- Fix enalbe checks and test job (#13)

- List k8s versions in test
- Force enable probes
- Update k8s version note

Signed-off-by: Luke Mallon (Nalum) <luke@mallon.ie>

README.md

@@ -2,14 +2,19 @@
 
 [![cert-manager](https://img.shields.io/badge/cert--manager-v1.13.3-00bfff)](https://cert-manager.io)
 [![timoni.sh](https://img.shields.io/badge/timoni.sh-v0.19.0-7e56c2)](https://timoni.sh)
-[![kubernetes](https://img.shields.io/badge/kubernetes-v1.29.0-326CE5?logo=kubernetes&logoColor=white)](https://kubernetes.io)
 [![License](https://img.shields.io/github/license/nalum/cert-manager-module)](https://github.com/nalum/cert-manager-module/blob/main/LICENSE)
 [![Release](https://img.shields.io/github/v/release/nalum/cert-manager-module)](https://github.com/nalum/cert-manager-module/releases)
 
 A [timoni.sh](http://timoni.sh) module for deploying cert-manager to Kubernetes clusters.
 
 [![Timoni cert-manager](https://asciinema.org/a/631238.svg)](https://asciinema.org/a/631238)
 
+This module is applied to these Kubernetes version in CI:
+
+- [![kubernetes](https://img.shields.io/badge/kubernetes-v1.27.10-326CE5?logo=kubernetes&logoColor=white)](https://kubernetes.io)
+- [![kubernetes](https://img.shields.io/badge/kubernetes-v1.28.6-326CE5?logo=kubernetes&logoColor=white)](https://kubernetes.io)
+- [![kubernetes](https://img.shields.io/badge/kubernetes-v1.29.1-326CE5?logo=kubernetes&logoColor=white)](https://kubernetes.io)
+
 ## Install
 
 To create an instance using the default values:

templates/config/components.cue

@@ -17,9 +17,9 @@ import (
 	dns01RecursiveNameservers?: string
 	// Forces cert-manager to only use the recursive nameservers for verification.
 	// Enabling this option could cause the DNS01 self check to take longer due to caching performed by the recursive nameservers
-	dns01RecursiveNameserversOnly?: *false | bool
+	dns01RecursiveNameserversOnly: *false | bool
 	// When this flag is enabled, secrets will be automatically removed when the certificate resource is deleted
-	enableCertificateOwnerRef?: *false | bool
+	enableCertificateOwnerRef: *false | bool
 	// Comma separated list of feature gates that should be enabled on the controller pod.
 	featureGates?: string
 	// The maximum number of challenges that can be scheduled as 'processing' at once

templates/config/config.cue

@@ -65,14 +65,14 @@ import (
 		// leadership renewal until attempting to acquire leadership of a led but
 		// unrenewed leader slot. This is effectively the maximum duration that a
 		// leader can be stopped before it is replaced by another candidate.
-		leaseDuration?: *"60s" | #Duration
+		leaseDuration?: #Duration
 		// The interval between attempts by the acting master to renew a leadership
 		// slot before it stops leading. This must be less than or equal to the
 		// lease duration.
-		renewDeadline?: *"40s" | #Duration
+		renewDeadline?: #Duration
 		// The duration the clients should wait between attempting acquisition and
 		// renewal of a leadership.
-		retryPeriod?: *"15s" | #Duration
+		retryPeriod?: #Duration
 	}
 
 	controller: #Controller
@@ -132,6 +132,7 @@ import (
 }
 
 #PodDisruptionBudgetData: {
-	enabled:      *true | bool
-	minAvailable: *1 | int | #Percent
+	enabled:         *true | bool
+	minAvailable?:   int | #Percent
+	maxUnavailable?: int | #Percent
 }

templates/deployment.cue

@@ -14,8 +14,6 @@ import (
 	#meta:      timoniv1.#MetaComponent
 	#component: string
 
-	#monitoring?: #config[#component].monitoring
-
 	if #config[#component].deploymentLabels != _|_ {
 		metadata: labels: #config[#component].deploymentLabels
 	}
@@ -29,7 +27,6 @@ import (
 	metadata:   #meta
 
 	spec: appsv1.#DeploymentSpec & {
-
 		selector: matchLabels: #meta.#LabelSelector
 
 		if #config.highAvailability.enabled {
@@ -39,6 +36,7 @@ import (
 		if !#config.highAvailability.enabled {
 			replicas: #config[#component].replicas
 		}
+
 		if #config[#component].strategy != _|_ {
 			strategy: appsv1.#DeploymentStrategy & #config[#component].strategy
 		}
@@ -55,20 +53,17 @@ import (
 			}
 
 			spec: corev1.#PodSpec & {
-
 				containers: [...corev1.#Container] & [
 					{
 						name:            #meta.name
 						image:           #config[#component].image.reference
 						imagePullPolicy: #config[#component].image.pullPolicy
-
-						if #config[#component].containerSecurityContext != _|_ {
-							securityContext: #config[#component].containerSecurityContext
-						}
+						securityContext: #config[#component].containerSecurityContext
 
 						if #config[#component].resources != _|_ {
 							resources: #config[#component].resources
 						}
+
 						env: [
 							{
 								name: "POD_NAMESPACE"
@@ -79,24 +74,19 @@ import (
 								for e in #config[#component].extraEnvs {e}
 							},
 						]
-					}]
-				serviceAccountName: #meta.name
-				securityContext:    #config[#component].securityContext
-
-				if #config[#component].automountServiceAccountToken != _|_ {
-					automountServiceAccountToken: #config[#component].automountServiceAccountToken
-				}
-
-				if #config[#component].enableServiceLinks != _|_ {
+					},
+				]
+				serviceAccountName:           #meta.name
+				securityContext:              #config[#component].securityContext
+				nodeSelector:                 #config[#component].nodeSelector
+				automountServiceAccountToken: #config[#component].automountServiceAccountToken
+
+				if #config[#component].enableServiceLinks {
 					enableServiceLinks: #config[#component].enableServiceLinks
 				}
 
-				if #config.priorityClass != _|_ {
-					priorityClassName: #config.priorityClass
-				}
-
-				if #config[#component].nodeSelector != _|_ {
-					nodeSelector: #config[#component].nodeSelector
+				if #config.priorityClassName != _|_ {
+					priorityClassName: #config.priorityClassName
 				}
 
 				if #config[#component].affinity != _|_ {
@@ -110,18 +100,9 @@ import (
 				if #config[#component].topologySpreadConstraints != _|_ {
 					topologySpreadConstraints: #config[#component].topologySpreadConstraints
 				}
-
-				if #config[#component].podDNSPolicy != _|_ {
-					dnsPolicy: #config[#component].podDNSPolicy
-				}
-
-				if #config[#component].podDNSConfig != _|_ {
-					dnsConfig: #config[#component].podDNSConfig
-				}
 			}
 		}
 	}
-
 }
 
 #ControllerDeployment: #Deployment & {
@@ -132,34 +113,40 @@ import (
 		#Meta:      #config.metadata
 		#Component: strings.ToLower(#component)
 	}
+
 	spec: #ControllerDeploymentSpec & {
-		#config:          #config
-		#deployment_meta: #meta
+		#main_config:            #config
+		#deployment_meta:        #meta
+		#deployment_monitoring?: #config.controller.monitoring
 	}
 }
 
 #WebhookDeployment: #Deployment & {
 	#config:    cfg.#Config
 	#component: "webhook"
+
 	#meta: timoniv1.#MetaComponent & {
 		#Meta:      #config.metadata
 		#Component: strings.ToLower(#component)
 	}
+
 	spec: #WebhookDeploymentSpec & {
-		#config:          #config
+		#main_config:     #config
 		#deployment_meta: #meta
 	}
 }
 
 #CaInjectorrDeployment: #Deployment & {
 	#config:    cfg.#Config
 	#component: "caInjector"
+
 	#meta: timoniv1.#MetaComponent & {
 		#Meta:      #config.metadata
 		#Component: strings.ToLower(#component)
 	}
+
 	spec: #CAInjectorDeploymentSpec & {
-		#config:          #config
+		#main_config:     #config
 		#deployment_meta: #meta
 	}
 }

templates/deploymentSpecCAInjector.cue

@@ -15,9 +15,7 @@ import (
 	selector: matchLabels: #deployment_meta.#LabelSelector
 
 	template: corev1.#PodTemplateSpec & {
-
 		spec: corev1.#PodSpec & {
-
 			containers: [...corev1.#Container] & [
 				{
 					args: [

templates/deploymentSpecController.cue

@@ -9,57 +9,47 @@ import (
 )
 
 #ControllerDeploymentSpec: appsv1.#DeploymentSpec & {
-	#main_config:            cfg.#Config
-	#deployment_meta:        timoniv1.#MetaComponent
-	#deployment_strategy?:   appsv1.#DeploymentStrategy
-	#deployment_monitoring?: cfg.#Monitoring
+	#main_config:           cfg.#Config
+	#deployment_meta:       timoniv1.#MetaComponent
+	#deployment_monitoring: cfg.#Monitoring
 
 	selector: matchLabels: #deployment_meta.#LabelSelector
 
-	if #deployment_strategy != _|_ {
-		strategy: #deployment_strategy
-	}
-
 	template: corev1.#PodTemplateSpec & {
-
-		if #deployment_monitoring != _|_ && #deployment_monitoring.serviceMonitor == _|_ {
+		if #deployment_monitoring.enabled && !#deployment_monitoring.serviceMonitor.enabled {
 			metadata: annotations: "prometheus.io/path":   "/metrics"
 			metadata: annotations: "prometheus.io/scrape": "true"
 			metadata: annotations: "prometheus.io/port":   "9402"
 		}
 
 		spec: corev1.#PodSpec & {
+			volumes: [
+				for k, v in #main_config.controller.volumes {v},
 
-			if #main_config.controller.volumes != _|_ || #main_config.controller.config != _|_ {
-				volumes: [
-					if #main_config.controller.config != _|_ {
-						{
-							name: "config"
-							configMap: name: #deployment_meta.name
-						}
-					},
-					if #main_config.controller.volumes != _|_ {
-						for k, v in #main_config.controller.volumes {
-							v
-						}
-					},
-				]
+				if #main_config.controller.config != _|_ {
+					{
+						name: "config"
+						configMap: name: #deployment_meta.name
+					}
+				},
+			]
+
+			dnsPolicy: #main_config.controller.podDNSPolicy
+
+			if #main_config.controller.podDNSConfig != _|_ {
+				dnsConfig: #main_config.controller.podDNSConfig
 			}
 
 			containers: [...corev1.#Container] & [
 				{
+					volumeMounts: [
+						for k, v in #main_config.controller.volumeMounts {v},
 
-					if #main_config.controller.volumeMounts != _|_ || #main_config.controller.config != _|_ {
-						volumeMounts: [
-							if #main_config.controller.config != _|_ {
-								name:      "config"
-								mountPath: "/var/cert-manager/config"
-							},
-							if #main_config.controller.volumeMounts != _|_ {
-								for k, v in #main_config.controller.volumeMounts {v}
-							},
-						]
-					}
+						if #main_config.controller.config != _|_ {
+							name:      "config"
+							mountPath: "/var/cert-manager/config"
+						},
+					]
 
 					ports: [{
 						containerPort: 9402
@@ -75,6 +65,7 @@ import (
 						"--v=\(#main_config.logLevel)",
 						"--leader-election-namespace=\(#main_config.leaderElection.namespace)",
 						"--acme-http01-solver-image=\(#main_config.acmeSolver.image.reference)",
+						"--max-concurrent-challenges=\(#main_config.controller.maxConcurrentChallenges)",
 
 						if #main_config.controller.config != _|_ {
 							"--config=/var/cert-manager/config/config.yaml"
@@ -116,15 +107,11 @@ import (
 							"--feature-gates=\(#main_config.controller.featureGates)"
 						},
 
-						if #main_config.controller.maxConcurrentChallenges != _|_ {
-							"--max-concurrent-challenges=\(#main_config.controller.maxConcurrentChallenges)"
-						},
-
-						if #main_config.controller.enableCertificateOwnerRef != _|_ {
+						if #main_config.controller.enableCertificateOwnerRef {
 							"--enable-certificate-owner-ref=true"
 						},
 
-						if #main_config.controller.dns01RecursiveNameserversOnly != _|_ {
+						if #main_config.controller.dns01RecursiveNameserversOnly {
 							"--dns01-recursive-nameservers-only=true"
 						},
 
@@ -147,32 +134,30 @@ import (
 							},
 							if #main_config.controller.proxy.httpsProxy != _|_ {
 								{
-									name:  "HTTP_PROXY"
+									name:  "HTTPS_PROXY"
 									value: #main_config.controller.proxy.httpsProxy
 								}
 							},
 							if #main_config.controller.proxy.noProxy != _|_ {
 								{
-									name:  "HTTP_PROXY"
+									name:  "NO_PROXY"
 									value: #main_config.controller.proxy.noProxy
 								}
 							},
 						]
 					}
 
-					if #main_config.controller.livenessProbe != _|_ {
-						livenessProbe: #main_config.controller.livenessProbe & {
-							httpGet: {
-								port:   "http-healthz"
-								path:   "/livez"
-								scheme: "HTTP"
-							}
-							initialDelaySeconds: *10 | int
-							periodSeconds:       *10 | int
-							timeoutSeconds:      *15 | int
-							successThreshold:    *1 | int
-							failureThreshold:    *8 | int
+					livenessProbe: #main_config.controller.livenessProbe & {
+						httpGet: {
+							port:   "http-healthz"
+							path:   "/livez"
+							scheme: "HTTP"
 						}
+						initialDelaySeconds: *10 | int
+						periodSeconds:       *10 | int
+						timeoutSeconds:      *15 | int
+						successThreshold:    *1 | int
+						failureThreshold:    *8 | int
 					}
 				},
 			]