created webhook for Variomedia AG API (2019+)

This commit is contained in:
Jens-U. Mozdzen
2022-07-03 20:33:07 +02:00
parent 97ebc9b1dd
commit ecfaaacf38
22 changed files with 1300 additions and 121 deletions

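--- a/helm/.gitignore
+++ b/helm/.gitignore
@@ -0,0 +1 @@
+cert-manager-webhook-variomedia*.tgz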


@@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/


@@ -0,0 +1,25 @@
apiVersion: v2
name: cert-manager-webhook-variomedia
description: cert-manager extension for DNS-01 challenges via DNS provider "Variomedia AG" (https://www.variomedia.de).
# A chart can be either an 'application' or a 'library' chart.
#
# Application charts are a collection of templates that can be packaged into versioned archives
# to be deployed.
#
# Library charts provide useful utilities or functions for the chart developer. They're included as
# a dependency of application charts to inject those utilities and functions into the rendering
# pipeline. Library charts do not define any templates and therefore cannot be deployed.
type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.9.1
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
# It is recommended to use it with quotes.
appVersion: "1.1.0"


@@ -0,0 +1,48 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "cert-manager-webhook-variomedia.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "cert-manager-webhook-variomedia.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "cert-manager-webhook-variomedia.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- define "cert-manager-webhook-variomedia.selfSignedIssuer" -}}
{{ printf "%s-selfsign" (include "cert-manager-webhook-variomedia.fullname" .) }}
{{- end -}}
{{- define "cert-manager-webhook-variomedia.rootCAIssuer" -}}
{{ printf "%s-ca" (include "cert-manager-webhook-variomedia.fullname" .) }}
{{- end -}}
{{- define "cert-manager-webhook-variomedia.rootCACertificate" -}}
{{ printf "%s-ca" (include "cert-manager-webhook-variomedia.fullname" .) }}
{{- end -}}
{{- define "cert-manager-webhook-variomedia.servingCertificate" -}}
{{ printf "%s-webhook-tls" (include "cert-manager-webhook-variomedia.fullname" .) }}
{{- end -}}
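Review bot: The four helpers from `selfSignedIssuer` down carry no explanatory comment, unlike the three helpers above them, and two of them — `rootCAIssuer` and `rootCACertificate` — deliberately return the same string (`<fullname>-ca`), which pki.yaml then uses as an Issuer name, a Certificate name and that Certificate's `secretName`. A comment above that group such as `{{/* Names of the self-signed bootstrap Issuer, the CA Issuer/Certificate/Secret (intentionally sharing the "-ca" suffix) and the webhook serving Certificate/Secret. */}}` would make the overlap visibly intentional to the next reader rather than look like a copy-paste slip. The bare `{{ printf ... }}` bodies depend on the surrounding `-}}` / `{{-` trimming to avoid stray newlines in the rendered names, which holds as written.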


@@ -0,0 +1,19 @@
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
name: v1alpha1.{{ .Values.groupName }}
labels:
app: {{ include "cert-manager-webhook-variomedia.name" . }}
chart: {{ include "cert-manager-webhook-variomedia.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
annotations:
cert-manager.io/inject-ca-from: "{{ .Values.certManager.namespace }}/{{ include "cert-manager-webhook-variomedia.servingCertificate" . }}"
spec:
group: {{ .Values.groupName }}
groupPriorityMinimum: 1000
versionPriority: 15
service:
name: {{ include "cert-manager-webhook-variomedia.fullname" . }}
namespace: {{ .Values.certManager.namespace | quote }}
version: v1alpha1


@@ -0,0 +1,76 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "cert-manager-webhook-variomedia.fullname" . }}
namespace: {{ .Values.certManager.namespace | quote }}
labels:
app: {{ include "cert-manager-webhook-variomedia.name" . }}
chart: {{ include "cert-manager-webhook-variomedia.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
app: {{ include "cert-manager-webhook-variomedia.name" . }}
release: {{ .Release.Name }}
template:
metadata:
labels:
app: {{ include "cert-manager-webhook-variomedia.name" . }}
release: {{ .Release.Name }}
spec:
serviceAccountName: {{ include "cert-manager-webhook-variomedia.fullname" . }}
containers:
- name: {{ .Chart.Name }}
{{- if .Values.image.repository }}
image: "{{ .Values.image.repository }}/{{ .Values.image.image }}:{{ .Values.image.tag }}"
{{- else }}
image: "{{ .Values.image.image }}:{{ .Values.image.tag }}"
{{- end }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
args:
- --tls-cert-file=/tls/tls.crt
- --tls-private-key-file=/tls/tls.key
{{- if .Values.logLevel }}
- --v={{ .Values.logLevel }}
{{- end }}
env:
- name: GROUP_NAME
value: {{ .Values.groupName | quote }}
ports:
- name: https
containerPort: 443
protocol: TCP
livenessProbe:
httpGet:
scheme: HTTPS
path: /healthz
port: https
readinessProbe:
httpGet:
scheme: HTTPS
path: /healthz
port: https
volumeMounts:
- name: certs
mountPath: /tls
readOnly: true
resources:
{{ toYaml .Values.resources | indent 12 }}
volumes:
- name: certs
secret:
secretName: {{ include "cert-manager-webhook-variomedia.servingCertificate" . }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{ toYaml . | indent 8 }}
{{- end }}
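Review bot: The Deployment never renders `podSecurityContext`, `securityContext`, `imagePullSecrets` or `podAnnotations`, although values.yaml in this same commit declares all four, so a user who sets `securityContext.runAsNonRoot: true` or drops capabilities gets no effect and the container runs with whatever the image defaults to. The same applies to `serviceAccount.name`/`serviceAccount.create` and `autoscaling`, which the `serviceAccountName` line and `replicas` ignore; either wire these values in or remove them from values.yaml so the chart does not advertise hardening it does not apply. The container only mounts the TLS secret read-only, so rendering the contexts (and then shipping a restrictive default) presumably does not break it; the snippet below shows where the keys belong. The `{{ toYaml .Values.resources | indent 12 }}` line is consumed correctly and needs no change.
```yaml
    spec:
      serviceAccountName: {{ include "cert-manager-webhook-variomedia.fullname" . }}
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.podSecurityContext }}
      securityContext:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      containers:
        - name: {{ .Chart.Name }}
          {{- with .Values.securityContext }}
          securityContext:
            {{- toYaml . | nindent 12 }}
          {{- end }}
          # … unchanged: image, imagePullPolicy, args, env, ports, probes, volumeMounts, resources …
```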


@@ -0,0 +1,70 @@
---
# Create a selfsigned Issuer, in order to create a root CA certificate for
# signing webhook serving certificates
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: {{ include "cert-manager-webhook-variomedia.selfSignedIssuer" . }}
namespace: {{ .Values.certManager.namespace | quote }}
labels:
app: {{ include "cert-manager-webhook-variomedia.name" . }}
chart: {{ include "cert-manager-webhook-variomedia.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
selfSigned: {}
---
# Generate a CA Certificate used to sign certificates for the webhook
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: {{ include "cert-manager-webhook-variomedia.rootCACertificate" . }}
namespace: {{ .Values.certManager.namespace | quote }}
labels:
app: {{ include "cert-manager-webhook-variomedia.name" . }}
chart: {{ include "cert-manager-webhook-variomedia.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
secretName: {{ include "cert-manager-webhook-variomedia.rootCACertificate" . }}
duration: 43800h # 5y
issuerRef:
name: {{ include "cert-manager-webhook-variomedia.selfSignedIssuer" . }}
commonName: "ca.cert-manager-webhook-variomedia.cert-manager"
isCA: true
---
# Create an Issuer that uses the above generated CA certificate to issue certs
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: {{ include "cert-manager-webhook-variomedia.rootCAIssuer" . }}
namespace: {{ .Values.certManager.namespace | quote }}
labels:
app: {{ include "cert-manager-webhook-variomedia.name" . }}
chart: {{ include "cert-manager-webhook-variomedia.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
ca:
secretName: {{ include "cert-manager-webhook-variomedia.rootCACertificate" . }}
---
# Finally, generate a serving certificate for the webhook to use
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: {{ include "cert-manager-webhook-variomedia.servingCertificate" . }}
namespace: {{ .Values.certManager.namespace | quote }}
labels:
app: {{ include "cert-manager-webhook-variomedia.name" . }}
chart: {{ include "cert-manager-webhook-variomedia.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
secretName: {{ include "cert-manager-webhook-variomedia.servingCertificate" . }}
duration: 8760h # 1y
issuerRef:
name: {{ include "cert-manager-webhook-variomedia.rootCAIssuer" . }}
dnsNames:
- {{ include "cert-manager-webhook-variomedia.fullname" . }}
- {{ include "cert-manager-webhook-variomedia.fullname" . }}.{{ .Values.certManager.namespace }}
- {{ include "cert-manager-webhook-variomedia.fullname" . }}.{{ .Values.certManager.namespace }}.svc
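Review bot: The CA `commonName` in the second document hard-codes the `cert-manager` namespace (`ca.cert-manager-webhook-variomedia.cert-manager`) while every `namespace:` field in this file is templated from `.Values.certManager.namespace`, so an install into another namespace yields a CA whose name no longer reflects where it lives; `commonName: "ca.cert-manager-webhook-variomedia.{{ .Values.certManager.namespace }}"` keeps the two in step. Neither Certificate sets `privateKey.rotationPolicy`, and cert-manager's default is to reuse the existing key on renewal, so the yearly renewal of the serving certificate keeps the same private key; adding `privateKey:` / `rotationPolicy: Always` to at least the serving Certificate makes renewal also rotate the key. The `# 5y` and `# 1y` comments do match 43800h and 8760h.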


@@ -0,0 +1,165 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "cert-manager-webhook-variomedia.fullname" . }}
namespace: {{ .Values.certManager.namespace | quote }}
labels:
app: {{ include "cert-manager-webhook-variomedia.name" . }}
chart: {{ include "cert-manager-webhook-variomedia.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
---
# Grant the webhook permission to read the ConfigMap containing the Kubernetes
# apiserver's requestheader-ca-certificate
# This ConfigMap is automatically created by the Kubernetes apiserver
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "cert-manager-webhook-variomedia.fullname" . }}:webhook-authentication-reader
namespace: kube-system
labels:
app: {{ include "cert-manager-webhook-variomedia.name" . }}
chart: {{ include "cert-manager-webhook-variomedia.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: extension-apiserver-authentication-reader
subjects:
- apiGroup: ""
kind: ServiceAccount
name: {{ include "cert-manager-webhook-variomedia.fullname" . }}
namespace: {{ .Values.certManager.namespace | quote }}
---
# apiserver gets the auth-delegator role to delegate auth decisions to
# the core apiserver
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "cert-manager-webhook-variomedia.fullname" . }}:auth-delegator
labels:
app: {{ include "cert-manager-webhook-variomedia.name" . }}
chart: {{ include "cert-manager-webhook-variomedia.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:auth-delegator
subjects:
- apiGroup: ""
kind: ServiceAccount
name: {{ include "cert-manager-webhook-variomedia.fullname" . }}
namespace: {{ .Values.certManager.namespace | quote}}
---
# Grant cert-manager permission to validate using our apiserver
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "cert-manager-webhook-variomedia.fullname" . }}:domain-solver
labels:
app: {{ include "cert-manager-webhook-variomedia.name" . }}
chart: {{ include "cert-manager-webhook-variomedia.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
rules:
- apiGroups:
- {{ .Values.groupName }}
resources:
- "*"
verbs:
- "create"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "cert-manager-webhook-variomedia.fullname" . }}:domain-solver
labels:
app: {{ include "cert-manager-webhook-variomedia.name" . }}
chart: {{ include "cert-manager-webhook-variomedia.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "cert-manager-webhook-variomedia.fullname" . }}:domain-solver
subjects:
- apiGroup: ""
kind: ServiceAccount
name: {{ .Values.certManager.serviceAccountName }}
namespace: {{ .Values.certManager.namespace | quote }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "cert-manager-webhook-variomedia.fullname" . }}:secret-reader
namespace: {{ .Values.certManager.namespace | quote }}
rules:
- apiGroups:
- ""
resources:
- "secrets"
resourceNames:
- "variomedia-credentials"
verbs:
- "get"
- "watch"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "cert-manager-webhook-variomedia.fullname" . }}:secret-reader
namespace: {{ .Values.certManager.namespace | quote }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "cert-manager-webhook-variomedia.fullname" . }}:secret-reader
subjects:
- apiGroup: ""
kind: ServiceAccount
name: {{ include "cert-manager-webhook-variomedia.fullname" . }}
namespace: {{ .Values.certManager.namespace | quote }}
{{- if .Values.features.apiPriorityAndFairness }}
---
# Grant cert-manager-webhook-variomedia permission to read the flow control mechanism (APF)
# API Priority and Fairness is enabled by default in Kubernetes 1.20
# https://kubernetes.io/docs/concepts/cluster-administration/flow-control/
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "cert-manager-webhook-variomedia.fullname" . }}:flowcontrol-solver
labels:
app: {{ include "cert-manager-webhook-variomedia.name" . }}
chart: {{ include "cert-manager-webhook-variomedia.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
rules:
- apiGroups:
- "flowcontrol.apiserver.k8s.io"
resources:
- "prioritylevelconfigurations"
- "flowschemas"
verbs:
- "list"
- "watch"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "cert-manager-webhook-variomedia.fullname" . }}:flowcontrol-solver
labels:
app: {{ include "cert-manager-webhook-variomedia.name" . }}
chart: {{ include "cert-manager-webhook-variomedia.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "cert-manager-webhook-variomedia.fullname" . }}:flowcontrol-solver
subjects:
- apiGroup: ""
kind: ServiceAccount
name: {{ include "cert-manager-webhook-variomedia.fullname" . }}
namespace: {{ .Values.certManager.namespace | quote }}
{{- end }}
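Review bot: The `secret-reader` Role pins `resourceNames` to the literal `variomedia-credentials`, which no key in this commit's values.yaml exposes, so a credentials Secret stored under any other name produces a forbidden error at challenge time even if the issuer configuration points at it (how the webhook chooses the Secret name is outside this page, so that part is inferred). Restricting by name is the right least-privilege shape; keeping it while letting the name be chosen is a one-line change such as `- {{ .Values.credentialsSecretName | default "variomedia-credentials" | quote }}` (value name constructed), documented in values.yaml. The `:secret-reader` Role and RoleBinding also lack the `app`/`chart`/`release`/`heritage` labels that every other object in this file carries, which matters for anyone selecting the chart's objects by label.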


@@ -0,0 +1,20 @@
apiVersion: v1
kind: Service
metadata:
name: {{ include "cert-manager-webhook-variomedia.fullname" . }}
namespace: {{ .Values.certManager.namespace | quote }}
labels:
app: {{ include "cert-manager-webhook-variomedia.name" . }}
chart: {{ include "cert-manager-webhook-variomedia.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
type: {{ .Values.service.type }}
ports:
- port: {{ .Values.service.port }}
targetPort: https
protocol: TCP
name: https
selector:
app: {{ include "cert-manager-webhook-variomedia.name" . }}
release: {{ .Release.Name }}


@@ -0,0 +1,79 @@
# Default values for cert-manager-webhook-variomedia.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
replicaCount: 1
certManager:
namespace: cert-manager
serviceAccountName: cert-manager
groupName: acme.cert-manager-webhook-variomedia.local
image:
repository: ''
image: cert-manager-webhook-variomedia
tag: "v1.1.0"
pullPolicy: IfNotPresent
imagePullSecrets: []
logLevel: 6
nameOverride: ""
fullnameOverride: ""
serviceAccount:
# Specifies whether a service account should be created
create: true
# Annotations to add to the service account
annotations: {}
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
podAnnotations: {}
podSecurityContext: {}
# fsGroup: 2000
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
service:
type: ClusterIP
port: 443
features:
apiPriorityAndFairness: false
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
autoscaling:
enabled: false
minReplicas: 1
maxReplicas: 100
targetCPUUtilizationPercentage: 80
# targetMemoryUtilizationPercentage: 80
nodeSelector: {}
tolerations: []
affinity: {}
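Review bot: `logLevel: 6` is a verbose default for a process that holds the Variomedia API credential, and deployment.yaml passes it straight through as `--v=`; what is actually written at that verbosity depends on the webhook's own logging calls, which are not on this page, so confirm that no credential or API response body is emitted at level 6 before shipping it as the default, or default to something like `logLevel: 2` and document that higher values are for troubleshooting. Quoting is mixed as well: `repository: ''` uses single quotes while `nameOverride`, `fullnameOverride` and `serviceAccount.name` use `""`; pick one form. The commented `securityContext` block already lists sensible hardening values (drop ALL, readOnlyRootFilesystem, runAsNonRoot); once the Deployment template renders the key, those are worth enabling by default rather than leaving as a comment.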