feat: add manifest bundle
Nox-404 committed May 3, 2024
1 parent c290d8d commit 9c6b9a7
Showing 2 changed files with 260 additions and 2 deletions.
7 changes: 5 additions & 2 deletions README.md
Expand Up @@ -26,19 +26,22 @@ helm repo update
- Install the chart

```bash
helm install scaleway-webhook scaleway/scaleway-certmanager-webhook
helm install scaleway-certmanager-webhook scaleway/scaleway-certmanager-webhook
```

- Alternatively, you can install the webhook with default credentials with:

```bash
helm install scaleway-webhook scaleway/scaleway-certmanager-webhook --set secret.accessKey=<YOUR-ACCESS-KEY> --set secret.secretKey=<YOUR-SECRET_KEY>
helm install scaleway-certmanager-webhook scaleway/scaleway-certmanager-webhook --set secret.accessKey=<YOUR-ACCESS-KEY> --set secret.secretKey=<YOUR-SECRET_KEY>
```

The Scaleway Webhook is now installed! :tada:

> Refer to the chart's [documentation](https://github.com/scaleway/helm-charts/blob/master/charts/scaleway-certmanager-webhook/README.md) for more configuration options.
> Alternatively, you may use the provided bundle for a basic install in the cert-manager namespace:
> `kubectl apply -f https://github.com/raw/scaleway/cert-manager-webhook-scaleway/main/deploy/bundle.yaml`
### How to use it

**Note**: It uses the [cert-manager webhook system](https://cert-manager.io/docs/configuration/acme/dns01/webhook/). Everything after the issuer is configured is just cert-manager. You can find out more in [their documentation](https://cert-manager.io/docs/usage/).
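--- /dev/null
+++ b/deploy/bundle.yaml
@@ -0,0 +1,255 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+name: scaleway-certmanager-webhook
+labels:
+app: scaleway-certmanager-webhook
+---
+# Grant cert-manager permission to validate using our apiserver
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+name: scaleway-certmanager-webhook:domain-solver
+labels:
+app: scaleway-certmanager-webhook
+rules:
+- apiGroups:
+- acme.scaleway.com
+resources:
+- '*'
+verbs:
+- 'create'
+---
+# apiserver gets the auth-delegator role to delegate auth decisions to
+# the core apiserver
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+name: scaleway-certmanager-webhook:auth-delegator
+labels:
+app: scaleway-certmanager-webhook
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: ClusterRole
+name: system:auth-delegator
+subjects:
+- apiGroup: ""
+kind: ServiceAccount
+name: scaleway-certmanager-webhook
+namespace: cert-manager
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+name: scaleway-certmanager-webhook:domain-solver
+labels:
+app: scaleway-certmanager-webhook
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: ClusterRole
+name: scaleway-certmanager-webhook:domain-solver
+subjects:
+- apiGroup: ""
+kind: ServiceAccount
+name: cert-manager
+namespace: cert-manager
+---
+# Grant the webhook permission to read the secrets containing the credentials
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+name: scaleway-certmanager-webhook:secrets-reader
+namespace: cert-manager
+labels:
+app: scaleway-certmanager-webhook
+rules:
+- apiGroups:
+- ''
+resources:
+- 'secrets'
+verbs:
+- 'get'
+---
+# Grant the webhook permission to read the secrets containing the credentials
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+name: scaleway-certmanager-webhook:secrets-reader
+namespace: cert-manager
+labels:
+app: scaleway-certmanager-webhook
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: Role
+name: scaleway-certmanager-webhook:secrets-reader
+subjects:
+- apiGroup: ""
+kind: ServiceAccount
+name: scaleway-certmanager-webhook
+namespace: cert-manager
+---
+# Grant the webhook permission to read the ConfigMap containing the Kubernetes
+# apiserver's requestheader-ca-certificate.
+# This ConfigMap is automatically created by the Kubernetes apiserver.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+name: scaleway-certmanager-webhook:webhook-authentication-reader
+namespace: kube-system
+labels:
+app: scaleway-certmanager-webhook
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: Role
+name: extension-apiserver-authentication-reader
+subjects:
+- apiGroup: ""
+kind: ServiceAccount
+name: scaleway-certmanager-webhook
+namespace: cert-manager
+---
+apiVersion: v1
+kind: Service
+metadata:
+name: scaleway-certmanager-webhook
+labels:
+app: scaleway-certmanager-webhook
+spec:
+type: ClusterIP
+ports:
+- port: 443
+targetPort: https
+protocol: TCP
+name: https
+selector:
+app: scaleway-certmanager-webhook
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+name: scaleway-certmanager-webhook
+labels:
+app: scaleway-certmanager-webhook
+spec:
+replicas: 1
+selector:
+matchLabels:
+app: scaleway-certmanager-webhook
+template:
+metadata:
+labels:
+app: scaleway-certmanager-webhook
+spec:
+serviceAccountName: scaleway-certmanager-webhook
+containers:
+- name: scaleway-certmanager-webhook
+image: "scaleway/cert-manager-webhook-scaleway:v0.1.0"
+imagePullPolicy: IfNotPresent
+args:
+- --tls-cert-file=/tls/tls.crt
+- --tls-private-key-file=/tls/tls.key
+env:
+- name: GROUP_NAME
+value: "acme.scaleway.com"
+
+ports:
+- name: https
+containerPort: 443
+protocol: TCP
+livenessProbe:
+httpGet:
+scheme: HTTPS
+path: /healthz
+port: https
+readinessProbe:
+timeoutSeconds: 5
+httpGet:
+scheme: HTTPS
+path: /healthz
+port: https
+volumeMounts:
+- name: certs
+mountPath: /tls
+readOnly: true
+resources:
+{}
+volumes:
+- name: certs
+secret:
+secretName: scaleway-certmanager-webhook-webhook-tls
+---
+apiVersion: apiregistration.k8s.io/v1
+kind: APIService
+metadata:
+name: v1alpha1.acme.scaleway.com
+labels:
+app: scaleway-certmanager-webhook
+annotations:
+cert-manager.io/inject-ca-from: "cert-manager/scaleway-certmanager-webhook-webhook-tls"
+spec:
+group: acme.scaleway.com
+groupPriorityMinimum: 1000
+versionPriority: 15
+service:
+name: scaleway-certmanager-webhook
+namespace: cert-manager
+version: v1alpha1
+---
+# Generate a CA Certificate used to sign certificates for the webhook
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+name: scaleway-certmanager-webhook-ca
+namespace: "cert-manager"
+labels:
+app: scaleway-certmanager-webhook
+spec:
+secretName: scaleway-certmanager-webhook-ca
+duration: 43800h
+issuerRef:
+name: scaleway-certmanager-webhook-selfsign
+commonName: "ca.scaleway-webhook.cert-manager"
+isCA: true
+---
+# Finally, generate a serving certificate for the webhook to use
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+name: scaleway-certmanager-webhook-webhook-tls
+namespace: "cert-manager"
+labels:
+app: scaleway-certmanager-webhook
+spec:
+secretName: scaleway-certmanager-webhook-webhook-tls
+duration: 8760h
+issuerRef:
+name: scaleway-certmanager-webhook-ca
+dnsNames:
+- scaleway-certmanager-webhook
+- scaleway-certmanager-webhook.cert-manager
+- scaleway-certmanager-webhook.cert-manager.svc
+---
+# Create a selfsigned Issuer, in order to create a root CA certificate for
+# signing webhook serving certificates
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+name: scaleway-certmanager-webhook-selfsign
+namespace: "cert-manager"
+labels:
+app: scaleway-certmanager-webhook
+spec:
+selfSigned: {}
+---
+# Create an Issuer that uses the above generated CA certificate to issue certs
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+name: scaleway-certmanager-webhook-ca
+namespace: "cert-manager"
+labels:
+app: scaleway-certmanager-webhook
+spec:
+ca:
+secretName: scaleway-certmanager-webhook-ca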
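Review bot: The ServiceAccount, Service and Deployment in this bundle carry no `metadata.namespace`, while every RoleBinding subject, the APIService's `service` reference, the Certificates and the Issuers hard-code `cert-manager`; applied as the README suggests (`kubectl apply -f …bundle.yaml` with no `-n`), those three resources land in whatever namespace the kubectl context selects, the RBAC bindings then name a ServiceAccount that does not exist there, the APIService resolves to a missing Service, and the pod's `certs` volume looks for `scaleway-certmanager-webhook-webhook-tls` in the wrong namespace. Adding `namespace: cert-manager` under `metadata` of the ServiceAccount, Service and Deployment makes the bundle self-consistent regardless of the caller's context. Separately, the `secrets-reader` Role grants `get` on every Secret in `cert-manager`, a namespace that also holds the CA and serving-key Secrets this bundle itself generates and cert-manager's own issuer keys; if the credential Secret name is fixed for the bundle, a `resourceNames` list would narrow that grant. The Deployment also sets no `securityContext` and an empty `resources: {}`, which deserves at least a comment explaining the intended hardening before this is advertised as the basic install path.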
