diff --git a/deploy/hetzner-webhook/.helmignore b/deploy/cert-manager-webhook-hetzner/.helmignore
similarity index 100%
rename from deploy/hetzner-webhook/.helmignore
rename to deploy/cert-manager-webhook-hetzner/.helmignore
diff --git a/deploy/cert-manager-webhook-hetzner/Chart.yaml b/deploy/cert-manager-webhook-hetzner/Chart.yaml
new file mode 100644
index 0000000..0fff556
--- /dev/null
+++ b/deploy/cert-manager-webhook-hetzner/Chart.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+description: A Helm chart for the Hetzner DNS webhook for cert-manager
+name: cert-manager-webhook-hetzner
+version: 0.1.0
+appVersion: 0.1.0
+maintainers:
+ - name: mecodia GmbH
+ url: https://github.com/mecodia/cert-manager-webhook-hetzner
\ No newline at end of file
diff --git a/deploy/hetzner-webhook/templates/NOTES.txt b/deploy/cert-manager-webhook-hetzner/templates/NOTES.txt
similarity index 100%
rename from deploy/hetzner-webhook/templates/NOTES.txt
rename to deploy/cert-manager-webhook-hetzner/templates/NOTES.txt
diff --git a/deploy/hetzner-webhook/templates/_helpers.tpl b/deploy/cert-manager-webhook-hetzner/templates/_helpers.tpl
similarity index 58%
rename from deploy/hetzner-webhook/templates/_helpers.tpl
rename to deploy/cert-manager-webhook-hetzner/templates/_helpers.tpl
index 33e5aab..253a87a 100644
--- a/deploy/hetzner-webhook/templates/_helpers.tpl
+++ b/deploy/cert-manager-webhook-hetzner/templates/_helpers.tpl
@@ -2,7 +2,7 @@
 {{/*
 Expand the name of the chart.
 */}}
-{{- define "hetzner-webhook.name" -}}
+{{- define "cert-manager-webhook-hetzner.name" -}}
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
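Review bot: Chart.yaml is written without a trailing newline (the `\ No newline at end of file` marker after the `url:` line); yamllint's new-line-at-end-of-file rule rejects that, and the next edit to the last line will show up as a two-line diff, so end the file with a newline. `apiVersion: v1` declares the Helm 2 chart format; if the chart is intended for Helm 3, `apiVersion: v2` is the current chart API (v1 charts still install under Helm 3, so this is a choice to document rather than a breakage). The removed `deploy/hetzner-webhook/Chart.yaml` quoted its `appVersion` (`"1.0"`); keeping the new one quoted, `appVersion: "0.1.0"`, protects a future two-component value such as `1.0` from being parsed as a float.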
@@ -11,7 +11,7 @@ Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
 If release name contains chart name it will be used as a full name.
 */}}
-{{- define "hetzner-webhook.fullname" -}}
+{{- define "cert-manager-webhook-hetzner.fullname" -}}
 {{- if .Values.fullnameOverride -}}
 {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
 {{- else -}}
@@ -27,22 +27,22 @@ If release name contains chart name it will be used as a full name.
 {{/*
 Create chart name and version as used by the chart label.
 */}}
-{{- define "hetzner-webhook.chart" -}}
+{{- define "cert-manager-webhook-hetzner.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
-{{- define "hetzner-webhook.selfSignedIssuer" -}}
-{{ printf "%s-selfsign" (include "hetzner-webhook.fullname" .) }}
+{{- define "cert-manager-webhook-hetzner.selfSignedIssuer" -}}
+{{ printf "%s-selfsign" (include "cert-manager-webhook-hetzner.fullname" .) }}
 {{- end -}}
-{{- define "hetzner-webhook.rootCAIssuer" -}}
-{{ printf "%s-ca" (include "hetzner-webhook.fullname" .) }}
+{{- define "cert-manager-webhook-hetzner.rootCAIssuer" -}}
+{{ printf "%s-ca" (include "cert-manager-webhook-hetzner.fullname" .) }}
 {{- end -}}
-{{- define "hetzner-webhook.rootCACertificate" -}}
-{{ printf "%s-ca" (include "hetzner-webhook.fullname" .) }}
+{{- define "cert-manager-webhook-hetzner.rootCACertificate" -}}
+{{ printf "%s-ca" (include "cert-manager-webhook-hetzner.fullname" .) }}
 {{- end -}}
-{{- define "hetzner-webhook.servingCertificate" -}}
-{{ printf "%s-webhook-tls" (include "hetzner-webhook.fullname" .) }}
+{{- define "cert-manager-webhook-hetzner.servingCertificate" -}}
+{{ printf "%s-webhook-tls" (include "cert-manager-webhook-hetzner.fullname" .) }}
 {{- end -}}
 
diff --git a/deploy/hetzner-webhook/templates/apiservice.yaml b/deploy/cert-manager-webhook-hetzner/templates/apiservice.yaml
similarity index 62%
rename from deploy/hetzner-webhook/templates/apiservice.yaml
rename to deploy/cert-manager-webhook-hetzner/templates/apiservice.yaml
index a989ac1..6c6a657 100644
--- a/deploy/hetzner-webhook/templates/apiservice.yaml
+++ b/deploy/cert-manager-webhook-hetzner/templates/apiservice.yaml
@@ -3,17 +3,17 @@ kind: APIService
 metadata:
 name: v1alpha1.{{ .Values.groupName }}
 labels:
- app: {{ include "hetzner-webhook.name" . }}
- chart: {{ include "hetzner-webhook.chart" . }}
+ app: {{ include "cert-manager-webhook-hetzner.name" . }}
+ chart: {{ include "cert-manager-webhook-hetzner.chart" . }}
 release: {{ .Release.Name }}
 heritage: {{ .Release.Service }}
 annotations:
- cert-manager.io/inject-ca-from: "{{ .Release.Namespace }}/{{ include "hetzner-webhook.servingCertificate" . }}"
+ cert-manager.io/inject-ca-from: "{{ .Release.Namespace }}/{{ include "cert-manager-webhook-hetzner.servingCertificate" . }}"
 spec:
 group: {{ .Values.groupName }}
 groupPriorityMinimum: 1000
 versionPriority: 15
 service:
- name: {{ include "hetzner-webhook.fullname" . }}
+ name: {{ include "cert-manager-webhook-hetzner.fullname" . }}
 namespace: {{ .Release.Namespace }}
 version: v1alpha1
diff --git a/deploy/hetzner-webhook/templates/deployment.yaml b/deploy/cert-manager-webhook-hetzner/templates/deployment.yaml
similarity index 76%
rename from deploy/hetzner-webhook/templates/deployment.yaml
rename to deploy/cert-manager-webhook-hetzner/templates/deployment.yaml
index e14d321..5dd6e18 100644
--- a/deploy/hetzner-webhook/templates/deployment.yaml
+++ b/deploy/cert-manager-webhook-hetzner/templates/deployment.yaml
@@ -1,25 +1,25 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
- name: {{ include "hetzner-webhook.fullname" . }}
+ name: {{ include "cert-manager-webhook-hetzner.fullname" . }}
 labels:
- app: {{ include "hetzner-webhook.name" . }}
- chart: {{ include "hetzner-webhook.chart" . }}
+ app: {{ include "cert-manager-webhook-hetzner.name" . }}
+ chart: {{ include "cert-manager-webhook-hetzner.chart" . }}
 release: {{ .Release.Name }}
 heritage: {{ .Release.Service }}
 spec:
 replicas: {{ .Values.replicaCount }}
 selector:
 matchLabels:
- app: {{ include "hetzner-webhook.name" . }}
+ app: {{ include "cert-manager-webhook-hetzner.name" . }}
 release: {{ .Release.Name }}
 template:
 metadata:
 labels:
- app: {{ include "hetzner-webhook.name" . }}
+ app: {{ include "cert-manager-webhook-hetzner.name" . }}
 release: {{ .Release.Name }}
 spec:
- serviceAccountName: {{ include "hetzner-webhook.fullname" . }}
+ serviceAccountName: {{ include "cert-manager-webhook-hetzner.fullname" . }}
 containers:
 - name: {{ .Chart.Name }}
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
@@ -53,7 +53,7 @@ spec:
 volumes:
 - name: certs
 secret:
- secretName: {{ include "hetzner-webhook.servingCertificate" . }}
+ secretName: {{ include "cert-manager-webhook-hetzner.servingCertificate" . }}
 {{- with .Values.nodeSelector }}
 nodeSelector:
 {{ toYaml . | indent 8 }}
diff --git a/deploy/cert-manager-webhook-hetzner/templates/pki.yaml b/deploy/cert-manager-webhook-hetzner/templates/pki.yaml
new file mode 100644
index 0000000..d625173
--- /dev/null
+++ b/deploy/cert-manager-webhook-hetzner/templates/pki.yaml
@@ -0,0 +1,76 @@
+---
+# Create a selfsigned Issuer, in order to create a root CA certificate for
+# signing webhook serving certificates
+apiVersion: cert-manager.io/v1alpha2
+kind: Issuer
+metadata:
+ name: {{ include "cert-manager-webhook-hetzner.selfSignedIssuer" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ app: {{ include "cert-manager-webhook-hetzner.name" . }}
+ chart: {{ include "cert-manager-webhook-hetzner.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ selfSigned: {}
+
+---
+
+# Generate a CA Certificate used to sign certificates for the webhook
+apiVersion: cert-manager.io/v1alpha2
+kind: Certificate
+metadata:
+ name: {{ include "cert-manager-webhook-hetzner.rootCACertificate" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ app: {{ include "cert-manager-webhook-hetzner.name" . }}
+ chart: {{ include "cert-manager-webhook-hetzner.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ secretName: {{ include "cert-manager-webhook-hetzner.rootCACertificate" . }}
+ duration: 43800h # 5y
+ issuerRef:
+ name: {{ include "cert-manager-webhook-hetzner.selfSignedIssuer" . }}
+ commonName: "ca.cert-manager-webhook-hetzner.cert-manager"
+ isCA: true
+
+---
+
+# Create an Issuer that uses the above generated CA certificate to issue certs
+apiVersion: cert-manager.io/v1alpha2
+kind: Issuer
+metadata:
+ name: {{ include "cert-manager-webhook-hetzner.rootCAIssuer" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ app: {{ include "cert-manager-webhook-hetzner.name" . }}
+ chart: {{ include "cert-manager-webhook-hetzner.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ ca:
+ secretName: {{ include "cert-manager-webhook-hetzner.rootCACertificate" . 
}}
+
+---
+
+# Finally, generate a serving certificate for the webhook to use
+apiVersion: cert-manager.io/v1alpha2
+kind: Certificate
+metadata:
+ name: {{ include "cert-manager-webhook-hetzner.servingCertificate" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ app: {{ include "cert-manager-webhook-hetzner.name" . }}
+ chart: {{ include "cert-manager-webhook-hetzner.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ secretName: {{ include "cert-manager-webhook-hetzner.servingCertificate" . }}
+ duration: 8760h # 1y
+ issuerRef:
+ name: {{ include "cert-manager-webhook-hetzner.rootCAIssuer" . }}
+ dnsNames:
+ - {{ include "cert-manager-webhook-hetzner.fullname" . }}
+ - {{ include "cert-manager-webhook-hetzner.fullname" . }}.{{ .Release.Namespace }}
+ - {{ include "cert-manager-webhook-hetzner.fullname" . }}.{{ .Release.Namespace }}.svc
diff --git a/deploy/hetzner-webhook/templates/rbac.yaml b/deploy/cert-manager-webhook-hetzner/templates/rbac.yaml
similarity index 60%
rename from deploy/hetzner-webhook/templates/rbac.yaml
rename to deploy/cert-manager-webhook-hetzner/templates/rbac.yaml
index 96b1fce..0caffbf 100644
--- a/deploy/hetzner-webhook/templates/rbac.yaml
+++ b/deploy/cert-manager-webhook-hetzner/templates/rbac.yaml
@@ -1,10 +1,10 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
- name: {{ include "hetzner-webhook.fullname" . }}
+ name: {{ include "cert-manager-webhook-hetzner.fullname" . }}
 labels:
- app: {{ include "hetzner-webhook.name" . }}
- chart: {{ include "hetzner-webhook.chart" . }}
+ app: {{ include "cert-manager-webhook-hetzner.name" . }}
+ chart: {{ include "cert-manager-webhook-hetzner.chart" . }}
 release: {{ .Release.Name }}
 heritage: {{ .Release.Service }}
 ---
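Review bot: All four resources in pki.yaml use `apiVersion: cert-manager.io/v1alpha2`, the pre-1.0 API group version; cert-manager 1.x serves `cert-manager.io/v1`, and v1alpha2 was dropped from later releases, so the supported cert-manager range should be stated in the chart, or the resources moved to `apiVersion: cert-manager.io/v1` (the Issuer and Certificate fields used here exist unchanged there). The CA Certificate carries a hard-coded `commonName: "ca.cert-manager-webhook-hetzner.cert-manager"`, so two releases of the chart in one cluster would issue CAs with identical subjects; deriving it from the release, e.g. `commonName: "ca.{{ include "cert-manager-webhook-hetzner.fullname" . }}.{{ .Release.Namespace }}"`, keeps the two CAs distinguishable in audit output. The serving Certificate's `dnsNames` cover the bare fullname, `<fullname>.<namespace>` and `<fullname>.<namespace>.svc`, which matches the in-cluster service name the kube-apiserver dials for the APIService, so that part reads correctly.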
@@ -14,11 +14,11 @@ metadata:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
- name: {{ include "hetzner-webhook.fullname" . }}:webhook-authentication-reader
+ name: {{ include "cert-manager-webhook-hetzner.fullname" . }}:webhook-authentication-reader
 namespace: kube-system
 labels:
- app: {{ include "hetzner-webhook.name" . }}
- chart: {{ include "hetzner-webhook.chart" . }}
+ app: {{ include "cert-manager-webhook-hetzner.name" . }}
+ chart: {{ include "cert-manager-webhook-hetzner.chart" . }}
 release: {{ .Release.Name }}
 heritage: {{ .Release.Service }}
 roleRef:
@@ -28,7 +28,7 @@ roleRef:
 subjects:
 - apiGroup: ""
 kind: ServiceAccount
- name: {{ include "hetzner-webhook.fullname" . }}
+ name: {{ include "cert-manager-webhook-hetzner.fullname" . }}
 namespace: {{ .Release.Namespace }}
 ---
 # apiserver gets the auth-delegator role to delegate auth decisions to
@@ -36,10 +36,10 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
- name: {{ include "hetzner-webhook.fullname" . }}:auth-delegator
+ name: {{ include "cert-manager-webhook-hetzner.fullname" . }}:auth-delegator
 labels:
- app: {{ include "hetzner-webhook.name" . }}
- chart: {{ include "hetzner-webhook.chart" . }}
+ app: {{ include "cert-manager-webhook-hetzner.name" . }}
+ chart: {{ include "cert-manager-webhook-hetzner.chart" . }}
 release: {{ .Release.Name }}
 heritage: {{ .Release.Service }}
 roleRef:
@@ -49,17 +49,17 @@ roleRef:
 subjects:
 - apiGroup: ""
 kind: ServiceAccount
- name: {{ include "hetzner-webhook.fullname" . }}
+ name: {{ include "cert-manager-webhook-hetzner.fullname" . }}
 namespace: {{ .Release.Namespace }}
 ---
 # Grant cert-manager permission to validate using our apiserver
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
- name: {{ include "hetzner-webhook.fullname" . }}:domain-solver
+ name: {{ include "cert-manager-webhook-hetzner.fullname" . }}:domain-solver
 labels:
- app: {{ include "hetzner-webhook.name" . }}
- chart: {{ include "hetzner-webhook.chart" . }}
+ app: {{ include "cert-manager-webhook-hetzner.name" . }}
+ chart: {{ include "cert-manager-webhook-hetzner.chart" . }}
 release: {{ .Release.Name }}
 heritage: {{ .Release.Service }}
 rules:
@@ -73,16 +73,16 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
- name: {{ include "hetzner-webhook.fullname" . }}:domain-solver
+ name: {{ include "cert-manager-webhook-hetzner.fullname" . }}:domain-solver
 labels:
- app: {{ include "hetzner-webhook.name" . }}
- chart: {{ include "hetzner-webhook.chart" . }}
+ app: {{ include "cert-manager-webhook-hetzner.name" . }}
+ chart: {{ include "cert-manager-webhook-hetzner.chart" . }}
 release: {{ .Release.Name }}
 heritage: {{ .Release.Service }}
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
- name: {{ include "hetzner-webhook.fullname" . }}:domain-solver
+ name: {{ include "cert-manager-webhook-hetzner.fullname" . }}:domain-solver
 subjects:
 - apiGroup: ""
 kind: ServiceAccount
diff --git a/deploy/hetzner-webhook/templates/service.yaml b/deploy/cert-manager-webhook-hetzner/templates/service.yaml
similarity index 59%
rename from deploy/hetzner-webhook/templates/service.yaml
rename to deploy/cert-manager-webhook-hetzner/templates/service.yaml
index 470f6b0..cbd5fe6 100644
--- a/deploy/hetzner-webhook/templates/service.yaml
+++ b/deploy/cert-manager-webhook-hetzner/templates/service.yaml
@@ -1,11 +1,11 @@
 apiVersion: v1
 kind: Service
 metadata:
- name: {{ include "hetzner-webhook.fullname" . }}
+ name: {{ include "cert-manager-webhook-hetzner.fullname" . }}
 namespace: {{ .Release.Namespace | quote }}
 labels:
- app: {{ include "hetzner-webhook.name" . }}
- chart: {{ include "hetzner-webhook.chart" . }}
+ app: {{ include "cert-manager-webhook-hetzner.name" . }}
+ chart: {{ include "cert-manager-webhook-hetzner.chart" . }}
 release: {{ .Release.Name }}
 heritage: {{ .Release.Service }}
 spec:
@@ -16,5 +16,5 @@ spec:
 protocol: TCP
 name: https
 selector:
- app: {{ include "hetzner-webhook.name" . }}
+ app: {{ include "cert-manager-webhook-hetzner.name" . }}
 release: {{ .Release.Name }}
diff --git a/deploy/hetzner-webhook/values.yaml b/deploy/cert-manager-webhook-hetzner/values.yaml
similarity index 100%
rename from deploy/hetzner-webhook/values.yaml
rename to deploy/cert-manager-webhook-hetzner/values.yaml
diff --git a/deploy/hetzner-webhook/Chart.yaml b/deploy/hetzner-webhook/Chart.yaml
deleted file mode 100644
index 58e44ec..0000000
--- a/deploy/hetzner-webhook/Chart.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-apiVersion: v1
-appVersion: "1.0"
-description: A Helm chart for Kubernetes
-name: hetzner-webhook
-version: 0.1.0
diff --git a/deploy/hetzner-webhook/templates/pki.yaml b/deploy/hetzner-webhook/templates/pki.yaml
deleted file mode 100644
index 76260db..0000000
--- a/deploy/hetzner-webhook/templates/pki.yaml
+++ /dev/null
@@ -1,76 +0,0 @@
----
-# Create a selfsigned Issuer, in order to create a root CA certificate for
-# signing webhook serving certificates
-apiVersion: cert-manager.io/v1alpha2
-kind: Issuer
-metadata:
- name: {{ include "hetzner-webhook.selfSignedIssuer" . }}
- namespace: {{ .Release.Namespace | quote }}
- labels:
- app: {{ include "hetzner-webhook.name" . }}
- chart: {{ include "hetzner-webhook.chart" . }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
-spec:
- selfSigned: {}
-
----
-
-# Generate a CA Certificate used to sign certificates for the webhook
-apiVersion: cert-manager.io/v1alpha2
-kind: Certificate
-metadata:
- name: {{ include "hetzner-webhook.rootCACertificate" . }}
- namespace: {{ .Release.Namespace | quote }}
- labels:
- app: {{ include "hetzner-webhook.name" . }}
- chart: {{ include "hetzner-webhook.chart" . }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
-spec:
- secretName: {{ include "hetzner-webhook.rootCACertificate" . }}
- duration: 43800h # 5y
- issuerRef:
- name: {{ include "hetzner-webhook.selfSignedIssuer" . }}
- commonName: "ca.hetzner-webhook.cert-manager"
- isCA: true
-
----
-
-# Create an Issuer that uses the above generated CA certificate to issue certs
-apiVersion: cert-manager.io/v1alpha2
-kind: Issuer
-metadata:
- name: {{ include "hetzner-webhook.rootCAIssuer" . }}
- namespace: {{ .Release.Namespace | quote }}
- labels:
- app: {{ include "hetzner-webhook.name" . }}
- chart: {{ include "hetzner-webhook.chart" . }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
-spec:
- ca:
- secretName: {{ include "hetzner-webhook.rootCACertificate" . }}
-
----
-
-# Finally, generate a serving certificate for the webhook to use
-apiVersion: cert-manager.io/v1alpha2
-kind: Certificate
-metadata:
- name: {{ include "hetzner-webhook.servingCertificate" . }}
- namespace: {{ .Release.Namespace | quote }}
- labels:
- app: {{ include "hetzner-webhook.name" . 
}}
- chart: {{ include "hetzner-webhook.chart" . }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
-spec:
- secretName: {{ include "hetzner-webhook.servingCertificate" . }}
- duration: 8760h # 1y
- issuerRef:
- name: {{ include "hetzner-webhook.rootCAIssuer" . }}
- dnsNames:
- - {{ include "hetzner-webhook.fullname" . }}
- - {{ include "hetzner-webhook.fullname" . }}.{{ .Release.Namespace }}
- - {{ include "hetzner-webhook.fullname" . }}.{{ .Release.Namespace }}.svc