Charts CI

```
Updated:
  argo/argo-cd:
    - 5.34.4
  bitnami/postgresql:
    - 12.5.5
  bitnami/wordpress:
    - 16.1.8
  crowdstrike/falcon-sensor:
    - 1.19.1
  datadog/datadog:
    - 3.30.7
  datadog/datadog-operator:
    - 1.0.3
  gitlab/gitlab:
    - 7.0.1
  jaeger/jaeger-operator:
    - 2.45.0
  jfrog/artifactory-ha:
    - 107.55.14
  jfrog/artifactory-jcr:
    - 107.55.14
  redpanda/redpanda:
    - 4.0.22
  speedscale/speedscale-operator:
    - 1.3.6
  sysdig/sysdig:
    - 1.15.89
```

charts/argo/argo-cd/Chart.yaml

@@ -1,7 +1,7 @@
 annotations:
   artifacthub.io/changes: |
-    - kind: added
+    - kind: fixed
-      description: Add new bitbucket cloud SSH key to configs.ssh.knownHosts
+      description: Allow to disable containerSecurityContext
   artifacthub.io/signKey: |
     fingerprint: 2B8F22F57260EFA67BE1C5824B11F800CD9D2252
     url: https://argoproj.github.io/argo-helm/pgp_keys.asc
@@ -32,4 +32,4 @@ name: argo-cd
 sources:
 - https://github.com/argoproj/argo-helm/tree/main/charts/argo-cd
 - https://github.com/argoproj/argo-cd
-version: 5.34.1
+version: 5.34.4

charts/argo/argo-cd/templates/argocd-application-controller/statefulset.yaml

@@ -255,8 +255,10 @@ spec:
           failureThreshold: {{ .Values.controller.readinessProbe.failureThreshold }}
         resources:
           {{- toYaml .Values.controller.resources | nindent 10 }}
+        {{- with .Values.controller.containerSecurityContext }}
         securityContext:
-          {{- toYaml .Values.controller.containerSecurityContext | nindent 10 }}
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
         workingDir: /home/argocd
         volumeMounts:
         {{- with .Values.controller.volumeMounts }}

charts/argo/argo-cd/templates/argocd-applicationset/deployment.yaml

@@ -182,8 +182,10 @@ spec:
           {{- end }}
           resources:
             {{- toYaml .Values.applicationSet.resources | nindent 12 }}
+          {{- with .Values.applicationSet.containerSecurityContext }}
           securityContext:
-            {{- toYaml .Values.applicationSet.containerSecurityContext | nindent 12 }}
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
           volumeMounts:
             {{- with .Values.applicationSet.extraVolumeMounts }}
               {{- toYaml . | nindent 12 }}

charts/argo/argo-cd/templates/argocd-notifications/deployment.yaml

@@ -80,8 +80,10 @@ spec:
             protocol: TCP
           resources:
             {{- toYaml .Values.notifications.resources | nindent 12 }}
+          {{- with .Values.notifications.containerSecurityContext }}
           securityContext:
-            {{- toYaml .Values.notifications.containerSecurityContext | nindent 12 }}
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
           workingDir: /app
           volumeMounts:
             - name: tls-certs

charts/argo/argo-cd/templates/argocd-repo-server/deployment.yaml

@@ -273,8 +273,10 @@ spec:
           failureThreshold: {{ .Values.repoServer.readinessProbe.failureThreshold }}
         resources:
           {{- toYaml .Values.repoServer.resources | nindent 10 }}
+        {{- with .Values.repoServer.containerSecurityContext }}
         securityContext:
-          {{- toYaml .Values.repoServer.containerSecurityContext | nindent 10 }}
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
         {{- with .Values.repoServer.lifecycle }}
         lifecycle:
           {{- toYaml . | nindent 10 }}

charts/argo/argo-cd/templates/argocd-server/deployment.yaml

@@ -334,8 +334,10 @@ spec:
           failureThreshold: {{ .Values.server.readinessProbe.failureThreshold }}
         resources:
           {{- toYaml .Values.server.resources | nindent 10 }}
+        {{- with .Values.server.containerSecurityContext }}
         securityContext:
-          {{- toYaml .Values.server.containerSecurityContext | nindent 10 }}
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
         {{- with .Values.server.lifecycle }}
         lifecycle:
           {{- toYaml . | nindent 10 }}
@@ -346,8 +348,10 @@ spec:
         imagePullPolicy: {{ .Values.server.extensions.image.imagePullPolicy }}
         resources:
           {{- toYaml .Values.server.extensions.resources | nindent 10 }}
+        {{- with .Values.server.extensions.containerSecurityContext }}
         securityContext:
-          {{- toYaml .Values.server.extensions.containerSecurityContext | nindent 10 }}
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
         volumeMounts:
           - name: extensions
             mountPath: /tmp/extensions/

charts/argo/argo-cd/templates/argocd-server/role.yaml

@@ -23,7 +23,9 @@ rules:
   - argoproj.io
   resources:
   - applications
+  {{- if .Values.applicationSet.enabled }}
   - applicationsets
+  {{- end }}
   - appprojects
   {{- if .Values.server.extensions.enabled }}
   - argocdextensions

charts/argo/argo-cd/templates/dex/deployment.yaml

@@ -117,8 +117,10 @@ spec:
         {{- end }}
         resources:
           {{- toYaml .Values.dex.resources | nindent 10 }}
+        {{- with .Values.dex.containerSecurityContext }}
         securityContext:
-          {{- toYaml .Values.dex.containerSecurityContext | nindent 10 }}
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
         volumeMounts:
         {{- with .Values.dex.volumeMounts }}
           {{- toYaml . | nindent 8 }}
@@ -136,7 +138,7 @@ spec:
       - name: copyutil
         image: {{ default .Values.global.image.repository .Values.dex.initImage.repository }}:{{ default (include "argo-cd.defaultTag" .) .Values.dex.initImage.tag }}
         imagePullPolicy: {{ default .Values.global.image.imagePullPolicy .Values.dex.initImage.imagePullPolicy }}
-        args:
+        command:
         - /bin/cp
         - -n
         - /usr/local/bin/argocd
@@ -148,8 +150,10 @@ spec:
           name: dexconfig
         resources:
           {{- toYaml .Values.dex.resources | nindent 10 }}
+        {{- with .Values.dex.containerSecurityContext }}
         securityContext:
-          {{- toYaml .Values.dex.containerSecurityContext | nindent 10 }}
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
       {{- with .Values.dex.initContainers }}
         {{- tpl (toYaml .) $ | nindent 6 }}
       {{- end }}

charts/argo/argo-cd/templates/redis/deployment.yaml

@@ -75,8 +75,10 @@ spec:
           protocol: TCP
         resources:
           {{- toYaml .Values.redis.resources | nindent 10 }}
+        {{- with .Values.redis.containerSecurityContext }}
         securityContext:
-          {{- toYaml .Values.redis.containerSecurityContext | nindent 10 }}
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
         {{- with .Values.redis.volumeMounts }}
         volumeMounts:
           {{- toYaml . | nindent 10 }}
@@ -99,8 +101,10 @@ spec:
           protocol: TCP
         resources:
           {{- toYaml .Values.redis.exporter.resources | nindent 10 }}
+        {{- with .Values.redis.exporter.containerSecurityContext }}
         securityContext:
-          {{- toYaml .Values.redis.exporter.containerSecurityContext | nindent 10 }}
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
       {{- end }}
       {{- with .Values.redis.extraContainers }}
         {{- tpl (toYaml .) $ | nindent 6 }}

charts/bitnami/postgresql/Chart.yaml

@@ -31,4 +31,4 @@ maintainers:
 name: postgresql
 sources:
 - https://github.com/bitnami/charts/tree/main/bitnami/postgresql
-version: 12.5.3
+version: 12.5.5

charts/bitnami/postgresql/README.md

@@ -98,7 +98,7 @@ kubectl delete pvc -l release=my-release
 | ---------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------- |
 | `image.registry`                         | PostgreSQL image registry                                                                                                                                                                                                                                                                                                                     | `docker.io`                |
 | `image.repository`                       | PostgreSQL image repository                                                                                                                                                                                                                                                                                                                   | `bitnami/postgresql`       |
-| `image.tag`                              | PostgreSQL image tag (immutable tags are recommended)                                                                                                                                                                                                                                                                                         | `15.3.0-debian-11-r3`      |
+| `image.tag`                              | PostgreSQL image tag (immutable tags are recommended)                                                                                                                                                                                                                                                                                         | `15.3.0-debian-11-r4`      |
 | `image.digest`                           | PostgreSQL image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag                                                                                                                                                                                                                                    | `""`                       |
 | `image.pullPolicy`                       | PostgreSQL image pull policy                                                                                                                                                                                                                                                                                                                  | `IfNotPresent`             |
 | `image.pullSecrets`                      | Specify image pull secrets                                                                                                                                                                                                                                                                                                                    | `[]`                       |

charts/bitnami/postgresql/templates/primary/statefulset.yaml

@@ -218,7 +218,7 @@ spec:
             {{- if .Values.auth.enablePostgresUser }}
             {{- if .Values.auth.usePasswordFiles }}
             - name: POSTGRES_POSTGRES_PASSWORD_FILE
-              value: "/opt/bitnami/postgresql/secrets/postgres-password"
+              value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.adminPasswordKey" .) }}
             {{- else }}
             - name: POSTGRES_POSTGRES_PASSWORD
               valueFrom:
@@ -230,7 +230,7 @@ spec:
           {{- end }}
             {{- if .Values.auth.usePasswordFiles }}
             - name: POSTGRES_PASSWORD_FILE
-              value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (ternary "password" "postgres-password" (and (not (empty $customUser)) (ne $customUser "postgres"))) }}
+              value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.userPasswordKey" .) }}
             {{- else }}
             - name: POSTGRES_PASSWORD
               valueFrom:
@@ -250,7 +250,7 @@ spec:
               value: {{ .Values.auth.replicationUsername | quote }}
             {{- if .Values.auth.usePasswordFiles }}
             - name: POSTGRES_REPLICATION_PASSWORD_FILE
-              value: "/opt/bitnami/postgresql/secrets/replication-password"
+              value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.replicationPasswordKey" .) }}
             {{- else }}
             - name: POSTGRES_REPLICATION_PASSWORD
               valueFrom:
@@ -498,7 +498,7 @@ spec:
               value: {{ printf "127.0.0.1:%d/%s?sslmode=disable" (int (include "postgresql.service.port" .)) $database }}
             {{- if .Values.auth.usePasswordFiles }}
             - name: DATA_SOURCE_PASS_FILE
-              value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (ternary "password" "postgres-password" (and (not (empty $customUser)) (ne $customUser "postgres"))) }}
+              value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.userPasswordKey" .) }}
             {{- else }}
             - name: DATA_SOURCE_PASS
               valueFrom:

charts/bitnami/postgresql/templates/read/statefulset.yaml

@@ -213,7 +213,7 @@ spec:
           {{- if and (not (empty $customUser)) (ne $customUser "postgres") .Values.auth.enablePostgresUser }}
             {{- if .Values.auth.usePasswordFiles }}
             - name: POSTGRES_POSTGRES_PASSWORD_FILE
-              value: "/opt/bitnami/postgresql/secrets/postgres-password"
+              value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.adminPasswordKey" .) }}
             {{- else }}
             - name: POSTGRES_POSTGRES_PASSWORD
               valueFrom:
@@ -224,7 +224,7 @@ spec:
           {{- end }}
             {{- if .Values.auth.usePasswordFiles }}
             - name: POSTGRES_PASSWORD_FILE
-              value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (ternary "password" "postgres-password" (and (not (empty $customUser)) (ne $customUser "postgres"))) }}
+              value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.userPasswordKey" .) }}
             {{- else }}
             - name: POSTGRES_PASSWORD
               valueFrom:
@@ -239,7 +239,7 @@ spec:
               value: {{ .Values.auth.replicationUsername | quote }}
             {{- if .Values.auth.usePasswordFiles }}
             - name: POSTGRES_REPLICATION_PASSWORD_FILE
-              value: "/opt/bitnami/postgresql/secrets/replication-password"
+              value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.replicationPasswordKey" .) }}
             {{- else }}
             - name: POSTGRES_REPLICATION_PASSWORD
               valueFrom:
@@ -409,7 +409,7 @@ spec:
                 value: {{ printf "127.0.0.1:%d/%s?sslmode=disable" (int (include "postgresql.service.port" .)) $database }}
               {{- if .Values.auth.usePasswordFiles }}
               - name: DATA_SOURCE_PASS_FILE
-                value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (ternary "password" "postgres-password" (and (not (empty $customUser)) (ne $customUser "postgres"))) }}
+              value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.userPasswordKey" .) }}
               {{- else }}
               - name: DATA_SOURCE_PASS
                 valueFrom:

charts/bitnami/postgresql/values.yaml

@@ -95,7 +95,7 @@ diagnosticMode:
 image:
   registry: docker.io
   repository: bitnami/postgresql
-  tag: 15.3.0-debian-11-r3
+  tag: 15.3.0-debian-11-r4
   digest: ""
   ## Specify a imagePullPolicy
   ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'

charts/bitnami/wordpress/Chart.lock

@@ -1,12 +1,12 @@
 dependencies:
 - name: memcached
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 6.5.1
+  version: 6.5.2
 - name: mariadb
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 12.2.3
+  version: 12.2.4
 - name: common
   repository: oci://registry-1.docker.io/bitnamicharts
   version: 2.4.0
-digest: sha256:f91611db01189c8aa9d44ef11478df1f5b9dd47289936ddfad8dbf50f29f9d08
+digest: sha256:4be6e447ef427ae68dd94decc3295e3a1d1415a2bb9f455f2a3ff4ea33a4a101
-generated: "2023-05-21T17:08:37.275529069Z"
+generated: "2023-05-23T08:42:16.375569322Z"

charts/bitnami/wordpress/Chart.yaml

@@ -40,4 +40,4 @@ maintainers:
 name: wordpress
 sources:
 - https://github.com/bitnami/charts/tree/main/bitnami/wordpress
-version: 16.1.6
+version: 16.1.8

charts/bitnami/wordpress/README.md

@@ -80,7 +80,7 @@ The command removes all the Kubernetes components associated with the chart and
 | ------------------- | --------------------------------------------------------------------------------------------------------- | -------------------- |
 | `image.registry`    | WordPress image registry                                                                                  | `docker.io`          |
 | `image.repository`  | WordPress image repository                                                                                | `bitnami/wordpress`  |
-| `image.tag`         | WordPress image tag (immutable tags are recommended)                                                      | `6.2.2-debian-11-r0` |
+| `image.tag`         | WordPress image tag (immutable tags are recommended)                                                      | `6.2.2-debian-11-r2` |
 | `image.digest`      | WordPress image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""`                 |
 | `image.pullPolicy`  | WordPress image pull policy                                                                               | `IfNotPresent`       |
 | `image.pullSecrets` | WordPress image pull secrets                                                                              | `[]`                 |

charts/bitnami/wordpress/charts/mariadb/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: common
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 2.2.5
+  version: 2.4.0
-digest: sha256:318f438acfeaced11d9060877d615caf1985417d2865810defaa886d3496f8d3
+digest: sha256:8c1a5dc923412d11d4d841420494b499cb707305c8b9f87f45ea1a8bf3172cb3
-generated: "2023-05-03T08:30:13.051138201Z"
+generated: "2023-05-21T18:46:17.326179513Z"

charts/bitnami/wordpress/charts/mariadb/Chart.yaml

@@ -26,4 +26,4 @@ maintainers:
 name: mariadb
 sources:
 - https://github.com/bitnami/charts/tree/main/bitnami/mariadb
-version: 12.2.3
+version: 12.2.4

charts/bitnami/wordpress/charts/mariadb/README.md

@@ -84,7 +84,7 @@ The command removes all the Kubernetes components associated with the chart and
 | -------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------- |
 | `image.registry`           | MariaDB image registry                                                                                                                                                                                                                                                        | `docker.io`            |
 | `image.repository`         | MariaDB image repository                                                                                                                                                                                                                                                      | `bitnami/mariadb`      |
-| `image.tag`                | MariaDB image tag (immutable tags are recommended)                                                                                                                                                                                                                            | `10.11.3-debian-11-r1` |
+| `image.tag`                | MariaDB image tag (immutable tags are recommended)                                                                                                                                                                                                                            | `10.11.3-debian-11-r5` |
 | `image.digest`             | MariaDB image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag                                                                                                                                                                       | `""`                   |
 | `image.pullPolicy`         | MariaDB image pull policy                                                                                                                                                                                                                                                     | `IfNotPresent`         |
 | `image.pullSecrets`        | Specify docker-registry secret names as an array                                                                                                                                                                                                                              | `[]`                   |
@@ -306,7 +306,7 @@ The command removes all the Kubernetes components associated with the chart and
 | `volumePermissions.enabled`            | Enable init container that changes the owner and group of the persistent volume(s) mountpoint to `runAsUser:fsGroup`              | `false`                 |
 | `volumePermissions.image.registry`     | Init container volume-permissions image registry                                                                                  | `docker.io`             |
 | `volumePermissions.image.repository`   | Init container volume-permissions image repository                                                                                | `bitnami/bitnami-shell` |
-| `volumePermissions.image.tag`          | Init container volume-permissions image tag (immutable tags are recommended)                                                      | `11-debian-11-r114`     |
+| `volumePermissions.image.tag`          | Init container volume-permissions image tag (immutable tags are recommended)                                                      | `11-debian-11-r118`     |
 | `volumePermissions.image.digest`       | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""`                    |
 | `volumePermissions.image.pullPolicy`   | Init container volume-permissions image pull policy                                                                               | `IfNotPresent`          |
 | `volumePermissions.image.pullSecrets`  | Specify docker-registry secret names as an array                                                                                  | `[]`                    |
@@ -320,7 +320,7 @@ The command removes all the Kubernetes components associated with the chart and
 | `metrics.enabled`                                           | Start a side-car prometheus exporter                                                                                                      | `false`                   |
 | `metrics.image.registry`                                    | Exporter image registry                                                                                                                   | `docker.io`               |
 | `metrics.image.repository`                                  | Exporter image repository                                                                                                                 | `bitnami/mysqld-exporter` |
-| `metrics.image.tag`                                         | Exporter image tag (immutable tags are recommended)                                                                                       | `0.14.0-debian-11-r116`   |
+| `metrics.image.tag`                                         | Exporter image tag (immutable tags are recommended)                                                                                       | `0.14.0-debian-11-r119`   |
 | `metrics.image.digest`                                      | Exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag                                  | `""`                      |
 | `metrics.image.pullPolicy`                                  | Exporter image pull policy                                                                                                                | `IfNotPresent`            |
 | `metrics.image.pullSecrets`                                 | Specify docker-registry secret names as an array                                                                                          | `[]`                      |

charts/bitnami/wordpress/charts/mariadb/charts/common/Chart.yaml

@@ -2,10 +2,10 @@ annotations:
   category: Infrastructure
   licenses: Apache-2.0
 apiVersion: v2
-appVersion: 2.2.5
+appVersion: 2.4.0
 description: A Library Helm Chart for grouping common logic between bitnami charts.
   This chart is not deployable by itself.
-home: https://github.com/bitnami/charts/tree/main/bitnami/common
+home: https://bitnami.com
 icon: https://bitnami.com/downloads/logos/bitnami-mark.png
 keywords:
 - common
@@ -14,11 +14,10 @@ keywords:
 - function
 - bitnami
 maintainers:
-- name: Bitnami
+- name: VMware, Inc.
   url: https://github.com/bitnami/charts
 name: common
 sources:
 - https://github.com/bitnami/charts
-- https://www.bitnami.com/
 type: library
-version: 2.2.5
+version: 2.4.0

charts/bitnami/wordpress/charts/mariadb/charts/common/README.md

@@ -2,6 +2,8 @@
 
 A [Helm Library Chart](https://helm.sh/docs/topics/library_charts/#helm) for grouping common logic between Bitnami charts.
 
+Looking to use our applications in production? Try [VMware Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog.
+
 ## TL;DR
 
 ```yaml

charts/bitnami/wordpress/charts/mariadb/charts/common/templates/_capabilities.tpl

@@ -48,6 +48,17 @@ Return the appropriate apiVersion for cronjob.
 {{- end -}}
 {{- end -}}
 
+{{/*
+Return the appropriate apiVersion for daemonset.
+*/}}
+{{- define "common.capabilities.daemonset.apiVersion" -}}
+{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "extensions/v1beta1" -}}
+{{- else -}}
+{{- print "apps/v1" -}}
+{{- end -}}
+{{- end -}}
+
 {{/*
 Return the appropriate apiVersion for deployment.
 */}}
@@ -141,6 +152,21 @@ Return the appropriate apiVersion for Horizontal Pod Autoscaler.
 {{- end -}}
 {{- end -}}
 
+{{/*
+Return the appropriate apiVersion for Vertical Pod Autoscaler.
+*/}}
+{{- define "common.capabilities.vpa.apiVersion" -}}
+{{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .context) -}}
+{{- if .beta2 -}}
+{{- print "autoscaling/v2beta2" -}}
+{{- else -}}
+{{- print "autoscaling/v2beta1" -}}
+{{- end -}}
+{{- else -}}
+{{- print "autoscaling/v2" -}}
+{{- end -}}
+{{- end -}}
+
 {{/*
 Returns true if the used Helm version is 3.3+.
 A way to check the used Helm version was not introduced until version 3.3.0 with .Capabilities.HelmVersion, which contains an additional "{}}"  structure.

charts/bitnami/wordpress/charts/mariadb/charts/common/templates/_images.tpl

@@ -45,7 +45,7 @@ Return the proper Docker Image Registry Secret Names (deprecated: use common.ima
 
   {{- if (not (empty $pullSecrets)) }}
 imagePullSecrets:
-    {{- range $pullSecrets }}
+    {{- range $pullSecrets | uniq }}
   - name: {{ . }}
     {{- end }}
   {{- end }}
@@ -73,7 +73,7 @@ Return the proper Docker Image Registry Secret Names evaluating values as templa
 
   {{- if (not (empty $pullSecrets)) }}
 imagePullSecrets:
-    {{- range $pullSecrets }}
+    {{- range $pullSecrets | uniq }}
   - name: {{ . }}
     {{- end }}
   {{- end }}

charts/bitnami/wordpress/charts/mariadb/values.yaml

@@ -87,7 +87,7 @@ serviceBindings:
 image:
   registry: docker.io
   repository: bitnami/mariadb
-  tag: 10.11.3-debian-11-r1
+  tag: 10.11.3-debian-11-r5
   digest: ""
   ## Specify a imagePullPolicy
   ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
@@ -1001,7 +1001,7 @@ volumePermissions:
   image:
     registry: docker.io
     repository: bitnami/bitnami-shell
-    tag: 11-debian-11-r114
+    tag: 11-debian-11-r118
     digest: ""
     pullPolicy: IfNotPresent
     ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace)
@@ -1037,7 +1037,7 @@ metrics:
   image:
     registry: docker.io
     repository: bitnami/mysqld-exporter
-    tag: 0.14.0-debian-11-r116
+    tag: 0.14.0-debian-11-r119
     digest: ""
     pullPolicy: IfNotPresent
     ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace)

charts/bitnami/wordpress/charts/memcached/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: common
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 2.3.0
+  version: 2.4.0
-digest: sha256:11bbe86be64062d37b725f4dbc909aba3585b4976624ee9d27522366d3f956ea
+digest: sha256:8c1a5dc923412d11d4d841420494b499cb707305c8b9f87f45ea1a8bf3172cb3
-generated: "2023-05-13T00:58:36.826773609Z"
+generated: "2023-05-21T18:31:06.275175617Z"

charts/bitnami/wordpress/charts/memcached/Chart.yaml

@@ -23,4 +23,4 @@ maintainers:
 name: memcached
 sources:
 - https://github.com/bitnami/charts/tree/main/bitnami/memcached
-version: 6.5.1
+version: 6.5.2

charts/bitnami/wordpress/charts/memcached/README.md

@@ -78,7 +78,7 @@ The command removes all the Kubernetes components associated with the chart and
 | ----------------------------- | --------------------------------------------------------------------------------------------------------- | --------------------- |
 | `image.registry`              | Memcached image registry                                                                                  | `docker.io`           |
 | `image.repository`            | Memcached image repository                                                                                | `bitnami/memcached`   |
-| `image.tag`                   | Memcached image tag (immutable tags are recommended)                                                      | `1.6.20-debian-11-r0` |
+| `image.tag`                   | Memcached image tag (immutable tags are recommended)                                                      | `1.6.20-debian-11-r3` |
 | `image.digest`                | Memcached image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""`                  |
 | `image.pullPolicy`            | Memcached image pull policy                                                                               | `IfNotPresent`        |
 | `image.pullSecrets`           | Specify docker-registry secret names as an array                                                          | `[]`                  |
@@ -205,7 +205,7 @@ The command removes all the Kubernetes components associated with the chart and
 | `volumePermissions.enabled`                            | Enable init container that changes the owner and group of the persistent volume                                                   | `false`                      |
 | `volumePermissions.image.registry`                     | Init container volume-permissions image registry                                                                                  | `docker.io`                  |
 | `volumePermissions.image.repository`                   | Init container volume-permissions image repository                                                                                | `bitnami/bitnami-shell`      |
-| `volumePermissions.image.tag`                          | Init container volume-permissions image tag (immutable tags are recommended)                                                      | `11-debian-11-r115`          |
+| `volumePermissions.image.tag`                          | Init container volume-permissions image tag (immutable tags are recommended)                                                      | `11-debian-11-r118`          |
 | `volumePermissions.image.digest`                       | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""`                         |
 | `volumePermissions.image.pullPolicy`                   | Init container volume-permissions image pull policy                                                                               | `IfNotPresent`               |
 | `volumePermissions.image.pullSecrets`                  | Init container volume-permissions image pull secrets                                                                              | `[]`                         |
@@ -215,7 +215,7 @@ The command removes all the Kubernetes components associated with the chart and
 | `metrics.enabled`                                      | Start a side-car prometheus exporter                                                                                              | `false`                      |
 | `metrics.image.registry`                               | Memcached exporter image registry                                                                                                 | `docker.io`                  |
 | `metrics.image.repository`                             | Memcached exporter image repository                                                                                               | `bitnami/memcached-exporter` |
-| `metrics.image.tag`                                    | Memcached exporter image tag (immutable tags are recommended)                                                                     | `0.11.3-debian-11-r10`       |
+| `metrics.image.tag`                                    | Memcached exporter image tag (immutable tags are recommended)                                                                     | `0.11.3-debian-11-r12`       |
 | `metrics.image.digest`                                 | Memcached exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag                | `""`                         |
 | `metrics.image.pullPolicy`                             | Image pull policy                                                                                                                 | `IfNotPresent`               |
 | `metrics.image.pullSecrets`                            | Specify docker-registry secret names as an array                                                                                  | `[]`                         |

charts/bitnami/wordpress/charts/memcached/charts/common/Chart.yaml

@@ -2,7 +2,7 @@ annotations:
   category: Infrastructure
   licenses: Apache-2.0
 apiVersion: v2
-appVersion: 2.3.0
+appVersion: 2.4.0
 description: A Library Helm Chart for grouping common logic between bitnami charts.
   This chart is not deployable by itself.
 home: https://bitnami.com
@@ -20,4 +20,4 @@ name: common
 sources:
 - https://github.com/bitnami/charts
 type: library
-version: 2.3.0
+version: 2.4.0

charts/bitnami/wordpress/charts/memcached/charts/common/templates/_capabilities.tpl

@@ -48,6 +48,17 @@ Return the appropriate apiVersion for cronjob.
 {{- end -}}
 {{- end -}}
 
+{{/*
+Return the appropriate apiVersion for daemonset.
+*/}}
+{{- define "common.capabilities.daemonset.apiVersion" -}}
+{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "extensions/v1beta1" -}}
+{{- else -}}
+{{- print "apps/v1" -}}
+{{- end -}}
+{{- end -}}
+
 {{/*
 Return the appropriate apiVersion for deployment.
 */}}
@@ -141,6 +152,21 @@ Return the appropriate apiVersion for Horizontal Pod Autoscaler.
 {{- end -}}
 {{- end -}}
 
+{{/*
+Return the appropriate apiVersion for Vertical Pod Autoscaler.
+*/}}
+{{- define "common.capabilities.vpa.apiVersion" -}}
+{{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .context) -}}
+{{- if .beta2 -}}
+{{- print "autoscaling/v2beta2" -}}
+{{- else -}}
+{{- print "autoscaling/v2beta1" -}}
+{{- end -}}
+{{- else -}}
+{{- print "autoscaling/v2" -}}
+{{- end -}}
+{{- end -}}
+
 {{/*
 Returns true if the used Helm version is 3.3+.
 A way to check the used Helm version was not introduced until version 3.3.0 with .Capabilities.HelmVersion, which contains an additional "{}}"  structure.

charts/bitnami/wordpress/charts/memcached/values.yaml

@@ -70,7 +70,7 @@ diagnosticMode:
 image:
   registry: docker.io
   repository: bitnami/memcached
-  tag: 1.6.20-debian-11-r0
+  tag: 1.6.20-debian-11-r3
   digest: ""
   ## Specify a imagePullPolicy
   ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
@@ -512,7 +512,7 @@ volumePermissions:
   image:
     registry: docker.io
     repository: bitnami/bitnami-shell
-    tag: 11-debian-11-r115
+    tag: 11-debian-11-r118
     digest: ""
     pullPolicy: IfNotPresent
     ## Optionally specify an array of imagePullSecrets.
@@ -557,7 +557,7 @@ metrics:
   image:
     registry: docker.io
     repository: bitnami/memcached-exporter
-    tag: 0.11.3-debian-11-r10
+    tag: 0.11.3-debian-11-r12
     digest: ""
     pullPolicy: IfNotPresent
     ## Optionally specify an array of imagePullSecrets.

charts/bitnami/wordpress/values.yaml

@@ -73,7 +73,7 @@ diagnosticMode:
 image:
   registry: docker.io
   repository: bitnami/wordpress
-  tag: 6.2.2-debian-11-r0
+  tag: 6.2.2-debian-11-r2
   digest: ""
   ## Specify a imagePullPolicy
   ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'

charts/crowdstrike/falcon-sensor/Chart.yaml

@@ -1,10 +1,10 @@
 annotations:
   catalog.cattle.io/certified: partner
   catalog.cattle.io/display-name: CrowdStrike Falcon Platform
-  catalog.cattle.io/kube-version: '>1.15.0-0'
+  catalog.cattle.io/kube-version: '>1.22.0-0'
   catalog.cattle.io/release-name: falcon-sensor
 apiVersion: v2
-appVersion: 1.19.0
+appVersion: 1.19.1
 description: A Helm chart to deploy CrowdStrike Falcon sensors into Kubernetes clusters.
 home: https://crowdstrike.com
 icon: https://raw.githubusercontent.com/CrowdStrike/falcon-helm/main/images/crowdstrike-logo.svg
@@ -16,7 +16,7 @@ keywords:
 - security
 - monitoring
 - alerting
-kubeVersion: '>1.15.0-0'
+kubeVersion: '>1.22.0-0'
 maintainers:
 - email: integrations@crowdstrike.com
   name: CrowdStrike Solutions Architecture
@@ -24,4 +24,4 @@ name: falcon-sensor
 sources:
 - https://github.com/CrowdStrike/falcon-helm
 type: application
-version: 1.19.0
+version: 1.19.1

charts/crowdstrike/falcon-sensor/README.md

@@ -13,9 +13,8 @@ The Falcon Helm chart has been tested to deploy on the following Kubernetes dist
   * Daemonset (node) sensor supprt for EKS nodes
   * Container sensor support for EKS Fargate nodes
 * Azure Kubernetes Service (AKS)
-* Google Kubernetes Engine (GKE) - DaemonSet support for Ubuntu nodes only, Container sensor for GCOS nodes.
+* Google Kubernetes Engine (GKE)
 * Rancher K3s
-* Red Hat OpenShift Container Platform 4.6+
 
 # Dependencies
 

charts/datadog/datadog-operator/CHANGELOG.md

@@ -1,5 +1,9 @@
 # Changelog
 
+## 1.0.3
+
+* Add `list` and `watch` permissions of `customresourcedefinitions` for the KSM core check to collect CRD resources.
+
 ## 1.0.2
 
 * Use `.Release.Name` for reference to conversion webhook certificate in datadog-operator deployment.yaml

charts/datadog/datadog-operator/Chart.yaml

@@ -26,4 +26,4 @@ name: datadog-operator
 sources:
 - https://app.datadoghq.com/account/settings#agent/kubernetes
 - https://github.com/DataDog/datadog-agent
-version: 1.0.2
+version: 1.0.3

charts/datadog/datadog-operator/README.md

@@ -1,6 +1,6 @@
 # Datadog Operator
 
-![Version: 1.0.2](https://img.shields.io/badge/Version-1.0.2-informational?style=flat-square) ![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square)
+![Version: 1.0.3](https://img.shields.io/badge/Version-1.0.3-informational?style=flat-square) ![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square)
 
 ## Values
 

charts/datadog/datadog-operator/templates/clusterrole.yaml

@@ -330,6 +330,13 @@ rules:
   verbs:
   - list
   - watch
+- apiGroups:
+  - apiextensions.k8s.io
+  resources:
+  - customresourcedefinitions
+  verbs:
+  - list
+  - watch
 - apiGroups:
   - autoscaling.k8s.io
   resources:

charts/datadog/datadog/CHANGELOG.md

@@ -1,8 +1,41 @@
 # Datadog changelog
 
+## 3.30.7
+
+* Fix Windows support of `agents.customAgentConfig` to avoid bind mount of a file.
+
+## 3.30.6
+
+* Adds `datadog.kubeStateMetricsCore.collectApiServicesMetrics` (`false` by default) to collect apiservices metrics in Kube State Metrics Core.
+  Note: APIServices metrics collection requires Cluster Agent 7.45.0+.
+
+## 3.30.5
+
+* Add `list` and `watch` permissions of `apiservices` resources for the `kubernetes_state_core` check.
+
+## 3.30.4
+
+* Remove USM private beta comments.
+
+## 3.30.3
+
+* Remove resourceName field from `create` permission of `leases` in `cluster-agent-rbac`.
+
+## 3.30.2
+
+* Add `get`, `create`, `update` permissions of `leases` to `cluster-agent-rbac`.
+
+## 3.30.1
+
+* Remove guidance that users must manually convert tag syntax for `labelsAsTags`
+
+## 3.30.0
+
+* Add `datadog.dataStreamsMonitoring.enabled` parameter to enable Data Stream Monitoring.
+
 ## 3.29.3
 
-* Add `inotify_add_watch`, `inotify_init`, `inotify_init1`, and `inotify_rm_watch` to the default seccomp profile of system-probe. 
+* Add `inotify_add_watch`, `inotify_init`, `inotify_init1`, and `inotify_rm_watch` to the default seccomp profile of system-probe.
 
 ## 3.29.2
 

charts/datadog/datadog/Chart.yaml

@@ -19,4 +19,4 @@ name: datadog
 sources:
 - https://app.datadoghq.com/account/settings#agent/kubernetes
 - https://github.com/DataDog/datadog-agent
-version: 3.29.3
+version: 3.30.7

charts/datadog/datadog/README.md

@@ -1,6 +1,6 @@
 # Datadog
 
-![Version: 3.29.3](https://img.shields.io/badge/Version-3.29.3-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square)
+![Version: 3.30.7](https://img.shields.io/badge/Version-3.30.7-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square)
 
 [Datadog](https://www.datadoghq.com/) is a hosted infrastructure monitoring platform. This chart adds the Datadog Agent to all nodes in your cluster via a DaemonSet. It also optionally depends on the [kube-state-metrics chart](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-state-metrics). For more information about monitoring Kubernetes with Datadog, please refer to the [Datadog documentation website](https://docs.datadoghq.com/agent/basic_agent_usage/kubernetes/).
 
@@ -613,6 +613,7 @@ helm install <RELEASE_NAME> \
 | datadog.containerIncludeMetrics | string | `nil` | Include metrics in the Agent Autodiscovery, as a space-separated list |
 | datadog.containerRuntimeSupport.enabled | bool | `true` | Set this to false to disable agent access to container runtime. |
 | datadog.criSocketPath | string | `nil` | Path to the container runtime socket (if different from Docker) |
+| datadog.dataStreamsMonitoring.enabled | bool | `false` | Enable Data Streams Monitoring. |
 | datadog.dd_url | string | `nil` | The host of the Datadog intake server to send Agent data to, only set this option if you need the Agent to send data to a custom URL |
 | datadog.dockerSocketPath | string | `nil` | Path to the docker socket |
 | datadog.dogstatsd.hostSocketPath | string | `"/var/run/datadog/"` | Host path to the DogStatsD socket |
@@ -636,6 +637,7 @@ helm install <RELEASE_NAME> \
 | datadog.hostVolumeMountPropagation | string | `"None"` | Allow to specify the `mountPropagation` value on all volumeMounts using HostPath |
 | datadog.ignoreAutoConfig | list | `[]` | List of integration to ignore auto_conf.yaml. |
 | datadog.kubeStateMetricsCore.annotationsAsTags | object | `{}` | Extra annotations to collect from resources and to turn into datadog tag. |
+| datadog.kubeStateMetricsCore.collectApiServicesMetrics | bool | `false` | Enable watching apiservices objects and collecting their corresponding metrics kubernetes_state.apiservice.* (Requires Cluster Agent 7.45.0+) |
 | datadog.kubeStateMetricsCore.collectCrdMetrics | bool | `false` | Enable watching CRD objects and collecting their corresponding metrics kubernetes_state.crd.* |
 | datadog.kubeStateMetricsCore.collectSecretMetrics | bool | `true` | Enable watching secret objects and collecting their corresponding metrics kubernetes_state.secret.* |
 | datadog.kubeStateMetricsCore.collectVpaMetrics | bool | `false` | Enable watching VPA objects and collecting their corresponding metrics kubernetes_state.vpa.* |

charts/datadog/datadog/templates/_container-agent.yaml

@@ -174,7 +174,7 @@
     {{- end }}
     {{- include "container-crisocket-volumemounts" . | nindent 4 }}
     {{- include "container-cloudinit-volumemounts" . | nindent 4 }}
-    {{- if .Values.agents.useConfigMap }}
+    {{- if and .Values.agents.useConfigMap (eq .Values.targetSystem "linux")}}
     - name: datadog-yaml
       mountPath: {{ template "datadog.confPath" . }}/datadog.yaml
       subPath: datadog.yaml

charts/datadog/datadog/templates/_container-process-agent.yaml

@@ -77,7 +77,7 @@
     {{- end }}
     {{- include "container-crisocket-volumemounts" . | nindent 4 }}
     {{- include "container-cloudinit-volumemounts" . | nindent 4 }}
-    {{- if .Values.agents.useConfigMap }}
+    {{- if and .Values.agents.useConfigMap (eq .Values.targetSystem "linux")}}
     - name: datadog-yaml
       mountPath: {{ template "datadog.confPath" . }}/datadog.yaml
       subPath: datadog.yaml

charts/datadog/datadog/templates/_container-security-agent.yaml

@@ -78,7 +78,7 @@
     {{- end }}
     {{- include "container-crisocket-volumemounts" . | nindent 4 }}
     {{- include "container-cloudinit-volumemounts" . | nindent 4 }}
-    {{- if .Values.agents.useConfigMap }}
+    {{- if and .Values.agents.useConfigMap (eq .Values.targetSystem "linux")}}
     - name: datadog-yaml
       mountPath: {{ template "datadog.confPath" . }}/datadog.yaml
       subPath: datadog.yaml

charts/datadog/datadog/templates/_container-system-probe.yaml

@@ -47,7 +47,7 @@
       mountPath: {{ template "datadog.confPath" . }}
       readOnly: true
     {{- include "container-cloudinit-volumemounts" . | nindent 4 }}
-    {{- if .Values.agents.useConfigMap }}
+    {{- if and .Values.agents.useConfigMap (eq .Values.targetSystem "linux")}}
     - name: datadog-yaml
       mountPath: {{ template "datadog.confPath" . }}/datadog.yaml
       subPath: datadog.yaml

charts/datadog/datadog/templates/_container-trace-agent.yaml

@@ -61,7 +61,7 @@
       mountPath: {{ template "datadog.confPath" . }}/auth
       readOnly: true
     {{- end }}
-    {{- if .Values.agents.useConfigMap }}
+    {{- if and .Values.agents.useConfigMap (eq .Values.targetSystem "linux")}}
     - name: datadog-yaml
       mountPath: {{ template "datadog.confPath" . }}/datadog.yaml
       subPath: datadog.yaml

charts/datadog/datadog/templates/_containers-init-windows.yaml

@@ -7,6 +7,9 @@
     - |
       Copy-Item -Recurse -Force {{ template "datadog.confPath" . }} C:/Temp
       Copy-Item -Force C:/Temp/install_info/install_info C:/Temp/Datadog/install_info
+      {{- if .Values.agents.useConfigMap }}
+      Copy-Item -Force C:/Temp/datadog_yaml/datadog.yaml C:/Temp/Datadog/datadog.yaml
+      {{- end}}
   volumeMounts:
     - name: config
       mountPath: C:/Temp/Datadog
@@ -14,6 +17,11 @@
     - name: installinfo
       mountPath: C:/Temp/install_info
       readOnly: true
+    {{- if .Values.agents.useConfigMap }}
+    - name: datadog-yaml
+      mountPath: C:/Temp/datadog_yaml
+      readOnly: true
+    {{- end}}
   resources:
 {{ toYaml .Values.agents.containers.initContainers.resources | indent 4 }}
 - name: init-config

charts/datadog/datadog/templates/_helpers.tpl

@@ -275,7 +275,7 @@ Return a remote image path based on `.Values` (passed as root) and `.` (any `.im
 Return true if a system-probe feature is enabled.
 */}}
 {{- define "system-probe-feature" -}}
-{{- if or .Values.datadog.securityAgent.runtime.enabled .Values.datadog.securityAgent.runtime.fimEnabled .Values.datadog.networkMonitoring.enabled .Values.datadog.systemProbe.enableTCPQueueLength .Values.datadog.systemProbe.enableOOMKill .Values.datadog.serviceMonitoring.enabled -}}
+{{- if or .Values.datadog.securityAgent.runtime.enabled .Values.datadog.securityAgent.runtime.fimEnabled .Values.datadog.networkMonitoring.enabled .Values.datadog.systemProbe.enableTCPQueueLength .Values.datadog.systemProbe.enableOOMKill .Values.datadog.serviceMonitoring.enabled .Values.datadog.dataStreamsMonitoring.enabled -}}
 true
 {{- else -}}
 false
@@ -632,7 +632,7 @@ Return the local service name
 Return true if runtime compilation is enabled in the system-probe
 */}}
 {{- define "runtime-compilation-enabled" -}}
-{{- if or .Values.datadog.systemProbe.enableTCPQueueLength .Values.datadog.systemProbe.enableOOMKill .Values.datadog.serviceMonitoring.enabled -}}
+{{- if or .Values.datadog.systemProbe.enableTCPQueueLength .Values.datadog.systemProbe.enableOOMKill .Values.datadog.serviceMonitoring.enabled .Values.datadog.dataStreamsMonitoring.enabled -}}
 true
 {{- else -}}
 false

charts/datadog/datadog/templates/_kubernetes_state_core_config.yaml

@@ -12,6 +12,9 @@ kubernetes_state_core.yaml.default: |-
 {{- if .Values.datadog.kubeStateMetricsCore.collectVpaMetrics }}
       - verticalpodautoscalers
 {{- end }}
+{{- if .Values.datadog.kubeStateMetricsCore.collectApiServicesMetrics }}
+      - apiservices
+{{- end }}
 {{- if .Values.datadog.kubeStateMetricsCore.collectCrdMetrics }}
       - customresourcedefinitions
 {{- end }}

charts/datadog/datadog/templates/cluster-agent-rbac.yaml

@@ -66,6 +66,21 @@ rules:
   verbs:
   - get
   - update
+- apiGroups:
+  - "coordination.k8s.io"
+  resources:
+  - leases
+  resourceNames:
+  - {{ template "datadog.fullname" . }}-leader-election  # Leader election token
+  verbs:
+  - get
+  - update
+- apiGroups:
+  - "coordination.k8s.io"
+  resources:
+  - leases
+  verbs:
+  - create
 {{- if .Values.clusterAgent.metricsProvider.enabled }}
 - apiGroups:
   - ""
@@ -180,7 +195,7 @@ rules:
   - get
   - watch
 - apiGroups:
-    - "apiextensions.k8s.io"
+    - apiextensions.k8s.io
   resources:
     - customresourcedefinitions
   verbs:

charts/datadog/datadog/templates/kube-state-metrics-core-rbac.yaml

@@ -83,7 +83,7 @@ rules:
   verbs:
   - list
   - watch
-{{- end }}    
+{{- end }}
 - apiGroups:
   - networking.k8s.io
   resources:
@@ -98,6 +98,15 @@ rules:
   verbs:
     - list
     - watch
+{{- if .Values.datadog.kubeStateMetricsCore.collectApiServicesMetrics }}
+- apiGroups:
+    - apiregistration.k8s.io
+  resources:
+    - apiservices
+  verbs:
+    - list
+    - watch
+{{- end }}
 ---
 apiVersion: {{ template "rbac.apiVersion" . }}
 kind: ClusterRoleBinding

charts/datadog/datadog/templates/system-probe-configmap.yaml

@@ -43,6 +43,8 @@ data:
       conntrack_init_timeout: {{ $.Values.datadog.systemProbe.conntrackInitTimeout }}
     service_monitoring_config:
       enabled: {{ $.Values.datadog.serviceMonitoring.enabled }}
+    data_streams_config:
+      enabled: {{ $.Values.datadog.dataStreamsMonitoring.enabled }}
     runtime_security_config:
       enabled: {{ $.Values.datadog.securityAgent.runtime.enabled }}
       fim_enabled: {{ $.Values.datadog.securityAgent.runtime.fimEnabled }}

charts/datadog/datadog/values.yaml

@@ -161,6 +161,11 @@ datadog:
     ## Configuring this field will change the default kubernetes_state_core check configuration to run the kubernetes_state_core check.
     collectCrdMetrics: false
 
+    # datadog.kubeStateMetricsCore.collectApiServicesMetrics -- Enable watching apiservices objects and collecting their corresponding metrics kubernetes_state.apiservice.* (Requires Cluster Agent 7.45.0+)
+
+    ## Configuring this field will change the default kubernetes_state_core check configuration and the RBACs granted to Datadog Cluster Agent to run the kubernetes_state_core check.
+    collectApiServicesMetrics: false
+
     # datadog.kubeStateMetricsCore.useClusterCheckRunners -- For large clusters where the Kubernetes State Metrics Check Core needs to be distributed on dedicated workers.
 
     ## Configuring this field will create a separate deployment which will run Cluster Checks, including Kubernetes State Metrics Core.
@@ -178,8 +183,6 @@ datadog:
     ##   <resource2>:
     ##     <label3>: <tag3>
     ##
-    ## Warning: the label must match the transformation done by kube-state-metrics,
-    ## for example tags.datadoghq.com/version becomes tags_datadoghq_com_version.
     labelsAsTags: {}
     #  pod:
     #    app: app
@@ -646,13 +649,14 @@ datadog:
     # datadog.networkMonitoring.enabled -- Enable network performance monitoring
     enabled: false
 
-  ## Universal Service Monitoring is currently in private beta.
-
-  ## See https://www.datadoghq.com/blog/universal-service-monitoring-datadog/ for more details and private beta signup.
   serviceMonitoring:
     # datadog.serviceMonitoring.enabled -- Enable Universal Service Monitoring
     enabled: false
 
+  dataStreamsMonitoring:
+    # datadog.dataStreamsMonitoring.enabled -- Enable Data Streams Monitoring.
+    enabled: false
+
   ## Enable security agent and provide custom configs
   securityAgent:
     compliance:

charts/gitlab/gitlab/CHANGELOG.md

@@ -2,10 +2,60 @@
 documentation](doc/development/changelog.md) for instructions on adding your own
 entry.
 
-## 6.11.5 (2023-05-19)
+## 7.0.1 (2023-05-22)
 
 No changes.
 
+## 7.0.0 (2023-05-18)
+
+### Added (5 changes)
+
+- [Registry; add support for database discovery for primary records](gitlab-org/charts/gitlab@02618c9b63bfac6c6baf257bc020439a45d3f220) ([merge request](gitlab-org/charts/gitlab!3142))
+- [Add SMTP read and write timeout values](gitlab-org/charts/gitlab@843467c988f90f358d58ace7c6514634443b384f) ([merge request](gitlab-org/charts/gitlab!3156))
+- [Add annotations to upgradeCheck ConfigMap](gitlab-org/charts/gitlab@9bd462052cc3ca33994ff262c66208ec8d70a7c8) by @LukasAuerbeck ([merge request](gitlab-org/charts/gitlab!3116))
+- [ Adding containerSecurityContext logic to geo chart](gitlab-org/charts/gitlab@10d9b8c945f10f9e84f1b280e88a040e33586f5b) ([merge request](gitlab-org/charts/gitlab!3127))
+- [Allow configuring an embedding database](gitlab-org/charts/gitlab@6a923ec7421e814add2fef3069320c13f28f354c) ([merge request](gitlab-org/charts/gitlab!3107))
+
+### Fixed (7 changes)
+
+- [Fix backup spec navigation](gitlab-org/charts/gitlab@76a7ce992586471bfb6c99efb58be1dc1cfce373) ([merge request](gitlab-org/charts/gitlab!3183))
+- [Mount the microsoft_graph_mailer client secret in the backup-job pod](gitlab-org/charts/gitlab@fe175620908510f3b1eb3728bc164cc4bad68e81) ([merge request](gitlab-org/charts/gitlab!3168))
+- [Geo: add geo psql SSL mounts](gitlab-org/charts/gitlab@0ed7ea60b8e3d37e1b9b71977c23f085a8df6250) ([merge request](gitlab-org/charts/gitlab!3170))
+- [Skip pages backup on database upgrade](gitlab-org/charts/gitlab@5efab9266397750252a457a230cddffee87c9143) ([merge request](gitlab-org/charts/gitlab!3167))
+- [Validate that SMTP settings do not enable both TLS and STARTTLS](gitlab-org/charts/gitlab@aefcfb104aaa871a70203fc04a07686d935761f5) ([merge request](gitlab-org/charts/gitlab!3158))
+- [Support configuring proxy_download for each object store type](gitlab-org/charts/gitlab@4db1b9b2b5c0e8da53bb43439d267343be34b447) ([merge request](gitlab-org/charts/gitlab!3154))
+- [Fix possessive](gitlab-org/charts/gitlab@68f0f088cdc7b3be96d92e65c8b21a3ed8104c2f) ([merge request](gitlab-org/charts/gitlab!3097))
+
+### Changed (14 changes)
+
+- [Update gitlab-org/container-registry from 3.73.0-gitlab to 3.73.1-gitlab](gitlab-org/charts/gitlab@5f160022cc68e214ea083189649f8332bdc5df34) ([merge request](gitlab-org/charts/gitlab!3185))
+- [Update bundled Redis sub-chart and add upgrade docs](gitlab-org/charts/gitlab@6e07c473134100d7b63b92d2eac8a369179e9d98) ([merge request](gitlab-org/charts/gitlab!3140))
+- [Use PostgreSQL Chart 11.9.13](gitlab-org/charts/gitlab@5b1febf0757464eac61744a3388acd14667d0d1b) ([merge request](gitlab-org/charts/gitlab!3143))
+- [Enable Sidekiq JSON logs by default](gitlab-org/charts/gitlab@92bb399c4fd13321c51114b2529171cbf71c8e24) ([merge request](gitlab-org/charts/gitlab!3169))
+- [Switch gitlab-shell logs to JSON by default](gitlab-org/charts/gitlab@59a722892c5421621e5a0af640a732ef0cbc8504) ([merge request](gitlab-org/charts/gitlab!3171))
+- [Update gitlab-org/gitlab-exporter from 12.1.1 to 13.0.0](gitlab-org/charts/gitlab@6e9477a65a963a5ae8e3197e76920b21193287ba) ([merge request](gitlab-org/charts/gitlab!3166))
+- [Update gitlab-org/container-registry from 3.72.0-gitlab to 3.73.0-gitlab](gitlab-org/charts/gitlab@aa8116c54b4014647c21044113b02043462c87f4) ([merge request](gitlab-org/charts/gitlab!3165))
+- [Default GitLab chart to have main, and ci connections](gitlab-org/charts/gitlab@f42289a275cb6886c5978c0546dcdb50ee04d991) ([merge request](gitlab-org/charts/gitlab!3132))
+- [Bump certmanager to 1.11.1](gitlab-org/charts/gitlab@e4f2bf7d6d7ed7ff02174957fa8408ebbca63322) ([merge request](gitlab-org/charts/gitlab!3108))
+- [Ensure upgrade path to 7.0](gitlab-org/charts/gitlab@0cdbf193e90b67c30a0cb6b6d02b0a9e8f8562ee) ([merge request](gitlab-org/charts/gitlab!3104))
+- [Unpin mail_room version](gitlab-org/charts/gitlab@ec946052deae64dea6cb7d49b34c26361874a233) ([merge request](gitlab-org/charts/gitlab!3075))
+- [Update gitlab-org/charts/gitlab-runner from 0.51.1 to 0.52.0](gitlab-org/charts/gitlab@7d54b3f3539b63ee661418f0a519c4509b5e1a2a) ([merge request](gitlab-org/charts/gitlab!3121))
+- [NGINX: tweak NGINX upstream configuration](gitlab-org/charts/gitlab@9cf76a7bf6c4c3487820103cb1bb48ef2bca2dbb) ([merge request](gitlab-org/charts/gitlab!3090))
+- [Bump default image to ubuntu:22.04](gitlab-org/charts/gitlab@70452769e698e6187e625cdc7db4d60555b07f4b) by @tlindsay42 ([merge request](gitlab-org/charts/gitlab!2986))
+
+### Removed (4 changes)
+
+- [Remove registry compatibility section](gitlab-org/charts/gitlab@b4a3e47b96a2ddc3b1c0250510f875e114d02445) ([merge request](gitlab-org/charts/gitlab!3117))
+- [Remove bundled Grafana chart and related configuration](gitlab-org/charts/gitlab@24d6c76d54e7800fd8fee20ee5fbba2180d36aae) ([merge request](gitlab-org/charts/gitlab!3112))
+- [Remove deprecated KAS `metrics.port` config](gitlab-org/charts/gitlab@b1bf1b4686c74015b8d93bd24dcef350490fac1b) ([merge request](gitlab-org/charts/gitlab!3040))
+- [Remove 'default_can_create_group' setting](gitlab-org/charts/gitlab@0d58ba1ea5b7d29da3891d6643afe2e72e1480a8) ([merge request](gitlab-org/charts/gitlab!3105))
+
+### Other (3 changes)
+
+- [Consolidate webservice TLS configuration](gitlab-org/charts/gitlab@7412c984cda3683c60ba3c3e48bf2474ec88209e) ([merge request](gitlab-org/charts/gitlab!3135))
+- [Update extraEnvFrom docs](gitlab-org/charts/gitlab@994ab9824f518701ed7059e28c7fdf1b2c97e446) ([merge request](gitlab-org/charts/gitlab!3025))
+- [Add tests for Webservice ConfigMap name](gitlab-org/charts/gitlab@6d51d3fe5475a84166f23d5c5a0f23a1b38ce489) ([merge request](gitlab-org/charts/gitlab!3091))
+
 ## 6.11.4 (2023-05-16)
 
 ### Added (1 change)
@@ -60,6 +110,22 @@ No changes.
 - [Remove references to unused 'fullnameOverride' key](gitlab-org/charts/gitlab@34b9c0d5d1f5227b8bb1b2496e3be6f9ff3a9ec0) ([merge request](gitlab-org/charts/gitlab!3092))
 - [checkConfig: verify format of omniauth provider content](gitlab-org/charts/gitlab@f419b34386799a83587eeecfea142070477e8029) ([merge request](gitlab-org/charts/gitlab!3054))
 
+## 6.10.7 (2023-05-10)
+
+No changes.
+
+## 6.10.6 (2023-05-03)
+
+No changes.
+
+## 6.10.5 (2023-05-01)
+
+No changes.
+
+## 6.10.4 (2023-04-21)
+
+No changes.
+
 ## 6.10.3 (2023-04-14)
 
 No changes.
@@ -105,6 +171,22 @@ No changes.
 - [Add more context to sidekiq pod deprecation notices](gitlab-org/charts/gitlab@fdaef9d08c68beac06b0bcff16d0ec6b1bc274aa) ([merge request](gitlab-org/charts/gitlab!2966))
 - [Add more context to sidekiq pod deprecation notices](gitlab-org/charts/gitlab@378fd9116dc5147d9d4c23d81a72e0e8089f138e) ([merge request](gitlab-org/charts/gitlab!2972))
 
+## 6.9.8 (2023-05-10)
+
+No changes.
+
+## 6.9.7 (2023-05-03)
+
+No changes.
+
+## 6.9.6 (2023-05-01)
+
+No changes.
+
+## 6.9.5 (2023-04-21)
+
+No changes.
+
 ## 6.9.4 (2023-03-30)
 
 No changes.

charts/gitlab/gitlab/Chart.yaml

@@ -3,7 +3,7 @@ annotations:
   catalog.cattle.io/display-name: GitLab
   catalog.cattle.io/release-name: gitlab
 apiVersion: v1
-appVersion: v15.11.5
+appVersion: v16.0.1
 description: The One DevOps Platform
 home: https://about.gitlab.com/
 icon: https://gitlab.com/gitlab-com/gitlab-artwork/raw/master/logo/logo-square.png
@@ -15,4 +15,4 @@ maintainers:
 name: gitlab
 sources:
 - https://gitlab.com/gitlab-org/charts/gitlab
-version: 6.11.5
+version: 7.0.1

charts/gitlab/gitlab/charts/cert-manager/Chart.yaml

@@ -1,19 +1,24 @@
 annotations:
   artifacthub.io/prerelease: "false"
+  artifacthub.io/signKey: |
+    fingerprint: 1020CF3C033D4F35BAE1C19E1226061C665DF13E
+    url: https://cert-manager.io/public-keys/cert-manager-keyring-2021-09-20-1020CF3C033D4F35BAE1C19E1226061C665DF13E.gpg
 apiVersion: v1
-appVersion: v1.5.4
+appVersion: v1.11.1
 description: A Helm chart for cert-manager
-home: https://github.com/jetstack/cert-manager
+home: https://github.com/cert-manager/cert-manager
-icon: https://raw.githubusercontent.com/jetstack/cert-manager/master/logo/logo.png
+icon: https://raw.githubusercontent.com/cert-manager/cert-manager/d53c0b9270f8cd90d908460d69502694e1838f5f/logo/logo-small.png
 keywords:
 - cert-manager
 - kube-lego
 - letsencrypt
 - tls
+kubeVersion: '>= 1.21.0-0'
 maintainers:
 - email: cert-manager-maintainers@googlegroups.com
   name: cert-manager-maintainers
+  url: https://cert-manager.io
 name: cert-manager
 sources:
-- https://github.com/jetstack/cert-manager
+- https://github.com/cert-manager/cert-manager
-version: v1.5.4
+version: v1.11.1

charts/gitlab/gitlab/charts/cert-manager/README.md

@@ -8,7 +8,7 @@ to renew certificates at an appropriate time before expiry.
 
 ## Prerequisites
 
-- Kubernetes 1.16+
+- Kubernetes 1.20+
 
 ## Installing the Chart
 
@@ -19,7 +19,7 @@ Before installing the chart, you must first install the cert-manager CustomResou
 This is performed in a separate step to allow you to easily uninstall and reinstall cert-manager without deleting your installed custom resources.
 
 ```bash
-$ kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.5.4/cert-manager.crds.yaml
+$ kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.11.1/cert-manager.crds.yaml
 ```
 
 To install the chart with the release name `my-release`:
@@ -29,7 +29,7 @@ To install the chart with the release name `my-release`:
 $ helm repo add jetstack https://charts.jetstack.io
 
 ## Install the cert-manager helm chart
-$ helm install my-release --namespace cert-manager --version v1.5.4 jetstack/cert-manager
+$ helm install my-release --namespace cert-manager --version v1.11.1 jetstack/cert-manager
 ```
 
 In order to begin issuing certificates, you will need to set up a ClusterIssuer
@@ -65,7 +65,7 @@ If you want to completely uninstall cert-manager from your cluster, you will als
 delete the previously installed CustomResourceDefinition resources:
 
 ```console
-$ kubectl delete -f https://github.com/jetstack/cert-manager/releases/download/v1.5.4/cert-manager.crds.yaml
+$ kubectl delete -f https://github.com/cert-manager/cert-manager/releases/download/v1.11.1/cert-manager.crds.yaml
 ```
 
 ## Configuration
@@ -75,6 +75,7 @@ The following table lists the configurable parameters of the cert-manager chart
 | Parameter | Description | Default |
 | --------- | ----------- | ------- |
 | `global.imagePullSecrets` | Reference to one or more secrets to be used when pulling images | `[]` |
+| `global.commonLabels` | Labels to apply to all resources | `{}` |
 | `global.rbac.create` | If `true`, create and use RBAC resources (includes sub-charts) | `true` |
 | `global.priorityClassName`| Priority class name for cert-manager and webhook pods | `""` |
 | `global.podSecurityPolicy.enabled` | If `true`, create and use PodSecurityPolicy (includes sub-charts) | `false` |
@@ -85,11 +86,11 @@ The following table lists the configurable parameters of the cert-manager chart
 | `global.leaderElection.retryPeriod` | The duration the clients should wait between attempting acquisition and renewal of a leadership |  |
 | `installCRDs` | If true, CRD resources will be installed as part of the Helm chart. If enabled, when uninstalling CRD resources will be deleted causing all installed custom resources to be DELETED | `false` |
 | `image.repository` | Image repository | `quay.io/jetstack/cert-manager-controller` |
-| `image.tag` | Image tag | `v1.5.4` |
+| `image.tag` | Image tag | `v1.11.1` |
 | `image.pullPolicy` | Image pull policy | `IfNotPresent` |
 | `replicaCount`  | Number of cert-manager replicas  | `1` |
 | `clusterResourceNamespace` | Override the namespace used to store DNS provider credentials etc. for ClusterIssuer resources | Same namespace as cert-manager pod |
-| `featureGates` | Comma-separated list of feature gates to enable on the controller pod | `` |
+| `featureGates` | Set of comma-separated key=value pairs that describe feature gates on the controller. Some feature gates may also have to be enabled on other components, and can be set supplying the `feature-gate` flag to `<component>.extraArgs` | `` |
 | `extraArgs` | Optional flags for cert-manager | `[]` |
 | `extraEnv` | Optional environment variables for cert-manager | `[]` |
 | `serviceAccount.create` | If `true`, create a new service account | `true` |
@@ -99,12 +100,12 @@ The following table lists the configurable parameters of the cert-manager chart
 | `volumes` | Optional volumes for cert-manager | `[]` |
 | `volumeMounts` | Optional volume mounts for cert-manager | `[]` |
 | `resources` | CPU/memory resource requests/limits | `{}` |
-| `securityContext` | Optional security context. The yaml block should adhere to the [SecurityContext spec](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.16/#securitycontext-v1-core) | `{}` |
+| `securityContext` | Security context for the controller pod assignment | refer to [Default Security Contexts](#default-security-contexts) |
-| `securityContext.enabled` | Deprecated (use `securityContext`) - Enable security context | `false` |
+| `containerSecurityContext` | Security context to be set on the controller component container | refer to [Default Security Contexts](#default-security-contexts) |
-| `containerSecurityContext` | Security context to be set on the controller component container | `{}` |
 | `nodeSelector` | Node labels for pod assignment | `{}` |
 | `affinity` | Node affinity for pod assignment | `{}` |
 | `tolerations` | Node tolerations for pod assignment | `[]` |
+| `topologySpreadConstraints` | Topology spread constraints for pod assignment | `[]` |
 | `ingressShim.defaultIssuerName` | Optional default issuer to use for ingress resources |  |
 | `ingressShim.defaultIssuerKind` | Optional default issuer kind to use for ingress resources |  |
 | `ingressShim.defaultIssuerGroup` | Optional default issuer group to use for ingress resources |  |
@@ -117,12 +118,14 @@ The following table lists the configurable parameters of the cert-manager chart
 | `prometheus.servicemonitor.interval` | Prometheus scrape interval | `60s` |
 | `prometheus.servicemonitor.labels` | Add custom labels to ServiceMonitor | |
 | `prometheus.servicemonitor.scrapeTimeout` | Prometheus scrape timeout | `30s` |
+| `prometheus.servicemonitor.honorLabels` | Enable label honoring for metrics scraped by Prometheus (see [Prometheus scrape config docs](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#scrape_config) for details). By setting `honorLabels` to `true`, Prometheus will prefer label contents given by cert-manager on conflicts. Can be used to remove the "exported_namespace" label for example.  | `false` |
 | `podAnnotations` | Annotations to add to the cert-manager pod | `{}` |
 | `deploymentAnnotations` | Annotations to add to the cert-manager deployment | `{}` |
 | `podDnsPolicy` | Optional cert-manager pod [DNS policy](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pods-dns-policy) |  |
 | `podDnsConfig` | Optional cert-manager pod [DNS configurations](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pods-dns-config) |  |
 | `podLabels` | Labels to add to the cert-manager pod | `{}` |
 | `serviceLabels` | Labels to add to the cert-manager controller service | `{}` |
+| `serviceAnnotations` | Annotations to add to the cert-manager service | `{}` |
 | `http_proxy` | Value of the `HTTP_PROXY` environment variable in the cert-manager pod | |
 | `https_proxy` | Value of the `HTTPS_PROXY` environment variable in the cert-manager pod | |
 | `no_proxy` | Value of the `NO_PROXY` environment variable in the cert-manager pod | |
@@ -134,6 +137,8 @@ The following table lists the configurable parameters of the cert-manager chart
 | `webhook.deploymentAnnotations` | Annotations to add to the webhook deployment | `{}` |
 | `webhook.mutatingWebhookConfigurationAnnotations` | Annotations to add to the mutating webhook configuration | `{}` |
 | `webhook.validatingWebhookConfigurationAnnotations` | Annotations to add to the validating webhook configuration | `{}` |
+| `webhook.serviceAnnotations` | Annotations to add to the webhook service | `{}` |
+| `webhook.config` | WebhookConfiguration YAML used to configure flags for the webhook. Generates a ConfigMap containing contents of the field. See `values.yaml` for example. | `{}` |
 | `webhook.extraArgs` | Optional flags for cert-manager webhook component | `[]` |
 | `webhook.serviceAccount.create` | If `true`, create a new service account for the webhook component | `true` |
 | `webhook.serviceAccount.name` | Service account for the webhook component to be used. If not set and `webhook.serviceAccount.create` is `true`, a name is generated using the fullname template |  |
@@ -141,14 +146,18 @@ The following table lists the configurable parameters of the cert-manager chart
 | `webhook.serviceAccount.automountServiceAccountToken` | Automount API credentials for the webhook Service Account |  |
 | `webhook.resources` | CPU/memory resource requests/limits for the webhook pods | `{}` |
 | `webhook.nodeSelector` | Node labels for webhook pod assignment | `{}` |
+| `webhook.networkPolicy.enabled` | Enable default network policies for webhooks egress and ingress traffic | `false` |
+| `webhook.networkPolicy.ingress` | Sets ingress policy block. See NetworkPolicy documentation. See `values.yaml` for example. | `{}` |
+| `webhook.networkPolicy.egress` | Sets ingress policy block. See NetworkPolicy documentation. See `values.yaml` for example. | `{}` |
 | `webhook.affinity` | Node affinity for webhook pod assignment | `{}` |
 | `webhook.tolerations` | Node tolerations for webhook pod assignment | `[]` |
+| `webhook.topologySpreadConstraints` | Topology spread constraints for webhook pod assignment | `[]` |
 | `webhook.image.repository` | Webhook image repository | `quay.io/jetstack/cert-manager-webhook` |
-| `webhook.image.tag` | Webhook image tag | `v1.5.4` |
+| `webhook.image.tag` | Webhook image tag | `v1.11.1` |
 | `webhook.image.pullPolicy` | Webhook image pull policy | `IfNotPresent` |
 | `webhook.securePort` | The port that the webhook should listen on for requests. | `10250` |
-| `webhook.securityContext` | Security context for webhook pod assignment | `{}` |
+| `webhook.securityContext` | Security context for webhook pod assignment | refer to [Default Security Contexts](#default-security-contexts) |
-| `webhook.containerSecurityContext` | Security context to be set on the webhook component container | `{}` |
+| `webhook.containerSecurityContext` | Security context to be set on the webhook component container | refer to [Default Security Contexts](#default-security-contexts) |
 | `webhook.hostNetwork` | If `true`, run the Webhook on the host network. | `false` |
 | `webhook.serviceType` | The type of the `Service`. | `ClusterIP` |
 | `webhook.loadBalancerIP` | The specific load balancer IP to use (when `serviceType` is `LoadBalancer`). |  |
@@ -177,13 +186,18 @@ The following table lists the configurable parameters of the cert-manager chart
 | `cainjector.nodeSelector` | Node labels for cainjector pod assignment | `{}` |
 | `cainjector.affinity` | Node affinity for cainjector pod assignment | `{}` |
 | `cainjector.tolerations` | Node tolerations for cainjector pod assignment | `[]` |
+| `cainjector.topologySpreadConstraints` | Topology spread constraints for cainjector pod assignment | `[]` |
 | `cainjector.image.repository` | cainjector image repository | `quay.io/jetstack/cert-manager-cainjector` |
-| `cainjector.image.tag` | cainjector image tag | `v1.5.4` |
+| `cainjector.image.tag` | cainjector image tag | `v1.11.1` |
 | `cainjector.image.pullPolicy` | cainjector image pull policy | `IfNotPresent` |
-| `cainjector.securityContext` | Security context for cainjector pod assignment | `{}` |
+| `cainjector.securityContext` | Security context for cainjector pod assignment | refer to [Default Security Contexts](#default-security-contexts) |
-| `cainjector.containerSecurityContext` | Security context to be set on cainjector component container | `{}` |
+| `cainjector.containerSecurityContext` | Security context to be set on cainjector component container | refer to [Default Security Contexts](#default-security-contexts) |
+| `acmesolver.image.repository` | acmesolver image repository | `quay.io/jetstack/cert-manager-acmesolver` |
+| `acmesolver.image.tag` | acmesolver image tag | `v1.11.1` |
+| `acmesolver.image.pullPolicy` | acmesolver image pull policy | `IfNotPresent` |
 | `startupapicheck.enabled` | Toggles whether the startupapicheck Job should be installed | `true` |
-| `startupapicheck.securityContext` | Pod Security Context to be set on the startupapicheck component Pod | `{}` |
+| `startupapicheck.securityContext` | Security context for startupapicheck pod assignment | refer to [Default Security Contexts](#default-security-contexts) |
+| `startupapicheck.containerSecurityContext` | Security context to be set on startupapicheck component container | refer to [Default Security Contexts](#default-security-contexts) |
 | `startupapicheck.timeout` | Timeout for 'kubectl check api' command | `1m` |
 | `startupapicheck.backoffLimit` | Job backoffLimit | `4` |
 | `startupapicheck.jobAnnotations` | Optional additional annotations to add to the startupapicheck Job | `{}` |
@@ -195,12 +209,34 @@ The following table lists the configurable parameters of the cert-manager chart
 | `startupapicheck.tolerations` | Node tolerations for startupapicheck pod assignment | `[]` |
 | `startupapicheck.podLabels` | Optional additional labels to add to the startupapicheck Pods | `{}` |
 | `startupapicheck.image.repository` | startupapicheck image repository | `quay.io/jetstack/cert-manager-ctl` |
-| `startupapicheck.image.tag` | startupapicheck image tag | `v1.5.4` |
+| `startupapicheck.image.tag` | startupapicheck image tag | `v1.11.1` |
 | `startupapicheck.image.pullPolicy` | startupapicheck image pull policy | `IfNotPresent` |
 | `startupapicheck.serviceAccount.create` | If `true`, create a new service account for the startupapicheck component | `true` |
 | `startupapicheck.serviceAccount.name` | Service account for the startupapicheck component to be used. If not set and `startupapicheck.serviceAccount.create` is `true`, a name is generated using the fullname template |  |
 | `startupapicheck.serviceAccount.annotations` | Annotations to add to the service account for the startupapicheck component |  |
 | `startupapicheck.serviceAccount.automountServiceAccountToken` | Automount API credentials for the startupapicheck Service Account | `true` |
+| `maxConcurrentChallenges` | The maximum number of challenges that can be scheduled as 'processing' at once | `60` |
+
+### Default Security Contexts
+
+The default pod-level and container-level security contexts, below, adhere to the [restricted](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted) Pod Security Standards policies.
+
+Default pod-level securityContext:
+```yaml
+runAsNonRoot: true
+seccompProfile:
+  type: RuntimeDefault
+```
+
+Default containerSecurityContext:
+```yaml
+allowPrivilegeEscalation: false
+capabilities:
+  drop:
+  - ALL
+```
+
+### Assigning Values
 
 Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`.
 
@@ -209,8 +245,8 @@ Alternatively, a YAML file that specifies the values for the above parameters ca
 ```console
 $ helm install my-release -f values.yaml .
 ```
-> **Tip**: You can use the default [values.yaml](https://github.com/jetstack/cert-manager/blob/master/deploy/charts/cert-manager/values.yaml)
+> **Tip**: You can use the default [values.yaml](https://github.com/cert-manager/cert-manager/blob/master/deploy/charts/cert-manager/values.yaml)
 
 ## Contributing
 
-This chart is maintained at [github.com/jetstack/cert-manager](https://github.com/jetstack/cert-manager/tree/master/deploy/charts/cert-manager).
+This chart is maintained at [github.com/cert-manager/cert-manager](https://github.com/cert-manager/cert-manager/tree/master/deploy/charts/cert-manager).

charts/gitlab/gitlab/charts/cert-manager/templates/_helpers.tpl

@@ -58,7 +58,7 @@ If release name contains chart name it will be used as a full name.
 {{- end -}}
 
 {{- define "webhook.caRef" -}}
-{{ .Release.Namespace}}/{{ template "webhook.fullname" . }}-ca
+{{- template "cert-manager.namespace" }}/{{ template "webhook.fullname" . }}-ca
 {{- end -}}
 
 {{/*
@@ -156,4 +156,19 @@ app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 helm.sh/chart: {{ include "chartName" . }}
 {{- end -}}
+{{- if .Values.global.commonLabels}}
+{{ toYaml .Values.global.commonLabels }}
+{{- end }}
+{{- end -}}
+
+{{/*
+Namespace for all resources to be installed into
+If not defined in values file then the helm release namespace is used
+By default this is not set so the helm release namespace will be used
+
+This gets around an problem within helm discussed here
+https://github.com/helm/helm/issues/5358
+*/}}
+{{- define "cert-manager.namespace" -}}
+    {{ .Values.namespace | default .Release.Namespace }}
 {{- end -}}

charts/gitlab/gitlab/charts/cert-manager/templates/cainjector-deployment.yaml

@@ -1,18 +1,18 @@
-{{- if .Values.cainjector.enabled -}}
+{{- if .Values.cainjector.enabled }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: {{ include "cainjector.fullname" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include "cert-manager.namespace" . }}
   labels:
     app: {{ include "cainjector.name" . }}
     app.kubernetes.io/name: {{ include "cainjector.name" . }}
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/component: "cainjector"
     {{- include "labels" . | nindent 4 }}
-  {{- if .Values.cainjector.deploymentAnnotations }}
+  {{- with .Values.cainjector.deploymentAnnotations }}
   annotations:
-{{ toYaml .Values.cainjector.deploymentAnnotations | indent 4 }}
+    {{- toYaml . | nindent 4 }}
   {{- end }}
 spec:
   replicas: {{ .Values.cainjector.replicaCount }}
@@ -23,7 +23,7 @@ spec:
       app.kubernetes.io/component: "cainjector"
   {{- with .Values.cainjector.strategy }}
   strategy:
-    {{- . | toYaml | nindent 4 }}
+    {{- toYaml . | nindent 4 }}
   {{- end }}
   template:
     metadata:
@@ -33,26 +33,29 @@ spec:
         app.kubernetes.io/instance: {{ .Release.Name }}
         app.kubernetes.io/component: "cainjector"
         {{- include "labels" . | nindent 8 }}
-{{- if .Values.cainjector.podLabels }}
+        {{- with .Values.cainjector.podLabels }}
-{{ toYaml .Values.cainjector.podLabels | indent 8 }}
+        {{- toYaml . | nindent 8 }}
-{{- end }}
+        {{- end }}
-      {{- if .Values.cainjector.podAnnotations }}
+      {{- with .Values.cainjector.podAnnotations }}
       annotations:
-{{ toYaml .Values.cainjector.podAnnotations | indent 8 }}
+        {{- toYaml . | nindent 8 }}
       {{- end }}
     spec:
       serviceAccountName: {{ template "cainjector.serviceAccountName" . }}
-      {{- if .Values.global.priorityClassName }}
+      {{- if hasKey .Values.cainjector "automountServiceAccountToken" }}
-      priorityClassName: {{ .Values.global.priorityClassName | quote }}
+      automountServiceAccountToken: {{ .Values.cainjector.automountServiceAccountToken }}
       {{- end }}
-      {{- if .Values.cainjector.securityContext}}
+      {{- with .Values.global.priorityClassName }}
+      priorityClassName: {{ . | quote }}
+      {{- end }}
+      {{- with .Values.cainjector.securityContext }}
       securityContext:
-{{ toYaml .Values.cainjector.securityContext | indent 8 }}
+        {{- toYaml . | nindent 8 }}
       {{- end }}
       containers:
-        - name: {{ .Chart.Name }}
+        - name: {{ .Chart.Name }}-cainjector
           {{- with .Values.cainjector.image }}
-          image: "{{- if .registry -}}{{ .registry }}/{{- end -}}{{ .repository }}{{- if (.digest) -}} @{{.digest}}{{- else -}}:{{ default $.Chart.AppVersion .tag }} {{- end -}}"
+          image: "{{- if .registry -}}{{ .registry }}/{{- end -}}{{ .repository }}{{- if (.digest) -}} @{{ .digest }}{{- else -}}:{{ default $.Chart.AppVersion .tag }} {{- end -}}"
           {{- end }}
           imagePullPolicy: {{ .Values.cainjector.image.pullPolicy }}
           args:
@@ -71,30 +74,36 @@ spec:
           - --leader-election-retry-period={{ .retryPeriod }}
           {{- end }}
           {{- end }}
-          {{- if .Values.cainjector.extraArgs }}
+          {{- with .Values.cainjector.extraArgs }}
-{{ toYaml .Values.cainjector.extraArgs | indent 10 }}
+          {{- toYaml . | nindent 10 }}
           {{- end }}
           env:
           - name: POD_NAMESPACE
             valueFrom:
               fieldRef:
                 fieldPath: metadata.namespace
-          {{- if .Values.cainjector.containerSecurityContext }}
+          {{- with .Values.cainjector.containerSecurityContext }}
           securityContext:
-            {{- toYaml .Values.cainjector.containerSecurityContext | nindent 12 }}
+            {{- toYaml . | nindent 12 }}
           {{- end }}
+          {{- with .Values.cainjector.resources }}
           resources:
-{{ toYaml .Values.cainjector.resources | indent 12 }}
+            {{- toYaml . | nindent 12 }}
-    {{- with .Values.cainjector.nodeSelector }}
+          {{- end }}
+      {{- with .Values.cainjector.nodeSelector }}
       nodeSelector:
-{{ toYaml . | indent 8 }}
+        {{- toYaml . | nindent 8 }}
-    {{- end }}
+      {{- end }}
-    {{- with .Values.cainjector.affinity }}
+      {{- with .Values.cainjector.affinity }}
       affinity:
-{{ toYaml . | indent 8 }}
+        {{- toYaml . | nindent 8 }}
-    {{- end }}
+      {{- end }}
-    {{- with .Values.cainjector.tolerations }}
+      {{- with .Values.cainjector.tolerations }}
       tolerations:
-{{ toYaml . | indent 8 }}
+        {{- toYaml . | nindent 8 }}
-    {{- end }}
+      {{- end }}
-{{- end -}}
+      {{- with  .Values.cainjector.topologySpreadConstraints }}
+      topologySpreadConstraints:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+{{- end }}

charts/gitlab/gitlab/charts/cert-manager/templates/cainjector-psp-clusterrole.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.cainjector.enabled -}}
+{{- if .Values.cainjector.enabled }}
 {{- if .Values.global.podSecurityPolicy.enabled }}
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1

charts/gitlab/gitlab/charts/cert-manager/templates/cainjector-psp-clusterrolebinding.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.cainjector.enabled -}}
+{{- if .Values.cainjector.enabled }}
 {{- if .Values.global.podSecurityPolicy.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -17,6 +17,6 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: {{ template "cainjector.serviceAccountName" . }}
-    namespace: {{ .Release.Namespace }}
+    namespace: {{ include "cert-manager.namespace" . }}
 {{- end }}
 {{- end }}

charts/gitlab/gitlab/charts/cert-manager/templates/cainjector-psp.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.cainjector.enabled -}}
+{{- if .Values.cainjector.enabled }}
 {{- if .Values.global.podSecurityPolicy.enabled }}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
@@ -47,5 +47,5 @@ spec:
     ranges:
     - min: 1000
       max: 1000
-{{- end -}}
+{{- end }}
-{{- end -}}
+{{- end }}

charts/gitlab/gitlab/charts/cert-manager/templates/cainjector-rbac.yaml

@@ -1,5 +1,5 @@
-{{- if .Values.cainjector.enabled -}}
+{{- if .Values.cainjector.enabled }}
-{{- if .Values.global.rbac.create -}}
+{{- if .Values.global.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -29,9 +29,6 @@ rules:
   - apiGroups: ["apiextensions.k8s.io"]
     resources: ["customresourcedefinitions"]
     verbs: ["get", "list", "watch", "update"]
-  - apiGroups: ["auditregistration.k8s.io"]
-    resources: ["auditsinks"]
-    verbs: ["get", "list", "watch", "update"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -49,7 +46,7 @@ roleRef:
   name: {{ template "cainjector.fullname" . }}
 subjects:
   - name: {{ template "cainjector.serviceAccountName" . }}
-    namespace: {{ .Release.Namespace | quote }}
+    namespace: {{ include "cert-manager.namespace" . }}
     kind: ServiceAccount
 
 ---
@@ -71,14 +68,6 @@ rules:
   #   see cmd/cainjector/start.go#L113
   # cert-manager-cainjector-leader-election-core is used by the SecretBased injector controller
   #   see cmd/cainjector/start.go#L137
-  # See also: https://github.com/kubernetes-sigs/controller-runtime/pull/1144#discussion_r480173688
-  - apiGroups: [""]
-    resources: ["configmaps"]
-    resourceNames: ["cert-manager-cainjector-leader-election", "cert-manager-cainjector-leader-election-core"]
-    verbs: ["get", "update", "patch"]
-  - apiGroups: [""]
-    resources: ["configmaps"]
-    verbs: ["create"]
   - apiGroups: ["coordination.k8s.io"]
     resources: ["leases"]
     resourceNames: ["cert-manager-cainjector-leader-election", "cert-manager-cainjector-leader-election-core"]
@@ -109,6 +98,6 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: {{ template "cainjector.serviceAccountName" . }}
-    namespace: {{ .Release.Namespace }}
+    namespace: {{ include "cert-manager.namespace" . }}
-{{- end -}}
+{{- end }}
-{{- end -}}
+{{- end }}

charts/gitlab/gitlab/charts/cert-manager/templates/cainjector-serviceaccount.yaml

@@ -1,14 +1,14 @@
-{{- if .Values.cainjector.enabled -}}
+{{- if .Values.cainjector.enabled }}
-{{- if .Values.cainjector.serviceAccount.create -}}
+{{- if .Values.cainjector.serviceAccount.create }}
 apiVersion: v1
 kind: ServiceAccount
 automountServiceAccountToken: {{ .Values.cainjector.serviceAccount.automountServiceAccountToken }}
 metadata:
   name: {{ template "cainjector.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include "cert-manager.namespace" . }}
-  {{- if .Values.cainjector.serviceAccount.annotations }}
+  {{- with .Values.cainjector.serviceAccount.annotations }}
   annotations:
-{{ toYaml .Values.cainjector.serviceAccount.annotations | indent 4 }}
+    {{- toYaml . | nindent 4 }}
   {{- end }}
   labels:
     app: {{ include "cainjector.name" . }}
@@ -16,8 +16,12 @@ metadata:
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/component: "cainjector"
     {{- include "labels" . | nindent 4 }}
-{{- if .Values.global.imagePullSecrets }}
+    {{- with .Values.cainjector.serviceAccount.labels }}
-imagePullSecrets: {{ toYaml .Values.global.imagePullSecrets | nindent 2 }}
+      {{ toYaml . | nindent 4 }}
+    {{- end }}
+{{- with .Values.global.imagePullSecrets }}
+imagePullSecrets:
+  {{- toYaml . | nindent 2 }}
+{{- end }}
+{{- end }}
 {{- end }}
-{{- end -}}
-{{- end -}}

charts/gitlab/gitlab/charts/cert-manager/templates/deployment.yaml

@@ -2,16 +2,16 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: {{ template "cert-manager.fullname" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include "cert-manager.namespace" . }}
   labels:
     app: {{ template "cert-manager.name" . }}
     app.kubernetes.io/name: {{ template "cert-manager.name" . }}
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/component: "controller"
     {{- include "labels" . | nindent 4 }}
-  {{- if .Values.deploymentAnnotations }}
+  {{- with .Values.deploymentAnnotations }}
   annotations:
-{{ toYaml .Values.deploymentAnnotations | indent 4 }}
+    {{- toYaml . | nindent 4 }}
   {{- end }}
 spec:
   replicas: {{ .Values.replicaCount }}
@@ -22,7 +22,7 @@ spec:
       app.kubernetes.io/component: "controller"
   {{- with .Values.strategy }}
   strategy:
-    {{- . | toYaml | nindent 4 }}
+    {{- toYaml . | nindent 4 }}
   {{- end }}
   template:
     metadata:
@@ -32,12 +32,12 @@ spec:
         app.kubernetes.io/instance: {{ .Release.Name }}
         app.kubernetes.io/component: "controller"
         {{- include "labels" . | nindent 8 }}
-{{- if .Values.podLabels }}
+        {{- with .Values.podLabels }}
-{{ toYaml .Values.podLabels | indent 8 }}
+        {{- toYaml . | nindent 8 }}
-{{- end }}
+        {{- end }}
-      {{- if .Values.podAnnotations }}
+      {{- with .Values.podAnnotations }}
       annotations:
-{{ toYaml .Values.podAnnotations | indent 8 }}
+        {{- toYaml . | nindent 8 }}
       {{- end }}
       {{- if and .Values.prometheus.enabled (not .Values.prometheus.servicemonitor.enabled) }}
       {{- if not .Values.podAnnotations }}
@@ -49,56 +49,53 @@ spec:
       {{- end }}
     spec:
       serviceAccountName: {{ template "cert-manager.serviceAccountName" . }}
-      {{- if .Values.global.priorityClassName }}
+      {{- if hasKey .Values "automountServiceAccountToken" }}
-      priorityClassName: {{ .Values.global.priorityClassName | quote }}
+      automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
       {{- end }}
-      {{- $enabledDefined := gt (len (keys (pick .Values.securityContext "enabled"))) 0 }}
+      {{- with .Values.global.priorityClassName }}
-      {{- $legacyEnabledExplicitlyOff := and $enabledDefined (not .Values.securityContext.enabled) }}
+      priorityClassName: {{ . | quote }}
-      {{- if and .Values.securityContext (not $legacyEnabledExplicitlyOff) }}
+      {{- end }}
+      {{- with .Values.securityContext }}
       securityContext:
-        {{- if .Values.securityContext.enabled -}}
+        {{- toYaml . | nindent 8 }}
-        {{/* support legacy securityContext.enabled and its two parameters */}}
-        fsGroup: {{ default 1001 .Values.securityContext.fsGroup }}
-        runAsUser: {{ default 1001 .Values.securityContext.runAsUser }}
-        {{- else -}}
-        {{/* this is the way forward: support an arbitrary yaml block */}}
-{{ toYaml .Values.securityContext | indent 8 }}
-        {{- end }}
       {{- end }}
-      {{- if .Values.volumes }}
+      {{- with .Values.volumes }}
       volumes:
-{{ toYaml .Values.volumes | indent 8 }}
+        {{- toYaml . | nindent 8 }}
       {{- end }}
       containers:
-        - name: {{ .Chart.Name }}
+        - name: {{ .Chart.Name }}-controller
           {{- with .Values.image }}
-          image: "{{- if .registry -}}{{ .registry }}/{{- end -}}{{ .repository }}{{- if (.digest) -}} @{{.digest}}{{- else -}}:{{ default $.Chart.AppVersion .tag }} {{- end -}}"
+          image: "{{- if .registry -}}{{ .registry }}/{{- end -}}{{ .repository }}{{- if (.digest) -}} @{{ .digest }}{{- else -}}:{{ default $.Chart.AppVersion .tag }} {{- end -}}"
           {{- end }}
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           args:
-        {{- if .Values.global.logLevel }}
+          {{- if .Values.global.logLevel }}
           - --v={{ .Values.global.logLevel }}
-        {{- end }}
+          {{- end }}
-        {{- if .Values.clusterResourceNamespace }}
+          {{- if .Values.clusterResourceNamespace }}
           - --cluster-resource-namespace={{ .Values.clusterResourceNamespace }}
-        {{- else }}
+          {{- else }}
           - --cluster-resource-namespace=$(POD_NAMESPACE)
-        {{- end }}
+          {{- end }}
-        {{- with .Values.global.leaderElection }}
+          {{- with .Values.global.leaderElection }}
           - --leader-election-namespace={{ .namespace }}
-        {{- if .leaseDuration }}
+          {{- if .leaseDuration }}
           - --leader-election-lease-duration={{ .leaseDuration }}
-        {{- end }}
+          {{- end }}
-        {{- if .renewDeadline }}
+          {{- if .renewDeadline }}
           - --leader-election-renew-deadline={{ .renewDeadline }}
-        {{- end }}
+          {{- end }}
-        {{- if .retryPeriod }}
+          {{- if .retryPeriod }}
           - --leader-election-retry-period={{ .retryPeriod }}
-        {{- end }}
+          {{- end }}
-        {{- end }}
+          {{- end }}
-        {{- if .Values.extraArgs }}
+          {{- with .Values.acmesolver.image }}
-{{ toYaml .Values.extraArgs | indent 10 }}
+          - --acme-http01-solver-image={{- if .registry -}}{{ .registry }}/{{- end -}}{{ .repository }}{{- if (.digest) -}} @{{ .digest }}{{- else -}}:{{ default $.Chart.AppVersion .tag }} {{- end -}}
-        {{- end }}
+          {{- end }}
+          {{- with .Values.extraArgs }}
+          {{- toYaml . | nindent 10 }}
+          {{- end }}
           {{- with .Values.ingressShim }}
           {{- if .defaultIssuerName }}
           - --default-issuer-name={{ .defaultIssuerName }}
@@ -113,55 +110,65 @@ spec:
           {{- if .Values.featureGates }}
           - --feature-gates={{ .Values.featureGates }}
           {{- end }}
+          {{- if .Values.maxConcurrentChallenges }}
+          - --max-concurrent-challenges={{ .Values.maxConcurrentChallenges }}
+          {{- end }}
           ports:
           - containerPort: 9402
+            name: http-metrics
             protocol: TCP
-          {{- if .Values.containerSecurityContext }}
+          {{- with .Values.containerSecurityContext }}
           securityContext:
-            {{- toYaml .Values.containerSecurityContext | nindent 12 }}
+            {{- toYaml . | nindent 12 }}
           {{- end }}
-          {{- if .Values.volumeMounts }}
+          {{- with .Values.volumeMounts }}
           volumeMounts:
-{{ toYaml .Values.volumeMounts | indent 12 }}
+            {{- toYaml . | nindent 12 }}
           {{- end }}
           env:
           - name: POD_NAMESPACE
             valueFrom:
               fieldRef:
                 fieldPath: metadata.namespace
-        {{- if .Values.extraEnv }}
+          {{- with .Values.extraEnv }}
-{{ toYaml .Values.extraEnv | indent 10 }}
+          {{- toYaml . | nindent 10 }}
-        {{- end }}
+          {{- end }}
-          {{- if .Values.http_proxy }}
+          {{- with .Values.http_proxy }}
           - name: HTTP_PROXY
-            value: {{ .Values.http_proxy }}
+            value: {{ . }}
           {{- end }}
-          {{- if .Values.https_proxy }}
+          {{- with .Values.https_proxy }}
           - name: HTTPS_PROXY
-            value: {{ .Values.https_proxy }}
+            value: {{ . }}
           {{- end }}
-          {{- if .Values.no_proxy }}
+          {{- with .Values.no_proxy }}
           - name: NO_PROXY
-            value: {{ .Values.no_proxy }}
+            value: {{ . }}
           {{- end }}
+          {{- with .Values.resources }}
           resources:
-{{ toYaml .Values.resources | indent 12 }}
+            {{- toYaml . | nindent 12 }}
-    {{- with .Values.nodeSelector }}
+          {{- end }}
+      {{- with .Values.nodeSelector }}
       nodeSelector:
-{{ toYaml . | indent 8 }}
+        {{- toYaml . | nindent 8 }}
-    {{- end }}
+      {{- end }}
-    {{- with .Values.affinity }}
+      {{- with .Values.affinity }}
       affinity:
-{{ toYaml . | indent 8 }}
+        {{- toYaml . | nindent 8 }}
-    {{- end }}
+      {{- end }}
-    {{- with .Values.tolerations }}
+      {{- with .Values.tolerations }}
       tolerations:
-{{ toYaml . | indent 8 }}
+        {{- toYaml . | nindent 8 }}
-    {{- end }}
+      {{- end }}
-{{- if .Values.podDnsPolicy }}
+      {{- with  .Values.topologySpreadConstraints }}
-      dnsPolicy: {{ .Values.podDnsPolicy }}
+      topologySpreadConstraints:
-{{- end }}
+        {{- toYaml . | nindent 8 }}
-{{- if .Values.podDnsConfig }}
+      {{- end }}
+      {{- with .Values.podDnsPolicy }}
+      dnsPolicy: {{ . }}
+      {{- end }}
+      {{- with .Values.podDnsConfig }}
       dnsConfig:
-{{ toYaml .Values.podDnsConfig | indent 8 }}
+        {{- toYaml . | nindent 8 }}
-{{- end }}
+      {{- end }}

charts/gitlab/gitlab/charts/cert-manager/templates/networkpolicy-egress.yaml

@@ -0,0 +1,23 @@
+{{- if .Values.webhook.networkPolicy.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ template "webhook.fullname" . }}-allow-egress
+  namespace: {{ include "cert-manager.namespace" . }}
+spec:
+  egress:
+    {{- with .Values.webhook.networkPolicy.egress }}
+      {{- toYaml . | nindent 2 }}
+    {{- end }}
+  podSelector:
+    matchLabels:
+      app: {{ include "webhook.name" . }}
+      app.kubernetes.io/name: {{ include "webhook.name" . }}
+      app.kubernetes.io/instance: {{ .Release.Name }}
+      app.kubernetes.io/component: "webhook"
+      {{- with .Values.webhook.podLabels }}
+      {{- toYaml . | nindent 6 }}
+      {{- end }}
+  policyTypes:
+  - Egress
+{{- end }}

charts/gitlab/gitlab/charts/cert-manager/templates/networkpolicy-webhooks.yaml

@@ -0,0 +1,25 @@
+{{- if .Values.webhook.networkPolicy.enabled }}
+
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ template "webhook.fullname" . }}-allow-ingress
+  namespace: {{ include "cert-manager.namespace" . }}
+spec:
+  ingress:
+    {{- with .Values.webhook.networkPolicy.ingress }}
+      {{- toYaml . | nindent 2 }}
+    {{- end }}
+  podSelector:
+    matchLabels:
+        app: {{ include "webhook.name" . }}
+        app.kubernetes.io/name: {{ include "webhook.name" . }}
+        app.kubernetes.io/instance: {{ .Release.Name }}
+        app.kubernetes.io/component: "webhook"
+        {{- with .Values.webhook.podLabels }}
+        {{- toYaml . | nindent 6 }}
+        {{- end }}
+  policyTypes:
+  - Ingress
+
+{{- end }}

charts/gitlab/gitlab/charts/cert-manager/templates/psp-clusterrolebinding.yaml

@@ -16,5 +16,5 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: {{ template "cert-manager.serviceAccountName" . }}
-    namespace: {{ .Release.Namespace }}
+    namespace: {{ include "cert-manager.namespace" . }}
 {{- end }}

charts/gitlab/gitlab/charts/cert-manager/templates/rbac.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.global.rbac.create -}}
+{{- if .Values.global.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@@ -11,15 +11,6 @@ metadata:
     app.kubernetes.io/component: "controller"
     {{- include "labels" . | nindent 4 }}
 rules:
-  # Used for leader election by the controller
-  # See also: https://github.com/kubernetes-sigs/controller-runtime/pull/1144#discussion_r480173688
-  - apiGroups: [""]
-    resources: ["configmaps"]
-    resourceNames: ["cert-manager-controller"]
-    verbs: ["get", "update", "patch"]
-  - apiGroups: [""]
-    resources: ["configmaps"]
-    verbs: ["create"]
   - apiGroups: ["coordination.k8s.io"]
     resources: ["leases"]
     resourceNames: ["cert-manager-controller"]
@@ -51,7 +42,7 @@ subjects:
   - apiGroup: ""
     kind: ServiceAccount
     name: {{ template "cert-manager.serviceAccountName" . }}
-    namespace: {{ .Release.Namespace }}
+    namespace: {{ include "cert-manager.namespace" . }}
 
 ---
 
@@ -69,7 +60,7 @@ metadata:
 rules:
   - apiGroups: ["cert-manager.io"]
     resources: ["issuers", "issuers/status"]
-    verbs: ["update"]
+    verbs: ["update", "patch"]
   - apiGroups: ["cert-manager.io"]
     resources: ["issuers"]
     verbs: ["get", "list", "watch"]
@@ -96,7 +87,7 @@ metadata:
 rules:
   - apiGroups: ["cert-manager.io"]
     resources: ["clusterissuers", "clusterissuers/status"]
-    verbs: ["update"]
+    verbs: ["update", "patch"]
   - apiGroups: ["cert-manager.io"]
     resources: ["clusterissuers"]
     verbs: ["get", "list", "watch"]
@@ -123,7 +114,7 @@ metadata:
 rules:
   - apiGroups: ["cert-manager.io"]
     resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"]
-    verbs: ["update"]
+    verbs: ["update", "patch"]
   - apiGroups: ["cert-manager.io"]
     resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"]
     verbs: ["get", "list", "watch"]
@@ -138,7 +129,7 @@ rules:
     verbs: ["create", "delete", "get", "list", "watch"]
   - apiGroups: [""]
     resources: ["secrets"]
-    verbs: ["get", "list", "watch", "create", "update", "delete"]
+    verbs: ["get", "list", "watch", "create", "update", "delete", "patch"]
   - apiGroups: [""]
     resources: ["events"]
     verbs: ["create", "patch"]
@@ -159,7 +150,7 @@ metadata:
 rules:
   - apiGroups: ["acme.cert-manager.io"]
     resources: ["orders", "orders/status"]
-    verbs: ["update"]
+    verbs: ["update", "patch"]
   - apiGroups: ["acme.cert-manager.io"]
     resources: ["orders", "challenges"]
     verbs: ["get", "list", "watch"]
@@ -199,7 +190,7 @@ rules:
   # Use to update challenge resource status
   - apiGroups: ["acme.cert-manager.io"]
     resources: ["challenges", "challenges/status"]
-    verbs: ["update"]
+    verbs: ["update", "patch"]
   # Used to watch challenge resources
   - apiGroups: ["acme.cert-manager.io"]
     resources: ["challenges"]
@@ -223,7 +214,7 @@ rules:
   - apiGroups: ["networking.k8s.io"]
     resources: ["ingresses"]
     verbs: ["get", "list", "watch", "create", "delete", "update"]
-  - apiGroups: [ "networking.x-k8s.io" ]
+  - apiGroups: [ "gateway.networking.k8s.io" ]
     resources: [ "httproutes" ]
     verbs: ["get", "list", "watch", "create", "delete", "update"]
   # We require the ability to specify a custom hostname when we are creating
@@ -272,10 +263,10 @@ rules:
   - apiGroups: ["networking.k8s.io"]
     resources: ["ingresses/finalizers"]
     verbs: ["update"]
-  - apiGroups: ["networking.x-k8s.io"]
+  - apiGroups: ["gateway.networking.k8s.io"]
     resources: ["gateways", "httproutes"]
     verbs: ["get", "list", "watch"]
-  - apiGroups: ["networking.x-k8s.io"]
+  - apiGroups: ["gateway.networking.k8s.io"]
     resources: ["gateways/finalizers", "httproutes/finalizers"]
     verbs: ["update"]
   - apiGroups: [""]
@@ -300,7 +291,7 @@ roleRef:
   name: {{ template "cert-manager.fullname" . }}-controller-issuers
 subjects:
   - name: {{ template "cert-manager.serviceAccountName" . }}
-    namespace: {{ .Release.Namespace | quote }}
+    namespace: {{ include "cert-manager.namespace" . }}
     kind: ServiceAccount
 
 ---
@@ -321,7 +312,7 @@ roleRef:
   name: {{ template "cert-manager.fullname" . }}-controller-clusterissuers
 subjects:
   - name: {{ template "cert-manager.serviceAccountName" . }}
-    namespace: {{ .Release.Namespace | quote }}
+    namespace: {{ include "cert-manager.namespace" . }}
     kind: ServiceAccount
 
 ---
@@ -342,7 +333,7 @@ roleRef:
   name: {{ template "cert-manager.fullname" . }}-controller-certificates
 subjects:
   - name: {{ template "cert-manager.serviceAccountName" . }}
-    namespace: {{ .Release.Namespace | quote }}
+    namespace: {{ include "cert-manager.namespace" . }}
     kind: ServiceAccount
 
 ---
@@ -363,7 +354,7 @@ roleRef:
   name: {{ template "cert-manager.fullname" . }}-controller-orders
 subjects:
   - name: {{ template "cert-manager.serviceAccountName" . }}
-    namespace: {{ .Release.Namespace | quote }}
+    namespace: {{ include "cert-manager.namespace" . }}
     kind: ServiceAccount
 
 ---
@@ -384,7 +375,7 @@ roleRef:
   name: {{ template "cert-manager.fullname" . }}-controller-challenges
 subjects:
   - name: {{ template "cert-manager.serviceAccountName" . }}
-    namespace: {{ .Release.Namespace | quote }}
+    namespace: {{ include "cert-manager.namespace" . }}
     kind: ServiceAccount
 
 ---
@@ -405,7 +396,7 @@ roleRef:
   name: {{ template "cert-manager.fullname" . }}-controller-ingress-shim
 subjects:
   - name: {{ template "cert-manager.serviceAccountName" . }}
-    namespace: {{ .Release.Namespace | quote }}
+    namespace: {{ include "cert-manager.namespace" . }}
     kind: ServiceAccount
 
 ---
@@ -420,9 +411,11 @@ metadata:
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/component: "controller"
     {{- include "labels" . | nindent 4 }}
+    {{- if .Values.global.rbac.aggregateClusterRoles }}
     rbac.authorization.k8s.io/aggregate-to-view: "true"
     rbac.authorization.k8s.io/aggregate-to-edit: "true"
     rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    {{- end }}
 rules:
   - apiGroups: ["cert-manager.io"]
     resources: ["certificates", "certificaterequests", "issuers"]
@@ -444,12 +437,17 @@ metadata:
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/component: "controller"
     {{- include "labels" . | nindent 4 }}
+    {{- if .Values.global.rbac.aggregateClusterRoles }}
     rbac.authorization.k8s.io/aggregate-to-edit: "true"
     rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    {{- end }}
 rules:
   - apiGroups: ["cert-manager.io"]
     resources: ["certificates", "certificaterequests", "issuers"]
     verbs: ["create", "delete", "deletecollection", "patch", "update"]
+  - apiGroups: ["cert-manager.io"]
+    resources: ["certificates/status"]
+    verbs: ["update"]
   - apiGroups: ["acme.cert-manager.io"]
     resources: ["challenges", "orders"]
     verbs: ["create", "delete", "deletecollection", "patch", "update"]
@@ -491,7 +489,7 @@ roleRef:
   name: {{ template "cert-manager.fullname" . }}-controller-approve:cert-manager-io
 subjects:
   - name: {{ template "cert-manager.serviceAccountName" . }}
-    namespace: {{ .Release.Namespace | quote }}
+    namespace: {{ include "cert-manager.namespace" . }}
     kind: ServiceAccount
 
 ---
@@ -515,7 +513,7 @@ rules:
     verbs: ["get", "list", "watch", "update"]
   - apiGroups: ["certificates.k8s.io"]
     resources: ["certificatesigningrequests/status"]
-    verbs: ["update"]
+    verbs: ["update", "patch"]
   - apiGroups: ["certificates.k8s.io"]
     resources: ["signers"]
     resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"]
@@ -542,6 +540,6 @@ roleRef:
   name: {{ template "cert-manager.fullname" . }}-controller-certificatesigningrequests
 subjects:
   - name: {{ template "cert-manager.serviceAccountName" . }}
-    namespace: {{ .Release.Namespace | quote }}
+    namespace: {{ include "cert-manager.namespace" . }}
     kind: ServiceAccount
 {{- end }}

charts/gitlab/gitlab/charts/cert-manager/templates/service.yaml

@@ -3,23 +3,27 @@ apiVersion: v1
 kind: Service
 metadata:
   name: {{ template "cert-manager.fullname" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include "cert-manager.namespace" . }}
+{{- with .Values.serviceAnnotations }}
+  annotations:
+{{ toYaml . | indent 4 }}
+{{- end }}
   labels:
     app: {{ include "cert-manager.name" . }}
     app.kubernetes.io/name: {{ include "cert-manager.name" . }}
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/component: "controller"
     {{- include "labels" . | nindent 4 }}
-{{- if .Values.serviceLabels }}
+    {{- with .Values.serviceLabels }}
-{{ toYaml .Values.serviceLabels | indent 4 }}
+    {{- toYaml . | nindent 4 }}
-{{- end }}
+    {{- end }}
 spec:
   type: ClusterIP
   ports:
-    - protocol: TCP
+  - protocol: TCP
-      port: 9402
+    port: 9402
-      name: tcp-prometheus-servicemonitor
+    name: tcp-prometheus-servicemonitor
-      targetPort: {{ .Values.prometheus.servicemonitor.targetPort }}
+    targetPort: {{ .Values.prometheus.servicemonitor.targetPort }}
   selector:
     app.kubernetes.io/name: {{ include "cert-manager.name" . }}
     app.kubernetes.io/instance: {{ .Release.Name }}

charts/gitlab/gitlab/charts/cert-manager/templates/serviceaccount.yaml

@@ -1,16 +1,17 @@
-{{- if .Values.serviceAccount.create -}}
+{{- if .Values.serviceAccount.create }}
 apiVersion: v1
 kind: ServiceAccount
-{{- if .Values.global.imagePullSecrets }}
+{{- with .Values.global.imagePullSecrets }}
-imagePullSecrets: {{ toYaml .Values.global.imagePullSecrets | nindent 2 }}
+imagePullSecrets:
+  {{- toYaml . | nindent 2 }}
 {{- end }}
 automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
 metadata:
   name: {{ template "cert-manager.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include "cert-manager.namespace" . }}
-  {{- if .Values.serviceAccount.annotations }}
+  {{- with .Values.serviceAccount.annotations }}
   annotations:
-{{ toYaml .Values.serviceAccount.annotations | indent 4 }}
+    {{- toYaml . | nindent 4 }}
   {{- end }}
   labels:
     app: {{ include "cert-manager.name" . }}
@@ -18,4 +19,7 @@ metadata:
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/component: "controller"
     {{- include "labels" . | nindent 4 }}
+    {{- with .Values.serviceAccount.labels }}
+      {{ toYaml . | nindent 4 }}
+    {{- end }}
 {{- end }}

charts/gitlab/gitlab/charts/cert-manager/templates/servicemonitor.yaml

@@ -6,7 +6,7 @@ metadata:
 {{- if .Values.prometheus.servicemonitor.namespace }}
   namespace: {{ .Values.prometheus.servicemonitor.namespace }}
 {{- else }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include "cert-manager.namespace" . }}
 {{- end }}
   labels:
     app: {{ include "cert-manager.name" . }}
@@ -15,8 +15,14 @@ metadata:
     app.kubernetes.io/component: "controller"
     {{- include "labels" . | nindent 4 }}
     prometheus: {{ .Values.prometheus.servicemonitor.prometheusInstance }}
-{{- if .Values.prometheus.servicemonitor.labels }}
+    {{- with .Values.prometheus.servicemonitor.labels }}
-{{ toYaml .Values.prometheus.servicemonitor.labels | indent 4}}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+{{- if .Values.prometheus.servicemonitor.annotations }}
+  annotations:
+    {{- with .Values.prometheus.servicemonitor.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
 {{- end }}
 spec:
   jobLabel: {{ template "cert-manager.fullname" . }}
@@ -25,12 +31,15 @@ spec:
       app.kubernetes.io/name: {{ template "cert-manager.name" . }}
       app.kubernetes.io/instance: {{ .Release.Name }}
       app.kubernetes.io/component: "controller"
+{{- if .Values.prometheus.servicemonitor.namespace }}
   namespaceSelector:
     matchNames:
-      - {{ .Release.Namespace }}
+      - {{ include "cert-manager.namespace" . }}
+{{- end }}
   endpoints:
   - targetPort: {{ .Values.prometheus.servicemonitor.targetPort }}
     path: {{ .Values.prometheus.servicemonitor.path }}
     interval: {{ .Values.prometheus.servicemonitor.interval }}
     scrapeTimeout: {{ .Values.prometheus.servicemonitor.scrapeTimeout }}
+    honorLabels: {{ .Values.prometheus.servicemonitor.honorLabels }}
 {{- end }}

charts/gitlab/gitlab/charts/cert-manager/templates/startupapicheck-job.yaml

@@ -1,18 +1,18 @@
-{{- if .Values.startupapicheck.enabled -}}
+{{- if .Values.startupapicheck.enabled }}
 apiVersion: batch/v1
 kind: Job
 metadata:
   name: {{ include "startupapicheck.fullname" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include "cert-manager.namespace" . }}
   labels:
     app: {{ include "startupapicheck.name" . }}
     app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/component: "startupapicheck"
     {{- include "labels" . | nindent 4 }}
-  {{- if .Values.startupapicheck.jobAnnotations }}
+  {{- with .Values.startupapicheck.jobAnnotations }}
   annotations:
-{{ toYaml .Values.startupapicheck.jobAnnotations | indent 4 }}
+    {{- toYaml . | nindent 4 }}
   {{- end }}
 spec:
   backoffLimit: {{ .Values.startupapicheck.backoffLimit }}
@@ -24,52 +24,54 @@ spec:
         app.kubernetes.io/instance: {{ .Release.Name }}
         app.kubernetes.io/component: "startupapicheck"
         {{- include "labels" . | nindent 8 }}
-{{- if .Values.startupapicheck.podLabels }}
+        {{- with .Values.startupapicheck.podLabels }}
-{{ toYaml .Values.startupapicheck.podLabels | indent 8 }}
+        {{- toYaml . | nindent 8 }}
-{{- end }}
+        {{- end }}
-      {{- if .Values.startupapicheck.podAnnotations }}
+      {{- with .Values.startupapicheck.podAnnotations }}
       annotations:
-{{ toYaml .Values.startupapicheck.podAnnotations | indent 8 }}
+        {{- toYaml . | nindent 8 }}
       {{- end }}
     spec:
       restartPolicy: OnFailure
       serviceAccountName: {{ template "startupapicheck.serviceAccountName" . }}
-      {{- if .Values.global.priorityClassName }}
+      {{- with .Values.global.priorityClassName }}
-      priorityClassName: {{ .Values.global.priorityClassName | quote }}
+      priorityClassName: {{ . | quote }}
       {{- end }}
-      {{- if .Values.startupapicheck.securityContext}}
+      {{- with .Values.startupapicheck.securityContext }}
       securityContext:
-{{ toYaml .Values.startupapicheck.securityContext | indent 8 }}
+        {{- toYaml . | nindent 8 }}
       {{- end }}
       containers:
-        - name: {{ .Chart.Name }}
+        - name: {{ .Chart.Name }}-startupapicheck
           {{- with .Values.startupapicheck.image }}
-          image: "{{- if .registry -}}{{ .registry }}/{{- end -}}{{ .repository }}{{- if (.digest) -}} @{{.digest}}{{- else -}}:{{ default $.Chart.AppVersion .tag }} {{- end -}}"
+          image: "{{- if .registry -}}{{ .registry }}/{{- end -}}{{ .repository }}{{- if (.digest) -}} @{{ .digest }}{{- else -}}:{{ default $.Chart.AppVersion .tag }} {{- end -}}"
           {{- end }}
           imagePullPolicy: {{ .Values.startupapicheck.image.pullPolicy }}
           args:
           - check
           - api
           - --wait={{ .Values.startupapicheck.timeout }}
-          {{- if .Values.startupapicheck.extraArgs }}
+          {{- with .Values.startupapicheck.extraArgs }}
-{{ toYaml .Values.startupapicheck.extraArgs | indent 10 }}
+          {{- toYaml . | nindent 10 }}
           {{- end }}
-          {{- if .Values.startupapicheck.containerSecurityContext }}
+          {{- with .Values.startupapicheck.containerSecurityContext }}
           securityContext:
-            {{- toYaml .Values.startupapicheck.containerSecurityContext | nindent 12 }}
+            {{- toYaml . | nindent 12 }}
           {{- end }}
+          {{- with .Values.startupapicheck.resources }}
           resources:
-{{ toYaml .Values.startupapicheck.resources | indent 12 }}
+            {{- toYaml . | nindent 12 }}
-    {{- with .Values.startupapicheck.nodeSelector }}
+          {{- end }}
+      {{- with .Values.startupapicheck.nodeSelector }}
       nodeSelector:
-{{ toYaml . | indent 8 }}
+        {{- toYaml . | nindent 8 }}
-    {{- end }}
+      {{- end }}
-    {{- with .Values.startupapicheck.affinity }}
+      {{- with .Values.startupapicheck.affinity }}
       affinity:
-{{ toYaml . | indent 8 }}
+        {{- toYaml . | nindent 8 }}
-    {{- end }}
+      {{- end }}
-    {{- with .Values.startupapicheck.tolerations }}
+      {{- with .Values.startupapicheck.tolerations }}
       tolerations:
-{{ toYaml . | indent 8 }}
+        {{- toYaml . | nindent 8 }}
-    {{- end }}
+      {{- end }}
-{{- end -}}
+{{- end }}

charts/gitlab/gitlab/charts/cert-manager/templates/startupapicheck-psp-clusterrole.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.startupapicheck.enabled -}}
+{{- if .Values.startupapicheck.enabled }}
 {{- if .Values.global.podSecurityPolicy.enabled }}
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
@@ -10,9 +10,9 @@ metadata:
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/component: "startupapicheck"
     {{- include "labels" . | nindent 4 }}
-  {{- if .Values.startupapicheck.rbac.annotations }}
+  {{- with .Values.startupapicheck.rbac.annotations }}
   annotations:
-    {{ toYaml .Values.startupapicheck.rbac.annotations | nindent 4 }}
+    {{- toYaml . | nindent 4 }}
   {{- end }}
 rules:
 - apiGroups: ['policy']

charts/gitlab/gitlab/charts/cert-manager/templates/startupapicheck-psp-clusterrolebinding.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.startupapicheck.enabled -}}
+{{- if .Values.startupapicheck.enabled }}
 {{- if .Values.global.podSecurityPolicy.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -10,9 +10,9 @@ metadata:
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/component: "startupapicheck"
     {{- include "labels" . | nindent 4 }}
-  {{- if .Values.startupapicheck.rbac.annotations }}
+  {{- with .Values.startupapicheck.rbac.annotations }}
   annotations:
-    {{ toYaml .Values.startupapicheck.rbac.annotations | nindent 4 }}
+    {{- toYaml . | nindent 4 }}
   {{- end }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -21,6 +21,6 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: {{ template "startupapicheck.serviceAccountName" . }}
-    namespace: {{ .Release.Namespace }}
+    namespace: {{ include "cert-manager.namespace" . }}
 {{- end }}
 {{- end }}

charts/gitlab/gitlab/charts/cert-manager/templates/startupapicheck-psp.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.startupapicheck.enabled -}}
+{{- if .Values.startupapicheck.enabled }}
 {{- if .Values.global.podSecurityPolicy.enabled }}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
@@ -17,8 +17,8 @@ metadata:
     apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
     apparmor.security.beta.kubernetes.io/defaultProfileName:  'runtime/default'
     {{- end }}
-    {{- if .Values.startupapicheck.rbac.annotations }}
+    {{- with .Values.startupapicheck.rbac.annotations }}
-    {{ toYaml .Values.startupapicheck.rbac.annotations | nindent 4 }}
+    {{- toYaml . | nindent 4 }}
     {{- end }}
 spec:
   privileged: false
@@ -47,5 +47,5 @@ spec:
     ranges:
     - min: 1000
       max: 1000
-{{- end -}}
+{{- end }}
-{{- end -}}
+{{- end }}

charts/gitlab/gitlab/charts/cert-manager/templates/startupapicheck-rbac.yaml

@@ -1,41 +1,40 @@
-{{- if .Values.startupapicheck.enabled -}}
+{{- if .Values.startupapicheck.enabled }}
-{{- if .Values.global.rbac.create -}}
+{{- if .Values.global.rbac.create }}
 # create certificate role
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: {{ template "startupapicheck.fullname" . }}:create-cert
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include "cert-manager.namespace" . }}
   labels:
     app: {{ include "startupapicheck.name" . }}
     app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/component: "startupapicheck"
     {{- include "labels" . | nindent 4 }}
-  {{- if .Values.startupapicheck.rbac.annotations }}
+  {{- with .Values.startupapicheck.rbac.annotations }}
   annotations:
-{{ toYaml .Values.startupapicheck.rbac.annotations | indent 4 }}
+    {{- toYaml . | nindent 4 }}
   {{- end }}
 rules:
   - apiGroups: ["cert-manager.io"]
     resources: ["certificates"]
     verbs: ["create"]
-
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: {{ include "startupapicheck.fullname" . }}:create-cert
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include "cert-manager.namespace" . }}
   labels:
     app: {{ include "startupapicheck.name" . }}
     app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/component: "startupapicheck"
     {{- include "labels" . | nindent 4 }}
-  {{- if .Values.startupapicheck.rbac.annotations }}
+  {{- with .Values.startupapicheck.rbac.annotations }}
   annotations:
-{{ toYaml .Values.startupapicheck.rbac.annotations | indent 4 }}
+    {{- toYaml . | nindent 4 }}
   {{- end }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -44,6 +43,6 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: {{ template "startupapicheck.serviceAccountName" . }}
-    namespace: {{ .Release.Namespace }}
+    namespace: {{ include "cert-manager.namespace" . }}
-{{- end -}}
+{{- end }}
-{{- end -}}
+{{- end }}

charts/gitlab/gitlab/charts/cert-manager/templates/startupapicheck-serviceaccount.yaml

@@ -1,14 +1,14 @@
-{{- if .Values.startupapicheck.enabled -}}
+{{- if .Values.startupapicheck.enabled }}
-{{- if .Values.startupapicheck.serviceAccount.create -}}
+{{- if .Values.startupapicheck.serviceAccount.create }}
 apiVersion: v1
 kind: ServiceAccount
 automountServiceAccountToken: {{ .Values.startupapicheck.serviceAccount.automountServiceAccountToken }}
 metadata:
   name: {{ template "startupapicheck.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include "cert-manager.namespace" . }}
-  {{- if .Values.startupapicheck.serviceAccount.annotations }}
+  {{- with .Values.startupapicheck.serviceAccount.annotations }}
   annotations:
-{{ toYaml .Values.startupapicheck.serviceAccount.annotations | indent 4 }}
+    {{- toYaml . | nindent 4 }}
   {{- end }}
   labels:
     app: {{ include "startupapicheck.name" . }}
@@ -16,8 +16,12 @@ metadata:
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/component: "startupapicheck"
     {{- include "labels" . | nindent 4 }}
-{{- if .Values.global.imagePullSecrets }}
+    {{- with .Values.startupapicheck.serviceAccount.labels }}
-imagePullSecrets: {{ toYaml .Values.global.imagePullSecrets | nindent 2 }}
+      {{ toYaml . | nindent 4 }}
+    {{- end }}
+{{- with .Values.global.imagePullSecrets }}
+imagePullSecrets:
+  {{- toYaml . | nindent 2 }}
+{{- end }}
+{{- end }}
 {{- end }}
-{{- end -}}
-{{- end -}}

charts/gitlab/gitlab/charts/cert-manager/templates/webhook-config.yaml

@@ -0,0 +1,25 @@
+{{- if .Values.webhook.config -}}
+  {{- if not .Values.webhook.config.apiVersion -}}
+    {{- fail "webhook.config.apiVersion must be set" -}}
+  {{- end -}}
+
+  {{- if not .Values.webhook.config.kind -}}
+    {{- fail "webhook.config.kind must be set" -}}
+  {{- end -}}
+{{- end -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "webhook.fullname" . }}
+  namespace: {{ include "cert-manager.namespace" . }}
+  labels:
+    app: {{ include "webhook.name" . }}
+    app.kubernetes.io/name: {{ include "webhook.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component: "webhook"
+    {{- include "labels" . | nindent 4 }}
+data:
+  {{- if .Values.webhook.config }}
+  config.yaml: |
+    {{ .Values.webhook.config | toYaml | nindent 4 }}
+  {{- end }}

charts/gitlab/gitlab/charts/cert-manager/templates/webhook-deployment.yaml

@@ -2,16 +2,16 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: {{ include "webhook.fullname" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include "cert-manager.namespace" . }}
   labels:
     app: {{ include "webhook.name" . }}
     app.kubernetes.io/name: {{ include "webhook.name" . }}
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/component: "webhook"
     {{- include "labels" . | nindent 4 }}
-  {{- if .Values.webhook.deploymentAnnotations }}
+  {{- with .Values.webhook.deploymentAnnotations }}
   annotations:
-{{ toYaml .Values.webhook.deploymentAnnotations | indent 4 }}
+    {{- toYaml . | nindent 4 }}
   {{- end }}
 spec:
   replicas: {{ .Values.webhook.replicaCount }}
@@ -22,7 +22,7 @@ spec:
       app.kubernetes.io/component: "webhook"
   {{- with .Values.webhook.strategy }}
   strategy:
-    {{- . | toYaml | nindent 4 }}
+    {{- toYaml . | nindent 4 }}
   {{- end }}
   template:
     metadata:
@@ -32,50 +32,87 @@ spec:
         app.kubernetes.io/instance: {{ .Release.Name }}
         app.kubernetes.io/component: "webhook"
         {{- include "labels" . | nindent 8 }}
-{{- if .Values.webhook.podLabels }}
+        {{- with .Values.webhook.podLabels }}
-{{ toYaml .Values.webhook.podLabels | indent 8 }}
+        {{- toYaml . | nindent 8 }}
-{{- end }}
+        {{- end }}
-      {{- if .Values.webhook.podAnnotations }}
+      {{- with .Values.webhook.podAnnotations }}
       annotations:
-{{ toYaml .Values.webhook.podAnnotations | indent 8 }}
+        {{- toYaml . | nindent 8 }}
       {{- end }}
     spec:
       serviceAccountName: {{ template "webhook.serviceAccountName" . }}
-      {{- if .Values.global.priorityClassName }}
+      {{- if hasKey .Values.webhook "automountServiceAccountToken" }}
-      priorityClassName: {{ .Values.global.priorityClassName | quote }}
+      automountServiceAccountToken: {{ .Values.webhook.automountServiceAccountToken }}
       {{- end }}
-      {{- if .Values.webhook.securityContext}}
+      {{- with .Values.global.priorityClassName }}
+      priorityClassName: {{ . | quote }}
+      {{- end }}
+      {{- with .Values.webhook.securityContext }}
       securityContext:
-{{ toYaml .Values.webhook.securityContext | indent 8 }}
+        {{- toYaml . | nindent 8 }}
       {{- end }}
       {{- if .Values.webhook.hostNetwork }}
       hostNetwork: true
       {{- end }}
       containers:
-        - name: {{ .Chart.Name }}
+        - name: {{ .Chart.Name }}-webhook
           {{- with .Values.webhook.image }}
-          image: "{{- if .registry -}}{{ .registry }}/{{- end -}}{{ .repository }}{{- if (.digest) -}} @{{.digest}}{{- else -}}:{{ default $.Chart.AppVersion .tag }} {{- end -}}"
+          image: "{{- if .registry -}}{{ .registry }}/{{- end -}}{{ .repository }}{{- if (.digest) -}} @{{ .digest }}{{- else -}}:{{ default $.Chart.AppVersion .tag }} {{- end -}}"
           {{- end }}
           imagePullPolicy: {{ .Values.webhook.image.pullPolicy }}
           args:
           {{- if .Values.global.logLevel }}
           - --v={{ .Values.global.logLevel }}
           {{- end }}
+          {{- if .Values.webhook.config }}
+          - --config=/var/cert-manager/config/config.yaml
+          {{- end }}
+          {{- $config := default .Values.webhook.config "" }}
+          {{ if not $config.securePort -}}
           - --secure-port={{ .Values.webhook.securePort }}
+          {{- end }}
+          {{- if .Values.featureGates }}
+          - --feature-gates={{ .Values.featureGates }}
+          {{- end }}
+          {{- $tlsConfig := default $config.tlsConfig "" }}
+          {{ if or (not $config.tlsConfig) (and (not $tlsConfig.dynamic) (not $tlsConfig.filesystem) ) -}}
           - --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE)
           - --dynamic-serving-ca-secret-name={{ template "webhook.fullname" . }}-ca
-          - --dynamic-serving-dns-names={{ template "webhook.fullname" . }},{{ template "webhook.fullname" . }}.{{ .Release.Namespace }},{{ template "webhook.fullname" . }}.{{ .Release.Namespace }}.svc{{ if .Values.webhook.url.host }},{{ .Values.webhook.url.host }}{{ end }}
+          - --dynamic-serving-dns-names={{ template "webhook.fullname" . }}
-        {{- if .Values.webhook.extraArgs }}
+          - --dynamic-serving-dns-names={{ template "webhook.fullname" . }}.$(POD_NAMESPACE)
-{{ toYaml .Values.webhook.extraArgs | indent 10 }}
+          - --dynamic-serving-dns-names={{ template "webhook.fullname" . }}.$(POD_NAMESPACE).svc
-        {{- end }}
+          {{ if .Values.webhook.url.host }}
+          - --dynamic-serving-dns-names={{ .Values.webhook.url.host }}
+          {{- end }}
+          {{- end }}
+          {{- with .Values.webhook.extraArgs }}
+          {{- toYaml . | nindent 10 }}
+          {{- end }}
           ports:
           - name: https
             protocol: TCP
+            {{- if $config.securePort }}
+            containerPort: {{ $config.securePort }}
+            {{- else if .Values.webhook.securePort }}
             containerPort: {{ .Values.webhook.securePort }}
+            {{- else }}
+            containerPort: 6443
+            {{- end }}
+          - name: healthcheck
+            protocol: TCP
+            {{- if $config.healthzPort }}
+            containerPort: {{ $config.healthzPort }}
+            {{- else }}
+            containerPort: 6080
+            {{- end }}
           livenessProbe:
             httpGet:
               path: /livez
+              {{- if $config.healthzPort }}
+              port: {{ $config.healthzPort }}
+              {{- else }}
               port: 6080
+              {{- end }}
               scheme: HTTP
             initialDelaySeconds: {{ .Values.webhook.livenessProbe.initialDelaySeconds }}
             periodSeconds: {{ .Values.webhook.livenessProbe.periodSeconds }}
@@ -85,33 +122,54 @@ spec:
           readinessProbe:
             httpGet:
               path: /healthz
+              {{- if $config.healthzPort }}
+              port: {{ $config.healthzPort }}
+              {{- else }}
               port: 6080
+              {{- end }}
               scheme: HTTP
             initialDelaySeconds: {{ .Values.webhook.readinessProbe.initialDelaySeconds }}
             periodSeconds: {{ .Values.webhook.readinessProbe.periodSeconds }}
             timeoutSeconds: {{ .Values.webhook.readinessProbe.timeoutSeconds }}
             successThreshold: {{ .Values.webhook.readinessProbe.successThreshold }}
             failureThreshold: {{ .Values.webhook.readinessProbe.failureThreshold }}
-          {{- if .Values.webhook.containerSecurityContext }}
+          {{- with .Values.webhook.containerSecurityContext }}
           securityContext:
-            {{- toYaml .Values.webhook.containerSecurityContext | nindent 12 }}
+            {{- toYaml . | nindent 12 }}
           {{- end }}
           env:
           - name: POD_NAMESPACE
             valueFrom:
               fieldRef:
                 fieldPath: metadata.namespace
+          {{- with .Values.webhook.resources }}
           resources:
-{{ toYaml .Values.webhook.resources | indent 12 }}
+            {{- toYaml . | nindent 12 }}
-    {{- with .Values.webhook.nodeSelector }}
+          {{- end }}
+          {{- if .Values.webhook.config }}
+          volumeMounts:
+            - name: config
+              mountPath: /var/cert-manager/config
+          {{- end }}
+      {{- with .Values.webhook.nodeSelector }}
       nodeSelector:
-{{ toYaml . | indent 8 }}
+        {{- toYaml . | nindent 8 }}
-    {{- end }}
+      {{- end }}
-    {{- with .Values.webhook.affinity }}
+      {{- with .Values.webhook.affinity }}
       affinity:
-{{ toYaml . | indent 8 }}
+        {{- toYaml . | nindent 8 }}
-    {{- end }}
+      {{- end }}
-    {{- with .Values.webhook.tolerations }}
+      {{- with .Values.webhook.tolerations }}
       tolerations:
-{{ toYaml . | indent 8 }}
+        {{- toYaml . | nindent 8 }}
-    {{- end }}
+      {{- end }}
+      {{- with  .Values.webhook.topologySpreadConstraints }}
+      topologySpreadConstraints:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- if .Values.webhook.config }}
+      volumes:
+        - name: config
+          configMap:
+            name: {{ include "webhook.fullname" . }}
+      {{- end }}

charts/gitlab/gitlab/charts/cert-manager/templates/webhook-mutating-webhook.yaml

@@ -9,10 +9,10 @@ metadata:
     app.kubernetes.io/component: "webhook"
     {{- include "labels" . | nindent 4 }}
   annotations:
-    cert-manager.io/inject-ca-from-secret: "{{ .Release.Namespace }}/{{ template "webhook.fullname" . }}-ca"
+    cert-manager.io/inject-ca-from-secret: {{ printf "%s/%s-ca" (include "cert-manager.namespace" .) (include "webhook.fullname" .) | quote }}
-  {{- if .Values.webhook.mutatingWebhookConfigurationAnnotations }}
+    {{- with .Values.webhook.mutatingWebhookConfigurationAnnotations }}
-{{ toYaml .Values.webhook.mutatingWebhookConfigurationAnnotations | indent 4 }}
+    {{- toYaml . | nindent 4 }}
-  {{- end }}
+    {{- end }}
 webhooks:
   - name: webhook.cert-manager.io
     rules:
@@ -26,15 +26,7 @@ webhooks:
           - UPDATE
         resources:
           - "*/*"
-    # We don't actually support `v1beta1` but is listed here as it is a
+    admissionReviewVersions: ["v1"]
-    # required value for
-    # [Kubernetes v1.16](https://github.com/kubernetes/kubernetes/issues/82025).
-    # The API server reads the supported versions in order, so _should always_
-    # attempt a `v1` request which is understood by the cert-manager webhook.
-    # Any `v1beta1` request will return an error and fail closed for that
-    # resource (the whole object request is rejected). When we no longer
-    # support v1.16 we can remove `v1beta1` from this list.
-    admissionReviewVersions: ["v1", "v1beta1"]
     # This webhook only accepts v1 cert-manager resources.
     # Equivalent matchPolicy ensures that non-v1 resource requests are sent to
     # this webhook (after the resources have been converted to v1).
@@ -49,6 +41,6 @@ webhooks:
       {{- else }}
       service:
         name: {{ template "webhook.fullname" . }}
-        namespace: {{ .Release.Namespace | quote }}
+        namespace: {{ include "cert-manager.namespace" . }}
         path: /mutate
       {{- end }}

charts/gitlab/gitlab/charts/cert-manager/templates/webhook-psp-clusterrolebinding.yaml

@@ -16,5 +16,5 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: {{ template "webhook.serviceAccountName" . }}
-    namespace: {{ .Release.Namespace }}
+    namespace: {{ include "cert-manager.namespace" . }}
 {{- end }}

charts/gitlab/gitlab/charts/cert-manager/templates/webhook-psp.yaml

@@ -27,11 +27,11 @@ spec:
   - 'secret'
   - 'downwardAPI'
   hostNetwork: {{ .Values.webhook.hostNetwork }}
-  {{ if .Values.webhook.hostNetwork }}
+  {{- if .Values.webhook.hostNetwork }}
   hostPorts:
   - max: {{ .Values.webhook.securePort }}
     min: {{ .Values.webhook.securePort }}
-  {{ end }}
+  {{- end }}
   hostIPC: false
   hostPID: false
   runAsUser:

charts/gitlab/gitlab/charts/cert-manager/templates/webhook-rbac.yaml

@@ -1,9 +1,9 @@
-{{- if .Values.global.rbac.create -}}
+{{- if .Values.global.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: {{ template "webhook.fullname" . }}:dynamic-serving
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include "cert-manager.namespace" . }}
   labels:
     app: {{ include "webhook.name" . }}
     app.kubernetes.io/name: {{ include "webhook.name" . }}
@@ -26,7 +26,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: {{ template "webhook.fullname" . }}:dynamic-serving
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include "cert-manager.namespace" . }}
   labels:
     app: {{ include "webhook.name" . }}
     app.kubernetes.io/name: {{ include "webhook.name" . }}
@@ -41,7 +41,7 @@ subjects:
 - apiGroup: ""
   kind: ServiceAccount
   name: {{ template "webhook.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "cert-manager.namespace" . }}
 
 ---
 
@@ -79,5 +79,5 @@ subjects:
 - apiGroup: ""
   kind: ServiceAccount
   name: {{ template "webhook.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "cert-manager.namespace" . }}
-{{- end -}}
+{{- end }}

charts/gitlab/gitlab/charts/cert-manager/templates/webhook-service.yaml

@@ -2,26 +2,30 @@ apiVersion: v1
 kind: Service
 metadata:
   name: {{ template "webhook.fullname" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include "cert-manager.namespace" . }}
+{{- with .Values.webhook.serviceAnnotations }}
+  annotations:
+{{ toYaml . | indent 4 }}
+{{- end }}
   labels:
     app: {{ include "webhook.name" . }}
     app.kubernetes.io/name: {{ include "webhook.name" . }}
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/component: "webhook"
     {{- include "labels" . | nindent 4 }}
-{{- if .Values.webhook.serviceLabels }}
+    {{- with .Values.webhook.serviceLabels }}
-{{ toYaml .Values.webhook.serviceLabels | indent 4 }}
+    {{- toYaml . | nindent 4 }}
-{{- end }}
+    {{- end }}
 spec:
   type: {{ .Values.webhook.serviceType }}
-  {{- if .Values.webhook.loadBalancerIP }}
+  {{- with .Values.webhook.loadBalancerIP }}
-  loadBalancerIP: {{ .Values.webhook.loadBalancerIP }}
+  loadBalancerIP: {{ . }}
   {{- end }}
   ports:
   - name: https
     port: 443
     protocol: TCP
-    targetPort: {{ .Values.webhook.securePort }}
+    targetPort: "https"
   selector:
     app.kubernetes.io/name: {{ include "webhook.name" . }}
     app.kubernetes.io/instance: {{ .Release.Name }}

charts/gitlab/gitlab/charts/cert-manager/templates/webhook-serviceaccount.yaml

@@ -1,13 +1,13 @@
-{{- if .Values.webhook.serviceAccount.create -}}
+{{- if .Values.webhook.serviceAccount.create }}
 apiVersion: v1
 kind: ServiceAccount
 automountServiceAccountToken: {{ .Values.webhook.serviceAccount.automountServiceAccountToken }}
 metadata:
   name: {{ template "webhook.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include "cert-manager.namespace" . }}
-  {{- if .Values.webhook.serviceAccount.annotations }}
+  {{- with .Values.webhook.serviceAccount.annotations }}
   annotations:
-{{ toYaml .Values.webhook.serviceAccount.annotations | indent 4 }}
+    {{- toYaml . | nindent 4 }}
   {{- end }}
   labels:
     app: {{ include "webhook.name" . }}
@@ -15,7 +15,11 @@ metadata:
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/component: "webhook"
     {{- include "labels" . | nindent 4 }}
-{{- if .Values.global.imagePullSecrets }}
+    {{- with .Values.webhook.serviceAccount.labels }}
-imagePullSecrets: {{ toYaml .Values.global.imagePullSecrets | nindent 2 }}
+      {{ toYaml . | nindent 4 }}
-{{- end -}}
+    {{- end }}
-{{- end -}}
+{{- with .Values.global.imagePullSecrets }}
+imagePullSecrets:
+  {{- toYaml . | nindent 2 }}
+{{- end }}
+{{- end }}