feat: Externalize ZTVP charts: cert-manager

Signed-off-by: Min Zhang <minzhang@redhat.com>

Author: minmzzhang

.github/linters/.checkov.yaml

@@ -5,8 +5,13 @@ directory:
 skip-path:
   - tests
 skip-check:
-  - CKV_K8S_49 # Minimize wildcard use in Roles and ClusterRoles
-  - CKV_K8S_155 # Minimize ClusterRoles that grant control over validating or mutating admission webhook configurations
-  - CKV_K8S_156 # Minimize ClusterRoles that grant permissions to approve CertificateSigningRequests
-  - CKV_K8S_157 # Minimize Roles and ClusterRoles that grant permissions to bind RoleBindings or ClusterRoleBindings
-  - CKV_K8S_158 # Minimize Roles and ClusterRoles that grant permissions to escalate Roles or ClusterRoles
+  # CKV_K8S_49: Minimize wildcard use in Roles and ClusterRoles
+  - CKV_K8S_49
+  # CKV_K8S_155: ClusterRoles for admission webhook configurations
+  - CKV_K8S_155
+  # CKV_K8S_156: ClusterRoles to approve CertificateSigningRequests
+  - CKV_K8S_156
+  # CKV_K8S_157: Roles/ClusterRoles to bind RoleBindings or ClusterRoleBindings
+  - CKV_K8S_157
+  # CKV_K8S_158: Roles/ClusterRoles to escalate Roles or ClusterRoles
+  - CKV_K8S_158

.github/workflows/superlinter.yml

@@ -14,3 +14,5 @@ jobs:
     with:
       sl_env: |
         VALIDATE_BIOME_FORMAT=false
+        # Exclude Helm chart templates (contain {{ }}; not valid YAML)
+        FILTER_REGEX_EXCLUDE=.*/templates/.*

.github/workflows/update-helm-repo.yml

@@ -1,3 +1,4 @@
+---
 # This invokes the workflow named 'publish-charts' in the umbrella repo
 # It expects to have a secret called CHARTS_REPOS_TOKEN which contains
 # the GitHub token that has permissions to invoke workflows and commit code
@@ -23,13 +24,15 @@ permissions:
 
 jobs:
   helmlint:
-    uses: validatedpatterns/helm-charts/.github/workflows/helmlint.yml@69fd10ef9199eecd093fca715ae9765c78750efc # October 6, 2025
+    # October 6, 2025
+    uses: validatedpatterns/helm-charts/.github/workflows/helmlint.yml@69fd10ef9199eecd093fca715ae9765c78750efc
     permissions:
       contents: read
 
   update-helm-repo:
     needs: [helmlint]
-    uses: validatedpatterns/helm-charts/.github/workflows/update-helm-repo.yml@69fd10ef9199eecd093fca715ae9765c78750efc # October 6, 2025
+    # October 6, 2025
+    uses: validatedpatterns/helm-charts/.github/workflows/update-helm-repo.yml@69fd10ef9199eecd093fca715ae9765c78750efc
     permissions:
       contents: read
     secrets:

.prettierignore

@@ -0,0 +1,4 @@
+# Helm template files contain {{ }} and are not plain YAML
+templates/
+# Keep [ ] for yamllint; Prettier would change to []
+values.yaml

.yamllint

@@ -0,0 +1,12 @@
+extends: default
+ignore:
+  - templates/
+  - templates/**
+  - "**/templates/**"
+rules:
+  document-start: disable
+  line-length:
+    max: 80
+  brackets:
+    min-spaces-inside: 0
+    max-spaces-inside: 1

Chart.yaml

@@ -1,6 +1,27 @@
+---
 apiVersion: v2
-description: A Helm chart to serve as the Validated Patterns Template
+name: ocp-certmanager
+description: >
+  A Helm chart to deploy OpenShift cert-manager operator with proper
+  DNS nameserver configuration.
+type: application
+# This is the chart version. This version number should be incremented each
+# time you make changes to the chart and its templates, including the app
+# version. Versions are expected to follow Semantic Versioning (semver.org).
+version: 0.2.0
+
+# This is the version number of the application being deployed. This version
+# number should be incremented each time you make changes to the application.
+# It is recommended to use it with quotes.
+appVersion: "1.16.0"
+home: https://github.com/validatedpatterns/ocp-certmanager-chart
+maintainers:
+  - name: Validated Patterns Team
+    email: validatedpatterns@googlegroups.com
+icon: https://validatedpatterns.io/images/validated-patterns.png
 keywords:
-  - pattern
-name: vp-template
-version: 0.0.1
+  - cert-manager
+  - ssl
+  - tls
+  - certificates
+  - openshift

Makefile

@@ -36,8 +36,10 @@ test: helm-lint helm-unittest ## Runs helm lint and unit tests
 .PHONY: super-linter
 super-linter: ## Runs super linter locally
 	rm -rf .mypy_cache
-	podman run -e RUN_LOCAL=true -e USE_FIND_ALGORITHM=true	\
-					-e VALIDATE_BIOME_FORMAT=false \
-					-v $(PWD):/tmp/lint:rw,z \
-					-w /tmp/lint \
-					ghcr.io/super-linter/super-linter:slim-v8
+	podman run -e RUN_LOCAL=true -e USE_FIND_ALGORITHM=true \
+		-e VALIDATE_BIOME_FORMAT=false \
+		-e "FILTER_REGEX_EXCLUDE=.*/templates/.*" \
+		-e VALIDATE_GITHUB_ACTIONS_ZIZMOR=false \
+		-v $(PWD):/tmp/lint:rw,z \
+		-w /tmp/lint \
+		ghcr.io/super-linter/super-linter:slim-v8

README.md

@@ -1,13 +1,33 @@
-# vp-template
+# ocp-certmanager
 
-![Version: 0.0.1](https://img.shields.io/badge/Version-0.0.1-informational?style=flat-square)
+![Version: 0.2.0](https://img.shields.io/badge/Version-0.2.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.16.0](https://img.shields.io/badge/AppVersion-1.16.0-informational?style=flat-square)
 
-A Helm chart to serve as the Validated Patterns Template
+A Helm chart to deploy OpenShift cert-manager operator with proper DNS nameserver configuration.
 
 This chart is used to serve as the template for Validated Patterns Charts
 
 ## Notable changes
 
+**Homepage:** <https://github.com/validatedpatterns/ocp-certmanager-chart>
+
+## Maintainers
+
+| Name                    | Email                                | Url |
+| ----------------------- | ------------------------------------ | --- |
+| Validated Patterns Team | <validatedpatterns@googlegroups.com> |     |
+
+## Values
+
+| Key                                 | Type   | Default                            | Description                                                                                                                                                                                                                     |
+| ----------------------------------- | ------ | ---------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| certmgrOperator.additionalArgs      | list   | `[]`                               | Arguments for the cert-manager controller (optional). Example: `--acme-http01-solver-nameservers=8.8.8.8:53,1.1.1.1:53`, `--v=2`.                                                                                               |
+| certmgrOperator.credentialsRequests | list   | `[]`                               | Cloud credentials for cert-manager (optional). Multiple credentials can be set for different providers and used by DNS solvers.                                                                                                 |
+| certmgrOperator.issuers             | list   | `[]`                               | Issuers for cert-manager (optional). Multiple issuers can be set for different challenges.                                                                                                                                      |
+| certmgrOperator.nameservers         | list   | `["8.8.8.8:53","1.1.1.1:53"]`      | DNS servers (`ip:port`) for DNS01 challenges. Defaults to 8.8.8.8:53 and 1.1.1.1:53. See [cert-manager DNS01 nameserver docs](https://cert-manager.io/docs/configuration/acme/dns01/#setting-nameservers-for-dns01-self-check). |
+| global                              | string | depends on the individual settings | Dictionary of global settings for this chart.                                                                                                                                                                                   |
+| installerType                       | string | `"argocd"`                         |                                                                                                                                                                                                                                 |
+| operatorChannel                     | string | `"stable-v1"`                      | Channel to install cert-manager from (default: `stable-v1`).                                                                                                                                                                    |
+
 ---
 
 Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)

templates/.keep

@@ -0,0 +1,20 @@
+{{- /*
+  Validations for the acme issuer
+*/ -}}
+{{- define "acme.validations" -}}
+{{- if not .solvers }}
+{{- fail "For the acme issuer, you must specify the properties solvers" }}
+{{- end }}
+{{- end }}
+
+{{- /*
+  Validations for the credentials-request
+*/ -}}
+{{- define "credential-request.validations" -}}
+{{- if not .secretRef }}
+{{- fail "CredentialRequest requires a SecretRef definition" }}
+{{- end }}
+{{- if not .providerSpec }}
+{{- fail "CredentialRequest requires a providerSpec definition" }}
+{{- end }}
+{{- end }}