Managing with bjw-s common app template.
This commit is contained in:
parent
cd138b48e6
commit
28ee268329
9 changed files with 0 additions and 437 deletions
|
@ -1,21 +0,0 @@
|
||||||
# Patterns to ignore when building packages.
|
|
||||||
# This supports shell glob matching, relative path matching, and
|
|
||||||
# negation (prefixed with !). Only one pattern per line.
|
|
||||||
.DS_Store
|
|
||||||
# Common VCS dirs
|
|
||||||
.git/
|
|
||||||
.gitignore
|
|
||||||
.bzr/
|
|
||||||
.bzrignore
|
|
||||||
.hg/
|
|
||||||
.hgignore
|
|
||||||
.svn/
|
|
||||||
# Common backup files
|
|
||||||
*.swp
|
|
||||||
*.bak
|
|
||||||
*.tmp
|
|
||||||
*~
|
|
||||||
# Various IDEs
|
|
||||||
.project
|
|
||||||
.idea/
|
|
||||||
*.tmproj
|
|
|
@ -1,12 +0,0 @@
|
||||||
apiVersion: v1
|
|
||||||
appVersion: "0.0.1"
|
|
||||||
description: cert-manager webhook solver for ACME DNS01 challenge via DNSimple
|
|
||||||
name: cert-manager-webhook-dnsimple
|
|
||||||
version: 0.0.1
|
|
||||||
home: https://github.com/jahanson/cert-manager-webhook-dnsimple
|
|
||||||
sources:
|
|
||||||
- https://github.com/jahanson/cert-manager-webhook-dnsimple
|
|
||||||
maintainers:
|
|
||||||
- name: Joseph Hanson
|
|
||||||
email: joe@veri.dev
|
|
||||||
url: https://hsn.dev
|
|
|
@ -1,52 +0,0 @@
|
||||||
{{/* vim: set filetype=mustache: */}}
|
|
||||||
{{/*
|
|
||||||
Expand the name of the chart.
|
|
||||||
*/}}
|
|
||||||
{{- define "dnsimple-webhook.name" -}}
|
|
||||||
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{/*
|
|
||||||
Create a default fully qualified app name.
|
|
||||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
|
||||||
If release name contains chart name it will be used as a full name.
|
|
||||||
*/}}
|
|
||||||
{{- define "dnsimple-webhook.fullname" -}}
|
|
||||||
{{- if .Values.fullnameOverride -}}
|
|
||||||
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
|
|
||||||
{{- else -}}
|
|
||||||
{{- $name := default .Chart.Name .Values.nameOverride -}}
|
|
||||||
{{- if contains $name .Release.Name -}}
|
|
||||||
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
|
|
||||||
{{- else -}}
|
|
||||||
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
|
|
||||||
{{- end -}}
|
|
||||||
{{- end -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{/*
|
|
||||||
Create chart name and version as used by the chart label.
|
|
||||||
*/}}
|
|
||||||
{{- define "dnsimple-webhook.chart" -}}
|
|
||||||
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{- define "dnsimple-webhook.selfSignedIssuer" -}}
|
|
||||||
{{ printf "%s-selfsign" (include "dnsimple-webhook.fullname" .) }}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{- define "dnsimple-webhook.rootCAIssuer" -}}
|
|
||||||
{{ printf "%s-ca" (include "dnsimple-webhook.fullname" .) }}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{- define "dnsimple-webhook.rootCACertificate" -}}
|
|
||||||
{{ printf "%s-ca" (include "dnsimple-webhook.fullname" .) }}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{- define "dnsimple-webhook.servingCertificate" -}}
|
|
||||||
{{ printf "%s-webhook-tls" (include "dnsimple-webhook.fullname" .) }}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{- define "dnsimple-webhook.tokenSecretName" -}}
|
|
||||||
{{- default (include "dnsimple-webhook.fullname" .) (.Values.dnsimple.tokenSecretName) -}}
|
|
||||||
{{- end -}}
|
|
|
@ -1,19 +0,0 @@
|
||||||
apiVersion: apiregistration.k8s.io/v1
|
|
||||||
kind: APIService
|
|
||||||
metadata:
|
|
||||||
name: v1alpha1.{{ .Values.groupName }}
|
|
||||||
labels:
|
|
||||||
app: {{ include "dnsimple-webhook.name" . }}
|
|
||||||
chart: {{ include "dnsimple-webhook.chart" . }}
|
|
||||||
release: {{ .Release.Name }}
|
|
||||||
heritage: {{ .Release.Service }}
|
|
||||||
annotations:
|
|
||||||
cert-manager.io/inject-ca-from: "{{ .Release.Namespace }}/{{ include "dnsimple-webhook.servingCertificate" . }}"
|
|
||||||
spec:
|
|
||||||
group: {{ .Values.groupName }}
|
|
||||||
groupPriorityMinimum: 1000
|
|
||||||
versionPriority: 15
|
|
||||||
service:
|
|
||||||
name: {{ include "dnsimple-webhook.fullname" . }}
|
|
||||||
namespace: {{ .Release.Namespace }}
|
|
||||||
version: v1alpha1
|
|
|
@ -1,72 +0,0 @@
|
||||||
apiVersion: apps/v1
|
|
||||||
kind: Deployment
|
|
||||||
metadata:
|
|
||||||
name: {{ include "dnsimple-webhook.fullname" . }}
|
|
||||||
labels:
|
|
||||||
app: {{ include "dnsimple-webhook.name" . }}
|
|
||||||
chart: {{ include "dnsimple-webhook.chart" . }}
|
|
||||||
release: {{ .Release.Name }}
|
|
||||||
heritage: {{ .Release.Service }}
|
|
||||||
spec:
|
|
||||||
replicas: {{ .Values.replicaCount }}
|
|
||||||
selector:
|
|
||||||
matchLabels:
|
|
||||||
app: {{ include "dnsimple-webhook.name" . }}
|
|
||||||
release: {{ .Release.Name }}
|
|
||||||
template:
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
app: {{ include "dnsimple-webhook.name" . }}
|
|
||||||
release: {{ .Release.Name }}
|
|
||||||
spec:
|
|
||||||
serviceAccountName: {{ include "dnsimple-webhook.fullname" . }}
|
|
||||||
containers:
|
|
||||||
- name: {{ .Chart.Name }}
|
|
||||||
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
|
|
||||||
imagePullPolicy: {{ .Values.image.pullPolicy }}
|
|
||||||
args:
|
|
||||||
- --secure-port={{ .Values.containerport }}
|
|
||||||
- --tls-cert-file=/tls/tls.crt
|
|
||||||
- --tls-private-key-file=/tls/tls.key
|
|
||||||
{{- if .Values.logLevel }}
|
|
||||||
- --v={{ .Values.logLevel }}
|
|
||||||
{{- end }}
|
|
||||||
env:
|
|
||||||
- name: GROUP_NAME
|
|
||||||
value: {{ .Values.groupName | quote }}
|
|
||||||
ports:
|
|
||||||
- name: https
|
|
||||||
containerPort: {{ .Values.containerport }}
|
|
||||||
protocol: TCP
|
|
||||||
livenessProbe:
|
|
||||||
httpGet:
|
|
||||||
scheme: HTTPS
|
|
||||||
path: /healthz
|
|
||||||
port: https
|
|
||||||
readinessProbe:
|
|
||||||
httpGet:
|
|
||||||
scheme: HTTPS
|
|
||||||
path: /healthz
|
|
||||||
port: https
|
|
||||||
volumeMounts:
|
|
||||||
- name: certs
|
|
||||||
mountPath: /tls
|
|
||||||
readOnly: true
|
|
||||||
resources:
|
|
||||||
{{ toYaml .Values.resources | indent 12 }}
|
|
||||||
volumes:
|
|
||||||
- name: certs
|
|
||||||
secret:
|
|
||||||
secretName: {{ include "dnsimple-webhook.servingCertificate" . }}
|
|
||||||
{{- with .Values.nodeSelector }}
|
|
||||||
nodeSelector:
|
|
||||||
{{ toYaml . | indent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.affinity }}
|
|
||||||
affinity:
|
|
||||||
{{ toYaml . | indent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.tolerations }}
|
|
||||||
tolerations:
|
|
||||||
{{ toYaml . | indent 8 }}
|
|
||||||
{{- end }}
|
|
|
@ -1,76 +0,0 @@
|
||||||
---
|
|
||||||
# Create a selfsigned Issuer, in order to create a root CA certificate for
|
|
||||||
# signing webhook serving certificates
|
|
||||||
apiVersion: cert-manager.io/v1
|
|
||||||
kind: Issuer
|
|
||||||
metadata:
|
|
||||||
name: {{ include "dnsimple-webhook.selfSignedIssuer" . }}
|
|
||||||
namespace: {{ .Release.Namespace | quote }}
|
|
||||||
labels:
|
|
||||||
app: {{ include "dnsimple-webhook.name" . }}
|
|
||||||
chart: {{ include "dnsimple-webhook.chart" . }}
|
|
||||||
release: {{ .Release.Name }}
|
|
||||||
heritage: {{ .Release.Service }}
|
|
||||||
spec:
|
|
||||||
selfSigned: {}
|
|
||||||
|
|
||||||
---
|
|
||||||
|
|
||||||
# Generate a CA Certificate used to sign certificates for the webhook
|
|
||||||
apiVersion: cert-manager.io/v1
|
|
||||||
kind: Certificate
|
|
||||||
metadata:
|
|
||||||
name: {{ include "dnsimple-webhook.rootCACertificate" . }}
|
|
||||||
namespace: {{ .Release.Namespace | quote }}
|
|
||||||
labels:
|
|
||||||
app: {{ include "dnsimple-webhook.name" . }}
|
|
||||||
chart: {{ include "dnsimple-webhook.chart" . }}
|
|
||||||
release: {{ .Release.Name }}
|
|
||||||
heritage: {{ .Release.Service }}
|
|
||||||
spec:
|
|
||||||
secretName: {{ include "dnsimple-webhook.rootCACertificate" . }}
|
|
||||||
duration: 43800h # 5y
|
|
||||||
issuerRef:
|
|
||||||
name: {{ include "dnsimple-webhook.selfSignedIssuer" . }}
|
|
||||||
commonName: "ca.dnsimple-webhook.cert-manager"
|
|
||||||
isCA: true
|
|
||||||
|
|
||||||
---
|
|
||||||
|
|
||||||
# Create an Issuer that uses the above generated CA certificate to issue certs
|
|
||||||
apiVersion: cert-manager.io/v1
|
|
||||||
kind: Issuer
|
|
||||||
metadata:
|
|
||||||
name: {{ include "dnsimple-webhook.rootCAIssuer" . }}
|
|
||||||
namespace: {{ .Release.Namespace | quote }}
|
|
||||||
labels:
|
|
||||||
app: {{ include "dnsimple-webhook.name" . }}
|
|
||||||
chart: {{ include "dnsimple-webhook.chart" . }}
|
|
||||||
release: {{ .Release.Name }}
|
|
||||||
heritage: {{ .Release.Service }}
|
|
||||||
spec:
|
|
||||||
ca:
|
|
||||||
secretName: {{ include "dnsimple-webhook.rootCACertificate" . }}
|
|
||||||
|
|
||||||
---
|
|
||||||
|
|
||||||
# Finally, generate a serving certificate for the webhook to use
|
|
||||||
apiVersion: cert-manager.io/v1
|
|
||||||
kind: Certificate
|
|
||||||
metadata:
|
|
||||||
name: {{ include "dnsimple-webhook.servingCertificate" . }}
|
|
||||||
namespace: {{ .Release.Namespace | quote }}
|
|
||||||
labels:
|
|
||||||
app: {{ include "dnsimple-webhook.name" . }}
|
|
||||||
chart: {{ include "dnsimple-webhook.chart" . }}
|
|
||||||
release: {{ .Release.Name }}
|
|
||||||
heritage: {{ .Release.Service }}
|
|
||||||
spec:
|
|
||||||
secretName: {{ include "dnsimple-webhook.servingCertificate" . }}
|
|
||||||
duration: 8760h # 1y
|
|
||||||
issuerRef:
|
|
||||||
name: {{ include "dnsimple-webhook.rootCAIssuer" . }}
|
|
||||||
dnsNames:
|
|
||||||
- {{ include "dnsimple-webhook.fullname" . }}
|
|
||||||
- {{ include "dnsimple-webhook.fullname" . }}.{{ .Release.Namespace }}
|
|
||||||
- {{ include "dnsimple-webhook.fullname" . }}.{{ .Release.Namespace }}.svc
|
|
|
@ -1,116 +0,0 @@
|
||||||
apiVersion: v1
|
|
||||||
kind: ServiceAccount
|
|
||||||
metadata:
|
|
||||||
name: {{ include "dnsimple-webhook.fullname" . }}
|
|
||||||
namespace: {{ .Release.Namespace | quote }}
|
|
||||||
labels:
|
|
||||||
app: {{ include "dnsimple-webhook.name" . }}
|
|
||||||
chart: {{ include "dnsimple-webhook.chart" . }}
|
|
||||||
release: {{ .Release.Name }}
|
|
||||||
heritage: {{ .Release.Service }}
|
|
||||||
---
|
|
||||||
# Grant the webhook permission to read the api-token Secret in the specified namespace.
|
|
||||||
kind: Role
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
metadata:
|
|
||||||
namespace: {{ .Release.Namespace | quote }}
|
|
||||||
name: {{ include "dnsimple-webhook.fullname" . }}:access-secret
|
|
||||||
rules:
|
|
||||||
- apiGroups: [""]
|
|
||||||
resources: ["secrets"]
|
|
||||||
verbs: ["get", "watch"]
|
|
||||||
---
|
|
||||||
kind: RoleBinding
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
metadata:
|
|
||||||
name: {{ include "dnsimple-webhook.fullname" . }}:access-secret
|
|
||||||
namespace: {{ .Release.Namespace | quote }}
|
|
||||||
subjects:
|
|
||||||
- kind: ServiceAccount
|
|
||||||
name: {{ include "dnsimple-webhook.fullname" . }}
|
|
||||||
namespace: {{ .Release.Namespace | quote }}
|
|
||||||
roleRef:
|
|
||||||
kind: Role
|
|
||||||
name: {{ include "dnsimple-webhook.fullname" . }}:access-secret
|
|
||||||
apiGroup: rbac.authorization.k8s.io
|
|
||||||
---
|
|
||||||
# Grant the webhook permission to read the ConfigMap containing the Kubernetes
|
|
||||||
# apiserver's requestheader-ca-certificate.
|
|
||||||
# This ConfigMap is automatically created by the Kubernetes apiserver.
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
kind: RoleBinding
|
|
||||||
metadata:
|
|
||||||
name: {{ include "dnsimple-webhook.fullname" . }}:webhook-authentication-reader
|
|
||||||
namespace: kube-system
|
|
||||||
labels:
|
|
||||||
app: {{ include "dnsimple-webhook.name" . }}
|
|
||||||
chart: {{ include "dnsimple-webhook.chart" . }}
|
|
||||||
release: {{ .Release.Name }}
|
|
||||||
heritage: {{ .Release.Service }}
|
|
||||||
roleRef:
|
|
||||||
apiGroup: rbac.authorization.k8s.io
|
|
||||||
kind: Role
|
|
||||||
name: extension-apiserver-authentication-reader
|
|
||||||
subjects:
|
|
||||||
- apiGroup: ""
|
|
||||||
kind: ServiceAccount
|
|
||||||
name: {{ include "dnsimple-webhook.fullname" . }}
|
|
||||||
namespace: {{ .Release.Namespace }}
|
|
||||||
---
|
|
||||||
# apiserver gets the auth-delegator role to delegate auth decisions to
|
|
||||||
# the core apiserver
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
kind: ClusterRoleBinding
|
|
||||||
metadata:
|
|
||||||
name: {{ include "dnsimple-webhook.fullname" . }}:auth-delegator
|
|
||||||
labels:
|
|
||||||
app: {{ include "dnsimple-webhook.name" . }}
|
|
||||||
chart: {{ include "dnsimple-webhook.chart" . }}
|
|
||||||
release: {{ .Release.Name }}
|
|
||||||
heritage: {{ .Release.Service }}
|
|
||||||
roleRef:
|
|
||||||
apiGroup: rbac.authorization.k8s.io
|
|
||||||
kind: ClusterRole
|
|
||||||
name: system:auth-delegator
|
|
||||||
subjects:
|
|
||||||
- apiGroup: ""
|
|
||||||
kind: ServiceAccount
|
|
||||||
name: {{ include "dnsimple-webhook.fullname" . }}
|
|
||||||
namespace: {{ .Release.Namespace }}
|
|
||||||
---
|
|
||||||
# Grant cert-manager permission to validate using our apiserver
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
kind: ClusterRole
|
|
||||||
metadata:
|
|
||||||
name: {{ include "dnsimple-webhook.fullname" . }}:domain-solver
|
|
||||||
labels:
|
|
||||||
app: {{ include "dnsimple-webhook.name" . }}
|
|
||||||
chart: {{ include "dnsimple-webhook.chart" . }}
|
|
||||||
release: {{ .Release.Name }}
|
|
||||||
heritage: {{ .Release.Service }}
|
|
||||||
rules:
|
|
||||||
- apiGroups:
|
|
||||||
- {{ .Values.groupName }}
|
|
||||||
resources:
|
|
||||||
- '*'
|
|
||||||
verbs:
|
|
||||||
- 'create'
|
|
||||||
---
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
kind: ClusterRoleBinding
|
|
||||||
metadata:
|
|
||||||
name: {{ include "dnsimple-webhook.fullname" . }}:domain-solver
|
|
||||||
labels:
|
|
||||||
app: {{ include "dnsimple-webhook.name" . }}
|
|
||||||
chart: {{ include "dnsimple-webhook.chart" . }}
|
|
||||||
release: {{ .Release.Name }}
|
|
||||||
heritage: {{ .Release.Service }}
|
|
||||||
roleRef:
|
|
||||||
apiGroup: rbac.authorization.k8s.io
|
|
||||||
kind: ClusterRole
|
|
||||||
name: {{ include "dnsimple-webhook.fullname" . }}:domain-solver
|
|
||||||
subjects:
|
|
||||||
- apiGroup: ""
|
|
||||||
kind: ServiceAccount
|
|
||||||
name: {{ .Values.certManager.serviceAccountName }}
|
|
||||||
namespace: {{ .Values.certManager.namespace }}
|
|
|
@ -1,20 +0,0 @@
|
||||||
apiVersion: v1
|
|
||||||
kind: Service
|
|
||||||
metadata:
|
|
||||||
name: {{ include "dnsimple-webhook.fullname" . }}
|
|
||||||
namespace: {{ .Release.Namespace | quote }}
|
|
||||||
labels:
|
|
||||||
app: {{ include "dnsimple-webhook.name" . }}
|
|
||||||
chart: {{ include "dnsimple-webhook.chart" . }}
|
|
||||||
release: {{ .Release.Name }}
|
|
||||||
heritage: {{ .Release.Service }}
|
|
||||||
spec:
|
|
||||||
type: {{ .Values.service.type }}
|
|
||||||
ports:
|
|
||||||
- port: {{ .Values.service.port }}
|
|
||||||
targetPort: {{ .Values.containerport }}
|
|
||||||
protocol: TCP
|
|
||||||
name: https
|
|
||||||
selector:
|
|
||||||
app: {{ include "dnsimple-webhook.name" . }}
|
|
||||||
release: {{ .Release.Name }}
|
|
|
@ -1,49 +0,0 @@
|
||||||
# The GroupName here is used to identify your company or business unit that
|
|
||||||
# created this webhook.
|
|
||||||
# For example, this may be "acme.mycompany.com".
|
|
||||||
# This name will need to be referenced in each Issuer's `webhook` stanza to
|
|
||||||
# inform cert-manager of where to send ChallengePayload resources in order to
|
|
||||||
# solve the DNS01 challenge.
|
|
||||||
# This group name should be **unique**, hence using your own company's domain
|
|
||||||
# here is recommended.
|
|
||||||
groupName: acme.jahanson.com
|
|
||||||
|
|
||||||
certManager:
|
|
||||||
namespace: cert-manager
|
|
||||||
serviceAccountName: cert-manager
|
|
||||||
# logLevel: 3
|
|
||||||
dnsimple:
|
|
||||||
token: ""
|
|
||||||
clusterIssuer:
|
|
||||||
email: name@example.com
|
|
||||||
|
|
||||||
image:
|
|
||||||
repository: git.hsn.dev/jahanson/cert-manager-webhook-dnsimple
|
|
||||||
tag: "0.0.3"
|
|
||||||
pullPolicy: IfNotPresent
|
|
||||||
|
|
||||||
nameOverride: ""
|
|
||||||
fullnameOverride: ""
|
|
||||||
|
|
||||||
service:
|
|
||||||
type: ClusterIP
|
|
||||||
port: 443
|
|
||||||
containerport: 8443
|
|
||||||
|
|
||||||
resources: {}
|
|
||||||
# We usually recommend not to specify default resources and to leave this as a conscious
|
|
||||||
# choice for the user. This also increases chances charts run on environments with little
|
|
||||||
# resources, such as Minikube. If you do want to specify resources, uncomment the following
|
|
||||||
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
|
|
||||||
# limits:
|
|
||||||
# cpu: 100m
|
|
||||||
# memory: 128Mi
|
|
||||||
# requests:
|
|
||||||
# cpu: 100m
|
|
||||||
# memory: 128Mi
|
|
||||||
|
|
||||||
nodeSelector: {}
|
|
||||||
|
|
||||||
tolerations: []
|
|
||||||
|
|
||||||
affinity: {}
|
|
Loading…
Reference in a new issue