trust-manager icon indicating copy to clipboard operation
trust-manager copied to clipboard

Published 20 hours ago verified publisher icon cert-manager

Add support for image pullsecret and installing the CRD - helm chart

Open earlgrey88 opened this issue 3 years ago • 1 comments

Hello,

I wonder if it would be possible to add functionality to the helm chart so that:

  1. provide a image pullsecret (you already allow to provide a custom repo in the values, but if a pullsecret is required there's no option).
  2. install the CRD

Thanks for your time..

earlgrey88 avatar Jan 25 '22 21:01 earlgrey88

Hey @earlgrey88 - I think with v0.2.0 this is solved and is now available as an input: https://github.com/cert-manager/trust-manager/blob/main/deploy/charts/trust-manager/values.yaml#L4-L5

Also the CRD does install as part of that version of the chart (or it did for me :) )

So we can probably close this one?

hawksight avatar Sep 28 '22 11:09 hawksight

@hawksight At least the CRD installation can be optimized. At the moment, CRDs are applied as manifests by HELM. There is an option to put CRD definitions into a special subdirectory crds. This allows the user to skip the CRD installation using HELM's command line flag. In addition to that, HELM will not fail if the CRDs are already available. This can be the case if you install all CRDs for your cluster manually before installing HELM chart releases. A possible use case is the Terraform Kubernetes Provider which requires that supported CRDs must be available before execution.

AFAICS, moving the CRD definition to the crds directory should be enough.

Ref.: https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#method-1-let-helm-do-it-for-you

bephinix avatar Nov 18 '22 07:11 bephinix

I came here looking for a way to install the Bundle CRD separately from the trust-manager chart. I want to make trust-manager a subchart dependency of my application, but Helm will not install the subchart first to satisfy the CRD requirement of my chart, so I need to peel off the /crds in advance, then install my chart which depends on trust-manager. This is how it works with cert-manager.

qrkourier avatar Feb 23 '23 02:02 qrkourier

Thanks @bephinix & @qrkourier for the notes. Just taking a look at #102 it seems that the CRDs are now optional through the values options, see here. Released in v0.4.0

So the CRDs are now installed automatically for a default helm installation, but can be disabled. That seems like it resolves the initial issue's request.

I don't think it's exactly the way that the helm docs suggest, but it is similar to cert-manager's configuration.

So an install without CRDs can be applied with:

# Assuming repo is added and up to date
helm template -n cert-manager jetstack/trust-manager --set crds.enabled=false

And applying the CRDs manually can be done with:

k apply -f https://raw.githubusercontent.com/cert-manager/trust-manager/v0.4.0/deploy/crds/trust.cert-manager.io_bundles.yaml

Does that help your use case @qrkourier with the sub chart or not? If it doesn't I'd suggest we open a separate issue for that use case.

hawksight avatar Feb 23 '23 15:02 hawksight

That worked around it for me! Thanks so much.

qrkourier avatar Feb 23 '23 16:02 qrkourier

I think this issue can be closed. The support for image pull secrets was introduced in https://github.com/cert-manager/trust-manager/pull/15. For the CRDs, cert-manager projects have implemented another approach for Helm: https://cert-manager.io/docs/installation/helm/#helm-installation. That Helm lacks proper support for CRDs is well-known, and I think the cert-manager approach is by far the least evil solution to this problem.

erikgb avatar Aug 28 '23 15:08 erikgb

Closing as per @erikgb 's comment - thanks all!

SgtCoDFish avatar Sep 01 '23 11:09 SgtCoDFish