Upgrade cert-manager to 1.14.1 (#14)

* Initial updates for cert-manager 1.14.1
* Add support for PodMonitor
  Always have the target port
  Fix reference to monitor type
* Refine the monitoring structure and application
  Update cert-manager version in readme

Signed-off-by: Luke Mallon (Nalum) <luke@mallon.ie>

Makefile

@@ -54,6 +54,7 @@ gen-debug-files: ## Generate resources and write to files
 	@yq --yaml-output '. | select(.kind == "Namespace")' all.yaml > output/Namespace.yaml
 	@yq --yaml-output '. | select(.kind == "NetworkPolicy")' all.yaml > output/NetworkPolicy.yaml
 	@yq --yaml-output '. | select(.kind == "PodDisruptionBudget")' all.yaml > output/PodDisruptionBudget.yaml
+	@yq --yaml-output '. | select(.kind == "PodMonitor")' all.yaml > output/PodMonitor.yaml
 	@yq --yaml-output '. | select(.kind == "Role")' all.yaml > output/Role.yaml
 	@yq --yaml-output '. | select(.kind == "RoleBinding")' all.yaml > output/RoleBinding.yaml
 	@yq --yaml-output '. | select(.kind == "Service")' all.yaml > output/Service.yaml
@@ -76,6 +77,7 @@ gen-files: ## Generate resources and write to files
 	@yq --yaml-output '. | select(.kind == "Namespace")' all.yaml > output/Namespace.yaml
 	@yq --yaml-output '. | select(.kind == "NetworkPolicy")' all.yaml > output/NetworkPolicy.yaml
 	@yq --yaml-output '. | select(.kind == "PodDisruptionBudget")' all.yaml > output/PodDisruptionBudget.yaml
+	@yq --yaml-output '. | select(.kind == "PodMonitor")' all.yaml > output/PodMonitor.yaml
 	@yq --yaml-output '. | select(.kind == "Role")' all.yaml > output/Role.yaml
 	@yq --yaml-output '. | select(.kind == "RoleBinding")' all.yaml > output/RoleBinding.yaml
 	@yq --yaml-output '. | select(.kind == "Service")' all.yaml > output/Service.yaml

README.md

@@ -1,6 +1,6 @@
 # cert-manager
 
-[![cert-manager](https://img.shields.io/badge/cert--manager-v1.13.3-00bfff)](https://cert-manager.io)
+[![cert-manager](https://img.shields.io/badge/cert--manager-v1.14.1-00bfff)](https://cert-manager.io)
 [![timoni.sh](https://img.shields.io/badge/timoni.sh-v0.19.0-7e56c2)](https://timoni.sh)
 [![License](https://img.shields.io/github/license/nalum/cert-manager-module)](https://github.com/nalum/cert-manager-module/blob/main/LICENSE)
 [![Release](https://img.shields.io/github/v/release/nalum/cert-manager-module)](https://github.com/nalum/cert-manager-module/releases)

templates/config/components.cue

@@ -17,9 +17,9 @@ import (
 	dns01RecursiveNameservers?: string
 	// Forces cert-manager to only use the recursive nameservers for verification.
 	// Enabling this option could cause the DNS01 self check to take longer due to caching performed by the recursive nameservers
-	dns01RecursiveNameserversOnly: *false | bool
+	dns01RecursiveNameserversOnly: *false | true
 	// When this flag is enabled, secrets will be automatically removed when the certificate resource is deleted
-	enableCertificateOwnerRef: *false | bool
+	enableCertificateOwnerRef: *false | true
 	// Comma separated list of feature gates that should be enabled on the controller pod.
 	featureGates?: string
 	// The maximum number of challenges that can be scheduled as 'processing' at once
@@ -49,12 +49,12 @@ import (
 		kubernetesAPIBurst:        *9000 | int
 		numberOfConcurrentWorkers: *200 | int
 		featureGates?: {
-			AdditionalCertificateOutputFormats:               *true | bool
-			ExperimentalCertificateSigningRequestControllers: *true | bool
-			ExperimentalGatewayAPISupport:                    *true | bool
-			ServerSideApply:                                  *true | bool
-			LiteralCertificateSubject:                        *true | bool
-			UseCertificateRequestBasicConstraints:            *true | bool
+			AdditionalCertificateOutputFormats:               *true | false
+			ExperimentalCertificateSigningRequestControllers: *true | false
+			ExperimentalGatewayAPISupport:                    *true | false
+			ServerSideApply:                                  *true | false
+			LiteralCertificateSubject:                        *true | false
+			UseCertificateRequestBasicConstraints:            *true | false
 		}
 	}
 
@@ -74,7 +74,7 @@ import (
 	// is a comma separated list of feature gates to enable.
 	featureGates?: string
 	// enalbes host networking for the webhook pod.
-	hostNetwork: *false | bool
+	hostNetwork: *false | true
 	// is the IP address to bind to when running the webhook pod.
 	loadBalancerIP?: string
 	// is a map of annotations to add to the mutating webhook configuration.
@@ -139,6 +139,15 @@ import (
 #StartupAPICheck: {
 	#Component
 
+	// Additional command line flags to pass to startupapicheck binary.
+	// To see all available flags run docker run quay.io/jetstack/cert-manager-ctl:<version> --help
+	//
+	// We enable verbose logging by default so that if startupapicheck fails, users
+	// can know what exactly caused the failure. Verbose logs include details of
+	// the webhook URL, IP address and TCP connect errors for example.
+	extraArgs: [...string] | *[
+		"-v",
+	]
 	// is the number of retries before considering a Job as failed.
 	backoffLimit: *4 | int
 	// is a map of annotations to add to the job.

templates/config/config.cue

@@ -35,9 +35,9 @@ import (
 	// Setup the Cluster RBAC roles and bindings
 	rbac: {
 		// Create the roles and bindings for cert-manager
-		enabled: *true | bool
+		enabled: *true | false
 		// Aggregate ClusterRoles to Kubernetes default user-facing roles. Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles
-		aggregateClusterRoles: *true | bool
+		aggregateClusterRoles: *true | false
 	}
 
 	podSecurityAdmission: {
@@ -49,7 +49,7 @@ import (
 
 	highAvailability: {
 		// Enable high availability features
-		enabled: *false | bool
+		enabled: *false | true
 		// Number of replicas of the cert-manager controller to run
 		controllerReplicas: *2 | int
 		// Number of replicas of the cert-manager webhook to run
@@ -75,14 +75,19 @@ import (
 		retryPeriod?: #Duration
 	}
 
-	controller: #Controller
+	controller: #Controller & {
+		monitoring: #Monitoring & {
+			namespace: *metadata.namespace | string
+		}
+	}
+
 	webhook:    #Webhook
 	caInjector: #CAInjector
 	acmeSolver: #ACMESolver
 
 	test: {
 		// Enable startupAPICheck to verify the cert-manager API is available
-		enabled:         *true | bool
+		enabled:         *true | false
 		startupAPICheck: #StartupAPICheck
 	}
 }
@@ -91,21 +96,43 @@ import (
 #Percent:  string & =~"^(100|[1-9][0-9]?)%$"
 
 #Monitoring: {
-	// Enable Prometheus monitoring
-	enabled: *false | bool
-	serviceMonitor: {
-		// Enable Prometheus ServiceMonitor monitoring instead of the prometheus shim
-		enabled:            *false | bool
-		prometheusInstance: *"default" | string
-		targetPort:         *"http-metrics" | int | string
-		path:               *"/metrics" | string
-		interval:           *"60s" | #Duration
-		scrapeTimeout:      *"30s" | #Duration
-		labels?:            timoniv1.#Labels
-		annotations?:       timoniv1.#Annotations
-		honorLabels:        *false | bool
-		endpointAdditionalProperties?: {[string]: string}
-	}
+	// Enable Prometheus monitoring for the cert-manager controller to use with the Prometheus Operator.
+	enabled: *false | true
+	// The namespace to create the Monitor in
+	namespace: string
+	// The type of monitoring to enable, can be one of "ServiceMonitor", "PodMonitor" or "Annotations"
+	// If ServiceMonitor is used a Service will also be created
+	type: "ServiceMonitor" | "PodMonitor" | *"Annotations"
+	// Specifies the `prometheus` label on the created PodMonitor/ServiceMonitor, this is
+	// used when different Prometheus instances have label selectors matching
+	// different PodMonitor/ServiceMonitor.
+	prometheusInstance: *"default" | string
+	// The target port to set on the Monitor, should match the port that
+	// cert-manager controller is listening on for metrics
+	targetPort: *"http-metrics" | int | string
+	// The path to scrape for metrics
+	path: *"/metrics" | string
+	// The interval to scrape metrics
+	interval: *"60s" | #Duration
+	// The timeout before a metrics scrape fails
+	scrapeTimeout: *"30s" | #Duration
+	// Additional labels to add to the PodMonitor
+	labels?: timoniv1.#Labels
+	// Additional annotations to add to the PodMonitor
+	annotations?: timoniv1.#Annotations
+	// Keep labels from scraped data, overriding server-side labels.
+	honorLabels: *false | true
+	// EndpointAdditionalProperties allows setting additional properties on the
+	// endpoint such as relabelings, metricRelabelings etc.
+	//
+	// For example:
+	//  endpointAdditionalProperties:
+	//   relabelings:
+	//   - action: replace
+	//     sourceLabels:
+	//     - __meta_kubernetes_pod_node_name
+	//     targetLabel: instance
+	endpointAdditionalProperties?: {[string]: string}
 }
 
 #Proxy: {
@@ -118,21 +145,21 @@ import (
 }
 
 #SecurityContext: {
-	runAsNonRoot: *true | bool
+	runAsNonRoot: *true | false
 	seccompProfile: type: *"RuntimeDefault" | string
 }
 
 #ContainerSecurityContext: corev1.#SecurityContext & {
-	allowPrivilegeEscalation: *false | bool
-	readOnlyRootFilesystem:   *true | bool
-	runAsNonRoot:             *true | bool
+	allowPrivilegeEscalation: *false | true
+	readOnlyRootFilesystem:   *true | false
+	runAsNonRoot:             *true | false
 	capabilities: corev1.#Capabilities & {
 		drop: *["ALL"] | null | [...string]
 	}
 }
 
 #PodDisruptionBudgetData: {
-	enabled:         *true | bool
+	enabled:         *true | false
 	minAvailable?:   int | #Percent
 	maxUnavailable?: int | #Percent
 }

templates/config/images.cue

@@ -1,33 +1,33 @@
 package config
 
-#AppVersion: *"v1.13.3" | string
+#AppVersion: *"v1.14.1" | string
 
 #Controller: image: {
 	repository: *"quay.io/jetstack/cert-manager-controller" | string
 	tag:        #AppVersion
-	digest:     *"sha256:2121d4250f5734ee097df243507d06536fc264140dba3425045a825ef597c79d" | string
+	digest:     *"sha256:3ef9b7e85e89a21c3727f89f6e3f4186853df8de8393e309fa9bcc9a776e69a5" | string
 }
 
 #Webhook: image: {
 	repository: *"quay.io/jetstack/cert-manager-webhook" | string
 	tag:        #AppVersion
-	digest:     *"sha256:f45b21f770bf4676c732f19e2ef17c34f46ac75873a5e0aa25703d808b2e5566" | string
+	digest:     *"sha256:8a0a0c94a67ef1097db79c26a71a05d4cdbebbb6906a8cab21f4bd15c8ed7c3a" | string
 }
 
 #CAInjector: image: {
 	repository: *"quay.io/jetstack/cert-manager-cainjector" | string
 	tag:        #AppVersion
-	digest:     *"sha256:ac5154525f99bd0872671613741aac1b7dcb9c0df988571a7618155ddb6fabd2" | string
+	digest:     *"sha256:fac683efcd03c95ec61063a80bca257ba24544ab7b233a8574a19ec3a4e8c4aa" | string
 }
 
 #StartupAPICheck: image: {
 	repository: *"quay.io/jetstack/cert-manager-ctl" | string
 	tag:        #AppVersion
-	digest:     *"sha256:d0d12f721e01b19973c989646c96905bfca7a0ea5f7888d5e9b4adabb4fbc56c" | string
+	digest:     *"sha256:c15e970af7eb7a51d60d14ed9ea9f9eae0dfbb095a2c4811590cc6bce2d151e7" | string
 }
 
 #ACMESolver: image: {
 	repository: *"quay.io/jetstack/cert-manager-acmesolver" | string
 	tag:        #AppVersion
-	digest:     *"sha256:b1aa36468479fc5ca1a847f9e7cd1dc21978f273d9cec1d4202a632be9d26fad" | string
+	digest:     *"sha256:d31555b1727c3f1ba1de456c8f45abf32ad561c7ecfad70ac674dbd9d231e434" | string
 }

templates/deploymentSpecController.cue

@@ -16,7 +16,7 @@ import (
 	selector: matchLabels: #deployment_meta.#LabelSelector
 
 	template: corev1.#PodTemplateSpec & {
-		if #deployment_monitoring.enabled && !#deployment_monitoring.serviceMonitor.enabled {
+		if #deployment_monitoring.enabled && #deployment_monitoring.type == "Annotations" {
 			metadata: annotations: "prometheus.io/path":   "/metrics"
 			metadata: annotations: "prometheus.io/scrape": "true"
 			metadata: annotations: "prometheus.io/port":   "9402"

templates/instance.cue

@@ -159,10 +159,19 @@ import (
 		}
 	}
 
-	if config.controller.monitoring.enabled && config.controller.monitoring.serviceMonitor.enabled {
-		objects: {
-			service: #ServiceController & {#config: config}
-			serviceMonitor: #ServiceMonitor & {
+	if config.controller.monitoring.enabled {
+		if config.controller.monitoring.type == "ServiceMonitor" {
+			objects: {
+				service: #ServiceController & {#config: config}
+				serviceMonitor: #ServiceMonitor & {
+					#config:    config
+					#component: "controller"
+				}
+			}
+		}
+
+		if config.controller.monitoring.type == "PodMonitor" {
+			objects: podMonitor: #PodMonitor & {
 				#config:    config
 				#component: "controller"
 			}

templates/podMonitor.cue

@@ -0,0 +1,45 @@
+package templates
+
+import (
+	podmonitorv1 "monitoring.coreos.com/podmonitor/v1"
+	timoniv1 "timoni.sh/core/v1alpha1"
+
+	cfg "timoni.sh/cert-manager/templates/config"
+)
+
+#PodMonitor: podmonitorv1.#PodMonitor & {
+	#config:    cfg.#Config
+	#component: string
+
+	#meta: timoniv1.#MetaComponent & {
+		#Meta:      #config.metadata
+		#Component: #component
+	}
+
+	metadata: #meta
+	metadata: labels: prometheus: #config.controller.monitoring.prometheusInstance
+
+	if #config.controller.monitoring.annotations != _|_ {
+		metadata: annotations: #config.controller.monitoring.annotations
+	}
+
+	spec: {
+		jobLabel: #config.metadata.name
+		selector: matchLabels: #meta.#LabelSelector
+		namespaceSelector: matchNames: [#config.controller.monitoring.namespace]
+
+		podMetricsEndpoints: [{
+			port:          #config.controller.monitoring.targetPort
+			path:          #config.controller.monitoring.path
+			interval:      #config.controller.monitoring.interval
+			scrapeTimeout: #config.controller.monitoring.scrapeTimeout
+			honorLabels:   #config.controller.monitoring.honorLabels
+
+			if #config.controller.monitoring.endpointAdditionalProperties != _|_ {
+				for k, v in #config.controller.monitoring.endpointAdditionalProperties {
+					"\(k)": v
+				}
+			}
+		}]
+	}
+}

templates/service.cue

@@ -43,7 +43,7 @@ import (
 			protocol:   "TCP"
 			port:       9402
 			name:       "tcp-prometheus-servicemonitor"
-			targetPort: #config[#component].monitoring.serviceMonitor.targetPort
+			targetPort: #config[#component].monitoring.targetPort
 		}]
 	}
 }

templates/serviceMonitor.cue

@@ -17,29 +17,26 @@ import (
 	}
 
 	metadata: #meta
-	metadata: labels: prometheus: #config.controller.monitoring.serviceMonitor.prometheusInstance
+	metadata: labels: prometheus: #config.controller.monitoring.prometheusInstance
 
-	if #config.controller.monitoring.serviceMonitor.annotations != _|_ {
-		metadata: annotations: #config.controller.monitoring.serviceMonitor.annotations
+	if #config.controller.monitoring.annotations != _|_ {
+		metadata: annotations: #config.controller.monitoring.annotations
 	}
 
 	spec: {
 		jobLabel: #config.metadata.name
 		selector: matchLabels: #meta.#LabelSelector
-
-		if #config.controller.monitoring.serviceMonitor.namespace != _|_ {
-			namespaceSelector: matchNames: [#meta.namespace]
-		}
+		namespaceSelector: matchNames: [#config.controller.monitoring.namespace]
 
 		endpoints: [{
-			targetPort:    #config.controller.monitoring.serviceMonitor.targetPort
-			path:          #config.controller.monitoring.serviceMonitor.path
-			interval:      #config.controller.monitoring.serviceMonitor.interval
-			scrapeTimeout: #config.controller.monitoring.serviceMonitor.scrapeTimeout
-			honorLabels:   #config.controller.monitoring.serviceMonitor.honorLabels
-
-			if #config.controller.monitoring.serviceMonitor.endpointAdditionalProperties != _|_ {
-				for k, v in #config.controller.monitoring.serviceMonitor.endpointAdditionalProperties {
+			targetPort:    #config.controller.monitoring.targetPort
+			path:          #config.controller.monitoring.path
+			interval:      #config.controller.monitoring.interval
+			scrapeTimeout: #config.controller.monitoring.scrapeTimeout
+			honorLabels:   #config.controller.monitoring.honorLabels
+
+			if #config.controller.monitoring.endpointAdditionalProperties != _|_ {
+				for k, v in #config.controller.monitoring.endpointAdditionalProperties {
 					"\(k)": v
 				}
 			}

templates/startupAPICheckJob.cue

@@ -61,12 +61,9 @@ import (
 						"check",
 						"api",
 						"--wait=\(#config.test.startupAPICheck.timeout)",
+						for arg in #config.test.startupAPICheck.extraArgs {arg},
 					]
 
-					if #config.test.startupAPICheck.extraArgs != _|_ {
-						args: #config.test.startupAPICheck.extraArgs
-					}
-
 					if #config.test.startupAPICheck.resources != _|_ {
 						resources: #config.test.startupAPICheck.resources
 					}

test/data/values-monitoring-serviceMonitor.cue

@@ -1,2 +1,2 @@
 values: controller: monitoring: enabled: true
-values: controller: monitoring: serviceMonitor: enabled: true
+values: controller: monitoring: type:    "ServiceMonitor"