[2.2] check capabilities or cert-manager version for its api changes

chart/templates/ingress.yaml

@@ -16,7 +16,12 @@ metadata:
     nginx.ingress.kubernetes.io/ssl-redirect: "false" # turn off ssl redirect for external.
 {{- else }}
   {{- if ne .Values.ingress.tls.source "secret" }}
+    {{- $certmanagerVer :=  split "." .Values.certmanager.version -}}
+    {{- if or (.Capabilities.APIVersions.Has "cert-manager.io/v1alpha2") (and (eq (int $certmanagerVer._0) 0) (ge (int $certmanagerVer._1) 11)) }}
+    cert-manager.io/issuer: {{ template "rancher.fullname" . }}
+    {{- else if or (.Capabilities.APIVersions.Has "certmanager.k8s.io/v1alpha1") (and (eq (int $certmanagerVer._0) 0) (lt (int $certmanagerVer._1) 11)) }}
     certmanager.k8s.io/issuer: {{ template "rancher.fullname" . }}
+    {{- end }}
   {{- end }}
 {{- end }}
 {{- if .Values.ingress.extraAnnotations }}

chart/templates/issuer-letsEncrypt.yaml

 {{- if eq .Values.tls "ingress" -}}
   {{- if eq .Values.ingress.tls.source "letsEncrypt" -}}
+    {{- $certmanagerVer :=  split "." .Values.certmanager.version -}}
+    {{- if or (.Capabilities.APIVersions.Has "cert-manager.io/v1alpha2") (and (eq (int $certmanagerVer._0) 0) (ge (int $certmanagerVer._1) 11)) }}
+apiVersion: cert-manager.io/v1alpha2
+kind: ClusterIssuer
+    {{- else if or (.Capabilities.APIVersions.Has "certmanager.k8s.io/v1alpha1") (and (eq (int $certmanagerVer._0) 0) (lt (int $certmanagerVer._1) 11)) }}
 apiVersion: certmanager.k8s.io/v1alpha1
 kind: Issuer
+    {{- end }}
 metadata:
   name: {{ template "rancher.fullname" . }}
   labels:
@@ -13,13 +19,19 @@ spec:
   acme:
     {{- if eq .Values.letsEncrypt.environment "production" }}
     server: https://acme-v02.api.letsencrypt.org/directory
-    {{- end }}
-    {{- if eq .Values.letsEncrypt.environment "staging" }}
+    {{- else }}
     server: https://acme-staging-v02.api.letsencrypt.org/directory
     {{- end }}
     email: {{ .Values.letsEncrypt.email }}
     privateKeySecretRef:
       name: letsencrypt-{{ .Values.letsEncrypt.environment }}
+    {{- if or (.Capabilities.APIVersions.Has "cert-manager.io/v1alpha2") (and (eq (int $certmanagerVer._0) 0) (ge (int $certmanagerVer._1) 11)) }}
+    solvers:
+    - http01:
+        ingress:
+          class: nginx
+    {{- else if or (.Capabilities.APIVersions.Has "certmanager.k8s.io/v1alpha1") (and (eq (int $certmanagerVer._0) 0) (lt (int $certmanagerVer._1) 11)) }}
     http01: {}
+    {{- end }}
   {{- end -}}
 {{- end -}}

chart/templates/issuer-rancher.yaml

 {{- if eq .Values.tls "ingress" -}}
   {{- if eq .Values.ingress.tls.source "rancher" -}}
+    {{- $certmanagerVer :=  split "." .Values.certmanager.version -}}
+    {{- if or (.Capabilities.APIVersions.Has "cert-manager.io/v1alpha2") (and (eq (int $certmanagerVer._0) 0) (ge (int $certmanagerVer._1) 11)) }}
+apiVersion: cert-manager.io/v1alpha2
+    {{- else if or (.Capabilities.APIVersions.Has "certmanager.k8s.io/v1alpha1") (and (eq (int $certmanagerVer._0) 0) (lt (int $certmanagerVer._1) 11)) }}
 apiVersion: certmanager.k8s.io/v1alpha1
+    {{- end }}
 kind: Issuer
 metadata:
   name: {{ template "rancher.fullname" . }}

chart/tests/ingress_test.yaml

@@ -13,7 +13,10 @@ tests:
       path: metadata.annotations.certmanager\.k8s\.io/issuer
   - isNull:
       path: spec.tls
-- it: should set default annotations
+- it: should set default annotations < 0.11.0 using capabilities
+  capabilities:
+    apiversions:
+    - certmanager.k8s.io/v1alpha1
   asserts:
   - equal:
       path: metadata.annotations
@@ -22,7 +25,44 @@ tests:
         nginx.ingress.kubernetes.io/proxy-connect-timeout: "30"
         nginx.ingress.kubernetes.io/proxy-read-timeout: "1800"
         nginx.ingress.kubernetes.io/proxy-send-timeout: "1800"
-- it: should over write proxy-connect-timeout
+- it: should set default annotations < 0.11.0 using parameter
+  set:
+    certmanager.version: 0.9.0
+  asserts:
+  - equal:
+      path: metadata.annotations
+      value:
+        certmanager.k8s.io/issuer: RELEASE-NAME-rancher
+        nginx.ingress.kubernetes.io/proxy-connect-timeout: "30"
+        nginx.ingress.kubernetes.io/proxy-read-timeout: "1800"
+        nginx.ingress.kubernetes.io/proxy-send-timeout: "1800"
+- it: should set default annotations > 0.11.0 using capabilities
+  capabilities:
+    apiversions:
+    - cert-manager.io/v1alpha2
+  asserts:
+  - equal:
+      path: metadata.annotations
+      value:
+        cert-manager.io/issuer: RELEASE-NAME-rancher
+        nginx.ingress.kubernetes.io/proxy-connect-timeout: "30"
+        nginx.ingress.kubernetes.io/proxy-read-timeout: "1800"
+        nginx.ingress.kubernetes.io/proxy-send-timeout: "1800"
+- it: should set default annotations > 0.11.0 using parameter
+  set:
+    certmanager.version: 0.12.0
+  asserts:
+  - equal:
+      path: metadata.annotations
+      value:
+        cert-manager.io/issuer: RELEASE-NAME-rancher
+        nginx.ingress.kubernetes.io/proxy-connect-timeout: "30"
+        nginx.ingress.kubernetes.io/proxy-read-timeout: "1800"
+        nginx.ingress.kubernetes.io/proxy-send-timeout: "1800"
+- it: should over write proxy-connect-timeout < 0.11.0 using capabilities
+  capabilities:
+    apiversions:
+    - certmanager.k8s.io/v1alpha1
   set: 
     ingress.extraAnnotations:
       nginx.ingress.kubernetes.io/proxy-connect-timeout: "15"
@@ -34,7 +74,48 @@ tests:
         nginx.ingress.kubernetes.io/proxy-connect-timeout: "15"
         nginx.ingress.kubernetes.io/proxy-read-timeout: "1800"
         nginx.ingress.kubernetes.io/proxy-send-timeout: "1800"
-- it: should set source secret
+- it: should over write proxy-connect-timeout < 0.11.0 using parameter
+  set: 
+    certmanager.version: 0.9.0
+    ingress.extraAnnotations:
+      nginx.ingress.kubernetes.io/proxy-connect-timeout: "15"
+  asserts:
+  - equal:
+      path: metadata.annotations
+      value:
+        certmanager.k8s.io/issuer: RELEASE-NAME-rancher
+        nginx.ingress.kubernetes.io/proxy-connect-timeout: "15"
+        nginx.ingress.kubernetes.io/proxy-read-timeout: "1800"
+        nginx.ingress.kubernetes.io/proxy-send-timeout: "1800"
+- it: should over write proxy-connect-timeout > 0.11.0 using capabilities
+  capabilities:
+    apiversions:
+    - cert-manager.io/v1alpha2
+  set: 
+    ingress.extraAnnotations:
+      nginx.ingress.kubernetes.io/proxy-connect-timeout: "15"
+  asserts:
+  - equal:
+      path: metadata.annotations
+      value:
+        cert-manager.io/issuer: RELEASE-NAME-rancher
+        nginx.ingress.kubernetes.io/proxy-connect-timeout: "15"
+        nginx.ingress.kubernetes.io/proxy-read-timeout: "1800"
+        nginx.ingress.kubernetes.io/proxy-send-timeout: "1800"
+- it: should over write proxy-connect-timeout > 0.11.0 using parameter
+  set: 
+    certmanager.version: 0.12.0
+    ingress.extraAnnotations:
+      nginx.ingress.kubernetes.io/proxy-connect-timeout: "15"
+  asserts:
+  - equal:
+      path: metadata.annotations
+      value:
+        cert-manager.io/issuer: RELEASE-NAME-rancher
+        nginx.ingress.kubernetes.io/proxy-connect-timeout: "15"
+        nginx.ingress.kubernetes.io/proxy-read-timeout: "1800"
+        nginx.ingress.kubernetes.io/proxy-send-timeout: "1800"
+- it: should set source secret 
   set:
     hostname: test
     ingress.tls.source: secret
@@ -47,7 +128,10 @@ tests:
         hosts:
         - test
         secretName: tls-rancher-ingress
-- it: should set static X-Forwarded-Host header
+- it: should set static X-Forwarded-Host header < 0.11.0 using capabilities
+  capabilities:
+    apiversions:
+    - certmanager.k8s.io/v1alpha1
   set:
     hostname: host.example.com
     ingress:
@@ -63,3 +147,56 @@ tests:
         nginx.ingress.kubernetes.io/proxy-send-timeout: "1800"
         nginx.ingress.kubernetes.io/configuration-snippet: |
           more_set_input_headers X-Forwarded-Host host.example.com;
+- it: should set static X-Forwarded-Host header < 0.11.0 using parameter
+  set:
+    certmanager.version: 0.9.0
+    hostname: host.example.com
+    ingress:
+      configurationSnippet: |
+        more_set_input_headers X-Forwarded-Host {{ .Values.hostname }};
+  asserts:
+  - equal:
+      path: metadata.annotations
+      value:
+        certmanager.k8s.io/issuer: RELEASE-NAME-rancher
+        nginx.ingress.kubernetes.io/proxy-connect-timeout: "30"
+        nginx.ingress.kubernetes.io/proxy-read-timeout: "1800"
+        nginx.ingress.kubernetes.io/proxy-send-timeout: "1800"
+        nginx.ingress.kubernetes.io/configuration-snippet: |
+          more_set_input_headers X-Forwarded-Host host.example.com;
+- it: should set static X-Forwarded-Host header > 0.11.0 using capabilities
+  capabilities:
+    apiversions:
+    - cert-manager.io/v1alpha2
+  set:
+    hostname: host.example.com
+    ingress:
+      configurationSnippet: |
+        more_set_input_headers X-Forwarded-Host {{ .Values.hostname }};
+  asserts:
+  - equal:
+      path: metadata.annotations
+      value:
+        cert-manager.io/issuer: RELEASE-NAME-rancher
+        nginx.ingress.kubernetes.io/proxy-connect-timeout: "30"
+        nginx.ingress.kubernetes.io/proxy-read-timeout: "1800"
+        nginx.ingress.kubernetes.io/proxy-send-timeout: "1800"
+        nginx.ingress.kubernetes.io/configuration-snippet: |
+          more_set_input_headers X-Forwarded-Host host.example.com;
+- it: should set static X-Forwarded-Host header > 0.11.0 using parameter
+  set:
+    certmanager.version: 0.12.0
+    hostname: host.example.com
+    ingress:
+      configurationSnippet: |
+        more_set_input_headers X-Forwarded-Host {{ .Values.hostname }};
+  asserts:
+  - equal:
+      path: metadata.annotations
+      value:
+        cert-manager.io/issuer: RELEASE-NAME-rancher
+        nginx.ingress.kubernetes.io/proxy-connect-timeout: "30"
+        nginx.ingress.kubernetes.io/proxy-read-timeout: "1800"
+        nginx.ingress.kubernetes.io/proxy-send-timeout: "1800"
+        nginx.ingress.kubernetes.io/configuration-snippet: |
+          more_set_input_headers X-Forwarded-Host host.example.com;

chart/tests/issuer_test.yaml

@@ -23,7 +23,10 @@ tests:
   - hasDocuments:
       count: 0
     template: issuer-rancher.yaml
-- it: should render letsEncrypt but not rancher
+- it: should render letsEncrypt but not rancher with cert-manager < 0.11.0 using capabilities
+  capabilities:
+    apiversions:
+    - certmanager.k8s.io/v1alpha1
   set:
     ingress.tls.source: letsEncrypt
   asserts:
@@ -33,7 +36,69 @@ tests:
   - hasDocuments:
       count: 0
     template: issuer-rancher.yaml
-- it: should render rancher but not letsEncrypt
+- it: should render letsEncrypt but not rancher with cert-manager < 0.11.0 using parameter
+  set:
+    certmanager.version: 0.9.0
+    ingress.tls.source: letsEncrypt
+  asserts:
+  - hasDocuments:
+      count: 1
+    template: issuer-letsEncrypt.yaml
+  - hasDocuments:
+      count: 0
+    template: issuer-rancher.yaml
+- it: should render letsEncrypt but not rancher with cert-manager > 0.11.0 using capabilities
+  capabilities:
+    apiversions:
+    - cert-manager.io/v1alpha2
+  set:
+    ingress.tls.source: letsEncrypt
+  asserts:
+  - hasDocuments:
+      count: 1
+    template: issuer-letsEncrypt.yaml
+  - hasDocuments:
+      count: 0
+    template: issuer-rancher.yaml
+- it: should render letsEncrypt but not rancher with cert-manager > 0.11.0 using parameter
+  set:
+    certmanager.version: 0.12.0
+    ingress.tls.source: letsEncrypt
+  asserts:
+  - hasDocuments:
+      count: 1
+    template: issuer-letsEncrypt.yaml
+  - hasDocuments:
+      count: 0
+    template: issuer-rancher.yaml
+- it: should render rancher but not letsEncrypt with cert-manager < 0.11.0 using capabilities
+  capabilities:
+    apiversions:
+    - certmanager.k8s.io/v1alpha1
+  set:
+    ingress.tls.source: rancher
+  asserts:
+  - hasDocuments:
+      count: 0
+    template: issuer-letsEncrypt.yaml
+  - hasDocuments:
+      count: 1
+    template: issuer-rancher.yaml
+- it: should render rancher but not letsEncrypt with cert-manager < 0.11.0 using parameter
+  set:
+    certmanager.version: 0.9.0
+    ingress.tls.source: rancher
+  asserts:
+  - hasDocuments:
+      count: 0
+    template: issuer-letsEncrypt.yaml
+  - hasDocuments:
+      count: 1
+    template: issuer-rancher.yaml
+- it: should render rancher but not letsEncrypt with cert-manager > 0.11.0 using capabilities
+  capabilities:
+    apiversions:
+    - cert-manager.io/v1alpha2
   set:
     ingress.tls.source: rancher
   asserts:
@@ -43,7 +108,21 @@ tests:
   - hasDocuments:
       count: 1
     template: issuer-rancher.yaml
-- it: should set letsEncrypt production by default
+- it: should render rancher but not letsEncrypt with cert-manager > 0.11.0 using parameter
+  set:
+    certmanager.version: 0.12.0
+    ingress.tls.source: rancher
+  asserts:
+  - hasDocuments:
+      count: 0
+    template: issuer-letsEncrypt.yaml
+  - hasDocuments:
+      count: 1
+    template: issuer-rancher.yaml
+- it: should set letsEncrypt production by default with cert-manager < 0.11.0 using capabilities
+  capabilities:
+    apiversions:
+    - certmanager.k8s.io/v1alpha1
   set:
     ingress.tls.source: letsEncrypt
   asserts:
@@ -51,7 +130,39 @@ tests:
       path: spec.acme.server
       value: https://acme-v02.api.letsencrypt.org/directory
     template: issuer-letsEncrypt.yaml
-- it: should set letsEncrypt staging
+- it: should set letsEncrypt production by default with cert-manager < 0.11.0 using parameter
+  set:
+    certmanager.version: 0.9.0
+    ingress.tls.source: letsEncrypt
+  asserts:
+  - equal:
+      path: spec.acme.server
+      value: https://acme-v02.api.letsencrypt.org/directory
+    template: issuer-letsEncrypt.yaml
+- it: should set letsEncrypt production by default with cert-manager > 0.11.0 using capabilities
+  capabilities:
+    apiversions:
+    - cert-manager.io/v1alpha2
+  set:
+    ingress.tls.source: letsEncrypt
+  asserts:
+  - equal:
+      path: spec.acme.server
+      value: https://acme-v02.api.letsencrypt.org/directory
+    template: issuer-letsEncrypt.yaml
+- it: should set letsEncrypt production by default with cert-manager > 0.11.0 using parameter
+  set:
+    certmanager.version: 0.12.0
+    ingress.tls.source: letsEncrypt
+  asserts:
+  - equal:
+      path: spec.acme.server
+      value: https://acme-v02.api.letsencrypt.org/directory
+    template: issuer-letsEncrypt.yaml
+- it: should set letsEncrypt staging with cert-manager < 0.11.0 using capabilities
+  capabilities:
+    apiversions:
+    - certmanager.k8s.io/v1alpha1
   set:
     ingress.tls.source: letsEncrypt
     letsEncrypt.environment: staging
@@ -60,8 +171,75 @@ tests:
       path: spec.acme.server
       value: https://acme-staging-v02.api.letsencrypt.org/directory
     template: issuer-letsEncrypt.yaml
-- it: should set letsEncrypt email address
+- it: should set letsEncrypt staging with cert-manager < 0.11.0 using parameter
+  set:
+    certmanager.version: 0.9.0
+    ingress.tls.source: letsEncrypt
+    letsEncrypt.environment: staging
+  asserts:
+  - equal:
+      path: spec.acme.server
+      value: https://acme-staging-v02.api.letsencrypt.org/directory
+    template: issuer-letsEncrypt.yaml
+- it: should set letsEncrypt staging with cert-manager > 0.11.0 using capabilities
+  capabilities:
+    apiversions:
+    - cert-manager.io/v1alpha2
+  set:
+    ingress.tls.source: letsEncrypt
+    letsEncrypt.environment: staging
+  asserts:
+  - equal:
+      path: spec.acme.server
+      value: https://acme-staging-v02.api.letsencrypt.org/directory
+    template: issuer-letsEncrypt.yaml
+- it: should set letsEncrypt staging with cert-manager > 0.11.0 using parameter
+  set:
+    certmanager.version: 0.12.0
+    ingress.tls.source: letsEncrypt
+    letsEncrypt.environment: staging
+  asserts:
+  - equal:
+      path: spec.acme.server
+      value: https://acme-staging-v02.api.letsencrypt.org/directory
+    template: issuer-letsEncrypt.yaml
+- it: should set letsEncrypt email address with cert-manager < 0.11.0 using capabilities
+  capabilities:
+    apiversions:
+    - certmanager.k8s.io/v1alpha1
+  set:
+    ingress.tls.source: letsEncrypt
+    letsEncrypt.email: test@test.org
+  asserts:
+  - equal:
+      path: spec.acme.email
+      value: test@test.org
+    template: issuer-letsEncrypt.yaml
+- it: should set letsEncrypt email address with cert-manager < 0.11.0 using parameter
+  set:
+    certmanager.version: 0.9.0
+    ingress.tls.source: letsEncrypt
+    letsEncrypt.email: test@test.org
+  asserts:
+  - equal:
+      path: spec.acme.email
+      value: test@test.org
+    template: issuer-letsEncrypt.yaml
+- it: should set letsEncrypt email address with cert-manager > 0.11.0 using capabilities
+  capabilities:
+    apiversions:
+    - cert-manager.io/v1alpha2
+  set:
+    ingress.tls.source: letsEncrypt
+    letsEncrypt.email: test@test.org
+  asserts:
+  - equal:
+      path: spec.acme.email
+      value: test@test.org
+    template: issuer-letsEncrypt.yaml
+- it: should set letsEncrypt email address with cert-manager > 0.11.0 using parameter
   set:
+    certmanager.version: 0.12.0
     ingress.tls.source: letsEncrypt
     letsEncrypt.email: test@test.org
   asserts:

chart/values.yaml

@@ -98,3 +98,7 @@ resources: {}
 # - ingress (default)
 # - external
 tls: ingress
+
+# Certmanager version compatibility
+certmanager: 
+  version: ""