godaddy

charts/godaddy-webhook/0.2.0/.helmignore

@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/godaddy-webhook/0.2.0/Chart.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+appVersion: "0.2"
+description: A Helm chart for Kubernetes
+name: godaddy-webhook
+version: 0.2.0

charts/godaddy-webhook/0.2.0/extra/clusterissuer.yml

@@ -0,0 +1,42 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-prod
+spec:
+  acme:
+    # ACME Server
+    # prod : https://acme-v02.api.letsencrypt.org/directory
+    # staging : https://acme-staging-v02.api.letsencrypt.org/directory
+    server: https://acme-v02.api.letsencrypt.org/directory 
+    # ACME Email address
+    email: marius@ensrud.net
+    privateKeySecretRef:
+      name: letsencrypt-prod # staging or production
+    solvers:
+    - selector:
+        dnsZones:
+        - 'bassengvegen.com'
+        - 'app.bassengvegen.com'
+        - 'dyn.bassengvegen.com'
+        - 'dogella.com'
+      dns01:
+        webhook:
+          config:
+            apiKeySecretRef:
+              name: godaddy-api-key
+              key: token
+            production: true
+            ttl: 600
+          groupName: acme.bassengvegen.com
+          solverName: godaddy
+    - selector:
+        dnsZones:
+        - "ensrud.net"
+        - 'jorunnkvam.no'
+        - 'krystallen-a401.com'
+      dns01:
+        cloudflare:
+          email: marius@ensrud.net
+          apiKeySecretRef:
+            name: cloudflare-apikey
+            key: api-key

charts/godaddy-webhook/0.2.0/extra/ensrud.net.yml

@@ -0,0 +1,12 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: ensrud.net
+spec:
+  secretName: wildcard-ensrud.net-tls
+  renewBefore: 240h
+  dnsNames:
+  - "*.ensrud.net"
+  issuerRef:
+    name: letsencrypt-prod
+    kind: ClusterIssuer

charts/godaddy-webhook/0.2.0/extra/test.ensrud.net.yml

@@ -0,0 +1,12 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: test.ensrud.net
+spec:
+  secretName: test.ensrud.net-tls
+  renewBefore: 240h
+  dnsNames:
+  - test.ensrud.net
+  issuerRef:
+    name: letsencrypt-prod
+    kind: ClusterIssuer

charts/godaddy-webhook/0.2.0/extra/wildcard-app.bassengvegen.com.yml

@@ -0,0 +1,12 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: wildcard-app-bassengvegen.com
+spec:
+  secretName: wildcard-app-bassengvegen.com-tls
+  renewBefore: 240h
+  dnsNames:
+  - '*.app.bassengvegen.com'
+  issuerRef:
+    name: letsencrypt-prod
+    kind: ClusterIssuer

charts/godaddy-webhook/0.2.0/extra/wildcard-bassengvegen.com.yml

@@ -0,0 +1,12 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: wildcard-bassengvegen.com
+spec:
+  secretName: wildcard-bassengvegen.com-tls
+  renewBefore: 240h
+  dnsNames:
+  - '*.bassengvegen.com'
+  issuerRef:
+    name: letsencrypt-prod
+    kind: ClusterIssuer

charts/godaddy-webhook/0.2.0/extra/wildcard-dogella.com.yml

@@ -0,0 +1,12 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: wildcard-dogella.com
+spec:
+  secretName: wildcard-dogella.com-tls
+  renewBefore: 240h
+  dnsNames:
+  - '*.dogella.com'
+  issuerRef:
+    name: letsencrypt-prod
+    kind: ClusterIssuer

charts/godaddy-webhook/0.2.0/extra/wildcard-jorunnkvam.no.yml

@@ -0,0 +1,12 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: wildcard-jorunnkvam.no
+spec:
+  secretName: wildcard-jorunnkvam.no-tls
+  renewBefore: 240h
+  dnsNames:
+  - '*.jorunnkvam.no'
+  issuerRef:
+    name: letsencrypt-prod
+    kind: ClusterIssuer

charts/godaddy-webhook/0.2.0/templates/_helpers.tpl

@@ -0,0 +1,64 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "godaddy-webhook.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "godaddy-webhook.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "godaddy-webhook.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "godaddy-webhook.labels" -}}
+app.kubernetes.io/name: {{ include "godaddy-webhook.name" . }}
+helm.sh/chart: {{ include "godaddy-webhook.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{/*
+PKI
+*/}}
+{{- define "godaddy-webhook.selfSignedIssuer" -}}
+{{ printf "%s-selfsign" (include "godaddy-webhook.fullname" .) }}
+{{- end -}}
+
+{{- define "godaddy-webhook.rootCAIssuer" -}}
+{{ printf "%s-ca" (include "godaddy-webhook.fullname" .) }}
+{{- end -}}
+
+{{- define "godaddy-webhook.rootCACertificate" -}}
+{{ printf "%s-ca" (include "godaddy-webhook.fullname" .) }}
+{{- end -}}
+
+{{- define "godaddy-webhook.servingCertificate" -}}
+{{ printf "%s-webhook-tls" (include "godaddy-webhook.fullname" .) }}
+{{- end -}}

charts/godaddy-webhook/0.2.0/templates/apiservice.yaml

@@ -0,0 +1,16 @@
+apiVersion: apiregistration.k8s.io/v1
+kind: APIService
+metadata:
+  name: v1alpha1.{{ .Values.groupName }}
+  labels:
+{{ include "godaddy-webhook.labels" . | indent 4 }}
+  annotations:
+    cert-manager.io/inject-ca-from: "{{ .Release.Namespace }}/{{ include "godaddy-webhook.servingCertificate" . }}"
+spec:
+  group: {{ .Values.groupName }}
+  groupPriorityMinimum: 1000
+  versionPriority: 15
+  service:
+    name: {{ include "godaddy-webhook.fullname" . }}
+    namespace: {{ .Release.Namespace }}
+  version: v1alpha1

charts/godaddy-webhook/0.2.0/templates/deployment.yaml

@@ -0,0 +1,69 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "godaddy-webhook.fullname" . }}
+  labels:
+{{ include "godaddy-webhook.labels" . | indent 4 }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: {{ include "godaddy-webhook.name" . }}
+      app.kubernetes.io/instance: {{ .Release.Name }}
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: {{ include "godaddy-webhook.name" . }}
+        app.kubernetes.io/instance: {{ .Release.Name }}
+    spec:
+      serviceAccountName: {{ include "godaddy-webhook.fullname" . }}
+    {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
+      containers:
+        - name: {{ .Chart.Name }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          args:
+            - --tls-cert-file=/tls/tls.crt
+            - --tls-private-key-file=/tls/tls.key
+          env:
+            - name: GROUP_NAME
+              value: {{ .Values.groupName | quote }}
+          ports:
+            - name: https
+              containerPort: 443
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              scheme: HTTPS
+              path: /healthz
+              port: https
+          readinessProbe:
+            httpGet:
+              scheme: HTTPS
+              path: /healthz
+              port: https
+          volumeMounts:
+            - name: certs
+              mountPath: /tls
+              readOnly: true
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+      volumes:
+        - name: certs
+          secret:
+            secretName: {{ include "godaddy-webhook.servingCertificate" . }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
+    {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}

charts/godaddy-webhook/0.2.0/templates/pki.yaml

@@ -0,0 +1,64 @@
+---
+# Create a selfsigned Issuer, in order to create a root CA certificate for
+# signing webhook serving certificates
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ include "godaddy-webhook.selfSignedIssuer" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+{{ include "godaddy-webhook.labels" . | indent 4 }}
+spec:
+  selfSigned: {}
+
+---
+
+# Generate a CA Certificate used to sign certificates for the webhook
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ include "godaddy-webhook.rootCACertificate" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+{{ include "godaddy-webhook.labels" . | indent 4 }}
+spec:
+  secretName: {{ include "godaddy-webhook.rootCACertificate" . }}
+  duration: 43800h # 5y
+  issuerRef:
+    name: {{ include "godaddy-webhook.selfSignedIssuer" . }}
+  commonName: "ca.godaddy-webhook.cert-manager"
+  isCA: true
+
+---
+
+# Create an Issuer that uses the above generated CA certificate to issue certs
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ include "godaddy-webhook.rootCAIssuer" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+{{ include "godaddy-webhook.labels" . | indent 4 }}
+spec:
+  ca:
+    secretName: {{ include "godaddy-webhook.rootCACertificate" . }}
+
+---
+
+# Finally, generate a serving certificate for the webhook to use
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ include "godaddy-webhook.servingCertificate" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+{{ include "godaddy-webhook.labels" . | indent 4 }}
+spec:
+  secretName: {{ include "godaddy-webhook.servingCertificate" . }}
+  duration: 8760h # 1y
+  issuerRef:
+    name: {{ include "godaddy-webhook.rootCAIssuer" . }}
+  dnsNames:
+  - {{ include "godaddy-webhook.fullname" . }}
+  - {{ include "godaddy-webhook.fullname" . }}.{{ .Release.Namespace }}
+  - {{ include "godaddy-webhook.fullname" . }}.{{ .Release.Namespace }}.svc

charts/godaddy-webhook/0.2.0/templates/rbac.yaml

@@ -0,0 +1,105 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "godaddy-webhook.fullname" . }}
+  labels:
+{{ include "godaddy-webhook.labels" . | indent 4 }}
+---
+# Grant the webhook permission to read the ConfigMap containing the Kubernetes
+# apiserver's requestheader-ca-certificate.
+# This ConfigMap is automatically created by the Kubernetes apiserver.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "godaddy-webhook.fullname" . }}:webhook-authentication-reader
+  namespace: kube-system
+  labels:
+{{ include "godaddy-webhook.labels" . | indent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: extension-apiserver-authentication-reader
+subjects:
+  - apiGroup: ""
+    kind: ServiceAccount
+    name: {{ include "godaddy-webhook.fullname" . }}
+    namespace: {{ .Release.Namespace }}
+---
+# apiserver gets the auth-delegator role to delegate auth decisions to
+# the core apiserver
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "godaddy-webhook.fullname" . }}:auth-delegator
+  labels:
+{{ include "godaddy-webhook.labels" . | indent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:auth-delegator
+subjects:
+  - apiGroup: ""
+    kind: ServiceAccount
+    name: {{ include "godaddy-webhook.fullname" . }}
+    namespace: {{ .Release.Namespace }}
+---
+# Grant cert-manager permission to validate using our apiserver
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "godaddy-webhook.fullname" . }}:domain-solver
+  labels:
+{{ include "godaddy-webhook.labels" . | indent 4 }}
+rules:
+  - apiGroups:
+      - {{ .Values.groupName }}
+    resources:
+      - '*'
+    verbs:
+      - 'create'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "godaddy-webhook.fullname" . }}:domain-solver
+  labels:
+{{ include "godaddy-webhook.labels" . | indent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "godaddy-webhook.fullname" . }}:domain-solver
+subjects:
+  - apiGroup: ""
+    kind: ServiceAccount
+    name: {{ .Values.certManager.serviceAccountName }}
+    namespace: {{ .Values.certManager.namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "godaddy-webhook.fullname" . }}
+  labels:
+{{ include "godaddy-webhook.labels" . | indent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "godaddy-webhook.fullname" . }}
+subjects:
+  - apiGroup: ""
+    kind: ServiceAccount
+    name: {{ include "godaddy-webhook.fullname" . }}
+    namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "godaddy-webhook.fullname" . }}
+  labels:
+{{ include "godaddy-webhook.labels" . | indent 4 }}
+rules:
+  - apiGroups:
+      - ''
+    resources:
+      - 'secrets'
+    verbs:
+      - 'get'

charts/godaddy-webhook/0.2.0/templates/service.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "godaddy-webhook.fullname" . }}
+  labels:
+{{ include "godaddy-webhook.labels" . | indent 4 }}
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+    - port: {{ .Values.service.port }}
+      targetPort: https
+      protocol: TCP
+      name: https
+  selector:
+    app.kubernetes.io/name: {{ include "godaddy-webhook.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}

charts/godaddy-webhook/0.2.0/values.yaml

@@ -0,0 +1,32 @@
+# Default values for godaddy-webhook.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+replicaCount: 1
+
+image:
+  repository: quay.io/snowdrop/cert-manager-webhook-godaddy
+  tag: latest
+  pullPolicy: IfNotPresent
+
+groupName: acme.bassengvegen.com
+
+certManager:
+  namespace: cert-manager
+  serviceAccountName: cert-manager
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+service:
+  type: ClusterIP
+  port: 443
+
+resources: {}
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}