Managing with bjw-s common app template.
This commit is contained in:
parent
cd138b48e6
commit
28ee268329
9 changed files with 0 additions and 437 deletions
|
@ -1,21 +0,0 @@
|
|||
# Patterns to ignore when building packages.
|
||||
# This supports shell glob matching, relative path matching, and
|
||||
# negation (prefixed with !). Only one pattern per line.
|
||||
.DS_Store
|
||||
# Common VCS dirs
|
||||
.git/
|
||||
.gitignore
|
||||
.bzr/
|
||||
.bzrignore
|
||||
.hg/
|
||||
.hgignore
|
||||
.svn/
|
||||
# Common backup files
|
||||
*.swp
|
||||
*.bak
|
||||
*.tmp
|
||||
*~
|
||||
# Various IDEs
|
||||
.project
|
||||
.idea/
|
||||
*.tmproj
|
|
@ -1,12 +0,0 @@
|
|||
apiVersion: v1
|
||||
appVersion: "0.0.1"
|
||||
description: cert-manager webhook solver for ACME DNS01 challenge via DNSimple
|
||||
name: cert-manager-webhook-dnsimple
|
||||
version: 0.0.1
|
||||
home: https://github.com/jahanson/cert-manager-webhook-dnsimple
|
||||
sources:
|
||||
- https://github.com/jahanson/cert-manager-webhook-dnsimple
|
||||
maintainers:
|
||||
- name: Joseph Hanson
|
||||
email: joe@veri.dev
|
||||
url: https://hsn.dev
|
|
@ -1,52 +0,0 @@
|
|||
{{/* vim: set filetype=mustache: */}}
|
||||
{{/*
|
||||
Expand the name of the chart.
|
||||
*/}}
|
||||
{{- define "dnsimple-webhook.name" -}}
|
||||
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create a default fully qualified app name.
|
||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||
If release name contains chart name it will be used as a full name.
|
||||
*/}}
|
||||
{{- define "dnsimple-webhook.fullname" -}}
|
||||
{{- if .Values.fullnameOverride -}}
|
||||
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
|
||||
{{- else -}}
|
||||
{{- $name := default .Chart.Name .Values.nameOverride -}}
|
||||
{{- if contains $name .Release.Name -}}
|
||||
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
|
||||
{{- else -}}
|
||||
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create chart name and version as used by the chart label.
|
||||
*/}}
|
||||
{{- define "dnsimple-webhook.chart" -}}
|
||||
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "dnsimple-webhook.selfSignedIssuer" -}}
|
||||
{{ printf "%s-selfsign" (include "dnsimple-webhook.fullname" .) }}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "dnsimple-webhook.rootCAIssuer" -}}
|
||||
{{ printf "%s-ca" (include "dnsimple-webhook.fullname" .) }}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "dnsimple-webhook.rootCACertificate" -}}
|
||||
{{ printf "%s-ca" (include "dnsimple-webhook.fullname" .) }}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "dnsimple-webhook.servingCertificate" -}}
|
||||
{{ printf "%s-webhook-tls" (include "dnsimple-webhook.fullname" .) }}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "dnsimple-webhook.tokenSecretName" -}}
|
||||
{{- default (include "dnsimple-webhook.fullname" .) (.Values.dnsimple.tokenSecretName) -}}
|
||||
{{- end -}}
|
|
@ -1,19 +0,0 @@
|
|||
apiVersion: apiregistration.k8s.io/v1
|
||||
kind: APIService
|
||||
metadata:
|
||||
name: v1alpha1.{{ .Values.groupName }}
|
||||
labels:
|
||||
app: {{ include "dnsimple-webhook.name" . }}
|
||||
chart: {{ include "dnsimple-webhook.chart" . }}
|
||||
release: {{ .Release.Name }}
|
||||
heritage: {{ .Release.Service }}
|
||||
annotations:
|
||||
cert-manager.io/inject-ca-from: "{{ .Release.Namespace }}/{{ include "dnsimple-webhook.servingCertificate" . }}"
|
||||
spec:
|
||||
group: {{ .Values.groupName }}
|
||||
groupPriorityMinimum: 1000
|
||||
versionPriority: 15
|
||||
service:
|
||||
name: {{ include "dnsimple-webhook.fullname" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
version: v1alpha1
|
|
@ -1,72 +0,0 @@
|
|||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: {{ include "dnsimple-webhook.fullname" . }}
|
||||
labels:
|
||||
app: {{ include "dnsimple-webhook.name" . }}
|
||||
chart: {{ include "dnsimple-webhook.chart" . }}
|
||||
release: {{ .Release.Name }}
|
||||
heritage: {{ .Release.Service }}
|
||||
spec:
|
||||
replicas: {{ .Values.replicaCount }}
|
||||
selector:
|
||||
matchLabels:
|
||||
app: {{ include "dnsimple-webhook.name" . }}
|
||||
release: {{ .Release.Name }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: {{ include "dnsimple-webhook.name" . }}
|
||||
release: {{ .Release.Name }}
|
||||
spec:
|
||||
serviceAccountName: {{ include "dnsimple-webhook.fullname" . }}
|
||||
containers:
|
||||
- name: {{ .Chart.Name }}
|
||||
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
|
||||
imagePullPolicy: {{ .Values.image.pullPolicy }}
|
||||
args:
|
||||
- --secure-port={{ .Values.containerport }}
|
||||
- --tls-cert-file=/tls/tls.crt
|
||||
- --tls-private-key-file=/tls/tls.key
|
||||
{{- if .Values.logLevel }}
|
||||
- --v={{ .Values.logLevel }}
|
||||
{{- end }}
|
||||
env:
|
||||
- name: GROUP_NAME
|
||||
value: {{ .Values.groupName | quote }}
|
||||
ports:
|
||||
- name: https
|
||||
containerPort: {{ .Values.containerport }}
|
||||
protocol: TCP
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
scheme: HTTPS
|
||||
path: /healthz
|
||||
port: https
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
scheme: HTTPS
|
||||
path: /healthz
|
||||
port: https
|
||||
volumeMounts:
|
||||
- name: certs
|
||||
mountPath: /tls
|
||||
readOnly: true
|
||||
resources:
|
||||
{{ toYaml .Values.resources | indent 12 }}
|
||||
volumes:
|
||||
- name: certs
|
||||
secret:
|
||||
secretName: {{ include "dnsimple-webhook.servingCertificate" . }}
|
||||
{{- with .Values.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{ toYaml . | indent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.affinity }}
|
||||
affinity:
|
||||
{{ toYaml . | indent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.tolerations }}
|
||||
tolerations:
|
||||
{{ toYaml . | indent 8 }}
|
||||
{{- end }}
|
|
@ -1,76 +0,0 @@
|
|||
---
|
||||
# Create a selfsigned Issuer, in order to create a root CA certificate for
|
||||
# signing webhook serving certificates
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: Issuer
|
||||
metadata:
|
||||
name: {{ include "dnsimple-webhook.selfSignedIssuer" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels:
|
||||
app: {{ include "dnsimple-webhook.name" . }}
|
||||
chart: {{ include "dnsimple-webhook.chart" . }}
|
||||
release: {{ .Release.Name }}
|
||||
heritage: {{ .Release.Service }}
|
||||
spec:
|
||||
selfSigned: {}
|
||||
|
||||
---
|
||||
|
||||
# Generate a CA Certificate used to sign certificates for the webhook
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: Certificate
|
||||
metadata:
|
||||
name: {{ include "dnsimple-webhook.rootCACertificate" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels:
|
||||
app: {{ include "dnsimple-webhook.name" . }}
|
||||
chart: {{ include "dnsimple-webhook.chart" . }}
|
||||
release: {{ .Release.Name }}
|
||||
heritage: {{ .Release.Service }}
|
||||
spec:
|
||||
secretName: {{ include "dnsimple-webhook.rootCACertificate" . }}
|
||||
duration: 43800h # 5y
|
||||
issuerRef:
|
||||
name: {{ include "dnsimple-webhook.selfSignedIssuer" . }}
|
||||
commonName: "ca.dnsimple-webhook.cert-manager"
|
||||
isCA: true
|
||||
|
||||
---
|
||||
|
||||
# Create an Issuer that uses the above generated CA certificate to issue certs
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: Issuer
|
||||
metadata:
|
||||
name: {{ include "dnsimple-webhook.rootCAIssuer" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels:
|
||||
app: {{ include "dnsimple-webhook.name" . }}
|
||||
chart: {{ include "dnsimple-webhook.chart" . }}
|
||||
release: {{ .Release.Name }}
|
||||
heritage: {{ .Release.Service }}
|
||||
spec:
|
||||
ca:
|
||||
secretName: {{ include "dnsimple-webhook.rootCACertificate" . }}
|
||||
|
||||
---
|
||||
|
||||
# Finally, generate a serving certificate for the webhook to use
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: Certificate
|
||||
metadata:
|
||||
name: {{ include "dnsimple-webhook.servingCertificate" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels:
|
||||
app: {{ include "dnsimple-webhook.name" . }}
|
||||
chart: {{ include "dnsimple-webhook.chart" . }}
|
||||
release: {{ .Release.Name }}
|
||||
heritage: {{ .Release.Service }}
|
||||
spec:
|
||||
secretName: {{ include "dnsimple-webhook.servingCertificate" . }}
|
||||
duration: 8760h # 1y
|
||||
issuerRef:
|
||||
name: {{ include "dnsimple-webhook.rootCAIssuer" . }}
|
||||
dnsNames:
|
||||
- {{ include "dnsimple-webhook.fullname" . }}
|
||||
- {{ include "dnsimple-webhook.fullname" . }}.{{ .Release.Namespace }}
|
||||
- {{ include "dnsimple-webhook.fullname" . }}.{{ .Release.Namespace }}.svc
|
|
@ -1,116 +0,0 @@
|
|||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: {{ include "dnsimple-webhook.fullname" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels:
|
||||
app: {{ include "dnsimple-webhook.name" . }}
|
||||
chart: {{ include "dnsimple-webhook.chart" . }}
|
||||
release: {{ .Release.Name }}
|
||||
heritage: {{ .Release.Service }}
|
||||
---
|
||||
# Grant the webhook permission to read the api-token Secret in the specified namespace.
|
||||
kind: Role
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
name: {{ include "dnsimple-webhook.fullname" . }}:access-secret
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["get", "watch"]
|
||||
---
|
||||
kind: RoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: {{ include "dnsimple-webhook.fullname" . }}:access-secret
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ include "dnsimple-webhook.fullname" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
roleRef:
|
||||
kind: Role
|
||||
name: {{ include "dnsimple-webhook.fullname" . }}:access-secret
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
---
|
||||
# Grant the webhook permission to read the ConfigMap containing the Kubernetes
|
||||
# apiserver's requestheader-ca-certificate.
|
||||
# This ConfigMap is automatically created by the Kubernetes apiserver.
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: {{ include "dnsimple-webhook.fullname" . }}:webhook-authentication-reader
|
||||
namespace: kube-system
|
||||
labels:
|
||||
app: {{ include "dnsimple-webhook.name" . }}
|
||||
chart: {{ include "dnsimple-webhook.chart" . }}
|
||||
release: {{ .Release.Name }}
|
||||
heritage: {{ .Release.Service }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: extension-apiserver-authentication-reader
|
||||
subjects:
|
||||
- apiGroup: ""
|
||||
kind: ServiceAccount
|
||||
name: {{ include "dnsimple-webhook.fullname" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
---
|
||||
# apiserver gets the auth-delegator role to delegate auth decisions to
|
||||
# the core apiserver
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: {{ include "dnsimple-webhook.fullname" . }}:auth-delegator
|
||||
labels:
|
||||
app: {{ include "dnsimple-webhook.name" . }}
|
||||
chart: {{ include "dnsimple-webhook.chart" . }}
|
||||
release: {{ .Release.Name }}
|
||||
heritage: {{ .Release.Service }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: system:auth-delegator
|
||||
subjects:
|
||||
- apiGroup: ""
|
||||
kind: ServiceAccount
|
||||
name: {{ include "dnsimple-webhook.fullname" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
---
|
||||
# Grant cert-manager permission to validate using our apiserver
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: {{ include "dnsimple-webhook.fullname" . }}:domain-solver
|
||||
labels:
|
||||
app: {{ include "dnsimple-webhook.name" . }}
|
||||
chart: {{ include "dnsimple-webhook.chart" . }}
|
||||
release: {{ .Release.Name }}
|
||||
heritage: {{ .Release.Service }}
|
||||
rules:
|
||||
- apiGroups:
|
||||
- {{ .Values.groupName }}
|
||||
resources:
|
||||
- '*'
|
||||
verbs:
|
||||
- 'create'
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: {{ include "dnsimple-webhook.fullname" . }}:domain-solver
|
||||
labels:
|
||||
app: {{ include "dnsimple-webhook.name" . }}
|
||||
chart: {{ include "dnsimple-webhook.chart" . }}
|
||||
release: {{ .Release.Name }}
|
||||
heritage: {{ .Release.Service }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ include "dnsimple-webhook.fullname" . }}:domain-solver
|
||||
subjects:
|
||||
- apiGroup: ""
|
||||
kind: ServiceAccount
|
||||
name: {{ .Values.certManager.serviceAccountName }}
|
||||
namespace: {{ .Values.certManager.namespace }}
|
|
@ -1,20 +0,0 @@
|
|||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: {{ include "dnsimple-webhook.fullname" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels:
|
||||
app: {{ include "dnsimple-webhook.name" . }}
|
||||
chart: {{ include "dnsimple-webhook.chart" . }}
|
||||
release: {{ .Release.Name }}
|
||||
heritage: {{ .Release.Service }}
|
||||
spec:
|
||||
type: {{ .Values.service.type }}
|
||||
ports:
|
||||
- port: {{ .Values.service.port }}
|
||||
targetPort: {{ .Values.containerport }}
|
||||
protocol: TCP
|
||||
name: https
|
||||
selector:
|
||||
app: {{ include "dnsimple-webhook.name" . }}
|
||||
release: {{ .Release.Name }}
|
|
@ -1,49 +0,0 @@
|
|||
# The GroupName here is used to identify your company or business unit that
|
||||
# created this webhook.
|
||||
# For example, this may be "acme.mycompany.com".
|
||||
# This name will need to be referenced in each Issuer's `webhook` stanza to
|
||||
# inform cert-manager of where to send ChallengePayload resources in order to
|
||||
# solve the DNS01 challenge.
|
||||
# This group name should be **unique**, hence using your own company's domain
|
||||
# here is recommended.
|
||||
groupName: acme.jahanson.com
|
||||
|
||||
certManager:
|
||||
namespace: cert-manager
|
||||
serviceAccountName: cert-manager
|
||||
# logLevel: 3
|
||||
dnsimple:
|
||||
token: ""
|
||||
clusterIssuer:
|
||||
email: name@example.com
|
||||
|
||||
image:
|
||||
repository: git.hsn.dev/jahanson/cert-manager-webhook-dnsimple
|
||||
tag: "0.0.3"
|
||||
pullPolicy: IfNotPresent
|
||||
|
||||
nameOverride: ""
|
||||
fullnameOverride: ""
|
||||
|
||||
service:
|
||||
type: ClusterIP
|
||||
port: 443
|
||||
containerport: 8443
|
||||
|
||||
resources: {}
|
||||
# We usually recommend not to specify default resources and to leave this as a conscious
|
||||
# choice for the user. This also increases chances charts run on environments with little
|
||||
# resources, such as Minikube. If you do want to specify resources, uncomment the following
|
||||
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
|
||||
# limits:
|
||||
# cpu: 100m
|
||||
# memory: 128Mi
|
||||
# requests:
|
||||
# cpu: 100m
|
||||
# memory: 128Mi
|
||||
|
||||
nodeSelector: {}
|
||||
|
||||
tolerations: []
|
||||
|
||||
affinity: {}
|
Loading…
Reference in a new issue