[kots] remove cert-manager from Gitpod package

Currently, We include `cert-manager` instance into the
Gitpod kots package, and install it whenever Gitpod installation
is requested.

This causes the following problems:

- `cert-manager` is a separate beast on its own, There are numerous
configurations that might be needed to be set to make it run correctly.
- A lot users could have already have it installed, and have to
  struggle to get Gitpod up and running in those cases.

To solve them, We could either provide all the configurations of
`cert-manager` into the Gitpod package to cater users with all
config needs or remove the package and expect `cert-manager` as a
pre-requisite and make sure its documented.

The latter feels better as it removes the maintaince of cert-manager for
us while also allowing users to have specific configuration. The install
path for `cert-manager` is [also pretty well documented](https://cert-manager.io/docs/installation/)
with all the [changes needed based on the cluster environment](https://cert-manager.io/docs/installation/compatibility/).

This PR also removes the cert-manager issuers and updates the config to allow
users to use pre-configured resources

Signed-off-by: Tarun Pothulapati <[email protected]>

Author: Pothulapati

install/kots/Makefile

@@ -3,7 +3,7 @@ CHANNEL_BETA = Beta
 CHANNEL_UNSTABLE = Unstable
 YAML_DIR = manifests
 
-all: helm lint create_dev_release
+all: lint create_dev_release
 
 create_dev_release:
 	@if [ "${REPLICATED_DEV_CHANNEL}" = "" ]; then \
@@ -27,8 +27,3 @@ lint:
 	replicated release lint --yaml-dir ${YAML_DIR}
 .PHONY: lint
 
-helm:
-	@echo "Installing Helm dependencies"
-	@rm -f manifests/*.tgz
-	@for f in $(shell ls -d charts/*/); do cd $${f} && helm dep up && helm package . --destination ../../manifests && cd -; done
-.PHONY: helm

install/kots/README.md

@@ -34,17 +34,8 @@ The following environment variables are required to be able to publish to our Re
 
 - Starts with `kots` - part of the KOTS configuration. Typically, this will follow the KOTS documentation/conventions
 - Starts with `gitpod` - part of the Gitpod application. Typically, this will be something we define/own
-- Starts with `helm` - a Helm chart
 - Starts with `crd` - a Custom Resource Definition
 
-## Helm charts
-
-KOTS [requires](https://kots.io/reference/v1beta1/helmchart) Helm charts to be uploaded as a `.tgz`
-file. The `make helm` command iterates through everything inside `charts`, installs the dependencies
-and packages them up as a `.tgz` file.
-
-The `.tgz` files should not be committed to the repository.
-
 # Create a development release
 
 A development release can be created by running `make create_dev_release`. This builds and publishes

install/kots/charts/cert-manager/Chart.yaml

@@ -10,8 +10,8 @@ metadata:
 spec:
   secretName: https-certificates
   issuerRef:
-    name: '{{repl if (ConfigOptionEquals "tls_self_signed_enabled" "1" ) }}ca-issuer{{repl else }}gitpod-issuer{{repl end }}'
-    kind: '{{repl if or (ConfigOptionEquals "tls_self_signed_enabled" "1") (ConfigOptionNotEquals "cert_manager_provider" "azure") }}Issuer{{repl else }}ClusterIssuer{{repl end }}'
+    name: '{{repl if (ConfigOptionEquals "tls_self_signed_enabled" "1" ) }}ca-issuer{{repl else }}{{repl ConfigOption "cert_manager_issuer_name" }}{{repl end }}'
+    kind: '{{repl if (ConfigOptionEquals "tls_self_signed_enabled" "1" ) }}Issuer{{repl else }}{{repl ConfigOption "cert_manager_issuer" }}{{repl end }}'
   dnsNames:
     - '{{repl ConfigOption "domain" }}'
     - '*.{{repl ConfigOption "domain" }}'

install/kots/manifests/crd-cert-manager.yaml

@@ -18,28 +18,6 @@ spec:
     spec:
       serviceAccountName: installer
       restartPolicy: OnFailure
-      initContainers:
-        # Checks that the cert-manager installation is complete
-        - name: cert-manager
-          image: alpine/helm
-          command:
-            - /bin/sh
-            - -c
-          args:
-            - |
-              set -e
-
-              echo "Gitpod: Install jq"
-              apk add --no-cache jq
-
-              echo "Gitpod: Perform the check"
-              while [ "$(helm status -n {{repl Namespace }} cert-manager -o json | jq '.info.status == "deployed"')" = "false" ];
-              do
-                echo "Gitpod: Release not found - will retry in 10s"
-                sleep 10
-              done
-
-              echo "Gitpod: Release found - goodbye"
       containers:
         - name: installer
           # This will normally be the release tag - using this tag as need the license evaluator

install/kots/manifests/gitpod-certificate.yaml

@@ -259,60 +259,26 @@ spec:
           when: '{{repl ConfigOptionEquals "tls_self_signed_enabled" "0" }}'
           help_text: Automate certificate management with [cert-manager](https://cert-manager.io).
 
-        - name: cert_manager_acme_url
-          title: ACME URL
+        - name: cert_manager_issuer_name
+          title: Issuer name
           type: text
-          value: https://acme-v02.api.letsencrypt.org/directory
+          value: gitpod-issuer
           required: true
           when: '{{repl and (ConfigOptionEquals "tls_self_signed_enabled" "0") (ConfigOptionEquals "cert_manager_enabled" "1") }}'
-          help_text: The ACME URL is used to issue the certificates.
+          help_text: The name of the issuer you wish to use to generate your certificate. This will be the Kubernetes resource name.
 
-        - name: cert_manager_email
-          title: Email address
-          type: text
-          required: false
-          when: '{{repl and (ConfigOptionEquals "tls_self_signed_enabled" "0") (ConfigOptionEquals "cert_manager_enabled" "1") }}'
-          help_text: The email address to send renewal notifications to.
-
-        - name: cert_manager_provider
-          title: DNS01 provider
+        - name: cert_manager_issuer
+          title: Issuer type
           type: select_one
+          default: "ClusterIssuer" # Default to ClusterIssuer so it can be stored in a different namespace
           required: true
           when: '{{repl and (ConfigOptionEquals "tls_self_signed_enabled" "0") (ConfigOptionEquals "cert_manager_enabled" "1") }}'
-          help_text: A DNS01 challenge provider is used by cert-manager in order to generate the certificate. See the [specific documentation](https://cert-manager.io/docs/configuration/acme/dns01) for instructions on configuring your provider.
+          help_text: A [DNS01](https://cert-manager.io/docs/configuration/acme/dns01) `Issuer` or `ClusterIssuer` is required on the cluster to generate the certificate.
           items:
-            - name: azure
-              title: AzureDNS
-            - name: gcp
-              title: Google CloudDNS
-
-        - name: cert_manager_azure_subscription_id
-          title: Subscription ID
-          type: text
-          required: true
-          when: '{{repl and (ConfigOptionEquals "tls_self_signed_enabled" "0") (ConfigOptionEquals "cert_manager_enabled" "1") (ConfigOptionEquals "cert_manager_provider" "azure") }}'
-          help_text: The Azure subscription ID.
-
-        - name: cert_manager_azure_resource_group
-          title: Resource group
-          type: text
-          required: true
-          when: '{{repl and (ConfigOptionEquals "tls_self_signed_enabled" "0") (ConfigOptionEquals "cert_manager_enabled" "1") (ConfigOptionEquals "cert_manager_provider" "azure") }}'
-          help_text: The name of the resource group where the DNS zone exists.
-
-        - name: cert_manager_gcp_project
-          title: Project ID
-          type: text
-          required: true
-          when: '{{repl and (ConfigOptionEquals "tls_self_signed_enabled" "0") (ConfigOptionEquals "cert_manager_enabled" "1") (ConfigOptionEquals "cert_manager_provider" "gcp") }}'
-          help_text: The ID of your GCP project.
-
-        - name: cert_manager_gcp_credentials
-          title: GCP service account key
-          when: '{{repl and (ConfigOptionEquals "tls_self_signed_enabled" "0") (ConfigOptionEquals "cert_manager_enabled" "1") (ConfigOptionEquals "cert_manager_provider" "gcp") }}'
-          type: file
-          required: true
-          help_text: Download a [service account key](https://cloud.google.com/iam/docs/creating-managing-service-account-keys) with the `roles/dns.admin` role attached.
+            - name: ClusterIssuer
+              title: Cluster issuer
+            - name: Issuer
+              title: Issuer
 
         - name: tls_crt
           title: Certificate