From 58d0e1531eb614cba2c13a2c485270d9e0e51ffa Mon Sep 17 00:00:00 2001 
From: Marius Ensrud Date: Wed, 11 Aug 2021 14:17:42 +0200 Subject: [PATCH] godaddy --- charts/godaddy-webhook/0.2.0/.helmignore | 22 ++++ charts/godaddy-webhook/0.2.0/Chart.yaml | 5 + .../0.2.0/extra/clusterissuer.yml | 42 +++++++ .../0.2.0/extra/ensrud.net.yml | 12 ++ .../0.2.0/extra/test.ensrud.net.yml | 12 ++ .../extra/wildcard-app.bassengvegen.com.yml | 12 ++ .../0.2.0/extra/wildcard-bassengvegen.com.yml | 12 ++ .../0.2.0/extra/wildcard-dogella.com.yml | 12 ++ .../0.2.0/extra/wildcard-jorunnkvam.no.yml | 12 ++ .../godaddy-webhook/0.2.0/templates/NOTES.txt | 0 .../0.2.0/templates/_helpers.tpl | 64 +++++++++++ .../0.2.0/templates/apiservice.yaml | 16 +++ .../0.2.0/templates/deployment.yaml | 69 ++++++++++++ .../godaddy-webhook/0.2.0/templates/pki.yaml | 64 +++++++++++ .../godaddy-webhook/0.2.0/templates/rbac.yaml | 105 ++++++++++++++++++ .../0.2.0/templates/service.yaml | 16 +++ charts/godaddy-webhook/0.2.0/values.yaml | 32 ++++++ 17 files changed, 507 insertions(+) create mode 100644 charts/godaddy-webhook/0.2.0/.helmignore create mode 100644 charts/godaddy-webhook/0.2.0/Chart.yaml create mode 100644 charts/godaddy-webhook/0.2.0/extra/clusterissuer.yml create mode 100644 charts/godaddy-webhook/0.2.0/extra/ensrud.net.yml create mode 100644 charts/godaddy-webhook/0.2.0/extra/test.ensrud.net.yml create mode 100644 charts/godaddy-webhook/0.2.0/extra/wildcard-app.bassengvegen.com.yml create mode 100644 charts/godaddy-webhook/0.2.0/extra/wildcard-bassengvegen.com.yml create mode 100644 charts/godaddy-webhook/0.2.0/extra/wildcard-dogella.com.yml create mode 100644 charts/godaddy-webhook/0.2.0/extra/wildcard-jorunnkvam.no.yml create mode 100644 charts/godaddy-webhook/0.2.0/templates/NOTES.txt create mode 100644 charts/godaddy-webhook/0.2.0/templates/_helpers.tpl create mode 100644 charts/godaddy-webhook/0.2.0/templates/apiservice.yaml create mode 100644 charts/godaddy-webhook/0.2.0/templates/deployment.yaml create mode 100644 
charts/godaddy-webhook/0.2.0/templates/pki.yaml create mode 100644 charts/godaddy-webhook/0.2.0/templates/rbac.yaml create mode 100644 charts/godaddy-webhook/0.2.0/templates/service.yaml create mode 100644 charts/godaddy-webhook/0.2.0/values.yaml
diff --git a/charts/godaddy-webhook/0.2.0/.helmignore b/charts/godaddy-webhook/0.2.0/.helmignore new file mode 100644
index 0000000..50af031
--- /dev/null
+++ b/charts/godaddy-webhook/0.2.0/.helmignore
@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/godaddy-webhook/0.2.0/Chart.yaml b/charts/godaddy-webhook/0.2.0/Chart.yaml new file mode 100644
index 0000000..5a2e8eb
--- /dev/null
+++ b/charts/godaddy-webhook/0.2.0/Chart.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+appVersion: "0.2"
+description: A Helm chart for Kubernetes
+name: godaddy-webhook
+version: 0.2.0
diff --git a/charts/godaddy-webhook/0.2.0/extra/clusterissuer.yml b/charts/godaddy-webhook/0.2.0/extra/clusterissuer.yml new file mode 100644
index 0000000..0b2f0ea
--- /dev/null
+++ b/charts/godaddy-webhook/0.2.0/extra/clusterissuer.yml
@@ -0,0 +1,42 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-prod
+spec:
+ acme:
+ # ACME Server
+ # prod : https://acme-v02.api.letsencrypt.org/directory
+ # staging : https://acme-staging-v02.api.letsencrypt.org/directory
+ server: https://acme-v02.api.letsencrypt.org/directory
+ # ACME Email address
+ email: marius@ensrud.net
+ privateKeySecretRef:
+ name: letsencrypt-prod # staging or production
+ solvers:
+ - selector:
+ dnsZones:
+ - 'bassengvegen.com'
+ - 'app.bassengvegen.com'
+ - 'dyn.bassengvegen.com'
+ - 'dogella.com'
+ dns01:
+ webhook:
+ config:
+ apiKeySecretRef:
+ name: godaddy-api-key
+ key: token
+ production: true
+ ttl: 600
+ groupName: acme.bassengvegen.com
+ solverName: godaddy
+ - selector:
+ dnsZones:
+ - "ensrud.net"
+ - 'jorunnkvam.no'
+ - 'krystallen-a401.com'
+ dns01:
+ cloudflare:
+ email: marius@ensrud.net
+ apiKeySecretRef:
+ name: cloudflare-apikey
+ key: api-key
diff --git a/charts/godaddy-webhook/0.2.0/extra/ensrud.net.yml b/charts/godaddy-webhook/0.2.0/extra/ensrud.net.yml new file mode 100644
index 0000000..52b3172
--- /dev/null
+++ b/charts/godaddy-webhook/0.2.0/extra/ensrud.net.yml
@@ -0,0 +1,12 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: ensrud.net
+spec:
+ secretName: wildcard-ensrud.net-tls
+ renewBefore: 240h
+ dnsNames:
+ - "*.ensrud.net"
+ issuerRef:
+ name: letsencrypt-prod
+ kind: ClusterIssuer
diff --git a/charts/godaddy-webhook/0.2.0/extra/test.ensrud.net.yml b/charts/godaddy-webhook/0.2.0/extra/test.ensrud.net.yml new file mode 100644
index 0000000..6db758c
--- /dev/null
+++ b/charts/godaddy-webhook/0.2.0/extra/test.ensrud.net.yml
@@ -0,0 +1,12 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: test.ensrud.net
+spec:
+ secretName: test.ensrud.net-tls
+ renewBefore: 240h
+ dnsNames:
+ - test.ensrud.net
+ issuerRef:
+ name: letsencrypt-prod
+ kind: ClusterIssuer
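Review bot: The second solver authenticates to Cloudflare with `email` plus `apiKeySecretRef`, which in cert-manager's `dns01.cloudflare` solver is the account-wide Global API Key, so whoever can read the `cloudflare-apikey` Secret gets full control of the Cloudflare account rather than DNS on the three listed zones. The solver also accepts `apiTokenSecretRef`; an API token scoped to Zone:DNS:Edit on those zones should replace the `email` and `apiKeySecretRef` lines, e.g. `apiTokenSecretRef:` followed by the `name:` and `key:` of the Secret holding that token. Because this is a ClusterIssuer, both `godaddy-api-key` and the Cloudflare Secret are looked up in cert-manager's cluster-resource namespace (by default the namespace cert-manager runs in), which deserves a comment next to `apiKeySecretRef` since it is not the namespace this chart is released into.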
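Review bot: This wildcard Certificate sets `renewBefore` but no `privateKey.rotationPolicy`, so on cert-manager releases whose default is `Never` the same private key is reused at every renewal of a certificate valid for every `*.ensrud.net` host; adding `privateKey:` / `  rotationPolicy: Always` under `spec` makes each renewal generate a fresh key. `renewBefore: 240h` against Let's Encrypt's 90-day certificates leaves only ten days to recover from a DNS-01 failure, noticeably less than cert-manager's default of one third of the lifetime, so the value is worth a comment or a raise. The same two points apply to the other Certificate manifests under `extra/`.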
diff --git a/charts/godaddy-webhook/0.2.0/extra/wildcard-app.bassengvegen.com.yml b/charts/godaddy-webhook/0.2.0/extra/wildcard-app.bassengvegen.com.yml new file mode 100644
index 0000000..2bd08be
--- /dev/null
+++ b/charts/godaddy-webhook/0.2.0/extra/wildcard-app.bassengvegen.com.yml
@@ -0,0 +1,12 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: wildcard-app-bassengvegen.com
+spec:
+ secretName: wildcard-app-bassengvegen.com-tls
+ renewBefore: 240h
+ dnsNames:
+ - '*.app.bassengvegen.com'
+ issuerRef:
+ name: letsencrypt-prod
+ kind: ClusterIssuer
diff --git a/charts/godaddy-webhook/0.2.0/extra/wildcard-bassengvegen.com.yml b/charts/godaddy-webhook/0.2.0/extra/wildcard-bassengvegen.com.yml new file mode 100644
index 0000000..f873e08
--- /dev/null
+++ b/charts/godaddy-webhook/0.2.0/extra/wildcard-bassengvegen.com.yml
@@ -0,0 +1,12 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: wildcard-bassengvegen.com
+spec:
+ secretName: wildcard-bassengvegen.com-tls
+ renewBefore: 240h
+ dnsNames:
+ - '*.bassengvegen.com'
+ issuerRef:
+ name: letsencrypt-prod
+ kind: ClusterIssuer
diff --git a/charts/godaddy-webhook/0.2.0/extra/wildcard-dogella.com.yml b/charts/godaddy-webhook/0.2.0/extra/wildcard-dogella.com.yml new file mode 100644
index 0000000..8e16e73
--- /dev/null
+++ b/charts/godaddy-webhook/0.2.0/extra/wildcard-dogella.com.yml
@@ -0,0 +1,12 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: wildcard-dogella.com
+spec:
+ secretName: wildcard-dogella.com-tls
+ renewBefore: 240h
+ dnsNames:
+ - '*.dogella.com'
+ issuerRef:
+ name: letsencrypt-prod
+ kind: ClusterIssuer
diff --git a/charts/godaddy-webhook/0.2.0/extra/wildcard-jorunnkvam.no.yml b/charts/godaddy-webhook/0.2.0/extra/wildcard-jorunnkvam.no.yml new file mode 100644
index 0000000..3e742ef
--- /dev/null
+++ b/charts/godaddy-webhook/0.2.0/extra/wildcard-jorunnkvam.no.yml
@@ -0,0 +1,12 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: wildcard-jorunnkvam.no
+spec:
+ secretName: wildcard-jorunnkvam.no-tls
+ renewBefore: 240h
+ dnsNames:
+ - '*.jorunnkvam.no'
+ issuerRef:
+ name: letsencrypt-prod
+ kind: ClusterIssuer
diff --git a/charts/godaddy-webhook/0.2.0/templates/NOTES.txt b/charts/godaddy-webhook/0.2.0/templates/NOTES.txt new file mode 100644
index 0000000..e69de29
diff --git a/charts/godaddy-webhook/0.2.0/templates/_helpers.tpl b/charts/godaddy-webhook/0.2.0/templates/_helpers.tpl new file mode 100644
index 0000000..fe851b1
--- /dev/null
+++ b/charts/godaddy-webhook/0.2.0/templates/_helpers.tpl
@@ -0,0 +1,64 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "godaddy-webhook.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "godaddy-webhook.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "godaddy-webhook.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "godaddy-webhook.labels" -}}
+app.kubernetes.io/name: {{ include "godaddy-webhook.name" . }}
+helm.sh/chart: {{ include "godaddy-webhook.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{/*
+PKI
+*/}}
+{{- define "godaddy-webhook.selfSignedIssuer" -}}
+{{ printf "%s-selfsign" (include "godaddy-webhook.fullname" .) }}
+{{- end -}}
+
+{{- define "godaddy-webhook.rootCAIssuer" -}}
+{{ printf "%s-ca" (include "godaddy-webhook.fullname" .) }}
+{{- end -}}
+
+{{- define "godaddy-webhook.rootCACertificate" -}}
+{{ printf "%s-ca" (include "godaddy-webhook.fullname" .) 
}}
+{{- end -}}
+
+{{- define "godaddy-webhook.servingCertificate" -}}
+{{ printf "%s-webhook-tls" (include "godaddy-webhook.fullname" .) }}
+{{- end -}}
diff --git a/charts/godaddy-webhook/0.2.0/templates/apiservice.yaml b/charts/godaddy-webhook/0.2.0/templates/apiservice.yaml new file mode 100644
index 0000000..6289aad
--- /dev/null
+++ b/charts/godaddy-webhook/0.2.0/templates/apiservice.yaml
@@ -0,0 +1,16 @@
+apiVersion: apiregistration.k8s.io/v1
+kind: APIService
+metadata:
+ name: v1alpha1.{{ .Values.groupName }}
+ labels:
+{{ include "godaddy-webhook.labels" . | indent 4 }}
+ annotations:
+ cert-manager.io/inject-ca-from: "{{ .Release.Namespace }}/{{ include "godaddy-webhook.servingCertificate" . }}"
+spec:
+ group: {{ .Values.groupName }}
+ groupPriorityMinimum: 1000
+ versionPriority: 15
+ service:
+ name: {{ include "godaddy-webhook.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ version: v1alpha1
diff --git a/charts/godaddy-webhook/0.2.0/templates/deployment.yaml b/charts/godaddy-webhook/0.2.0/templates/deployment.yaml new file mode 100644
index 0000000..b275df6
--- /dev/null
+++ b/charts/godaddy-webhook/0.2.0/templates/deployment.yaml
@@ -0,0 +1,69 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "godaddy-webhook.fullname" . }}
+ labels:
+{{ include "godaddy-webhook.labels" . | indent 4 }}
+spec:
+ replicas: {{ .Values.replicaCount }}
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: {{ include "godaddy-webhook.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: {{ include "godaddy-webhook.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ spec:
+ serviceAccountName: {{ include "godaddy-webhook.fullname" . }}
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ containers:
+ - name: {{ .Chart.Name }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ args:
+ - --tls-cert-file=/tls/tls.crt
+ - --tls-private-key-file=/tls/tls.key
+ env:
+ - name: GROUP_NAME
+ value: {{ .Values.groupName | quote }}
+ ports:
+ - name: https
+ containerPort: 443
+ protocol: TCP
+ livenessProbe:
+ httpGet:
+ scheme: HTTPS
+ path: /healthz
+ port: https
+ readinessProbe:
+ httpGet:
+ scheme: HTTPS
+ path: /healthz
+ port: https
+ volumeMounts:
+ - name: certs
+ mountPath: /tls
+ readOnly: true
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
+ volumes:
+ - name: certs
+ secret:
+ secretName: {{ include "godaddy-webhook.servingCertificate" . }}
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
diff --git a/charts/godaddy-webhook/0.2.0/templates/pki.yaml b/charts/godaddy-webhook/0.2.0/templates/pki.yaml new file mode 100644
index 0000000..3e68b29
--- /dev/null
+++ b/charts/godaddy-webhook/0.2.0/templates/pki.yaml
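Review bot: The container that holds the GoDaddy API key in memory and serves the webhook runs with no pod or container `securityContext`, so it gets whatever user the image defaults to, a writable root filesystem and the full default capability set. A hardened baseline belongs next to `image:` in the container spec, and the pod-level `seccompProfile` next to `serviceAccountName`. Note that `containerPort: 443` is a privileged port, so `runAsNonRoot` will only work if the image already drops to an unprivileged user that can bind it (via `net.ipv4.ip_unprivileged_port_start` or retained `NET_BIND_SERVICE`) or the server is moved to a high port, which I have not verified for `quay.io/snowdrop/cert-manager-webhook-godaddy`; `resources: {}` from values.yaml should also get a limit so a misbehaving solver cannot starve the node.
```yaml
    spec:
      serviceAccountName: {{ include "godaddy-webhook.fullname" . }}
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      # … unchanged: imagePullSecrets …
      containers:
        - name: {{ .Chart.Name }}
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          # … unchanged: imagePullPolicy, args, env, ports, probes, volumeMounts, resources …
```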
@@ -0,0 +1,64 @@
+---
+# Create a selfsigned Issuer, in order to create a root CA certificate for
+# signing webhook serving certificates
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: {{ include "godaddy-webhook.selfSignedIssuer" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+{{ include "godaddy-webhook.labels" . | indent 4 }}
+spec:
+ selfSigned: {}
+
+---
+
+# Generate a CA Certificate used to sign certificates for the webhook
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ include "godaddy-webhook.rootCACertificate" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+{{ include "godaddy-webhook.labels" . | indent 4 }}
+spec:
+ secretName: {{ include "godaddy-webhook.rootCACertificate" . }}
+ duration: 43800h # 5y
+ issuerRef:
+ name: {{ include "godaddy-webhook.selfSignedIssuer" . }}
+ commonName: "ca.godaddy-webhook.cert-manager"
+ isCA: true
+
+---
+
+# Create an Issuer that uses the above generated CA certificate to issue certs
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: {{ include "godaddy-webhook.rootCAIssuer" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+{{ include "godaddy-webhook.labels" . | indent 4 }}
+spec:
+ ca:
+ secretName: {{ include "godaddy-webhook.rootCACertificate" . }}
+
+---
+
+# Finally, generate a serving certificate for the webhook to use
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ include "godaddy-webhook.servingCertificate" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+{{ include "godaddy-webhook.labels" . | indent 4 }}
+spec:
+ secretName: {{ include "godaddy-webhook.servingCertificate" . }}
+ duration: 8760h # 1y
+ issuerRef:
+ name: {{ include "godaddy-webhook.rootCAIssuer" . }}
+ dnsNames:
+ - {{ include "godaddy-webhook.fullname" . }}
+ - {{ include "godaddy-webhook.fullname" . }}.{{ .Release.Namespace }}
+ - {{ include "godaddy-webhook.fullname" . }}.{{ .Release.Namespace }}.svc
diff --git a/charts/godaddy-webhook/0.2.0/templates/rbac.yaml b/charts/godaddy-webhook/0.2.0/templates/rbac.yaml new file mode 100644
index 0000000..2d0fa02
--- /dev/null
+++ b/charts/godaddy-webhook/0.2.0/templates/rbac.yaml
@@ -0,0 +1,105 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "godaddy-webhook.fullname" . }}
+ labels:
+{{ include "godaddy-webhook.labels" . | indent 4 }}
+---
+# Grant the webhook permission to read the ConfigMap containing the Kubernetes
+# apiserver's requestheader-ca-certificate.
+# This ConfigMap is automatically created by the Kubernetes apiserver.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "godaddy-webhook.fullname" . }}:webhook-authentication-reader
+ namespace: kube-system
+ labels:
+{{ include "godaddy-webhook.labels" . | indent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: extension-apiserver-authentication-reader
+subjects:
+ - apiGroup: ""
+ kind: ServiceAccount
+ name: {{ include "godaddy-webhook.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+---
+# apiserver gets the auth-delegator role to delegate auth decisions to
+# the core apiserver
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "godaddy-webhook.fullname" . }}:auth-delegator
+ labels:
+{{ include "godaddy-webhook.labels" . | indent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:auth-delegator
+subjects:
+ - apiGroup: ""
+ kind: ServiceAccount
+ name: {{ include "godaddy-webhook.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+---
+# Grant cert-manager permission to validate using our apiserver
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "godaddy-webhook.fullname" . }}:domain-solver
+ labels:
+{{ include "godaddy-webhook.labels" . | indent 4 }}
+rules:
+ - apiGroups:
+ - {{ .Values.groupName }}
+ resources:
+ - '*'
+ verbs:
+ - 'create'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "godaddy-webhook.fullname" . }}:domain-solver
+ labels:
+{{ include "godaddy-webhook.labels" . 
| indent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ include "godaddy-webhook.fullname" . }}:domain-solver
+subjects:
+ - apiGroup: ""
+ kind: ServiceAccount
+ name: {{ .Values.certManager.serviceAccountName }}
+ namespace: {{ .Values.certManager.namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "godaddy-webhook.fullname" . }}
+ labels:
+{{ include "godaddy-webhook.labels" . | indent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ include "godaddy-webhook.fullname" . }}
+subjects:
+ - apiGroup: ""
+ kind: ServiceAccount
+ name: {{ include "godaddy-webhook.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "godaddy-webhook.fullname" . }}
+ labels:
+{{ include "godaddy-webhook.labels" . | indent 4 }}
+rules:
+ - apiGroups:
+ - ''
+ resources:
+ - 'secrets'
+ verbs:
+ - 'get'
diff --git a/charts/godaddy-webhook/0.2.0/templates/service.yaml b/charts/godaddy-webhook/0.2.0/templates/service.yaml new file mode 100644
index 0000000..5c376b8
--- /dev/null
+++ b/charts/godaddy-webhook/0.2.0/templates/service.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "godaddy-webhook.fullname" . }}
+ labels:
+{{ include "godaddy-webhook.labels" . | indent 4 }}
+spec:
+ type: {{ .Values.service.type }}
+ ports:
+ - port: {{ .Values.service.port }}
+ targetPort: https
+ protocol: TCP
+ name: https
+ selector:
+ app.kubernetes.io/name: {{ include "godaddy-webhook.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
diff --git a/charts/godaddy-webhook/0.2.0/values.yaml b/charts/godaddy-webhook/0.2.0/values.yaml new file mode 100644
index 0000000..548b1f3
--- /dev/null
+++ b/charts/godaddy-webhook/0.2.0/values.yaml
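Review bot: The last two documents bind the webhook's ServiceAccount to a ClusterRole granting `get` on `secrets` in every namespace, so a compromise of this one pod (or of an APIService caller that can reach it) reads any Secret in the cluster, including the Let's Encrypt account key, every issued TLS key and whatever other workloads store. The webhook only needs the `apiKeySecretRef` Secret that cert-manager resolves for the issuer, which for the ClusterIssuer shipped under `extra/` lives in cert-manager's cluster-resource namespace (`.Values.certManager.namespace` by default); a namespaced Role and RoleBinding there are sufficient, and if namespaced Issuers must also be supported the chart should document that a further RoleBinding is needed per Issuer namespace rather than fall back to cluster scope. The `resourceNames` field could narrow it further once the Secret name is made a chart value.
```yaml
---
# The webhook only reads the GoDaddy API-key Secret referenced by the issuer;
# for a ClusterIssuer that Secret lives in cert-manager's cluster-resource
# namespace, so scope the grant there instead of cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ include "godaddy-webhook.fullname" . }}
  namespace: {{ .Values.certManager.namespace }}
  labels:
{{ include "godaddy-webhook.labels" . | indent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ include "godaddy-webhook.fullname" . }}
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: {{ include "godaddy-webhook.fullname" . }}
    namespace: {{ .Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ include "godaddy-webhook.fullname" . }}
  namespace: {{ .Values.certManager.namespace }}
  labels:
{{ include "godaddy-webhook.labels" . | indent 4 }}
rules:
  - apiGroups:
      - ''
    resources:
      - 'secrets'
    verbs:
      - 'get'
```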
@@ -0,0 +1,32 @@
+# Default values for godaddy-webhook.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+replicaCount: 1
+
+image:
+ repository: quay.io/snowdrop/cert-manager-webhook-godaddy
+ tag: latest
+ pullPolicy: IfNotPresent
+
+groupName: acme.bassengvegen.com
+
+certManager:
+ namespace: cert-manager
+ serviceAccountName: cert-manager
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+service:
+ type: ClusterIP
+ port: 443
+
+resources: {}
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
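Review bot: `tag: latest` combined with `pullPolicy: IfNotPresent` means the component that holds the GoDaddy API key and is trusted by the API server runs whatever image happened to be cached on each node, with no way to audit which code was deployed or to notice a silently re-pushed tag. Pin `tag` to the release that `appVersion` in Chart.yaml refers to, or better to an immutable `@sha256:` digest (which needs the deployment template to join `repository` and `tag` with `@` instead of `:`), and leave `latest` out of the defaults entirely. Defaulting `groupName` to the author's own domain is harmless but worth a comment telling installers to override it with a domain they control, since the APIService name and the `domain-solver` ClusterRole are keyed on it.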