helm charts script for cert-manager

Signed-off-by: kunal-511 <[email protected]>

Author: kunal-511

.github/workflows/helm_vs_kustomize_verification.yaml

@@ -1,21 +1,27 @@
 name: Verify Helm vs Kustomize Manifests
+
 on:
   pull_request:
     paths:
     - tests/install_KinD_create_KinD_cluster_install_kustomize.sh
+    - tests/helm_install.sh
     - .github/workflows/helm_vs_kustomize_verification.yaml
     - apps/spark/spark-operator/**
+    - common/cert-manager/**
     - experimental/helm/kubeflow/**
     - experimental/helm/scripts/**
-    - scripts/synchronize-spark-operator-manifests.sh
-    - scripts/synchronize-spark-operator-helm-chart.sh
     - tests/helm_kustomize_compare_manifests.sh
     - tests/helm_kustomize_compare_manifests.py
 
 jobs:
-  verify-spark-operator:
+  verify-components:
     runs-on: ubuntu-latest
-    timeout-minutes: 10
+    timeout-minutes: 15
+    strategy:
+      matrix:
+        component: [spark-operator, cert-manager]
+      fail-fast: false
+
     steps:
     - name: Checkout
       uses: actions/checkout@v4
@@ -30,17 +36,16 @@ jobs:
         chmod +x tests/helm_install.sh
         ./tests/helm_install.sh
 
-    - name: Run Helm vs Kustomize verification for Spark Operator
+    - name: Run Helm vs Kustomize verification for ${{ matrix.component }}
       run: |
         chmod +x tests/helm_kustomize_compare_manifests.sh
-        ./tests/helm_kustomize_compare_manifests.sh spark-operator
+        ./tests/helm_kustomize_compare_manifests.sh ${{ matrix.component }}
 
     - name: Upload artifacts on failure
       if: failure()
       uses: actions/upload-artifact@v4
       with:
-        name: spark-operator-manifest-comparison-artifacts
+        name: ${{ matrix.component }}-manifest-comparison-artifacts
         path: |
-          /tmp/kustomize-spark-operator.yaml
-          /tmp/helm-spark-operator.yaml
-
+          /tmp/kustomize-${{ matrix.component }}.yaml
+          /tmp/helm-aio-${{ matrix.component }}.yaml

experimental/helm/kubeflow/values.yaml

@@ -25,8 +25,17 @@ trainingOperator:
   # Will be added when we sync training-operator
 
 certManager:
-  enabled: false
-  # Will be added when we sync cert-manager
+  enabled: true
+  installCRDs: true
+  global:
+    leaderElection:
+      namespace: kube-system
+  startupapicheck:
+    enabled: false
+  # Kubeflow-specific settings
+  kubeflowIssuer:
+    enabled: true
+    name: kubeflow-self-signing-issuer
 
 istio:
   enabled: false

experimental/helm/scripts/patch-templates.py

@@ -4,12 +4,20 @@
 import os
 from pathlib import Path
 
-def patch_yaml_file(file_path):
-    """Patch a YAML file to add namespace and Istio labels"""
+def patch_yaml_file(file_path, component):
+    """Patch a YAML file to add conditional rendering and namespace"""
     with open(file_path, 'r') as f:
         content = f.read()
 
-    if '{{- if .Values.sparkOperator.enabled }}' in content:
+    component_map = {
+        'spark-operator': 'sparkOperator.enabled',
+        'cert-manager': 'certManager.enabled',
+    }
+    
+    condition = component_map.get(component, f'{component}.enabled')
+    condition_check = f'{{{{- if .Values.{condition} }}}}'
+    
+    if condition_check in content:
         return
 
     try:
@@ -21,9 +29,16 @@ def patch_yaml_file(file_path):
                 if 'metadata' in doc and doc.get('kind') in [
                     'Deployment', 'Service', 'ServiceAccount', 'Role', 'RoleBinding'
                 ]:
-                    doc['metadata']['namespace'] = '{{ include "kubeflow.namespace" . }}'
+                    if not isinstance(doc['metadata'].get('namespace'), str) or '{{' not in doc['metadata'].get('namespace', ''):
+                        if component == 'cert-manager':
+                            if doc.get('kind') in ['Role', 'RoleBinding'] and 'leaderelection' in doc['metadata'].get('name', ''):
+                                doc['metadata']['namespace'] = 'kube-system'
+                            else:
+                                doc['metadata']['namespace'] = '{{ .Values.global.certManagerNamespace }}'
+                        else:
+                            doc['metadata']['namespace'] = '{{ include "kubeflow.namespace" . }}'
 
-                if doc.get('kind') == 'Deployment' and 'spec' in doc:
+                if doc.get('kind') == 'Deployment' and 'spec' in doc and component == 'spark-operator':
                     if 'template' in doc['spec'] and 'metadata' in doc['spec']['template']:
                         template_meta = doc['spec']['template']['metadata']
                         if 'labels' not in template_meta:
@@ -33,7 +48,7 @@ def patch_yaml_file(file_path):
                 patched_docs.append(doc)
 
         with open(file_path, 'w') as f:
-            f.write('{{- if .Values.sparkOperator.enabled }}\n')
+            f.write(f'{condition_check}\n')
             for doc in patched_docs:
                 f.write('---\n')
                 yaml.dump(doc, f, default_flow_style=False, sort_keys=False)
@@ -42,11 +57,16 @@ def patch_yaml_file(file_path):
     except Exception as e:
         print(f"Warning: Could not patch {file_path}: {e}")
         with open(file_path, 'w') as f:
-            f.write('{{- if .Values.sparkOperator.enabled }}\n')
+            f.write(f'{condition_check}\n')
             f.write(content)
             f.write('{{- end }}\n')
 
 if __name__ == "__main__":
+    if len(sys.argv) < 3:
+        print("Usage: patch-templates.py <templates_dir> <component>")
+        sys.exit(1)
+    
     templates_dir = sys.argv[1]
+    component = sys.argv[2]
     for yaml_file in Path(templates_dir).rglob("*.yaml"):
-        patch_yaml_file(str(yaml_file)) 
+        patch_yaml_file(str(yaml_file), component) 

experimental/helm/scripts/synchronize-all-charts.sh

@@ -9,9 +9,9 @@ CHART_DIR="$HELM_DIR/kubeflow"
 
 COMPONENTS=(
     "spark-operator"
+    "cert-manager"
     # Add more components as we implement them
     # "training-operator"
-    # "cert-manager"
     # "istio"
     # "oauth2-proxy"
     # "dex"

experimental/helm/scripts/synchronize-cert-manager.sh

@@ -0,0 +1,78 @@
+#!/usr/bin/env bash
+# Script to sync Cert Manager templates for AIO Helm chart
+
+set -euo pipefail
+
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+HELM_DIR="$(dirname "$SCRIPT_DIR")"
+CHART_DIR="$HELM_DIR/kubeflow"
+
+COMPONENT="cert-manager"
+VERSION="v1.16.1"
+REPO="https://charts.jetstack.io"
+TEMPLATES_DIR="$CHART_DIR/templates/external/${COMPONENT}"
+NAMESPACE="cert-manager"
+
+rm -rf "$TEMPLATES_DIR"
+mkdir -p "$TEMPLATES_DIR"
+
+TEMP_DIR=$(mktemp -d)
+cd "$TEMP_DIR"
+
+# Generate templates using same settings as existing Kustomize setup
+# Disable startupapicheck to match Kustomize manifests that don't include it
+helm template "$COMPONENT" "$COMPONENT" \
+    --version "$VERSION" \
+    --repo "$REPO" \
+    --namespace "$NAMESPACE" \
+    --include-crds \
+    --set installCRDs=true \
+    --set global.leaderElection.namespace="kube-system" \
+    --set startupapicheck.enabled=false \
+    --output-dir .
+
+cp -r "$COMPONENT/templates/"* "$TEMPLATES_DIR/"
+
+[ -d "$COMPONENT/crds" ] && {
+    mkdir -p "$TEMPLATES_DIR/crds"
+    cp -r "$COMPONENT/crds/"* "$TEMPLATES_DIR/crds/"
+}
+
+python3 "$SCRIPT_DIR/patch-templates.py" "$TEMPLATES_DIR" "$COMPONENT"
+
+# Add namespace template since cert-manager chart doesn't include it
+cat > "$TEMPLATES_DIR/namespace.yaml" << 'EOF'
+{{- if .Values.certManager.enabled }}
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: {{ .Values.global.certManagerNamespace }}
+  labels:
+    pod-security.kubernetes.io/enforce: restricted
+{{- end }}
+EOF
+
+# Create kubeflow-issuer template
+mkdir -p "$TEMPLATES_DIR/kubeflow-issuer"
+cat > "$TEMPLATES_DIR/kubeflow-issuer/cluster-issuer.yaml" << 'EOF'
+{{- if .Values.certManager.enabled }}
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: kubeflow-self-signing-issuer
+  labels:
+    {{- include "kubeflow.labels" . | nindent 4 }}
+    app.kubernetes.io/component: cert-manager
+    app.kubernetes.io/name: cert-manager
+    kustomize.component: cert-manager
+spec:
+  selfSigned: {}
+{{- end }}
+EOF
+
+cd "$CHART_DIR"
+rm -rf "$TEMP_DIR"
+
+helm template kubeflow . --debug --dry-run > /dev/null
+
+echo "Cert Manager templates synchronized successfully" 

experimental/helm/scripts/synchronize-spark-operator.sh

@@ -37,7 +37,7 @@ cp -r "$COMPONENT/templates/"* "$TEMPLATES_DIR/"
     cp -r "$COMPONENT/crds/"* "$TEMPLATES_DIR/crds/"
 }
 
-python3 "$SCRIPT_DIR/patch-templates.py" "$TEMPLATES_DIR"
+python3 "$SCRIPT_DIR/patch-templates.py" "$TEMPLATES_DIR" "$COMPONENT"
 
 cd "$CHART_DIR"
 rm -rf "$TEMP_DIR"

tests/helm_kustomize_compare_manifests.py

@@ -13,7 +13,9 @@ def clean_helm_metadata(obj):
                 labels = metadata['labels']
                 helm_specific_labels = [
                     'helm.sh/chart', 
-                    'app.kubernetes.io/managed-by'
+                    'app.kubernetes.io/managed-by',
+                    'app.kubernetes.io/instance',
+                    'app.kubernetes.io/version'
                 ]
                 for label in helm_specific_labels:
                     if label in labels: