diff --git a/charts/godaddy-webhook/0.1.0/.helmignore b/charts/godaddy-webhook/0.1.0/.helmignore
new file mode 100644
index 0000000..50af031
--- /dev/null
+++ b/charts/godaddy-webhook/0.1.0/.helmignore
@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/godaddy-webhook/0.1.0/Chart.yaml b/charts/godaddy-webhook/0.1.0/Chart.yaml
new file mode 100644
index 0000000..8b52800
--- /dev/null
+++ b/charts/godaddy-webhook/0.1.0/Chart.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+appVersion: "0.1.1"
+description: A Helm chart for Kubernetes
+name: godaddy-webhook
+version: 0.1.0
diff --git a/charts/godaddy-webhook/0.1.0/templates/NOTES.txt b/charts/godaddy-webhook/0.1.0/templates/NOTES.txt
new file mode 100644
index 0000000..e69de29
diff --git a/charts/godaddy-webhook/0.1.0/templates/_helpers.tpl b/charts/godaddy-webhook/0.1.0/templates/_helpers.tpl
new file mode 100644
index 0000000..fe851b1
--- /dev/null
+++ b/charts/godaddy-webhook/0.1.0/templates/_helpers.tpl
@@ -0,0 +1,64 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "godaddy-webhook.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "godaddy-webhook.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "godaddy-webhook.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "godaddy-webhook.labels" -}}
+app.kubernetes.io/name: {{ include "godaddy-webhook.name" . }}
+helm.sh/chart: {{ include "godaddy-webhook.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{/*
+PKI
+*/}}
+{{- define "godaddy-webhook.selfSignedIssuer" -}}
+{{ printf "%s-selfsign" (include "godaddy-webhook.fullname" .) }}
+{{- end -}}
+
+{{- define "godaddy-webhook.rootCAIssuer" -}}
+{{ printf "%s-ca" (include "godaddy-webhook.fullname" .) }}
+{{- end -}}
+
+{{- define "godaddy-webhook.rootCACertificate" -}}
+{{ printf "%s-ca" (include "godaddy-webhook.fullname" . }}
+{{- end -}}
+
+{{- define "godaddy-webhook.servingCertificate" -}}
+{{ printf "%s-webhook-tls" (include "godaddy-webhook.fullname" .) }}
+{{- end -}}
diff --git a/charts/godaddy-webhook/0.1.0/templates/apiservice.yaml b/charts/godaddy-webhook/0.1.0/templates/apiservice.yaml
new file mode 100644
index 0000000..7fa426c
--- /dev/null
+++ b/charts/godaddy-webhook/0.1.0/templates/apiservice.yaml
@@ -0,0 +1,16 @@
+apiVersion: apiregistration.k8s.io/v1beta1
+kind: APIService
+metadata:
+ name: v1alpha1.{{ .Values.groupName }}
+ labels:
+{{ include "godaddy-webhook.labels" . | indent 4 }}
+ annotations:
+ cert-manager.io/inject-ca-from: "{{ .Release.Namespace }}/{{ include "godaddy-webhook.servingCertificate" . }}"
+spec:
+ group: {{ .Values.groupName }}
+ groupPriorityMinimum: 1000
+ versionPriority: 15
+ service:
+ name: {{ include "godaddy-webhook.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ version: v1alpha1
diff --git a/charts/godaddy-webhook/0.1.0/templates/deployment.yaml b/charts/godaddy-webhook/0.1.0/templates/deployment.yaml
new file mode 100644
index 0000000..b275df6
--- /dev/null
+++ b/charts/godaddy-webhook/0.1.0/templates/deployment.yaml
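Review bot: The four PKI helpers at the end of the hunk emit their value with bare `{{ printf ... }}` while every earlier helper uses the `{{- ... -}}` trim form; the output is the same only because the surrounding `-}}`/`{{-` markers swallow the newlines, and a later edit that drops one of them would put stray whitespace into a resource name. Use the same form throughout, e.g. `{{- printf "%s-selfsign" (include "godaddy-webhook.fullname" .) -}}`. `godaddy-webhook.rootCAIssuer` and `godaddy-webhook.rootCACertificate` both return `<fullname>-ca`; that works because they name different kinds, but a one-line comment above each saying which object (Issuer, CA Certificate and its Secret) it names would make the shared name deliberate rather than accidental. As shown here the `rootCACertificate` line is missing the `)` before `}}`; that is probably an artifact of how this page was captured, but verify the committed file renders.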
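Review bot: `apiVersion: apiregistration.k8s.io/v1beta1` on the first line of the hunk was removed in Kubernetes 1.22; `apiregistration.k8s.io/v1` has been served since 1.10 and accepts every field used here, so change it to `apiVersion: apiregistration.k8s.io/v1`. The same applies to each `rbac.authorization.k8s.io/v1beta1` object in rbac.yaml, where `rbac.authorization.k8s.io/v1` is the replacement. Leaving the beta versions means the chart installs on older clusters and fails outright on current ones, so a line in Chart.yaml's description or a NOTES.txt entry stating the supported Kubernetes range would help whichever choice is made.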
@@ -0,0 +1,69 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "godaddy-webhook.fullname" . }}
+ labels:
+{{ include "godaddy-webhook.labels" . | indent 4 }}
+spec:
+ replicas: {{ .Values.replicaCount }}
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: {{ include "godaddy-webhook.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: {{ include "godaddy-webhook.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ spec:
+ serviceAccountName: {{ include "godaddy-webhook.fullname" . }}
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ containers:
+ - name: {{ .Chart.Name }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ args:
+ - --tls-cert-file=/tls/tls.crt
+ - --tls-private-key-file=/tls/tls.key
+ env:
+ - name: GROUP_NAME
+ value: {{ .Values.groupName | quote }}
+ ports:
+ - name: https
+ containerPort: 443
+ protocol: TCP
+ livenessProbe:
+ httpGet:
+ scheme: HTTPS
+ path: /healthz
+ port: https
+ readinessProbe:
+ httpGet:
+ scheme: HTTPS
+ path: /healthz
+ port: https
+ volumeMounts:
+ - name: certs
+ mountPath: /tls
+ readOnly: true
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
+ volumes:
+ - name: certs
+ secret:
+ secretName: {{ include "godaddy-webhook.servingCertificate" . }}
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
diff --git a/charts/godaddy-webhook/0.1.0/templates/pki.yaml b/charts/godaddy-webhook/0.1.0/templates/pki.yaml
new file mode 100644
index 0000000..2a51be5
--- /dev/null
+++ b/charts/godaddy-webhook/0.1.0/templates/pki.yaml
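Review bot: The container spec (from `- name: {{ .Chart.Name }}` onward) sets no `securityContext`, so a process that holds the serving private key mounted at `/tls` and, via rbac.yaml, a cluster-wide `get secrets` grant runs with whatever the image defaults to, typically root with a writable root filesystem and the full default capability set. Add a restrictive context on the container as below; whether `runAsNonRoot` holds depends on the image, and binding `containerPort: 443` as non-root needs `NET_BIND_SERVICE` retained or a higher listen port, so confirm against the image before merging. It would also be reasonable to expose the block through a `securityContext` values key so operators can relax it without forking the chart.

```yaml
        imagePullPolicy: {{ .Values.image.pullPolicy }}
        securityContext:
          runAsNonRoot: true
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop:
              - ALL
        # … unchanged: args, env, ports, probes, volumeMounts, resources …
```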
@@ -0,0 +1,64 @@
+---
+# Create a selfsigned Issuer, in order to create a root CA certificate for
+# signing webhook serving certificates
+apiVersion: cert-manager.io/v1alpha2
+kind: Issuer
+metadata:
+ name: {{ include "godaddy-webhook.selfSignedIssuer" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+{{ include "godaddy-webhook.labels" . | indent 4 }}
+spec:
+ selfSigned: {}
+
+---
+
+# Generate a CA Certificate used to sign certificates for the webhook
+apiVersion: cert-manager.io/v1alpha2
+kind: Certificate
+metadata:
+ name: {{ include "godaddy-webhook.rootCACertificate" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+{{ include "godaddy-webhook.labels" . | indent 4 }}
+spec:
+ secretName: {{ include "godaddy-webhook.rootCACertificate" . }}
+ duration: 43800h # 5y
+ issuerRef:
+ name: {{ include "godaddy-webhook.selfSignedIssuer" . }}
+ commonName: "ca.godaddy-webhook.cert-manager"
+ isCA: true
+
+---
+
+# Create an Issuer that uses the above generated CA certificate to issue certs
+apiVersion: cert-manager.io/v1alpha2
+kind: Issuer
+metadata:
+ name: {{ include "godaddy-webhook.rootCAIssuer" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+{{ include "godaddy-webhook.labels" . | indent 4 }}
+spec:
+ ca:
+ secretName: {{ include "godaddy-webhook.rootCACertificate" . }}
+
+---
+
+# Finally, generate a serving certificate for the webhook to use
+apiVersion: cert-manager.io/v1alpha2
+kind: Certificate
+metadata:
+ name: {{ include "godaddy-webhook.servingCertificate" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+{{ include "godaddy-webhook.labels" . | indent 4 }}
+spec:
+ secretName: {{ include "godaddy-webhook.servingCertificate" . }}
+ duration: 8760h # 1y
+ issuerRef:
+ name: {{ include "godaddy-webhook.rootCAIssuer" . }}
+ dnsNames:
+ - {{ include "godaddy-webhook.fullname" . }}
+ - {{ include "godaddy-webhook.fullname" . }}.{{ .Release.Namespace }}
+ - {{ include "godaddy-webhook.fullname" . }}.{{ .Release.Namespace }}.svc
diff --git a/charts/godaddy-webhook/0.1.0/templates/rbac.yaml b/charts/godaddy-webhook/0.1.0/templates/rbac.yaml
new file mode 100644
index 0000000..b0c9c69
--- /dev/null
+++ b/charts/godaddy-webhook/0.1.0/templates/rbac.yaml
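Review bot: All four objects in this hunk use `cert-manager.io/v1alpha2`, which cert-manager deprecated with v1.0 and stopped serving in v1.6; `cert-manager.io/v1` accepts the fields used here (`selfSigned`, `ca.secretName`, `secretName`, `duration`, `issuerRef`, `commonName`, `isCA`, `dnsNames`), so the change is the `apiVersion` line on each object. The `namespace` values in this file are piped through `quote` while rbac.yaml and apiservice.yaml emit `{{ .Release.Namespace }}` bare; pick one form chart-wide. The CA is valid for five years and the serving certificate for one with no explicit `renewBefore`, which relies on cert-manager's default renewal window; a short comment next to each `duration` saying the default renewal behaviour is intended would stop the next reader from wondering whether rotation was forgotten.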
@@ -0,0 +1,105 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "godaddy-webhook.fullname" . }}
+ labels:
+{{ include "godaddy-webhook.labels" . | indent 4 }}
+---
+# Grant the webhook permission to read the ConfigMap containing the Kubernetes
+# apiserver's requestheader-ca-certificate.
+# This ConfigMap is automatically created by the Kubernetes apiserver.
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+ name: {{ include "godaddy-webhook.fullname" . }}:webhook-authentication-reader
+ namespace: kube-system
+ labels:
+{{ include "godaddy-webhook.labels" . | indent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: extension-apiserver-authentication-reader
+subjects:
+ - apiGroup: ""
+ kind: ServiceAccount
+ name: {{ include "godaddy-webhook.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+---
+# apiserver gets the auth-delegator role to delegate auth decisions to
+# the core apiserver
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "godaddy-webhook.fullname" . }}:auth-delegator
+ labels:
+{{ include "godaddy-webhook.labels" . | indent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:auth-delegator
+subjects:
+ - apiGroup: ""
+ kind: ServiceAccount
+ name: {{ include "godaddy-webhook.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+---
+# Grant cert-manager permission to validate using our apiserver
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: {{ include "godaddy-webhook.fullname" . }}:domain-solver
+ labels:
+{{ include "godaddy-webhook.labels" . | indent 4 }}
+rules:
+ - apiGroups:
+ - {{ .Values.groupName }}
+ resources:
+ - '*'
+ verbs:
+ - 'create'
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "godaddy-webhook.fullname" . }}:domain-solver
+ labels:
+{{ include "godaddy-webhook.labels" . | indent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ include "godaddy-webhook.fullname" . }}:domain-solver
+subjects:
+ - apiGroup: ""
+ kind: ServiceAccount
+ name: {{ .Values.certManager.serviceAccountName }}
+ namespace: {{ .Values.certManager.namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "godaddy-webhook.fullname" . }}
+ labels:
+{{ include "godaddy-webhook.labels" . | indent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ include "godaddy-webhook.fullname" . }}
+subjects:
+ - apiGroup: ""
+ kind: ServiceAccount
+ name: {{ include "godaddy-webhook.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: {{ include "godaddy-webhook.fullname" . }}
+ labels:
+{{ include "godaddy-webhook.labels" . | indent 4 }}
+rules:
+ - apiGroups:
+ - ''
+ resources:
+ - 'secrets'
+ verbs:
+ - 'get'
\ No newline at end of file
diff --git a/charts/godaddy-webhook/0.1.0/templates/service.yaml b/charts/godaddy-webhook/0.1.0/templates/service.yaml
new file mode 100644
index 0000000..5c376b8
--- /dev/null
+++ b/charts/godaddy-webhook/0.1.0/templates/service.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "godaddy-webhook.fullname" . }}
+ labels:
+{{ include "godaddy-webhook.labels" . | indent 4 }}
+spec:
+ type: {{ .Values.service.type }}
+ ports:
+ - port: {{ .Values.service.port }}
+ targetPort: https
+ protocol: TCP
+ name: https
+ selector:
+ app.kubernetes.io/name: {{ include "godaddy-webhook.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
diff --git a/charts/godaddy-webhook/0.1.0/values.yaml b/charts/godaddy-webhook/0.1.0/values.yaml
new file mode 100644
index 0000000..31ac70a
--- /dev/null
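Review bot: The last ClusterRole in the hunk (the `rules` block ending in `- 'get'`) grants `get` on `secrets` in every namespace, so the webhook's ServiceAccount can read any Secret in the cluster, including other components' TLS keys and tokens, while the only Secret it plausibly needs is the GoDaddy API key. If that key only ever lives in `.Values.certManager.namespace` (the ClusterIssuer case), a namespaced `Role` and `RoleBinding` there is sufficient; if per-namespace `Issuer`s must be supported, keep the ClusterRole but add a comment above it saying so, since the grant is otherwise indistinguishable from an oversight, e.g. `# Cluster-wide because the API-key Secret is read from the namespace of the Issuer that references this solver.` The file also ends without a trailing newline (`\ No newline at end of file`).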
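Review bot: `type: {{ .Values.service.type }}` lets a values override expose the webhook as `NodePort` or `LoadBalancer`, yet its only intended caller is the kube-apiserver through the APIService, which reaches the Service in-cluster; a comment on the values key such as `# Leave as ClusterIP: the APIService reaches the webhook in-cluster` would make accidental exposure less likely. The `selector` block repeats the two label lines that deployment.yaml's `matchLabels` and pod template also carry; a `godaddy-webhook.selectorLabels` helper in _helpers.tpl would keep the three copies in step.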
+++ b/charts/godaddy-webhook/0.1.0/values.yaml
@@ -0,0 +1,32 @@
+# Default values for godaddy-webhook.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+replicaCount: 1
+
+image:
+ repository: quay.io/snowdrop/cert-manager-webhook-godaddy
+ tag: latest
+ pullPolicy: IfNotPresent
+
+groupName: acme.mycompany.com
+
+certManager:
+ namespace: cert-manager
+ serviceAccountName: cert-manager
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+service:
+ type: ClusterIP
+ port: 443
+
+resources: {}
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
diff --git a/charts/godaddy-webhook/sync.sh b/charts/godaddy-webhook/sync.sh
new file mode 100755
index 0000000..c27dbb5
--- /dev/null
+++ b/charts/godaddy-webhook/sync.sh
@@ -0,0 +1,33 @@
+#!/bin/sh
+
+_old_pwd=$(pwd)
+_tmpdir="/tmp/fetch_subrepo_$$"
+
+die () {
+ echo $1; exit 1
+}
+version_greater_equal() {
+ printf '%s\n%s\n' "$2" "$1" | sort -V -C
+}
+command -v yq 2>&1 >/dev/null || die ">> missing yq"
+#version_greater_equal "$( git --version | awk '{print $3}')" 2.25 || die ">> require git version 2.25 or above"
+
+
+version=$(curl https://raw.githubusercontent.com/snowdrop/godaddy-webhook/master/deploy/godaddy-webhook/Chart.yaml 2>/dev/null| yq e '.version' - )
+base_repo=https://github.com/snowdrop/godaddy-webhook
+sub_dir=deploy/godaddy-webhook
+branch=master
+
+test -d $version && die "version $version exist.."
+test ! -d $version \
+ && mkdir $_tmpdir \
+ && cd $_tmpdir \
+ && git init \
+ && git config core.sparseCheckout true \
+ && git remote add origin $base_repo \
+ && echo "$sub_dir" > .git/info/sparse-checkout \
+ && git pull --depth=1 origin $branch \
+ && mv -v "${_tmpdir}/${sub_dir}" "$_old_pwd/$version" \
+ && rm -rf ${_tmpdir} \
+ && cd $_old_pwd
+
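Review bot: `tag: latest` combined with `pullPolicy: IfNotPresent` means each node keeps running whatever `latest` it cached first, so a rollout is neither reproducible nor verifiable against a known image; pin the tag to the release Chart.yaml already records as `appVersion: "0.1.1"`, e.g. `tag: "0.1.1"`, or let deployment.yaml fall back with `image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"`. `groupName: acme.mycompany.com` is a placeholder that both the APIService name and the domain-solver ClusterRole are derived from; a comment such as `# Must be unique per cluster and match the issuer's webhook solver groupName` above it would save a debugging round for the first installer. The `certManager` keys are only used by the domain-solver ClusterRoleBinding, which is worth stating next to them since a wrong namespace or ServiceAccount name fails silently at challenge time rather than at install.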
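Review bot: `version=$(curl ... 2>/dev/null| yq e '.version' - )` runs curl without `-f`, there is no `set -e`, and the pipeline's status is yq's rather than curl's, so a failed or HTML-error download leaves `version` empty; `test -d $version` then runs with no operand (which is true) and the script dies with the misleading `version  exist..`, and had it got past that, `mv ... "$_old_pwd/$version"` would target the chart directory itself. Use `curl -fsSL` and check the result before using it: `test -n "$version" || die ">> could not read upstream chart version"`. The checkout pulls `master` HEAD rather than a ref tied to `$version`, so the tree stored under the version directory is not guaranteed to be the tree that version was cut from; a comment stating that, or a tag checkout if upstream tags releases, would make the provenance of each synced chart clear. Minor: `echo $1` in `die` should be `echo "$1"`, and the commented-out git version check is dead code that can go.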