feat(cert-manager): add Cert-Manager configuration App (#6378)

* feat(cert-manager): add Cert-Manager configuration App

* eof

* pre-commit cleanup

* add temp crds folder

* patch mistake

* restructure

* add route53 support

* add some fails

* fixes and add route53 to GUI

* end

* add experimental HTTP01 support

* fix bug

* add buypass acme to dropdown

* add akamai support

* add Digitalocean

* add rfc2136 support

* fix some issues and add self-signed issuer

* add metrics and fix selfsigned

* whoops

* Add CA certificate system

* whoops

* benc stuff

* actually load CA

* fix

* fix ca

* bool -> boolean

* also test CA

* wait for pod to be ready

* sleep more aggressively on cert-manager itself

* some more fixes

* whoops

* fix mistakes

* all waits test

* add cmctl

* increase scope for now and some fixes

* simplify

* dont wait on non-existing pods

* make it non-failing

* fix typo
Kjeld Schouten-Lebbing
2023-01-18 00:06:10 +01:00
committed by GitHub
parent fb0b94572b
commit 2d97bc9b9b
25 changed files with 5159 additions and 30 deletions

.github/SUPPORT.md vendored

@@ -11,17 +11,17 @@ We also document which versions of TrueNAS will receive TrueCharts updates and f
### Supported Versions
| TrueNAS version | Branch | Supported with updates | Accepting Support tickets | Accepting Bug Reports | Notes |
| ---------------- | -------- | ---------------------- | ------------------------- | --------------------- | -------------------------------------------------------------------------------------------------------------- |
| 22.02.4 or prior | `master` | :white_check_mark: | :x: | :x: | Advised to update to 22.12.0 release of [TrueNAS SCALE](https://www.truenas.com/docs/scale/scalereleasenotes/) | |
| ---------------- | -------- | ---------------------- | ------------------------- | --------------------- | -------------------------------------------------------------------------------------------------------------- | --- |
| 22.02.4 or prior | `master` | :white_check_mark: | :x: | :x: | Advised to update to 22.12.0 release of [TrueNAS SCALE](https://www.truenas.com/docs/scale/scalereleasenotes/) | |
| 22.12.0 | `master` | :white_check_mark: | :white_check_mark: | :white_check_mark: | Most Stable Release as of 2022-12-13 |
| Nightly | `master` | :white_check_mark: | :x: | :white_check_mark: | Please only submit bug reports during codefreeze |
::: warning Support Guidelines
Our [Discord](https://discord.gg/tVsPTHWTtr) support (the ticketing system inside #support) is primarily limited to what is covered by our written guides. This includes installing, linking and editing apps. This doesn't mean the actual setup of the application. All #support tickets covered by the staff are done so in a **best effort** policy.
:::
## Stable Train Charts
We provide direct support for getting `stable` train charts working on our [discord](https://discord.gg/tVsPTHWTtr) inside the **#support** channel.


@@ -1,7 +1,7 @@
module.exports = {
dryRun: false,
username: 'truecharts-admin',
gitAuthor: 'truecharts-admin <bot@truecharts.org>',
username: "truecharts-admin",
gitAuthor: "truecharts-admin <bot@truecharts.org>",
onboarding: false,
platform: "github",
repositories: ["truecharts/charts"],


@@ -322,42 +322,42 @@ jobs:
res4="${{needs.lint-charts4.result}}"
res5="${{needs.lint-charts5.result}}"
res6="${{needs.lint-charts6.result}}"
if [[ $res1 == "success" || $res1 == "skipped" ]]; then
echo "lint tests 1 successfull..."
else
echo "lint tests 1 error, stopping due to failure..."
exit 1
fi
if [[ $res2 == "success" || $res2 == "skipped" ]]; then
echo "lint tests 2 successfull..."
else
echo "lint tests 2 error, stopping due to failure..."
exit 1
fi
if [[ $res3 == "success" || $res3 == "skipped" ]]; then
echo "lint tests 3 successfull..."
else
echo "lint tests 3 error, stopping due to failure..."
exit 1
fi
if [[ $res4 == "success" || $res4 == "skipped" ]]; then
echo "lint tests 4 successfull..."
else
echo "lint tests 4 error, stopping due to failure..."
exit 1
fi
if [[ $res5 == "success" || $res5 == "skipped" ]]; then
echo "lint tests 5 successfull..."
else
echo "lint tests 5 error, stopping due to failure..."
exit 1
fi
if [[ $res6 == "success" || $res6 == "skipped" ]]; then
echo "lint tests 6 successfull..."
else


@@ -121,13 +121,13 @@ jobs:
mv -f website/docs/charts/${train}/${chart}/CHANGELOG.md tmp/website/docs/charts/${train}/${chart}/CHANGELOG.md || :
mv -f website/docs/charts/${train}/${chart}/helm-security.md tmp/website/docs/charts/${train}/${chart}/helm-security.md || :
mv -f website/docs/charts/${train}/${chart}/container-security.md tmp/website/docs/charts/${train}/${chart}/container-security.md || :
# remove old docs everywhere and recreate based on charts repo
rm -rf website/docs/charts/*/${chart} || :
mkdir -p website/docs/charts/${train}/${chart} || echo "chart path already exists, continuing..."
yes | cp -rf charts/${train}/${chart}/docs/* website/docs/charts/${train}/${chart}/ 2>/dev/null || :
yes | cp -rf charts/${train}/${chart}/icon.png website/static/img/hotlink-ok/chart-icons/${chart}.png 2>/dev/null || :
# Copy over kept documents
mv -f tmp/website/docs/charts/${train}/${chart}/CHANGELOG.md website/docs/charts/${train}/${chart}/CHANGELOG.md 2>/dev/null || :
mv -f tmp/website/docs/charts/${train}/${chart}/helm-security.md website/docs/charts/${train}/${chart}/helm-security.md 2>/dev/null || :


@@ -421,42 +421,42 @@ jobs:
res4="${{needs.install-charts4.result}}"
res5="${{needs.install-charts5.result}}"
res6="${{needs.install-charts6.result}}"
if [[ $res1 == "success" || $res1 == "skipped" ]]; then
echo "install tests 1 successfull..."
else
echo "install tests 1 error, stopping due to failure..."
exit 1
fi
if [[ $res2 == "success" || $res2 == "skipped" ]]; then
echo "install tests 2 successfull..."
else
echo "install tests 2 error, stopping due to failure..."
exit 1
fi
if [[ $res3 == "success" || $res3 == "skipped" ]]; then
echo "install tests 3 successfull..."
else
echo "install tests 3 error, stopping due to failure..."
exit 1
fi
if [[ $res4 == "success" || $res4 == "skipped" ]]; then
echo "install tests 4 successfull..."
else
echo "install tests 4 error, stopping due to failure..."
exit 1
fi
if [[ $res5 == "success" || $res5 == "skipped" ]]; then
echo "install tests 5 successfull..."
else
echo "install tests 5 error, stopping due to failure..."
exit 1
fi
if [[ $res6 == "success" || $res6 == "skipped" ]]; then
echo "install tests 6 successfull..."
else


@@ -15,10 +15,10 @@ jobs:
with:
token: ${{ secrets.BOT_TOKEN }}
fetch-depth: 0
- name: Setting repo parent dir as safe safe.directory
run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
- name: generate readme.md
shell: bash
run: |
@@ -44,7 +44,7 @@ jobs:
fi
done
done
- name: Bump and Sync
shell: bash
run: |
@@ -91,7 +91,7 @@ jobs:
echo "Sources of ${chartname} updated!"
}
export -f sync_tag
for train in enterprise stable incubator dependency; do
echo "Correcting Chart.yaml for Train: ${train}..."
for chart in $(ls "charts/${train}"); do
@@ -99,7 +99,7 @@ jobs:
sync_tag "charts/${train}/${chart}" "${chart}" "${train}"
done
done
- name: Cleanup
run: |
rm -rf changes.json
@@ -113,7 +113,7 @@ jobs:
git add --all
git commit -sm "Commit daily changes" || exit 0
git push
generate-security-reports:
runs-on: ubuntu-latest
name: "Generate Security Reports"
@@ -151,7 +151,7 @@ jobs:
repository: truecharts/website
token: ${{ secrets.BOT_TOKEN }}
path: website
- name: fetch dependencies
shell: bash
run: |


@@ -78,7 +78,7 @@ jobs:
- charts-test
- charts-lint
- print_head_msg
if: needs.print_head_msg.outputs.head-commit-message == 'Commit bumped Chart Version'
if: needs.print_head_msg.outputs.head-commit-message == 'Commit bumped Chart Version'
name: Automerge build
runs-on: ubuntu-latest
steps:


@@ -23,7 +23,7 @@ repos:
- id: requirements-txt-fixer # sorts entries in requirements.txt.
- id: check-added-large-files # prevents giant files from being committed.
- id: check-yaml # checks yaml files for parseable syntax.
exclude: (templates\/.*|questions.yaml|chart_schema.yaml)
exclude: (templates\/.*|crds\/.*|questions.yaml|chart_schema.yaml)
- id: detect-private-key # detects the presence of private keys.
- repo: https://github.com/pre-commit/pygrep-hooks
@@ -36,5 +36,5 @@ repos:
rev: v2.5.1
hooks:
- id: prettier
exclude: (templates\/.*|README.md|CHANGELOG.md|questions.yaml|devcontainer.json)
exclude: (templates\/.*|crds\/.*|README.md|CHANGELOG.md|questions.yaml|devcontainer.json)
files: \.(js|ts|jsx|tsx|css|less|html|json|markdown|md|yaml|yml)$
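Review bot: Adding `crds\/.*` to the check-yaml exclude (the line `exclude: (templates\/.*|crds\/.*|questions.yaml|chart_schema.yaml)`) removes the only parse check on the vendored CRD manifests, which the chart installs cluster-wide; the prettier exclusion on its own would already keep formatting from rewriting them. If the CRDs were excluded because they are multi-document files, check-yaml accepts those with `args: [--allow-multiple-documents]` rather than skipping them entirely.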


@@ -0,0 +1,30 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
# OWNERS file for Kubernetes
OWNERS
# helm-docs templates
*.gotmpl
# docs folder
/docs
# icon
icon.png


@@ -0,0 +1,28 @@
apiVersion: v2
appVersion: "upstream"
deprecated: false
description: Certificate management for Kubernetes
home: https://truecharts.org/charts/enterprise/cert-manager
icon: https://truecharts.org/img/hotlink-ok/chart-icons/cert-manager.png
keywords:
- metallb
- loadbalancer
dependencies:
- name: common
repository: https://library-charts.truecharts.org
version: 11.1.2
kubeVersion: ">=1.16.0-0"
maintainers:
- email: info@truecharts.org
name: TrueCharts
url: https://truecharts.org
name: cert-manager
sources:
- https://cert-manager.io/
type: application
version: 0.0.1
annotations:
truecharts.org/catagories: |
- core
truecharts.org/SCALE-support: "true"
truecharts.org/grade: U
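Review bot: The `keywords` list (`- metallb`, `- loadbalancer`) does not describe this chart and looks carried over from the metallb chart, so catalog search would surface cert-manager under load balancers; replace it with keywords such as `- cert-manager` and `- certificates`. The rest of the metadata (`description`, `home`, `sources`) is already cert-manager specific, so this is the only stale field I can see in the hunk.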


@@ -0,0 +1,27 @@
# README
## General Info
TrueCharts can be installed as both *normal* Helm Charts or as Apps on TrueNAS SCALE.
However only installations using the TrueNAS SCALE Apps system are supported.
For more information about this App, please check the docs on the TrueCharts [website](https://truecharts.org/charts/enterprise/)
**This chart is not maintained by the upstream project and any issues with the chart should be raised [here](https://github.com/truecharts/charts/issues/new/choose)**
## Support
- Please check our [quick-start guides for TrueNAS SCALE](https://truecharts.org/manual/SCALE%20Apps/Important-MUST-READ).
- See the [Website](https://truecharts.org)
- Check our [Discord](https://discord.gg/tVsPTHWTtr)
- Open a [issue](https://github.com/truecharts/charts/issues/new/choose)
---
## Sponsor TrueCharts
TrueCharts can only exist due to the incredible effort of our staff.
Please consider making a [donation](https://truecharts.org/sponsor) or contributing back to the project any way you can!
*All Rights Reserved - The TrueCharts Project*


@@ -0,0 +1,8 @@
clusterIssuer:
selfSigned:
enabled: true
name: "selfsigned"
CA:
- name: myca
selfSigned: true
selfSignedCommonName: "my-selfsigned-ca"



@@ -0,0 +1,273 @@
# Include{groups}
questions:
# Include{global}
- variable: clusterIssuer
group: App Configuration
label: Cluster Certificate Issuer
schema:
additional_attrs: true
type: dict
attrs:
- variable: selfSigned
label: 'SelfSigned Issuer'
schema:
additional_attrs: true
type: dict
attrs:
- variable: enabled
label: enabled
description: "Enable self-signed issuer"
schema:
type: boolean
default: true
- variable: name
label: Name
description: "Name to give the issuer"
schema:
type: string
required: true
default: "selfSigned"
- variable: ACME
label: ACME Issuer
schema:
type: list
default: []
items:
- variable: ACMEEntry
label: 'ACME Issuer Entry'
schema:
additional_attrs: true
type: dict
attrs:
- variable: name
label: Name
description: "Name to give the issuer"
schema:
type: string
required: true
default: ""
- variable: server
label: Server
description: "Server for ACME, for example: letsencrypt"
schema:
type: string
show_if: [["type", "!=", "HTTP01"]]
default: 'Letsencrypt-Production'
enum:
- value: 'https://acme-v02.api.letsencrypt.org/directory'
description: Letsencrypt-Production
- value: 'https://acme-staging-v02.api.letsencrypt.org/directory'
description: Letsencrypt-Staging
- value: 'https://api.buypass.no/acme-v02/directory'
description: BuyPass-Production
- value: 'https://api.test4.buypass.no/acme-v02/directory'
description: BuyPass-Staging
- value: custom
description: Custom
- variable: customServer
label: Custom ACME Server (Advanced)
description: "This can be used to enter your own custom ACME server"
schema:
type: string
show_if: [["server", "=", "custom"]]
default: 'https://acme-staging-v02.api.letsencrypt.org/directory'
- variable: email
label: Email
description: "Email adress to use for certificate issuing must match your DNS provider email when required"
schema:
type: string
required: true
show_if: [["type", "!=", "HTTP01"]]
default: "something@example.com"
- variable: type
label: Type or DNS-Provider
description: DNS Provider
schema:
type: string
required: true
default: cloudflare
enum:
- value: cloudflare
description: Cloudflare
- value: route53
description: Route53
- value: akamai
description: Akamai
- value: digitalocean
description: Digitalocean
- value: rfc2136
description: rfc2136 (Advanced)
- value: HTTP01
description: HTTP01 (Experimental)
- variable: cfapikey
label: CloudFlare API key
description: "CloudFlare API Key"
schema:
show_if: [["type", "=", "cloudflare"]]
type: string
default: ""
- variable: cfapitoken
label: CloudFlare API Token
description: "CloudFlare API Token"
schema:
show_if: [["type", "=", "cloudflare"]]
type: string
default: ""
- variable: region
label: Route53 Region
description: "Route 53 Region"
schema:
show_if: [["type", "=", "route53"]]
type: string
required: true
default: "us-west-1"
- variable: accessKeyID
label: Route53 accessKeyID
description: "Route53 accessKeyID"
schema:
show_if: [["type", "=", "route53"]]
type: string
required: true
default: ""
- variable: route53SecretAccessKey
label: Route53 Secret Access Key
description: "Route53 Secret Access Key"
schema:
show_if: [["type", "=", "route53"]]
type: string
required: true
default: ""
- variable: role
label: Route53 Role (optional)
description: "Route53 Role"
schema:
show_if: [["type", "=", "route53"]]
type: string
default: ""
- variable: serviceConsumerDomain
label: Akamai Service Consumer Domain
description: "Akamai Service Consumer Domain"
schema:
show_if: [["type", "=", "akamai"]]
type: string
required: true
default: ""
- variable: akclientToken
label: Akamai Client Token
description: "Client Token"
schema:
show_if: [["type", "=", "akamai"]]
type: string
required: true
default: ""
- variable: akclientSecret
label: Akamai Client Secret
description: "Akamai Client Secret"
schema:
show_if: [["type", "=", "akamai"]]
type: string
required: true
default: ""
- variable: akaccessToken
label: Akamai Access Token
description: "Akamai Access Token"
schema:
show_if: [["type", "=", "akamai"]]
type: string
required: true
default: ""
- variable: doaccessToken
label: Digitalocean Access Token
description: "Digitalocean Access Token"
schema:
show_if: [["type", "=", "digitalocean"]]
type: string
required: true
default: ""
- variable: nameserver
label: rfc2136 Namesever
description: "rfc2136 Namesever"
schema:
show_if: [["type", "=", "digitalocean"]]
type: string
required: true
default: ""
- variable: tsigKeyName
label: rfc2136 tsig Key Name
description: "rfc2136 tsig Key Name"
schema:
show_if: [["type", "=", "digitalocean"]]
type: string
required: true
default: ""
- variable: tsigAlgorithm
label: rfc2136 tsig Algorithm
description: "rfc2136 tsig Algorithm"
schema:
show_if: [["type", "=", "digitalocean"]]
type: string
required: true
default: ""
- variable: rfctsigSecret
label: rfc2136 sig Secret
description: "rfc2136 sig Secret"
schema:
show_if: [["type", "=", "digitalocean"]]
type: string
required: true
default: ""
- variable: CA
label: Certiticate Authority Issuer
schema:
type: list
default: []
items:
- variable: CAEntry
label: 'CA Issuer Entry'
schema:
additional_attrs: true
type: dict
attrs:
- variable: name
label: Name
description: "Name to give the issuer"
schema:
type: string
required: true
default: ""
- variable: selfSigned
label: selfSigned
description: "Create Self Signed CA cert"
schema:
type: boolean
default: true
- variable: selfSignedCommonName
label: selfSigned CommonName
description: "Common name for selfSigned Certiticate Authority"
schema:
type: string
required: true
show_if: [["selfSigned", "=", "true"]]
default: "my-selfsigned-ca"
- variable: crt
label: "Custom CA cert (experimental)"
description: "certificate for Certiticate Authority"
schema:
type: string
required: true
show_if: [["selfSigned", "=", "false"]]
default: ""
- variable: key
label: "Custom CA key (experimental)"
description: "key Certiticate Authority"
schema:
type: string
required: true
show_if: [["selfSigned", "=", "false"]]
default: ""
# Include{metrics}
# Include{documentation}
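Review bot: The four rfc2136 fields (`nameserver`, `tsigKeyName`, `tsigAlgorithm`, `rfctsigSecret`) carry `show_if: [["type", "=", "digitalocean"]]`, so they are hidden when rfc2136 is selected and, being `required: true`, are demanded from Digitalocean users instead; each should read `show_if: [["type", "=", "rfc2136"]]`. The `server` default `'Letsencrypt-Production'` is a description, not one of the enum values (those are directory URLs), so it matches no dropdown entry; the default should be `'https://acme-v02.api.letsencrypt.org/directory'`. The credential inputs (`cfapikey`, `cfapitoken`, `route53SecretAccessKey`, the Akamai, Digitalocean and rfc2136 secrets, and the CA `key`) are plain `type: string` fields; if the SCALE questions schema's `private: true` is available in this catalog, adding it keeps those values masked in the UI and in exported configurations. The labels also misspell `Certiticate` and `Namesever`.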


@@ -0,0 +1,25 @@
{{- define "certmanager.metrics" -}}
{{- if .Values.metrics.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: PodMonitor
metadata:
name: cert-manager
namespace: cert-manager
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "controller"
spec:
jobLabel: app.kubernetes.io/name
selector:
matchLabels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "controller"
podMetricsEndpoints:
- port: http
honorLabels: true
{{- end }}
{{- end -}}
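Review bot: The PodMonitor is rendered whenever `metrics.enabled` is true, which the chart's values default to, so on a cluster without the `monitoring.coreos.com` CRDs the install fails at apply time; either default metrics to false or guard the template with `{{- if and .Values.metrics.enabled (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1") }}`. The endpoint `port: http` should also be checked against the actual container port name on the cert-manager controller pod — as far as I recall upstream's own PodMonitor targets a port named `http-metrics`, in which case this monitor would match no endpoint and silently collect nothing.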


@@ -0,0 +1,85 @@
{{- define "certmanager.wait" }}
{{- $fullName := include "tc.common.names.fullname" . }}
---
apiVersion: batch/v1
kind: Job
metadata:
namespace: {{ .Release.Namespace }}
name: {{ $fullName }}-wait
annotations:
"helm.sh/hook": pre-install, pre-upgrade
"helm.sh/hook-weight": "-1"
"helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
spec:
template:
spec:
serviceAccountName: {{ $fullName }}-wait
containers:
- name: {{ $fullName }}-wait
image: {{ .Values.kubectlImage.repository }}:v1.26.0
securityContext:
runAsUser: 568
runAsGroup: 568
readOnlyRootFilesystem: true
runAsNonRoot: true
command:
- "/bin/sh"
- "-c"
- |
/bin/sh <<'EOF'
kubectl wait --namespace metallb-system --for=condition=ready pod --selector=app=metallb --timeout=90s || echo "metallb-system wait failed..."
kubectl wait --namespace cert-manager --for=condition=ready pod --selector=app=cert-manager --timeout=90s || echo "cert-manager wait failed..."
cmctl check api --wait=2m || echo "cmctl wait failed..."
EOF
volumeMounts:
- name: {{ $fullName }}-manifests-temp
mountPath: /tmp
- name: {{ $fullName }}-manifests-home
mountPath: /home/apps/
restartPolicy: Never
volumes:
- name: {{ $fullName }}-manifests-temp
emptyDir: {}
- name: {{ $fullName }}-manifests-home
emptyDir: {}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ $fullName }}-wait
annotations:
"helm.sh/hook": pre-install, pre-upgrade
"helm.sh/hook-weight": "-2"
"helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ $fullName }}-wait
annotations:
"helm.sh/hook": pre-install, pre-upgrade
"helm.sh/hook-weight": "-2"
"helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ $fullName }}-wait
subjects:
- kind: ServiceAccount
name: {{ $fullName }}-wait
namespace: {{ .Release.Namespace }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ $fullName }}-wait
namespace: {{ .Release.Namespace }}
annotations:
"helm.sh/hook": pre-install, pre-upgrade
"helm.sh/hook-weight": "-2"
"helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
{{- end }}
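Review bot: The `{{ $fullName }}-wait` ClusterRole grants `apiGroups: ["*"]`, `resources: ["*"]`, `verbs: ["*"]` — effectively cluster-admin — to a hook Job whose script only runs `kubectl wait` on pods and `cmctl check api`, so any compromise of that pod or its image is a full cluster compromise for the life of the hook. The wait only needs read access to pods; `cmctl check api` performs a dry-run create of a Certificate, so `create` on `certificates` in `cert-manager.io` is probably the one write it needs — confirm by running the hook with the reduced role below. The `kubectl wait --namespace metallb-system ... --selector=app=metallb` line also looks copied from another chart and has nothing to do with cert-manager, and the image tag `:v1.26.0` is hard-coded next to a values-driven repository. The container `securityContext` would additionally benefit from `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}`.
```yaml
# … unchanged: ClusterRole metadata and hook annotations …
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
  # cmctl check api does a dry-run create of a Certificate; confirm this is the full set it needs
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates"]
    verbs: ["create"]
```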


@@ -0,0 +1,88 @@
{{- define "certmanager.clusterissuer.acme" -}}
{{- range .Values.clusterIssuer.acme }}
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: {{ .name }}
spec:
acme:
email: {{ .email }}
server: {{ if eq .server "custom" }}{{ .customServer }}{{ else }}{{ .server }}{{ end }}
privateKeySecretRef:
name: {{ .name }}-acme-clusterissuer-account-key
solvers:
{{- if eq .type "HTTP01" }}
- http01:
ingress:
{{- else }}
- dns01:
{{- if eq .type "cloudflare" }}
cloudflare:
email: {{ .email }}
{{- if .cfapitoken }}
apiTokenSecretRef:
name: {{ .name }}-clusterissuer-secret
key: cf-api-token
{{- else if .cfapikey }}
name: {{ .name }}-clusterissuer-secret
key: cf-api-key
{{ else }}
{{- fail "A cloudflare API key or token is required" }}
{{- end }}
{{- else if eq .type "route53" }}
route53:
region: {{ .region }}
accessKeyID: {{ .accessKeyID }}
{{- if .role }}
role: {{ .role }}
{{- end }}
secretAccessKeySecretRef:
name: prod-route53-credentials-secret
key: route53-secret-access-key
{{- else if eq .type "akamai" }}
akamai:
serviceConsumerDomain: {{ .serviceConsumerDomain }}
clientTokenSecretRef:
name: {{ .name }}-clusterissuer-secret
key: akclientToken
clientSecretSecretRef:
name: {{ .name }}-clusterissuer-secret
key: akclientSecret
accessTokenSecretRef:
name: {{ .name }}-clusterissuer-secret
key: akaccessToken
{{- else if eq .type "digitalocean" }}
digitalocean:
tokenSecretRef:
name: {{ .name }}-clusterissuer-secret
key: doaccessToken
{{- else if eq .type "rfc2136" }}
rfc2136:
nameserver: {{ .nameserver }}
tsigKeyName: {{ .tsigKeyName }}
tsigAlgorithm: {{ .tsigAlgorithm }}
tsigSecretSecretRef:
name: {{ .name }}-clusterissuer-secret
key: rfctsigSecret
{{- else }}
{{- fail "No correct ACME type entered..." }}
{{- end }}
{{- end }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ .name }}-clusterissuer-secret
type: Opaque
stringData:
cf-api-token: {{ .cfapitoken | default "" }}
cf-api-key: {{ .cfapikey | default "" }}
route53-secret-access-key: {{ .route53SecretAccessKey | default "" }}
akclientToken: {{ .akclientToken | default "" }}
akclientSecret: {{ .akclientSecret | default "" }}
akaccessToken: {{ .akaccessToken | default "" }}
doaccessToken: {{ .doaccessToken | default "" }}
rfctsigSecret: {{ .rfctsigSecret | default "" }}
{{- end }}
{{- end -}}
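Review bot: In the cloudflare branch the `{{- else if .cfapikey }}` case emits `name:`/`key:` directly under `cloudflare:` without the `apiKeySecretRef:` parent, so an API-key issuer renders an invalid ClusterIssuer spec; insert `apiKeySecretRef:` above `name: {{ .name }}-clusterissuer-secret`. The route53 solver references `name: prod-route53-credentials-secret`, while the Secret this template creates is `{{ .name }}-clusterissuer-secret`, so the issuer would look for a secret that never exists; point it at `name: {{ .name }}-clusterissuer-secret`. The `stringData` values are rendered unquoted (`cf-api-token: {{ .cfapitoken | default "" }}` and its seven siblings), so an empty value becomes YAML null and a token that starts with an indicator or contains `: ` or ` #` breaks or retypes the manifest; pipe each through `| quote`, and likewise `email: {{ .email }}`. The Secret also has no `namespace:` while the CA template puts its Secret in `cert-manager`; a ClusterIssuer resolves secret references in cert-manager's cluster-resource namespace, so this one should set the same namespace — confirm against where the release itself is deployed.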


@@ -0,0 +1,48 @@
{{- define "certmanager.clusterissuer.ca" -}}
{{- range .Values.clusterIssuer.CA }}
{{- if .selfSigned }}
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: {{ .name }}-selfsigned-ca-issuer
spec:
selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: {{ .name }}-selfsigned-ca
namespace: cert-manager
spec:
isCA: true
commonName: {{ .selfSignedCommonName }}
secretName: {{ .name }}-ca
privateKey:
algorithm: ECDSA
size: 256
issuerRef:
name: selfsigned-ca-issuer
kind: ClusterIssuer
group: cert-manager.io
{{- else }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ .name }}-ca
namespace: cert-manager
data:
tls.crt: {{ .crt | b64enc }}
tls.key: {{ .key | b64enc }}
{{- end }}
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: {{ .name }}
spec:
ca:
secretName: {{ .name }}-ca
{{- end }}
{{- end -}}
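Review bot: The self-signed CA Certificate's `issuerRef` names `selfsigned-ca-issuer`, but the ClusterIssuer created just above it is `{{ .name }}-selfsigned-ca-issuer`, so the CA certificate is never issued and the `{{ .name }}` CA ClusterIssuer stays not-ready; change it to `name: {{ .name }}-selfsigned-ca-issuer`. `commonName: {{ .selfSignedCommonName }}` is unquoted and should get `| quote` like any user-supplied scalar. No `duration`/`renewBefore` is set on the CA Certificate, so cert-manager's default lifetime applies (90 days, as far as I recall), which is short for a root that leaf issuers trust and worth stating explicitly. In the custom-CA branch the private key is passed through values (`tls.key: {{ .key | b64enc }}`), which means it lives in the release configuration; offering a reference to an existing Secret alongside this would avoid that.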


@@ -0,0 +1,11 @@
{{- define "certmanager.clusterissuer.selfsigned" -}}
{{- if .Values.clusterIssuer.selfSigned.enabled }}
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: {{ .Values.clusterIssuer.selfSigned.name }}
spec:
selfSigned: {}
{{- end }}
{{- end -}}


@@ -0,0 +1,11 @@
{{/* Make sure all variables are set properly */}}
{{- include "tc.common.loader.init" . }}
{{/* Render the templates */}}
{{ include "tc.common.loader.apply" . }}
{{- include "certmanager.clusterissuer.acme" . }}
{{- include "certmanager.clusterissuer.selfsigned" . }}
{{- include "certmanager.clusterissuer.ca" . }}
{{- include "certmanager.metrics" . }}
{{- include "certmanager.wait" . }}


@@ -0,0 +1,74 @@
image:
repository: placeholder
tag: upstream
pullPolicy: IfNotPresent
controller:
enabled: false
service:
main:
enabled: false
ports:
main:
enabled: false
port: 9999
portal:
enabled: false
probes:
liveness:
enabled: false
readiness:
enabled: false
startup:
enabled: false
clusterIssuer:
selfSigned:
enabled: true
name: "selfsigned"
CA: []
# - name: myca
# selfSigned: true
# selfSignedCommonName: "my-selfsigned-ca"
# # Used to manually define a CA-crt not used when selfSigned is enabled
# crt: ""
# key: ""
# # TODO: Add option to use SCALE CA certs
ACME: []
# - name: letsencrypt
# # Used for both logging in to the DNS provider AND ACME registration
# email: ""
# server: 'https://acme-staging-v02.api.letsencrypt.org/directory'
# # Used primarily for the SCALE GUI
# customServer: 'https://acme-staging-v02.api.letsencrypt.org/directory'
# email: ""
# # Options: HTTP01, cloudflare, route53
# type: ""
# # for cloudflare
# cfapikey: ""
# cfapitoken: ""
# # for route53
# region: ""
# accessKeyID: ""
# route53SecretAccessKey: ""
# # optional for route53
# role: ""
# # for akamai
# serviceConsumerDomain: ""
# akclientToken: ""
# akclientSecret: ""
# akaccessToken: ""
# # for digitalocean
# doaccessToken: ""
# # for rfc2136
# nameserver: ""
# tsigKeyName: ""
# tsigAlgorithm: ""
# rfctsigSecret: ""
metrics:
enabled: true
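Review bot: The commented ACME example states `# # Options: HTTP01, cloudflare, route53` while the chart's templates also handle akamai, digitalocean and rfc2136 (whose fields are listed right below it), and it declares `# email: ""` twice; update the comment to `# # Options: HTTP01, cloudflare, route53, akamai, digitalocean, rfc2136` and drop the duplicate line. `clusterIssuer.selfSigned.name` defaults to `"selfsigned"` here but to `"selfSigned"` in questions.yaml; pick one so the GUI and Helm defaults agree. Since every provider credential and the CA `key` are plain values that the chart copies into Kubernetes Secrets, a one-line comment saying so would set expectations for anyone committing a values file to version control.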


@@ -5,4 +5,3 @@
additional_attrs: true
type: dict
attrs: