[dnsmadeeasy-webhook] New chart (#649)

* add cert-manager-dnsmadeeasy

* fix probes

* Fix for status probes

* Fix deprecation warnings

* update common

* increase path version

* use github repo

* Use helm-docs

* change repo name

* rename

* fix lint issue

* exclude dnsmadeeasy from install check

* Feedback

* splitting ct.yaml

* remove old changelog

Co-authored-by: angelnu <git@angelnucom>
Co-authored-by: ᗪєνιη ᗷυнʟ <onedr0p@users.noreply.github.com>

.github/ct-install.yaml

@@ -4,8 +4,8 @@ helm-extra-args: --timeout 600s
 chart-dirs:
 - charts
 excluded-charts:
-- common
 - common-test
+- dnsmadeeasy-webhook
 chart-repos:
 - bitnami=https://charts.bitnami.com/bitnami
 - k8s-at-home=https://k8s-at-home.com/charts

.github/ct-lint.yaml

@@ -0,0 +1,9 @@
+remote: origin
+target-branch: master
+helm-extra-args: --timeout 600s
+chart-dirs:
+- charts
+excluded-charts:
+chart-repos:
+- bitnami=https://charts.bitnami.com/bitnami
+- k8s-at-home=https://k8s-at-home.com/charts

.github/workflows/charts-lint-test.yaml

@@ -37,19 +37,19 @@ jobs:
     - name: Run chart-testing (list-changed)
       id: list-changed
       run: |
-        changed=$(ct list-changed --config .github/ct.yaml)
+        changed=$(ct list-changed --config .github/ct-lint.yaml)
         if [[ -n "$changed" ]]; then
           echo "::set-output name=changed::true"
         fi
 
-        changed_unfiltered=$(ct list-changed --config .github/ct.yaml --excluded-charts "")
+        changed_unfiltered=$(ct list-changed --config .github/ct-lint.yaml --excluded-charts "")
         if [[ $(grep -E "^charts/common(-test)?$" <<< "$changed_unfiltered") ]]; then
           echo "::set-output name=common::true"
         fi
 
     - name: Run chart-testing (lint)
       id: lint
-      run: ct lint --config .github/ct.yaml --excluded-charts ""
+      run: ct lint --config .github/ct-lint.yaml --excluded-charts ""
       if: steps.list-changed.outputs.changed == 'true' || steps.list-changed.outputs.common == 'true'
 
   unittest:
@@ -111,10 +111,10 @@ jobs:
       if: needs.lint.outputs.changed == 'true' || needs.lint.outputs.common == 'true'
 
     - name: Run chart-testing (install)
-      run: ct install --config .github/ct.yaml --excluded-charts ""
+      run: ct install --config .github/ct-install.yaml
       if: needs.lint.outputs.changed == 'true'
 
     - name: Run chart-testing (common-test)
       run: |
-        ct install --config .github/ct.yaml --charts 'charts/common-test'
+        ct install --config .github/ct-install.yaml --charts 'charts/common-test'
       if: needs.lint.outputs.common == 'true'

.taskfiles/Taskfile_chart.yml

@@ -37,7 +37,7 @@ tasks:
   ct-lint:
     desc: run `ct lint` on your chart code
     cmds:
-    - docker run --rm -it --user $(id -u):$(id -g) -e "HELM_CONFIG_HOME=/tmp/helm" -e "HELM_CACHE_HOME=/tmp/helm" -v {{.GIT_ROOT}}:/ci -w /ci quay.io/helmpack/chart-testing:latest ct lint --charts charts/{{.CHART}} --config /ci/.github/ct.yaml
+    - docker run --rm -it --user $(id -u):$(id -g) -e "HELM_CONFIG_HOME=/tmp/helm" -e "HELM_CACHE_HOME=/tmp/helm" -v {{.GIT_ROOT}}:/ci -w /ci quay.io/helmpack/chart-testing:latest ct lint --charts charts/{{.CHART}} --config /ci/.github/ct-lint.yaml
     deps:
     - check-chart
     - lint

charts/dnsmadeeasy-webhook/.helmignore

@@ -0,0 +1,24 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+# OWNERS file for Kubernetes
+OWNERS

charts/dnsmadeeasy-webhook/Chart.yaml

@@ -0,0 +1,21 @@
+apiVersion: v2
+appVersion: 1.0.0
+description: Cert-Manager Webhook for DNSMadeEasy
+name: dnsmadeeasy-webhook
+version: 1.0.0
+keywords:
+- cert-manager
+- dnsmadeeasy
+- letsencrypt
+home: https://github.com/k8s-at-home/dnsmadeeasy-webhook
+icon: https://pbs.twimg.com/profile_images/1759911243/dnsmeavatar_400x400.png
+sources:
+- https://github.com/k8s-at-home/dnsmadeeasy-webhook
+- https://cert-manager.io
+maintainers:
+- name: angelnu
+  email: git@angelnu.com
+dependencies:
+- name: common
+  repository: https://k8s-at-home.com/charts/
+  version: 3.1.0

charts/dnsmadeeasy-webhook/README.md

@@ -0,0 +1,135 @@
+# dnsmadeeasy-webhook
+
+![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square)
+
+Cert-Manager Webhook for DNSMadeEasy
+
+**This chart is not maintained by the upstream project and any issues with the chart should be raised [here](https://github.com/k8s-at-home/charts/issues/new/choose)**
+
+## Source Code
+
+* <https://github.com/k8s-at-home/dnsmadeeasy-webhook>
+* <https://cert-manager.io>
+
+## Requirements
+
+## Dependencies
+
+| Repository | Name | Version |
+|------------|------|---------|
+| https://k8s-at-home.com/charts/ | common | 3.1.0 |
+
+## TL;DR
+
+```console
+helm repo add k8s-at-home https://k8s-at-home.com/charts/
+helm repo update
+helm install dnsmadeeasy-webhook k8s-at-home/dnsmadeeasy-webhook
+```
+
+## Installing the Chart
+
+To install the chart with the release name `dnsmadeeasy-webhook`
+
+```console
+helm install dnsmadeeasy-webhook k8s-at-home/dnsmadeeasy-webhook
+```
+
+## Uninstalling the Chart
+
+To uninstall the `dnsmadeeasy-webhook` deployment
+
+```console
+helm uninstall dnsmadeeasy-webhook
+```
+
+The command removes all the Kubernetes components associated with the chart **including persistent volumes** and deletes the release.
+
+## Configuration
+
+Read through the [values.yaml](./values.yaml) file. It has several commented out suggested values.
+Other values may be used from the [values.yaml](../common/values.yaml) from the [common library](../common).
+
+Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`.
+
+```console
+helm install dnsmadeeasy-webhook \
+  --set env.TZ="America/New York" \
+    k8s-at-home/dnsmadeeasy-webhook
+```
+
+Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart.
+
+```console
+helm install dnsmadeeasy-webhook k8s-at-home/dnsmadeeasy-webhook -f values.yaml
+```
+
+## Custom configuration
+
+N/A
+
+## Values
+
+**Important**: When deploying an application Helm chart you can add more values from our common library chart [here](https://github.com/k8s-at-home/charts/tree/master/charts/common/)
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| additionalVolumeMounts[0].mountPath | string | `"/tls"` |  |
+| additionalVolumeMounts[0].name | string | `"certs"` |  |
+| additionalVolumeMounts[0].readOnly | bool | `true` |  |
+| args | string | `"[\"--tls-cert-file=/tls/tls.crt\",\"--tls-private-key-file=/tls/tls.key\"]"` |  |
+| certManager.namespace | string | `"cert-manager"` | Namespace where the cert-manager operator was installed to |
+| certManager.serviceAccountName | string | `"cert-manager"` | Service account used by the cert-manager |
+| groupName | string | `"acme.mycompany.com"` | The GroupName here is used to identify your company or business unit that created this webhook. This name will need to be referenced in each Issuer's `webhook` stanza to inform cert-manager of where to send ChallengePayload resources in order to solve the DNS01 challenge. This group name should be **unique**, hence using your own company's domain here is recommended. |
+| image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
+| image.repository | string | `"ghcr.io/k8s-at-home/dnsmadeeasy-webhook"` | Image repository |
+| image.tag | string | `"v1.0.0"` | Image tag |
+| probes.liveness.custom | bool | `true` |  |
+| probes.liveness.enabled | bool | `true` |  |
+| probes.liveness.spec.httpGet.path | string | `"/healthz"` |  |
+| probes.liveness.spec.httpGet.port | string | `"https"` |  |
+| probes.liveness.spec.httpGet.scheme | string | `"HTTPS"` |  |
+| probes.readiness.custom | bool | `true` |  |
+| probes.readiness.enabled | bool | `true` |  |
+| probes.readiness.spec.httpGet.path | string | `"/healthz"` |  |
+| probes.readiness.spec.httpGet.port | string | `"https"` |  |
+| probes.readiness.spec.httpGet.scheme | string | `"HTTPS"` |  |
+| probes.startup.custom | bool | `true` |  |
+| probes.startup.enabled | bool | `true` |  |
+| probes.startup.spec.httpGet.path | string | `"/healthz"` |  |
+| probes.startup.spec.httpGet.port | string | `"https"` |  |
+| probes.startup.spec.httpGet.scheme | string | `"HTTPS"` |  |
+| service.port.name | string | `"https"` |  |
+| service.port.port | int | `443` |  |
+
+## Changelog
+
+All notable changes to this application Helm chart will be documented in this file but does not include changes from our common library. To read those click [here](https://github.com/k8s-at-home/charts/tree/master/charts/common/README.md#Changelog).
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+### [1.0.0]
+
+#### Added
+
+- N/A
+
+#### Changed
+
+- First release of chart into k8s-at-home
+
+#### Removed
+
+- N/A
+
+[1.0.0]: #1.0.0
+
+## Support
+
+- See the [Docs](https://docs.k8s-at-home.com/our-helm-charts/getting-started/)
+- Open an [issue](https://github.com/k8s-at-home/charts/issues/new/choose)
+- Ask a [question](https://github.com/k8s-at-home/organization/discussions)
+- Join our [Discord](https://discord.gg/sTMX7Vh) community
+
+----------------------------------------------
+Autogenerated from chart metadata using [helm-docs v1.5.0](https://github.com/norwoodj/helm-docs/releases/v1.5.0)

charts/dnsmadeeasy-webhook/README.md.gotmpl

@@ -0,0 +1,147 @@
+{{- define "custom.repository.organization" -}}
+k8s-at-home
+{{- end -}}
+
+{{- define "custom.repository.url" -}}
+https://github.com/k8s-at-home/charts
+{{- end -}}
+
+{{- define "custom.helm.url" -}}
+https://k8s-at-home.com/charts/
+{{- end -}}
+
+{{- define "custom.helm.path" -}}
+{{ template "custom.repository.organization" . }}/{{ template "chart.name" . }}
+{{- end -}}
+
+{{- define "custom.notes" -}}
+**This chart is not maintained by the upstream project and any issues with the chart should be raised [here](https://github.com/k8s-at-home/charts/issues/new/choose)**
+{{- end -}}
+
+{{- define "custom.requirements" -}}
+## Requirements
+
+{{ template "chart.kubeVersionLine" . }}
+{{- end -}}
+
+{{- define "custom.dependencies" -}}
+## Dependencies
+
+This chart depends on the [cert-manager](https://cert-manager.io/docs/installation/kubernetes/).
+
+{{ template "chart.requirementsTable" . }}
+{{- end -}}
+
+{{- define "custom.install.tldr" -}}
+## TL;DR
+
+```console
+helm repo add {{ template "custom.repository.organization" . }} {{ template "custom.helm.url" . }}
+helm repo update
+helm install {{ template "chart.name" . }} {{ template "custom.helm.path" . }}
+```
+{{- end -}}
+
+{{- define "custom.install" -}}
+## Installing the Chart
+
+To install the chart with the release name `{{ template "chart.name" . }}`
+
+```console
+helm install {{ template "chart.name" . }} {{ template "custom.helm.path" . }}
+```
+{{- end -}}
+
+{{- define "custom.uninstall" -}}
+## Uninstalling the Chart
+
+To uninstall the `{{ template "chart.name" . }}` deployment
+
+```console
+helm uninstall {{ template "chart.name" . }}
+```
+
+The command removes all the Kubernetes components associated with the chart **including persistent volumes** and deletes the release.
+{{- end -}}
+
+{{- define "custom.configuration.header" -}}
+## Configuration
+{{- end -}}
+
+{{- define "custom.configuration.readValues" -}}
+Read through the [values.yaml](./values.yaml) file. It has several commented out suggested values.
+Other values may be used from the [values.yaml](../common/values.yaml) from the [common library](../common).
+{{- end -}}
+
+{{- define "custom.configuration.example.set" -}}
+Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`.
+
+```console
+helm install {{ template "chart.name" . }} \
+  --set env.TZ="America/New York" \
+    {{ template "custom.helm.path" . }}
+```
+{{- end -}}
+
+{{- define "custom.configuration.example.file" -}}
+Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart.
+
+```console
+helm install {{ template "chart.name" . }} {{ template "custom.helm.path" . }} -f values.yaml
+```
+{{- end -}}
+
+{{- define "custom.valuesSection" -}}
+## Values
+
+**Important**: When deploying an application Helm chart you can add more values from our common library chart [here](https://github.com/k8s-at-home/charts/tree/master/charts/common/)
+
+{{ template "chart.valuesTable" . }}
+{{- end -}}
+
+{{- define "custom.support" -}}
+## Support
+
+- See the [Docs](https://docs.k8s-at-home.com/our-helm-charts/getting-started/)
+- Open an [issue](https://github.com/k8s-at-home/charts/issues/new/choose)
+- Ask a [question](https://github.com/k8s-at-home/organization/discussions)
+- Join our [Discord](https://discord.gg/sTMX7Vh) community
+{{- end -}}
+
+{{ template "chart.header" . }}
+
+{{ template "chart.versionBadge" . }}{{ template "chart.typeBadge" . }}{{ template "chart.appVersionBadge" . }}
+
+{{ template "chart.description" . }}
+
+{{ template "custom.notes" . }}
+
+{{ template "chart.sourcesSection" . }}
+
+{{ template "custom.requirements" . }}
+
+{{ template "custom.dependencies" . }}
+
+{{ template "custom.install.tldr" . }}
+
+{{ template "custom.install" . }}
+
+{{ template "custom.uninstall" . }}
+
+{{ template "custom.configuration.header" . }}
+
+{{ template "custom.configuration.readValues" . }}
+
+{{ template "custom.configuration.example.set" . }}
+
+{{ template "custom.configuration.example.file" . }}
+
+{{ template "custom.custom.configuration" . }}
+
+{{ template "custom.valuesSection" . }}
+
+{{ template "custom.changelog" . }}
+
+{{ template "custom.support" . }}
+
+{{ template "helm-docs.versionFooter" . }}

charts/dnsmadeeasy-webhook/README_CHANGELOG.md.gotmpl

@@ -0,0 +1,27 @@
+{{- define "custom.changelog.header" -}}
+## Changelog
+{{- end -}}
+
+{{- define "custom.changelog" -}}
+{{ template "custom.changelog.header" . }}
+
+All notable changes to this application Helm chart will be documented in this file but does not include changes from our common library. To read those click [here](https://github.com/k8s-at-home/charts/tree/master/charts/common/README.md#Changelog).
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+### [1.0.0]
+
+#### Added
+
+- N/A
+
+#### Changed
+
+- First release of chart into k8s-at-home
+
+#### Removed
+
+- N/A
+
+[1.0.0]: #1.0.0
+{{- end -}}

charts/dnsmadeeasy-webhook/README_CONFIG.md.gotmpl

@@ -0,0 +1,9 @@
+{{- define "custom.custom.configuration.header" -}}
+## Custom configuration
+{{- end -}}
+
+{{- define "custom.custom.configuration" -}}
+{{ template "custom.custom.configuration.header" . }}
+
+N/A
+{{- end -}}

charts/dnsmadeeasy-webhook/templates/NOTES.txt

@@ -0,0 +1 @@
+{{- include "common.notes.defaultNotes" . -}}

charts/dnsmadeeasy-webhook/templates/apiservice.yaml

@@ -0,0 +1,18 @@
+apiVersion: apiregistration.k8s.io/v1
+kind: APIService
+metadata:
+  name: v1alpha1.{{ .Values.groupName }}
+  labels:
+    {{- include "common.labels" . | nindent 4 }}
+  annotations:
+    certmanager.k8s.io/inject-ca-from: "{{ .Release.Namespace }}/{{ include "dnsmadeeasy-webhook.servingCertificate" . }}"
+spec:
+  group: {{ .Values.groupName }}
+  groupPriorityMinimum: 1000
+  versionPriority: 15
+  #TBD : avoid insecureSkipTLSVerify
+  insecureSkipTLSVerify: true
+  service:
+    name: {{ include "common.names.fullname" . }}
+    namespace: {{ .Release.Namespace }}
+  version: v1alpha1

charts/dnsmadeeasy-webhook/templates/common.tpl

@@ -0,0 +1,39 @@
+{{/* Make sure all variables are set properly */}}
+{{- include "common.values.setup" . }}
+
+{{- define "dnsmadeeasy-webhook.selfSignedIssuer" -}}
+{{ printf "%s-selfsign" (include "common.names.fullname" .) }}
+{{- end -}}
+
+{{- define "dnsmadeeasy-webhook.rootCAIssuer" -}}
+{{ printf "%s-ca" (include "common.names.fullname" .) }}
+{{- end -}}
+
+{{- define "dnsmadeeasy-webhook.rootCACertificate" -}}
+{{ printf "%s-ca" (include "common.names.fullname" .) }}
+{{- end -}}
+
+{{- define "dnsmadeeasy-webhook.servingCertificate" -}}
+{{ printf "%s-webhook-tls" (include "common.names.fullname" .) }}
+{{- end -}}
+
+
+{{- $_ := set .Values.env "GROUP_NAME" .Values.groupName -}}
+
+
+{{/* Append the cert secret to the additionalVolumes */}}
+{{- define "dnsmadeeasy-webhook.servingCertificate.volume" -}}
+name: certs
+secret:
+  secretName: {{ include "dnsmadeeasy-webhook.servingCertificate" . }}
+{{- end -}}
+
+{{- $volume := include "dnsmadeeasy-webhook.servingCertificate.volume" . | fromYaml -}}
+{{- if $volume -}}
+  {{- $additionalVolumes := append .Values.additionalVolumes $volume }}
+  {{- $_ := set .Values "additionalVolumes" (deepCopy $additionalVolumes) -}}
+{{- end -}}
+
+
+{{/* Render the templates */}}
+{{ include "common.all" . }}

charts/dnsmadeeasy-webhook/templates/pki.yaml

@@ -0,0 +1,66 @@
+---
+# Create a selfsigned Issuer, in order to create a root CA certificate for
+# signing webhook serving certificates
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ include "dnsmadeeasy-webhook.selfSignedIssuer" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels" . | nindent 4 }}
+spec:
+  selfSigned: {}
+
+---
+
+# Generate a CA Certificate used to sign certificates for the webhook
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ include "dnsmadeeasy-webhook.rootCACertificate" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels" . | nindent 4 }}
+spec:
+  secretName: {{ include "dnsmadeeasy-webhook.rootCACertificate" . }}
+  duration: 43800h # 5y
+  issuerRef:
+    name: {{ include "dnsmadeeasy-webhook.selfSignedIssuer" . }}
+    kind: Issuer
+  commonName: "ca.dnsmadeeasy-webhook.cert-manager"
+  isCA: true
+
+---
+
+# Create an Issuer that uses the above generated CA certificate to issue certs
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ include "dnsmadeeasy-webhook.rootCAIssuer" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels" . | nindent 4 }}
+spec:
+  ca:
+    secretName: {{ include "dnsmadeeasy-webhook.rootCACertificate" . }}
+
+---
+
+# Finally, generate a serving certificate for the webhook to use
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ include "dnsmadeeasy-webhook.servingCertificate" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels" . | nindent 4 }}
+spec:
+  secretName: {{ include "dnsmadeeasy-webhook.servingCertificate" . }}
+  duration: 8760h # 1y
+  issuerRef:
+    name: {{ include "dnsmadeeasy-webhook.rootCAIssuer" . }}
+    kind: Issuer
+  dnsNames:
+  - {{ include "common.names.fullname" . }}
+  - {{ include "common.names.fullname" . }}.{{ .Release.Namespace }}
+  - {{ include "common.names.fullname" . }}.{{ .Release.Namespace }}.svc

charts/dnsmadeeasy-webhook/templates/rbac.yaml

@@ -0,0 +1,108 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "common.names.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "common.labels" . | nindent 4 }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "common.names.fullname" . }}
+  labels:
+    {{- include "common.labels" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - "secrets"
+      - "configmaps"
+    verbs:
+      - "get"
+      - "list"
+      - "watch"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "common.names.fullname" . }}
+  labels:
+    {{- include "common.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "common.names.fullname" . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "common.names.fullname" . }}
+    namespace: {{ .Release.Namespace }}
+---
+# Grant the webhook permission to read the ConfigMap containing the Kubernetes
+# apiserver's requestheader-ca-certificate.
+# This ConfigMap is automatically created by the Kubernetes apiserver.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "common.names.fullname" . }}-webhook-authentication-reader
+  namespace: kube-system
+  labels:
+    {{- include "common.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: extension-apiserver-authentication-reader
+subjects:
+  - apiGroup: ""
+    kind: ServiceAccount
+    name: {{ include "common.names.fullname" . }}
+    namespace: {{ .Release.Namespace }}
+---
+# apiserver gets the auth-delegator role to delegate auth decisions to
+# the core apiserver
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "common.names.fullname" . }}-auth-delegator
+  labels:
+    {{- include "common.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:auth-delegator
+subjects:
+  - apiGroup: ""
+    kind: ServiceAccount
+    name: {{ include "common.names.fullname" . }}
+    namespace: {{ .Release.Namespace }}
+---
+# Grant cert-manager permission to validate using our apiserver
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "common.names.fullname" . }}-domain-solver
+  labels:
+    {{- include "common.labels" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - {{ .Values.groupName }}
+    resources:
+      - '*'
+    verbs:
+      - 'create'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "common.names.fullname" . }}-domain-solver
+  labels:
+    {{- include "common.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "common.names.fullname" . }}-domain-solver
+subjects:
+  - apiGroup: ""
+    kind: ServiceAccount
+    name: {{ .Values.certManager.serviceAccountName }}
+    namespace: {{ .Values.certManager.namespace }}

charts/dnsmadeeasy-webhook/values.yaml

@@ -0,0 +1,63 @@
+# -- The GroupName here is used to identify your company or business unit that
+# created this webhook.
+# This name will need to be referenced in each Issuer's `webhook` stanza to
+# inform cert-manager of where to send ChallengePayload resources in order to
+# solve the DNS01 challenge.
+# This group name should be **unique**, hence using your own company's domain
+# here is recommended.
+groupName: acme.mycompany.com
+
+certManager:
+  # -- Namespace where the cert-manager operator was installed to
+  namespace: cert-manager
+  # -- Service account used by the cert-manager
+  serviceAccountName: cert-manager
+
+
+# Default values for dnsmadeeasy-webhook.
+
+image:
+  # -- Image repository
+  repository: ghcr.io/k8s-at-home/dnsmadeeasy-webhook
+  # -- Image pull policy
+  pullPolicy: IfNotPresent
+  # -- Image tag
+  tag: v1.0.0
+
+args: '["--tls-cert-file=/tls/tls.crt","--tls-private-key-file=/tls/tls.key"]'
+
+additionalVolumeMounts:
+- name: certs
+  mountPath: /tls
+  readOnly: true
+
+
+probes:
+  liveness:
+    enabled: true
+    custom: true
+    spec:
+      httpGet:
+        scheme: HTTPS
+        path: /healthz
+        port: https
+  readiness:
+    enabled: true
+    custom: true
+    spec:
+      httpGet:
+        scheme: HTTPS
+        path: /healthz
+        port: https
+  startup:
+    enabled: true
+    custom: true
+    spec:
+      httpGet:
+        scheme: HTTPS
+        path: /healthz
+        port: https
+service:
+  port:
+    name: https
+    port: 443