From 8b39dc81fceb4cfa9fe3286d66ccfa2cb8a31211 Mon Sep 17 00:00:00 2001
From: Joseph Hanson
Date: Wed, 3 Apr 2024 12:29:01 -0500
Subject: [PATCH] Adding DNSimple cert-manager dns01 webhook.
---
 .../apps/cert-manager/kustomization.yaml | 1 +
 .../webhook-dnsimple/app/apiservice.yaml | 16 +++
 .../webhook-dnsimple/app/helmrelease.yaml | 59 ++++++++++
 .../webhook-dnsimple/app/kustomization.yaml | 9 ++
 .../webhook-dnsimple/app/pki.yaml | 62 +++++++++++
 .../webhook-dnsimple/app/rbac.yaml | 101 ++++++++++++++++++
 .../cert-manager/webhook-dnsimple/ks.yaml | 15 +++
 7 files changed, 263 insertions(+)
 create mode 100644 kubernetes/apps/cert-manager/webhook-dnsimple/app/apiservice.yaml
 create mode 100644 kubernetes/apps/cert-manager/webhook-dnsimple/app/helmrelease.yaml
 create mode 100644 kubernetes/apps/cert-manager/webhook-dnsimple/app/kustomization.yaml
 create mode 100644 kubernetes/apps/cert-manager/webhook-dnsimple/app/pki.yaml
 create mode 100644 kubernetes/apps/cert-manager/webhook-dnsimple/app/rbac.yaml
 create mode 100644 kubernetes/apps/cert-manager/webhook-dnsimple/ks.yaml
diff --git a/kubernetes/apps/cert-manager/kustomization.yaml b/kubernetes/apps/cert-manager/kustomization.yaml
index a298983..dd27359 100644
--- a/kubernetes/apps/cert-manager/kustomization.yaml
+++ b/kubernetes/apps/cert-manager/kustomization.yaml
@@ -7,3 +7,4 @@ resources:
 - ./namespace.yaml
 # Flux-Kustomizations
 - ./cert-manager/ks.yaml
+ - ./webhook-dnsimple/ks.yaml
diff --git a/kubernetes/apps/cert-manager/webhook-dnsimple/app/apiservice.yaml b/kubernetes/apps/cert-manager/webhook-dnsimple/app/apiservice.yaml
new file mode 100644
index 0000000..58ee272
--- /dev/null
+++ b/kubernetes/apps/cert-manager/webhook-dnsimple/app/apiservice.yaml
@@ -0,0 +1,16 @@
+apiVersion: apiregistration.k8s.io/v1
+kind: APIService
+metadata:
+ name: v1alpha1.acme.hsn.dev
+ labels:
+ app: cert-manager-webhook-dnsimple
+ annotations:
+ cert-manager.io/inject-ca-from: "cert-manager/webhook-dnsimple-webhook-tls"
+spec:
+ group: acme.hsn.dev
+ groupPriorityMinimum: 1000
+ versionPriority: 15
+ service:
+ name: webhook-dnsimple
+ namespace: cert-manager
+ version: v1alpha1
\ No newline at end of file
diff --git a/kubernetes/apps/cert-manager/webhook-dnsimple/app/helmrelease.yaml b/kubernetes/apps/cert-manager/webhook-dnsimple/app/helmrelease.yaml
new file mode 100644
index 0000000..4ddd8a9
--- /dev/null
+++ b/kubernetes/apps/cert-manager/webhook-dnsimple/app/helmrelease.yaml
@@ -0,0 +1,59 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+ name: webhook-dnsimple
+spec:
+ chart:
+ spec:
+ chart: app-template
+ version: 3.0.4
+ interval: 30m
+ sourceRef:
+ kind: HelmRepository
+ name: bjw-s
+ namespace: flux-system
+ interval: 30m
+ install:
+ remediation:
+ retries: 3
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ retries: 3
+ strategy: rollback
+ values:
+ controllers:
+ webhook-dnsimple:
+ strategy: RollingUpdate
+ annotations:
+ reloader.stakater.com/auto: "true"
+ containers:
+ app:
+ image:
+ repository: git.hsn.dev/jahanson/cert-manager-webhook-dnsimple
+ tag: v0.0.1
+ args:
+ - --secure-port=8443
+ - --tls-cert-file=/tls/tls.crt
+ - --tls-private-key-file=/tls/tls.key
+ env:
+ - name: GROUP_NAME
+ value: "acme.hsn.dev"
+ resources:
+ requests:
+ cpu: 23m
+ memory: 249M
+ probes:
+ liveness:
+ enabled: true
+ readiness:
+ enabled: true
+ persistence:
+ certs:
+ type: secret
+ name: webhook-dnsimple-webhook-tls
+ globalMounts:
+ - path: /tls
+ readOnly: true
\ No newline at end of file
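Review bot: The HelmRelease `values:` block sets no `serviceAccount`, so unless app-template 3.0.4 defaults differ from what I expect, the webhook pod runs under the namespace's `default` ServiceAccount rather than the `webhook-dnsimple` ServiceAccount that the `system:auth-delegator` and `extension-apiserver-authentication-reader` bindings in rbac.yaml are granted to, and the aggregated API server will be unable to perform TokenReview/SubjectAccessReview on incoming cert-manager requests. Add something like `serviceAccount: { create: false, name: webhook-dnsimple }` under `values:` (check the exact keys against the chart's schema referenced on line 2). I also see no `service:` block exposing port 8443, which the APIService's `service: { name: webhook-dnsimple }` reference depends on; confirm the chart does not create one implicitly. Since this container holds the serving private key and will be configured with a DNS provider token, consider a hardened `securityContext` (`runAsNonRoot: true`, `readOnlyRootFilesystem: true`, `capabilities: { drop: ["ALL"] }`).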
diff --git a/kubernetes/apps/cert-manager/webhook-dnsimple/app/kustomization.yaml b/kubernetes/apps/cert-manager/webhook-dnsimple/app/kustomization.yaml
new file mode 100644
index 0000000..fc2be73
--- /dev/null
+++ b/kubernetes/apps/cert-manager/webhook-dnsimple/app/kustomization.yaml
@@ -0,0 +1,9 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: cert-manager
+resources:
+ - ./apiservice.yaml
+ - ./helmrelease.yaml
+ - ./pki.yaml
diff --git a/kubernetes/apps/cert-manager/webhook-dnsimple/app/pki.yaml b/kubernetes/apps/cert-manager/webhook-dnsimple/app/pki.yaml
new file mode 100644
index 0000000..aef8fbe
--- /dev/null
+++ b/kubernetes/apps/cert-manager/webhook-dnsimple/app/pki.yaml
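Review bot: `resources:` lists apiservice, helmrelease and pki but not `./rbac.yaml`, so the ServiceAccount, ClusterRole, bindings and the secret-reading Role added in this same commit are never applied by Flux; add `  - ./rbac.yaml` to the list. Without it the `cert-manager` ServiceAccount has no `create` permission on the `acme.hsn.dev` group and every DNS-01 challenge call to the aggregated API will be rejected with 403, and the webhook itself cannot read the `extension-apiserver-authentication` ConfigMap it needs to validate callers.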
@@ -0,0 +1,62 @@
+---
+# yaml-language-server: $schema=https://ks.hsn.dev/cert-manager.io/issuer_v1.json
+# Create a selfsigned Issuer, in order to create a root CA certificate for
+# signing webhook serving certificates
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: webhook-dnsimple-selfsign
+ namespace: "cert-manager"
+ labels:
+ app: cert-manager-webhook-dnsimple
+spec:
+ selfSigned: {}
+---
+# yaml-language-server: $schema=https://ks.hsn.dev/cert-manager.io/issuer_v1.json
+# Create an Issuer that uses the above generated CA certificate to issue certs
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: webhook-dnsimple-ca
+ namespace: "cert-manager"
+ labels:
+ app: cert-manager-webhook-dnsimple
+spec:
+ ca:
+ secretName: webhook-dnsimple-ca
+---
+# yaml-language-server: $schema=https://ks.hsn.dev/cert-manager.io/certificate_v1.json
+# Generate a CA Certificate used to sign certificates for the webhook
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: webhook-dnsimple-ca
+ namespace: "cert-manager"
+ labels:
+ app: cert-manager-webhook-dnsimple
+spec:
+ secretName: webhook-dnsimple-ca
+ duration: 43800h # 5y
+ issuerRef:
+ name: webhook-dnsimple-selfsign
+ commonName: "ca.dnsimple-webhook.cert-manager"
+ isCA: true
+---
+# yaml-language-server: $schema=https://ks.hsn.dev/cert-manager.io/certificate_v1.json
+# Finally, generate a serving certificate for the webhook to use
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: webhook-dnsimple-webhook-tls
+ namespace: "cert-manager"
+ labels:
+ app: cert-manager-webhook-dnsimple
+spec:
+ secretName: webhook-dnsimple-webhook-tls
+ duration: 8760h # 1y
+ issuerRef:
+ name: webhook-dnsimple-ca
+ dnsNames:
+ - webhook-dnsimple
+ - webhook-dnsimple.cert-manager
+ - webhook-dnsimple.cert-manager.svc
\ No newline at end of file
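Review bot: Neither Certificate sets `privateKey.rotationPolicy`, and cert-manager's default (`Never`) reuses the same private key on every renewal, so the serving key in `webhook-dnsimple-webhook-tls` is never rotated for the lifetime of the deployment even though the certificate is reissued yearly; add `privateKey: { rotationPolicy: Always }` to at least the serving Certificate. The CA Certificate also omits `usages` and `privateKey.algorithm`/`size`, so whatever the controller defaults to is what signs the webhook; pinning them (e.g. `privateKey: { algorithm: ECDSA, size: 256 }`) makes the trust chain explicit and reviewable. The `# 5y` / `# 1y` inline comments are correct for the hour values given.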
diff --git a/kubernetes/apps/cert-manager/webhook-dnsimple/app/rbac.yaml b/kubernetes/apps/cert-manager/webhook-dnsimple/app/rbac.yaml
new file mode 100644
index 0000000..332069d
--- /dev/null
+++ b/kubernetes/apps/cert-manager/webhook-dnsimple/app/rbac.yaml
@@ -0,0 +1,101 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: webhook-dnsimple
+ namespace: "cert-manager"
+ labels:
+ app: cert-manager-webhook-dnsimple
+---
+# Grant cert-manager permission to validate using our apiserver
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: webhook-dnsimple:domain-solver
+ labels:
+ app: cert-manager-webhook-dnsimple
+rules:
+ - apiGroups:
+ - acme.hsn.dev
+ resources:
+ - '*'
+ verbs:
+ - 'create'
+---
+# apiserver gets the auth-delegator role to delegate auth decisions to the core apiserver
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: webhook-dnsimple:auth-delegator
+ labels:
+ app: cert-manager-webhook-dnsimple
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:auth-delegator
+subjects:
+ - apiGroup: ""
+ kind: ServiceAccount
+ name: webhook-dnsimple
+ namespace: cert-manager
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: webhook-dnsimple:domain-solver
+ labels:
+ app: cert-manager-webhook-dnsimple
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: webhook-dnsimple:domain-solver
+subjects:
+ - apiGroup: ""
+ kind: ServiceAccount
+ name: cert-manager
+ namespace: cert-manager
+---
+# Grant the webhook permission to read the api-token Secret in the specified namespace. 
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ namespace: "cert-manager"
+ name: webhook-dnsimple:access-secret
+rules:
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "watch"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: webhook-dnsimple:access-secret
+ namespace: "cert-manager"
+subjects:
+- kind: ServiceAccount
+ name: webhook-dnsimple
+ namespace: "cert-manager"
+roleRef:
+ kind: Role
+ name: webhook-dnsimple:access-secret
+ apiGroup: rbac.authorization.k8s.io
+---
+# Grant the webhook permission to read the ConfigMap containing the Kubernetes
+# apiserver's requestheader-ca-certificate.
+# This ConfigMap is automatically created by the Kubernetes apiserver.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: webhook-dnsimple:webhook-authentication-reader
+ namespace: kube-system
+ labels:
+ app: cert-manager-webhook-dnsimple
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: extension-apiserver-authentication-reader
+subjects:
+ - apiGroup: ""
+ kind: ServiceAccount
+ name: webhook-dnsimple
+ namespace: cert-manager
diff --git a/kubernetes/apps/cert-manager/webhook-dnsimple/ks.yaml b/kubernetes/apps/cert-manager/webhook-dnsimple/ks.yaml
new file mode 100644
index 0000000..83d4c5c
--- /dev/null
+++ b/kubernetes/apps/cert-manager/webhook-dnsimple/ks.yaml
@@ -0,0 +1,15 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: cert-manager-webhook-dnsimple
+ namespace: flux-system
+spec:
+ interval: 10m
+ path: "./kubernetes/apps/cert-manager/webhook-dnsimple/app"
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: homelab
+ wait: true
\ No newline at end of file
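Review bot: The `webhook-dnsimple:access-secret` Role grants `get`/`watch` on every Secret in the `cert-manager` namespace, which includes the CA private key in `webhook-dnsimple-ca`, the webhook's own serving key, and any ACME account keys or other issuer credentials cert-manager stores there, while the comment above it says only the api-token Secret is needed. Scope the rule with `resourceNames: ["<api-token secret name>"]` (the secret is not created in this diff, so I cannot name it) and drop `watch` if the webhook only reads the token on demand. Separately, rbac.yaml is not listed in the app kustomization in this commit, so confirm these objects are actually applied.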
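Review bot: The Flux Kustomization has no `dependsOn`, yet its path contains `cert-manager.io` Issuers/Certificates and an APIService whose CA is injected by cert-manager, so on a fresh cluster this reconcile will fail (and with `wait: true`, stay failed until retry) until the cert-manager Kustomization referenced as `./cert-manager/ks.yaml` in the parent has installed the CRDs; add `dependsOn: [{ name: <that Kustomization's name> }]`. No `retryInterval` or `timeout` is set either, so the controller defaults apply; if the rest of the repo sets them, match that convention here so the webhook's health gating is consistent.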