jahanson/cert-manager-webhook-dnsimple
1
0
Fork 0
Code Issues 1 Pull requests 1 Projects Releases 4 Packages Wiki Activity Actions

Managing with bjw-s common app template.

Browse source
This commit is contained in:
Joseph Hanson 2024-05-02 09:05:18 -05:00
parent cd138b48e6
commit 28ee268329
9 changed files with 0 additions and 437 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

21
deploy/example-webhook/.helmignore
View file

@ -1,21 +0,0 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj

12
deploy/example-webhook/Chart.yaml
View file

@ -1,12 +0,0 @@
apiVersion: v1
appVersion: "0.0.1"
description: cert-manager webhook solver for ACME DNS01 challenge via DNSimple
name: cert-manager-webhook-dnsimple
version: 0.0.1
home: https://github.com/jahanson/cert-manager-webhook-dnsimple
sources:
- https://github.com/jahanson/cert-manager-webhook-dnsimple
maintainers:
- name: Joseph Hanson
email: joe@veri.dev
url: https://hsn.dev

52
deploy/example-webhook/templates/_helpers.tpl
View file

@ -1,52 +0,0 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "dnsimple-webhook.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "dnsimple-webhook.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "dnsimple-webhook.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- define "dnsimple-webhook.selfSignedIssuer" -}}
{{ printf "%s-selfsign" (include "dnsimple-webhook.fullname" .) }}
{{- end -}}
{{- define "dnsimple-webhook.rootCAIssuer" -}}
{{ printf "%s-ca" (include "dnsimple-webhook.fullname" .) }}
{{- end -}}
{{- define "dnsimple-webhook.rootCACertificate" -}}
{{ printf "%s-ca" (include "dnsimple-webhook.fullname" .) }}
{{- end -}}
{{- define "dnsimple-webhook.servingCertificate" -}}
{{ printf "%s-webhook-tls" (include "dnsimple-webhook.fullname" .) }}
{{- end -}}
{{- define "dnsimple-webhook.tokenSecretName" -}}
{{- default (include "dnsimple-webhook.fullname" .) (.Values.dnsimple.tokenSecretName) -}}
{{- end -}}

19
deploy/example-webhook/templates/apiservice.yaml
View file

@ -1,19 +0,0 @@
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
name: v1alpha1.{{ .Values.groupName }}
labels:
app: {{ include "dnsimple-webhook.name" . }}
chart: {{ include "dnsimple-webhook.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
annotations:
cert-manager.io/inject-ca-from: "{{ .Release.Namespace }}/{{ include "dnsimple-webhook.servingCertificate" . }}"
spec:
group: {{ .Values.groupName }}
groupPriorityMinimum: 1000
versionPriority: 15
service:
name: {{ include "dnsimple-webhook.fullname" . }}
namespace: {{ .Release.Namespace }}
version: v1alpha1

72
deploy/example-webhook/templates/deployment.yaml
View file

@ -1,72 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "dnsimple-webhook.fullname" . }}
labels:
app: {{ include "dnsimple-webhook.name" . }}
chart: {{ include "dnsimple-webhook.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
app: {{ include "dnsimple-webhook.name" . }}
release: {{ .Release.Name }}
template:
metadata:
labels:
app: {{ include "dnsimple-webhook.name" . }}
release: {{ .Release.Name }}
spec:
serviceAccountName: {{ include "dnsimple-webhook.fullname" . }}
containers:
- name: {{ .Chart.Name }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
args:
- --secure-port={{ .Values.containerport }}
- --tls-cert-file=/tls/tls.crt
- --tls-private-key-file=/tls/tls.key
{{- if .Values.logLevel }}
- --v={{ .Values.logLevel }}
{{- end }}
env:
- name: GROUP_NAME
value: {{ .Values.groupName | quote }}
ports:
- name: https
containerPort: {{ .Values.containerport }}
protocol: TCP
livenessProbe:
httpGet:
scheme: HTTPS
path: /healthz
port: https
readinessProbe:
httpGet:
scheme: HTTPS
path: /healthz
port: https
volumeMounts:
- name: certs
mountPath: /tls
readOnly: true
resources:
{{ toYaml .Values.resources | indent 12 }}
volumes:
- name: certs
secret:
secretName: {{ include "dnsimple-webhook.servingCertificate" . }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{ toYaml . | indent 8 }}
{{- end }}

76
deploy/example-webhook/templates/pki.yaml
View file

@ -1,76 +0,0 @@
---
# Create a selfsigned Issuer, in order to create a root CA certificate for
# signing webhook serving certificates
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: {{ include "dnsimple-webhook.selfSignedIssuer" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
app: {{ include "dnsimple-webhook.name" . }}
chart: {{ include "dnsimple-webhook.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
selfSigned: {}
---
# Generate a CA Certificate used to sign certificates for the webhook
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: {{ include "dnsimple-webhook.rootCACertificate" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
app: {{ include "dnsimple-webhook.name" . }}
chart: {{ include "dnsimple-webhook.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
secretName: {{ include "dnsimple-webhook.rootCACertificate" . }}
duration: 43800h # 5y
issuerRef:
name: {{ include "dnsimple-webhook.selfSignedIssuer" . }}
commonName: "ca.dnsimple-webhook.cert-manager"
isCA: true
---
# Create an Issuer that uses the above generated CA certificate to issue certs
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: {{ include "dnsimple-webhook.rootCAIssuer" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
app: {{ include "dnsimple-webhook.name" . }}
chart: {{ include "dnsimple-webhook.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
ca:
secretName: {{ include "dnsimple-webhook.rootCACertificate" . }}
---
# Finally, generate a serving certificate for the webhook to use
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: {{ include "dnsimple-webhook.servingCertificate" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
app: {{ include "dnsimple-webhook.name" . }}
chart: {{ include "dnsimple-webhook.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
secretName: {{ include "dnsimple-webhook.servingCertificate" . }}
duration: 8760h # 1y
issuerRef:
name: {{ include "dnsimple-webhook.rootCAIssuer" . }}
dnsNames:
- {{ include "dnsimple-webhook.fullname" . }}
- {{ include "dnsimple-webhook.fullname" . }}.{{ .Release.Namespace }}
- {{ include "dnsimple-webhook.fullname" . }}.{{ .Release.Namespace }}.svc

116
deploy/example-webhook/templates/rbac.yaml
View file

@ -1,116 +0,0 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "dnsimple-webhook.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
app: {{ include "dnsimple-webhook.name" . }}
chart: {{ include "dnsimple-webhook.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
---
# Grant the webhook permission to read the api-token Secret in the specified namespace.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: {{ .Release.Namespace | quote }}
name: {{ include "dnsimple-webhook.fullname" . }}:access-secret
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "watch"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ include "dnsimple-webhook.fullname" . }}:access-secret
namespace: {{ .Release.Namespace | quote }}
subjects:
- kind: ServiceAccount
name: {{ include "dnsimple-webhook.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
roleRef:
kind: Role
name: {{ include "dnsimple-webhook.fullname" . }}:access-secret
apiGroup: rbac.authorization.k8s.io
---
# Grant the webhook permission to read the ConfigMap containing the Kubernetes
# apiserver's requestheader-ca-certificate.
# This ConfigMap is automatically created by the Kubernetes apiserver.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "dnsimple-webhook.fullname" . }}:webhook-authentication-reader
namespace: kube-system
labels:
app: {{ include "dnsimple-webhook.name" . }}
chart: {{ include "dnsimple-webhook.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: extension-apiserver-authentication-reader
subjects:
- apiGroup: ""
kind: ServiceAccount
name: {{ include "dnsimple-webhook.fullname" . }}
namespace: {{ .Release.Namespace }}
---
# apiserver gets the auth-delegator role to delegate auth decisions to
# the core apiserver
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "dnsimple-webhook.fullname" . }}:auth-delegator
labels:
app: {{ include "dnsimple-webhook.name" . }}
chart: {{ include "dnsimple-webhook.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:auth-delegator
subjects:
- apiGroup: ""
kind: ServiceAccount
name: {{ include "dnsimple-webhook.fullname" . }}
namespace: {{ .Release.Namespace }}
---
# Grant cert-manager permission to validate using our apiserver
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "dnsimple-webhook.fullname" . }}:domain-solver
labels:
app: {{ include "dnsimple-webhook.name" . }}
chart: {{ include "dnsimple-webhook.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
rules:
- apiGroups:
- {{ .Values.groupName }}
resources:
- '*'
verbs:
- 'create'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "dnsimple-webhook.fullname" . }}:domain-solver
labels:
app: {{ include "dnsimple-webhook.name" . }}
chart: {{ include "dnsimple-webhook.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "dnsimple-webhook.fullname" . }}:domain-solver
subjects:
- apiGroup: ""
kind: ServiceAccount
name: {{ .Values.certManager.serviceAccountName }}
namespace: {{ .Values.certManager.namespace }}

20
deploy/example-webhook/templates/service.yaml
View file

@ -1,20 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: {{ include "dnsimple-webhook.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
app: {{ include "dnsimple-webhook.name" . }}
chart: {{ include "dnsimple-webhook.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
type: {{ .Values.service.type }}
ports:
- port: {{ .Values.service.port }}
targetPort: {{ .Values.containerport }}
protocol: TCP
name: https
selector:
app: {{ include "dnsimple-webhook.name" . }}
release: {{ .Release.Name }}

49
deploy/example-webhook/values.yaml
View file

@ -1,49 +0,0 @@
# The GroupName here is used to identify your company or business unit that
# created this webhook.
# For example, this may be "acme.mycompany.com".
# This name will need to be referenced in each Issuer's `webhook` stanza to
# inform cert-manager of where to send ChallengePayload resources in order to
# solve the DNS01 challenge.
# This group name should be **unique**, hence using your own company's domain
# here is recommended.
groupName: acme.jahanson.com
certManager:
namespace: cert-manager
serviceAccountName: cert-manager
# logLevel: 3
dnsimple:
token: ""
clusterIssuer:
email: name@example.com
image:
repository: git.hsn.dev/jahanson/cert-manager-webhook-dnsimple
tag: "0.0.3"
pullPolicy: IfNotPresent
nameOverride: ""
fullnameOverride: ""
service:
type: ClusterIP
port: 443
containerport: 8443
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
nodeSelector: {}
tolerations: []
affinity: {}