chore: Simplify cert-manager certs and support existingIssuer

Signed-off-by: Marco Kilchhofer <[email protected]>

keda/README.md

@@ -62,9 +62,10 @@ their default values.
 | `additionalLabels` | object | `{}` | Custom labels to add into metadata |
 | `affinity` | object | `{}` | [Affinity] for pod scheduling for both KEDA operator and Metrics API Server |
 | `certificates.autoGenerated` | bool | `true` | Enables the self generation for KEDA TLS certificates inside KEDA operator |
-| `certificates.certManager.caSecretName` | string | `"kedaorg-ca"` | Secret name where the CA is stored (generatedby cert-manager or user given) |
 | `certificates.certManager.enabled` | bool | `false` | Enables Cert-manager for certificate management |
-| `certificates.certManager.generateCA` | bool | `true` | Generates a self-signed CA with Cert-manager. If generateCA is false, the secret with the CA has to be annotated with `cert-manager.io/allow-direct-injection: "true"` |
+| `certificates.certManager.existingIssuer.enabled` | bool | `false` | Use an existing cert-manager issuer |
+| `certificates.certManager.existingIssuer.kind` | string | `"ClusterIssuer"` | Kind of the existing cert-manager issuer |
+| `certificates.certManager.existingIssuer.name` | string | `""` | Name of the existing cert-manager issuer |
 | `certificates.certManager.secretTemplate` | object | `{}` | Add labels/annotations to secrets created by Certificate resources [docs](https://cert-manager.io/docs/usage/certificate/#creating-certificate-resources) |
 | `certificates.mountPath` | string | `"/certs"` | Path where KEDA TLS certificates are mounted |
 | `certificates.secretName` | string | `"kedaorg-certs"` | Secret name to be mounted with KEDA TLS certificates |

keda/templates/cert-manager/keda-issuer.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.certificates.certManager.enabled }}
+{{- if and .Values.certificates.certManager.enabled (not .Values.certificates.certManager.existingIssuer.enabled) }}
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
@@ -7,6 +7,5 @@ metadata:
   name: {{ .Values.operator.name }}-issuer
   namespace: {{ .Release.Namespace }}
 spec:
-  ca:
-    secretName: {{ .Values.certificates.certManager.caSecretName }}
-{{- end }}
+  selfSigned: {}
+{{- end }}

keda/templates/cert-manager/keda-tls-certificate.yaml

@@ -28,7 +28,12 @@ spec:
   duration: 8760h0m0s # 1 year
   renewBefore: 5840h0m0s # 8 months
   issuerRef:
+    {{- if .Values.certificates.certManager.existingIssuer.enabled }}
+    name: {{ .Values.certificates.certManager.existingIssuer.name }}
+    kind: {{ .Values.certificates.certManager.existingIssuer.kind }}
+    {{- else }}
     name: {{ .Values.operator.name }}-issuer
     kind: Issuer
+    {{- end }}
     group: cert-manager.io
 {{- end }}

keda/templates/metrics-server/apiservice.yaml

@@ -3,11 +3,7 @@ kind: APIService
 metadata:
   annotations:
     {{- if .Values.certificates.certManager.enabled }}
-    {{- if .Values.certificates.certManager.generateCA }}
-    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ .Values.operator.name }}-ca
-    {{- else }}
-    cert-manager.io/inject-ca-from-secret: {{ .Release.Namespace }}/{{ .Values.certificates.certManager.caSecretName }}
-    {{- end }}
+    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ .Values.operator.name }}-tls-certificates
     {{- end }}
     {{- if .Values.additionalAnnotations }}
     {{- toYaml .Values.additionalAnnotations | nindent 4 }}

keda/templates/webhooks/validatingconfiguration.yaml

@@ -4,11 +4,7 @@ kind: ValidatingWebhookConfiguration
 metadata:
   annotations:
     {{- if .Values.certificates.certManager.enabled }}
-    {{- if .Values.certificates.certManager.generateCA }}
-    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ .Values.operator.name }}-ca
-    {{- else }}
-    cert-manager.io/inject-ca-from-secret: {{ .Release.Namespace }}/{{ .Values.certificates.certManager.caSecretName }}
-    {{- end }}
+    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ .Values.operator.name }}-tls-certificates
     {{- end }}
     {{- if .Values.additionalAnnotations }}
     {{- toYaml .Values.additionalAnnotations | nindent 4 }}

keda/values.yaml

@@ -594,12 +594,6 @@ certificates:
   certManager:
     # -- Enables Cert-manager for certificate management
     enabled: false
-    # -- Generates a self-signed CA with Cert-manager.
-    # If generateCA is false, the secret with the CA
-    # has to be annotated with `cert-manager.io/allow-direct-injection: "true"`
-    generateCA: true
-    # -- Secret name where the CA is stored (generatedby cert-manager or user given)
-    caSecretName: "kedaorg-ca"
     # -- Add labels/annotations to secrets created by Certificate resources
     # [docs](https://cert-manager.io/docs/usage/certificate/#creating-certificate-resources)
     secretTemplate: {}
@@ -608,6 +602,13 @@ certificates:
       #   my-secret-annotation-2: "bar"
       # labels:
       #   my-secret-label: foo
+    existingIssuer:
+      # -- Use an existing cert-manager issuer
+      enabled: false
+      # -- Kind of the existing cert-manager issuer
+      kind: ClusterIssuer
+      # -- Name of the existing cert-manager issuer
+      name: ""
 
 permissions:
   metricServer:
@@ -631,4 +632,4 @@ extraObjects: []
   #       provider: aws-eks
 
 # -- Capability to turn on/off ASCII art in Helm installation notes
-asciiArt: true
+asciiArt: true