installer: welcome
diff --git a/charts/certificate-issuer-private/Chart.yaml b/charts/certificate-issuer-private/Chart.yaml
new file mode 100644
index 0000000..0d06818
--- /dev/null
+++ b/charts/certificate-issuer-private/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v2
+name: certificate-issuer
+description: A Helm chart for PCloud public and private certificate issuer
+type: application
+version: 0.0.1
+appVersion: "0.0.1"
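Review bot: The chart `name` on the `name:` line is `certificate-issuer` while the chart directory is `certificate-issuer-private`, and the description says "public and private" issuer. If a sibling public chart exists with the same `name`, the two collide when pushed to the same chart repository or OCI registry, since the name, not the directory, identifies the chart; `name: certificate-issuer-private` would match the path. The description could likewise say which variant this is, e.g. `description: A Helm chart for the PCloud private-domain ACME certificate issuer (Gandi DNS-01)`.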
diff --git a/charts/certificate-issuer-private/templates/certificate-wildcard.yaml b/charts/certificate-issuer-private/templates/certificate-wildcard.yaml
new file mode 100644
index 0000000..b478cc3
--- /dev/null
+++ b/charts/certificate-issuer-private/templates/certificate-wildcard.yaml
@@ -0,0 +1,14 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: wildcard-{{ .Values.issuer.domain }}
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    helm.sh/resource-policy: keep
+spec:
+  dnsNames:
+  - '*.{{ .Values.issuer.domain }}'
+  issuerRef:
+    name: {{ .Values.issuer.name }}
+    kind: Issuer
+  secretName: cert-wildcard.{{ .Values.issuer.domain }}
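Review bot: The templated scalars in this resource are unquoted (`name: wildcard-{{ .Values.issuer.domain }}`, `name: {{ .Values.issuer.name }}`, `secretName: cert-wildcard.{{ .Values.issuer.domain }}`), so an empty or unusual value renders as `null` or a flow token and fails at apply time rather than at template time; quote them, e.g. `name: {{ printf "wildcard-%s" .Values.issuer.domain | quote }}` and `name: {{ .Values.issuer.name | quote }}`. Note also that `dnsNames` lists only `*.{{ .Values.issuer.domain }}`; a wildcard does not cover the apex, so if the bare domain is meant to be served by this certificate it needs its own `- '{{ .Values.issuer.domain }}'` entry. The resulting Secret holds the private key for every host under the domain, so any workload in `.Release.Namespace` that can read Secrets effectively holds the key; a comment recording that assumption next to `secretName` would help reviewers of the namespace's RBAC.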
diff --git a/charts/certificate-issuer-private/templates/gandi-credentials.yaml b/charts/certificate-issuer-private/templates/gandi-credentials.yaml
new file mode 100644
index 0000000..65c7076
--- /dev/null
+++ b/charts/certificate-issuer-private/templates/gandi-credentials.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  name: gandi-credentials
+  namespace: {{ .Release.Namespace }}
+data:
+  api-token: {{ .Values.issuer.gandiAPIToken | b64enc }}
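Review bot: The `api-token` line renders whatever `.Values.issuer.gandiAPIToken` holds, and the chart's values.yaml defaults it to the placeholder `token`, so a default install silently creates a Secret with a bogus credential and the failure only surfaces later as DNS-01 challenge errors; use `api-token: {{ required "issuer.gandiAPIToken must be set" .Values.issuer.gandiAPIToken | toString | b64enc }}` so templating fails fast (the `toString` also guards `--set` turning a digits-only token into an int64, which `b64enc` rejects). Passing the token as a Helm value also stores it in plain form in the release's `sh.helm.release.v1.*` Secret and in `helm get values` output; consider an `issuer.existingSecret` value that skips rendering this Secret when the operator manages it out of band.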
diff --git a/charts/certificate-issuer-private/templates/gandi-webhook-secret-reader.yaml b/charts/certificate-issuer-private/templates/gandi-webhook-secret-reader.yaml
new file mode 100644
index 0000000..88cf405
--- /dev/null
+++ b/charts/certificate-issuer-private/templates/gandi-webhook-secret-reader.yaml
@@ -0,0 +1,26 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ .Release.Namespace }}-cert-manager-gandi-webhook-secret-reader  # TODO(giolekva): make namespace part configurable
+  namespace: {{ .Release.Namespace }}
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ .Release.Namespace }}-cert-manager-gandi-webhook-secret-reader
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Release.Namespace }}-cert-manager-gandi-webhook-secret-reader
+subjects:
+- kind: ServiceAccount
+  name: {{ .Values.certManager.gandiWebhookSecretReader }}
+  namespace: {{ .Values.certManager.namespace }}
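Review bot: The ClusterRole grants `get` on `secrets` with no `resourceNames` and the ClusterRoleBinding binds it cluster-wide, so the Gandi webhook service account can read every Secret in the cluster, including the wildcard private key this chart issues and anything belonging to other tenants; a namespaced Role in `.Release.Namespace` scoped to `resourceNames: [gandi-credentials]` plus a RoleBinding to the same subject is sufficient, assuming the webhook resolves `apiKeySecretRef` from the Issuer's namespace (which is this release's namespace). Scoping to the namespace also removes the need for the `{{ .Release.Namespace }}-` name prefix and the TODO on the `name:` line, and drops the `namespace:` field under the ClusterRole/ClusterRoleBinding metadata, which is ignored on cluster-scoped objects.
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cert-manager-gandi-webhook-secret-reader
  namespace: {{ .Release.Namespace }}
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  resourceNames:
  - gandi-credentials
  verbs:
  - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cert-manager-gandi-webhook-secret-reader
  namespace: {{ .Release.Namespace }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cert-manager-gandi-webhook-secret-reader
# … unchanged: subjects (ServiceAccount from .Values.certManager) …
```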
diff --git a/charts/certificate-issuer-private/templates/issuer.yaml b/charts/certificate-issuer-private/templates/issuer.yaml
new file mode 100644
index 0000000..afc1ea4
--- /dev/null
+++ b/charts/certificate-issuer-private/templates/issuer.yaml
@@ -0,0 +1,20 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ .Values.issuer.name }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  acme:
+    server: {{ .Values.issuer.server }}
+    email: {{ .Values.issuer.contactEmail }}
+    privateKeySecretRef:
+      name: issuer-{{ .Values.issuer.name }}-account-key
+    solvers:
+    - dns01:
+        webhook:
+          groupName: acme.bwolf.me
+          solverName: gandi
+          config:
+            apiKeySecretRef:
+              key: api-token
+              name: gandi-credentials
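Review bot: The `groupName: acme.bwolf.me` and `solverName: gandi` lines are hard-coded while the webhook's service account and namespace are taken from `.Values.certManager`; the group name must match whatever `--group-name` the deployed webhook registers under, so it belongs beside those values, e.g. `groupName: {{ .Values.certManager.gandiWebhookGroupName | default "acme.bwolf.me" | quote }}`. The templated scalars `name`, `server` and `email` are also unquoted; `{{ .Values.issuer.server | quote }}` and `{{ .Values.issuer.contactEmail | quote }}` avoid a `null` rendering when a value is unset. A short comment above `solvers` noting that `apiKeySecretRef` is resolved in the Issuer's own namespace would document why `gandi-credentials` is created in `.Release.Namespace`.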
diff --git a/charts/certificate-issuer-private/values.yaml b/charts/certificate-issuer-private/values.yaml
new file mode 100644
index 0000000..4d6234f
--- /dev/null
+++ b/charts/certificate-issuer-private/values.yaml
@@ -0,0 +1,10 @@
+certManager:
+  namespace: cert-manager
+  gandiWebhookSecretReader: cert-manager-webhook-gandi
+issuer:
+  name: selfsigned-private
+  server: https://acme-v02.api.letsencrypt.org/directory
+  contactEmail: admin@example.com
+  gandiAPIToken: token
+  domain: p.example.com
+
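Review bot: The default `server` on the `issuer.server` line is the Let's Encrypt production directory, combined with a placeholder `gandiAPIToken: token`, `contactEmail: admin@example.com` and `domain: p.example.com`; an unmodified install therefore registers a real ACME account and burns production failed-validation quota while DNS-01 fails on the bogus token. If these are meant as examples rather than working defaults, point `server` at `https://acme-staging-v02.api.letsencrypt.org/directory` and leave `gandiAPIToken: ""` so the template's `required` check (or a missing value) fails before anything is created. The default `name: selfsigned-private` is also misleading for an ACME issuer; something like `name: acme-private` would read correctly in the rendered Issuer and account-key Secret names.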