From f67b7ed93e4ed49400213a3b553922f8cb2a487a Mon Sep 17 00:00:00 2001 From: Finn Date: Tue, 21 Jan 2025 09:19:57 -0800 Subject: [PATCH] cert-manager-webhook-pdns: render from helm in main cluster already doing this in the new cluster, might as well have a way to update it here too --- helm/render-all.sh | 2 +- .../bundle.yaml} | 444 ++++++++---------- .../kustomization.yaml | 18 + .../letsencrypt.yaml | 0 .../namespace-patch.yaml | 3 + k8s/operators/cert-manager/kustomization.yaml | 4 +- 6 files changed, 229 insertions(+), 242 deletions(-) rename k8s/operators/{cert-manager/pdns-hook.yaml => cert-manager-webhook-pdns/bundle.yaml} (51%) create mode 100644 k8s/operators/cert-manager-webhook-pdns/kustomization.yaml rename k8s/operators/{cert-manager => cert-manager-webhook-pdns}/letsencrypt.yaml (100%) create mode 100644 k8s/operators/cert-manager-webhook-pdns/namespace-patch.yaml diff --git a/helm/render-all.sh b/helm/render-all.sh index 91d2dd9..55d451e 100755 --- a/helm/render-all.sh +++ b/helm/render-all.sh @@ -14,7 +14,7 @@ render_helm() { } # main k8s cluster operators -for component in openbao external-secrets secrets-store-csi-driver; do +for component in openbao external-secrets secrets-store-csi-driver cert-manager-webhook-pdns; do render_helm ../k8s/operators "${component}" done diff --git a/k8s/operators/cert-manager/pdns-hook.yaml b/k8s/operators/cert-manager-webhook-pdns/bundle.yaml similarity index 51% rename from k8s/operators/cert-manager/pdns-hook.yaml rename to k8s/operators/cert-manager-webhook-pdns/bundle.yaml index 21c37a0..5d095b0 100644 --- a/k8s/operators/cert-manager/pdns-hook.yaml +++ b/k8s/operators/cert-manager-webhook-pdns/bundle.yaml 
@@ -1,345 +1,311 @@ ---- -# Source: cert-manager-webhook-pdns/templates/serviceaccount.yaml +# DO NOT EDIT: This file has been automatically generated by the script in helm/render-all.sh, edits may get overwritten apiVersion: v1 kind: ServiceAccount metadata: - name: cert-manager-webhook-pdns - namespace: cert-manager labels: - helm.sh/chart: cert-manager-webhook-pdns-3.1.3 - app.kubernetes.io/name: cert-manager-webhook-pdns app.kubernetes.io/instance: cert-manager-webhook-pdns - app.kubernetes.io/version: "v2.5.1" app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: cert-manager-webhook-pdns + app.kubernetes.io/version: v2.5.1 + helm.sh/chart: cert-manager-webhook-pdns-3.2.2 + name: cert-manager-webhook-pdns --- -# Source: cert-manager-webhook-pdns/templates/rbac.yaml -# Grant cert-manager permission to validate using our apiserver apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: cert-manager-webhook-pdns labels: - helm.sh/chart: cert-manager-webhook-pdns-3.1.3 - app.kubernetes.io/name: cert-manager-webhook-pdns app.kubernetes.io/instance: cert-manager-webhook-pdns - app.kubernetes.io/version: "v2.5.1" app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: cert-manager-webhook-pdns + app.kubernetes.io/version: v2.5.1 + helm.sh/chart: cert-manager-webhook-pdns-3.2.2 + name: cert-manager-webhook-pdns rules: - - apiGroups: - - '' - resources: - - 'secrets' - verbs: - - 'get' - - apiGroups: - - 'flowcontrol.apiserver.k8s.io' - resources: - - 'flowschemas' - - 'prioritylevelconfigurations' - verbs: - - 'watch' - - 'list' +- apiGroups: + - "" + resources: + - secrets + verbs: + - get +- apiGroups: + - flowcontrol.apiserver.k8s.io + resources: + - flowschemas + - prioritylevelconfigurations + verbs: + - watch + - list --- -# Source: cert-manager-webhook-pdns/templates/rbac.yaml -# Grant cert-manager permission to validate using our apiserver apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: 
cert-manager-webhook-pdns:domain-solver labels: - helm.sh/chart: cert-manager-webhook-pdns-3.1.3 - app.kubernetes.io/name: cert-manager-webhook-pdns app.kubernetes.io/instance: cert-manager-webhook-pdns - app.kubernetes.io/version: "v2.5.1" app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: cert-manager-webhook-pdns + app.kubernetes.io/version: v2.5.1 + helm.sh/chart: cert-manager-webhook-pdns-3.2.2 + name: cert-manager-webhook-pdns:domain-solver rules: - - apiGroups: - - acme.zacharyseguin.ca - resources: - - '*' - verbs: - - 'create' +- apiGroups: + - acme.zacharyseguin.ca + resources: + - '*' + verbs: + - create --- -# Source: cert-manager-webhook-pdns/templates/rbac.yaml -# Grant the webhook permission to read the ConfigMap containing the Kubernetes -# apiserver's requestheader-ca-certificate. -# This ConfigMap is automatically created by the Kubernetes apiserver. -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: cert-manager-webhook-pdns - labels: - helm.sh/chart: cert-manager-webhook-pdns-3.1.3 - app.kubernetes.io/name: cert-manager-webhook-pdns - app.kubernetes.io/instance: cert-manager-webhook-pdns - app.kubernetes.io/version: "v2.5.1" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cert-manager-webhook-pdns -subjects: - - apiGroup: "" - kind: ServiceAccount - name: cert-manager-webhook-pdns - namespace: cert-manager ---- -# Source: cert-manager-webhook-pdns/templates/rbac.yaml -# apiserver gets the auth-delegator role to delegate auth decisions to -# the core apiserver -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: cert-manager-webhook-pdns:auth-delegator - labels: - helm.sh/chart: cert-manager-webhook-pdns-3.1.3 - app.kubernetes.io/name: cert-manager-webhook-pdns - app.kubernetes.io/instance: cert-manager-webhook-pdns - app.kubernetes.io/version: "v2.5.1" - app.kubernetes.io/managed-by: Helm -roleRef: - 
apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:auth-delegator -subjects: - - apiGroup: "" - kind: ServiceAccount - name: cert-manager-webhook-pdns - namespace: cert-manager ---- -# Source: cert-manager-webhook-pdns/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: cert-manager-webhook-pdns:domain-solver - labels: - helm.sh/chart: cert-manager-webhook-pdns-3.1.3 - app.kubernetes.io/name: cert-manager-webhook-pdns - app.kubernetes.io/instance: cert-manager-webhook-pdns - app.kubernetes.io/version: "v2.5.1" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cert-manager-webhook-pdns:domain-solver -subjects: - - apiGroup: "" - kind: ServiceAccount - name: cert-manager - namespace: cert-manager ---- -# Source: cert-manager-webhook-pdns/templates/rbac.yaml -# Grant the webhook permission to read the ConfigMap containing the Kubernetes -# apiserver's requestheader-ca-certificate. -# This ConfigMap is automatically created by the Kubernetes apiserver. 
apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: + labels: + app.kubernetes.io/instance: cert-manager-webhook-pdns + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: cert-manager-webhook-pdns + app.kubernetes.io/version: v2.5.1 + helm.sh/chart: cert-manager-webhook-pdns-3.2.2 name: cert-manager-webhook-pdns:webhook-authentication-reader namespace: kube-system - labels: - helm.sh/chart: cert-manager-webhook-pdns-3.1.3 - app.kubernetes.io/name: cert-manager-webhook-pdns - app.kubernetes.io/instance: cert-manager-webhook-pdns - app.kubernetes.io/version: "v2.5.1" - app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: extension-apiserver-authentication-reader subjects: - - apiGroup: "" - kind: ServiceAccount - name: cert-manager-webhook-pdns - namespace: cert-manager +- apiGroup: "" + kind: ServiceAccount + name: cert-manager-webhook-pdns + namespace: cert-manager +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/instance: cert-manager-webhook-pdns + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: cert-manager-webhook-pdns + app.kubernetes.io/version: v2.5.1 + helm.sh/chart: cert-manager-webhook-pdns-3.2.2 + name: cert-manager-webhook-pdns +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cert-manager-webhook-pdns +subjects: +- apiGroup: "" + kind: ServiceAccount + name: cert-manager-webhook-pdns + namespace: cert-manager +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/instance: cert-manager-webhook-pdns + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: cert-manager-webhook-pdns + app.kubernetes.io/version: v2.5.1 + helm.sh/chart: cert-manager-webhook-pdns-3.2.2 + name: cert-manager-webhook-pdns:auth-delegator +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:auth-delegator 
+subjects: +- apiGroup: "" + kind: ServiceAccount + name: cert-manager-webhook-pdns + namespace: cert-manager +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/instance: cert-manager-webhook-pdns + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: cert-manager-webhook-pdns + app.kubernetes.io/version: v2.5.1 + helm.sh/chart: cert-manager-webhook-pdns-3.2.2 + name: cert-manager-webhook-pdns:domain-solver +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cert-manager-webhook-pdns:domain-solver +subjects: +- apiGroup: "" + kind: ServiceAccount + name: cert-manager + namespace: cert-manager --- -# Source: cert-manager-webhook-pdns/templates/service.yaml apiVersion: v1 kind: Service metadata: - name: cert-manager-webhook-pdns - namespace: cert-manager labels: - helm.sh/chart: cert-manager-webhook-pdns-3.1.3 - app.kubernetes.io/name: cert-manager-webhook-pdns app.kubernetes.io/instance: cert-manager-webhook-pdns - app.kubernetes.io/version: "v2.5.1" app.kubernetes.io/managed-by: Helm -spec: - type: ClusterIP - ports: - - port: 443 - targetPort: https - protocol: TCP - name: https - selector: app.kubernetes.io/name: cert-manager-webhook-pdns + app.kubernetes.io/version: v2.5.1 + helm.sh/chart: cert-manager-webhook-pdns-3.2.2 + name: cert-manager-webhook-pdns +spec: + ports: + - name: https + port: 443 + protocol: TCP + targetPort: https + selector: app.kubernetes.io/instance: cert-manager-webhook-pdns + app.kubernetes.io/name: cert-manager-webhook-pdns + type: ClusterIP --- -# Source: cert-manager-webhook-pdns/templates/deployment.yaml apiVersion: apps/v1 kind: Deployment metadata: - name: cert-manager-webhook-pdns - namespace: cert-manager labels: - helm.sh/chart: cert-manager-webhook-pdns-3.1.3 - app.kubernetes.io/name: cert-manager-webhook-pdns app.kubernetes.io/instance: cert-manager-webhook-pdns - app.kubernetes.io/version: "v2.5.1" app.kubernetes.io/managed-by: Helm 
+ app.kubernetes.io/name: cert-manager-webhook-pdns + app.kubernetes.io/version: v2.5.1 + helm.sh/chart: cert-manager-webhook-pdns-3.2.2 + name: cert-manager-webhook-pdns spec: - replicas: 1 + replicas: null selector: matchLabels: - app.kubernetes.io/name: cert-manager-webhook-pdns app.kubernetes.io/instance: cert-manager-webhook-pdns + app.kubernetes.io/name: cert-manager-webhook-pdns template: metadata: labels: - helm.sh/chart: cert-manager-webhook-pdns-3.1.3 - app.kubernetes.io/name: cert-manager-webhook-pdns app.kubernetes.io/instance: cert-manager-webhook-pdns - app.kubernetes.io/version: "v2.5.1" app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: cert-manager-webhook-pdns + app.kubernetes.io/version: v2.5.1 + helm.sh/chart: cert-manager-webhook-pdns-3.2.2 spec: - serviceAccountName: cert-manager-webhook-pdns containers: - - name: cert-manager-webhook-pdns - image: docker.io/zachomedia/cert-manager-webhook-pdns:v2.5.1 - imagePullPolicy: IfNotPresent - args: - - --tls-cert-file=/tls/tls.crt - - --tls-private-key-file=/tls/tls.key - - --secure-port=8443 - env: - - name: GROUP_NAME - value: "acme.zacharyseguin.ca" - ports: - - name: https - containerPort: 8443 - protocol: TCP - securityContext: - runAsGroup: 100 - runAsUser: 100 - livenessProbe: - httpGet: - scheme: HTTPS - path: /healthz - port: https - readinessProbe: - httpGet: - scheme: HTTPS - path: /healthz - port: https - volumeMounts: - - name: certs - mountPath: /tls - readOnly: true - resources: - {} + - args: + - --tls-cert-file=/tls/tls.crt + - --tls-private-key-file=/tls/tls.key + - --secure-port=8443 + env: + - name: GROUP_NAME + value: acme.zacharyseguin.ca + image: zachomedia/cert-manager-webhook-pdns:v2.5.1 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: https + scheme: HTTPS + name: cert-manager-webhook-pdns + ports: + - containerPort: 8443 + name: https + protocol: TCP + readinessProbe: + httpGet: + path: /healthz + port: https + scheme: HTTPS + 
resources: {} + securityContext: + runAsGroup: 100 + runAsUser: 100 + volumeMounts: + - mountPath: /tls + name: certs + readOnly: true + serviceAccountName: cert-manager-webhook-pdns volumes: - - name: certs - secret: - secretName: cert-manager-webhook-pdns-webhook-tls + - name: certs + secret: + secretName: cert-manager-webhook-pdns-webhook-tls --- -# Source: cert-manager-webhook-pdns/templates/apiservice.yaml apiVersion: apiregistration.k8s.io/v1 kind: APIService metadata: - name: v1alpha1.acme.zacharyseguin.ca - namespace: cert-manager - labels: - helm.sh/chart: cert-manager-webhook-pdns-3.1.3 - app.kubernetes.io/name: cert-manager-webhook-pdns - app.kubernetes.io/instance: cert-manager-webhook-pdns - app.kubernetes.io/version: "v2.5.1" - app.kubernetes.io/managed-by: Helm annotations: - cert-manager.io/inject-ca-from: "cert-manager/cert-manager-webhook-pdns-webhook-tls" + cert-manager.io/inject-ca-from: cert-manager/cert-manager-webhook-pdns-webhook-tls + labels: + app.kubernetes.io/instance: cert-manager-webhook-pdns + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: cert-manager-webhook-pdns + app.kubernetes.io/version: v2.5.1 + helm.sh/chart: cert-manager-webhook-pdns-3.2.2 + name: v1alpha1.acme.zacharyseguin.ca spec: group: acme.zacharyseguin.ca groupPriorityMinimum: 1000 - versionPriority: 15 service: name: cert-manager-webhook-pdns namespace: cert-manager version: v1alpha1 + versionPriority: 15 --- -# Source: cert-manager-webhook-pdns/templates/pki.yaml -# Generate a CA Certificate used to sign certificates for the webhook apiVersion: cert-manager.io/v1 kind: Certificate metadata: - name: cert-manager-webhook-pdns-ca - namespace: "cert-manager" labels: - helm.sh/chart: cert-manager-webhook-pdns-3.1.3 - app.kubernetes.io/name: cert-manager-webhook-pdns app.kubernetes.io/instance: cert-manager-webhook-pdns - app.kubernetes.io/version: "v2.5.1" app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: cert-manager-webhook-pdns + 
app.kubernetes.io/version: v2.5.1 + helm.sh/chart: cert-manager-webhook-pdns-3.2.2 + name: cert-manager-webhook-pdns-ca + namespace: cert-manager spec: - secretName: cert-manager-webhook-pdns-ca - duration: 43800h0m0s # 5y + commonName: ca.cert-manager-webhook-pdns.cert-manager + duration: 43800h0m0s + isCA: true issuerRef: name: cert-manager-webhook-pdns-selfsign - commonName: "ca.cert-manager-webhook-pdns.cert-manager" - isCA: true + secretName: cert-manager-webhook-pdns-ca --- -# Source: cert-manager-webhook-pdns/templates/pki.yaml -# Finally, generate a serving certificate for the webhook to use apiVersion: cert-manager.io/v1 kind: Certificate metadata: - name: cert-manager-webhook-pdns-webhook-tls - namespace: "cert-manager" labels: - helm.sh/chart: cert-manager-webhook-pdns-3.1.3 - app.kubernetes.io/name: cert-manager-webhook-pdns app.kubernetes.io/instance: cert-manager-webhook-pdns - app.kubernetes.io/version: "v2.5.1" app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: cert-manager-webhook-pdns + app.kubernetes.io/version: v2.5.1 + helm.sh/chart: cert-manager-webhook-pdns-3.2.2 + name: cert-manager-webhook-pdns-webhook-tls + namespace: cert-manager spec: - secretName: cert-manager-webhook-pdns-webhook-tls - duration: 8760h0m0s # 1y - issuerRef: - name: cert-manager-webhook-pdns-ca dnsNames: - cert-manager-webhook-pdns - cert-manager-webhook-pdns.cert-manager - cert-manager-webhook-pdns.cert-manager.svc + duration: 8760h0m0s + issuerRef: + name: cert-manager-webhook-pdns-ca + secretName: cert-manager-webhook-pdns-webhook-tls --- -# Source: cert-manager-webhook-pdns/templates/pki.yaml -# Create a selfsigned Issuer, in order to create a root CA certificate for -# signing webhook serving certificates apiVersion: cert-manager.io/v1 kind: Issuer metadata: - name: cert-manager-webhook-pdns-selfsign - namespace: "cert-manager" labels: - helm.sh/chart: cert-manager-webhook-pdns-3.1.3 - app.kubernetes.io/name: cert-manager-webhook-pdns 
app.kubernetes.io/instance: cert-manager-webhook-pdns - app.kubernetes.io/version: "v2.5.1" app.kubernetes.io/managed-by: Helm -spec: - selfSigned: {} ---- -# Source: cert-manager-webhook-pdns/templates/pki.yaml -# Create an Issuer that uses the above generated CA certificate to issue certs -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: + app.kubernetes.io/name: cert-manager-webhook-pdns + app.kubernetes.io/version: v2.5.1 + helm.sh/chart: cert-manager-webhook-pdns-3.2.2 name: cert-manager-webhook-pdns-ca - namespace: "cert-manager" - labels: - helm.sh/chart: cert-manager-webhook-pdns-3.1.3 - app.kubernetes.io/name: cert-manager-webhook-pdns - app.kubernetes.io/instance: cert-manager-webhook-pdns - app.kubernetes.io/version: "v2.5.1" - app.kubernetes.io/managed-by: Helm + namespace: cert-manager spec: ca: secretName: cert-manager-webhook-pdns-ca +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + labels: + app.kubernetes.io/instance: cert-manager-webhook-pdns + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: cert-manager-webhook-pdns + app.kubernetes.io/version: v2.5.1 + helm.sh/chart: cert-manager-webhook-pdns-3.2.2 + name: cert-manager-webhook-pdns-selfsign + namespace: cert-manager +spec: + selfSigned: {} diff --git a/k8s/operators/cert-manager-webhook-pdns/kustomization.yaml b/k8s/operators/cert-manager-webhook-pdns/kustomization.yaml new file mode 100644 index 0000000..79e81d3 --- /dev/null +++ b/k8s/operators/cert-manager-webhook-pdns/kustomization.yaml @@ -0,0 +1,18 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - bundle.yaml + - letsencrypt.yaml +patches: + - path: namespace-patch.yaml + target: + kind: Deployment + name: cert-manager-webhook-pdns + - path: namespace-patch.yaml + target: + kind: ServiceAccount + name: cert-manager-webhook-pdns + - path: namespace-patch.yaml + target: + kind: Service + name: cert-manager-webhook-pdns 
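Review bot: The Deployment this kustomization pulls in from bundle.yaml now carries an unqualified image reference, `zachomedia/cert-manager-webhook-pdns:v2.5.1` where the hand-written manifest it replaces had `docker.io/zachomedia/...`, so which registry serves the image depends on each node's runtime default rather than on the manifest, and there is still no digest pin; `replicas: null` is presumably treated as unset and defaults to 1. Because bundle.yaml is generated and marked do-not-edit, the right place to correct this is a fourth patch here that pins the image by digest and adds the container hardening the chart output omits (`runAsNonRoot`, `allowPrivilegeEscalation: false`, dropped capabilities; `readOnlyRootFilesystem` if the image tolerates it). A one-line comment above `patches:` would also save the next reader from replacing the three per-resource namespace patches with a Kustomization-level `namespace: cert-manager`, which would additionally rewrite the RoleBinding that has to stay in kube-system, e.g. `# per-resource namespace patches: a top-level namespace: would also move the kube-system RoleBinding`. The chart's ClusterRole also grants `get` on secrets cluster-wide; whether that can be narrowed depends on where the PowerDNS API key secret lives, which is not visible here.
```yaml
# … unchanged: resources and the three namespace patches …
  - target:
      kind: Deployment
      name: cert-manager-webhook-pdns
    patch: |
      - op: replace
        path: /spec/template/spec/containers/0/image
        value: docker.io/zachomedia/cert-manager-webhook-pdns:v2.5.1@sha256:<digest>
      - op: add
        path: /spec/template/spec/containers/0/securityContext/runAsNonRoot
        value: true
      - op: add
        path: /spec/template/spec/containers/0/securityContext/allowPrivilegeEscalation
        value: false
      - op: add
        path: /spec/template/spec/containers/0/securityContext/capabilities
        value:
          drop: ["ALL"]
      # verify the image tolerates a read-only root before adding this
      - op: add
        path: /spec/template/spec/containers/0/securityContext/readOnlyRootFilesystem
        value: true
```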
diff --git a/k8s/operators/cert-manager/letsencrypt.yaml b/k8s/operators/cert-manager-webhook-pdns/letsencrypt.yaml similarity index 100% rename from k8s/operators/cert-manager/letsencrypt.yaml rename to k8s/operators/cert-manager-webhook-pdns/letsencrypt.yaml diff --git a/k8s/operators/cert-manager-webhook-pdns/namespace-patch.yaml b/k8s/operators/cert-manager-webhook-pdns/namespace-patch.yaml new file mode 100644 index 0000000..e3a273e --- /dev/null +++ b/k8s/operators/cert-manager-webhook-pdns/namespace-patch.yaml @@ -0,0 +1,3 @@ +- op: add + path: /metadata/namespace + value: cert-manager diff --git a/k8s/operators/cert-manager/kustomization.yaml b/k8s/operators/cert-manager/kustomization.yaml index b4bc2ca..9eb0aee 100644 --- a/k8s/operators/cert-manager/kustomization.yaml +++ b/k8s/operators/cert-manager/kustomization.yaml @@ -3,8 +3,8 @@ kind: Kustomization # namespace: cert-manager resources: - https://github.com/cert-manager/cert-manager/releases/download/v1.15.2/cert-manager.yaml - - pdns-hook.yaml - - letsencrypt.yaml + # - pdns-hook.yaml + # - letsencrypt.yaml - selfsigned.yaml patches: - path: controller-patches.yaml
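Review bot: The two entries are commented out rather than deleted, and nothing in this file says where they went or that the new `cert-manager-webhook-pdns` kustomization depends on this one (its Certificate and Issuer objects need the cert-manager CRDs, and its namespace patches assume the `cert-manager` namespace exists), so the apply order is now an undocumented constraint. Replace the two commented lines with a comment that records both: `# pdns webhook + letsencrypt issuers moved to ../cert-manager-webhook-pdns; apply that after this one (needs the CRDs and the namespace).` If the webhook kustomization is applied through the same tooling, that would also be the place to express the ordering explicitly.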