    algorithm: RSA
+    size: 2048
+  duration: {{ .Values.certificates.certManager.duration }}
+  renewBefore: {{ .Values.certificates.certManager.renewBefore }}
+  issuerRef:
+    {{- if .Values.certificates.certManager.issuer.generate }}
+    name: {{ .Values.kruiseGame.fullname }}-issuer
+    kind: Issuer
+    group: cert-manager.io
+    {{- else }}
+    {{- if .Values.certificates.certManager.issuer.name }}
+    name: {{ .Values.certificates.certManager.issuer.name }}
+    {{- end }}
+    {{- if .Values.certificates.certManager.issuer.kind }}
+    kind: {{ .Values.certificates.certManager.issuer.kind }}
+    {{- end }}
+    {{- if .Values.certificates.certManager.issuer.group }}
+    group: {{ .Values.certificates.certManager.issuer.group }}
+    {{- end }}
+    {{- end }}
+{{- end }}
--- a/versions/kruise-game/next/templates/cert-manager/self-ca.yaml
+++ b/versions/kruise-game/next/templates/cert-manager/self-ca.yaml
@ -0,0 +1,20 @@
+{{- if and .Values.certificates.certManager.enabled .Values.certificates.certManager.generateCA .Values.certificates.certManager.issuer.generate }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ .Values.kruiseGame.fullname }}-ca
+  namespace: {{ .Values.installation.namespace }}
+spec:
+  isCA: true
+  commonName: {{ .Values.kruiseGame.fullname }}
+  secretName: {{ .Values.certificates.certManager.caSecretName }}
+  privateKey:
+    algorithm: RSA
+    size: 2048
+  duration: 8760h0m0s # 1 year
+  renewBefore: 720h0m0s # 1 month
+  issuerRef:
+    name: {{ .Values.operator.name }}-selfsigned-issuer
+    kind: Issuer
+    group: cert-manager.io
+{{- end }}
--- a/versions/kruise-game/next/templates/cert-manager/self-issuer.yaml
+++ b/versions/kruise-game/next/templates/cert-manager/self-issuer.yaml
@ -0,0 +1,13 @@
+{{- if and .Values.certificates.certManager.enabled .Values.certificates.certManager.generateCA .Values.certificates.certManager.issuer.generate }}
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  {{- with .Values.additionalAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  name: {{ .Values.kruiseGame.fullname }}-selfsigned-issuer
+  namespace: {{ .Values.installation.namespace }}
+spec:
+  selfSigned: {}
+{{- end }}
--- a/versions/kruise-game/next/templates/webhook_service.yaml
+++ b/versions/kruise-game/next/templates/webhook_service.yaml
@ -2,7 +2,7 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: kruise-game-webhook-service
+  name: {{ .Values.kruiseGame.webhook.serviceName }}
  namespace: {{ .Values.installation.namespace }}
 spec:
  ports:
--- a/versions/kruise-game/next/values.yaml
+++ b/versions/kruise-game/next/values.yaml
@ -11,6 +11,7 @@ kruiseGame:
  fullname: kruise-game-controller-manager
  healthBindPort: "8082"
  webhook:
+    serviceName: kruise-game-webhook-service
    port: 443
    targetPort: 9876
  apiServerQps: 5
@ -28,6 +29,9 @@ serviceAccount:
  # Annotations to add to the service account
  annotations: {}

+# Kubernetes cluster domain
+clusterDomain: cluster.local
+
 service:
  port: 8443

@ -53,6 +57,7 @@ prometheus:
  enabled: false
  monitorService:
    port: 8080
+
 scale:
  service:
    port: 6000
@ -63,4 +68,27 @@ network:
  probeIntervalTime: 5

 cloudProvider:
-  installCRD: true
+  installCRD: true
+  
+certificates:
+  autoGenerated: true
+  secretName: kruise-game-certs
+  mountPath: /tmp/webhook-certs/
+  certManager:
+    enabled: false
+    duration: 8760h0m0s # 1 year
+    renewBefore: 5840h0m0s # 8 months
+    generateCA: true
+    caSecretName: "kruise-game-ca"
+    secretTemplate: {}
+      # annotations:
+      #   my-secret-annotation-1: "foo"
+      #   my-secret-annotation-2: "bar"
+      # labels:
+      #   my-secret-label: foo
+    # -- Reference to custom Issuer. If issuer.generate is false, then issuer.group, issuer.kind and issuer.name are required
+    issuer:
+      generate: true
+      name: kruise-ca
+      kind: ClusterIssuer
+      group: cert-manager.io