Support Openshifts cert-manager-operator

class/cert-manager.yml

@@ -1,37 +1,67 @@
 parameters:
-  kapitan:
-    dependencies:
-      - type: helm
-        source: https://charts.jetstack.io
-        chart_name: cert-manager
-        version: ${cert_manager:charts:cert-manager}
-        output_path: ${_base_directory}/helmcharts/cert-manager/${cert_manager:charts:cert-manager}/
+  =_kapitan:
+    olm:
+      compile:
+        # common
+        - input_type: jsonnet
+          input_paths:
+            - ${_base_directory}/component/app.jsonnet
+          output_type: yaml
+          output_path: apps/
+        - input_type: jsonnet
+          input_paths:
+            - ${_base_directory}/component/namespace.jsonnet
+          output_type: yaml
+          output_path: cert-manager/
+        - input_type: jsonnet
+          input_paths:
+            - ${_base_directory}/component/main.jsonnet
+          output_type: yaml
+          output_path: cert-manager/02_issuers
+        # install-method specific
+        - input_type: jsonnet
+          input_paths:
+            - ${_base_directory}/component/operator.jsonnet
+          output_type: yaml
+          output_path: cert-manager/01_operator
+    helm:
+      dependencies:
+        - type: helm
+          source: https://charts.jetstack.io
+          chart_name: cert-manager
+          version: ${cert_manager:charts:cert-manager}
+          output_path: ${_base_directory}/helmcharts/cert-manager/${cert_manager:charts:cert-manager}/
+      compile:
+        # common
+        - input_type: jsonnet
+          input_paths:
+            - ${_base_directory}/component/app.jsonnet
+          output_type: yaml
+          output_path: apps/
+        - input_type: jsonnet
+          input_paths:
+            - ${_base_directory}/component/namespace.jsonnet
+          output_type: yaml
+          output_path: cert-manager/
+        - input_type: jsonnet
+          input_paths:
+            - ${_base_directory}/component/main.jsonnet
+          output_type: yaml
+          output_path: cert-manager/02_issuers
+        # install-method specific
+        - input_type: jsonnet
+          input_paths:
+            - ${_base_directory}/component/upgrade.jsonnet
+          output_type: yaml
+          output_path: cert-manager/03_upgrade
+        - input_type: helm
+          input_paths:
+            - ${_base_directory}/helmcharts/cert-manager/${cert_manager:charts:cert-manager}/
+          output_path: cert-manager/01_helmchart
+          helm_values: ${cert_manager:helm_values}
+          helm_params:
+            name: cert-manager
+            namespace: ${cert_manager:namespace}
 
-    compile:
-      - input_paths:
-          - ${_base_directory}/component/app.jsonnet
-        input_type: jsonnet
-        output_path: apps/
-      - output_path: cert-manager/01_helmchart
-        input_type: helm
-        input_paths:
-          - ${_base_directory}/helmcharts/cert-manager/${cert_manager:charts:cert-manager}/
-        helm_values: ${cert_manager:helm_values}
-        helm_params:
-          name: cert-manager
-          namespace: ${cert_manager:namespace}
-      - output_path: cert-manager/
-        input_type: jsonnet
-        output_type: yaml
-        input_paths:
-          - ${_base_directory}/component/namespace.jsonnet
-      - output_path: cert-manager/02_issuers
-        input_type: jsonnet
-        output_type: yaml
-        input_paths:
-          - ${_base_directory}/component/main.jsonnet
-      - output_path: cert-manager/03_upgrade
-        input_type: jsonnet
-        output_type: yaml
-        input_paths:
-          - ${_base_directory}/component/upgrade.jsonnet
+  kapitan:
+    ${_kapitan:${cert_manager:install_method}}

class/defaults.yml

@@ -1,32 +1,40 @@
 parameters:
   cert_manager:
     namespace: syn-cert-manager
-    dns01-recursive-nameservers: "1.1.1.1:53"
+    install_method: helm
+
     charts:
       cert-manager: v1.13.2
+
+    images:
+      kubectl:
+        registry: quay.io
+        image: appuio/oc
+        tag: 'v4.13'
+
     http_proxy: ""
     https_proxy: ""
     no_proxy: ""
+
+    dns01-recursive-nameservers: "1.1.1.1:53"
+
     letsencrypt_clusterissuers:
       staging: true
       production: true
+
     solvers:
       nginx_http01:
         http01:
           ingress:
             class: 'nginx'
+
     secrets: {}
     acme_dns_api: {}
     # acme_dns_api:
     #   endpoint: acme-dns-api.example.com
     #   username: dns_api_registration_user
     #   password: dns_api_registration_password
     #   fqdns: [ "api.cluster.example.com", "apps.cluster.example.com" ]
-    images:
-      kubectl:
-        registry: quay.io
-        image: appuio/oc
-        tag: 'v4.13'
 
     helm_values:
       global:
@@ -60,3 +68,7 @@ parameters:
           requests:
             cpu: 50m
             memory: 512Mi
+
+    olm:
+      channel: stable-v1
+      resources: {}

component/namespace.jsonnet

@@ -5,18 +5,25 @@ local prom = import 'lib/prometheus.libsonnet';
 local inv = kap.inventory();
 local params = inv.parameters.cert_manager;
 
-local namespace = kube.Namespace(params.namespace) {
-  metadata+: {
-    labels+: {
-      'openshift.io/cluster-monitoring': 'true',
-    },
-  },
-};
+local isOpenshift = std.startsWith(inv.parameters.facts.distribution, 'openshift');
+
+local namespace = kube.Namespace(params.namespace);
 
 {
   '00_namespace':
     if std.member(inv.applications, 'prometheus') then
       prom.RegisterNamespace(namespace)
+    else if isOpenshift then
+      namespace {
+        metadata+: {
+          annotations+: {
+            'openshift.io/node-selector': 'infra',
+          },
+          labels+: {
+            'openshift.io/cluster-monitoring': 'true',
+          },
+        },
+      }
     else
       namespace,
 }

component/operator.jsonnet

@@ -0,0 +1,46 @@
+local com = import 'lib/commodore.libjsonnet';
+local kap = import 'lib/kapitan.libjsonnet';
+local kube = import 'lib/kube.libjsonnet';
+local operatorlib = import 'lib/openshift4-operators.libsonnet';
+
+local inv = kap.inventory();
+local params = inv.parameters.cert_manager;
+
+local isOpenshift = std.startsWith(inv.parameters.facts.distribution, 'openshift');
+assert isOpenshift : 'olm install_method only available on Openshift';
+
+local operator_group = operatorlib.OperatorGroup('syn-cert-manager') {
+  metadata+: {
+    labels+: {
+      'app.kubernetes.io/managed-by': 'commodore',
+    },
+    namespace: params.namespace,
+  },
+  spec: {
+    targetNamespaces: [
+      params.namespace,
+    ],
+  },
+};
+
+local subscriptions = operatorlib.namespacedSubscription(
+  params.namespace,
+  'openshift-cert-manager-operator',
+  params.olm.channel,
+  'redhat-operators'
+) {
+  labels+: {
+    'app.kubernetes.io/managed-by': 'commodore',
+  },
+  spec+: {
+    config+: {
+      resources: params.olm.resources,
+    },
+  },
+};
+
+
+{
+  '00_operator_group': operator_group,
+  '10_subscriptions': subscriptions,
+}

tests/golden/defaults/cert-manager/cert-manager/00_namespace.yaml

@@ -5,5 +5,4 @@ metadata:
   labels:
     monitoring.syn.tools/infra-monitoring: 'true'
     name: syn-cert-manager
-    openshift.io/cluster-monitoring: 'true'
   name: syn-cert-manager

tests/golden/operator/cert-manager/apps/cert-manager.yaml

@@ -0,0 +1,13 @@
+spec:
+  ignoreDifferences:
+    - jsonPointers:
+        - /data
+      kind: Secret
+      name: acme-dns-client
+      namespace: syn-cert-manager
+    - group: admissionregistration.k8s.io
+      jqPathExpressions:
+        - .webhooks[].namespaceSelector.matchExpressions[] | select(.key == "control-plane")
+        - .webhooks[].namespaceSelector.matchExpressions[] | select(.key == "kubernetes.azure.com/managedby")
+      kind: ValidatingWebhookConfiguration
+      name: cert-manager-webhook

tests/golden/operator/cert-manager/cert-manager/00_namespace.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  annotations:
+    openshift.io/node-selector: infra
+  labels:
+    name: syn-cert-manager
+    openshift.io/cluster-monitoring: 'true'
+  name: syn-cert-manager

tests/golden/operator/cert-manager/cert-manager/01_operator/00_operator_group.yaml

@@ -0,0 +1,12 @@
+apiVersion: operators.coreos.com/v1
+kind: OperatorGroup
+metadata:
+  annotations: {}
+  labels:
+    app.kubernetes.io/managed-by: commodore
+    name: syn-cert-manager
+  name: syn-cert-manager
+  namespace: syn-cert-manager
+spec:
+  targetNamespaces:
+    - syn-cert-manager

tests/golden/operator/cert-manager/cert-manager/01_operator/10_subscriptions.yaml

@@ -0,0 +1,25 @@
+apiVersion: operators.coreos.com/v1alpha1
+kind: Subscription
+labels:
+  app.kubernetes.io/managed-by: commodore
+metadata:
+  annotations: {}
+  labels:
+    name: openshift-cert-manager-operator
+  name: openshift-cert-manager-operator
+  namespace: syn-cert-manager
+spec:
+  channel: stable-v1
+  config:
+    affinity:
+      nodeAffinity:
+        requiredDuringSchedulingIgnoredDuringExecution:
+          nodeSelectorTerms:
+            - matchExpressions:
+                - key: node-role.kubernetes.io/infra
+                  operator: Exists
+    resources: {}
+  installPlanApproval: Automatic
+  name: openshift-cert-manager-operator
+  source: redhat-operators
+  sourceNamespace: openshift-operators-redhat

tests/golden/operator/cert-manager/cert-manager/02_issuers/00_clusterissuer.yaml

@@ -0,0 +1,35 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  annotations: {}
+  labels:
+    name: letsencrypt-staging
+  name: letsencrypt-staging
+spec:
+  acme:
+    email: [email protected]
+    privateKeySecretRef:
+      name: letsencrypt-staging
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    solvers:
+      - http01:
+          ingress:
+            class: nginx
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  annotations: {}
+  labels:
+    name: letsencrypt-production
+  name: letsencrypt-production
+spec:
+  acme:
+    email: [email protected]
+    privateKeySecretRef:
+      name: letsencrypt-production
+    server: https://acme-v02.api.letsencrypt.org/directory
+    solvers:
+      - http01:
+          ingress:
+            class: nginx