feat: add linkerd-helpers (#24)

Author: SweetOps

.github/workflows/helm-lint.yaml

@@ -34,9 +34,9 @@ jobs:
       - name: Run chart-testing (lint)
         run: ct lint --config ct.yaml
 
-      - name: Create kind cluster
-        uses: helm/kind-action@v1.2.0
-        if: steps.list-changed.outputs.changed == 'true'
+      # - name: Create kind cluster
+      #   uses: helm/kind-action@v1.2.0
+      #   if: steps.list-changed.outputs.changed == 'true'
 
-      - name: Run chart-testing (install)
-        run: ct install --config ct.yaml
+      # - name: Run chart-testing (install)
+      #   run: ct install --config ct.yaml

charts/linkerd-helpers/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/linkerd-helpers/Chart.yaml

@@ -0,0 +1,8 @@
+apiVersion: v2
+name: linkerd-helpers
+description: A Helm chart for Kubernetes to provision certificates, prometheus monitors for Linkerd
+type: application
+version: 0.1.0
+appVersion: "stable-2.12.1"
+maintainers:
+  - name: SweetOps

charts/linkerd-helpers/templates/_helpers.tpl

@@ -0,0 +1,51 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "linkerd-helpers.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "linkerd-helpers.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "linkerd-helpers.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "linkerd-helpers.labels" -}}
+helm.sh/chart: {{ include "linkerd-helpers.chart" . }}
+{{ include "linkerd-helpers.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "linkerd-helpers.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "linkerd-helpers.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}

charts/linkerd-helpers/templates/linkerd-certificates.yaml

@@ -0,0 +1,165 @@
+{{- if .Values.linkerd.enabled -}}
+{{- if and .Values.linkerd.trustAnchor.ca.crt .Values.linkerd.trustAnchor.ca.key -}}
+---
+kind: Secret
+apiVersion: v1
+metadata:
+  name: linkerd-trust-anchor
+  namespace: {{ .Values.linkerd.namespace }}
+  labels:
+    linkerd.io/control-plane-component: identity
+    linkerd.io/control-plane-ns: {{ .Values.linkerd.namespace }}
+    {{- include "linkerd-helpers.labels" . | nindent 4 }}
+data:
+  tls.crt: {{ b64enc (.Values.linkerd.trustAnchor.ca.crt | trim )}}
+  tls.key: {{ b64enc (.Values.linkerd.trustAnchor.ca.key | trim )}}
+{{- end }}
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: linkerd-trust-anchor
+  namespace: {{ .Values.linkerd.namespace }}
+  labels:
+    linkerd.io/control-plane-component: identity
+    linkerd.io/control-plane-ns: {{ .Values.linkerd.namespace }}
+    {{- include "linkerd-helpers.labels" . | nindent 4 }}
+spec:
+  ca:
+    secretName: linkerd-trust-anchor
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: linkerd-identity-issuer
+  namespace: {{ .Values.linkerd.namespace }}
+  labels:
+    linkerd.io/control-plane-component: identity
+    linkerd.io/control-plane-ns: {{ .Values.linkerd.namespace }}
+    {{- include "linkerd-helpers.labels" . | nindent 4 }}
+spec:
+  secretName: linkerd-identity-issuer
+  duration: {{ .Values.linkerd.identityIssuer.duration }}
+  renewBefore: {{ .Values.linkerd.identityIssuer.renewBefore }}
+  issuerRef:
+    name: linkerd-trust-anchor
+    kind: Issuer
+  commonName: identity.{{ .Values.linkerd.namespace }}.cluster.local
+  dnsNames:
+  - identity.{{ .Values.linkerd.namespace }}.cluster.local
+  isCA: true
+  privateKey:
+    algorithm: ECDSA
+  usages:
+  - cert sign
+  - crl sign
+  - server auth
+  - client auth
+{{- if and .Values.linkerd.webhook.ca.crt .Values.linkerd.webhook.ca.key -}}
+---
+kind: Secret
+apiVersion: v1
+metadata:
+  name: webhook-issuer-tls
+  namespace: {{ .Values.linkerd.namespace }}
+  labels:
+    linkerd.io/control-plane-component: proxy-injector
+    linkerd.io/control-plane-ns: {{ .Values.linkerd.namespace }}
+    {{- include "linkerd-helpers.labels" . | nindent 4 }}
+data:
+  tls.crt: {{ b64enc (.Values.linkerd.webhook.ca.crt | trim )}}
+  tls.key: {{ b64enc (.Values.linkerd.webhook.ca.key | trim )}}
+{{- end }}
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: webhook-issuer
+  namespace: {{ .Values.linkerd.namespace }}
+  labels:
+    linkerd.io/control-plane-component: webhook
+    linkerd.io/control-plane-ns: {{ .Values.linkerd.namespace }}
+    {{- include "linkerd-helpers.labels" . | nindent 4 }}
+spec:
+  ca:
+    secretName: webhook-issuer-tls
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: linkerd-policy-validator
+  namespace: {{ .Values.linkerd.namespace }}
+  labels:
+    linkerd.io/control-plane-component: policy-validator
+    linkerd.io/control-plane-ns: {{ .Values.linkerd.namespace }}
+    {{- include "linkerd-helpers.labels" . | nindent 4 }}
+spec:
+  secretName: linkerd-policy-validator-k8s-tls
+  duration: {{ .Values.linkerd.webhook.issuer.duration }}
+  renewBefore: {{ .Values.linkerd.webhook.issuer.renewBefore }}
+  issuerRef:
+    name: webhook-issuer
+    kind: Issuer
+  commonName: linkerd-policy-validator.{{ .Values.linkerd.namespace }}.svc
+  dnsNames:
+  - linkerd-policy-validator.{{ .Values.linkerd.namespace }}.svc
+  - linkerd-policy-validator.{{ .Values.linkerd.namespace }}.svc.cluster.local
+  isCA: false
+  privateKey:
+    algorithm: ECDSA
+    encoding: PKCS8
+  usages:
+  - server auth
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: linkerd-proxy-injector
+  namespace: {{ .Values.linkerd.namespace }}
+  labels:
+    linkerd.io/control-plane-component: proxy-injector
+    linkerd.io/control-plane-ns: {{ .Values.linkerd.namespace }}
+    {{- include "linkerd-helpers.labels" . | nindent 4 }}
+spec:
+  secretName: linkerd-proxy-injector-k8s-tls
+  duration: {{ .Values.linkerd.webhook.issuer.duration }}
+  renewBefore: {{ .Values.linkerd.webhook.issuer.renewBefore }}
+  issuerRef:
+    name: webhook-issuer
+    kind: Issuer
+  commonName: linkerd-proxy-injector.{{ .Values.linkerd.namespace }}.svc
+  dnsNames:
+  - linkerd-proxy-injector.{{ .Values.linkerd.namespace }}.svc
+  - linkerd-proxy-injector.{{ .Values.linkerd.namespace }}.svc.cluster.local
+  isCA: false
+  privateKey:
+    algorithm: ECDSA
+  usages:
+  - server auth
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: linkerd-sp-validator
+  namespace: {{ .Values.linkerd.namespace }}
+  labels:
+    linkerd.io/control-plane-component: sp-validator
+    linkerd.io/control-plane-ns: {{ .Values.linkerd.namespace }}
+    {{- include "linkerd-helpers.labels" . | nindent 4 }}
+spec:
+  secretName: linkerd-sp-validator-k8s-tls
+  duration: {{ .Values.linkerd.webhook.issuer.duration }}
+  renewBefore: {{ .Values.linkerd.webhook.issuer.renewBefore }}
+  issuerRef:
+    name: webhook-issuer
+    kind: Issuer
+  commonName: linkerd-sp-validator.{{ .Values.linkerd.namespace }}.svc
+  dnsNames:
+  - linkerd-sp-validator.{{ .Values.linkerd.namespace }}.svc
+  - linkerd-sp-validator.{{ .Values.linkerd.namespace }}.svc.cluster.local
+  isCA: false
+  privateKey:
+    algorithm: ECDSA
+  usages:
+  - server auth
+{{- end }}

charts/linkerd-helpers/templates/linkerd-jaeger-certificates.yaml

@@ -0,0 +1,56 @@
+{{- if .Values.linkerdJaeger.enabled -}}
+{{- if and .Values.linkerdJaeger.webhook.ca.crt .Values.linkerdJaeger.webhook.ca.key -}}
+---
+kind: Secret
+apiVersion: v1
+metadata:
+  name: webhook-issuer-tls
+  namespace: {{ .Values.linkerdJaeger.namespace }}
+  labels:
+    linkerd.io/control-plane-component: proxy-injector
+    linkerd.io/jaeger: {{ .Values.linkerdJaeger.namespace }}
+    {{- include "linkerd-helpers.labels" . | nindent 4 }}
+data:
+  tls.crt: {{ b64enc (.Values.linkerdJaeger.webhook.ca.crt | trim )}}
+  tls.key: {{ b64enc (.Values.linkerdJaeger.webhook.ca.key | trim )}}
+{{- end }}
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: webhook-issuer
+  namespace: {{ .Values.linkerdJaeger.namespace }}
+  labels:
+    linkerd.io/control-plane-component: webhook
+    linkerd.io/jaeger-ns: {{ .Values.linkerdJaeger.namespace }}
+    {{- include "linkerd-helpers.labels" . | nindent 4 }}
+spec:
+  ca:
+    secretName: webhook-issuer-tls
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: jaeger-injector
+  namespace: {{ .Values.linkerdJaeger.namespace }}
+  labels:
+    linkerd.io/control-plane-component: webhook
+    linkerd.io/jaeger-ns: {{ .Values.linkerdJaeger.namespace }}
+    {{- include "linkerd-helpers.labels" . | nindent 4 }}
+spec:
+  secretName: jaeger-injector-k8s-tls
+  duration: {{ .Values.linkerdJaeger.webhook.issuer.duration }}
+  renewBefore: {{ .Values.linkerdJaeger.webhook.issuer.renewBefore }}
+  issuerRef:
+    name: webhook-issuer
+    kind: Issuer
+  commonName: jaeger-injector.{{ .Values.linkerdJaeger.namespace }}.svc
+  dnsNames:
+  - jaeger-injector.{{ .Values.linkerdJaeger.namespace }}.svc
+  - jaeger-injector.{{ .Values.linkerdJaeger.namespace }}.svc.cluster.local
+  isCA: false
+  privateKey:
+    algorithm: ECDSA
+  usages:
+  - server auth
+{{- end }}

charts/linkerd-helpers/templates/linkerd-viz-certificates.yaml

@@ -0,0 +1,57 @@
+{{- if .Values.linkerdViz.enabled -}}
+{{- if .Values.linkerdViz.enabled -}}
+{{- if and .Values.linkerdViz.webhook.ca.crt .Values.linkerdViz.webhook.ca.key -}}
+---
+kind: Secret
+apiVersion: v1
+metadata:
+  name: webhook-issuer-tls
+  namespace: {{ .Values.linkerdViz.namespace }}
+  labels:
+    linkerd.io/control-plane-component: proxy-injector
+    linkerd.io/viz: {{ .Values.linkerdViz.namespace }}
+data:
+  tls.crt: {{ b64enc (.Values.linkerdViz.webhook.ca.crt | trim )}}
+  tls.key: {{ b64enc (.Values.linkerdViz.webhook.ca.key | trim )}}
+{{- end }}
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: webhook-issuer
+  namespace: {{ .Values.linkerdViz.namespace }}
+  labels:
+    linkerd.io/control-plane-component: webhook
+    linkerd.io/viz-ns: {{ .Values.linkerdViz.namespace }}
+    {{- include "linkerd-helpers.labels" . | nindent 4 }}
+spec:
+  ca:
+    secretName: webhook-issuer-tls
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: linkerd-tap-injector
+  namespace: {{ .Values.linkerdViz.namespace }}
+  labels:
+    linkerd.io/control-plane-component: webhook
+    linkerd.io/viz-ns: {{ .Values.linkerdViz.namespace }}
+    {{- include "linkerd-helpers.labels" . | nindent 4 }}
+spec:
+  secretName: tap-injector-k8s-tls
+  duration: {{ .Values.linkerdViz.webhook.issuer.duration }}
+  renewBefore: {{ .Values.linkerdViz.webhook.issuer.renewBefore }}
+  issuerRef:
+    name: webhook-issuer
+    kind: Issuer
+  commonName: tap-injector.{{ .Values.linkerdViz.namespace }}.svc
+  dnsNames:
+  - tap-injector.{{ .Values.linkerdViz.namespace }}.svc
+  - tap-injector.{{ .Values.linkerdViz.namespace }}.svc.cluster.local
+  isCA: false
+  privateKey:
+    algorithm: ECDSA
+  usages:
+  - server auth
+{{- end }}
+{{- end }}