bootstrapper: tie up all dns related services
diff --git a/charts/cert-manager-webhook-pcloud/templates/_helpers.tpl b/charts/cert-manager-webhook-pcloud/templates/_helpers.tpl
index 5a1689f..1332d17 100644
--- a/charts/cert-manager-webhook-pcloud/templates/_helpers.tpl
+++ b/charts/cert-manager-webhook-pcloud/templates/_helpers.tpl
@@ -45,4 +45,4 @@
 
 {{- define "cert-manager-webhook-pcloud.servingCertificate" -}}
 {{ printf "%s-webhook-tls" (include "cert-manager-webhook-pcloud.fullname" .) }}
-{{- end -}}
\ No newline at end of file
+{{- end -}}
diff --git a/charts/cert-manager-webhook-pcloud/templates/apiservice.yaml b/charts/cert-manager-webhook-pcloud/templates/apiservice.yaml
index faba034..e54fd33 100644
--- a/charts/cert-manager-webhook-pcloud/templates/apiservice.yaml
+++ b/charts/cert-manager-webhook-pcloud/templates/apiservice.yaml
@@ -1,7 +1,7 @@
 apiVersion: apiregistration.k8s.io/v1
 kind: APIService
 metadata:
-  name: v1alpha1.{{ .Values.groupName }}
+  name: v1alpha1.{{ .Values.apiGroupName }}
   labels:
     app: {{ include "cert-manager-webhook-pcloud.name" . }}
     chart: {{ include "cert-manager-webhook-pcloud.chart" . }}
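Review bot: `.Values.apiGroupName` now defaults to `""` in values.yaml, so an install that does not set it renders `name: v1alpha1.` here, and the mistake only surfaces when the API server rejects or mis-registers the object. Fail at render time instead with `name: v1alpha1.{{ required "apiGroupName must be set" .Values.apiGroupName }}`. The same guard is needed for `group:` in the next hunk of this file and for `cert-manager-{{ .Values.resolverName }}` in role.yaml, where an empty value yields the name `cert-manager-`.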
@@ -10,10 +10,10 @@
   annotations:
     cert-manager.io/inject-ca-from: "{{ .Values.certManager.namespace }}/{{ include "cert-manager-webhook-pcloud.servingCertificate" . }}"
 spec:
-  group: {{ .Values.groupName }}
+  group: {{ .Values.apiGroupName }}
   groupPriorityMinimum: 1000
   versionPriority: 15
   service:
     name: {{ include "cert-manager-webhook-pcloud.fullname" . }}
     namespace: {{ .Values.certManager.namespace | quote }}
-  version: v1alpha1
\ No newline at end of file
+  version: v1alpha1
diff --git a/charts/cert-manager-webhook-pcloud/templates/deployment.yaml b/charts/cert-manager-webhook-pcloud/templates/deployment.yaml
index 6c39bc5..a9bf3c3 100644
--- a/charts/cert-manager-webhook-pcloud/templates/deployment.yaml
+++ b/charts/cert-manager-webhook-pcloud/templates/deployment.yaml
@@ -33,8 +33,10 @@
             - --v={{ .Values.logLevel }}
 {{- end }}
           env:
-            - name: GROUP_NAME
-              value: {{ .Values.groupName | quote }}
+            - name: API_GROUP_NAME
+              value: {{ .Values.apiGroupName | quote }}
+            - name: RESOLVER_NAME
+              value: {{ .Values.resolverName | quote }}
           ports:
             - name: https
               containerPort: 443
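Review bot: Renaming `GROUP_NAME` to `API_GROUP_NAME` and adding `RESOLVER_NAME` changes the contract between the chart and the container image, and nothing visible ties the two together, since values.yaml still pulls `tag: latest` with `pullPolicy: Always`. A chart rollback or a cached older image would start the solver with variables it presumably does not read. Pin the image to a version or digest released together with this chart, and add a comment above the entries such as `# Read by the solver at startup; names must match the image version`. The container spec starts and ends outside the hunk.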
diff --git a/charts/cert-manager-webhook-pcloud/templates/rbac.yaml b/charts/cert-manager-webhook-pcloud/templates/rbac.yaml
index c3d8405..acd44c1 100644
--- a/charts/cert-manager-webhook-pcloud/templates/rbac.yaml
+++ b/charts/cert-manager-webhook-pcloud/templates/rbac.yaml
@@ -65,7 +65,7 @@
     heritage: {{ .Release.Service }}
 rules:
   - apiGroups:
-      - {{ .Values.groupName }}
+      - {{ .Values.apiGroupName }}
     resources:
       - "*"
     verbs:
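Review bot: The unquoted list item `- {{ .Values.apiGroupName }}` renders as an empty entry when the value is left at its `""` default, and an empty apiGroup in an RBAC rule denotes the core API group. With `resources: "*"` this rule could then cover core resources such as Secrets instead of the solver's own group, although how the empty item is decoded should be confirmed. Use `- {{ required "apiGroupName must be set" .Values.apiGroupName | quote }}` so a missing value stops the render and a set value is always a string. The `apiGroups` and `resources` items in role.yaml have the same exposure, there combined with `verbs: "*"`. The verbs of this rule lie outside the hunk.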
@@ -120,6 +120,34 @@
     kind: ServiceAccount
     name: {{ include "cert-manager-webhook-pcloud.fullname" . }}
     namespace: {{ .Values.certManager.namespace | quote }}
+---
+# TODO(gio): limit access by resourceNames
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "cert-manager-webhook-pcloud.fullname" . }}:api-configmap-reader
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - "configmaps"
+    verbs:
+      - "get"
+      - "watch"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "cert-manager-webhook-pcloud.fullname" . }}:api-configmap-reader
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "cert-manager-webhook-pcloud.fullname" . }}:api-configmap-reader
+subjects:
+  - apiGroup: ""
+    kind: ServiceAccount
+    name: {{ include "cert-manager-webhook-pcloud.fullname" . }}
+    namespace: {{ .Values.certManager.namespace | quote }}
 {{- if .Values.features.apiPriorityAndFairness }}
 ---
 # Grant cert-manager-webhook-pcloud permission to read the flow control mechanism (APF)
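Review bot: The new `api-configmap-reader` ClusterRole and ClusterRoleBinding give the webhook's ServiceAccount `get` and `watch` on every ConfigMap in every namespace, and the TODO covers `resourceNames` but not the cluster-wide scope. The webhook appears to need a single ConfigMap (the dns-ns-controller chart adds one named by `apiConfigMapName`), so a namespaced `kind: Role` and `kind: RoleBinding` in that ConfigMap's namespace, with `resourceNames:` listing its name, would be the least-privilege form. A `watch` restricted by `resourceNames` only works when the client watches with a `metadata.name` field selector, so check how the solver sets up its watch before narrowing. The new objects also carry no `labels:` block, unlike the other RBAC objects in this file, going by the `heritage:` label visible in the first hunk.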
@@ -162,4 +190,4 @@
     kind: ServiceAccount
     name: {{ include "cert-manager-webhook-pcloud.fullname" . }}
     namespace: {{ .Values.certManager.namespace | quote }}
-{{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/charts/cert-manager-webhook-pcloud/templates/role.yaml b/charts/cert-manager-webhook-pcloud/templates/role.yaml
index 8671ae4..9c18ba1 100644
--- a/charts/cert-manager-webhook-pcloud/templates/role.yaml
+++ b/charts/cert-manager-webhook-pcloud/templates/role.yaml
@@ -1,12 +1,12 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: cert-manager-pcloud
+  name: cert-manager-{{ .Values.resolverName }}
 rules:
 - apiGroups:
-  - dodo.cloud
+  - {{ .Values.apiGroupName }}
   resources:
-  - pcloud-dns-solver
+  - {{ .Values.resolverName }}
   verbs:
   - "*" # TODO(giolekva): limit
 ---
@@ -17,7 +17,7 @@
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: cert-manager-pcloud
+  name: cert-manager-{{ .Values.resolverName }}
 subjects:
 - kind: ServiceAccount
   name: {{ .Values.certManager.name }}
diff --git a/charts/cert-manager-webhook-pcloud/values.yaml b/charts/cert-manager-webhook-pcloud/values.yaml
index 3516468..fccfcd7 100644
--- a/charts/cert-manager-webhook-pcloud/values.yaml
+++ b/charts/cert-manager-webhook-pcloud/values.yaml
@@ -1,4 +1,5 @@
-groupName: dodo.cloud
+apiGroupName: ""
+resolverName: ""
 logLevel: 6
 certManager:
   namespace: cert-manager
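Review bot: The two new keys carry no comment saying they are mandatory, and the old `groupName: dodo.cloud` default is removed, so an existing release that overrides `groupName` upgrades silently with an empty group. Document them in place, for example `# Required. API group the webhook is registered under (replaces groupName).` above `apiGroupName` and `# Required. Solver name; also used as the RBAC resource name in role.yaml.` above `resolverName`.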
@@ -7,8 +8,8 @@
   repository: giolekva/dns-challenge-solver
   tag: latest
   pullPolicy: Always
-nameOverride: ''
-fullnameOverride: ''
+nameOverride: ""
+fullnameOverride: ""
 service:
   type: ClusterIP
   port: 443
diff --git a/charts/dns-ns-controller/templates/api-config.yaml b/charts/dns-ns-controller/templates/api-config.yaml
new file mode 100644
index 0000000..e489493
--- /dev/null
+++ b/charts/dns-ns-controller/templates/api-config.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Values.apiConfigMapName }}
+  namespace: {{ .Release.Namespace }}
+data:
+  createTXTAddr: "http://controller-manager.{{ .Release.Namespace }}.svc.cluster.local/create-txt-record"
+  deleteTXTAddr: "http://controller-manager.{{ .Release.Namespace }}.svc.cluster.local/delete-txt-record"
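Review bot: Both addresses use plain `http://` for endpoints that create and delete TXT records, and nothing in this chart shows authentication or a NetworkPolicy in front of `controller-manager`. TXT records are what DNS-01 validation trusts, so these endpoints should be reachable only by the cert-manager webhook. If the handlers accept any in-cluster caller, restrict ingress to the webhook's pods or serve the API over TLS with client authentication. At minimum add a comment above `data:` such as `# Mutating DNS endpoints: callers must be limited to the cert-manager webhook`. The hard-coded `controller-manager` service name and `cluster.local` suffix also assume a fixed service name and the default cluster domain, so consider making them values.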
diff --git a/charts/dns-ns-controller/values.yaml b/charts/dns-ns-controller/values.yaml
index b4b4230..824e7a8 100644
--- a/charts/dns-ns-controller/values.yaml
+++ b/charts/dns-ns-controller/values.yaml
@@ -6,3 +6,4 @@
 volume:
   claimName: data
   mountPath: /etc/zone-configs
+apiConfigMapName: api-config