Managing with bjw-s common app template.

2024-05-02 09:05:18 -05:00 · 2024-05-02 09:05:18 -05:00 · 28ee268329
commit 28ee268329
parent cd138b48e6
9 changed files with 0 additions and 437 deletions
--- a/deploy/example-webhook/.helmignore
+++ b/deploy/example-webhook/.helmignore
@ -1,21 +0,0 @@
 # Patterns to ignore when building packages.
 # This supports shell glob matching, relative path matching, and
 # negation (prefixed with !). Only one pattern per line.
 .DS_Store
 # Common VCS dirs
 .git/
 .gitignore
 .bzr/
 .bzrignore
 .hg/
 .hgignore
 .svn/
 # Common backup files
 *.swp
 *.bak
 *.tmp
 *~
 # Various IDEs
 .project
 .idea/
 *.tmproj
--- a/deploy/example-webhook/Chart.yaml
+++ b/deploy/example-webhook/Chart.yaml
@ -1,12 +0,0 @@
 apiVersion: v1
 appVersion: "0.0.1"
 description: cert-manager webhook solver for ACME DNS01 challenge via DNSimple
 name: cert-manager-webhook-dnsimple
 version: 0.0.1
 home: https://github.com/jahanson/cert-manager-webhook-dnsimple
 sources:
  - https://github.com/jahanson/cert-manager-webhook-dnsimple
 maintainers:
  - name: Joseph Hanson
    email: joe@veri.dev
    url: https://hsn.dev
--- a/deploy/example-webhook/templates/_helpers.tpl
+++ b/deploy/example-webhook/templates/_helpers.tpl
@ -1,52 +0,0 @@
 {{/* vim: set filetype=mustache: */}}
 {{/*
 Expand the name of the chart.
 */}}
 {{- define "dnsimple-webhook.name" -}}
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 {{/*
 Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
 If release name contains chart name it will be used as a full name.
 */}}
 {{- define "dnsimple-webhook.fullname" -}}
 {{- if .Values.fullnameOverride -}}
 {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
 {{- else -}}
 {{- $name := default .Chart.Name .Values.nameOverride -}}
 {{- if contains $name .Release.Name -}}
 {{- .Release.Name | trunc 63 | trimSuffix "-" -}}
 {{- else -}}
 {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 {{- end -}}
 {{- end -}}
 {{/*
 Create chart name and version as used by the chart label.
 */}}
 {{- define "dnsimple-webhook.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 {{- define "dnsimple-webhook.selfSignedIssuer" -}}
 {{ printf "%s-selfsign" (include "dnsimple-webhook.fullname" .) }}
 {{- end -}}
 {{- define "dnsimple-webhook.rootCAIssuer" -}}
 {{ printf "%s-ca" (include "dnsimple-webhook.fullname" .) }}
 {{- end -}}
 {{- define "dnsimple-webhook.rootCACertificate" -}}
 {{ printf "%s-ca" (include "dnsimple-webhook.fullname" .) }}
 {{- end -}}
 {{- define "dnsimple-webhook.servingCertificate" -}}
 {{ printf "%s-webhook-tls" (include "dnsimple-webhook.fullname" .) }}
 {{- end -}}
 {{- define "dnsimple-webhook.tokenSecretName" -}}
 {{- default (include "dnsimple-webhook.fullname" .) (.Values.dnsimple.tokenSecretName) -}}
 {{- end -}}
--- a/deploy/example-webhook/templates/apiservice.yaml
+++ b/deploy/example-webhook/templates/apiservice.yaml
@ -1,19 +0,0 @@
 apiVersion: apiregistration.k8s.io/v1
 kind: APIService
 metadata:
  name: v1alpha1.{{ .Values.groupName }}
  labels:
    app: {{ include "dnsimple-webhook.name" . }}
    chart: {{ include "dnsimple-webhook.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
  annotations:
    cert-manager.io/inject-ca-from: "{{ .Release.Namespace }}/{{ include "dnsimple-webhook.servingCertificate" . }}"
 spec:
  group: {{ .Values.groupName }}
  groupPriorityMinimum: 1000
  versionPriority: 15
  service:
    name: {{ include "dnsimple-webhook.fullname" . }}
    namespace: {{ .Release.Namespace }}
  version: v1alpha1
--- a/deploy/example-webhook/templates/deployment.yaml
+++ b/deploy/example-webhook/templates/deployment.yaml
@ -1,72 +0,0 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: {{ include "dnsimple-webhook.fullname" . }}
  labels:
    app: {{ include "dnsimple-webhook.name" . }}
    chart: {{ include "dnsimple-webhook.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
 spec:
  replicas: {{ .Values.replicaCount }}
  selector:
    matchLabels:
      app: {{ include "dnsimple-webhook.name" . }}
      release: {{ .Release.Name }}
  template:
    metadata:
      labels:
        app: {{ include "dnsimple-webhook.name" . }}
        release: {{ .Release.Name }}
    spec:
      serviceAccountName: {{ include "dnsimple-webhook.fullname" . }}
      containers:
        - name: {{ .Chart.Name }}
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          args:
            - --secure-port={{ .Values.containerport }}
            - --tls-cert-file=/tls/tls.crt
            - --tls-private-key-file=/tls/tls.key
 {{- if .Values.logLevel }}
            - --v={{ .Values.logLevel }}
 {{- end }}
          env:
            - name: GROUP_NAME
              value: {{ .Values.groupName | quote }}
          ports:
            - name: https
              containerPort: {{ .Values.containerport }}
              protocol: TCP
          livenessProbe:
            httpGet:
              scheme: HTTPS
              path: /healthz
              port: https
          readinessProbe:
            httpGet:
              scheme: HTTPS
              path: /healthz
              port: https
          volumeMounts:
            - name: certs
              mountPath: /tls
              readOnly: true
          resources:
 {{ toYaml .Values.resources | indent 12 }}
      volumes:
        - name: certs
          secret:
            secretName: {{ include "dnsimple-webhook.servingCertificate" . }}
    {{- with .Values.nodeSelector }}
      nodeSelector:
 {{ toYaml . | indent 8 }}
    {{- end }}
    {{- with .Values.affinity }}
      affinity:
 {{ toYaml . | indent 8 }}
    {{- end }}
    {{- with .Values.tolerations }}
      tolerations:
 {{ toYaml . | indent 8 }}
    {{- end }}
--- a/deploy/example-webhook/templates/pki.yaml
+++ b/deploy/example-webhook/templates/pki.yaml
@ -1,76 +0,0 @@
 ---
 # Create a selfsigned Issuer, in order to create a root CA certificate for
 # signing webhook serving certificates
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
  name: {{ include "dnsimple-webhook.selfSignedIssuer" . }}
  namespace: {{ .Release.Namespace | quote }}
  labels:
    app: {{ include "dnsimple-webhook.name" . }}
    chart: {{ include "dnsimple-webhook.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
 spec:
  selfSigned: {}
 ---
 # Generate a CA Certificate used to sign certificates for the webhook
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: {{ include "dnsimple-webhook.rootCACertificate" . }}
  namespace: {{ .Release.Namespace | quote }}
  labels:
    app: {{ include "dnsimple-webhook.name" . }}
    chart: {{ include "dnsimple-webhook.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
 spec:
  secretName: {{ include "dnsimple-webhook.rootCACertificate" . }}
  duration: 43800h # 5y
  issuerRef:
    name: {{ include "dnsimple-webhook.selfSignedIssuer" . }}
  commonName: "ca.dnsimple-webhook.cert-manager"
  isCA: true
 ---
 # Create an Issuer that uses the above generated CA certificate to issue certs
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
  name: {{ include "dnsimple-webhook.rootCAIssuer" . }}
  namespace: {{ .Release.Namespace | quote }}
  labels:
    app: {{ include "dnsimple-webhook.name" . }}
    chart: {{ include "dnsimple-webhook.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
 spec:
  ca:
    secretName: {{ include "dnsimple-webhook.rootCACertificate" . }}
 ---
 # Finally, generate a serving certificate for the webhook to use
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: {{ include "dnsimple-webhook.servingCertificate" . }}
  namespace: {{ .Release.Namespace | quote }}
  labels:
    app: {{ include "dnsimple-webhook.name" . }}
    chart: {{ include "dnsimple-webhook.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
 spec:
  secretName: {{ include "dnsimple-webhook.servingCertificate" . }}
  duration: 8760h # 1y
  issuerRef:
    name: {{ include "dnsimple-webhook.rootCAIssuer" . }}
  dnsNames:
    - {{ include "dnsimple-webhook.fullname" . }}
    - {{ include "dnsimple-webhook.fullname" . }}.{{ .Release.Namespace }}
    - {{ include "dnsimple-webhook.fullname" . }}.{{ .Release.Namespace }}.svc
--- a/deploy/example-webhook/templates/rbac.yaml
+++ b/deploy/example-webhook/templates/rbac.yaml
@ -1,116 +0,0 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: {{ include "dnsimple-webhook.fullname" . }}
  namespace: {{ .Release.Namespace | quote }}
  labels:
    app: {{ include "dnsimple-webhook.name" . }}
    chart: {{ include "dnsimple-webhook.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
 ---
 # Grant the webhook permission to read the api-token Secret in the specified namespace.
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  namespace: {{ .Release.Namespace | quote }}
  name: {{ include "dnsimple-webhook.fullname" . }}:access-secret
 rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "watch"]
 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: {{ include "dnsimple-webhook.fullname" . }}:access-secret
  namespace: {{ .Release.Namespace | quote }}
 subjects:
  - kind: ServiceAccount
    name: {{ include "dnsimple-webhook.fullname" . }}
    namespace: {{ .Release.Namespace | quote }}
 roleRef:
  kind: Role
  name: {{ include "dnsimple-webhook.fullname" . }}:access-secret
  apiGroup: rbac.authorization.k8s.io
 ---
 # Grant the webhook permission to read the ConfigMap containing the Kubernetes
 # apiserver's requestheader-ca-certificate.
 # This ConfigMap is automatically created by the Kubernetes apiserver.
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: {{ include "dnsimple-webhook.fullname" . }}:webhook-authentication-reader
  namespace: kube-system
  labels:
    app: {{ include "dnsimple-webhook.name" . }}
    chart: {{ include "dnsimple-webhook.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: extension-apiserver-authentication-reader
 subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: {{ include "dnsimple-webhook.fullname" . }}
    namespace: {{ .Release.Namespace }}
 ---
 # apiserver gets the auth-delegator role to delegate auth decisions to
 # the core apiserver
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: {{ include "dnsimple-webhook.fullname" . }}:auth-delegator
  labels:
    app: {{ include "dnsimple-webhook.name" . }}
    chart: {{ include "dnsimple-webhook.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
 subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: {{ include "dnsimple-webhook.fullname" . }}
    namespace: {{ .Release.Namespace }}
 ---
 # Grant cert-manager permission to validate using our apiserver
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: {{ include "dnsimple-webhook.fullname" . }}:domain-solver
  labels:
    app: {{ include "dnsimple-webhook.name" . }}
    chart: {{ include "dnsimple-webhook.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
 rules:
  - apiGroups:
      - {{ .Values.groupName }}
    resources:
      - '*'
    verbs:
      - 'create'
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: {{ include "dnsimple-webhook.fullname" . }}:domain-solver
  labels:
    app: {{ include "dnsimple-webhook.name" . }}
    chart: {{ include "dnsimple-webhook.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "dnsimple-webhook.fullname" . }}:domain-solver
 subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: {{ .Values.certManager.serviceAccountName }}
    namespace: {{ .Values.certManager.namespace }}
--- a/deploy/example-webhook/templates/service.yaml
+++ b/deploy/example-webhook/templates/service.yaml
@ -1,20 +0,0 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: {{ include "dnsimple-webhook.fullname" . }}
  namespace: {{ .Release.Namespace | quote }}
  labels:
    app: {{ include "dnsimple-webhook.name" . }}
    chart: {{ include "dnsimple-webhook.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
 spec:
  type: {{ .Values.service.type }}
  ports:
    - port: {{ .Values.service.port }}
      targetPort: {{ .Values.containerport }}
      protocol: TCP
      name: https
  selector:
    app: {{ include "dnsimple-webhook.name" . }}
    release: {{ .Release.Name }}
--- a/deploy/example-webhook/values.yaml
+++ b/deploy/example-webhook/values.yaml
@ -1,49 +0,0 @@
 # The GroupName here is used to identify your company or business unit that
 # created this webhook.
 # For example, this may be "acme.mycompany.com".
 # This name will need to be referenced in each Issuer's `webhook` stanza to
 # inform cert-manager of where to send ChallengePayload resources in order to
 # solve the DNS01 challenge.
 # This group name should be **unique**, hence using your own company's domain
 # here is recommended.
 groupName: acme.jahanson.com
 certManager:
  namespace: cert-manager
  serviceAccountName: cert-manager
 # logLevel: 3
 dnsimple:
  token: ""
 clusterIssuer:
  email: name@example.com
 image:
  repository: git.hsn.dev/jahanson/cert-manager-webhook-dnsimple
  tag: "0.0.3"
  pullPolicy: IfNotPresent
 nameOverride: ""
 fullnameOverride: ""
 service:
  type: ClusterIP
  port: 443
 containerport: 8443
 resources: {}
  # We usually recommend not to specify default resources and to leave this as a conscious
  # choice for the user. This also increases chances charts run on environments with little
  # resources, such as Minikube. If you do want to specify resources, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  # limits:
  #  cpu: 100m
  #  memory: 128Mi
  # requests:
  #  cpu: 100m
 #  memory: 128Mi
 nodeSelector: {}
 tolerations: []
 affinity: {}