cert-manager dns-challenge-solver
diff --git a/charts/cert-manager-webhook-pcloud/.helmignore b/charts/cert-manager-webhook-pcloud/.helmignore
new file mode 100644
index 0000000..f0c1319
--- /dev/null
+++ b/charts/cert-manager-webhook-pcloud/.helmignore
@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
diff --git a/charts/cert-manager-webhook-pcloud/Chart.yaml b/charts/cert-manager-webhook-pcloud/Chart.yaml
new file mode 100644
index 0000000..748ca83
--- /dev/null
+++ b/charts/cert-manager-webhook-pcloud/Chart.yaml
@@ -0,0 +1,4 @@
+apiVersion: v2
+description: A Helm chart for cert-manager-webhook-pcloud
+name: cert-manager-webhook-pcloud
+version: v0.2.0
diff --git a/charts/cert-manager-webhook-pcloud/templates/_helpers.tpl b/charts/cert-manager-webhook-pcloud/templates/_helpers.tpl
new file mode 100644
index 0000000..5a1689f
--- /dev/null
+++ b/charts/cert-manager-webhook-pcloud/templates/_helpers.tpl
@@ -0,0 +1,48 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "cert-manager-webhook-pcloud.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "cert-manager-webhook-pcloud.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "cert-manager-webhook-pcloud.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "cert-manager-webhook-pcloud.selfSignedIssuer" -}}
+{{ printf "%s-selfsign" (include "cert-manager-webhook-pcloud.fullname" .) }}
+{{- end -}}
+
+{{- define "cert-manager-webhook-pcloud.rootCAIssuer" -}}
+{{ printf "%s-ca" (include "cert-manager-webhook-pcloud.fullname" .) }}
+{{- end -}}
+
+{{- define "cert-manager-webhook-pcloud.rootCACertificate" -}}
+{{ printf "%s-ca" (include "cert-manager-webhook-pcloud.fullname" .) }}
+{{- end -}}
+
+{{- define "cert-manager-webhook-pcloud.servingCertificate" -}}
+{{ printf "%s-webhook-tls" (include "cert-manager-webhook-pcloud.fullname" .) }}
+{{- end -}}
\ No newline at end of file
diff --git a/charts/cert-manager-webhook-pcloud/templates/apiservice.yaml b/charts/cert-manager-webhook-pcloud/templates/apiservice.yaml
new file mode 100644
index 0000000..faba034
--- /dev/null
+++ b/charts/cert-manager-webhook-pcloud/templates/apiservice.yaml
@@ -0,0 +1,19 @@
+apiVersion: apiregistration.k8s.io/v1
+kind: APIService
+metadata:
+  name: v1alpha1.{{ .Values.groupName }}
+  labels:
+    app: {{ include "cert-manager-webhook-pcloud.name" . }}
+    chart: {{ include "cert-manager-webhook-pcloud.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+  annotations:
+    cert-manager.io/inject-ca-from: "{{ .Values.certManager.namespace }}/{{ include "cert-manager-webhook-pcloud.servingCertificate" . }}"
+spec:
+  group: {{ .Values.groupName }}
+  groupPriorityMinimum: 1000
+  versionPriority: 15
+  service:
+    name: {{ include "cert-manager-webhook-pcloud.fullname" . }}
+    namespace: {{ .Values.certManager.namespace | quote }}
+  version: v1alpha1
\ No newline at end of file
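Review bot: The `spec.service` reference at the end of this file omits `port`, so the API aggregator dials the Service on the default 443, while values.yaml exposes `service.port` as a setting and service.yaml renders it. Changing that value would leave the APIService pointing at a port the Service no longer exposes, and the solver would become unreachable. Add `port: {{ .Values.service.port }}` under `service:` so the two stay in step. Separately, `name:` and the label values are rendered unquoted; piping them through `quote`, as `namespace` already does, guards against values that YAML would retype.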
diff --git a/charts/cert-manager-webhook-pcloud/templates/deployment.yaml b/charts/cert-manager-webhook-pcloud/templates/deployment.yaml
new file mode 100644
index 0000000..6c39bc5
--- /dev/null
+++ b/charts/cert-manager-webhook-pcloud/templates/deployment.yaml
@@ -0,0 +1,73 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "cert-manager-webhook-pcloud.fullname" . }}
+  namespace: {{ .Values.certManager.namespace | quote }}
+  labels:
+    app: {{ include "cert-manager-webhook-pcloud.name" . }}
+    chart: {{ include "cert-manager-webhook-pcloud.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      app: {{ include "cert-manager-webhook-pcloud.name" . }}
+      release: {{ .Release.Name }}
+  template:
+    metadata:
+      labels:
+        app: {{ include "cert-manager-webhook-pcloud.name" . }}
+        release: {{ .Release.Name }}
+    spec:
+      serviceAccountName: {{ include "cert-manager-webhook-pcloud.fullname" . }}
+      containers:
+        - name: {{ .Chart.Name }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          args:
+            - /dns-challenge-solver
+            - --tls-cert-file=/tls/tls.crt
+            - --tls-private-key-file=/tls/tls.key
+{{- if .Values.logLevel }}
+            - --v={{ .Values.logLevel }}
+{{- end }}
+          env:
+            - name: GROUP_NAME
+              value: {{ .Values.groupName | quote }}
+          ports:
+            - name: https
+              containerPort: 443
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              scheme: HTTPS
+              path: /healthz
+              port: https
+          readinessProbe:
+            httpGet:
+              scheme: HTTPS
+              path: /healthz
+              port: https
+          volumeMounts:
+            - name: certs
+              mountPath: /tls
+              readOnly: true
+          resources:
+{{ toYaml .Values.resources | indent 12 }}
+      volumes:
+        - name: certs
+          secret:
+            secretName: {{ include "cert-manager-webhook-pcloud.servingCertificate" . }}
+    {{- with .Values.nodeSelector }}
+      nodeSelector:
+{{ toYaml . | indent 8 }}
+    {{- end }}
+    {{- with .Values.affinity }}
+      affinity:
+{{ toYaml . | indent 8 }}
+    {{- end }}
+    {{- with .Values.tolerations }}
+      tolerations:
+{{ toYaml . | indent 8 }}
+    {{- end }}
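Review bot: The container spec sets no `securityContext`, so the solver runs with whatever user, capabilities and privilege-escalation settings the image and the cluster defaults give it, although it only serves TLS and reads one Secret. A container-level block that disables privilege escalation and drops capabilities is sketched below. Because the container listens on `containerPort: 443`, `NET_BIND_SERVICE` is kept; moving the listener to an unprivileged port would remove that need if the binary allows it. `runAsNonRoot: true` and `readOnlyRootFilesystem: true` are worth adding once the image is confirmed to work with them. `resources:` also renders from an empty default, so no requests or limits apply unless the operator supplies them.

```yaml
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
          # … unchanged: args, env, ports, probes, volumeMounts, resources …
```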
diff --git a/charts/cert-manager-webhook-pcloud/templates/pki.yaml b/charts/cert-manager-webhook-pcloud/templates/pki.yaml
new file mode 100644
index 0000000..59caf22
--- /dev/null
+++ b/charts/cert-manager-webhook-pcloud/templates/pki.yaml
@@ -0,0 +1,70 @@
+---
+# Create a selfsigned Issuer, in order to create a root CA certificate for
+# signing webhook serving certificates
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ include "cert-manager-webhook-pcloud.selfSignedIssuer" . }}
+  namespace: {{ .Values.certManager.namespace | quote }}
+  labels:
+    app: {{ include "cert-manager-webhook-pcloud.name" . }}
+    chart: {{ include "cert-manager-webhook-pcloud.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  selfSigned: {}
+---
+# Generate a CA Certificate used to sign certificates for the webhook
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ include "cert-manager-webhook-pcloud.rootCACertificate" . }}
+  namespace: {{ .Values.certManager.namespace | quote }}
+  labels:
+    app: {{ include "cert-manager-webhook-pcloud.name" . }}
+    chart: {{ include "cert-manager-webhook-pcloud.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  secretName: {{ include "cert-manager-webhook-pcloud.rootCACertificate" . }}
+  duration: 43800h # 5y
+  issuerRef:
+    name: {{ include "cert-manager-webhook-pcloud.selfSignedIssuer" . }}
+  commonName: "ca.cert-manager-webhook-pcloud.cert-manager"
+  isCA: true
+---
+# Create an Issuer that uses the above generated CA certificate to issue certs
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ include "cert-manager-webhook-pcloud.rootCAIssuer" . }}
+  namespace: {{ .Values.certManager.namespace | quote }}
+  labels:
+    app: {{ include "cert-manager-webhook-pcloud.name" . }}
+    chart: {{ include "cert-manager-webhook-pcloud.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  ca:
+    secretName: {{ include "cert-manager-webhook-pcloud.rootCACertificate" . }}
+---
+# Finally, generate a serving certificate for the webhook to use
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ include "cert-manager-webhook-pcloud.servingCertificate" . }}
+  namespace: {{ .Values.certManager.namespace | quote }}
+  labels:
+    app: {{ include "cert-manager-webhook-pcloud.name" . }}
+    chart: {{ include "cert-manager-webhook-pcloud.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  secretName: {{ include "cert-manager-webhook-pcloud.servingCertificate" . }}
+  duration: 8760h # 1y
+  issuerRef:
+    name: {{ include "cert-manager-webhook-pcloud.rootCAIssuer" . }}
+  dnsNames:
+  - {{ include "cert-manager-webhook-pcloud.fullname" . }}
+  - {{ include "cert-manager-webhook-pcloud.fullname" . }}.{{ .Values.certManager.namespace }}
+  - {{ include "cert-manager-webhook-pcloud.fullname" . }}.{{ .Values.certManager.namespace }}.svc
\ No newline at end of file
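Review bot: Neither Certificate sets `privateKey`, so the key algorithm, size and rotation behaviour of the 5-year root CA and the 1-year serving certificate are whatever the installed cert-manager version defaults to. For a CA with `duration: 43800h` I would state them explicitly, for example `privateKey:` with `algorithm: ECDSA` and `size: 256` on the CA, and `rotationPolicy: Always` on the serving Certificate so that a renewal does not reuse the old key. Adding `kind: Issuer` to both `issuerRef` blocks would make it explicit that the namespaced Issuers defined in this file are meant. The CA `commonName` also hardcodes `cert-manager` as the namespace although `certManager.namespace` is configurable, which is cosmetic but misleading in other installs.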
diff --git a/charts/cert-manager-webhook-pcloud/templates/rbac.yaml b/charts/cert-manager-webhook-pcloud/templates/rbac.yaml
new file mode 100644
index 0000000..c3d8405
--- /dev/null
+++ b/charts/cert-manager-webhook-pcloud/templates/rbac.yaml
@@ -0,0 +1,165 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "cert-manager-webhook-pcloud.fullname" . }}
+  namespace: {{ .Values.certManager.namespace | quote }}
+  labels:
+    app: {{ include "cert-manager-webhook-pcloud.name" . }}
+    chart: {{ include "cert-manager-webhook-pcloud.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+---
+# Grant the webhook permission to read the ConfigMap containing the Kubernetes
+# apiserver's requestheader-ca-certificate
+# This ConfigMap is automatically created by the Kubernetes apiserver
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "cert-manager-webhook-pcloud.fullname" . }}:webhook-authentication-reader
+  namespace: kube-system
+  labels:
+    app: {{ include "cert-manager-webhook-pcloud.name" . }}
+    chart: {{ include "cert-manager-webhook-pcloud.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: extension-apiserver-authentication-reader
+subjects:
+  - apiGroup: ""
+    kind: ServiceAccount
+    name: {{ include "cert-manager-webhook-pcloud.fullname" . }}
+    namespace: {{ .Values.certManager.namespace | quote }}
+---
+# apiserver gets the auth-delegator role to delegate auth decisions to
+# the core apiserver
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "cert-manager-webhook-pcloud.fullname" . }}:auth-delegator
+  labels:
+    app: {{ include "cert-manager-webhook-pcloud.name" . }}
+    chart: {{ include "cert-manager-webhook-pcloud.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:auth-delegator
+subjects:
+  - apiGroup: ""
+    kind: ServiceAccount
+    name: {{ include "cert-manager-webhook-pcloud.fullname" . }}
+    namespace: {{ .Values.certManager.namespace | quote}}
+---
+# Grant cert-manager permission to validate using our apiserver
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "cert-manager-webhook-pcloud.fullname" . }}:domain-solver
+  labels:
+    app: {{ include "cert-manager-webhook-pcloud.name" . }}
+    chart: {{ include "cert-manager-webhook-pcloud.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+rules:
+  - apiGroups:
+      - {{ .Values.groupName }}
+    resources:
+      - "*"
+    verbs:
+      - "create"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "cert-manager-webhook-pcloud.fullname" . }}:domain-solver
+  labels:
+    app: {{ include "cert-manager-webhook-pcloud.name" . }}
+    chart: {{ include "cert-manager-webhook-pcloud.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "cert-manager-webhook-pcloud.fullname" . }}:domain-solver
+subjects:
+  - apiGroup: ""
+    kind: ServiceAccount
+    name: {{ .Values.certManager.serviceAccountName }}
+    namespace: {{ .Values.certManager.namespace | quote }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "cert-manager-webhook-pcloud.fullname" . }}:secret-reader
+  namespace: {{ .Values.certManager.namespace | quote }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - "secrets"
+    resourceNames:
+      - "pcloud-credentials"
+    verbs:
+      - "get"
+      - "watch"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "cert-manager-webhook-pcloud.fullname" . }}:secret-reader
+  namespace: {{ .Values.certManager.namespace | quote }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "cert-manager-webhook-pcloud.fullname" . }}:secret-reader
+subjects:
+  - apiGroup: ""
+    kind: ServiceAccount
+    name: {{ include "cert-manager-webhook-pcloud.fullname" . }}
+    namespace: {{ .Values.certManager.namespace | quote }}
+{{- if .Values.features.apiPriorityAndFairness }}
+---
+# Grant cert-manager-webhook-pcloud permission to read the flow control mechanism (APF)
+# API Priority and Fairness is enabled by default in Kubernetes 1.20
+# https://kubernetes.io/docs/concepts/cluster-administration/flow-control/
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "cert-manager-webhook-pcloud.fullname" . }}:flowcontrol-solver
+  labels:
+    app: {{ include "cert-manager-webhook-pcloud.name" . }}
+    chart: {{ include "cert-manager-webhook-pcloud.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+rules:
+  - apiGroups:
+      - "flowcontrol.apiserver.k8s.io"
+    resources:
+      - "prioritylevelconfigurations"
+      - "flowschemas"
+    verbs:
+      - "list"
+      - "watch"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "cert-manager-webhook-pcloud.fullname" . }}:flowcontrol-solver
+  labels:
+    app: {{ include "cert-manager-webhook-pcloud.name" . }}
+    chart: {{ include "cert-manager-webhook-pcloud.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "cert-manager-webhook-pcloud.fullname" . }}:flowcontrol-solver
+subjects:
+  - apiGroup: ""
+    kind: ServiceAccount
+    name: {{ include "cert-manager-webhook-pcloud.fullname" . }}
+    namespace: {{ .Values.certManager.namespace | quote }}
+{{- end }}
\ No newline at end of file
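Review bot: The `domain-solver` ClusterRole grants `create` on `resources: "*"` in `{{ .Values.groupName }}`, and the chart default for that group is the bare domain `dodo.cloud`. If any other API or CRD is ever served under that group, the cert-manager ServiceAccount bound in the following ClusterRoleBinding gains `create` on it cluster-wide. Listing the solver's resource name instead of the wildcard (it is defined in the solver code, which this diff does not show), or defaulting `groupName` to a subdomain used only by this webhook, keeps the grant to what cert-manager needs. The `secret-reader` Role and RoleBinding also lack the `labels:` block that every other object in this file carries, which makes them harder to find when auditing what the release installed.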
diff --git a/charts/cert-manager-webhook-pcloud/templates/service.yaml b/charts/cert-manager-webhook-pcloud/templates/service.yaml
new file mode 100644
index 0000000..022dbf1
--- /dev/null
+++ b/charts/cert-manager-webhook-pcloud/templates/service.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "cert-manager-webhook-pcloud.fullname" . }}
+  namespace: {{ .Values.certManager.namespace | quote }}
+  labels:
+    app: {{ include "cert-manager-webhook-pcloud.name" . }}
+    chart: {{ include "cert-manager-webhook-pcloud.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+    - port: {{ .Values.service.port }}
+      targetPort: https
+      protocol: TCP
+      name: https
+  selector:
+    app: {{ include "cert-manager-webhook-pcloud.name" . }}
+    release: {{ .Release.Name }}
\ No newline at end of file
diff --git a/charts/cert-manager-webhook-pcloud/values.yaml b/charts/cert-manager-webhook-pcloud/values.yaml
new file mode 100644
index 0000000..3516468
--- /dev/null
+++ b/charts/cert-manager-webhook-pcloud/values.yaml
@@ -0,0 +1,20 @@
+groupName: dodo.cloud
+logLevel: 6
+certManager:
+  namespace: cert-manager
+  serviceAccountName: cert-manager
+image:
+  repository: giolekva/dns-challenge-solver
+  tag: latest
+  pullPolicy: Always
+nameOverride: ''
+fullnameOverride: ''
+service:
+  type: ClusterIP
+  port: 443
+features:
+  apiPriorityAndFairness: false
+resources: {}
+nodeSelector: {}
+tolerations: []
+affinity: {}
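Review bot: `tag: latest` with `pullPolicy: Always` means each pod restart can pull a different, unreviewed build of an image that rbac.yaml allows to read the `pcloud-credentials` Secret and binds to `system:auth-delegator`. Default the tag to a released version, or reference the image by digest, and set `pullPolicy: IfNotPresent`; Chart.yaml has no `appVersion` to tie the chart to an image version either. `logLevel: 6` is also a debug-level default for the `--v` flag passed in deployment.yaml. A lower default would reduce the chance of request details ending up in pod logs, which should be checked against what the solver actually logs at that level.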