Add an option to generate tls cert during helm install (#700)

Melonbun233 · web-flow · commit 4d02894368e2 · 2025-07-28T07:46:43.000+02:00
#### What this PR does / why we need it For clusters with cert-manager installed, we should have an option to deploy the certificate during Helm Install time. The option should be disabled by default to not alter existing installations. This PR also makes some controller and registry values configurable from values.yaml file * container CPU and memory consumptions * tls secret name #### Which issue(s) this PR fixes Fixed [issue 559](open-component-model/ocm-project#559) --------- Signed-off-by: Henry Zeng <zeng_zh@foxmail.com>
diff --git a/deploy/templates/cert.yaml b/deploy/templates/cert.yaml
@@ -0,0 +1,31 @@
+{{- if .Values.tlsCert.generateTlsCert }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ .Values.tlsCert.defaultSecretName }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  secretName: {{ .Values.tlsCert.defaultSecretName }}
+  dnsNames:
+    - registry.{{ .Release.Namespace }}.svc.cluster.local
+    - localhost
+  ipAddresses:
+    - 127.0.0.1
+    - ::1
+  privateKey:
+    algorithm: RSA
+    encoding: PKCS8
+    size: 2048
+  issuerRef:
+    name: {{ .Values.tlsCert.defaultIssuerName }}
+    kind: ClusterIssuer
+    group: cert-manager.io
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: {{ .Values.tlsCert.defaultIssuerName }}
+spec:
+  ca:
+    secretName: {{ .Values.tlsCert.defaultSecretName }}
+{{- end}}
diff --git a/deploy/templates/deployment_manager.yaml b/deploy/templates/deployment_manager.yaml
@@ -58,11 +58,7 @@ spec:
           initialDelaySeconds: 5
           periodSeconds: 10
         resources:
-          limits:
-            memory: 1024Mi
-          requests:
-            cpu: 200m
-            memory: 512Mi
+        {{- toYaml .Values.manager.resources | nindent 10 }}
       serviceAccountName: ocm-controller
       terminationGracePeriodSeconds: 10
       {{- if .Values.registry.tls.enabled }}
diff --git a/deploy/templates/deployment_registry.yaml b/deploy/templates/deployment_registry.yaml
@@ -49,6 +49,8 @@ spec:
             periodSeconds: 20
             successThreshold: 1
             failureThreshold: 3
+          resources:
+          {{- toYaml .Values.registry.resources | nindent 10 }}
       volumes:
         - name: registry
           emptyDir: {}
diff --git a/deploy/values.yaml b/deploy/values.yaml
@@ -1,3 +1,10 @@
+# Generate TLS Certificate for registry and manager 
+tlsCert:
+  # If cert-manager is installed, set generateTlsCert to true to generate a cert
+  generateTlsCert: false
+  defaultSecretName: &tlsSecretName "ocm-registry-tls-certs"
+  defaultIssuerName: "ocm-certificate-issuer"
+
 # This is a YAML-formatted file.
 # Declare variables to be passed into your templates.
 registry:
@@ -16,18 +23,24 @@ registry:
         value: "/certs/key.pem"
     volumeMounts:
       - mountPath: "/certs"
-        name: "ocm-registry-tls-certs"
+        name: *tlsSecretName
     volumes:
-      - name: "ocm-registry-tls-certs"
+      - name: *tlsSecretName
         secret:
-          secretName: "ocm-registry-tls-certs"
+          secretName: *tlsSecretName
           items:
             - key: "tls.crt"
               path: "cert.pem"
             - key: "tls.key"
               path: "key.pem"
             - key: "ca.crt"
               path: "ca.pem"
+  resources:
+    limits:
+      memory: 1024Mi
+    requests:
+      cpu: 200m
+      memory: 512Mi
   nodeSelector: {}
 
 manager:
@@ -46,16 +59,16 @@ manager:
   volumes:
     - name: "certificates"
       secret:
-        secretName: "ocm-registry-tls-certs" # must match with ocm-controller's certificate-secret-name argument
+        secretName: *tlsSecretName # must match with ocm-controller's certificate-secret-name argument
         items:
           - key: "ca.crt"
             path: "registry-root.pem"
   resources:
     limits:
-      memory: 2048Mi
-    requests:
-      cpu: 300m
       memory: 1024Mi
+    requests:
+      cpu: 200m
+      memory: 512Mi
   # optional values defined by the user
   nodeSelector: {}
   tolerations: []
