From 34ce0485129414e65037e7767ef5f8a26772d910 Mon Sep 17 00:00:00 2001
From: Jonas Juselius
Date: Fri, 31 Oct 2025 09:19:38 +0100
Subject: [PATCH] feat: add namecheap-webhook for dns01 certificate provisioning
---
helmfile.d/namecheap-webhook.yaml.gotmpl | 42 +++++++++++++++++
.../cert-manager/manifests/clusterissuer.yaml | 24 ----------
values/namecheap-webhook/env.yaml.gotmpl | 3 ++
.../manifests/clusterissuer.yaml | 47 +++++++++++++++++++
.../manifests/namecheap-webhhok.yaml | 40 ++++++++++++++++
.../values/cert-manager-namecheap.yaml.gotmpl | 40 ++++++++++++++++
6 files changed, 172 insertions(+), 24 deletions(-)
create mode 100644 helmfile.d/namecheap-webhook.yaml.gotmpl
create mode 100644 values/namecheap-webhook/env.yaml.gotmpl
create mode 100644 values/namecheap-webhook/manifests/clusterissuer.yaml
create mode 100644 values/namecheap-webhook/manifests/namecheap-webhhok.yaml
create mode 100644 values/namecheap-webhook/values/cert-manager-namecheap.yaml.gotmpl
diff --git a/helmfile.d/namecheap-webhook.yaml.gotmpl b/helmfile.d/namecheap-webhook.yaml.gotmpl
new file mode 100644
index 00000000..27551d80
--- /dev/null
+++ b/helmfile.d/namecheap-webhook.yaml.gotmpl
@@ -0,0 +1,42 @@
+bases:
+ - ../envs/environments.yaml.gotmpl
+
+repositories:
+ - name: namecheap-webhook
+ url: git+https://github.com/kelvie/cert-manager-webhook-namecheap@deploy?ref=master
+
+commonLabels:
+ tier: system
+
+releases:
+- name: namecheap-webhook
+ namespace: cert-manager
+ chart: namecheap-webhook/cert-manager-webhook-namecheap
+ condition: namecheap.enabled
+ values:
+ - ../values/namecheap-webhook/values/namecheap-webhook.yaml.gotmpl
+ - ../values/namecheap-webhook/values/namecheap-webhook-{{ .Environment.Name }}.yaml.gotmpl
+ postRenderer: ../bin/kustomizer
+ postRendererArgs:
+ - ../values/namecheap-webhook/kustomize/{{ .Environment.Name }}
+ missingFileHandler: Info
+- name: manifests
+ namespace: cert-manager
+ chart: manifests
+ condition: namecheap.enabled
+ missingFileHandler: Info
+ values:
+ - ../values/env.yaml
+ - ../values/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
+ - ../values/namecheap-webhook/env.yaml.gotmpl
+ - ../values/namecheap-webhook/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
+ hooks:
+ - events: [ prepare, cleanup ]
+ showlogs: true
+ command: ../bin/helmify
+ args:
+ - '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
+ - '{{`{{ .Release.Chart }}`}}'
+ - '{{`{{ .Environment.Name }}`}}'
+ - ../values/namecheap-webhook/manifests
+ - manifests
diff --git a/values/cert-manager/manifests/clusterissuer.yaml b/values/cert-manager/manifests/clusterissuer.yaml
index bfbbcac5..416e8db1 100644
--- a/values/cert-manager/manifests/clusterissuer.yaml
+++ b/values/cert-manager/manifests/clusterissuer.yaml
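Review bot: The `namecheap-webhook` release lists `../values/namecheap-webhook/values/namecheap-webhook.yaml.gotmpl` (and its `-{{ .Environment.Name }}` variant) under `values:`, but the values file this commit actually creates is `values/namecheap-webhook/values/cert-manager-namecheap.yaml.gotmpl`; with `missingFileHandler: Info` helmfile will log and skip both paths, so the chart is presumably installed with its packaged defaults and the `groupName: acme.oceanbox.io` from that file never reaches the webhook, while the ClusterIssuers in `values/namecheap-webhook/manifests/clusterissuer.yaml` expect exactly that group. Either rename the file or change the first entry to `- ../values/namecheap-webhook/values/cert-manager-namecheap.yaml.gotmpl`, and consider `missingFileHandler: Error` for the chart's own values so a typo cannot silently fall back to defaults. Separately, the chart comes from `git+https://github.com/kelvie/cert-manager-webhook-namecheap@deploy?ref=master`, a mutable branch of a third-party repository: whatever is on master at sync time is what gets deployed next to the cert-manager service account, so pin `ref=` to a tag or commit SHA so the deployed chart is reproducible and reviewable.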
@@ -52,27 +52,3 @@ metadata:
 spec:
 selfSigned: {}
 ---
-{{- if .Values.clusterConfig.acme.dns01 }}
-apiVersion: cert-manager.io/v1
-kind: ClusterIssuer
-metadata:
- name: letsencrypt-dns01-prod
-spec:
- acme:
- email: {{ .Values.clusterConfig.acme.email }}
- server: https://acme-v02.api.letsencrypt.org/directory
- privateKeySecretRef:
- name: letsencrypt-dns01-prod
- solvers:
- - dns01:
- webhook:
- groupName: acme.namecheap.com
- solverName: namecheap
- config:
- apiKeySecretRef:
- name: {{ .Values.clusterConfig.dns01 }}
- key: apiKey
- apiUserSecretRef:
- name: {{ .Values.clusterConfig.dns01 }}
- key: apiUser
-{{- end }}
diff --git a/values/namecheap-webhook/env.yaml.gotmpl b/values/namecheap-webhook/env.yaml.gotmpl
new file mode 100644
index 00000000..1e047c2d
--- /dev/null
+++ b/values/namecheap-webhook/env.yaml.gotmpl
@@ -0,0 +1,3 @@
+namecheap:
+ enabled: true
+ autosync: true
diff --git a/values/namecheap-webhook/manifests/clusterissuer.yaml b/values/namecheap-webhook/manifests/clusterissuer.yaml
new file mode 100644
index 00000000..8aa1aa7c
--- /dev/null
+++ b/values/namecheap-webhook/manifests/clusterissuer.yaml
@@ -0,0 +1,47 @@
+{{- if .Values.clusterConfig.acme.dns01 }}
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-prod-dns01
+spec:
+ acme:
+ email: {{ .Values.clusterConfig.acme.email }}
+ server: https://acme-v02.api.letsencrypt.org/directory
+ privateKeySecretRef:
+ name: letsencrypt-prod
+ solvers:
+ - dns01:
+ webhook:
+ groupName: acme.oceanbox.io
+ solverName: namecheap
+ config:
+ apiKeySecretRef:
+ name: {{ .Values.clusterConfig.dns01 }}
+ key: apiKey
+ apiUserSecretRef:
+ name: {{ .Values.clusterConfig.dns01 }}
+ key: apiUser
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-stg-dns01
+spec:
+ acme:
+ email: {{ .Values.clusterConfig.acme.email }}
+ server: https://acme-staging-v02.api.letsencrypt.org/directory
+ privateKeySecretRef:
+ name: letsencrypt-stg
+ solvers:
+ - dns01:
+ webhook:
+ groupName: acme.oceanbox.io
+ solverName: namecheap
+ config:
+ apiKeySecretRef:
+ name: {{ .Values.clusterConfig.dns01 }}
+ key: apiKey
+ apiUserSecretRef:
+ name: {{ .Values.clusterConfig.dns01 }}
+ key: apiUser
+{{- end }}
diff --git a/values/namecheap-webhook/manifests/namecheap-webhhok.yaml b/values/namecheap-webhook/manifests/namecheap-webhhok.yaml
new file mode 100644
index 00000000..282c4fa9
--- /dev/null
+++ b/values/namecheap-webhook/manifests/namecheap-webhhok.yaml
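Review bot: The production issuer is renamed from `letsencrypt-dns01-prod` (removed from `values/cert-manager/manifests/clusterissuer.yaml` in the previous hunk) to `letsencrypt-prod-dns01`, and its `privateKeySecretRef.name` changes from `letsencrypt-dns01-prod` to `letsencrypt-prod`; any Certificate whose `issuerRef` still names the old issuer stops renewing once this is applied, and if `letsencrypt-prod` is also the account-key Secret of an existing http01 issuer the two issuers will share one ACME account, which cert-manager allows but should be stated on the line, e.g. `# shares the ACME account key with the http01 letsencrypt-prod issuer`. The `groupName` also moves from `acme.namecheap.com` to `acme.oceanbox.io` and must match the `groupName` the webhook chart is installed with (see `values/namecheap-webhook/values/cert-manager-namecheap.yaml.gotmpl`), otherwise cert-manager has no APIService to route the ChallengePayload to and dns01 orders presumably never complete. Both solvers read `apiKey` and `apiUser` from the Secret named by `.Values.clusterConfig.dns01`, so the webhook's ServiceAccount needs read access to that Secret in the cert-manager namespace; the chart's RBAC presumably grants it, but that and the fact that the Secret itself is provisioned out of band (not committed here) are worth a comment on the `config:` stanza.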
@@ -0,0 +1,40 @@
+{{- if .Values.clusterConfig.argo.enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: namecheap-webhook
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ destination:
+ namespace: cert-manager
+ server: 'https://kubernetes.default.svc'
+ sources:
+ - repoURL: {{ .Values.clusterConfig.manifests }}
+ targetRevision: HEAD
+ path: helmfile.d
+ plugin:
+ name: helmfile-cmp
+ env:
+ - name: CLUSTER_NAME
+ value: {{ .Values.clusterConfig.cluster }}
+ - name: HELMFILE_ENVIRONMENT
+ value: default
+ - name: HELMFILE_FILE_PATH
+ value: namecheap-webhook.yaml.gotmpl
+ project: sys
+ syncPolicy:
+ managedNamespaceMetadata:
+ labels:
+ component: sys
+ syncOptions:
+ - CreateNamespace=true
+ - ApplyOutOfSyncOnly=true
+ - ServerSideApply=true
+ {{- if .Values.namecheap.autosync }}
+ automated:
+ prune: true
+ # selfHeal: false
+ {{- end }}
+{{- end }}
diff --git a/values/namecheap-webhook/values/cert-manager-namecheap.yaml.gotmpl b/values/namecheap-webhook/values/cert-manager-namecheap.yaml.gotmpl
new file mode 100644
index 00000000..6571d50b
--- /dev/null
+++ b/values/namecheap-webhook/values/cert-manager-namecheap.yaml.gotmpl
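Review bot: The file is named `namecheap-webhhok.yaml` (transposed letters) while every other path in the commit uses `namecheap-webhook`; rename it to `namecheap-webhook.yaml` before anything else references the misspelled path. `targetRevision: HEAD` combined with `automated: prune: true` (active whenever `namecheap.autosync` is on, which `values/namecheap-webhook/env.yaml.gotmpl` sets by default) means any commit reaching the repository's default branch is applied and resources that drop out of the render are deleted without a second look; for a component that holds DNS-provider credentials and issues production certificates, consider pinning `targetRevision` to a reviewed branch or tag. The commented `# selfHeal: false` reads as an unfinished decision; replace it with a comment that states why self-heal is deliberately off, e.g. `# selfHeal intentionally disabled: manual drift in cert-manager must not be reverted unattended`.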
@@ -0,0 +1,40 @@
+# The GroupName here is used to identify your company or business unit that
+# created this webhook.
+# For example, this may be "acme.mycompany.com".
+# This name will need to be referenced in each Issuer's `webhook` stanza to
+# inform cert-manager of where to send ChallengePayload resources in order to
+# solve the DNS01 challenge.
+# This group name should be **unique**, hence using your own company's domain
+# here is recommended.
+groupName: acme.oceanbox.io
+
+certManager:
+ namespace: cert-manager
+ serviceAccountName: cert-manager
+
+image:
+ repository: kelvie/cert-manager-webhook-namecheap
+ tag: latest
+ pullPolicy: IfNotPresent
+
+# The (secure) port our app binds to
+containerPort: 8443
+
+service:
+ type: ClusterIP
+ port: 443
+
+resources: {}
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+
+securityContext: {}
+
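Review bot: `image.tag: latest` together with `pullPolicy: IfNotPresent` means each node keeps whatever `kelvie/cert-manager-webhook-namecheap:latest` it pulled first, so nodes can run different builds of the process that handles the Namecheap API credentials and there is no record of which one is deployed; pin `tag` to a release version or, better, an immutable `@sha256:` digest. `securityContext: {}` leaves the container at the chart's defaults; assuming the chart applies this value to the webhook container (the key is in its values, so presumably it does), a restrictive context is cheap for a process that only needs to listen on `containerPort: 8443`, with `runAsUser` added if the image's default user turns out to be root. The file is also `.gotmpl` but contains no template expressions; fine if the project names all values files this way, otherwise `.yaml` is clearer.
```yaml
# … unchanged: groupName, certManager, image, containerPort, service, resources …
securityContext:
  runAsNonRoot: true
  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
```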