diff --git a/.github/ct.yaml b/.github/ct-install.yaml similarity index 91% rename from .github/ct.yaml rename to .github/ct-install.yaml index 367c4cb3..1d637002 100644 --- a/.github/ct.yaml +++ b/.github/ct-install.yaml @@ -4,8 +4,8 @@ helm-extra-args: --timeout 600s chart-dirs: - charts excluded-charts: -- common - common-test +- dnsmadeeasy-webhook chart-repos: - bitnami=https://charts.bitnami.com/bitnami - k8s-at-home=https://k8s-at-home.com/charts diff --git a/.github/ct-lint.yaml b/.github/ct-lint.yaml new file mode 100644 index 00000000..9fda8101 --- /dev/null +++ b/.github/ct-lint.yaml @@ -0,0 +1,9 @@ +remote: origin +target-branch: master +helm-extra-args: --timeout 600s +chart-dirs: +- charts +excluded-charts: +chart-repos: +- bitnami=https://charts.bitnami.com/bitnami +- k8s-at-home=https://k8s-at-home.com/charts diff --git a/.github/workflows/charts-lint-test.yaml b/.github/workflows/charts-lint-test.yaml index d9814b3c..627c6866 100644 --- a/.github/workflows/charts-lint-test.yaml +++ b/.github/workflows/charts-lint-test.yaml @@ -37,19 +37,19 @@ jobs: - name: Run chart-testing (list-changed) id: list-changed run: | - changed=$(ct list-changed --config .github/ct.yaml) + changed=$(ct list-changed --config .github/ct-lint.yaml) if [[ -n "$changed" ]]; then echo "::set-output name=changed::true" fi - changed_unfiltered=$(ct list-changed --config .github/ct.yaml --excluded-charts "") + changed_unfiltered=$(ct list-changed --config .github/ct-lint.yaml --excluded-charts "") if [[ $(grep -E "^charts/common(-test)?$" <<< "$changed_unfiltered") ]]; then echo "::set-output name=common::true" fi - name: Run chart-testing (lint) id: lint - run: ct lint --config .github/ct.yaml --excluded-charts "" + run: ct lint --config .github/ct-lint.yaml --excluded-charts "" if: steps.list-changed.outputs.changed == 'true' || steps.list-changed.outputs.common == 'true' unittest: 
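Review bot: Adding `dnsmadeeasy-webhook` to `excluded-charts` in ct-install.yaml means the new chart is linted but never installed in CI, so its APIService, PKI and RBAC templates are only checked for rendering, not for whether they actually come up against a cluster. Presumably the exclusion exists because `ct install` has no cert-manager CRDs available; if so, say that next to the entry, e.g. `# needs cert-manager CRDs; not installable in the ct kind cluster` (`+- dnsmadeeasy-webhook`), so the gap is deliberate and revisited when the CI cluster gains cert-manager. Otherwise the untested install path is exactly where the chart's TLS wiring would fail silently.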
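Review bot: In the new ct-lint.yaml the bare `excluded-charts:` key parses as `null` rather than an empty list, which only works because the workflow additionally passes `--excluded-charts ""` on every `ct` call. Write the intent explicitly as `excluded-charts: []` so the config file stands on its own and a future caller without the flag override gets the same behaviour.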
@@ -111,10 +111,10 @@ jobs: if: needs.lint.outputs.changed == 'true' || needs.lint.outputs.common == 'true' - name: Run chart-testing (install) - run: ct install --config .github/ct.yaml --excluded-charts "" + run: ct install --config .github/ct-install.yaml if: needs.lint.outputs.changed == 'true' - name: Run chart-testing (common-test) run: | - ct install --config .github/ct.yaml --charts 'charts/common-test' + ct install --config .github/ct-install.yaml --charts 'charts/common-test' if: needs.lint.outputs.common == 'true' diff --git a/.taskfiles/Taskfile_chart.yml b/.taskfiles/Taskfile_chart.yml index c7cb6b51..0b98346f 100644 --- a/.taskfiles/Taskfile_chart.yml +++ b/.taskfiles/Taskfile_chart.yml @@ -37,7 +37,7 @@ tasks: ct-lint: desc: run `ct lint` on your chart code cmds: - - docker run --rm -it --user $(id -u):$(id -g) -e "HELM_CONFIG_HOME=/tmp/helm" -e "HELM_CACHE_HOME=/tmp/helm" -v {{.GIT_ROOT}}:/ci -w /ci quay.io/helmpack/chart-testing:latest ct lint --charts charts/{{.CHART}} --config /ci/.github/ct.yaml + - docker run --rm -it --user $(id -u):$(id -g) -e "HELM_CONFIG_HOME=/tmp/helm" -e "HELM_CACHE_HOME=/tmp/helm" -v {{.GIT_ROOT}}:/ci -w /ci quay.io/helmpack/chart-testing:latest ct lint --charts charts/{{.CHART}} --config /ci/.github/ct-lint.yaml deps: - check-chart - lint diff --git a/charts/dnsmadeeasy-webhook/.helmignore b/charts/dnsmadeeasy-webhook/.helmignore new file mode 100644 index 00000000..e559de0a --- /dev/null +++ b/charts/dnsmadeeasy-webhook/.helmignore @@ -0,0 +1,24 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ +# OWNERS file for Kubernetes +OWNERS 
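Review bot: The `ct-lint` task still runs `quay.io/helmpack/chart-testing:latest`, so local lint results depend on whatever tag was last pushed and can drift from the ct version CI pins (the workflow's setup step is outside this hunk, so I cannot confirm which version that is). Pin the image to an explicit version or digest, e.g. `quay.io/helmpack/chart-testing:v3.x.y` matching the workflow, so developers and CI lint with the same tool and an upstream tag hijack cannot change what runs against the mounted repo.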
diff --git a/charts/dnsmadeeasy-webhook/Chart.yaml b/charts/dnsmadeeasy-webhook/Chart.yaml new file mode 100644 index 00000000..13df8d69 --- /dev/null +++ b/charts/dnsmadeeasy-webhook/Chart.yaml @@ -0,0 +1,21 @@ +apiVersion: v2 +appVersion: 1.0.0 +description: Cert-Manager Webhook for DNSMadeEasy +name: dnsmadeeasy-webhook +version: 1.0.0 +keywords: +- cert-manager +- dnsmadeeasy +- letsencrypt +home: https://github.com/k8s-at-home/dnsmadeeasy-webhook +icon: https://pbs.twimg.com/profile_images/1759911243/dnsmeavatar_400x400.png +sources: +- https://github.com/k8s-at-home/dnsmadeeasy-webhook +- https://cert-manager.io +maintainers: +- name: angelnu + email: git@angelnu.com +dependencies: +- name: common + repository: https://k8s-at-home.com/charts/ + version: 3.1.0 diff --git a/charts/dnsmadeeasy-webhook/README.md b/charts/dnsmadeeasy-webhook/README.md new file mode 100644 index 00000000..d4dd05da --- /dev/null +++ b/charts/dnsmadeeasy-webhook/README.md 
@@ -0,0 +1,135 @@ +# dnsmadeeasy-webhook + +![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square) + +Cert-Manager Webhook for DNSMadeEasy + +**This chart is not maintained by the upstream project and any issues with the chart should be raised [here](https://github.com/k8s-at-home/charts/issues/new/choose)** + +## Source Code + +* +* + +## Requirements + +## Dependencies + +| Repository | Name | Version | +|------------|------|---------| +| https://k8s-at-home.com/charts/ | common | 3.1.0 | + +## TL;DR + +```console +helm repo add k8s-at-home https://k8s-at-home.com/charts/ +helm repo update +helm install dnsmadeeasy-webhook k8s-at-home/dnsmadeeasy-webhook +``` + +## Installing the Chart + +To install the chart with the release name `dnsmadeeasy-webhook` + +```console +helm install dnsmadeeasy-webhook k8s-at-home/dnsmadeeasy-webhook +``` + +## Uninstalling the Chart + +To uninstall the `dnsmadeeasy-webhook` deployment + +```console +helm uninstall dnsmadeeasy-webhook +``` + +The command removes all the Kubernetes components associated with the chart **including persistent volumes** and deletes the release. + +## Configuration + +Read through the [values.yaml](./values.yaml) file. It has several commented out suggested values. +Other values may be used from the [values.yaml](../common/values.yaml) from the [common library](../common). + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. + +```console +helm install dnsmadeeasy-webhook \ + --set env.TZ="America/New York" \ + k8s-at-home/dnsmadeeasy-webhook +``` + +Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. 
+ +```console +helm install dnsmadeeasy-webhook k8s-at-home/dnsmadeeasy-webhook -f values.yaml +``` + +## Custom configuration + +N/A + +## Values + +**Important**: When deploying an application Helm chart you can add more values from our common library chart [here](https://github.com/k8s-at-home/charts/tree/master/charts/common/) + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalVolumeMounts[0].mountPath | string | `"/tls"` | | +| additionalVolumeMounts[0].name | string | `"certs"` | | +| additionalVolumeMounts[0].readOnly | bool | `true` | | +| args | string | `"[\"--tls-cert-file=/tls/tls.crt\",\"--tls-private-key-file=/tls/tls.key\"]"` | | +| certManager.namespace | string | `"cert-manager"` | Namespace where the cert-manager operator was installed to | +| certManager.serviceAccountName | string | `"cert-manager"` | Service account used by the cert-manager | +| groupName | string | `"acme.mycompany.com"` | The GroupName here is used to identify your company or business unit that created this webhook. This name will need to be referenced in each Issuer's `webhook` stanza to inform cert-manager of where to send ChallengePayload resources in order to solve the DNS01 challenge. This group name should be **unique**, hence using your own company's domain here is recommended. 
| +| image.pullPolicy | string | `"IfNotPresent"` | Image pull policy | +| image.repository | string | `"ghcr.io/k8s-at-home/dnsmadeeasy-webhook"` | Image repository | +| image.tag | string | `"v1.0.0"` | Image tag | +| probes.liveness.custom | bool | `true` | | +| probes.liveness.enabled | bool | `true` | | +| probes.liveness.spec.httpGet.path | string | `"/healthz"` | | +| probes.liveness.spec.httpGet.port | string | `"https"` | | +| probes.liveness.spec.httpGet.scheme | string | `"HTTPS"` | | +| probes.readiness.custom | bool | `true` | | +| probes.readiness.enabled | bool | `true` | | +| probes.readiness.spec.httpGet.path | string | `"/healthz"` | | +| probes.readiness.spec.httpGet.port | string | `"https"` | | +| probes.readiness.spec.httpGet.scheme | string | `"HTTPS"` | | +| probes.startup.custom | bool | `true` | | +| probes.startup.enabled | bool | `true` | | +| probes.startup.spec.httpGet.path | string | `"/healthz"` | | +| probes.startup.spec.httpGet.port | string | `"https"` | | +| probes.startup.spec.httpGet.scheme | string | `"HTTPS"` | | +| service.port.name | string | `"https"` | | +| service.port.port | int | `443` | | + +## Changelog + +All notable changes to this application Helm chart will be documented in this file but does not include changes from our common library. To read those click [here](https://github.com/k8s-at-home/charts/tree/master/charts/common/README.md#Changelog). + +The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). 
+ +### [1.0.0] + +#### Added + +- N/A + +#### Changed + +- First release of chart into k8s-at-home + +#### Removed + +- N/A + +[1.0.0]: #1.0.0 + +## Support + +- See the [Docs](https://docs.k8s-at-home.com/our-helm-charts/getting-started/) +- Open an [issue](https://github.com/k8s-at-home/charts/issues/new/choose) +- Ask a [question](https://github.com/k8s-at-home/organization/discussions) +- Join our [Discord](https://discord.gg/sTMX7Vh) community + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.5.0](https://github.com/norwoodj/helm-docs/releases/v1.5.0) \ No newline at end of file diff --git a/charts/dnsmadeeasy-webhook/README.md.gotmpl b/charts/dnsmadeeasy-webhook/README.md.gotmpl new file mode 100644 index 00000000..e39382b7 --- /dev/null +++ b/charts/dnsmadeeasy-webhook/README.md.gotmpl 
@@ -0,0 +1,147 @@ +{{- define "custom.repository.organization" -}} +k8s-at-home +{{- end -}} + +{{- define "custom.repository.url" -}} +https://github.com/k8s-at-home/charts +{{- end -}} + +{{- define "custom.helm.url" -}} +https://k8s-at-home.com/charts/ +{{- end -}} + +{{- define "custom.helm.path" -}} +{{ template "custom.repository.organization" . }}/{{ template "chart.name" . }} +{{- end -}} + +{{- define "custom.notes" -}} +**This chart is not maintained by the upstream project and any issues with the chart should be raised [here](https://github.com/k8s-at-home/charts/issues/new/choose)** +{{- end -}} + +{{- define "custom.requirements" -}} +## Requirements + +{{ template "chart.kubeVersionLine" . }} +{{- end -}} + +{{- define "custom.dependencies" -}} +## Dependencies + +This chart depends on the [cert-manager](https://cert-manager.io/docs/installation/kubernetes/). + +{{ template "chart.requirementsTable" . }} +{{- end -}} + +{{- define "custom.install.tldr" -}} +## TL;DR + +```console +helm repo add {{ template "custom.repository.organization" . }} {{ template "custom.helm.url" . }} +helm repo update +helm install {{ template "chart.name" . }} {{ template "custom.helm.path" . }} +``` +{{- end -}} + +{{- define "custom.install" -}} +## Installing the Chart + +To install the chart with the release name `{{ template "chart.name" . }}` + +```console +helm install {{ template "chart.name" . }} {{ template "custom.helm.path" . }} +``` +{{- end -}} + +{{- define "custom.uninstall" -}} +## Uninstalling the Chart + +To uninstall the `{{ template "chart.name" . }}` deployment + +```console +helm uninstall {{ template "chart.name" . }} +``` + +The command removes all the Kubernetes components associated with the chart **including persistent volumes** and deletes the release. 
+{{- end -}} + +{{- define "custom.configuration.header" -}} +## Configuration +{{- end -}} + +{{- define "custom.configuration.readValues" -}} +Read through the [values.yaml](./values.yaml) file. It has several commented out suggested values. +Other values may be used from the [values.yaml](../common/values.yaml) from the [common library](../common). +{{- end -}} + +{{- define "custom.configuration.example.set" -}} +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. + +```console +helm install {{ template "chart.name" . }} \ + --set env.TZ="America/New York" \ + {{ template "custom.helm.path" . }} +``` +{{- end -}} + +{{- define "custom.configuration.example.file" -}} +Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. + +```console +helm install {{ template "chart.name" . }} {{ template "custom.helm.path" . }} -f values.yaml +``` +{{- end -}} + +{{- define "custom.valuesSection" -}} +## Values + +**Important**: When deploying an application Helm chart you can add more values from our common library chart [here](https://github.com/k8s-at-home/charts/tree/master/charts/common/) + +{{ template "chart.valuesTable" . }} +{{- end -}} + +{{- define "custom.support" -}} +## Support + +- See the [Docs](https://docs.k8s-at-home.com/our-helm-charts/getting-started/) +- Open an [issue](https://github.com/k8s-at-home/charts/issues/new/choose) +- Ask a [question](https://github.com/k8s-at-home/organization/discussions) +- Join our [Discord](https://discord.gg/sTMX7Vh) community +{{- end -}} + +{{ template "chart.header" . }} + +{{ template "chart.versionBadge" . }}{{ template "chart.typeBadge" . }}{{ template "chart.appVersionBadge" . }} + +{{ template "chart.description" . }} + +{{ template "custom.notes" . }} + +{{ template "chart.sourcesSection" . }} + +{{ template "custom.requirements" . }} + +{{ template "custom.dependencies" . 
}} + +{{ template "custom.install.tldr" . }} + +{{ template "custom.install" . }} + +{{ template "custom.uninstall" . }} + +{{ template "custom.configuration.header" . }} + +{{ template "custom.configuration.readValues" . }} + +{{ template "custom.configuration.example.set" . }} + +{{ template "custom.configuration.example.file" . }} + +{{ template "custom.custom.configuration" . }} + +{{ template "custom.valuesSection" . }} + +{{ template "custom.changelog" . }} + +{{ template "custom.support" . }} + +{{ template "helm-docs.versionFooter" . }} diff --git a/charts/dnsmadeeasy-webhook/README_CHANGELOG.md.gotmpl b/charts/dnsmadeeasy-webhook/README_CHANGELOG.md.gotmpl new file mode 100644 index 00000000..7c6cc526 --- /dev/null +++ b/charts/dnsmadeeasy-webhook/README_CHANGELOG.md.gotmpl @@ -0,0 +1,27 @@ +{{- define "custom.changelog.header" -}} +## Changelog +{{- end -}} + +{{- define "custom.changelog" -}} +{{ template "custom.changelog.header" . }} + +All notable changes to this application Helm chart will be documented in this file but does not include changes from our common library. To read those click [here](https://github.com/k8s-at-home/charts/tree/master/charts/common/README.md#Changelog). + +The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). + +### [1.0.0] + +#### Added + +- N/A + +#### Changed + +- First release of chart into k8s-at-home + +#### Removed + +- N/A + +[1.0.0]: #1.0.0 +{{- end -}} diff --git a/charts/dnsmadeeasy-webhook/README_CONFIG.md.gotmpl b/charts/dnsmadeeasy-webhook/README_CONFIG.md.gotmpl new file mode 100644 index 00000000..e93d80bf --- /dev/null +++ b/charts/dnsmadeeasy-webhook/README_CONFIG.md.gotmpl 
@@ -0,0 +1,9 @@ +{{- define "custom.custom.configuration.header" -}} +## Custom configuration +{{- end -}} + +{{- define "custom.custom.configuration" -}} +{{ template "custom.custom.configuration.header" . }} + +N/A +{{- end -}} diff --git a/charts/dnsmadeeasy-webhook/templates/NOTES.txt b/charts/dnsmadeeasy-webhook/templates/NOTES.txt new file mode 100644 index 00000000..90f7b653 --- /dev/null +++ b/charts/dnsmadeeasy-webhook/templates/NOTES.txt @@ -0,0 +1 @@ +{{- include "common.notes.defaultNotes" . -}} diff --git a/charts/dnsmadeeasy-webhook/templates/apiservice.yaml b/charts/dnsmadeeasy-webhook/templates/apiservice.yaml new file mode 100644 index 00000000..f5957eb6 --- /dev/null +++ b/charts/dnsmadeeasy-webhook/templates/apiservice.yaml @@ -0,0 +1,18 @@ +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + name: v1alpha1.{{ .Values.groupName }} + labels: + {{- include "common.labels" . | nindent 4 }} + annotations: + certmanager.k8s.io/inject-ca-from: "{{ .Release.Namespace }}/{{ include "dnsmadeeasy-webhook.servingCertificate" . }}" +spec: + group: {{ .Values.groupName }} + groupPriorityMinimum: 1000 + versionPriority: 15 + #TBD : avoid insecureSkipTLSVerify + insecureSkipTLSVerify: true + service: + name: {{ include "common.names.fullname" . }} + namespace: {{ .Release.Namespace }} + version: v1alpha1 diff --git a/charts/dnsmadeeasy-webhook/templates/common.tpl b/charts/dnsmadeeasy-webhook/templates/common.tpl new file mode 100644 index 00000000..5cdfde2b --- /dev/null +++ b/charts/dnsmadeeasy-webhook/templates/common.tpl 
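Review bot: `insecureSkipTLSVerify: true` on the APIService makes the kube-apiserver proxy cert-manager's ChallengePayload requests (which carry the DNS01 challenge material and the solver's secret references) to the webhook Service without verifying the backend certificate, so anyone who can influence the Service's endpoints can impersonate the webhook; the `#TBD` comment acknowledges this but ships it. The likely reason injection "did not work" is the annotation key: the chart uses cert-manager.io/v1 resources in pki.yaml, but the APIService carries the legacy `certmanager.k8s.io/inject-ca-from` annotation, which belonged to the deprecated API group — cainjector for cert-manager v1 keys on `cert-manager.io/inject-ca-from`. Since the serving certificate already includes `<fullname>.<namespace>.svc`, the name the aggregator verifies against, the fix is two lines: `cert-manager.io/inject-ca-from: "{{ .Release.Namespace }}/{{ include "dnsmadeeasy-webhook.servingCertificate" . }}"` and drop `insecureSkipTLSVerify: true` (or set it to `false`) so the injected `caBundle` is enforced.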
@@ -0,0 +1,39 @@ +{{/* Make sure all variables are set properly */}} +{{- include "common.values.setup" . }} + +{{- define "dnsmadeeasy-webhook.selfSignedIssuer" -}} +{{ printf "%s-selfsign" (include "common.names.fullname" .) }} +{{- end -}} + +{{- define "dnsmadeeasy-webhook.rootCAIssuer" -}} +{{ printf "%s-ca" (include "common.names.fullname" .) }} +{{- end -}} + +{{- define "dnsmadeeasy-webhook.rootCACertificate" -}} +{{ printf "%s-ca" (include "common.names.fullname" .) }} +{{- end -}} + +{{- define "dnsmadeeasy-webhook.servingCertificate" -}} +{{ printf "%s-webhook-tls" (include "common.names.fullname" .) }} +{{- end -}} + + +{{- $_ := set .Values.env "GROUP_NAME" .Values.groupName -}} + + +{{/* Append the cert secret to the additionalVolumes */}} +{{- define "dnsmadeeasy-webhook.servingCertificate.volume" -}} +name: certs +secret: + secretName: {{ include "dnsmadeeasy-webhook.servingCertificate" . }} +{{- end -}} + +{{- $volume := include "dnsmadeeasy-webhook.servingCertificate.volume" . | fromYaml -}} +{{- if $volume -}} + {{- $additionalVolumes := append .Values.additionalVolumes $volume }} + {{- $_ := set .Values "additionalVolumes" (deepCopy $additionalVolumes) -}} +{{- end -}} + + +{{/* Render the templates */}} +{{ include "common.all" . }} diff --git a/charts/dnsmadeeasy-webhook/templates/pki.yaml b/charts/dnsmadeeasy-webhook/templates/pki.yaml new file mode 100644 index 00000000..68ccd873 --- /dev/null +++ b/charts/dnsmadeeasy-webhook/templates/pki.yaml 
@@ -0,0 +1,66 @@ +--- +# Create a selfsigned Issuer, in order to create a root CA certificate for +# signing webhook serving certificates +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: {{ include "dnsmadeeasy-webhook.selfSignedIssuer" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + {{- include "common.labels" . | nindent 4 }} +spec: + selfSigned: {} + +--- + +# Generate a CA Certificate used to sign certificates for the webhook +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ include "dnsmadeeasy-webhook.rootCACertificate" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + {{- include "common.labels" . | nindent 4 }} +spec: + secretName: {{ include "dnsmadeeasy-webhook.rootCACertificate" . }} + duration: 43800h # 5y + issuerRef: + name: {{ include "dnsmadeeasy-webhook.selfSignedIssuer" . }} + kind: Issuer + commonName: "ca.dnsmadeeasy-webhook.cert-manager" + isCA: true + +--- + +# Create an Issuer that uses the above generated CA certificate to issue certs +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: {{ include "dnsmadeeasy-webhook.rootCAIssuer" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + {{- include "common.labels" . | nindent 4 }} +spec: + ca: + secretName: {{ include "dnsmadeeasy-webhook.rootCACertificate" . }} + +--- + +# Finally, generate a serving certificate for the webhook to use +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ include "dnsmadeeasy-webhook.servingCertificate" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + {{- include "common.labels" . | nindent 4 }} +spec: + secretName: {{ include "dnsmadeeasy-webhook.servingCertificate" . }} + duration: 8760h # 1y + issuerRef: + name: {{ include "dnsmadeeasy-webhook.rootCAIssuer" . }} + kind: Issuer + dnsNames: + - {{ include "common.names.fullname" . }} + - {{ include "common.names.fullname" . 
}}.{{ .Release.Namespace }} + - {{ include "common.names.fullname" . }}.{{ .Release.Namespace }}.svc diff --git a/charts/dnsmadeeasy-webhook/templates/rbac.yaml b/charts/dnsmadeeasy-webhook/templates/rbac.yaml new file mode 100644 index 00000000..1ef6df00 --- /dev/null +++ b/charts/dnsmadeeasy-webhook/templates/rbac.yaml 
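Review bot: Neither Certificate sets a private-key rotation policy, so on each renewal cert-manager's default behaviour reuses the existing key; for the 5-year CA and the yearly serving cert that means a key that leaks from the Secret stays valid across renewals until someone deletes the Secret by hand. If the installed cert-manager supports it (the v1 API does, as far as I recall — confirm against the target minimum version), add `privateKey: rotationPolicy: Always` to the serving Certificate spec, and consider the same for the CA, plus a comment stating why. Separately, the CA `commonName: "ca.dnsmadeeasy-webhook.cert-manager"` is identical for every release; deriving it from `common.names.fullname` like the Secret names would make CAs distinguishable when two releases coexist.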
@@ -0,0 +1,108 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "common.names.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "common.labels" . | nindent 4 }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "common.names.fullname" . }} + labels: + {{- include "common.labels" . | nindent 4 }} +rules: + - apiGroups: + - "" + resources: + - "secrets" + - "configmaps" + verbs: + - "get" + - "list" + - "watch" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "common.names.fullname" . }} + labels: + {{- include "common.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "common.names.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ include "common.names.fullname" . }} + namespace: {{ .Release.Namespace }} +--- +# Grant the webhook permission to read the ConfigMap containing the Kubernetes +# apiserver's requestheader-ca-certificate. +# This ConfigMap is automatically created by the Kubernetes apiserver. +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "common.names.fullname" . }}-webhook-authentication-reader + namespace: kube-system + labels: + {{- include "common.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: extension-apiserver-authentication-reader +subjects: + - apiGroup: "" + kind: ServiceAccount + name: {{ include "common.names.fullname" . }} + namespace: {{ .Release.Namespace }} +--- +# apiserver gets the auth-delegator role to delegate auth decisions to +# the core apiserver +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "common.names.fullname" . }}-auth-delegator + labels: + {{- include "common.labels" . 
| nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:auth-delegator +subjects: + - apiGroup: "" + kind: ServiceAccount + name: {{ include "common.names.fullname" . }} + namespace: {{ .Release.Namespace }} +--- +# Grant cert-manager permission to validate using our apiserver +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "common.names.fullname" . }}-domain-solver + labels: + {{- include "common.labels" . | nindent 4 }} +rules: + - apiGroups: + - {{ .Values.groupName }} + resources: + - '*' + verbs: + - 'create' +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "common.names.fullname" . }}-domain-solver + labels: + {{- include "common.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "common.names.fullname" . }}-domain-solver +subjects: + - apiGroup: "" + kind: ServiceAccount + name: {{ .Values.certManager.serviceAccountName }} + namespace: {{ .Values.certManager.namespace }} diff --git a/charts/dnsmadeeasy-webhook/values.yaml b/charts/dnsmadeeasy-webhook/values.yaml new file mode 100644 index 00000000..63ba4b80 --- /dev/null +++ b/charts/dnsmadeeasy-webhook/values.yaml 
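Review bot: The first ClusterRole grants the webhook `get`/`list`/`watch` on `secrets` across the whole cluster, so a compromise of this pod (or of its DNS-provider credentials path) yields every Secret in every namespace, not just the DNSMadeEasy API key. A webhook solver only needs to read the credential Secret referenced by the Issuer/ClusterIssuer, which lives in the Issuer's namespace (or cert-manager's cluster-resource namespace for a ClusterIssuer) — I cannot see the webhook code, but that is the standard contract, so bind a namespaced `Role` in those namespaces (make the list a value) instead of a `ClusterRole`, and drop `list`/`watch` if the solver only does point reads by name. The `configmaps` entry in that rule also looks redundant: the only ConfigMap the comments mention is `extension-apiserver-authentication`, which the kube-system RoleBinding to `extension-apiserver-authentication-reader` already covers.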
@@ -0,0 +1,63 @@ +# -- The GroupName here is used to identify your company or business unit that +# created this webhook. +# This name will need to be referenced in each Issuer's `webhook` stanza to +# inform cert-manager of where to send ChallengePayload resources in order to +# solve the DNS01 challenge. +# This group name should be **unique**, hence using your own company's domain +# here is recommended. +groupName: acme.mycompany.com + +certManager: + # -- Namespace where the cert-manager operator was installed to + namespace: cert-manager + # -- Service account used by the cert-manager + serviceAccountName: cert-manager + + +# Default values for dnsmadeeasy-webhook. + +image: + # -- Image repository + repository: ghcr.io/k8s-at-home/dnsmadeeasy-webhook + # -- Image pull policy + pullPolicy: IfNotPresent + # -- Image tag + tag: v1.0.0 + +args: '["--tls-cert-file=/tls/tls.crt","--tls-private-key-file=/tls/tls.key"]' + +additionalVolumeMounts: +- name: certs + mountPath: /tls + readOnly: true + + +probes: + liveness: + enabled: true + custom: true + spec: + httpGet: + scheme: HTTPS + path: /healthz + port: https + readiness: + enabled: true + custom: true + spec: + httpGet: + scheme: HTTPS + path: /healthz + port: https + startup: + enabled: true + custom: true + spec: + httpGet: + scheme: HTTPS + path: /healthz + port: https +service: + port: + name: https + port: 443
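Review bot: The `certManager.namespace` / `certManager.serviceAccountName` defaults feed the `-domain-solver` ClusterRoleBinding subject in rbac.yaml, so when cert-manager is installed under a different namespace or SA the binding silently points at a non-existent subject and every DNS01 challenge fails with a forbidden error from this API group; the values comments should say so. Suggested wording: `# -- Namespace where the cert-manager operator was installed to (must match, or cert-manager cannot call this webhook)` and `# -- Service account used by the cert-manager controller; wrong value => 403 on ChallengePayload`. Likewise `groupName` should note that `acme.mycompany.com` is a placeholder to be overridden, since it becomes a cluster-wide API group name and RBAC resource.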