feat: add namecheap-webhook for dns01 certificate provisioning

2025-10-31 09:19:38 +01:00
parent 685d4643d9
commit 34ce048512
6 changed files with 172 additions and 24 deletions
@@ -0,0 +1,42 @@
 bases:
 - ../envs/environments.yaml.gotmpl
 repositories:
  - name: namecheap-webhook
    url: git+https://github.com/kelvie/cert-manager-webhook-namecheap@deploy?ref=master
 commonLabels:
  tier: system
 releases:
 - name: namecheap-webhook
  namespace: cert-manager
  chart: namecheap-webhook/cert-manager-webhook-namecheap
  condition: namecheap.enabled
  values:
  - ../values/namecheap-webhook/values/namecheap-webhook.yaml.gotmpl
  - ../values/namecheap-webhook/values/namecheap-webhook-{{ .Environment.Name }}.yaml.gotmpl
  postRenderer: ../bin/kustomizer
  postRendererArgs:
  - ../values/namecheap-webhook/kustomize/{{ .Environment.Name }}
  missingFileHandler: Info
 - name: manifests
  namespace: cert-manager
  chart: manifests
  condition: namecheap.enabled
  missingFileHandler: Info
  values:
  - ../values/env.yaml
  - ../values/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
  - ../values/namecheap-webhook/env.yaml.gotmpl
  - ../values/namecheap-webhook/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
  hooks:
  - events: [ prepare, cleanup ]
    showlogs: true
    command: ../bin/helmify
    args:
    - '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
    - '{{`{{ .Release.Chart }}`}}'
    - '{{`{{ .Environment.Name }}`}}'
    - ../values/namecheap-webhook/manifests
    - manifests
@@ -52,27 +52,3 @@ metadata:
 spec:
  selfSigned: {}
 ---
 {{- if .Values.clusterConfig.acme.dns01 }}
 apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
 metadata:
  name: letsencrypt-dns01-prod
 spec:
  acme:
    email: {{ .Values.clusterConfig.acme.email }}
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-dns01-prod
    solvers:
    - dns01:
        webhook:
          groupName: acme.namecheap.com
          solverName: namecheap
          config:
            apiKeySecretRef:
              name: {{ .Values.clusterConfig.dns01 }}
              key: apiKey
            apiUserSecretRef:
              name: {{ .Values.clusterConfig.dns01 }}
              key: apiUser
 {{- end }}
@@ -0,0 +1,3 @@
 namecheap:
 enabled: true
 autosync: true
@@ -0,0 +1,47 @@
 {{- if .Values.clusterConfig.acme.dns01 }}
 apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
 metadata:
  name: letsencrypt-prod-dns01
 spec:
  acme:
    email: {{ .Values.clusterConfig.acme.email }}
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - dns01:
        webhook:
          groupName: acme.oceanbox.io
          solverName: namecheap
          config:
            apiKeySecretRef:
              name: {{ .Values.clusterConfig.dns01 }}
              key: apiKey
            apiUserSecretRef:
              name: {{ .Values.clusterConfig.dns01 }}
              key: apiUser
 ---
 apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
 metadata:
  name: letsencrypt-stg-dns01
 spec:
  acme:
    email: {{ .Values.clusterConfig.acme.email }}
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-stg
    solvers:
    - dns01:
        webhook:
          groupName: acme.oceanbox.io
          solverName: namecheap
          config:
            apiKeySecretRef:
              name: {{ .Values.clusterConfig.dns01 }}
              key: apiKey
            apiUserSecretRef:
              name: {{ .Values.clusterConfig.dns01 }}
              key: apiUser
 {{- end }}
@@ -0,0 +1,40 @@
 {{- if .Values.clusterConfig.argo.enabled }}
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: namecheap-webhook
  namespace: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  destination:
    namespace: cert-manager
    server: 'https://kubernetes.default.svc'
  sources:
  - repoURL: {{ .Values.clusterConfig.manifests }}
    targetRevision: HEAD
    path: helmfile.d
    plugin:
      name: helmfile-cmp
      env:
      - name: CLUSTER_NAME
        value: {{ .Values.clusterConfig.cluster }}
      - name: HELMFILE_ENVIRONMENT
        value: default
      - name: HELMFILE_FILE_PATH
        value: namecheap-webhook.yaml.gotmpl
  project: sys
  syncPolicy:
    managedNamespaceMetadata:
      labels:
        component: sys
    syncOptions:
      - CreateNamespace=true
      - ApplyOutOfSyncOnly=true
      - ServerSideApply=true
    {{- if .Values.namecheap.autosync }}
    automated:
      prune: true
      # selfHeal: false
    {{- end }}
 {{- end }}
@@ -0,0 +1,40 @@
 # The GroupName here is used to identify your company or business unit that
 # created this webhook.
 # For example, this may be "acme.mycompany.com".
 # This name will need to be referenced in each Issuer's `webhook` stanza to
 # inform cert-manager of where to send ChallengePayload resources in order to
 # solve the DNS01 challenge.
 # This group name should be **unique**, hence using your own company's domain
 # here is recommended.
 groupName: acme.oceanbox.io
 certManager:
  namespace: cert-manager
  serviceAccountName: cert-manager
 image:
  repository: kelvie/cert-manager-webhook-namecheap
  tag: latest
  pullPolicy: IfNotPresent
 # The (secure) port our app binds to
 containerPort: 8443
 service:
  type: ClusterIP
  port: 443
 resources: {}
  # We usually recommend not to specify default resources and to leave this as a conscious
  # choice for the user. This also increases chances charts run on environments with little
  # resources, such as Minikube. If you do want to specify resources, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  # limits:
  #  cpu: 100m
  #  memory: 128Mi
  # requests:
  #  cpu: 100m
  #  memory: 128Mi
 securityContext: {}