kubernetes
diff --git a/‎vertical-pod-autoscaler/charts/vertical-pod-autoscaler/README.md‎
Lines changed: 23 additions & 1 deletion b/‎vertical-pod-autoscaler/charts/vertical-pod-autoscaler/README.md‎
Lines changed: 23 additions & 1 deletion
diff --git a/‎vertical-pod-autoscaler/charts/vertical-pod-autoscaler/templates/_helpers.tpl‎
Lines changed: 52 additions & 2 deletions b/‎vertical-pod-autoscaler/charts/vertical-pod-autoscaler/templates/_helpers.tpl‎
Lines changed: 52 additions & 2 deletions
diff --git a/‎vertical-pod-autoscaler/charts/vertical-pod-autoscaler/templates/admission-controller-certgen-clusterrole.yaml‎
Lines changed: 21 additions & 0 deletions b/‎vertical-pod-autoscaler/charts/vertical-pod-autoscaler/templates/admission-controller-certgen-clusterrole.yaml‎
Lines changed: 21 additions & 0 deletions
diff --git a/‎vertical-pod-autoscaler/charts/vertical-pod-autoscaler/templates/admission-controller-certgen-clusterrolebinding.yaml‎
Lines changed: 20 additions & 0 deletions b/‎vertical-pod-autoscaler/charts/vertical-pod-autoscaler/templates/admission-controller-certgen-clusterrolebinding.yaml‎
Lines changed: 20 additions & 0 deletions
diff --git a/‎vertical-pod-autoscaler/charts/vertical-pod-autoscaler/templates/admission-controller-certgen-patch.yaml‎
Lines changed: 70 additions & 0 deletions b/‎vertical-pod-autoscaler/charts/vertical-pod-autoscaler/templates/admission-controller-certgen-patch.yaml‎
Lines changed: 70 additions & 0 deletions
diff --git a/‎vertical-pod-autoscaler/charts/vertical-pod-autoscaler/templates/admission-controller-certgen-role.yaml‎
Lines changed: 21 additions & 0 deletions b/‎vertical-pod-autoscaler/charts/vertical-pod-autoscaler/templates/admission-controller-certgen-role.yaml‎
Lines changed: 21 additions & 0 deletions
diff --git a/‎vertical-pod-autoscaler/charts/vertical-pod-autoscaler/templates/admission-controller-certgen-rolebinding.yaml‎
Lines changed: 21 additions & 0 deletions b/‎vertical-pod-autoscaler/charts/vertical-pod-autoscaler/templates/admission-controller-certgen-rolebinding.yaml‎
Lines changed: 21 additions & 0 deletions
diff --git a/‎vertical-pod-autoscaler/charts/vertical-pod-autoscaler/templates/admission-controller-certgen-serviceaccount.yaml‎
Lines changed: 13 additions & 0 deletions b/‎vertical-pod-autoscaler/charts/vertical-pod-autoscaler/templates/admission-controller-certgen-serviceaccount.yaml‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎vertical-pod-autoscaler/charts/vertical-pod-autoscaler/templates/admission-controller-certgen.yaml‎
Lines changed: 70 additions & 0 deletions b/‎vertical-pod-autoscaler/charts/vertical-pod-autoscaler/templates/admission-controller-certgen.yaml‎
Lines changed: 70 additions & 0 deletions
@@ -23,18 +23,35 @@ The Vertical Pod Autoscaler (VPA) automatically adjusts the CPU and memory resou
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | admissionController.affinity | object | `{}` |  |
+| admissionController.certGen.affinity | object | `{}` |  |
+| admissionController.certGen.env | object | `{}` | Additional environment variables to be added to the certgen container. Format is KEY: Value format |
+| admissionController.certGen.image.pullPolicy | string | `"IfNotPresent"` | The pull policy for the certgen image. Recommend not changing this |
+| admissionController.certGen.image.repository | string | `"registry.k8s.io/ingress-nginx/kube-webhook-certgen"` | An image that contains certgen for creating certificates. Only used if admissionController.generateCertificate is true |
+| admissionController.certGen.image.tag | string | `"v20231011-8b53cabe0"` | An image tag for the admissionController.certGen.image.repository image. Only used if admissionController.generateCertificate is true |
+| admissionController.certGen.nodeSelector | object | `{}` |  |
+| admissionController.certGen.podSecurityContext | object | `{"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}` | The securityContext block for the certgen pod(s) |
+| admissionController.certGen.resources | object | `{}` | The resources block for the certgen pod |
+| admissionController.certGen.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true}` | The securityContext block for the certgen container(s) |
+| admissionController.certGen.tolerations | list | `[]` |  |
 | admissionController.enabled | bool | `true` |  |
 | admissionController.extraArgs | list | `[]` |  |
 | admissionController.extraEnv | list | `[]` |  |
+| admissionController.generateCertificate | bool | `true` |  |
 | admissionController.image.pullPolicy | string | `"IfNotPresent"` |  |
 | admissionController.image.repository | string | `"registry.k8s.io/autoscaling/vpa-admission-controller"` |  |
 | admissionController.image.tag | string | `nil` |  |
+| admissionController.mutatingWebhookConfiguration.annotations | object | `{}` | Additional annotations for the MutatingWebhookConfiguration |
+| admissionController.mutatingWebhookConfiguration.failurePolicy | string | `"Ignore"` | The failurePolicy for the mutating webhook. Allowed values are: Ignore, Fail |
+| admissionController.mutatingWebhookConfiguration.namespaceSelector | object | `{}` | The namespaceSelector controls which namespaces are affected by the webhook |
+| admissionController.mutatingWebhookConfiguration.objectSelector | object | `{}` | The objectSelector can filter objects on e.g. labels |
+| admissionController.mutatingWebhookConfiguration.timeoutSeconds | int | `5` | Sets the amount of time the API server will wait on a response from the webhook service |
 | admissionController.nodeSelector | object | `{}` |  |
 | admissionController.podAnnotations | object | `{}` |  |
 | admissionController.podDisruptionBudget.enabled | bool | `true` |  |
 | admissionController.podDisruptionBudget.maxUnavailable | int or string | `nil` | Maximum number/percentage of pods that can be unavailable after the eviction. IMPORTANT: You can specify either 'minAvailable' or 'maxUnavailable', but not both. |
 | admissionController.podDisruptionBudget.minAvailable | int or string | `1` | Minimum number/percentage of pods that must be available after the eviction. IMPORTANT: You can specify either 'minAvailable' or 'maxUnavailable', but not both. |
 | admissionController.podLabels | object | `{}` |  |
+| admissionController.registerWebhook | bool | `false` |  |
 | admissionController.replicas | int | `2` |  |
 | admissionController.resources.limits.cpu | string | `"200m"` |  |
 | admissionController.resources.limits.memory | string | `"500Mi"` |  |
@@ -50,7 +67,6 @@ The Vertical Pod Autoscaler (VPA) automatically adjusts the CPU and memory resou
 | admissionController.serviceAccount.labels | object | `{}` |  |
 | admissionController.tls.caCert | string | `""` |  |
 | admissionController.tls.cert | string | `""` |  |
-| admissionController.tls.existingSecret | string | `""` |  |
 | admissionController.tls.key | string | `""` |  |
 | admissionController.tls.secretName | string | `"vpa-tls-certs"` |  |
 | admissionController.tolerations | list | `[]` |  |
@@ -59,6 +75,12 @@ The Vertical Pod Autoscaler (VPA) automatically adjusts the CPU and memory resou
 | admissionController.volumeMounts[0].readOnly | bool | `true` |  |
 | admissionController.volumes[0].name | string | `"tls-certs"` |  |
 | admissionController.volumes[0].secret.defaultMode | int | `420` |  |
+| admissionController.volumes[0].secret.items[0].key | string | `"ca"` |  |
+| admissionController.volumes[0].secret.items[0].path | string | `"caCert.pem"` |  |
+| admissionController.volumes[0].secret.items[1].key | string | `"cert"` |  |
+| admissionController.volumes[0].secret.items[1].path | string | `"serverCert.pem"` |  |
+| admissionController.volumes[0].secret.items[2].key | string | `"key"` |  |
+| admissionController.volumes[0].secret.items[2].path | string | `"serverKey.pem"` |  |
 | admissionController.volumes[0].secret.secretName | string | `"vpa-tls-certs"` |  |
 | commonLabels | object | `{}` |  |
 | containerSecurityContext | object | `{}` |  |
 
@@ -66,13 +66,63 @@ app.kubernetes.io/component: admission-controller
 Create the name of the tls secret to use
 */}}
 {{- define "vertical-pod-autoscaler.admissionController.tls.secretName" -}}
-{{- if .Values.admissionController.tls.existingSecret -}}
-    {{ .Values.admissionController.tls.existingSecret }}
+{{- if .Values.admissionController.tls.secretName -}}
+    {{ .Values.admissionController.tls.secretName }}
 {{- else -}}
     {{- printf "%s-%s" (include "vertical-pod-autoscaler.admissionController.fullname" .) "tls" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 {{- end -}}
 
+{{/*
+admissionController webhook
+*/}}
+{{- define "vertical-pod-autoscaler.admissionController.webhook.name" -}}
+{{ include "vertical-pod-autoscaler.fullname" . }}-webhook
+{{- end }}
+
+{{- define "vertical-pod-autoscaler.admissionController.webhook.configName" -}}
+{{ include "vertical-pod-autoscaler.fullname" . }}-webhook-config
+{{- end }}
+
+{{/*
+See if we can upgrade the mutatingWebhookConfiguration
+Checks if the webhook exists and is managed by this Helm release
+*/}}
+{{- define "vertical-pod-autoscaler.admissionController.webhook.upgradable" -}}
+{{- $webhookName := include "vertical-pod-autoscaler.admissionController.webhook.configName" . -}}
+{{- $webhook := (lookup "admissionregistration.k8s.io/v1" "MutatingWebhookConfiguration" "" $webhookName) -}}
+{{- if $webhook -}}
+  {{- if and
+    (hasKey $webhook.metadata "labels")
+    (hasKey $webhook.metadata "annotations")
+    (hasKey $webhook.metadata.labels "app.kubernetes.io/managed-by")
+    (hasKey $webhook.metadata.annotations "meta.helm.sh/release-name")
+    (hasKey $webhook.metadata.annotations "meta.helm.sh/release-namespace")
+    (eq (get $webhook.metadata.labels "app.kubernetes.io/managed-by") "Helm")
+    (eq (get $webhook.metadata.annotations "meta.helm.sh/release-name") .Release.Name)
+    (eq (get $webhook.metadata.annotations "meta.helm.sh/release-namespace") .Release.Namespace)
+  -}}
+    {{- "true" -}}
+  {{- else -}}
+    {{- "" -}}
+  {{- end -}}
+{{- else -}}
+  {{- "true" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+admissionController certGen
+*/}}
+{{- define "vertical-pod-autoscaler.admissionController.certGen.fullname" -}}
+{{ include "vertical-pod-autoscaler.fullname" . }}-admission-certgen
+{{- end }}
+
+{{- define "vertical-pod-autoscaler.admissionController.certGen.labels" -}}
+{{ include "vertical-pod-autoscaler.labels" . }}
+app.kubernetes.io/component: admission-certgen
+{{- end }}
+
 
 {{/*
 updater
 
@@ -0,0 +1,21 @@
+{{- if and .Values.admissionController.enabled .Values.admissionController.generateCertificate -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "vertical-pod-autoscaler.admissionController.certGen.fullname" . }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+    "helm.sh/hook-weight": "-10"
+  labels:
+    {{- include "vertical-pod-autoscaler.admissionController.certGen.labels" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - admissionregistration.k8s.io
+    resources:
+      - mutatingwebhookconfigurations
+    verbs:
+      - get
+      - update
+      - patch
+{{- end -}}
@@ -0,0 +1,20 @@
+{{- if and .Values.admissionController.enabled .Values.admissionController.generateCertificate -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "vertical-pod-autoscaler.admissionController.certGen.fullname" . }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+    "helm.sh/hook-weight": "-10"
+  labels:
+    {{- include "vertical-pod-autoscaler.admissionController.certGen.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "vertical-pod-autoscaler.admissionController.certGen.fullname" . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "vertical-pod-autoscaler.admissionController.certGen.fullname" . }}
+    namespace: {{ .Release.Namespace }}
+{{- end -}}
@@ -0,0 +1,70 @@
+{{- if and .Values.admissionController.enabled .Values.admissionController.generateCertificate -}}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "vertical-pod-autoscaler.admissionController.certGen.fullname" . }}-patch
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": post-install,post-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+  labels:
+    {{- include "vertical-pod-autoscaler.admissionController.certGen.labels" . | nindent 4 }}
+spec:
+  ttlSecondsAfterFinished: 300
+  template:
+    metadata:
+      name: {{ include "vertical-pod-autoscaler.admissionController.certGen.fullname" . }}-patch
+      labels:
+        {{- include "vertical-pod-autoscaler.admissionController.certGen.labels" . | nindent 8 }}
+    spec:
+      restartPolicy: OnFailure
+      serviceAccountName: {{ include "vertical-pod-autoscaler.admissionController.certGen.fullname" . }}
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.priorityClassName }}
+      priorityClassName: {{ . }}
+      {{- end }}
+      containers:
+        - name: patch
+          image: {{ printf "%s:%s" .Values.admissionController.certGen.image.repository .Values.admissionController.certGen.image.tag }}
+          imagePullPolicy: {{ .Values.admissionController.certGen.image.pullPolicy }}
+          args:
+            - patch
+            - --webhook-name={{ include "vertical-pod-autoscaler.admissionController.webhook.configName" . }}
+            - --namespace={{ .Release.Namespace }}
+            - --secret-name={{ include "vertical-pod-autoscaler.admissionController.tls.secretName" . }}
+            - --patch-validating=false
+          {{- with .Values.admissionController.certGen.env }}
+          env:
+            {{- range $key, $value := . }}
+            - name: {{ $key }}
+              value: {{ $value | quote }}
+            {{- end }}
+          {{- end }}
+          {{- with .Values.admissionController.certGen.resources }}
+          resources:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.admissionController.certGen.securityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+      {{- with .Values.admissionController.certGen.podSecurityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.admissionController.certGen.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.admissionController.certGen.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.admissionController.certGen.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+{{- end -}}
@@ -0,0 +1,21 @@
+{{- if and .Values.admissionController.enabled .Values.admissionController.generateCertificate -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "vertical-pod-autoscaler.admissionController.certGen.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+    "helm.sh/hook-weight": "-10"
+  labels:
+    {{- include "vertical-pod-autoscaler.admissionController.certGen.labels" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+      - create
+{{- end -}}
@@ -0,0 +1,21 @@
+{{- if and .Values.admissionController.enabled .Values.admissionController.generateCertificate -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "vertical-pod-autoscaler.admissionController.certGen.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+    "helm.sh/hook-weight": "-10"
+  labels:
+    {{- include "vertical-pod-autoscaler.admissionController.certGen.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "vertical-pod-autoscaler.admissionController.certGen.fullname" . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "vertical-pod-autoscaler.admissionController.certGen.fullname" . }}
+    namespace: {{ .Release.Namespace }}
+{{- end -}}
@@ -0,0 +1,13 @@
+{{- if and .Values.admissionController.enabled .Values.admissionController.generateCertificate -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "vertical-pod-autoscaler.admissionController.certGen.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+    "helm.sh/hook-weight": "-10"
+  labels:
+    {{- include "vertical-pod-autoscaler.admissionController.certGen.labels" . | nindent 4 }}
+{{- end -}}
@@ -0,0 +1,70 @@
+{{- if and .Values.admissionController.enabled .Values.admissionController.generateCertificate -}}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "vertical-pod-autoscaler.admissionController.certGen.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+    "helm.sh/hook-weight": "-5"
+  labels:
+    {{- include "vertical-pod-autoscaler.admissionController.certGen.labels" . | nindent 4 }}
+spec:
+  ttlSecondsAfterFinished: 300
+  template:
+    metadata:
+      name: {{ include "vertical-pod-autoscaler.admissionController.certGen.fullname" . }}
+      labels:
+        {{- include "vertical-pod-autoscaler.admissionController.certGen.labels" . | nindent 8 }}
+    spec:
+      restartPolicy: OnFailure
+      serviceAccountName: {{ include "vertical-pod-autoscaler.admissionController.certGen.fullname" . }}
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.priorityClassName }}
+      priorityClassName: {{ . }}
+      {{- end }}
+      containers:
+        - name: create
+          image: {{ printf "%s:%s" .Values.admissionController.certGen.image.repository .Values.admissionController.certGen.image.tag }}
+          imagePullPolicy: {{ .Values.admissionController.certGen.image.pullPolicy }}
+          args:
+            - create
+            - --host={{ include "vertical-pod-autoscaler.admissionController.webhook.name" . }},{{ include "vertical-pod-autoscaler.admissionController.webhook.name" . }}.{{ .Release.Namespace }}.svc
+            - --namespace={{ .Release.Namespace }}
+            - --secret-name={{ include "vertical-pod-autoscaler.admissionController.tls.secretName" . }}
+          {{- with .Values.admissionController.certGen.env }}
+          env:
+            {{- range $key, $value := . }}
+            - name: {{ $key }}
+              value: {{ $value | quote }}
+            {{- end }}
+          {{- end }}
+          {{- with .Values.admissionController.certGen.resources }}
+          resources:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.admissionController.certGen.securityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+      {{- with .Values.admissionController.certGen.podSecurityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.admissionController.certGen.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.admissionController.certGen.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.admissionController.certGen.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+{{- end -}}