diff --git a/enterprise/clusterissuer/5.0.0/CHANGELOG.md b/enterprise/clusterissuer/5.0.0/CHANGELOG.md new file mode 100644 index 0000000000..e52e28d3b5 --- /dev/null +++ b/enterprise/clusterissuer/5.0.0/CHANGELOG.md 
@@ -0,0 +1,99 @@ +**Important:** +*for the complete changelog, please refer to the website* + + + + +## [clusterissuer-5.0.0](https://github.com/truecharts/charts/compare/clusterissuer-4.2.14...clusterissuer-5.0.0) (2023-12-20) + +### Chore + +- BREAKING CHANGE adapt to common changes ([#15889](https://github.com/truecharts/charts/issues/15889)) + + + + +## [clusterissuer-4.2.14](https://github.com/truecharts/charts/compare/clusterissuer-4.2.13...clusterissuer-4.2.14) (2023-12-20) + +### Chore + +- Bump everything to force min/max scale version update + + + + +## [clusterissuer-4.2.13](https://github.com/truecharts/charts/compare/clusterissuer-4.2.11...clusterissuer-4.2.13) (2023-12-16) + +### Chore + +- fix move mistake and cleanup metadata + - update helm general non-major ([#14784](https://github.com/truecharts/charts/issues/14784)) + + + + +## [clusterissuer-4.2.13](https://github.com/truecharts/charts/compare/clusterissuer-4.2.11...clusterissuer-4.2.13) (2023-12-16) + +### Chore + +- fix move mistake and cleanup metadata + - update helm general non-major ([#14784](https://github.com/truecharts/charts/issues/14784)) + + + + +## [clusterissuer-4.2.12](https://github.com/truecharts/charts/compare/clusterissuer-4.2.11...clusterissuer-4.2.12) (2023-12-16) + +### Chore + +- fix move mistake and cleanup metadata + + + + +## [clusterissuer-4.2.11](https://github.com/truecharts/charts/compare/clusterissuer-4.2.10...clusterissuer-4.2.11) (2023-12-03) + +### Chore + +- bump everything to ensure catalog has latest versions + - fix annotations again + - update annotations + - cleanup chart.yaml and add min-max scale version + - lint files ([#15238](https://github.com/truecharts/charts/issues/15238)) + + + + + + + + + + + + +## [clusterissuer-4.2.10](https://github.com/truecharts/charts/compare/clusterissuer-4.2.9...clusterissuer-4.2.10) (2023-11-17) + + + + +## [clusterissuer-4.2.9](https://github.com/truecharts/charts/compare/clusterissuer-4.2.8...clusterissuer-4.2.9) 
(2023-11-08) + + + + +## [clusterissuer-4.2.8](https://github.com/truecharts/charts/compare/clusterissuer-4.2.7...clusterissuer-4.2.8) (2023-11-08) + + + + +## [clusterissuer-4.2.7](https://github.com/truecharts/charts/compare/clusterissuer-4.2.6...clusterissuer-4.2.7) (2023-11-08) + +### Chore + +- update helm general non-major ([#14454](https://github.com/truecharts/charts/issues/14454)) + + + + +## [clusterissuer-4.2.6](https://github.com/truecharts/charts/compare/clusterissuer-4.2.5...clusterissuer-4.2.6) (2023-11-05) diff --git a/enterprise/clusterissuer/5.0.0/Chart.yaml b/enterprise/clusterissuer/5.0.0/Chart.yaml new file mode 100644 index 0000000000..3c8275beb1 --- /dev/null +++ b/enterprise/clusterissuer/5.0.0/Chart.yaml @@ -0,0 +1,37 @@ +kubeVersion: ">=1.24.0-0" +apiVersion: v2 +name: clusterissuer +version: 5.0.0 +appVersion: latest +description: Certificate management for Kubernetes +home: https://truecharts.org/charts/enterprise/clusterissuer +icon: https://truecharts.org/img/hotlink-ok/chart-icons/clusterissuer.png +deprecated: false +sources: + - https://cert-manager.io/ + - https://github.com/truecharts/charts/tree/master/charts/enterprise/clusterissuer + - https://hub.docker.com/_/hello-world +maintainers: + - name: TrueCharts + email: info@truecharts.org + url: https://truecharts.org +keywords: + - cert-manager + - certificates +dependencies: + - name: common + version: 16.2.4 + repository: https://library-charts.truecharts.org + condition: "" + alias: "" + tags: [] + import-values: [] +annotations: + max_scale_version: 23.10.2 + min_scale_version: 23.10.0 + truecharts.org/SCALE-support: "true" + truecharts.org/category: core + truecharts.org/max_helm_version: "3.13" + truecharts.org/min_helm_version: "3.12" + truecharts.org/train: enterprise +type: application diff --git a/enterprise/clusterissuer/5.0.0/LICENSE b/enterprise/clusterissuer/5.0.0/LICENSE new file mode 100644 index 0000000000..80e4ab93f9 --- /dev/null 
+++ b/enterprise/clusterissuer/5.0.0/LICENSE 
@@ -0,0 +1,106 @@ +Business Source License 1.1 + +Parameters + +Licensor: The TrueCharts Project, it's owner and it's contributors +Licensed Work: The TrueCharts "Cert-Manager" Helm Chart +Additional Use Grant: You may use the licensed work in production, as long + as it is directly sourced from a TrueCharts provided + official repository, catalog or source. You may also make private + modification to the directly sourced licenced work, + when used in production. + + The following cases are, due to their nature, also + defined as 'production use' and explicitly prohibited: + - Bundling, including or displaying the licensed work + with(in) another work intended for production use, + with the apparent intend of facilitating and/or + promoting production use by third parties in + violation of this license. + +Change Date: 2050-01-01 + +Change License: 3-clause BSD license + +For information about alternative licensing arrangements for the Software, +please contact: legal@truecharts.org + +Notice + +The Business Source License (this document, or the “License”) is not an Open +Source license. However, the Licensed Work will eventually be made available +under an Open Source License, as stated in this License. + +License text copyright (c) 2017 MariaDB Corporation Ab, All Rights Reserved. +“Business Source License” is a trademark of MariaDB Corporation Ab. + +----------------------------------------------------------------------------- + +Business Source License 1.1 + +Terms + +The Licensor hereby grants you the right to copy, modify, create derivative +works, redistribute, and make non-production use of the Licensed Work. The +Licensor may make an Additional Use Grant, above, permitting limited +production use. 
+ +Effective on the Change Date, or the fourth anniversary of the first publicly +available distribution of a specific version of the Licensed Work under this +License, whichever comes first, the Licensor hereby grants you rights under +the terms of the Change License, and the rights granted in the paragraph +above terminate. + +If your use of the Licensed Work does not comply with the requirements +currently in effect as described in this License, you must purchase a +commercial license from the Licensor, its affiliated entities, or authorized +resellers, or you must refrain from using the Licensed Work. + +All copies of the original and modified Licensed Work, and derivative works +of the Licensed Work, are subject to this License. This License applies +separately for each version of the Licensed Work and the Change Date may vary +for each version of the Licensed Work released by Licensor. + +You must conspicuously display this License on each original or modified copy +of the Licensed Work. If you receive the Licensed Work in original or +modified form from a third party, the terms and conditions set forth in this +License apply to your use of that work. + +Any use of the Licensed Work in violation of this License will automatically +terminate your rights under this License for the current and all other +versions of the Licensed Work. + +This License does not grant you any right in any trademark or logo of +Licensor or its affiliates (provided that you may use a trademark or logo of +Licensor as expressly required by this License). + +TO THE EXTENT PERMITTED BY APPLICABLE LAW, THE LICENSED WORK IS PROVIDED ON +AN “AS IS” BASIS. LICENSOR HEREBY DISCLAIMS ALL WARRANTIES AND CONDITIONS, +EXPRESS OR IMPLIED, INCLUDING (WITHOUT LIMITATION) WARRANTIES OF +MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND +TITLE. 
+ +MariaDB hereby grants you permission to use this License’s text to license +your works, and to refer to it using the trademark “Business Source License”, +as long as you comply with the Covenants of Licensor below. + +Covenants of Licensor + +In consideration of the right to use this License’s text and the “Business +Source License” name and trademark, Licensor covenants to MariaDB, and to all +other recipients of the licensed work to be provided by Licensor: + +1. To specify as the Change License the GPL Version 2.0 or any later version, + or a license that is compatible with GPL Version 2.0 or a later version, + where “compatible” means that software provided under the Change License can + be included in a program with software provided under GPL Version 2.0 or a + later version. Licensor may specify additional Change Licenses without + limitation. + +2. To either: (a) specify an additional grant of rights to use that does not + impose any additional restriction on the right granted in this License, as + the Additional Use Grant; or (b) insert the text “None”. + +3. To specify a Change Date. + +4. Not to modify this License in any other way. diff --git a/enterprise/clusterissuer/5.0.0/README.md b/enterprise/clusterissuer/5.0.0/README.md new file mode 100644 index 0000000000..d1e771ade4 --- /dev/null +++ b/enterprise/clusterissuer/5.0.0/README.md 
@@ -0,0 +1,27 @@ +# README + +## General Info + +TrueCharts can be installed as both *normal* Helm Charts or as Apps on TrueNAS SCALE. +However only installations using the TrueNAS SCALE Apps system are supported. + +For more information about this App, please check the docs on the TrueCharts [website](https://truecharts.org/charts/enterprise/clusterissuer) + +**This chart is not maintained by the upstream project and any issues with the chart should be raised [here](https://github.com/truecharts/charts/issues/new/choose)** + + +## Support + +- Please check our [quick-start guides for TrueNAS SCALE](https://truecharts.org/manual/SCALE/guides/scale-intro). +- See the [Website](https://truecharts.org) +- Check our [Discord](https://discord.gg/tVsPTHWTtr) +- Open a [issue](https://github.com/truecharts/charts/issues/new/choose) + +--- + +## Sponsor TrueCharts + +TrueCharts can only exist due to the incredible effort of our staff. +Please consider making a [donation](https://truecharts.org/sponsor) or contributing back to the project any way you can! + +*All Rights Reserved - The TrueCharts Project* diff --git a/enterprise/clusterissuer/5.0.0/app-changelog.md b/enterprise/clusterissuer/5.0.0/app-changelog.md new file mode 100644 index 0000000000..5b86ece2d8 --- /dev/null +++ b/enterprise/clusterissuer/5.0.0/app-changelog.md @@ -0,0 +1,9 @@ + + +## [clusterissuer-5.0.0](https://github.com/truecharts/charts/compare/clusterissuer-4.2.14...clusterissuer-5.0.0) (2023-12-20) + +### Chore + +- BREAKING CHANGE adapt to common changes ([#15889](https://github.com/truecharts/charts/issues/15889)) + + \ No newline at end of file diff --git a/enterprise/clusterissuer/5.0.0/app-readme.md b/enterprise/clusterissuer/5.0.0/app-readme.md new file mode 100644 index 0000000000..1b0cc5e4cb --- /dev/null +++ b/enterprise/clusterissuer/5.0.0/app-readme.md 
@@ -0,0 +1,8 @@ +Certificate management for Kubernetes + +This App is supplied by TrueCharts, for more information visit the manual: [https://truecharts.org/charts/enterprise/clusterissuer](https://truecharts.org/charts/enterprise/clusterissuer) + +--- + +TrueCharts can only exist due to the incredible effort of our staff. +Please consider making a [donation](https://truecharts.org/sponsor) or contributing back to the project any way you can! diff --git a/enterprise/clusterissuer/5.0.0/charts/common-16.2.4.tgz b/enterprise/clusterissuer/5.0.0/charts/common-16.2.4.tgz new file mode 100644 index 0000000000..f96ce4eb65 Binary files /dev/null and b/enterprise/clusterissuer/5.0.0/charts/common-16.2.4.tgz differ diff --git a/enterprise/clusterissuer/5.0.0/ix_values.yaml b/enterprise/clusterissuer/5.0.0/ix_values.yaml new file mode 100644 index 0000000000..bae06df803 --- /dev/null +++ b/enterprise/clusterissuer/5.0.0/ix_values.yaml 
@@ -0,0 +1,104 @@ +image: + repository: hello-world + tag: latest@sha256:88ec0acaa3ec199d3b7eaf73588f4518c25f9d34f58ce9a0df68429c5af48e8d + pullPolicy: IfNotPresent +manifestManager: + enabled: true +workload: + main: + enabled: false + podSpec: + containers: + main: + enabled: false + probes: + liveness: + enabled: false + readiness: + enabled: false + startup: + enabled: false +service: + main: + enabled: false + ports: + main: + enabled: false + port: 9999 +portal: + open: + enabled: false +operator: + verify: + additionalOperators: + - cert-manager + enabled: true + failOnError: false +clusterIssuer: + selfSigned: + enabled: true + name: "selfsigned" + CA: [] + # - name: myca + # selfSigned: true + # selfSignedCommonName: "my-selfsigned-ca" + # # Used to manually define a CA-crt not used when selfSigned is enabled + # crt: "" + # key: "" + # # TODO: Add option to use SCALE CA certs + + ACME: [] +# - name: letsencrypt +# # Used for both logging in to the DNS provider AND ACME registration +# email: "" +# server: 'https://acme-staging-v02.api.letsencrypt.org/directory' +# # Used primarily for the SCALE GUI +# customServer: 'https://acme-staging-v02.api.letsencrypt.org/directory' +# email: "" +# # Options: HTTP01, cloudflare, route53, akamai, digitalocean, rfc2136, acmedns +# type: "" +# # for cloudflare +# cfapikey: "" +# cfapitoken: "" +# # for route53 +# region: "" +# accessKeyID: "" +# route53SecretAccessKey: "" +# # optional for route53 +# role: "" +# # for akamai +# serviceConsumerDomain: "" +# akclientToken: "" +# akclientSecret: "" +# akaccessToken: "" +# # for digitalocean +# doaccessToken: "" +# # for rfc2136 +# nameserver: "" +# tsigKeyName: "" +# tsigAlgorithm: "" +# rfctsigSecret: "" +# # for acmedns +# name: sd +# acmednsHost: asdf +# # Pick one of the bellow acmednsConfig +# acmednsConfigJson: +# acmednsConfig: +# - domain: "" +# username: "" +# password: "" +# fulldomain: "" +# subdomain: "" +# allowFrom: [] + +clusterCertificates: + # Namespaces 
in which the certificates must be available + # Accepts comma-separated regex expressions + # replicationNamespaces: 'ix-.*' + certificates: [] + # - name: mycert + # enabled: true + # certificateIssuer: selfsigned + # hosts: + # - my.domain.com + # - '*.my.domain.com' diff --git a/enterprise/clusterissuer/5.0.0/questions.yaml b/enterprise/clusterissuer/5.0.0/questions.yaml new file mode 100644 index 0000000000..89568bda30 --- /dev/null +++ b/enterprise/clusterissuer/5.0.0/questions.yaml 
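Review bot: The commented-out ACME example under `ACME: []` carries a duplicate `email: ""` key and junk placeholders (`name: sd`, `acmednsHost: asdf`), and users copy these blocks verbatim into their values; drop the second `email`, use `name: ""` and `acmednsHost: ""`, and fix `bellow` to `below`. The `acmednsConfigJson:` example also has no value, so it is unclear whether a JSON string or a mapping is expected — a one-line `# acmednsConfigJson: ""  # raw JSON string, overrides acmednsConfig when set` would make that explicit. Separately, `operator.verify.failOnError: false` presumably lets the release proceed when cert-manager is absent; if so, that only moves the failure to CRD validation, which is worth stating in a comment.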
@@ -0,0 +1,445 @@ +groups: + - name: Container Image + description: Image to be used for container + - name: General Settings + description: General Deployment Settings + - name: Workload Settings + description: Workload Settings + - name: App Configuration + description: App Specific Config Options + - name: Networking and Services + description: Configure Network and Services for Container + - name: Storage and Persistence + description: Persist and Share Data that is Separate from the Container + - name: Ingress + description: Ingress Configuration + - name: Security and Permissions + description: Configure Security Context and Permissions + - name: Resources and Devices + description: "Specify Resources/Devices to be Allocated to Workload" + - name: Middlewares + description: Traefik Middlewares + - name: Metrics + description: Metrics + - name: Addons + description: Addon Configuration + - name: Advanced + description: Advanced Configuration + - name: Postgresql + description: Postgresql + - name: Documentation + description: Documentation +questions: + - variable: global + group: General Settings + label: "Global Settings" + schema: + additional_attrs: true + type: dict + attrs: + - variable: stopAll + label: Stop All + description: "Stops All Running pods and hibernates cnpg" + schema: + type: boolean + default: false + - variable: clusterIssuer + group: App Configuration + label: Cluster Certificate Issuer + schema: + additional_attrs: true + type: dict + attrs: + - variable: ACME + label: 'ACME Issuer' + schema: + type: list + default: [] + items: + - variable: ACMEEntry + label: 'ACME Issuer Entry' + schema: + additional_attrs: true + type: dict + attrs: + - variable: name + label: Name + description: "Name to give the issuer" + schema: + type: string + required: true + valid_chars: '^[a-z]+(-?[a-z]){0,63}-?[a-z]+$' + default: "" + - variable: type + label: Type or DNS-Provider + description: DNS Provider + schema: + type: string + default: cloudflare + 
enum: + - value: cloudflare + description: Cloudflare + - value: route53 + description: Route53 + - value: akamai + description: Akamai + - value: digitalocean + description: Digitalocean + - value: rfc2136 + description: rfc2136 (Advanced) + - value: HTTP01 + description: HTTP01 (Experimental) + - value: acmedns + description: ACME DNS (Advanced) + - variable: server + label: Server + description: "Server for ACME, for example: letsencrypt" + schema: + type: string + default: 'Letsencrypt-Production' + enum: + - value: 'https://acme-v02.api.letsencrypt.org/directory' + description: Letsencrypt-Production + - value: 'https://acme-staging-v02.api.letsencrypt.org/directory' + description: Letsencrypt-Staging + - value: 'https://api.buypass.no/acme-v02/directory' + description: BuyPass-Production + - value: 'https://api.test4.buypass.no/acme-v02/directory' + description: BuyPass-Staging + - value: custom + description: Custom + - variable: customServer + label: Custom ACME Server (Advanced) + description: "This can be used to enter your own custom ACME server" + schema: + type: string + show_if: [["server", "=", "custom"]] + default: 'https://acme-staging-v02.api.letsencrypt.org/directory' + - variable: caBundle + label: Trusted CABundle for private ACME server + description: "Trusted CABundle for private ACME server, encoded in base64" + schema: + type: string + show_if: [["server", "=", "custom"]] + - variable: email + label: Email + description: "Email adress to use for certificate issuing must match your DNS provider email when required" + schema: + type: string + required: true + default: "something@example.com" + - variable: cfapikey + label: CloudFlare API key + description: "CloudFlare API Key" + schema: + show_if: [["type", "=", "cloudflare"]] + type: string + default: "" + - variable: cfapitoken + label: CloudFlare API Token + description: "CloudFlare API Token" + schema: + show_if: [["type", "=", "cloudflare"]] + type: string + default: "" + - variable: 
region + label: Route53 Region + description: "Route 53 Region" + schema: + show_if: [["type", "=", "route53"]] + type: string + required: true + default: "us-west-1" + - variable: accessKeyID + label: Route53 accessKeyID + description: "Route53 accessKeyID" + schema: + show_if: [["type", "=", "route53"]] + type: string + required: true + default: "" + - variable: route53SecretAccessKey + label: Route53 Secret Access Key + description: "Route53 Secret Access Key" + schema: + show_if: [["type", "=", "route53"]] + type: string + required: true + default: "" + - variable: role + label: Route53 Role (optional) + description: "Route53 Role" + schema: + show_if: [["type", "=", "route53"]] + type: string + default: "" + - variable: serviceConsumerDomain + label: Akamai Service Consumer Domain + description: "Akamai Service Consumer Domain" + schema: + show_if: [["type", "=", "akamai"]] + type: string + required: true + default: "" + - variable: akclientToken + label: Akamai Client Token + description: "Client Token" + schema: + show_if: [["type", "=", "akamai"]] + type: string + required: true + default: "" + - variable: akclientSecret + label: Akamai Client Secret + description: "Akamai Client Secret" + schema: + show_if: [["type", "=", "akamai"]] + type: string + required: true + default: "" + - variable: akaccessToken + label: Akamai Access Token + description: "Akamai Access Token" + schema: + show_if: [["type", "=", "akamai"]] + type: string + required: true + default: "" + - variable: doaccessToken + label: Digitalocean Access Token + description: "Digitalocean Access Token" + schema: + show_if: [["type", "=", "digitalocean"]] + type: string + required: true + default: "" + - variable: nameserver + label: rfc2136 Namesever + description: "rfc2136 Namesever" + schema: + show_if: [["type", "=", "rfc2136"]] + type: string + required: true + default: "" + - variable: tsigKeyName + label: rfc2136 tsig Key Name + description: "rfc2136 tsig Key Name" + schema: + show_if: 
[["type", "=", "rfc2136"]] + type: string + required: true + default: "" + - variable: tsigAlgorithm + label: rfc2136 tsig Algorithm + description: "rfc2136 tsig Algorithm" + schema: + show_if: [["type", "=", "rfc2136"]] + type: string + required: true + default: "" + - variable: rfctsigSecret + label: rfc2136 sig Secret + description: "rfc2136 sig Secret" + schema: + show_if: [["type", "=", "rfc2136"]] + type: string + required: true + default: "" + - variable: acmednsHost + label: ACME DNS host + description: "ACME DNS API server address" + schema: + show_if: [["type", "=", "acmedns"]] + type: string + required: true + default: "https://auth.acme-dns.io" + - variable: acmednsConfig + label: ACME DNS config + description: "ACME DNS per-domain auth configuration" + schema: + show_if: [["type", "=", "acmedns"]] + type: list + default: [] + items: + - variable: acmednsEntry + label: 'ACME DNS entry' + schema: + type: dict + attrs: + - variable: domain + label: Domain + schema: + type: string + required: true + - variable: username + label: Username + schema: + type: string + required: true + - variable: password + label: Password + schema: + type: string + required: true + - variable: fulldomain + label: Full domain + schema: + type: string + required: true + - variable: subdomain + label: Subdomain + schema: + type: string + required: true + - variable: allowFrom + label: Allow from + schema: + type: list + default: [] + items: + - variable: cidr + label: CIDR + schema: + type: ipaddr + cidr: true + required: true + - variable: CA + label: Certificate Authority Issuer + schema: + type: list + default: [] + items: + - variable: CAEntry + label: 'CA Issuer Entry' + schema: + additional_attrs: true + type: dict + attrs: + - variable: name + label: Name + description: "Name to give the issuer" + schema: + type: string + required: true + valid_chars: '^[a-z]+(-?[a-z]){0,63}-?[a-z]+$' + default: "" + - variable: selfSigned + label: selfSigned + description: "Create Self 
Signed CA cert" + schema: + type: boolean + default: true + - variable: selfSignedCommonName + label: selfSigned CommonName + description: "Common name for selfSigned Certiticate Authority" + schema: + type: string + required: true + show_if: [["selfSigned", "=", true]] + default: "my-selfsigned-ca" + - variable: crt + label: "Custom CA cert (experimental)" + description: "certificate for Certiticate Authority" + schema: + type: string + required: true + max_length: 10240 + show_if: [["selfSigned", "=", false]] + default: "" + - variable: key + label: "Custom CA key (experimental)" + description: "key Certiticate Authority" + schema: + type: string + required: true + max_length: 10240 + show_if: [["selfSigned", "=", false]] + default: "" + + - variable: selfSigned + label: 'SelfSigned Issuer' + schema: + additional_attrs: true + type: dict + attrs: + - variable: enabled + label: enabled + description: "Enable self-signed issuer" + schema: + type: boolean + default: true + - variable: name + label: Name + description: "Name to give the issuer" + schema: + type: string + required: true + valid_chars: '^[a-z]+(-?[a-z]){0,63}-?[a-z]+$' + default: "selfsigned" + + - variable: clusterCertificates + group: App Configuration + label: Cluster Wide Certificates (Advanced) + description: "Creates certificates for use within the entire cluster. Can be used to create wildcard certificates." 
+ schema: + additional_attrs: true + type: dict + attrs: + - variable: certificates + label: Cluster Certificates + schema: + type: list + default: [] + items: + - variable: CertEntry + label: 'Certificate Entry' + schema: + additional_attrs: true + type: dict + attrs: + - variable: enabled + label: Enabled + schema: + type: boolean + default: true + - variable: name + label: Certificate Name + schema: + type: string + required: true + default: "" + - variable: certificateIssuer + label: Cert-Manager clusterIssuer + description: "One of the Cert-Manager clusterIssuers defined above" + schema: + type: string + required: true + valid_chars: '^[a-z]+(-?[a-z]){0,63}-?[a-z]+$' + default: "selfsigned" + - variable: hosts + label: Certificate Hosts + description: "NOTE: Creation of wildcard certificates with an ACME issuer requires a DNSO1 solver to be set up." + schema: + type: list + default: [] + items: + - variable: host + label: Host + schema: + type: string + default: "" + required: true + + - variable: customMetrics + group: Metrics + label: Prometheus Metrics + schema: + additional_attrs: true + type: dict + attrs: + - variable: enabled + label: Enabled + description: Enable Prometheus Metrics + schema: + type: boolean + default: true diff --git a/enterprise/clusterissuer/5.0.0/templates/NOTES.txt b/enterprise/clusterissuer/5.0.0/templates/NOTES.txt new file mode 100644 index 0000000000..efcb74cb77 --- /dev/null +++ b/enterprise/clusterissuer/5.0.0/templates/NOTES.txt @@ -0,0 +1 @@ +{{- include "tc.v1.common.lib.chart.notes" $ -}} diff --git a/enterprise/clusterissuer/5.0.0/templates/clusterissuer/_ACME.tpl b/enterprise/clusterissuer/5.0.0/templates/clusterissuer/_ACME.tpl new file mode 100644 index 0000000000..f2af3d8f3d --- /dev/null +++ b/enterprise/clusterissuer/5.0.0/templates/clusterissuer/_ACME.tpl 
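Review bot: The ACME `server` question defaults to `'Letsencrypt-Production'`, which is an enum description, not one of the enum values, so a user who leaves the default gets `server: Letsencrypt-Production` rendered into the ClusterIssuer instead of a URL; it should read `default: 'https://acme-v02.api.letsencrypt.org/directory'`. The credential questions (`cfapikey`, `cfapitoken`, `route53SecretAccessKey`, `akclientToken`, `akclientSecret`, `akaccessToken`, `doaccessToken`, `rfctsigSecret`, the acmedns `password`, and the CA `key`) are plain `type: string`, so the UI shows them in clear text and they appear in the form summary; add `private: true` to each of those schemas. `email` pairs `required: true` with `default: "something@example.com"`, which lets an unedited form register an ACME account with a fake address — `default: ""` would force the user to fill it in. In the `hosts` description, `DNSO1` should be `DNS01`.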
@@ -0,0 +1,128 @@ +{{- define "certmanager.clusterissuer.acme" -}} +{{- $operator := index $.Values.operator "cert-manager" -}} +{{- $namespace := $operator.namespace | default "cert-manager" -}} + +{{- $rfctsigSecret := .rfctsigSecret | default "" -}} +{{/* https://cert-manager.io/docs/configuration/acme/dns01/rfc2136/#troubleshooting */}} +{{- if $rfctsigSecret -}} {{/* If we try to decode and fail, go on and encode it. */}} + {{- if (contains "illegal base64" (b64dec $rfctsigSecret)) -}} + {{- $rfctsigSecret = b64enc $rfctsigSecret -}} + {{- end -}} +{{- end -}} + +{{- range .Values.clusterIssuer.ACME }} + {{- if or (not .name) (not (mustRegexMatch "^[a-z]+(-?[a-z]){0,63}-?[a-z]+$" .name)) -}} + {{- fail "ACME - Expected name to be all lowercase with hyphens, but not start or end with a hyphen" -}} + {{- end -}} + {{- $validTypes := list "HTTP01" "cloudflare" "route53" "digitalocean" "akamai" "rfc2136" "acmedns" -}} + {{- if not (mustHas .type $validTypes) -}} + {{- fail (printf "Expected ACME type to be one of [%s], but got [%s]" (join ", " $validTypes) .type) -}} + {{- end -}} + {{- $issuerSecretName := printf "%s-clusterissuer-secret" .name }} + {{- $acmednsDict := dict -}} + {{- if and (eq .type "acmedns") (not .acmednsConfigJson) }} + {{- range .acmednsConfig }} + {{/* Transform to a dict with domain as a key, also remove domain from the dict */}} + {{- $_ := set $acmednsDict .domain (omit . 
"domain") -}} + {{- end }} + {{- end }} +--- +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: {{ .name }} +spec: + acme: + email: {{ .email }} + server: {{ if eq .server "custom" }}{{ .customServer }}{{ else }}{{ .server }}{{ end }} + {{- if .caBundle }} + caBundle: {{ .caBundle }} + {{- end }} + privateKeySecretRef: + name: {{ .name }}-acme-clusterissuer-account-key + solvers: + {{- if eq .type "HTTP01" }} + - http01: + ingress: {} + {{- else }} + - dns01: + {{- if eq .type "cloudflare" }} + cloudflare: + email: {{ .email }} + {{- if .cfapitoken }} + apiTokenSecretRef: + name: {{ $issuerSecretName }} + key: cf-api-token + {{- else if .cfapikey }} + apiKeySecretRef: + name: {{ $issuerSecretName }} + key: cf-api-key + {{- else -}} + {{- fail "A cloudflare API key or token is required" -}} + {{- end -}} + {{- else if eq .type "route53" }} + route53: + region: {{ .region }} + accessKeyID: {{ .accessKeyID }} + {{- if .role }} + role: {{ .role }} + {{- end }} + secretAccessKeySecretRef: + name: {{ $issuerSecretName }} + key: route53-secret-access-key + {{- else if eq .type "akamai" }} + akamai: + serviceConsumerDomain: {{ .serviceConsumerDomain }} + clientTokenSecretRef: + name: {{ $issuerSecretName }} + key: akclientToken + clientSecretSecretRef: + name: {{ $issuerSecretName }} + key: akclientSecret + accessTokenSecretRef: + name: {{ $issuerSecretName }} + key: akaccessToken + {{- else if eq .type "digitalocean" }} + digitalocean: + tokenSecretRef: + name: {{ $issuerSecretName }} + key: doaccessToken + {{- else if eq .type "rfc2136" }} + rfc2136: + nameserver: {{ .nameserver }} + tsigKeyName: {{ .tsigKeyName }} + tsigAlgorithm: {{ .tsigAlgorithm }} + tsigSecretSecretRef: + name: {{ $issuerSecretName }} + key: rfctsigSecret + {{- else if eq .type "acmedns" }} + acmeDNS: + host: {{ .acmednsHost }} + accountSecretRef: + name: {{ $issuerSecretName }} + key: acmednsJson + {{- end -}} + {{- end }} +--- +apiVersion: v1 +kind: Secret +metadata: + 
namespace: {{ $namespace }} + name: {{ $issuerSecretName }} +type: Opaque +stringData: + cf-api-token: {{ .cfapitoken | default "" }} + cf-api-key: {{ .cfapikey | default "" }} + route53-secret-access-key: {{ .route53SecretAccessKey | default "" }} + akclientToken: {{ .akclientToken | default "" }} + akclientSecret: {{ .akclientSecret | default "" }} + akaccessToken: {{ .akaccessToken | default "" }} + doaccessToken: {{ .doaccessToken | default "" }} + rfctsigSecret: {{ $rfctsigSecret }} +{{- if .acmednsConfigJson }} + acmednsJson: {{ .acmednsConfigJson }} +{{- else if $acmednsDict }} + acmednsJson: {{ toJson $acmednsDict }} +{{- end -}} + {{- end -}} +{{- end -}} diff --git a/enterprise/clusterissuer/5.0.0/templates/clusterissuer/_CA.tpl b/enterprise/clusterissuer/5.0.0/templates/clusterissuer/_CA.tpl new file mode 100644 index 0000000000..7a4f06e07b --- /dev/null +++ b/enterprise/clusterissuer/5.0.0/templates/clusterissuer/_CA.tpl 
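Review bot: `$rfctsigSecret := .rfctsigSecret | default ""` is evaluated before `range .Values.clusterIssuer.ACME`, where `.` is the root context rather than an issuer entry, so it is always the empty string and every rfc2136 Secret is written with `rfctsigSecret: ""`; the lookup and the base64 round-trip must move inside the range. The `contains "illegal base64" (b64dec ...)` heuristic also treats any raw key whose bytes happen to decode as valid base64 as already encoded, which is worth a comment noting the cert-manager troubleshooting link as the reason for the dance. Unrelated but in the same Secret, emitting every provider's key with an empty value makes it hard to tell which credential is actually in use; guarding each `stringData` entry with its provider type would keep the Secret minimal.
```gotmpl
{{- range .Values.clusterIssuer.ACME }}
  {{/* … unchanged: name and type validation, $issuerSecretName … */}}
  {{- $rfctsigSecret := .rfctsigSecret | default "" -}}
  {{/* https://cert-manager.io/docs/configuration/acme/dns01/rfc2136/#troubleshooting */}}
  {{- if $rfctsigSecret -}} {{/* If we try to decode and fail, go on and encode it. */}}
    {{- if (contains "illegal base64" (b64dec $rfctsigSecret)) -}}
      {{- $rfctsigSecret = b64enc $rfctsigSecret -}}
    {{- end -}}
  {{- end -}}
  {{/* … unchanged: acmedns dict, ClusterIssuer and Secret manifests … */}}
```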
@@ -0,0 +1,54 @@ +{{- define "certmanager.clusterissuer.ca" -}} +{{- $operator := index $.Values.operator "cert-manager" -}} +{{- $namespace := $operator.namespace | default "cert-manager" -}} + +{{- range .Values.clusterIssuer.CA }} + {{- if not (mustRegexMatch "^[a-z]+(-?[a-z]){0,63}-?[a-z]+$" .name) -}} + {{- fail "CA - Expected name to be all lowercase with hyphens, but not start or end with a hyphen" -}} + {{- end -}} +{{- if .selfSigned }} +--- +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: {{ .name }}-selfsigned-ca-issuer +spec: + selfSigned: {} +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ .name }}-selfsigned-ca + namespace: {{ $namespace }} +spec: + isCA: true + commonName: {{ .selfSignedCommonName }} + secretName: {{ .name }}-ca + privateKey: + algorithm: ECDSA + size: 256 + issuerRef: + name: {{ .name }}-selfsigned-ca-issuer + kind: ClusterIssuer + group: cert-manager.io +{{- else }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .name }}-ca + namespace: {{ $namespace }} +data: + tls.crt: {{ .crt | b64enc }} + tls.key: {{ .key | b64enc }} +{{- end }} +--- +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: {{ .name }} +spec: + ca: + secretName: {{ .name }}-ca +{{- end }} +{{- end -}} diff --git a/enterprise/clusterissuer/5.0.0/templates/clusterissuer/_clusterCertificates.tpl b/enterprise/clusterissuer/5.0.0/templates/clusterissuer/_clusterCertificates.tpl new file mode 100644 index 0000000000..a1e0652073 --- /dev/null +++ b/enterprise/clusterissuer/5.0.0/templates/clusterissuer/_clusterCertificates.tpl 
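Review bot: The custom-CA branch (`{{- else }}` after the selfSigned block) renders `tls.crt: {{ .crt | b64enc }}` and `tls.key: {{ .key | b64enc }}` without checking that either value is set, so the `crt: ""` / `key: ""` defaults from ix_values produce an empty Secret and the issuer only fails later at runtime; add `{{- if or (not .crt) (not .key) }}{{ fail (printf "CA %s - crt and key are required when selfSigned is false" .name) }}{{ end }}` before the Secret. The name validation here is also weaker than the ACME template's: `{{- if not (mustRegexMatch ... .name) -}}` with no `or (not .name)` guard, so a missing `name` reaches the regex call instead of the intended message. The self-signed `Certificate` has no `duration`/`renewBefore`, so presumably cert-manager's default lifetime applies to the CA; if that is intended, a comment saying so would save the next reader a lookup.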
@@ -0,0 +1,34 @@ +{{- define "certmanager.clusterissuer.clusterCertificates" -}} + {{- if .Values.clusterCertificates -}} + {{- $secretTemplates := dict -}} + {{- $certNamespace := (include "tc.v1.common.lib.metadata.namespace" (dict "rootCtx" $ "objectData" dict "caller" "ClusterCertificates")) -}} + {{- $replicationNamespaces := ".*" -}} + {{- if .Values.clusterCertificates.replicationNamespaces -}} + {{- $replicationNamespaces = .Values.clusterCertificates.replicationNamespaces -}} + {{- else if .Values.ixChartContext -}} + {{- $replicationNamespaces = "ix-.*" -}} + {{- end -}} + {{- $reflectorAnnotations := (dict + "reflector.v1.k8s.emberstack.com/reflection-allowed" "true" + "reflector.v1.k8s.emberstack.com/reflection-auto-enabled" "true" + "reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces" (printf "%v,%v" $certNamespace $replicationNamespaces) + "reflector.v1.k8s.emberstack.com/reflection-auto-namespaces" $replicationNamespaces ) -}} + {{- $certAnnotations := (mustMerge ($reflectorAnnotations) (include "tc.v1.common.lib.metadata.allAnnotations" $ | fromYaml)) -}} + + {{- $_ := set $secretTemplates "annotations" $certAnnotations -}} + + {{- if not $.Values.certificate -}} + {{- $_ := set $.Values "certificate" dict -}} + {{- end -}} + + {{- range .Values.clusterCertificates.certificates -}} + {{- $_ := set $.Values.certificate .name (dict + "enabled" .enabled + "hosts" .hosts + "certificateIssuer" .certificateIssuer + "certificateSecretTemplate" $secretTemplates + ) -}} + {{- end -}} + + {{- end -}} +{{- end -}} diff --git a/enterprise/clusterissuer/5.0.0/templates/clusterissuer/_selfSigned.tpl b/enterprise/clusterissuer/5.0.0/templates/clusterissuer/_selfSigned.tpl new file mode 100644 index 0000000000..235c03452c --- /dev/null +++ b/enterprise/clusterissuer/5.0.0/templates/clusterissuer/_selfSigned.tpl 
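Review bot: `$replicationNamespaces := ".*"` is the default whenever `replicationNamespaces` is unset and the chart is not in an ix context, and it feeds `reflection-auto-namespaces`, so outside SCALE every cluster certificate Secret — including its private key — is automatically copied into every namespace. Replication should be opt-in: set the default to `""` and only add the two `reflection-auto-*` annotations when `$replicationNamespaces` is non-empty, leaving `reflection-allowed` for explicit pulls. `set $.Values.certificate .name (...)` also silently overwrites any `certificate` entry of the same name that common already has, which is presumably fine here but deserves a comment. The helper's comment should state that it must run before `tc.v1.common.loader.apply` because it populates `$.Values.certificate` rather than rendering anything itself.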
@@ -0,0 +1,14 @@ +{{- define "certmanager.clusterissuer.selfsigned" -}} +{{- if .Values.clusterIssuer.selfSigned.enabled -}} + {{- if not (mustRegexMatch "^[a-z]+(-?[a-z]){0,63}-?[a-z]+$" .Values.clusterIssuer.selfSigned.name) -}} + {{- fail "Self Singed Issuer - Expected name to be all lowercase with hyphens, but not start or end with a hyphen" -}} + {{- end }} +--- +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: {{ .Values.clusterIssuer.selfSigned.name }} +spec: + selfSigned: {} +{{- end }} +{{- end -}} diff --git a/enterprise/clusterissuer/5.0.0/templates/common.yaml b/enterprise/clusterissuer/5.0.0/templates/common.yaml new file mode 100644 index 0000000000..494bfc898d --- /dev/null +++ b/enterprise/clusterissuer/5.0.0/templates/common.yaml @@ -0,0 +1,16 @@ +{{/* Make sure all variables are set properly */}} +{{- include "tc.v1.common.loader.init" . }} + +{{/* + Generate certificate data and set them to $.Values.ceritificate + Let common handle the creation of the objects +*/}} +{{- include "certmanager.clusterissuer.clusterCertificates" . }} + +{{/* Render the templates */}} +{{ include "tc.v1.common.loader.apply" . }} + +{{/* Generate the cluster issuers */}} +{{- include "certmanager.clusterissuer.acme" . }} +{{- include "certmanager.clusterissuer.selfsigned" . }} +{{- include "certmanager.clusterissuer.ca" . }} diff --git a/enterprise/clusterissuer/5.0.0/values.yaml b/enterprise/clusterissuer/5.0.0/values.yaml new file mode 100644 index 0000000000..e69de29bb2
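Review bot: The failure message misspells the issuer: `{{- fail "Self Signed Issuer - Expected name to be all lowercase with hyphens, but not start or end with a hyphen" -}}` instead of `Self Singed`. The validation runs only when `selfSigned.enabled` is true, so a bad name is accepted silently while the issuer is disabled; that is reasonable but worth a one-line comment. For consistency with the ACME template, guarding with `or (not .Values.clusterIssuer.selfSigned.name)` gives the same message for an empty name rather than relying on the regex rejecting it.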
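Review bot: The header comment in common.yaml says `set them to $.Values.ceritificate`; it should read `$.Values.certificate`, the key the clusterCertificates helper actually populates. The comment would also help more if it stated the ordering constraint: `{{/* Must run before tc.v1.common.loader.apply: it only populates $.Values.certificate, which common then renders */}}`. The `loader.apply` line uses `{{ include ... }}` while every other line uses `{{- include ... }}`, which is presumably deliberate to keep a separator before the issuer documents; a short note would stop someone "fixing" it.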