feat(cert-manager): add Cert-Manager configuration App (#6378)
* feat(cert-manager): add Cert-Manager configuration App * eof * pre-commit cleanup * add temp crds folder * patch mistake * restructure * add route53 support * add some fails * fixes and add route53 to GUI * end * add experimental HTTP01 support * fix bug * add buypass acme to dropdown * add akamai support * add Digitalocean * add rfc2136 support * fix some issues and add self-signed issuer * add metrics and fix selfsigned * whoops * Add CA certificate system * whoops * benc stuff * actually load CA * fix * fix ca * bool -> boolean * also test CA * wait for pod to be ready * sleep more agressively on cert-Manger itself * some more fixes * whoops * fix mistakes * all waits test * add cmctl * increase scope for now and some fixes * simplify * dont wait on non-existing pods * make it non-failing * fix typo
committed by
GitHub
parent
fb0b94572b
commit
2d97bc9b9b
6
.github/SUPPORT.md
vendored
6
.github/SUPPORT.md
vendored
@@ -11,17 +11,17 @@ We also document which versions of TrueNAS will receive TrueCharts updates and f
|
||||
### Supported Versions
|
||||
|
||||
| TrueNAS version | Branch | Supported with updates | Accepting Support tickets | Accepting Bug Reports | Notes |
|
||||
| ---------------- | -------- | ---------------------- | ------------------------- | --------------------- | -------------------------------------------------------------------------------------------------------------- |
|
||||
| 22.02.4 or prior | `master` | :white_check_mark: | :x: | :x: | Advised to update to 22.12.0 release of [TrueNAS SCALE](https://www.truenas.com/docs/scale/scalereleasenotes/) | |
|
||||
| ---------------- | -------- | ---------------------- | ------------------------- | --------------------- | -------------------------------------------------------------------------------------------------------------- | --- |
|
||||
| 22.02.4 or prior | `master` | :white_check_mark: | :x: | :x: | Advised to update to 22.12.0 release of [TrueNAS SCALE](https://www.truenas.com/docs/scale/scalereleasenotes/) | |
|
||||
| 22.12.0 | `master` | :white_check_mark: | :white_check_mark: | :white_check_mark: | Most Stable Release as of 2022-12-13 |
|
||||
| Nightly | `master` | :white_check_mark: | :x: | :white_check_mark: | Please only submit bug reports during codefreeze |
|
||||
|
||||
::: warning Support Guidelines
|
||||
|
||||
Our [Discord](https://discord.gg/tVsPTHWTtr) support (the ticketing system inside #support) is primarily limited to what is covered by our written guides. This includes installing, linking and editing apps. This doesn't mean the actual setup of the application. All #support tickets covered by the staff are done so in a **best effort** policy.
|
||||
|
||||
:::
|
||||
|
||||
|
||||
## Stable Train Charts
|
||||
|
||||
We provide direct support for getting `stable` train charts working on our [discord](https://discord.gg/tVsPTHWTtr) inside the **#support** channel.
|
||||
|
||||
4
.github/renovate-config.js
vendored
4
.github/renovate-config.js
vendored
@@ -1,7 +1,7 @@
|
||||
module.exports = {
|
||||
dryRun: false,
|
||||
username: 'truecharts-admin',
|
||||
gitAuthor: 'truecharts-admin <bot@truecharts.org>',
|
||||
username: "truecharts-admin",
|
||||
gitAuthor: "truecharts-admin <bot@truecharts.org>",
|
||||
onboarding: false,
|
||||
platform: "github",
|
||||
repositories: ["truecharts/charts"],
|
||||
|
||||
12
.github/workflows/charts-lint.yaml
vendored
12
.github/workflows/charts-lint.yaml
vendored
@@ -322,42 +322,42 @@ jobs:
|
||||
res4="${{needs.lint-charts4.result}}"
|
||||
res5="${{needs.lint-charts5.result}}"
|
||||
res6="${{needs.lint-charts6.result}}"
|
||||
|
||||
|
||||
if [[ $res1 == "success" || $res1 == "skipped" ]]; then
|
||||
echo "lint tests 1 successfull..."
|
||||
else
|
||||
echo "lint tests 1 error, stopping due to failure..."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
|
||||
if [[ $res2 == "success" || $res2 == "skipped" ]]; then
|
||||
echo "lint tests 2 successfull..."
|
||||
else
|
||||
echo "lint tests 2 error, stopping due to failure..."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
|
||||
if [[ $res3 == "success" || $res3 == "skipped" ]]; then
|
||||
echo "lint tests 3 successfull..."
|
||||
else
|
||||
echo "lint tests 3 error, stopping due to failure..."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
|
||||
if [[ $res4 == "success" || $res4 == "skipped" ]]; then
|
||||
echo "lint tests 4 successfull..."
|
||||
else
|
||||
echo "lint tests 4 error, stopping due to failure..."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
|
||||
if [[ $res5 == "success" || $res5 == "skipped" ]]; then
|
||||
echo "lint tests 5 successfull..."
|
||||
else
|
||||
echo "lint tests 5 error, stopping due to failure..."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
|
||||
if [[ $res6 == "success" || $res6 == "skipped" ]]; then
|
||||
echo "lint tests 6 successfull..."
|
||||
else
|
||||
|
||||
4
.github/workflows/charts-release.yaml
vendored
4
.github/workflows/charts-release.yaml
vendored
@@ -121,13 +121,13 @@ jobs:
|
||||
mv -f website/docs/charts/${train}/${chart}/CHANGELOG.md tmp/website/docs/charts/${train}/${chart}/CHANGELOG.md || :
|
||||
mv -f website/docs/charts/${train}/${chart}/helm-security.md tmp/website/docs/charts/${train}/${chart}/helm-security.md || :
|
||||
mv -f website/docs/charts/${train}/${chart}/container-security.md tmp/website/docs/charts/${train}/${chart}/container-security.md || :
|
||||
|
||||
|
||||
# remove old docs everywhere and recreate based on charts repo
|
||||
rm -rf website/docs/charts/*/${chart} || :
|
||||
mkdir -p website/docs/charts/${train}/${chart} || echo "chart path already exists, continuing..."
|
||||
yes | cp -rf charts/${train}/${chart}/docs/* website/docs/charts/${train}/${chart}/ 2>/dev/null || :
|
||||
yes | cp -rf charts/${train}/${chart}/icon.png website/static/img/hotlink-ok/chart-icons/${chart}.png 2>/dev/null || :
|
||||
|
||||
|
||||
# Copy over kept documents
|
||||
mv -f tmp/website/docs/charts/${train}/${chart}/CHANGELOG.md website/docs/charts/${train}/${chart}/CHANGELOG.md 2>/dev/null || :
|
||||
mv -f tmp/website/docs/charts/${train}/${chart}/helm-security.md website/docs/charts/${train}/${chart}/helm-security.md 2>/dev/null || :
|
||||
|
||||
12
.github/workflows/charts-test.yaml
vendored
12
.github/workflows/charts-test.yaml
vendored
@@ -421,42 +421,42 @@ jobs:
|
||||
res4="${{needs.install-charts4.result}}"
|
||||
res5="${{needs.install-charts5.result}}"
|
||||
res6="${{needs.install-charts6.result}}"
|
||||
|
||||
|
||||
if [[ $res1 == "success" || $res1 == "skipped" ]]; then
|
||||
echo "install tests 1 successfull..."
|
||||
else
|
||||
echo "install tests 1 error, stopping due to failure..."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
|
||||
if [[ $res2 == "success" || $res2 == "skipped" ]]; then
|
||||
echo "install tests 2 successfull..."
|
||||
else
|
||||
echo "install tests 2 error, stopping due to failure..."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
|
||||
if [[ $res3 == "success" || $res3 == "skipped" ]]; then
|
||||
echo "install tests 3 successfull..."
|
||||
else
|
||||
echo "install tests 3 error, stopping due to failure..."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
|
||||
if [[ $res4 == "success" || $res4 == "skipped" ]]; then
|
||||
echo "install tests 4 successfull..."
|
||||
else
|
||||
echo "install tests 4 error, stopping due to failure..."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
|
||||
if [[ $res5 == "success" || $res5 == "skipped" ]]; then
|
||||
echo "install tests 5 successfull..."
|
||||
else
|
||||
echo "install tests 5 error, stopping due to failure..."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
|
||||
if [[ $res6 == "success" || $res6 == "skipped" ]]; then
|
||||
echo "install tests 6 successfull..."
|
||||
else
|
||||
|
||||
14
.github/workflows/daily.yaml
vendored
14
.github/workflows/daily.yaml
vendored
@@ -15,10 +15,10 @@ jobs:
|
||||
with:
|
||||
token: ${{ secrets.BOT_TOKEN }}
|
||||
fetch-depth: 0
|
||||
|
||||
|
||||
- name: Setting repo parent dir as safe safe.directory
|
||||
run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
|
||||
|
||||
|
||||
- name: generate readme.md
|
||||
shell: bash
|
||||
run: |
|
||||
@@ -44,7 +44,7 @@ jobs:
|
||||
fi
|
||||
done
|
||||
done
|
||||
|
||||
|
||||
- name: Bump and Sync
|
||||
shell: bash
|
||||
run: |
|
||||
@@ -91,7 +91,7 @@ jobs:
|
||||
echo "Sources of ${chartname} updated!"
|
||||
}
|
||||
export -f sync_tag
|
||||
|
||||
|
||||
for train in enterprise stable incubator dependency; do
|
||||
echo "Correcting Chart.yaml for Train: ${train}..."
|
||||
for chart in $(ls "charts/${train}"); do
|
||||
@@ -99,7 +99,7 @@ jobs:
|
||||
sync_tag "charts/${train}/${chart}" "${chart}" "${train}"
|
||||
done
|
||||
done
|
||||
|
||||
|
||||
- name: Cleanup
|
||||
run: |
|
||||
rm -rf changes.json
|
||||
@@ -113,7 +113,7 @@ jobs:
|
||||
git add --all
|
||||
git commit -sm "Commit daily changes" || exit 0
|
||||
git push
|
||||
|
||||
|
||||
generate-security-reports:
|
||||
runs-on: ubuntu-latest
|
||||
name: "Generate Security Reports"
|
||||
@@ -151,7 +151,7 @@ jobs:
|
||||
repository: truecharts/website
|
||||
token: ${{ secrets.BOT_TOKEN }}
|
||||
path: website
|
||||
|
||||
|
||||
- name: fetch dependencies
|
||||
shell: bash
|
||||
run: |
|
||||
|
||||
2
.github/workflows/pr-validate.yaml
vendored
2
.github/workflows/pr-validate.yaml
vendored
@@ -78,7 +78,7 @@ jobs:
|
||||
- charts-test
|
||||
- charts-lint
|
||||
- print_head_msg
|
||||
if: needs.print_head_msg.outputs.head-commit-message == 'Commit bumped Chart Version'
|
||||
if: needs.print_head_msg.outputs.head-commit-message == 'Commit bumped Chart Version'
|
||||
name: Automerge build
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
|
||||
@@ -23,7 +23,7 @@ repos:
|
||||
- id: requirements-txt-fixer # sorts entries in requirements.txt.
|
||||
- id: check-added-large-files # prevents giant files from being committed.
|
||||
- id: check-yaml # checks yaml files for parseable syntax.
|
||||
exclude: (templates\/.*|questions.yaml|chart_schema.yaml)
|
||||
exclude: (templates\/.*|crds\/.*|questions.yaml|chart_schema.yaml)
|
||||
- id: detect-private-key # detects the presence of private keys.
|
||||
|
||||
- repo: https://github.com/pre-commit/pygrep-hooks
|
||||
@@ -36,5 +36,5 @@ repos:
|
||||
rev: v2.5.1
|
||||
hooks:
|
||||
- id: prettier
|
||||
exclude: (templates\/.*|README.md|CHANGELOG.md|questions.yaml|devcontainer.json)
|
||||
exclude: (templates\/.*|crds\/.*|README.md|CHANGELOG.md|questions.yaml|devcontainer.json)
|
||||
files: \.(js|ts|jsx|tsx|css|less|html|json|markdown|md|yaml|yml)$
|
||||
|
||||
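--- /dev/null
+++ b/charts/enterprise/cert-manager/.helmignore
@@ -0,0 +1,30 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+# OWNERS file for Kubernetes
+OWNERS
+# helm-docs templates
+*.gotmpl
+# docs folder
+/docs
+# icon
+icon.png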
0
charts/enterprise/cert-manager/CHANGELOG.md
Normal file
0
charts/enterprise/cert-manager/CHANGELOG.md
Normal file
28
charts/enterprise/cert-manager/Chart.yaml
Normal file
28
charts/enterprise/cert-manager/Chart.yaml
Normal file
@@ -0,0 +1,28 @@
|
||||
apiVersion: v2
|
||||
appVersion: "upstream"
|
||||
deprecated: false
|
||||
description: Certificate management for Kubernetes
|
||||
home: https://truecharts.org/charts/enterprise/cert-manager
|
||||
icon: https://truecharts.org/img/hotlink-ok/chart-icons/cert-manager.png
|
||||
keywords:
|
||||
- metallb
|
||||
- loadbalancer
|
||||
dependencies:
|
||||
- name: common
|
||||
repository: https://library-charts.truecharts.org
|
||||
version: 11.1.2
|
||||
kubeVersion: ">=1.16.0-0"
|
||||
maintainers:
|
||||
- email: info@truecharts.org
|
||||
name: TrueCharts
|
||||
url: https://truecharts.org
|
||||
name: cert-manager
|
||||
sources:
|
||||
- https://cert-manager.io/
|
||||
type: application
|
||||
version: 0.0.1
|
||||
annotations:
|
||||
truecharts.org/catagories: |
|
||||
- core
|
||||
truecharts.org/SCALE-support: "true"
|
||||
truecharts.org/grade: U
|
||||
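Review bot: The `keywords` list (`- metallb`, `- loadbalancer`) describes the MetalLB chart, not this one, so the catalog indexes cert-manager under load-balancer searches. Replace them with terms that match the chart, e.g. `- cert-manager` / `- certificates` / `- tls`.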
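--- /dev/null
+++ b/charts/enterprise/cert-manager/README.md
@@ -0,0 +1,27 @@
+# README
+
+## General Info
+
+TrueCharts can be installed as both *normal* Helm Charts or as Apps on TrueNAS SCALE.
+However only installations using the TrueNAS SCALE Apps system are supported.
+
+For more information about this App, please check the docs on the TrueCharts [website](https://truecharts.org/charts/enterprise/)
+
+**This chart is not maintained by the upstream project and any issues with the chart should be raised [here](https://github.com/truecharts/charts/issues/new/choose)**
+
+
+## Support
+
+- Please check our [quick-start guides for TrueNAS SCALE](https://truecharts.org/manual/SCALE%20Apps/Important-MUST-READ).
+- See the [Website](https://truecharts.org)
+- Check our [Discord](https://discord.gg/tVsPTHWTtr)
+- Open a [issue](https://github.com/truecharts/charts/issues/new/choose)
+
+---
+
+## Sponsor TrueCharts
+
+TrueCharts can only exist due to the incredible effort of our staff.
+Please consider making a [donation](https://truecharts.org/sponsor) or contributing back to the project any way you can!
+
+*All Rights Reserved - The TrueCharts Project*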
8
charts/enterprise/cert-manager/ci/CA-values.yaml
Normal file
8
charts/enterprise/cert-manager/ci/CA-values.yaml
Normal file
@@ -0,0 +1,8 @@
|
||||
clusterIssuer:
|
||||
selfSigned:
|
||||
enabled: true
|
||||
name: "selfsigned"
|
||||
CA:
|
||||
- name: myca
|
||||
selfSigned: true
|
||||
selfSignedCommonName: "my-selfsigned-ca"
|
||||
0
charts/enterprise/cert-manager/ci/basic-values.yaml
Normal file
0
charts/enterprise/cert-manager/ci/basic-values.yaml
Normal file
4422
charts/enterprise/cert-manager/crds/cert-manager.yaml
Normal file
4422
charts/enterprise/cert-manager/crds/cert-manager.yaml
Normal file
File diff suppressed because it is too large
BIN
charts/enterprise/cert-manager/icon.png
Normal file
BIN
charts/enterprise/cert-manager/icon.png
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 26 KiB |
273
charts/enterprise/cert-manager/questions.yaml
Normal file
273
charts/enterprise/cert-manager/questions.yaml
Normal file
@@ -0,0 +1,273 @@
|
||||
# Include{groups}
|
||||
questions:
|
||||
# Include{global}
|
||||
- variable: clusterIssuer
|
||||
group: App Configuration
|
||||
label: Cluster Certificate Issuer
|
||||
schema:
|
||||
additional_attrs: true
|
||||
type: dict
|
||||
attrs:
|
||||
- variable: selfSigned
|
||||
label: 'SelfSigned Issuer'
|
||||
schema:
|
||||
additional_attrs: true
|
||||
type: dict
|
||||
attrs:
|
||||
- variable: enabled
|
||||
label: enabled
|
||||
description: "Enable self-signed issuer"
|
||||
schema:
|
||||
type: boolean
|
||||
default: true
|
||||
- variable: name
|
||||
label: Name
|
||||
description: "Name to give the issuer"
|
||||
schema:
|
||||
type: string
|
||||
required: true
|
||||
default: "selfSigned"
|
||||
- variable: ACME
|
||||
label: ACME Issuer
|
||||
schema:
|
||||
type: list
|
||||
default: []
|
||||
items:
|
||||
- variable: ACMEEntry
|
||||
label: 'ACME Issuer Entry'
|
||||
schema:
|
||||
additional_attrs: true
|
||||
type: dict
|
||||
attrs:
|
||||
- variable: name
|
||||
label: Name
|
||||
description: "Name to give the issuer"
|
||||
schema:
|
||||
type: string
|
||||
required: true
|
||||
default: ""
|
||||
- variable: server
|
||||
label: Server
|
||||
description: "Server for ACME, for example: letsencrypt"
|
||||
schema:
|
||||
type: string
|
||||
show_if: [["type", "!=", "HTTP01"]]
|
||||
default: 'Letsencrypt-Production'
|
||||
enum:
|
||||
- value: 'https://acme-v02.api.letsencrypt.org/directory'
|
||||
description: Letsencrypt-Production
|
||||
- value: 'https://acme-staging-v02.api.letsencrypt.org/directory'
|
||||
description: Letsencrypt-Staging
|
||||
- value: 'https://api.buypass.no/acme-v02/directory'
|
||||
description: BuyPass-Production
|
||||
- value: 'https://api.test4.buypass.no/acme-v02/directory'
|
||||
description: BuyPass-Staging
|
||||
- value: custom
|
||||
description: Custom
|
||||
- variable: customServer
|
||||
label: Custom ACME Server (Advanced)
|
||||
description: "This can be used to enter your own custom ACME server"
|
||||
schema:
|
||||
type: string
|
||||
show_if: [["server", "=", "custom"]]
|
||||
default: 'https://acme-staging-v02.api.letsencrypt.org/directory'
|
||||
- variable: email
|
||||
label: Email
|
||||
description: "Email adress to use for certificate issuing must match your DNS provider email when required"
|
||||
schema:
|
||||
type: string
|
||||
required: true
|
||||
show_if: [["type", "!=", "HTTP01"]]
|
||||
default: "something@example.com"
|
||||
- variable: type
|
||||
label: Type or DNS-Provider
|
||||
description: DNS Provider
|
||||
schema:
|
||||
type: string
|
||||
required: true
|
||||
default: cloudflare
|
||||
enum:
|
||||
- value: cloudflare
|
||||
description: Cloudflare
|
||||
- value: route53
|
||||
description: Route53
|
||||
- value: akamai
|
||||
description: Akamai
|
||||
- value: digitalocean
|
||||
description: Digitalocean
|
||||
- value: rfc2136
|
||||
description: rfc2136 (Advanced)
|
||||
- value: HTTP01
|
||||
description: HTTP01 (Experimental)
|
||||
- variable: cfapikey
|
||||
label: CloudFlare API key
|
||||
description: "CloudFlare API Key"
|
||||
schema:
|
||||
show_if: [["type", "=", "cloudflare"]]
|
||||
type: string
|
||||
default: ""
|
||||
- variable: cfapitoken
|
||||
label: CloudFlare API Token
|
||||
description: "CloudFlare API Token"
|
||||
schema:
|
||||
show_if: [["type", "=", "cloudflare"]]
|
||||
type: string
|
||||
default: ""
|
||||
- variable: region
|
||||
label: Route53 Region
|
||||
description: "Route 53 Region"
|
||||
schema:
|
||||
show_if: [["type", "=", "route53"]]
|
||||
type: string
|
||||
required: true
|
||||
default: "us-west-1"
|
||||
- variable: accessKeyID
|
||||
label: Route53 accessKeyID
|
||||
description: "Route53 accessKeyID"
|
||||
schema:
|
||||
show_if: [["type", "=", "route53"]]
|
||||
type: string
|
||||
required: true
|
||||
default: ""
|
||||
- variable: route53SecretAccessKey
|
||||
label: Route53 Secret Access Key
|
||||
description: "Route53 Secret Access Key"
|
||||
schema:
|
||||
show_if: [["type", "=", "route53"]]
|
||||
type: string
|
||||
required: true
|
||||
default: ""
|
||||
- variable: role
|
||||
label: Route53 Role (optional)
|
||||
description: "Route53 Role"
|
||||
schema:
|
||||
show_if: [["type", "=", "route53"]]
|
||||
type: string
|
||||
default: ""
|
||||
- variable: serviceConsumerDomain
|
||||
label: Akamai Service Consumer Domain
|
||||
description: "Akamai Service Consumer Domain"
|
||||
schema:
|
||||
show_if: [["type", "=", "akamai"]]
|
||||
type: string
|
||||
required: true
|
||||
default: ""
|
||||
- variable: akclientToken
|
||||
label: Akamai Client Token
|
||||
description: "Client Token"
|
||||
schema:
|
||||
show_if: [["type", "=", "akamai"]]
|
||||
type: string
|
||||
required: true
|
||||
default: ""
|
||||
- variable: akclientSecret
|
||||
label: Akamai Client Secret
|
||||
description: "Akamai Client Secret"
|
||||
schema:
|
||||
show_if: [["type", "=", "akamai"]]
|
||||
type: string
|
||||
required: true
|
||||
default: ""
|
||||
- variable: akaccessToken
|
||||
label: Akamai Access Token
|
||||
description: "Akamai Access Token"
|
||||
schema:
|
||||
show_if: [["type", "=", "akamai"]]
|
||||
type: string
|
||||
required: true
|
||||
default: ""
|
||||
- variable: doaccessToken
|
||||
label: Digitalocean Access Token
|
||||
description: "Digitalocean Access Token"
|
||||
schema:
|
||||
show_if: [["type", "=", "digitalocean"]]
|
||||
type: string
|
||||
required: true
|
||||
default: ""
|
||||
- variable: nameserver
|
||||
label: rfc2136 Namesever
|
||||
description: "rfc2136 Namesever"
|
||||
schema:
|
||||
show_if: [["type", "=", "digitalocean"]]
|
||||
type: string
|
||||
required: true
|
||||
default: ""
|
||||
- variable: tsigKeyName
|
||||
label: rfc2136 tsig Key Name
|
||||
description: "rfc2136 tsig Key Name"
|
||||
schema:
|
||||
show_if: [["type", "=", "digitalocean"]]
|
||||
type: string
|
||||
required: true
|
||||
default: ""
|
||||
- variable: tsigAlgorithm
|
||||
label: rfc2136 tsig Algorithm
|
||||
description: "rfc2136 tsig Algorithm"
|
||||
schema:
|
||||
show_if: [["type", "=", "digitalocean"]]
|
||||
type: string
|
||||
required: true
|
||||
default: ""
|
||||
- variable: rfctsigSecret
|
||||
label: rfc2136 sig Secret
|
||||
description: "rfc2136 sig Secret"
|
||||
schema:
|
||||
show_if: [["type", "=", "digitalocean"]]
|
||||
type: string
|
||||
required: true
|
||||
default: ""
|
||||
|
||||
- variable: CA
|
||||
label: Certiticate Authority Issuer
|
||||
schema:
|
||||
type: list
|
||||
default: []
|
||||
items:
|
||||
- variable: CAEntry
|
||||
label: 'CA Issuer Entry'
|
||||
schema:
|
||||
additional_attrs: true
|
||||
type: dict
|
||||
attrs:
|
||||
- variable: name
|
||||
label: Name
|
||||
description: "Name to give the issuer"
|
||||
schema:
|
||||
type: string
|
||||
required: true
|
||||
default: ""
|
||||
- variable: selfSigned
|
||||
label: selfSigned
|
||||
description: "Create Self Signed CA cert"
|
||||
schema:
|
||||
type: boolean
|
||||
default: true
|
||||
- variable: selfSignedCommonName
|
||||
label: selfSigned CommonName
|
||||
description: "Common name for selfSigned Certiticate Authority"
|
||||
schema:
|
||||
type: string
|
||||
required: true
|
||||
show_if: [["selfSigned", "=", "true"]]
|
||||
default: "my-selfsigned-ca"
|
||||
- variable: crt
|
||||
label: "Custom CA cert (experimental)"
|
||||
description: "certificate for Certiticate Authority"
|
||||
schema:
|
||||
type: string
|
||||
required: true
|
||||
show_if: [["selfSigned", "=", "false"]]
|
||||
default: ""
|
||||
- variable: key
|
||||
label: "Custom CA key (experimental)"
|
||||
description: "key Certiticate Authority"
|
||||
schema:
|
||||
type: string
|
||||
required: true
|
||||
show_if: [["selfSigned", "=", "false"]]
|
||||
default: ""
|
||||
|
||||
|
||||
|
||||
# Include{metrics}
|
||||
# Include{documentation}
|
||||
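Review bot: The four rfc2136 fields (`nameserver`, `tsigKeyName`, `tsigAlgorithm`, `rfctsigSecret`) carry `show_if: [["type", "=", "digitalocean"]]`, copied from the Digitalocean token entry above them, so they appear for the wrong provider and are hidden when `rfc2136` is selected; each should read `show_if: [["type", "=", "rfc2136"]]`. The credential fields (`cfapikey`, `cfapitoken`, `route53SecretAccessKey`, the three Akamai tokens, `doaccessToken`, `rfctsigSecret` and the CA `key`) are plain `type: string` inputs; adding `private: true` to their schema keeps the values masked in the SCALE UI. The `selfSigned.name` default `"selfSigned"` differs from the `"selfsigned"` default in values.yaml and ci/CA-values.yaml, so GUI and Helm installs create differently named issuers; pick one. Labels also misspell "Certificate" (`Certiticate`, several times) and "Nameserver" (`Namesever`).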
25
charts/enterprise/cert-manager/templates/_metrics.tpl
Normal file
25
charts/enterprise/cert-manager/templates/_metrics.tpl
Normal file
@@ -0,0 +1,25 @@
|
||||
{{- define "certmanager.metrics" -}}
|
||||
{{- if .Values.metrics.enabled }}
|
||||
apiVersion: monitoring.coreos.com/v1
|
||||
kind: PodMonitor
|
||||
metadata:
|
||||
name: cert-manager
|
||||
namespace: cert-manager
|
||||
labels:
|
||||
app: cert-manager
|
||||
app.kubernetes.io/name: cert-manager
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/component: "controller"
|
||||
spec:
|
||||
jobLabel: app.kubernetes.io/name
|
||||
selector:
|
||||
matchLabels:
|
||||
app: cert-manager
|
||||
app.kubernetes.io/name: cert-manager
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/component: "controller"
|
||||
podMetricsEndpoints:
|
||||
- port: http
|
||||
honorLabels: true
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
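Review bot: `podMetricsEndpoints: - port: http` only scrapes if the cert-manager controller pod names its metrics port `http`; the upstream deployment names it `http-metrics` (on 9402), so if SCALE ships the stock manifests this PodMonitor selects the pods but collects nothing — confirm the port name on a running controller pod and switch to `- port: http-metrics` if so. The namespace and selector labels are hard-coded to `cert-manager`, which is fine as long as that is where SCALE deploys the controller; a short comment saying the selector targets the system-managed controller rather than anything in this release would save the next reader the guess.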
85
charts/enterprise/cert-manager/templates/_wait.tpl
Normal file
85
charts/enterprise/cert-manager/templates/_wait.tpl
Normal file
@@ -0,0 +1,85 @@
|
||||
{{- define "certmanager.wait" }}
|
||||
{{- $fullName := include "tc.common.names.fullname" . }}
|
||||
---
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
metadata:
|
||||
namespace: {{ .Release.Namespace }}
|
||||
name: {{ $fullName }}-wait
|
||||
annotations:
|
||||
"helm.sh/hook": pre-install, pre-upgrade
|
||||
"helm.sh/hook-weight": "-1"
|
||||
"helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
serviceAccountName: {{ $fullName }}-wait
|
||||
containers:
|
||||
- name: {{ $fullName }}-wait
|
||||
image: {{ .Values.kubectlImage.repository }}:v1.26.0
|
||||
securityContext:
|
||||
runAsUser: 568
|
||||
runAsGroup: 568
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
command:
|
||||
- "/bin/sh"
|
||||
- "-c"
|
||||
- |
|
||||
/bin/sh <<'EOF'
|
||||
kubectl wait --namespace metallb-system --for=condition=ready pod --selector=app=metallb --timeout=90s || echo "metallb-system wait failed..."
|
||||
kubectl wait --namespace cert-manager --for=condition=ready pod --selector=app=cert-manager --timeout=90s || echo "cert-manager wait failed..."
|
||||
cmctl check api --wait=2m || echo "cmctl wait failed..."
|
||||
EOF
|
||||
volumeMounts:
|
||||
- name: {{ $fullName }}-manifests-temp
|
||||
mountPath: /tmp
|
||||
- name: {{ $fullName }}-manifests-home
|
||||
mountPath: /home/apps/
|
||||
restartPolicy: Never
|
||||
volumes:
|
||||
- name: {{ $fullName }}-manifests-temp
|
||||
emptyDir: {}
|
||||
- name: {{ $fullName }}-manifests-home
|
||||
emptyDir: {}
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: {{ $fullName }}-wait
|
||||
annotations:
|
||||
"helm.sh/hook": pre-install, pre-upgrade
|
||||
"helm.sh/hook-weight": "-2"
|
||||
"helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
|
||||
rules:
|
||||
- apiGroups: ["*"]
|
||||
resources: ["*"]
|
||||
verbs: ["*"]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: {{ $fullName }}-wait
|
||||
annotations:
|
||||
"helm.sh/hook": pre-install, pre-upgrade
|
||||
"helm.sh/hook-weight": "-2"
|
||||
"helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ $fullName }}-wait
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ $fullName }}-wait
|
||||
namespace: {{ .Release.Namespace }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: {{ $fullName }}-wait
|
||||
namespace: {{ .Release.Namespace }}
|
||||
annotations:
|
||||
"helm.sh/hook": pre-install, pre-upgrade
|
||||
"helm.sh/hook-weight": "-2"
|
||||
"helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
|
||||
{{- end }}
|
||||
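Review bot: The ClusterRole at `rules:` grants `apiGroups: ["*"]`, `resources: ["*"]`, `verbs: ["*"]` — effectively cluster-admin — to a job whose script only runs `kubectl wait` on pods and `cmctl check api`; a misbehaving or compromised hook pod would hold full cluster rights, and the hook re-creates this binding on every install and upgrade. Scope it to what the script uses: read access on pods, plus the dry-run create of a Certificate that `cmctl check api` performs (verify the exact group/resource against the cmctl version in the image). The first `kubectl wait` targets `metallb-system`/`app=metallb`, which looks carried over from the MetalLB chart and is unrelated here; drop it, or comment why a cert-manager hook waits on MetalLB. The image reference `{{ .Values.kubectlImage.repository }}:v1.26.0` reads a value not defined in this chart's values.yaml and pins the tag inline; if it comes from the common library, a comment saying so would help, and the tag belongs next to the repository in values.
```yaml
rules:
  # kubectl wait on pods only needs read access
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
  # cmctl check api performs a dry-run create of a Certificate; confirm against the cmctl version shipped
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates"]
    verbs: ["create"]
```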
@@ -0,0 +1,88 @@
|
||||
{{- define "certmanager.clusterissuer.acme" -}}
|
||||
{{- range .Values.clusterIssuer.acme }}
|
||||
---
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: ClusterIssuer
|
||||
metadata:
|
||||
name: {{ .name }}
|
||||
spec:
|
||||
acme:
|
||||
email: {{ .email }}
|
||||
server: {{ if eq .server "custom" }}{{ .customServer }}{{ else }}{{ .server }}{{ end }}
|
||||
privateKeySecretRef:
|
||||
name: {{ .name }}-acme-clusterissuer-account-key
|
||||
solvers:
|
||||
{{- if eq .type "HTTP01" }}
|
||||
- http01:
|
||||
ingress:
|
||||
{{- else }}
|
||||
- dns01:
|
||||
{{- if eq .type "cloudflare" }}
|
||||
cloudflare:
|
||||
email: {{ .email }}
|
||||
{{- if .cfapitoken }}
|
||||
apiTokenSecretRef:
|
||||
name: {{ .name }}-clusterissuer-secret
|
||||
key: cf-api-token
|
||||
{{- else if .cfapikey }}
|
||||
name: {{ .name }}-clusterissuer-secret
|
||||
key: cf-api-key
|
||||
{{ else }}
|
||||
{{- fail "A cloudflare API key or token is required" }}
|
||||
{{- end }}
|
||||
{{- else if eq .type "route53" }}
|
||||
route53:
|
||||
region: {{ .region }}
|
||||
accessKeyID: {{ .accessKeyID }}
|
||||
{{- if .role }}
|
||||
role: {{ .role }}
|
||||
{{- end }}
|
||||
secretAccessKeySecretRef:
|
||||
name: prod-route53-credentials-secret
|
||||
key: route53-secret-access-key
|
||||
{{- else if eq .type "akamai" }}
|
||||
akamai:
|
||||
serviceConsumerDomain: {{ .serviceConsumerDomain }}
|
||||
clientTokenSecretRef:
|
||||
name: {{ .name }}-clusterissuer-secret
|
||||
key: akclientToken
|
||||
clientSecretSecretRef:
|
||||
name: {{ .name }}-clusterissuer-secret
|
||||
key: akclientSecret
|
||||
accessTokenSecretRef:
|
||||
name: {{ .name }}-clusterissuer-secret
|
||||
key: akaccessToken
|
||||
{{- else if eq .type "digitalocean" }}
|
||||
digitalocean:
|
||||
tokenSecretRef:
|
||||
name: {{ .name }}-clusterissuer-secret
|
||||
key: doaccessToken
|
||||
{{- else if eq .type "rfc2136" }}
|
||||
rfc2136:
|
||||
nameserver: {{ .nameserver }}
|
||||
tsigKeyName: {{ .tsigKeyName }}
|
||||
tsigAlgorithm: {{ .tsigAlgorithm }}
|
||||
tsigSecretSecretRef:
|
||||
name: {{ .name }}-clusterissuer-secret
|
||||
key: rfctsigSecret
|
||||
{{- else }}
|
||||
{{- fail "No correct ACME type entered..." }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: {{ .name }}-clusterissuer-secret
|
||||
type: Opaque
|
||||
stringData:
|
||||
cf-api-token: {{ .cfapitoken | default "" }}
|
||||
cf-api-key: {{ .cfapikey | default "" }}
|
||||
route53-secret-access-key: {{ .route53SecretAccessKey | default "" }}
|
||||
akclientToken: {{ .akclientToken | default "" }}
|
||||
akclientSecret: {{ .akclientSecret | default "" }}
|
||||
akaccessToken: {{ .akaccessToken | default "" }}
|
||||
doaccessToken: {{ .doaccessToken | default "" }}
|
||||
rfctsigSecret: {{ .rfctsigSecret | default "" }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
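Review bot: `range .Values.clusterIssuer.acme` iterates a key that neither values.yaml (`ACME: []`) nor questions.yaml (`variable: ACME`) sets, so with the shipped defaults and the GUI no ACME ClusterIssuer is ever rendered; change it to `{{- range .Values.clusterIssuer.ACME }}` (or rename the value) and keep the two in step. The `else if .cfapikey` branch emits `name:`/`key:` directly under `cloudflare:` with no `apiKeySecretRef:` parent, which is not a valid solver. The route53 solver points `secretAccessKeySecretRef` at `prod-route53-credentials-secret`, but the Secret this template creates is `{{ .name }}-clusterissuer-secret` with key `route53-secret-access-key`, so the reference should be `name: {{ .name }}-clusterissuer-secret`. That Secret also has no `namespace:`, so it lands in the release namespace, while a ClusterIssuer resolves its secret refs from cert-manager's cluster-resource namespace (the CA template below uses `namespace: cert-manager` for the same reason) — add the same here.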
@@ -0,0 +1,48 @@
|
||||
{{- define "certmanager.clusterissuer.ca" -}}
|
||||
{{- range .Values.clusterIssuer.CA }}
|
||||
{{- if .selfSigned }}
|
||||
---
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: ClusterIssuer
|
||||
metadata:
|
||||
name: {{ .name }}-selfsigned-ca-issuer
|
||||
spec:
|
||||
selfSigned: {}
|
||||
---
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: Certificate
|
||||
metadata:
|
||||
name: {{ .name }}-selfsigned-ca
|
||||
namespace: cert-manager
|
||||
spec:
|
||||
isCA: true
|
||||
commonName: {{ .selfSignedCommonName }}
|
||||
secretName: {{ .name }}-ca
|
||||
privateKey:
|
||||
algorithm: ECDSA
|
||||
size: 256
|
||||
issuerRef:
|
||||
name: selfsigned-ca-issuer
|
||||
kind: ClusterIssuer
|
||||
group: cert-manager.io
|
||||
{{- else }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: {{ .name }}-ca
|
||||
namespace: cert-manager
|
||||
data:
|
||||
tls.crt: {{ .crt | b64enc }}
|
||||
tls.key: {{ .key | b64enc }}
|
||||
{{- end }}
|
||||
---
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: ClusterIssuer
|
||||
metadata:
|
||||
name: {{ .name }}
|
||||
spec:
|
||||
ca:
|
||||
secretName: {{ .name }}-ca
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
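Review bot: The self-signed `Certificate` sets `issuerRef: name: selfsigned-ca-issuer`, but the ClusterIssuer created just above it is named `{{ .name }}-selfsigned-ca-issuer`, so the CA certificate is never issued and the final `ca:` ClusterIssuer finds no `{{ .name }}-ca` secret; the ref should be `name: {{ .name }}-selfsigned-ca-issuer`. In the `else` branch the user-supplied CA `key` is written straight from Helm values into a Secret, so the CA private key is also persisted in plaintext in the Helm release record and in any exported values; a comment at `tls.key:` stating that, and that the field must hold the raw PEM (a pre-encoded value would be double-encoded by `b64enc`), would help operators. The `ci/CA-values.yaml` test only exercises the self-signed branch, so the custom-CA path is untested.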
@@ -0,0 +1,11 @@
|
||||
{{- define "certmanager.clusterissuer.selfsigned" -}}
|
||||
{{- if .Values.clusterIssuer.selfSigned.enabled }}
|
||||
---
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: ClusterIssuer
|
||||
metadata:
|
||||
name: {{ .Values.clusterIssuer.selfSigned.name }}
|
||||
spec:
|
||||
selfSigned: {}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
11
charts/enterprise/cert-manager/templates/common.yaml
Normal file
11
charts/enterprise/cert-manager/templates/common.yaml
Normal file
@@ -0,0 +1,11 @@
|
||||
{{/* Make sure all variables are set properly */}}
|
||||
{{- include "tc.common.loader.init" . }}
|
||||
|
||||
{{/* Render the templates */}}
|
||||
{{ include "tc.common.loader.apply" . }}
|
||||
|
||||
{{- include "certmanager.clusterissuer.acme" . }}
|
||||
{{- include "certmanager.clusterissuer.selfsigned" . }}
|
||||
{{- include "certmanager.clusterissuer.ca" . }}
|
||||
{{- include "certmanager.metrics" . }}
|
||||
{{- include "certmanager.wait" . }}
|
||||
74
charts/enterprise/cert-manager/values.yaml
Normal file
74
charts/enterprise/cert-manager/values.yaml
Normal file
@@ -0,0 +1,74 @@
|
||||
image:
|
||||
repository: placeholder
|
||||
tag: upstream
|
||||
pullPolicy: IfNotPresent
|
||||
|
||||
controller:
|
||||
enabled: false
|
||||
|
||||
service:
|
||||
main:
|
||||
enabled: false
|
||||
ports:
|
||||
main:
|
||||
enabled: false
|
||||
port: 9999
|
||||
|
||||
portal:
|
||||
enabled: false
|
||||
|
||||
probes:
|
||||
liveness:
|
||||
enabled: false
|
||||
readiness:
|
||||
enabled: false
|
||||
startup:
|
||||
enabled: false
|
||||
|
||||
clusterIssuer:
|
||||
selfSigned:
|
||||
enabled: true
|
||||
name: "selfsigned"
|
||||
CA: []
|
||||
# - name: myca
|
||||
# selfSigned: true
|
||||
# selfSignedCommonName: "my-selfsigned-ca"
|
||||
# # Used to manually define a CA-crt not used when selfSigned is enabled
|
||||
# crt: ""
|
||||
# key: ""
|
||||
# # TODO: Add option to use SCALE CA certs
|
||||
|
||||
ACME: []
|
||||
# - name: letsencrypt
|
||||
# # Used for both logging in to the DNS provider AND ACME registration
|
||||
# email: ""
|
||||
# server: 'https://acme-staging-v02.api.letsencrypt.org/directory'
|
||||
# # Used primarily for the SCALE GUI
|
||||
# customServer: 'https://acme-staging-v02.api.letsencrypt.org/directory'
|
||||
# email: ""
|
||||
# # Options: HTTP01, cloudflare, route53
|
||||
# type: ""
|
||||
# # for cloudflare
|
||||
# cfapikey: ""
|
||||
# cfapitoken: ""
|
||||
# # for route53
|
||||
# region: ""
|
||||
# accessKeyID: ""
|
||||
# route53SecretAccessKey: ""
|
||||
# # optional for route53
|
||||
# role: ""
|
||||
# # for akamai
|
||||
# serviceConsumerDomain: ""
|
||||
# akclientToken: ""
|
||||
# akclientSecret: ""
|
||||
# akaccessToken: ""
|
||||
# # for digitalocean
|
||||
# doaccessToken: ""
|
||||
# # for rfc2136
|
||||
# nameserver: ""
|
||||
# tsigKeyName: ""
|
||||
# tsigAlgorithm: ""
|
||||
# rfctsigSecret: ""
|
||||
|
||||
metrics:
|
||||
enabled: true
|
||||
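Review bot: The comment `# # Options: HTTP01, cloudflare, route53` is stale — questions.yaml and the ACME template also accept `akamai`, `digitalocean` and `rfc2136`; update it to `# # Options: HTTP01, cloudflare, route53, akamai, digitalocean, rfc2136`. The commented example lists `email: ""` twice (above `server` and below `customServer`); drop the duplicate. The key `ACME` is what the template's `range` must match, so a comment noting that the name is case-sensitive and mirrored in questions.yaml would prevent the current `.acme`/`ACME` drift.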
@@ -5,4 +5,3 @@
|
||||
additional_attrs: true
|
||||
type: dict
|
||||
attrs:
|
||||
|
||||
|
||||