env: create private cert issuer as part of new env
diff --git a/charts/certificate-issuer-private/templates/gandi-credentials.yaml b/charts/certificate-issuer-private/templates/gandi-credentials.yaml
deleted file mode 100644
index 65c7076..0000000
--- a/charts/certificate-issuer-private/templates/gandi-credentials.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: v1
-kind: Secret
-type: Opaque
-metadata:
- name: gandi-credentials
- namespace: {{ .Release.Namespace }}
-data:
- api-token: {{ .Values.issuer.gandiAPIToken | b64enc }}
diff --git a/charts/certificate-issuer-private/templates/gandi-webhook-secret-reader.yaml b/charts/certificate-issuer-private/templates/gandi-webhook-secret-reader.yaml
deleted file mode 100644
index 88cf405..0000000
--- a/charts/certificate-issuer-private/templates/gandi-webhook-secret-reader.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: {{ .Release.Namespace }}-cert-manager-gandi-webhook-secret-reader # TODO(giolekva): make namespace part configurable
- namespace: {{ .Release.Namespace }}
-rules:
-- apiGroups:
- - ""
- resources:
- - secrets
- verbs:
- - get
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: {{ .Release.Namespace }}-cert-manager-gandi-webhook-secret-reader
- namespace: {{ .Release.Namespace }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: {{ .Release.Namespace }}-cert-manager-gandi-webhook-secret-reader
-subjects:
-- kind: ServiceAccount
- name: {{ .Values.certManager.gandiWebhookSecretReader }}
- namespace: {{ .Values.certManager.namespace }}
diff --git a/charts/certificate-issuer-private/templates/issuer.yaml b/charts/certificate-issuer-private/templates/issuer.yaml
index 91c4d57..6692784 100644
--- a/charts/certificate-issuer-private/templates/issuer.yaml
+++ b/charts/certificate-issuer-private/templates/issuer.yaml
@@ -15,5 +15,5 @@
groupName: dodo.cloud
solverName: pcloud-dns-solver
config:
- createAddress: "http://ns-controller.dodo-dns-zone-manager.svc.cluster.local/create-txt-record"
- deleteAddress: "http://ns-controller.dodo-dns-zone-manager.svc.cluster.local/delete-txt-record"
+ apiConfigMapName: {{ .Values.apiConfigMap.name }}
+ apiConfigMapNamespace: {{ .Values.apiConfigMap.Namespace }}
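Review bot: `.Values.apiConfigMap.Namespace` on the last added line does not match the key the chart actually defines, `apiConfigMap.namespace` (lowercase in both values.yaml and the installer values template), so `apiConfigMapNamespace` renders with no value and the solver is pointed at the wrong place; change it to `apiConfigMapNamespace: "{{ .Values.apiConfigMap.namespace }}"` and quote the `name` line the same way so an unset value becomes an empty string rather than a YAML null. The ConfigMap now lives in a namespace other than the issuer's; this commit deletes the cross-namespace secret-reader ClusterRole/Binding, and no grant letting the solver read ConfigMaps in the dns-zone-manager namespace appears in the diff — worth confirming that RBAC exists elsewhere before relying on it. The enclosing solver config begins above the hunk.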
diff --git a/charts/certificate-issuer-private/values.yaml b/charts/certificate-issuer-private/values.yaml
index 4d6234f..e332987 100644
--- a/charts/certificate-issuer-private/values.yaml
+++ b/charts/certificate-issuer-private/values.yaml
@@ -1,10 +1,9 @@
-certManager:
- namespace: cert-manager
- gandiWebhookSecretReader: cert-manager-webhook-gandi
issuer:
name: selfsigned-private
server: https://acme-v02.api.letsencrypt.org/directory
contactEmail: admin@example.com
gandiAPIToken: token
domain: p.example.com
-
+apiConfigMap:
+ name: api-config
+ namespace: pcloud-dns-zone-manager
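Review bot: `gandiAPIToken: token` remains in the chart defaults although the Secret template that consumed it (`gandi-credentials.yaml`) is deleted in this same commit; if no remaining template reads it, drop the key so a credential-shaped placeholder does not linger in values.yaml. The new `namespace: pcloud-dns-zone-manager` default hard-codes the `pcloud` environment prefix that env.go derives from `pcloudEnvName`; a comment such as `# must match the dns-ns-controller release namespace (<env>-dns-zone-manager)` would record the coupling for whoever changes either side.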
diff --git a/charts/dns-ns-controller/templates/api-config.yaml b/charts/dns-ns-controller/templates/api-config.yaml
index e489493..f902fd8 100644
--- a/charts/dns-ns-controller/templates/api-config.yaml
+++ b/charts/dns-ns-controller/templates/api-config.yaml
@@ -4,5 +4,5 @@
name: {{ .Values.apiConfigMapName }}
namespace: {{ .Release.Namespace }}
data:
- createTXTAddr: "http://controller-manager.{{ .Release.Namespace }}.svc.cluster.local/create-txt-record"
- deleteTXTAddr: "http://controller-manager.{{ .Release.Namespace }}.svc.cluster.local/delete-txt-record"
+ createTXTAddr: "http://ns-controller.{{ .Release.Namespace }}.svc.cluster.local/create-txt-record"
+ deleteTXTAddr: "http://ns-controller.{{ .Release.Namespace }}.svc.cluster.local/delete-txt-record"
diff --git a/charts/dns-ns-controller/templates/install.yaml b/charts/dns-ns-controller/templates/install.yaml
index 11210d4..555b170 100644
--- a/charts/dns-ns-controller/templates/install.yaml
+++ b/charts/dns-ns-controller/templates/install.yaml
@@ -205,7 +205,7 @@
metadata:
labels:
control-plane: controller-manager
- name: ns-controller
+ name: ns-controller # TODO(gio): move to _helpers
namespace: {{ .Release.Namespace }}
spec:
ports:
diff --git a/core/installer/values-tmpl/certificate-issuer-private.jsonschema b/core/installer/values-tmpl/certificate-issuer-private.jsonschema
index cb7e4dc..27f907e 100644
--- a/core/installer/values-tmpl/certificate-issuer-private.jsonschema
+++ b/core/installer/values-tmpl/certificate-issuer-private.jsonschema
@@ -1,7 +1,14 @@
{
"type": "object",
"properties": {
- "GandiAPIToken": { "type": "string" }
+ "APIConfigMap": {
+ "type": "object",
+ "properties": {
+ "Name": { "type": "string" },
+ "Namespace": { "type": "string" }
+ },
+ "additionalProperties": false
+ }
},
"additionalProperties": false
}
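Review bot: `GandiAPIToken` is removed from the schema while `additionalProperties` stays `false`, but `core/installer/values-tmpl/certificate-issuer-private.yaml` still renders `gandiAPIToken: {{ .Values.GandiAPIToken }}` (a context line in its second hunk), so that template now references a value no caller is permitted to supply; either drop that line or keep the property. The new `APIConfigMap` object also has no `required` list, so an install with `Name` or `Namespace` omitted validates and renders an issuer whose ConfigMap reference is empty. Add `"required": ["Name", "Namespace"]` inside `APIConfigMap` and `"required": ["APIConfigMap"]` at the top level.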
diff --git a/core/installer/values-tmpl/certificate-issuer-private.yaml b/core/installer/values-tmpl/certificate-issuer-private.yaml
index 09209d0..8654be5 100644
--- a/core/installer/values-tmpl/certificate-issuer-private.yaml
+++ b/core/installer/values-tmpl/certificate-issuer-private.yaml
@@ -16,9 +16,6 @@
namespace: {{ .Global.Id }}
interval: 1m0s
values:
- certManager:
- namespace: {{ .Global.PCloudEnvName }}-cert-manager
- gandiWebhookSecretReader: {{ .Global.PCloudEnvName }}-cert-manager-webhook-gandi
issuer:
name: {{ .Global.Id }}-private
server: https://acme-v02.api.letsencrypt.org/directory
@@ -26,3 +23,6 @@
domain: {{ .Global.PrivateDomain }}
contactEmail: {{ .Global.ContactEmail }}
gandiAPIToken: {{ .Values.GandiAPIToken }}
+ apiConfigMap:
+ name: {{ .Values.APIConfigMap.Name }}
+ namespace: {{ .Values.APIConfigMap.Namespace }}
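Review bot: The two added templated scalars are unquoted, so if either schema value is absent the line renders as a bare `name:` / `namespace:`, which YAML reads as null rather than an empty string and the install then passes on silently. Quote them: `name: "{{ .Values.APIConfigMap.Name }}"` and `namespace: "{{ .Values.APIConfigMap.Namespace }}"`. The enclosing `values:` mapping starts in the previous hunk.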
diff --git a/core/installer/values-tmpl/certificate-issuer-public.yaml b/core/installer/values-tmpl/certificate-issuer-public.yaml
index 5755f0f..bcf0079 100644
--- a/core/installer/values-tmpl/certificate-issuer-public.yaml
+++ b/core/installer/values-tmpl/certificate-issuer-public.yaml
@@ -17,10 +17,6 @@
namespace: {{ .Global.Id }}
interval: 1m0s
values:
- pcloudInstanceId: {{ .Global.Id }}
- certManager:
- namespace: {{ .Global.PCloudEnvName }}-cert-manager
- gandiWebhookSecretReader: {{ .Global.PCloudEnvName }}-cert-manager-webhook-gandi
issuer:
name: {{ .Global.Id }}-public
server: https://acme-v02.api.letsencrypt.org/directory
diff --git a/core/installer/welcome/env.go b/core/installer/welcome/env.go
index c11770c..c0f2f01 100644
--- a/core/installer/welcome/env.go
+++ b/core/installer/welcome/env.go
@@ -564,6 +564,20 @@
}
}
{
+ app, err := appsRepo.Find("certificate-issuer-private")
+ if err != nil {
+ return err
+ }
+ if err := appManager.Install(*app, nsGen, emptySuffixGen, map[string]any{
+ "APIConfigMap": map[string]any{
+ "Name": "api-config", // TODO(gio): take from global pcloud config
+ "Namespace": fmt.Sprintf("%s-dns-zone-manager", pcloudEnvName),
+ },
+ }); err != nil {
+ return err
+ }
+ }
+ {
app, err := appsRepo.Find("core-auth")
if err != nil {
return err
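Review bot: The ConfigMap name `"api-config"` and the namespace pattern `"%s-dns-zone-manager"` are hard-coded here and duplicated in the chart's values.yaml, and the name must additionally match the dns-ns-controller release's `apiConfigMapName`; drift between any of them leaves the issuer pointing at a ConfigMap that does not exist, which nothing in this install path detects. The TODO already covers the name; the namespace deserves the same marker, e.g. `// TODO(gio): derive from the dns-ns-controller release rather than re-deriving the namespace here`. Both errors are returned bare, so a failure in this block is indistinguishable from the neighbouring app installs; `return fmt.Errorf("install certificate-issuer-private: %w", err)` would identify the failing step (`fmt` is already in use on the line above). The enclosing function starts and ends outside the hunk.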
diff --git a/core/installer/welcome/welcome.go b/core/installer/welcome/welcome.go
index e13ec3a..04e0792 100644
--- a/core/installer/welcome/welcome.go
+++ b/core/installer/welcome/welcome.go
@@ -118,19 +118,6 @@
}
appsRepo := installer.NewInMemoryAppRepository(installer.CreateAllApps())
{
- app, err := appsRepo.Find("certificate-issuer-private")
- if err != nil {
- http.Error(w, err.Error(), http.StatusInternalServerError)
- return
- }
- if err := appManager.Install(*app, nsGen, suffixGen, map[string]any{
- "GandiAPIToken": req.GandiAPIToken,
- }); err != nil {
- http.Error(w, err.Error(), http.StatusInternalServerError)
- return
- }
- }
- {
app, err := appsRepo.Find("headscale-user")
if err != nil {
http.Error(w, err.Error(), http.StatusInternalServerError)