Installer: introduce namespacePrefix, fix certificates, split matrix installation using pre-install hook
diff --git a/charts/certificate-issuer/templates/gandi-webhook-secret-reader.yaml b/charts/certificate-issuer/templates/gandi-webhook-secret-reader.yaml
index b3d1491..88cf405 100644
--- a/charts/certificate-issuer/templates/gandi-webhook-secret-reader.yaml
+++ b/charts/certificate-issuer/templates/gandi-webhook-secret-reader.yaml
@@ -1,7 +1,7 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
- name: cert-manager-gandi-webhook-secret-reader
+ name: {{ .Release.Namespace }}-cert-manager-gandi-webhook-secret-reader # TODO(giolekva): make namespace part configurable
namespace: {{ .Release.Namespace }}
rules:
- apiGroups:
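Review bot: The rename on line 11 makes the ClusterRole name unique per release namespace, but the `namespace: {{ .Release.Namespace }}` field right under it is not meaningful on a cluster-scoped kind, and the same holds for the ClusterRoleBinding in the next hunk; dropping the field would stop the manifest from implying the role is namespaced. The `# TODO` on the name line is emitted into the rendered manifest as a YAML comment, which is harmless but would be cleaner as a `{{/* TODO(giolekva): ... */}}` template comment. If the namespace part is to become configurable as the TODO says, the `namespacePrefix` value this commit introduces in the namespaces chart looks like the natural candidate, so the two charts stay aligned.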
@@ -14,12 +14,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
- name: cert-manager-gandi-webhook-secret-reader
+ name: {{ .Release.Namespace }}-cert-manager-gandi-webhook-secret-reader
namespace: {{ .Release.Namespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
- name: cert-manager-gandi-webhook-secret-reader
+ name: {{ .Release.Namespace }}-cert-manager-gandi-webhook-secret-reader
subjects:
- kind: ServiceAccount
name: {{ .Values.certManager.gandiWebhookSecretReader }}
diff --git a/charts/certificate-issuer/templates/wildcard-certificate-private.yaml b/charts/certificate-issuer/templates/wildcard-certificate-private.yaml
index 408b76c..0300ce8 100644
--- a/charts/certificate-issuer/templates/wildcard-certificate-private.yaml
+++ b/charts/certificate-issuer/templates/wildcard-certificate-private.yaml
@@ -12,4 +12,4 @@
secretName: cert-wildcard.{{ .Values.private.domain }}
secretTemplate:
annotations:
- kubed.appscode.com/sync: "pcloud-instance-id={{ .Values.pcloudInstanceId }}"
+ kubed.appscode.com/sync: pcloud-instance-id={{ .Values.pcloudInstanceId }}
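Review bot: Dropping the quotes on line 39 leaves the annotation as a plain scalar, so a `pcloudInstanceId` containing ` #`, `: ` or a leading YAML indicator would break the rendered manifest, and the sibling template www-certificate-public.yaml keeps the quoted form in this same commit. Keep the string quoted: `kubed.appscode.com/sync: "pcloud-instance-id={{ .Values.pcloudInstanceId }}"`. If the quotes were removed because the value itself may contain quotes, `{{ printf "pcloud-instance-id=%s" .Values.pcloudInstanceId | quote }}` escapes it safely.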
diff --git a/charts/certificate-issuer/templates/www-certificate-public.yaml b/charts/certificate-issuer/templates/www-certificate-public.yaml
index d6b4dc6..cb0c7ff 100644
--- a/charts/certificate-issuer/templates/www-certificate-public.yaml
+++ b/charts/certificate-issuer/templates/www-certificate-public.yaml
@@ -10,7 +10,7 @@
issuerRef:
name: {{ .Values.public.name }}
kind: ClusterIssuer
- secretName: cert-www.{{ .Values.private.domain }}
+ secretName: cert-www.{{ .Values.public.domain }}
secretTemplate:
annotations:
kubed.appscode.com/sync: "pcloud-instance-id={{ .Values.pcloudInstanceId }}"
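Review bot: The secretName on line 49 now follows `.Values.public.domain`, but the Certificate's `dnsNames` (and `commonName`, if set) sit above this hunk and should be confirmed to use the same value; if they still reference `.Values.private.domain` the issued certificate and its secret name disagree. The annotation on line 52 keeps the quoted form, which is the one the private-certificate template should keep as well.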
diff --git a/charts/matrix/Chart.yaml b/charts/matrix/Chart.yaml
index 40204e5..51cb744 100644
--- a/charts/matrix/Chart.yaml
+++ b/charts/matrix/Chart.yaml
@@ -1,24 +1,6 @@
apiVersion: v2
name: matrix
-description: A Helm chart for Kubernetes
-
-# A chart can be either an 'application' or a 'library' chart.
-#
-# Application charts are a collection of templates that can be packaged into versioned archives
-# to be deployed.
-#
-# Library charts provide useful utilities or functions for the chart developer. They're included as
-# a dependency of application charts to inject those utilities and functions into the rendering
-# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+description: A Helm chart for Matrix on PCloud
type: application
-
-# This is the chart version. This version number should be incremented each time you make changes
-# to the chart and its templates, including the app version.
-# Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.0
-
-# This is the version number of the application being deployed. This version number should be
-# incremented each time you make changes to the application. Versions are not expected to
-# follow Semantic Versioning. They should reflect the version the application is using.
-# It is recommended to use it with quotes.
-appVersion: "1.16.0"
+version: 0.0.1
+appVersion: "0.0.1"
diff --git a/charts/matrix/templates/config-to-merge.yaml b/charts/matrix/templates/config-to-merge.yaml
index ba18144..f74f0c0 100644
--- a/charts/matrix/templates/config-to-merge.yaml
+++ b/charts/matrix/templates/config-to-merge.yaml
@@ -6,6 +6,9 @@
metadata:
name: {{ .Values.oauth2.secretName }}
namespace: {{ .Release.Namespace }}
+ annotations:
+ helm.sh/hook: pre-install
+ helm.sh/hook-weight: "-10"
data:
client_id: {{ .Values.oauth2.clientId | b64enc }}
client_secret: {{ $secret | b64enc }}
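Review bot: Marking the Secret on lines 93–95 as a `pre-install` hook takes it out of the release's managed resources: Helm will not update it on `helm upgrade` (a pre-install hook only fires on install) and will not delete it on `helm uninstall`, so a changed `oauth2.clientId` or `$secret` never reaches the cluster after the first install and the credential outlives the release. The same applies to the ConfigMap in the next hunk and to the Role, RoleBinding, generate-config Job and `data` PVC hooks in matrix.yaml. If the intent is only to have these objects exist before the generate-config Job runs, `helm.sh/hook: pre-install,pre-upgrade` keeps them refreshed on upgrade, and a template comment next to the annotation stating that hook resources are not removed by uninstall would save the next maintainer a surprise. `$secret` is defined above the hunk.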
@@ -15,6 +18,9 @@
metadata:
name: {{ .Values.configMerge.configName }}
namespace: {{ .Release.Namespace }}
+ annotations:
+ helm.sh/hook: pre-install
+ helm.sh/hook-weight: "-10"
data:
{{ .Values.configMerge.fileName }}: |
public_baseurl: https://matrix.{{ .Values.domain }}/
diff --git a/charts/matrix/templates/matrix.yaml b/charts/matrix/templates/matrix.yaml
index d9bd47f..e03223f 100644
--- a/charts/matrix/templates/matrix.yaml
+++ b/charts/matrix/templates/matrix.yaml
@@ -4,6 +4,9 @@
metadata:
name: CreateConfigMaps
namespace: {{ .Release.Namespace }}
+ annotations:
+ helm.sh/hook: pre-install
+ helm.sh/hook-weight: "-10"
rules:
- apiGroups:
- ""
@@ -18,6 +21,9 @@
metadata:
name: default-CreateConfigMaps
namespace: {{ .Release.Namespace }}
+ annotations:
+ helm.sh/hook: pre-install
+ helm.sh/hook-weight: "-10"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
@@ -42,21 +48,32 @@
targetPort: http
protocol: TCP
---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: matrix.{{ .Values.domain }}
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ helm.sh/resource-policy: keep
+spec:
+ dnsNames:
+ - 'matrix.{{ .Values.domain }}'
+ issuerRef:
+ name: {{ .Values.certificateIssuer }}
+ kind: ClusterIssuer
+ secretName: cert-matrix.{{ .Values.domain }}
+---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress
namespace: {{ .Release.Namespace }}
- annotations:
- cert-manager.io/cluster-issuer: {{ .Values.certificateIssuer }}
- acme.cert-manager.io/http01-edit-in-place: "true"
spec:
ingressClassName: {{ .Values.ingressClassName }}
tls:
- hosts:
- matrix.{{ .Values.domain }}
secretName: cert-matrix.{{ .Values.domain }}
- # secretName: cert-wildcard.{{ .Values.domain }}
rules:
- host: matrix.{{ .Values.domain }}
http:
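Review bot: The `dnsNames` entry on line 146 is single-quoted while `name` on line 140 and `secretName` on line 150 render the same expression unquoted; the quoted form is the safe one, so the other two should follow it (`name: 'matrix.{{ .Values.domain }}'`, `secretName: 'cert-matrix.{{ .Values.domain }}'`). `helm.sh/resource-policy: keep` on line 143 means the Certificate, and with it the TLS secret, survive `helm uninstall`; that is presumably intended to avoid re-issuance against ACME rate limits, and a one-line template comment saying so would make it explicit. With the cert-manager annotations removed from the Ingress, the Certificate on lines 137–150 is now the only thing provisioning `cert-matrix.{{ .Values.domain }}`, so its `secretName` must keep matching line 165.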
@@ -74,6 +91,9 @@
metadata:
name: generate-config
namespace: {{ .Release.Namespace }}
+ annotations:
+ helm.sh/hook: pre-install
+ helm.sh/hook-weight: "-5"
spec:
template:
metadata:
@@ -179,6 +199,9 @@
metadata:
name: data
namespace: {{ .Release.Namespace }}
+ annotations:
+ helm.sh/hook: pre-install
+ helm.sh/hook-weight: "-10"
spec:
accessModes:
- ReadWriteOnce
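Review bot: Turning the `data` PVC on lines 184–186 into a pre-install hook is risky for a volume that holds state: as far as I recall, Helm's default hook-delete-policy is `before-hook-creation`, which deletes an existing hook resource of the same name before re-running the hook, so reinstalling under the same release name (or adding `pre-upgrade` later) could drop the claim and the Matrix data behind it. If the PVC must exist before the generate-config Job, the alternatives are to have that Job create the claim itself or to keep the PVC as a regular resource with `helm.sh/resource-policy: keep` and move only the config generation into the hook. At minimum, confirm with a second `helm install` against the same release name that the claim survives, and record the outcome in a template comment next to the annotation.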
diff --git a/charts/matrix/templates/well-known.yaml b/charts/matrix/templates/well-known.yaml
index 218e335..cd235cd 100644
--- a/charts/matrix/templates/well-known.yaml
+++ b/charts/matrix/templates/well-known.yaml
@@ -19,9 +19,6 @@
metadata:
name: well-known
namespace: {{ .Release.Namespace }}
- # annotations:
- # cert-manager.io/cluster-issuer: "{{ .Values.certificateIssuer }}"
- # acme.cert-manager.io/http01-edit-in-place: "true"
spec:
ingressClassName: {{ .Values.ingressClassName }}
tls:
diff --git a/charts/namespaces/templates/namespace.yaml b/charts/namespaces/templates/namespace.yaml
index 5ce22a0..af19d22 100644
--- a/charts/namespaces/templates/namespace.yaml
+++ b/charts/namespaces/templates/namespace.yaml
@@ -1,9 +1,10 @@
+{{ $prefix := .Values.namespacePrefix }}
{{ $id := .Values.pcloudInstanceId }}
{{ range .Values.namespaces }}
apiVersion: v1
kind: Namespace
metadata:
- name: {{ $id }}-{{ . }}
+ name: {{ $prefix }}{{ . }}
labels:
pcloud-instance-id: {{ $id }}
---
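Review bot: `$prefix` on line 209 is used unguarded on line 216, so an unset or empty `namespacePrefix` silently produces unprefixed namespaces, and nothing enforces that the value is a valid DNS-label prefix (lowercase letters, digits, hyphens). A default that reproduces the previous naming keeps older values files working: `{{ $prefix := .Values.namespacePrefix | default (printf "%s-" .Values.pcloudInstanceId) }}`. Note also that the label on line 218 still uses `$id`, so with a custom prefix the namespace name and the `pcloud-instance-id` label no longer share a token; that is fine, but a comment above line 209 stating that the prefix and the instance id are independent would make it deliberate.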
diff --git a/charts/namespaces/values.yaml b/charts/namespaces/values.yaml
index d17d865..9cb3886 100644
--- a/charts/namespaces/values.yaml
+++ b/charts/namespaces/values.yaml
@@ -1,4 +1,5 @@
pcloudInstanceId: example
+namespacePrefix: example-
namespaces:
- foo
- bar
diff --git a/charts/pihole/templates/oauth2-client.yaml b/charts/pihole/templates/oauth2-client.yaml
index 3ad56b2..a0b1b11 100644
--- a/charts/pihole/templates/oauth2-client.yaml
+++ b/charts/pihole/templates/oauth2-client.yaml
@@ -11,7 +11,7 @@
scope: "openid email profile"
secretName: {{ .Values.oauth2.secretName }}
redirectUris:
- - https://pihole.p.{{ .Values.domain }}/oauth2/callback
+ - https://{{ .Values.domain }}/oauth2/callback
hydraAdmin:
url: {{ .Values.oauth2.hydraAdmin }}
port: 80
diff --git a/charts/pihole/templates/oauth2-proxy-config.yaml b/charts/pihole/templates/oauth2-proxy-config.yaml
index 69a6448..04c6400 100644
--- a/charts/pihole/templates/oauth2-proxy-config.yaml
+++ b/charts/pihole/templates/oauth2-proxy-config.yaml
@@ -38,7 +38,7 @@
cookie_name = "_oauth2_proxy_pihole"
cookie_secret = "{{ .Values.oauth2.cookieSecret }}"
- cookie_domains = "pihole.p.{{ .Values.domain }}"
+ cookie_domains = "{{ .Values.domain }}"
cookie_expire = "168h"
cookie_refresh = "100h"
cookie_secure = true
diff --git a/charts/pihole/templates/oauth2-proxy.yaml b/charts/pihole/templates/oauth2-proxy.yaml
index b78490d..ddf0e2f 100644
--- a/charts/pihole/templates/oauth2-proxy.yaml
+++ b/charts/pihole/templates/oauth2-proxy.yaml
@@ -19,17 +19,13 @@
metadata:
name: ingress
namespace: {{ .Release.Namespace }}
- # annotations:
- # cert-manager.io/cluster-issuer: "{{ .Values.certificateIssuer }}"
- # acme.cert-manager.io/http01-edit-in-place: "true"
spec:
ingressClassName: {{ .Values.ingressClassName }}
tls:
- hosts:
- - pihole.p.{{ .Values.domain }}
- # secretName: cert-pihole.{{ .Values.domain }}
+ - {{ .Values.domain }}
rules:
- - host: pihole.p.{{ .Values.domain }}
+ - host: {{ .Values.domain }}
http:
paths:
- path: /
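Review bot: After this hunk the pihole Ingress `tls` entry on lines 269–272 names a host but no `secretName`, so the ingress controller serves its default certificate for `{{ .Values.domain }}`; the vaultwarden Ingress in charts/vaultwarden/templates/install.yaml ends up the same way in this commit. Presumably the private ingress class is backed by the wildcard certificate from the certificate-issuer chart, but that reliance is invisible here, and unlike the matrix chart no Certificate resource is created. Either add `secretName: cert-wildcard.<base domain>` (the name the private wildcard Certificate uses) or a template comment stating that the default certificate of the private ingress class is intended.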
diff --git a/charts/pihole/values.yaml b/charts/pihole/values.yaml
index a7ced0b..65d1de4 100644
--- a/charts/pihole/values.yaml
+++ b/charts/pihole/values.yaml
@@ -5,10 +5,9 @@
cookieSecret: ""
secretName: oauth2-secret
configName: oauth2-proxy
-domain: example.com
+domain: pihole.p.example.com
hydraPublic: https://hydra.example.com
profileUrl: https://profile.example.com
-certificateIssuer: public
-ingressClassName: public
+ingressClassName: private
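Review bot: Changing `domain` on line 288 from the base domain to the full host `pihole.p.example.com` silently changes the meaning of an existing values key, so any override file that still supplies `domain: example.com` now yields a redirect URI, cookie domain and Ingress host of the bare apex domain. Either rename the key (for example `host`) or add a comment above it, `# full host name of the pihole UI, e.g. pihole.p.example.com`, so the break is visible. Removing `certificateIssuer` is consistent with the Ingress no longer referencing it, assuming no other template in the chart still reads `.Values.certificateIssuer`; a leftover reference would render empty rather than fail.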
diff --git a/charts/vaultwarden/templates/install.yaml b/charts/vaultwarden/templates/install.yaml
index 3b250bd..3305d6a 100644
--- a/charts/vaultwarden/templates/install.yaml
+++ b/charts/vaultwarden/templates/install.yaml
@@ -68,15 +68,11 @@
metadata:
name: ingress
namespace: {{ .Release.Namespace }}
- # annotations:
- # cert-manager.io/cluster-issuer: "{{ .Values.certificateIssuer }}"
- # acme.cert-manager.io/http01-edit-in-place: "true"
spec:
ingressClassName: {{ .Values.ingressClassName }}
tls:
- hosts:
- {{ .Values.domain }}
- # secretName: cert-{{ .Values.domain }}
rules:
- host: {{ .Values.domain }}
http: