feat: add namecheap-webhook for dns01 certificate provisioning

2025-10-31 09:19:38 +01:00
parent 685d4643d9
commit 34ce048512
6 changed files with 172 additions and 24 deletions
@@ -0,0 +1,42 @@
+bases:
+ - ../envs/environments.yaml.gotmpl
+
+repositories:
+  - name: namecheap-webhook
+    url: git+https://github.com/kelvie/cert-manager-webhook-namecheap@deploy?ref=master
+
+commonLabels:
+  tier: system
+
+releases:
+- name: namecheap-webhook
+  namespace: cert-manager
+  chart: namecheap-webhook/cert-manager-webhook-namecheap
+  condition: namecheap.enabled
+  values:
+  - ../values/namecheap-webhook/values/namecheap-webhook.yaml.gotmpl
+  - ../values/namecheap-webhook/values/namecheap-webhook-{{ .Environment.Name }}.yaml.gotmpl
+  postRenderer: ../bin/kustomizer
+  postRendererArgs:
+  - ../values/namecheap-webhook/kustomize/{{ .Environment.Name }}
+  missingFileHandler: Info
+- name: manifests
+  namespace: cert-manager
+  chart: manifests
+  condition: namecheap.enabled
+  missingFileHandler: Info
+  values:
+  - ../values/env.yaml
+  - ../values/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
+  - ../values/namecheap-webhook/env.yaml.gotmpl
+  - ../values/namecheap-webhook/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
+  hooks:
+  - events: [ prepare, cleanup ]
+    showlogs: true
+    command: ../bin/helmify
+    args:
+    - '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
+    - '{{`{{ .Release.Chart }}`}}'
+    - '{{`{{ .Environment.Name }}`}}'
+    - ../values/namecheap-webhook/manifests
+    - manifests
@@ -52,27 +52,3 @@ metadata:
 spec:
  selfSigned: {}
 ---
-{{- if .Values.clusterConfig.acme.dns01 }}
-apiVersion: cert-manager.io/v1
-kind: ClusterIssuer
-metadata:
-  name: letsencrypt-dns01-prod
-spec:
-  acme:
-    email: {{ .Values.clusterConfig.acme.email }}
-    server: https://acme-v02.api.letsencrypt.org/directory
-    privateKeySecretRef:
-      name: letsencrypt-dns01-prod
-    solvers:
-    - dns01:
-        webhook:
-          groupName: acme.namecheap.com
-          solverName: namecheap
-          config:
-            apiKeySecretRef:
-              name: {{ .Values.clusterConfig.dns01 }}
-              key: apiKey
-            apiUserSecretRef:
-              name: {{ .Values.clusterConfig.dns01 }}
-              key: apiUser
-{{- end }}
@@ -0,0 +1,3 @@
+namecheap:
+ enabled: true
+ autosync: true
@@ -0,0 +1,47 @@
+{{- if .Values.clusterConfig.acme.dns01 }}
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-prod-dns01
+spec:
+  acme:
+    email: {{ .Values.clusterConfig.acme.email }}
+    server: https://acme-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      name: letsencrypt-prod
+    solvers:
+    - dns01:
+        webhook:
+          groupName: acme.oceanbox.io
+          solverName: namecheap
+          config:
+            apiKeySecretRef:
+              name: {{ .Values.clusterConfig.dns01 }}
+              key: apiKey
+            apiUserSecretRef:
+              name: {{ .Values.clusterConfig.dns01 }}
+              key: apiUser
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-stg-dns01
+spec:
+  acme:
+    email: {{ .Values.clusterConfig.acme.email }}
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      name: letsencrypt-stg
+    solvers:
+    - dns01:
+        webhook:
+          groupName: acme.oceanbox.io
+          solverName: namecheap
+          config:
+            apiKeySecretRef:
+              name: {{ .Values.clusterConfig.dns01 }}
+              key: apiKey
+            apiUserSecretRef:
+              name: {{ .Values.clusterConfig.dns01 }}
+              key: apiUser
+{{- end }}
@@ -0,0 +1,40 @@
+{{- if .Values.clusterConfig.argo.enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: namecheap-webhook
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: cert-manager
+    server: 'https://kubernetes.default.svc'
+  sources:
+  - repoURL: {{ .Values.clusterConfig.manifests }}
+    targetRevision: HEAD
+    path: helmfile.d
+    plugin:
+      name: helmfile-cmp
+      env:
+      - name: CLUSTER_NAME
+        value: {{ .Values.clusterConfig.cluster }}
+      - name: HELMFILE_ENVIRONMENT
+        value: default
+      - name: HELMFILE_FILE_PATH
+        value: namecheap-webhook.yaml.gotmpl
+  project: sys
+  syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        component: sys
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+      - ServerSideApply=true
+    {{- if .Values.namecheap.autosync }}
+    automated:
+      prune: true
+      # selfHeal: false
+    {{- end }}
+{{- end }}
@@ -0,0 +1,40 @@
+# The GroupName here is used to identify your company or business unit that
+# created this webhook.
+# For example, this may be "acme.mycompany.com".
+# This name will need to be referenced in each Issuer's `webhook` stanza to
+# inform cert-manager of where to send ChallengePayload resources in order to
+# solve the DNS01 challenge.
+# This group name should be **unique**, hence using your own company's domain
+# here is recommended.
+groupName: acme.oceanbox.io
+
+certManager:
+  namespace: cert-manager
+  serviceAccountName: cert-manager
+
+image:
+  repository: kelvie/cert-manager-webhook-namecheap
+  tag: latest
+  pullPolicy: IfNotPresent
+
+# The (secure) port our app binds to
+containerPort: 8443
+
+service:
+  type: ClusterIP
+  port: 443
+
+resources: {}
+  # We usually recommend not to specify default resources and to leave this as a conscious
+  # choice for the user. This also increases chances charts run on environments with little
+  # resources, such as Minikube. If you do want to specify resources, uncomment the following
+  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+  # limits:
+  #  cpu: 100m
+  #  memory: 128Mi
+  # requests:
+  #  cpu: 100m
+  #  memory: 128Mi
+
+securityContext: {}
+