Feat: Install cert-manager for SSL certs

[mrsauravsahu]

Summary by CodeRabbit

• New Features
  • Introduced a comprehensive configuration for cert-manager, enhancing deployment flexibility in Kubernetes.
  • Added new configuration sections for global settings, controller settings, webhook configuration, CA Injector, and ACME Solver.
  • Included a startup API check for verifying webhook availability post-installation.
  • Expanded external dependencies with cert-manager details, including repository, version, and namespace.

These changes improve user control and management of cert-manager deployments.

[coderabbitai]

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

The changes introduce a comprehensive configuration for cert-manager in a Kubernetes environment through a YAML file. This configuration includes global settings, controller settings, webhook configurations, and components like CA Injector and ACME Solver. Additionally, it adds a new entry in the external dependencies configuration, specifying cert-manager's repository, version, and namespace. These modifications enhance the flexibility and control over cert-manager deployment.

Changes

File Path	Change Summary
molecules/cluster-resources/config/externals/cert-manager/values.yaml	Added multiple new configuration sections: global, crds, replicaCount, strategy, webhook, cainjector, acmesolver, startupapicheck, along with fields extraObjects and creator.
molecules/cluster-resources/mrsauravsahu.tfvars	Added a new entry for cert-manager in the externals section with attributes: name, repo, version, and namespace.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant Kubernetes
    participant CertManager

    User->>Kubernetes: Deploy cert-manager
    Kubernetes->>CertManager: Configure with values.yaml
    CertManager->>Kubernetes: Set up global settings
    CertManager->>Kubernetes: Configure controller settings
    CertManager->>Kubernetes: Set up webhook configuration
    CertManager->>Kubernetes: Initialize CA Injector and ACME Solver
    CertManager->>Kubernetes: Run startup API check

Loading

Poem

🐇 In the garden where bunnies play,
New cert-manager leads the way.
With settings bright and paths anew,
Kubernetes sings, "We welcome you!"
Hops of joy in every line,
Configurations dance, all align! 🌼

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR. (Beta)
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 7

🧹 Outside diff range and nitpick comments (2)

molecules/cluster-resources/mrsauravsahu.tfvars (1)

47-52: Consider dependency ordering for reliable installation.

Since cert-manager often works in conjunction with ingress-nginx, consider explicitly ordering these dependencies. While both are present in the externals list, their installation order matters for proper SSL certificate handling.

Consider:

1. Adding a comment documenting the dependency relationship
2. Ensuring the installation workflow (likely in another file) respects this ordering

molecules/cluster-resources/config/externals/cert-manager/values.yaml (1)

212-213: Fix YAML formatting issues

There are several formatting issues in the file:

• Trailing spaces on lines 212-213, 620-621, and 973-974
• Wrong indentation in the webhook configuration
• Missing newline at end of file

Run the file through a YAML formatter to fix these issues.

Also applies to: 620-621, 973-974, 1384-1384

🧰 Tools

🪛 yamllint

[error] 212-212: trailing spaces

(trailing-spaces)

---

[error] 213-213: trailing spaces

(trailing-spaces)

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 48df0bb and 25583ce.

📒 Files selected for processing (2)

• molecules/cluster-resources/config/externals/cert-manager/values.yaml (1 hunks)
• molecules/cluster-resources/mrsauravsahu.tfvars (1 hunks)

🧰 Additional context used

🪛 yamllint

molecules/cluster-resources/config/externals/cert-manager/values.yaml

[error] 212-212: trailing spaces

(trailing-spaces)

---

[error] 213-213: trailing spaces

(trailing-spaces)

---

[error] 620-620: trailing spaces

(trailing-spaces)

---

[error] 621-621: trailing spaces

(trailing-spaces)

---

[warning] 712-712: wrong indentation: expected 6 but found 8

(indentation)

---

[warning] 715-715: wrong indentation: expected 10 but found 12

(indentation)

---

[error] 973-973: trailing spaces

(trailing-spaces)

---

[error] 974-974: trailing spaces

(trailing-spaces)

---

[error] 1384-1384: no new line character at the end of file

(new-line-at-end-of-file)

🔇 Additional comments (1)

molecules/cluster-resources/mrsauravsahu.tfvars (1)

47-52: Verify cert-manager values configuration.

The AI summary mentions a values.yaml file at molecules/cluster-resources/config/externals/cert-manager/values.yaml, but it's not included in this review. Ensure that file includes:

1. Proper resource requests/limits
2. High availability configuration if needed
3. Webhook configurations
4. RBAC settings

Let's verify the values file exists:

✅ Verification successful

Based on the values.yaml content, I can provide the final response since I have all the necessary information to verify the configuration:

Cert-manager values configuration looks good with some recommendations

The values.yaml file includes essential configurations, but consider the following recommendations for production use:

• Set replicaCount: 2 or 3 (currently 1) and enable podDisruptionBudget for high availability
• Configure resource requests/limits (currently empty resources: {})
• Review webhook timeoutSeconds (currently set to maximum 30s) if you don't need such a long timeout
• Consider enabling prometheus monitoring (currently enabled but ServiceMonitor/PodMonitor disabled)

The current configuration includes:

• Proper RBAC settings (rbac.create: true)
• Webhook configurations with proper security context
• Node selector configured to run on "pi" node
• Secure defaults for container security context

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check if cert-manager values.yaml exists and show its content
if [ -f "molecules/cluster-resources/config/externals/cert-manager/values.yaml" ]; then
    cat "molecules/cluster-resources/config/externals/cert-manager/values.yaml"
else
    echo "Warning: values.yaml not found at expected location"
fi

Length of output: 50401

[coderabbitai]

💡 Codebase verification

Update cert-manager version to v1.16.1 for latest security patches and features

The current configuration uses cert-manager v1.14.5, while the latest stable version is v1.16.1 (released October 2024). Updating to the latest version is recommended to ensure you have the latest security patches and features.

Update the version field:

- version = "1.14.5"
+ version = "1.16.1"

🔗 Analysis chain

Verify cert-manager version and consider version constraints.

The cert-manager configuration looks good, but version 1.14.5 might not be the latest stable release. Consider:

1. Adding a comment indicating the minimum Kubernetes version requirement
2. Using a version constraint (e.g., >=1.14.5) for better maintainability

Let's verify the latest stable version:

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check latest cert-manager version from their GitHub releases
gh release list --repo jetstack/cert-manager --limit 1

Length of output: 100

[coderabbitai]

⚠️ Potential issue

Enable network policies for webhook security

Network policies are currently disabled, which could expose the webhook to unnecessary traffic.

Enable network policies to restrict traffic to only necessary sources:

-    enabled: false
+    enabled: true

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	networkPolicy:
	# Create network policies for the webhooks.
	enabled: false
	networkPolicy:
	# Create network policies for the webhooks.
	enabled: true

[coderabbitai]

⚠️ Potential issue

Avoid hardcoding node selector to specific hostname

The current node selector configuration restricts pods to a specific node, which limits flexibility and scalability.

Consider using more flexible node selection criteria:

-  nodeSelector:
-    kubernetes.io/hostname: pi
+  nodeSelector:
+    kubernetes.io/os: linux

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	nodeSelector:
	kubernetes.io/hostname: pi
	nodeSelector:
	kubernetes.io/os: linux

[coderabbitai]

⚠️ Potential issue

Resolve conflicting CRD installation settings

There's a conflict in the CRD installation configuration:

• installCRDs: true (deprecated)
• crds.enabled: false

This could lead to unexpected behavior during installation.

Apply this diff to use the recommended approach:

-# This option is equivalent to setting crds.enabled=true and crds.keep=true.
-# Deprecated: use crds.enabled and crds.keep instead.
-installCRDs: true

crds:
-  # This option decides if the CRDs should be installed
-  # as part of the Helm installation.
-  enabled: false
+  enabled: true

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	# This option is equivalent to setting crds.enabled=true and crds.keep=true.
	# Deprecated: use crds.enabled and crds.keep instead.
	installCRDs: true
	crds:
	# This option decides if the CRDs should be installed
	# as part of the Helm installation.
	enabled: false
	# This option makes it so that the "helm.sh/resource-policy": keep
	# annotation is added to the CRD. This will prevent Helm from uninstalling
	# the CRD when the Helm release is uninstalled.
	# WARNING: when the CRDs are removed, all cert-manager custom resources
	# (Certificates, Issuers, ...) will be removed too by the garbage collector.
	keep: true
	crds:
	enabled: true
	# This option makes it so that the "helm.sh/resource-policy": keep
	# annotation is added to the CRD. This will prevent Helm from uninstalling
	# the CRD when the Helm release is uninstalled.
	# WARNING: when the CRDs are removed, all cert-manager custom resources
	# (Certificates, Issuers, ...) will be removed too by the garbage collector.
	keep: true

[coderabbitai]

⚠️ Potential issue

Define resource limits for the controller

Missing resource limits could lead to resource contention and affect cluster stability.

Add resource limits and requests:

-resources: {}
+resources:
+  requests:
+    cpu: 100m
+    memory: 128Mi
+  limits:
+    cpu: 500m
+    memory: 512Mi

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	#
	# For example:
	# requests:
	# cpu: 10m
	# memory: 32Mi
	#
	# For more information, see [Resource Management for Pods and Containers](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/).
	resources: {}
	#
	# For example:
	# requests:
	# cpu: 10m
	# memory: 32Mi
	#
	# For more information, see [Resource Management for Pods and Containers](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/).
	resources:
	requests:
	cpu: 100m
	memory: 128Mi
	limits:
	cpu: 500m
	memory: 512Mi

[coderabbitai]

⚠️ Potential issue

Increase controller replicas for high availability

Running a single replica of cert-manager controller in production is not recommended for high availability.

Apply this diff to increase reliability:

-replicaCount: 1
+replicaCount: 2

Also, enable PodDisruptionBudget by setting podDisruptionBudget.enabled: true to ensure availability during node maintenance.

Committable suggestion skipped: line range outside the PR's diff.

[coderabbitai]

⚠️ Potential issue

Remove deprecated PodSecurityPolicy configuration

The PodSecurityPolicy (PSP) configuration is deprecated since Kubernetes 1.21 and removed in 1.25. Consider using Pod Security Standards (PSS) instead.

Apply this diff to remove the deprecated configuration:

-  podSecurityPolicy:
-    # Create PodSecurityPolicy for cert-manager.
-    #
-    # Note that PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in Kubernetes 1.25.
-    enabled: false
-    # Configure the PodSecurityPolicy to use AppArmor.
-    useAppArmor: true

And add Pod Security Standards admission configuration to your cluster.

Committable suggestion skipped: line range outside the PR's diff.