Support cert-manager for certificate management (chaos-mesh#277)

helm/chaos-mesh/README.md

@@ -0,0 +1,138 @@
+# Chaos Mesh
+
+[Chaos Mesh](https://github.com/pingcap/chaos-mesh) is a cloud-native Chaos Engineering platform that orchestrates chaos on Kubernetes environments.
+
+## Introduction
+
+This chart bootstraps a [Chaos Mesh](https://github.com/pingcap/chaos-mesh) deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
+
+## Deploy
+
+Before deploying Chaos Mesh, make sure you have installed the [Prerequisites](https://github.com/pingcap/chaos-mesh/blob/master/doc/deploy.md#prerequisites). And then follow the [deploy](https://github.com/pingcap/chaos-mesh/blob/master/doc/deploy.md) doc step by step.
+
+## Parameters
+
+The following tables list the configurable parameters of the Chaos Mesh chart and their default values.
+
+|                 Parameter                  |                                                     Description                                                      |                         Default                         |
+|--------------------------------------------|----------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------|
+| `clusterScoped`                            | whether chaos-mesh should manage kubernetes cluster wide chaos.Also see rbac.create and controllerManager.serviceAccount | `true` |
+| `rbac.create` |  | `true`                                                |
+| `enableProfiling` | A flag to enable pprof in controller-manager and chaos-daemon  | `false` |
+| `controllerManager.serviceAccount` | The serviceAccount for chaos-controller-manager | `chaos-controller-manager` |
+| `controllerManager.replicaCount` | Replicas for chaos-controller-manager | `1` |
+| `controllerManager.image` | docker image for chaos-controller-manager  | `pingcap/chaos-mesh:latest` |
+| `controllerManager.imagePullPolicy` | Image pull policy | `Always` |
+| `controllerManager.nameOverride` |  |  |
+| `controllerManager.fullnameOverride` |  |  |
+| `controllerManager.service.type` | Kubernetes Service type | `ClusterIP` |
+| `controllerManager.resources` | CPU/Memory resource requests/limits for chaos-controller-manager pod | `requests: { cpu: "250m", memory: "512Mi" }, limits:{ cpu: "500m", memory: "1024Mi" }`   |
+| `controllerManager.nodeSelector` |  Node labels for chaos-controller-manager pod assignment | `{}` |
+| `controllerManager.tolerations` |  Toleration labels for chaos-controller-manager pod assignment | `[]` |
+| `controllerManager.affinity` |  Map of chaos-controller-manager node/pod affinities | `{}` |
+| `controllerManager.podAnnotations` |  Pod annotations of chaos-controller-manager | `{}`|
+| `chaosDaemon.image` | docker image for chaos-daemon | `pingcap/chaos-mesh:latest` |
+| `chaosDaemon.imagePullPolicy` | image pull policy | `Always` |
+| `chaosDaemon.grpcPort` | The port which grpc server listens on | `31767` |
+| `chaosDaemon.httpPort` | The port which http server listens on | `31766` |
+| `chaosDaemon.podAnnotations` | Pod annotations of chaos-daemon | `{}` |
+| `chaosDaemon.runtime` | Runtime specifies which container runtime to use. Currently we only supports docker and containerd. | `docker` |
+| `chaosDaemon.socketPath` | Specifies the container runtime socket | `/var/run/docker.sock` |
+| `dashboard.create` | Enable chaos-dashboard | `false` |
+| `dashboard.serviceAccount` | The serviceAccount for chaos-dashboard  | `chaos-dashboard` |
+| `dashboard.image` | Docker image for chaos-dashboard | `pingcap/chaos-dashboard:latest` |
+| `dashboard.imagePullPolicy` | Image pull policy | `Always` |
+| `dashboard.nodeSelector` | Node labels for chaos-dashboard  pod assignment | `{}` |
+| `dashboard.tolerations` | Toleration labels for chaos-dashboard pod assignment | `[]` |
+| `dashboard.affinity` | Map of chaos-dashboard node/pod affinities | `{}` |
+| `dashboard.podAnnotations` | Deployment chaos-dashboard annotations | `{}` |
+| `dashboard.resources` | CPU/Memory resource requests/limits for chaos-dashboard pod  | `requests: { cpu: "250m", memory: "512Mi" }, limits:{ cpu: "500m", memory: "1024Mi" }`  |
+| `dashboard.volume.storage` | | `3Gi` |
+| `dashboard.volume.storageClassName` | | `standard` |
+| `prometheus.create` | Enable prometheus | `false` |
+| `prometheus.serviceAccount` | The serviceAccount for prometheus | `prometheus` |
+| `prometheus.image` | Docker image for prometheus | `prom/prometheus:v2.15.2` |
+| `prometheus.imagePullPolicy` | Image pull policy | `IfNotPresent` |
+| `prometheus.nodeSelector` | Node labels for prometheus pod assignment | `{}` |
+| `prometheus.tolerations` | Toleration labels for prometheus pod assignment | `[]` |
+| `prometheus.affinity` | Map of prometheus node/pod affinities | `{}` |
+| `prometheus.podAnnotations` | Deployment prometheus annotations | `{}` |
+| `prometheus.resources` | CPU/Memory resource requests/limits for prometheus pod |  `requests: { cpu: "250m", memory: "512Mi" }, limits:{ cpu: "500m", memory: "1024Mi" }`  |
+| `prometheus.service.type` | Kubernetes Service type | `ClusterIP` |
+| `prometheus.volume.storage` | | `2Gi` |
+| `prometheus.volume.storageClassName` | | `standard` |
+| `preJobs.podAnnotations` | | `{}` |
+| `postJobs.podAnnotations` | | `{}` |
+| `webhook.certManager.enabled` | Setup the webhook using cert-manager | `false` |
+| `webhook.deleteSecret` | If true, will create a job to delete the secret. Otherwise, do nothing | `true` |
+| `webhook.FailurePolicy` | Defines how unrecognized errors and timeout errors from the admission webhook are handled | `Ignore` |
+
+
+Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
+```console
+# helm 2.X
+helm install helm/chaos-mesh --name=chaos-mesh --namespace=chaos-testing --set dashboard.create=true
+# helm 3.X
+helm install chaos-mesh helm/chaos-mesh --namespace=chaos-testing --set dashboard.create=true
+```
+
+The above command enable the Chaos Dashboard.
+
+Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,
+
+```console
+# helm 2.X
+helm install helm/chaos-mesh --name=chaos-mesh --namespace=chaos-testing -f values.yaml
+# helm 3.X
+helm install chaos-mesh helm/chaos-mesh --namespace=chaos-testing -f values.yaml
+```
+
+> **Tip**: You can use the default [values.yaml](values.yaml)
+
+## Configuration and installation details
+
+### Using cert-manager for certificate management
+
+[Cert-manager](https://github.com/jetstack/cert-manager) may be the default in the K8s world for certificate management now.If you want to install Cert-manager using the [Helm](https://helm.sh) package manager, please refer to the [official documents](https://github.com/jetstack/cert-manager/tree/master/deploy/charts/cert-manager).
+
+Example for deploy Cert-manager
+
+```bash
+kubectl create namespace cert-manager
+kubectl apply --validate=false -f https://raw.githubusercontent.com/jetstack/cert-manager/v0.13.1/deploy/manifests/00-crds.yaml
+helm repo add jetstack https://charts.jetstack.io
+helm repo update
+helm install cert-manager jetstack/cert-manager --namespace cert-manager --version v0.13.1
+```
+
+In case you want to using Cert-manager for certificate management, you can use the `webhook.certManager.enabled` property.
+
+```yaml
+webhook:
+  certManager:
+    enabled: true
+```
+
+The webhook's cert and the [MutatingAdmissionWebhook](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#mutatingadmissionwebhook)'s `caBundle` property will be managed by the [Certificate](https://cert-manager.io/docs/usage/certificate/) of Cert-manager.
+
+In case your Cert-manager's option `enable-certificate-owner-ref` is true, it means that deleting a certificate resource will also delete its secret. You can set the `webhook.deleteSecret` property to `false`.
+
+```yaml
+webhook:
+  certManager:
+    enabled: true
+  deleteSecret: false
+```
+
+Otherwise, when uninstalling Chaos Mesh, we will create a job to delete the secret.
+
+The Cert-manager's option `enable-certificate-owner-ref` refer to the following:
+> https://github.com/jetstack/cert-manager/issues/296
+>
+> https://github.com/jetstack/cert-manager/pull/819
+
+You can install your Cert-manager looks like this.
+
+```bash
+helm install cert-manager jetstack/cert-manager --namespace cert-manager --version v0.13.1 --set extraArgs={"--enable-certificate-owner-ref"="true"}
+```

helm/chaos-mesh/templates/_helpers.tpl

@@ -30,3 +30,31 @@ Create chart name and version as used by the chart label.
 {{- define "chaos-mesh.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
+
+{{/*
+Define the svc's name
+*/}}
+{{- define "chaos-mesh.svc" -}}
+{{- printf "chaos-mesh-controller-manager" -}}
+{{- end -}}
+
+{{/*
+Define the secret's name of certs
+*/}}
+{{- define "chaos-mesh.certs" -}}
+{{- printf "chaos-mesh-webhook-certs" -}}
+{{- end -}}
+
+{{/*
+Define the MutatingWebhookConfiguration's name
+*/}}
+{{- define "chaos-mesh.mutation" -}}
+{{- printf "chaos-mesh-sidecar-injector" -}}
+{{- end -}}
+
+{{/*
+Define the webhook's name
+*/}}
+{{- define "chaos-mesh.webhook" -}}
+{{- printf "admission-webhook.pingcap.com" -}}
+{{- end -}}

helm/chaos-mesh/templates/controller-manager-deployment.yaml

@@ -67,7 +67,7 @@ spec:
       volumes:
         - name: webhook-certs
           secret:
-            secretName: webhook-certs
+            secretName: {{ template "chaos-mesh.certs" . }}
     {{- with .Values.controllerManager.nodeSelector }}
       nodeSelector:
 {{ toYaml . | indent 8 }}

helm/chaos-mesh/templates/controller-manager-service.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: chaos-mesh-controller-manager
+  name: {{ template "chaos-mesh.svc" . }}
   labels:
     app.kubernetes.io/name: {{ template "chaos-mesh.name" . }}
     app.kubernetes.io/managed-by: {{ .Release.Service }}

helm/chaos-mesh/templates/post-install-create-cert-job.yaml

@@ -1,3 +1,4 @@
+{{ if not .Values.webhook.certManager.enabled }}
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -34,8 +35,8 @@ spec:
             - "-c"
             - |
               set -e
-              K8S_SERVICE=chaos-mesh-controller-manager
-              K8S_SECRET=webhook-certs
+              K8S_SERVICE={{ template "chaos-mesh.svc" . }}
+              K8S_SECRET={{ template "chaos-mesh.certs" . }}
               K8S_NAMESPACE={{ .Release.Namespace }}
 
               # test if secret already exists
@@ -119,4 +120,6 @@ spec:
                       --from-file=tls.key=${tmpdir}/server-key.pem \
                       --from-file=tls.crt=${tmpdir}/server-cert.pem \
                       --dry-run -o yaml |
-                  kubectl -n ${K8S_NAMESPACE} apply -f -
+                  kubectl -n ${K8S_NAMESPACE} apply -f -
+
+{{- end }}

helm/chaos-mesh/templates/post-install-mutatingwebhook-job.yaml

@@ -1,3 +1,4 @@
+{{ if not .Values.webhook.certManager.enabled }}
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -46,27 +47,15 @@ spec:
               apiVersion: admissionregistration.k8s.io/v1beta1
               kind: MutatingWebhookConfiguration
               metadata:
-                name: chaos-mesh-sidecar-injector
-                labels:
-                  app.kubernetes.io/name: {{ template "chaos-mesh.name" . }}
-                  app.kubernetes.io/managed-by: {{ .Release.Service }}
-                  app.kubernetes.io/instance: {{ .Release.Name }}
-                  app.kubernetes.io/component: admission-webhook
-                  helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+"  "_" }}
+                name: {{ template "chaos-mesh.mutation" . }}
               webhooks:
-                - name: admission-webhook.pingcap.com
+                - name: {{ template "chaos-mesh.webhook" . }}
                   clientConfig:
+                    caBundle: "${CA_BUNDLE}"
                     service:
-                      name: chaos-mesh-controller-manager
-                      namespace: ${K8S_NAMESPACE}
+                      name: {{ template "chaos-mesh.svc" . }}
+                      namespace: {{ .Release.Namespace }}
                       path: "/inject-v1-pod"
-                    caBundle: "${CA_BUNDLE}"
-                  rules:
-                    - operations: [ "CREATE" ]
-                      apiGroups: [""]
-                      apiVersions: ["v1"]
-                      resources: ["pods"]
-                  namespaceSelector:
-                    matchLabels:
-                      admission-webhook: enabled
               EOF
+
+{{- end }}

helm/chaos-mesh/templates/pre-delete-job.yaml

@@ -1,3 +1,4 @@
+{{ if .Values.webhook.deleteSecret }}
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -34,5 +35,5 @@ spec:
             - "-c"
             - |
               set -e
-              kubectl delete mutatingwebhookconfigurations.admissionregistration.k8s.io chaos-mesh-sidecar-injector || true // Auto Delete mutatingwebhookconfigurations
-              kubectl delete secrets -n {{ .Release.Namespace }} webhook-certs || true
+              kubectl delete secrets -n {{ .Release.Namespace }} {{ template "chaos-mesh.certs" . }} || true
+{{- end }}

helm/chaos-mesh/templates/webhook-configuration.yaml

@@ -0,0 +1,58 @@
+---
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: {{ template "chaos-mesh.mutation" . }}
+  labels:
+    app.kubernetes.io/name: {{ template "chaos-mesh.name" . }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component: admission-webhook
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+"  "_" }}
+  {{- if .Values.webhook.certManager.enabled }}
+  annotations:
+    cert-manager.io/inject-ca-from: {{ printf "%s/%s" .Release.Namespace "chaos-mesh-cert" | quote }}
+  {{- end }}
+webhooks:
+  - name: {{ template "chaos-mesh.webhook" . }}
+    clientConfig:
+      service:
+        name: {{ template "chaos-mesh.svc" . }}
+        namespace: {{ .Release.Namespace }}
+        path: "/inject-v1-pod"
+    rules:
+      - operations: [ "CREATE" ]
+        apiGroups: [""]
+        apiVersions: ["v1"]
+        resources: ["pods"]
+    namespaceSelector:
+      matchLabels:
+        admission-webhook: enabled
+    failurePolicy: {{ .Values.webhook.FailurePolicy }}
+
+{{- if .Values.webhook.certManager.enabled }}
+---
+apiVersion: cert-manager.io/v1alpha2
+kind: Issuer
+metadata:
+  name: chaos-mesh-selfsigned
+  namespace: {{ .Release.Namespace }}
+spec:
+  selfSigned: {}
+
+---
+apiVersion: cert-manager.io/v1alpha2
+kind: Certificate
+metadata:
+  name: chaos-mesh-cert
+  namespace: {{ .Release.Namespace }}
+spec:
+  duration: 43800h #5year
+  dnsNames:
+    - {{ template "chaos-mesh.svc" . }}
+    - {{ template "chaos-mesh.svc" . }}.{{ .Release.Namespace }}
+    - {{ template "chaos-mesh.svc" . }}.{{ .Release.Namespace }}.svc
+  secretName: {{ template "chaos-mesh.certs" . }}
+  issuerRef:
+    name: chaos-mesh-selfsigned
+{{- end }}

helm/chaos-mesh/values.yaml

@@ -139,3 +139,15 @@ preJobs:
 
 postJobs:
   podAnnotations: {}
+
+webhook:
+  # Setup the webhook using cert-manager
+  certManager:
+    enabled: false
+
+  # If the deleteSecret is true, we will create a job to delete the secret, Otherwise, do nothing
+  deleteSecret: true
+
+  # FailurePolicy defines how unrecognized errors and timeout errors from the admission webhook are handled.
+  # https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy
+  FailurePolicy: Ignore