From 6bb2a31fd397b4f96d78567862907638298de210 Mon Sep 17 00:00:00 2001
From: Jonas Juselius
Date: Wed, 29 Oct 2025 09:38:58 +0100
Subject: [PATCH] feat: add stub dns01 issuer and refactor cert-manager manifests
---
.../cert-manager/manifests/clusterissuer.yaml | 78 +++++++++++++++
.../manifests/pre-cert-manager.yaml | 94 -------------------
values/cert-manager/manifests/rbac.yaml | 35 +++++++
values/env-ekman.yaml | 4 +-
values/env-oceanbox.yaml | 4 +-
values/env-rossby.yaml | 4 +-
values/env.yaml | 4 +-
7 files changed, 125 insertions(+), 98 deletions(-)
create mode 100644 values/cert-manager/manifests/clusterissuer.yaml
create mode 100644 values/cert-manager/manifests/rbac.yaml
diff --git a/values/cert-manager/manifests/clusterissuer.yaml b/values/cert-manager/manifests/clusterissuer.yaml
new file mode 100644
index 00000000..bfbbcac5
--- /dev/null
+++ b/values/cert-manager/manifests/clusterissuer.yaml
@@ -0,0 +1,78 @@
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ annotations:
+ argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+ name: letsencrypt-production
+spec:
+ acme:
+ server: https://acme-v02.api.letsencrypt.org/directory
+ email: {{ .Values.clusterConfig.acme.email }}
+ privateKeySecretRef:
+ name: letsencrypt-production
+ solvers:
+ - http01:
+ ingress:
+ class: nginx
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ annotations:
+ argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+ name: letsencrypt-staging
+spec:
+ acme:
+ server: https://acme-staging-v02.api.letsencrypt.org/directory
+ email: {{ .Values.clusterConfig.acme.email }}
+ privateKeySecretRef:
+ name: letsencrypt-staging
+ solvers:
+ - http01:
+ ingress:
+ class: nginx
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ annotations:
+ argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+ name: ca-issuer
+spec:
+ ca:
+ secretName: cluster-ca
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ annotations:
+ argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+ name: selfsigning-issuer
+spec:
+ selfSigned: {}
+---
+{{- if .Values.clusterConfig.acme.dns01 }}
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-dns01-prod
+spec:
+ acme:
+ email: {{ .Values.clusterConfig.acme.email }}
+ server: https://acme-v02.api.letsencrypt.org/directory
+ privateKeySecretRef:
+ name: letsencrypt-dns01-prod
+ solvers:
+ - dns01:
+ webhook:
+ groupName: acme.namecheap.com
+ solverName: namecheap
+ config:
+ apiKeySecretRef:
+ name: {{ .Values.clusterConfig.dns01 }}
+ key: apiKey
+ apiUserSecretRef:
+ name: {{ .Values.clusterConfig.dns01 }}
+ key: apiUser
+{{- end }}
diff --git a/values/cert-manager/manifests/pre-cert-manager.yaml b/values/cert-manager/manifests/pre-cert-manager.yaml
index 57beb46c..45dc6b6c 100644
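Review bot: The dns01 issuer's two secret references read `.Values.clusterConfig.dns01`, but the guard above them tests `.Values.clusterConfig.acme.dns01` and the env files in this patch put `dns01` under `acme:`, so both `name:` fields render empty and the issuer points at no Secret; change both to `name: {{ .Values.clusterConfig.acme.dns01 | quote }}`. The `email: {{ .Values.clusterConfig.acme.email }}` line in all three ACME issuers is an unquoted templated scalar, so an empty value renders as a bare `email:` (null) and a value with a leading YAML special breaks the document; `{{ .Values.clusterConfig.acme.email | quote }}` avoids both. The new `letsencrypt-dns01-prod` issuer is also the only ClusterIssuer in the file without the `argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true` annotation the other four carry, so an initial sync before the cert-manager CRDs exist would fail on this resource alone.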
--- a/values/cert-manager/manifests/pre-cert-manager.yaml
+++ b/values/cert-manager/manifests/pre-cert-manager.yaml
@@ -1,98 +1,4 @@ --- -apiVersion: cert-manager.io/v1 -kind: ClusterIssuer -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - name: letsencrypt-production -spec: - acme: - # The ACME server URL - server: https://acme-v02.api.letsencrypt.org/directory - # Email address used for ACME registration - email: {{ .Values.clusterConfig.acme_email }} - # Name of a secret used to store the ACME account private key - privateKeySecretRef: - name: letsencrypt-production - solvers: - - http01: - ingress: - class: nginx ---- -apiVersion: cert-manager.io/v1 -kind: ClusterIssuer -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - name: letsencrypt-staging -spec: - acme: - # The ACME server URL - server: https://acme-staging-v02.api.letsencrypt.org/directory - # Email address used for ACME registration - email: {{ .Values.clusterConfig.acme_email }} - # Name of a secret used to store the ACME account private key - privateKeySecretRef: - name: letsencrypt-staging - solvers: - - http01: - ingress: - class: nginx ---- -apiVersion: cert-manager.io/v1 -kind: ClusterIssuer -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - name: ca-issuer -spec: - ca: - secretName: cluster-ca ---- -apiVersion: cert-manager.io/v1 -kind: ClusterIssuer -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - name: selfsigning-issuer -spec: - selfSigned: {} ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: front-proxy-client -subjects: - - kind: User - name: front-proxy-client - apiGroup: rbac.authorization.k8s.io -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: front-proxy-client ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: front-proxy-client -rules: -- apiGroups: - - "webhook.cert-manager.io" - resources: - - mutations - - 
validations - verbs: [ "*" ] -- apiGroups: - - metrics.k8s.io - resources: - - pods - - nodes - verbs: - - get - - list - - watch ---- - {{ if .Values.clusterConfig.initca }} # Pod to update certificates from master nodes # only runs on control plane nodes (etcd)
diff --git a/values/cert-manager/manifests/rbac.yaml b/values/cert-manager/manifests/rbac.yaml
new file mode 100644
index 00000000..534d93cf
--- /dev/null
+++ b/values/cert-manager/manifests/rbac.yaml
@@ -0,0 +1,35 @@
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: front-proxy-client
+subjects:
+ - kind: User
+ name: front-proxy-client
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: front-proxy-client
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: front-proxy-client
+rules:
+- apiGroups:
+ - "webhook.cert-manager.io"
+ resources:
+ - mutations
+ - validations
+ verbs: [ "*" ]
+- apiGroups:
+ - metrics.k8s.io
+ resources:
+ - pods
+ - nodes
+ verbs:
+ - get
+ - list
+ - watch
+---
diff --git a/values/env-ekman.yaml b/values/env-ekman.yaml
index 32151bdf..d10da337 100644
--- a/values/env-ekman.yaml
+++ b/values/env-ekman.yaml
@@ -14,7 +14,9 @@ clusterConfig: ingress_nodes: ["ekman , ekman-manage" ] ingress_replica_count: 2 fileserver: "10.255.241.100"
- acme_email: "acme@oceanbox.io"
+ acme:
+ email: "acme@oceanbox.io"
+ dns01: "namecheap-apikey" oidc: - name: oceanbox provider: azuread
diff --git a/values/env-oceanbox.yaml b/values/env-oceanbox.yaml
index db1ea2cb..c78b15b6 100644
--- a/values/env-oceanbox.yaml
+++ b/values/env-oceanbox.yaml
@@ -12,7 +12,9 @@ clusterConfig: ingress_nodes: ["oceanbox-controlplane-1, oceanbox-controlplane-2, oceanbox-controlplane-3" ] ingress_replica_count: 3 fileserver: "10.255.241.210"
- acme_email: "acme@oceanbox.io"
+ acme:
+ email: "acme@oceanbox.io"
+ dns01: "namecheap-apikey" oidc: - name: oceanbox provider: azuread
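Review bot: `verbs: [ "*" ]` on the `webhook.cert-manager.io` `mutations`/`validations` resources in the new rbac.yaml grants the `front-proxy-client` user every verb on those resources; the rule is moved verbatim from pre-cert-manager.yaml, but the new file is the place to narrow it. Admission review calls arrive as a `create` on those resources, so `verbs: ["create"]` is likely all the aggregation proxy needs — confirm against the SubjectAccessReview the cert-manager webhook actually performs before tightening it. Two smaller points in the same file: the closing `+---` leaves an empty trailing document, and sequence indentation is mixed (entries under `subjects:` are indented, entries under `rules:` are flush), which yamllint's `indentation` rule will flag.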
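Review bot: `dns01: "namecheap-apikey"` names a Secret that nothing in this patch creates, and the same name is set in env-oceanbox.yaml and env-rossby.yaml; since clusterissuer.yaml renders the dns01 ClusterIssuer whenever this value is non-empty, every environment now produces an issuer whose `apiKeySecretRef`/`apiUserSecretRef` must be provisioned out of band. A ClusterIssuer's secret references are resolved in cert-manager's cluster resource namespace (the namespace cert-manager runs in unless `--cluster-resource-namespace` is set), not in the application namespace, so a comment on the key would save a debugging round: `# name of a Secret in the cert-manager namespace with keys apiKey/apiUser for the namecheap dns01 webhook`. For environments where that webhook is not deployed, leaving the value `""` keeps the stub issuer from being rendered at all.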
diff --git a/values/env-rossby.yaml b/values/env-rossby.yaml
index 818eb02b..32a3d6e8 100644
--- a/values/env-rossby.yaml
+++ b/values/env-rossby.yaml
@@ -20,7 +20,9 @@ clusterConfig: ingress_hostport: false ingress_nodeport: false fileserver: "172.16.239.222"
- acme_email: "acme@oceanbox.io"
+ acme:
+ email: "acme@oceanbox.io"
+ dns01: "namecheap-apikey" oidc: - name: oceanbox provider: azuread
diff --git a/values/env.yaml b/values/env.yaml
index ddcfcc64..9024d27f 100644
--- a/values/env.yaml
+++ b/values/env.yaml
@@ -11,7 +11,9 @@ clusterConfig: ingress_nodes: [] ingress_replica_count: 3 fileserver: ""
- acme_email: ""
+ acme:
+ email: "acme@oceanbox.io"
+ dns01: "" nodenames: [] nodes: [] ingress_clusterissuer: "letsencrypt-production"
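Review bot: The base defaults in env.yaml now carry a concrete contact address, `email: "acme@oceanbox.io"`, where the removed `acme_email: ""` was empty; an environment file that forgets to set `acme.email` will silently register ACME accounts and receive expiry notices under that address instead of surfacing the omission. Keep the default empty, `email: ""`, and let the per-environment files supply it, as env-ekman.yaml, env-oceanbox.yaml and env-rossby.yaml already do in this patch. `dns01: ""` as the default is right, since the `{{- if .Values.clusterConfig.acme.dns01 }}` guard in clusterissuer.yaml treats the empty string as false and skips the stub issuer.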