feat(kserve): install KServe

cert-manager/README.md

@@ -0,0 +1,166 @@
+# cert-manager Module
+
+cert-manager is a Kubernetes add-on that automates the management and issuance of TLS certificates from various sources. It provides a common API for certificate issuers and ensures certificates are valid and up to date.
+
+## Features
+
+- **Automatic Certificate Renewal**: Automatically renews certificates before they expire
+- **Multiple Issuers**: Supports Let's Encrypt, HashiCorp Vault, Venafi, self-signed, and more
+- **Kubernetes Native**: Uses Custom Resource Definitions (CRDs) for certificate management
+- **Webhook Integration**: Provides admission webhooks for validating and mutating certificate resources
+
+## Prerequisites
+
+- Kubernetes cluster (installed via `just k8s::install`)
+- kubectl configured with cluster admin permissions
+
+## Installation
+
+### Basic Installation
+
+```bash
+# Install cert-manager with default settings
+just cert-manager::install
+```
+
+### Environment Variables
+
+Key environment variables (set via `.env.local` or environment):
+
+```bash
+CERT_MANAGER_NAMESPACE=cert-manager       # Namespace for cert-manager
+CERT_MANAGER_CHART_VERSION=v1.19.1        # cert-manager Helm chart version
+```
+
+## Usage
+
+### Check Status
+
+```bash
+# View status of cert-manager components
+just cert-manager::status
+```
+
+### Create a Self-Signed Issuer
+
+```yaml
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+    name: selfsigned-issuer
+spec:
+    selfSigned: {}
+```
+
+Apply the resource:
+
+```bash
+kubectl apply -f issuer.yaml
+```
+
+### Create a Certificate
+
+```yaml
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+    name: example-cert
+    namespace: default
+spec:
+    secretName: example-cert-tls
+    issuerRef:
+        name: selfsigned-issuer
+        kind: ClusterIssuer
+    dnsNames:
+        - example.com
+        - www.example.com
+```
+
+Apply the resource:
+
+```bash
+kubectl apply -f certificate.yaml
+```
+
+### View Certificates
+
+```bash
+# List all certificates
+kubectl get certificates -A
+
+# Describe a specific certificate
+kubectl describe certificate example-cert -n default
+```
+
+## Components
+
+cert-manager installs three main components:
+
+1. **cert-manager**: Main controller managing Certificate resources
+2. **cert-manager-webhook**: Admission webhook for validating and mutating cert-manager resources
+3. **cert-manager-cainjector**: Injects CA bundles into webhooks and API services
+
+## Used By
+
+cert-manager is required by:
+- **KServe**: For webhook TLS certificates
+
+## Upgrade
+
+```bash
+# Upgrade cert-manager to a new version
+just cert-manager::upgrade
+```
+
+## Uninstall
+
+```bash
+# Remove cert-manager
+just cert-manager::uninstall
+```
+
+This will:
+- Uninstall cert-manager Helm release
+- Delete cert-manager CRDs
+- Delete namespace
+
+**Warning**: Uninstalling will remove all Certificate, Issuer, and ClusterIssuer resources.
+
+## Troubleshooting
+
+### Check Controller Logs
+
+```bash
+kubectl logs -n cert-manager -l app=cert-manager
+```
+
+### Check Webhook Logs
+
+```bash
+kubectl logs -n cert-manager -l app=webhook
+```
+
+### Verify CRDs
+
+```bash
+kubectl get crd | grep cert-manager.io
+```
+
+### Check Certificate Status
+
+```bash
+kubectl get certificate -A
+kubectl describe certificate <name> -n <namespace>
+```
+
+Common issues:
+- **Certificate not ready**: Check issuer configuration and logs
+- **Webhook errors**: Ensure cert-manager webhook is running and healthy
+- **DNS validation failures**: For ACME issuers, ensure DNS records are correct
+
+## References
+
+- [cert-manager Documentation](https://cert-manager.io/docs/)
+- [cert-manager GitHub](https://github.com/cert-manager/cert-manager)
+- [Helm Chart Configuration](https://artifacthub.io/packages/helm/cert-manager/cert-manager)
+- [Supported Issuers](https://cert-manager.io/docs/configuration/)

cert-manager/justfile

@@ -0,0 +1,91 @@
+set fallback := true
+
+export CERT_MANAGER_NAMESPACE := env("CERT_MANAGER_NAMESPACE", "cert-manager")
+export CERT_MANAGER_CHART_VERSION := env("CERT_MANAGER_CHART_VERSION", "v1.19.1")
+
+[private]
+default:
+    @just --list --unsorted --list-submodules
+
+# Create namespace
+create-namespace:
+    @kubectl get namespace ${CERT_MANAGER_NAMESPACE} &>/dev/null || \
+        kubectl create namespace ${CERT_MANAGER_NAMESPACE}
+
+# Delete namespace
+delete-namespace:
+    @kubectl delete namespace ${CERT_MANAGER_NAMESPACE} --ignore-not-found
+
+# Install cert-manager
+install:
+    #!/bin/bash
+    set -euo pipefail
+    echo "Installing cert-manager..."
+    just create-namespace
+
+    echo "Installing cert-manager from OCI registry..."
+    helm upgrade --cleanup-on-fail --install cert-manager \
+        oci://quay.io/jetstack/charts/cert-manager --version ${CERT_MANAGER_CHART_VERSION} \
+        -n ${CERT_MANAGER_NAMESPACE} --set crds.enabled=true --wait --timeout=5m
+
+    echo "Waiting for cert-manager webhook to be ready..."
+    kubectl wait --for=condition=ready pod -l app.kubernetes.io/name=webhook \
+        -n ${CERT_MANAGER_NAMESPACE} --timeout=300s
+
+    echo "Verifying cert-manager webhook is functional..."
+    sleep 10
+
+    echo ""
+    echo "=== cert-manager installed ==="
+    echo "Namespace: ${CERT_MANAGER_NAMESPACE}"
+    echo "Version: ${CERT_MANAGER_CHART_VERSION}"
+    echo ""
+    echo "cert-manager provides TLS certificate management for Kubernetes"
+
+# Upgrade cert-manager
+upgrade:
+    #!/bin/bash
+    set -euo pipefail
+    echo "Upgrading cert-manager..."
+
+    echo "Upgrading cert-manager from OCI registry..."
+    helm upgrade cert-manager oci://quay.io/jetstack/charts/cert-manager \
+        --version ${CERT_MANAGER_CHART_VERSION} -n ${CERT_MANAGER_NAMESPACE} \
+        --set crds.enabled=true --wait --timeout=5m
+
+    echo "cert-manager upgraded successfully"
+
+# Uninstall cert-manager
+uninstall:
+    #!/bin/bash
+    set -euo pipefail
+    echo "Uninstalling cert-manager..."
+    helm uninstall cert-manager -n ${CERT_MANAGER_NAMESPACE} --ignore-not-found --wait
+    echo "Deleting cert-manager CRDs..."
+    kubectl delete crd \
+        certificates.cert-manager.io \
+        certificaterequests.cert-manager.io \
+        challenges.acme.cert-manager.io \
+        clusterissuers.cert-manager.io \
+        issuers.cert-manager.io \
+        orders.acme.cert-manager.io \
+        --ignore-not-found
+    just delete-namespace
+    echo "cert-manager uninstalled"
+
+# Get status of cert-manager components
+status:
+    #!/bin/bash
+    set -euo pipefail
+    echo "=== cert-manager Components Status ==="
+    echo ""
+    echo "Namespace: ${CERT_MANAGER_NAMESPACE}"
+    echo ""
+    echo "Pods:"
+    kubectl get pods -n ${CERT_MANAGER_NAMESPACE}
+    echo ""
+    echo "Services:"
+    kubectl get services -n ${CERT_MANAGER_NAMESPACE}
+    echo ""
+    echo "CRDs:"
+    kubectl get crd | grep cert-manager.io