Update perfectscale-autoscaler chart with new package version v1.0.25

github-actions · github-actions · commit 125158a6e7ec · 2025-06-20T03:06:33.000Z
diff --git a/charts/psc-autoscaler/templates/admission.yaml b/charts/psc-autoscaler/templates/admission.yaml
@@ -2,6 +2,7 @@
 {{- $ca := genCA "psc-autoscaler-ca" 1825 -}}
 {{- $cert := genSignedCert ( include "psc-autoscaler.fullname" . ) nil $altNames 1825 $ca -}}
 ---
+{{- if not .Values.admission.certManager.enabled }}
 apiVersion: v1
 kind: Secret
 type: kubernetes.io/tls
@@ -24,7 +25,7 @@ data:
   tls.crt: {{ $cert.Cert | b64enc }}
   tls.key: {{ $cert.Key | b64enc }}
 {{- end }}
-
+{{- end }}
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
@@ -35,10 +36,16 @@ metadata:
     {{- if .Values.additionalLabels }}
     {{- toYaml .Values.additionalLabels | nindent 4 }}
     {{- end }} 
-  {{- with .Values.admission.annotations }}
+{{- $hasAnnotations := .Values.admission.annotations }}
+{{- if or $hasAnnotations .Values.admission.certManager.enabled }}
   annotations:
+    {{- with $hasAnnotations }}
     {{- toYaml . | nindent 4 }}
-  {{- end }}
+    {{- end }}
+    {{- if .Values.admission.certManager.enabled }}
+    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "psc-autoscaler.fullname" . }}-ca
+    {{- end }}
+{{- end }}
 webhooks:
   - name: pods.perfectscale.io
     {{- if and (.Values.settings.excludedNamespaces) (ne (.Values.settings.excludedNamespaces | toString) "[]") }}
@@ -55,11 +62,15 @@ webhooks:
         resources: [ "pods" ]
         scope: "Namespaced"
     clientConfig:
-{{- if .Values.admission.staticCerts.enabled }}
+      {{- if not .Values.admission.certManager.enabled }}
+        {{- if .Values.admission.externalCertSecret.enabled }}
+      caBundle: {{ .Values.admission.externalCertSecret.caCert }}
+        {{- else if .Values.admission.staticCerts.enabled }}
       caBundle: {{ .Values.admission.staticCerts.caCert }}
-{{- else }}
+        {{- else }}
       caBundle: {{ $ca.Cert | b64enc }}
-{{- end }}
+        {{- end }}
+      {{- end }}
       service:
         namespace: {{ .Release.Namespace }}
         name: {{ include "psc-autoscaler.fullname" . }}
@@ -79,10 +90,16 @@ metadata:
     {{- if .Values.additionalLabels }}
     {{- toYaml .Values.additionalLabels | nindent 4 }}
     {{- end }} 
-  {{- with .Values.admission.annotations }}
+{{- $hasAnnotations := .Values.admission.annotations }}
+{{- if or $hasAnnotations .Values.admission.certManager.enabled }}
   annotations:
+    {{- with $hasAnnotations }}
     {{- toYaml . | nindent 4 }}
-  {{- end }}
+    {{- end }}
+    {{- if .Values.admission.certManager.enabled }}
+    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "psc-autoscaler.fullname" . }}-ca
+    {{- end }}
+{{- end }}
 webhooks:
   - name: configs.perfectscale.io
     rules:
@@ -97,11 +114,15 @@ webhooks:
         resources: [ "namespaceautomationconfigs", "workloadautomationconfigs" ]
         scope: "Namespaced"
     clientConfig:
-{{- if .Values.admission.staticCerts.enabled }}
+      {{- if not .Values.admission.certManager.enabled }}
+        {{- if .Values.admission.externalCertSecret.enabled }}
+      caBundle: {{ .Values.admission.externalCertSecret.caCert }}
+        {{- else if .Values.admission.staticCerts.enabled }}
       caBundle: {{ .Values.admission.staticCerts.caCert }}
-{{- else }}
+        {{- else }}
       caBundle: {{ $ca.Cert | b64enc }}
-{{- end }}
+        {{- end }}
+      {{- end }}
       service:
         namespace: {{ .Release.Namespace }}
         name: {{ include "psc-autoscaler.fullname" . }}
diff --git a/charts/psc-autoscaler/templates/certmanager.yaml b/charts/psc-autoscaler/templates/certmanager.yaml
@@ -0,0 +1,68 @@
+{{- if .Values.admission.certManager.enabled }}
+{{- $fullname := include "psc-autoscaler.fullname" . -}}
+{{- $namespace := .Release.Namespace -}}
+{{- $altNames := list (printf "%s.%s" $fullname $namespace) (printf "%s.%s.svc" $fullname $namespace) -}}
+{{- $commonName := printf "%s.%s" $fullname $namespace -}}
+{{- $labels := include "psc-autoscaler.labels" . }}
+
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ $fullname }}-selfsigned
+  namespace: {{ $namespace }}
+spec:
+  selfSigned: {}
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ $fullname }}-ca
+  namespace: {{ $namespace }}
+spec:
+  isCA: true
+  commonName: ca.{{ $fullname }}.psc.local
+  secretName: {{ $fullname }}-ca-keypair
+  duration: 87600h # 10 years
+  renewBefore: 720h
+  issuerRef:
+    name: {{ $fullname }}-selfsigned
+    kind: Issuer
+    group: cert-manager.io
+
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ $fullname }}-ca-issuer
+  namespace: {{ $namespace }}
+spec:
+  ca:
+    secretName: {{ $fullname }}-ca-keypair
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ $fullname }}-tls
+  namespace: {{ $namespace }}
+  labels:
+    {{- $labels | nindent 4 }}
+spec:
+  secretName: {{ $fullname }}-tls
+  duration: 2160h # 90 days
+  renewBefore: 360h # 15 days
+  subject:
+    organizations:
+      - psc-autoscaler
+  commonName: {{ $commonName }}
+  dnsNames:
+    {{- range $altNames }}
+    - {{ . }}
+    {{- end }}
+  issuerRef:
+    name: {{ $fullname }}-ca-issuer
+    kind: Issuer
+    group: cert-manager.io
+{{- end }}
diff --git a/charts/psc-autoscaler/templates/deployment.yaml b/charts/psc-autoscaler/templates/deployment.yaml
@@ -143,7 +143,11 @@ spec:
       volumes:
         - name: tls
           secret:
+      {{- if .Values.admission.externalCertSecret.enabled }}
+            secretName: {{ .Values.admission.externalCertSecret.tlsName }}
+      {{- else }}
             secretName: {{ include "psc-autoscaler.fullname" . }}-tls
+      {{- end }}
 
 ---
 apiVersion: apps/v1
diff --git a/charts/psc-autoscaler/values.yaml b/charts/psc-autoscaler/values.yaml
@@ -3,7 +3,7 @@ revisionHistoryLimit: 10
 image:
   repository: public.ecr.aws/perfectscale-io/psc-autoscaler
   pullPolicy: Always
-  tag: "v1.0.24"
+  tag: "v1.0.25"
 settings:
   port: 8443
   env: "prod"
@@ -116,6 +116,16 @@ admission:
   # Admission Enforcer on AKS excludes kube-system and AKS internal namespaces from being processed by the webhook.
   # To disable this behavior, provide the following annotation:
   # admissions.enforcer/disabled: "true"
+
+  certManager:
+    enabled: false
+  #If you have a Kubernetes secret containing the certificates for the webhook created outside of the Helm chart, 
+  # set enabled: true under externalCertSecret, specify the secret name in the tlsName field, 
+  # and provide the actual base64 encoded CA bundle in the caCert field.
+  externalCertSecret:
+    enabled: false
+    tlsName: "somename"
+    caCert: "someCAbundle"
 integrationTests:
   enabled: true
   image:
