diff --git a/CHANGELOG.md b/CHANGELOG.md
deleted file mode 100644
index 2129668..0000000
--- a/CHANGELOG.md
+++ /dev/null
@@ -1,18 +0,0 @@
-# Changelog
-
-## [Unreleased]
-
-### Added
-
-- `.mailmap` to ease fetching contributors list (#19)
-- `CHANGELOG.md` is now maintained
-
-### Changed
-
-- License the project under Apache 2.0 (#19)
-- Bumped cert-manager to `1.14.5`
-- Recommended Kubernetes version is now `v1.29`
-
-## [v0.0.1] - 2020-11-19
-
-- Initial release
diff --git a/README.md b/README.md
index b61cfb7..d88daf3 100644
--- a/README.md
+++ b/README.md
@@ -8,29 +8,37 @@ cert-manager Webhook for Scaleway DNS is a ACME [webhook](https://cert-manager.i - A [Scaleway Access Key and a Scaleway Secret Key](https://www.scaleway.com/en/docs/generate-api-keys/) - A valid domain configured on [Scaleway DNS](https://www.scaleway.com/en/docs/scaleway-dns/) -- A Kubernetes cluster (v1.22+ recommended) +- A Kubernetes cluster (v1.29+ recommended) - [Helm 3](https://helm.sh/) [installed](https://helm.sh/docs/intro/install/) on your computer - cert-manager [deployed](https://cert-manager.io/docs/installation/) on the cluster ### Installing -Once everything is set up, you can now install the Scaleway Webhook: -- Clone this repository: +> Attention: starting from `0.1.0` the chart's name is now named `scaleway-certmanager-webhook`, if upgrading from an older version you might want to add `--set nameOverride=scaleway-webhook` + +- Add scaleway's helm chart repository: + ```bash -git clone https://github.com/scaleway/cert-manager-webhook-scaleway.git +helm repo add scaleway https://helm.scw.cloud/ +helm repo update ``` -- Run: +- Install the chart + ```bash -helm install scaleway-webhook deploy/scaleway-webhook +helm install scaleway-webhook scaleway/scaleway-certmanager-webhook ``` + - Alternatively, you can install the webhook with default credentials with: + ```bash -helm install scaleway-webhook deploy/scaleway-webhook --set secret.accessKey= --set secret.secretKey= +helm install scaleway-webhook scaleway/scaleway-certmanager-webhook --set secret.accessKey= --set secret.secretKey= ``` The Scaleway Webhook is now installed! :tada: +> Refer to the chart's [documentation](https://github.com/scaleway/helm-charts/blob/master/charts/scaleway-certmanager-webhook/README.md) for more configuration options. + ### How to use it **Note**: It uses the [cert-manager webhook system](https://cert-manager.io/docs/configuration/acme/dns01/webhook/). Everything after the issuer is configured is just cert-manager. 
You can find out more in [their documentation](https://cert-manager.io/docs/usage/).
diff --git a/deploy/.helmignore b/deploy/.helmignore
deleted file mode 100644
index f0c1319..0000000
--- a/deploy/.helmignore
+++ /dev/null
@@ -1,21 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
diff --git a/deploy/scaleway-webhook/Chart.yaml b/deploy/scaleway-webhook/Chart.yaml
deleted file mode 100644
index e4aa579..0000000
--- a/deploy/scaleway-webhook/Chart.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-apiVersion: v1
-appVersion: "v0.0.1"
-description: Cert-Manager webhook for Scaleway
-name: scaleway-webhook
-version: 0.0.1
diff --git a/deploy/scaleway-webhook/templates/_helpers.tpl b/deploy/scaleway-webhook/templates/_helpers.tpl
deleted file mode 100644
index 6f3325a..0000000
--- a/deploy/scaleway-webhook/templates/_helpers.tpl
+++ /dev/null
@@ -1,49 +0,0 @@
-{{/* vim: set filetype=mustache: */}}
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "scaleway-webhook.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "scaleway-webhook.fullname" -}}
-{{- if .Values.fullnameOverride -}}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- $name := default .Chart.Name .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "scaleway-webhook.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{- define "scaleway-webhook.selfSignedIssuer" -}}
-{{ printf "%s-selfsign" (include "scaleway-webhook.fullname" .) }}
-{{- end -}}
-
-{{- define "scaleway-webhook.rootCAIssuer" -}}
-{{ printf "%s-ca" (include "scaleway-webhook.fullname" .) }}
-{{- end -}}
-
-{{- define "scaleway-webhook.rootCACertificate" -}}
-{{ printf "%s-ca" (include "scaleway-webhook.fullname" .) }}
-{{- end -}}
-
-{{- define "scaleway-webhook.servingCertificate" -}}
-{{ printf "%s-webhook-tls" (include "scaleway-webhook.fullname" .) }}
-{{- end -}}
-
diff --git a/deploy/scaleway-webhook/templates/apiservice.yaml b/deploy/scaleway-webhook/templates/apiservice.yaml
deleted file mode 100644
index 539c0fa..0000000
--- a/deploy/scaleway-webhook/templates/apiservice.yaml
+++ /dev/null
@@ -1,19 +0,0 @@ -apiVersion: apiregistration.k8s.io/v1 -kind: APIService -metadata: - name: v1alpha1.{{ .Values.groupName }} - labels: - app: {{ include "scaleway-webhook.name" . }} - chart: {{ include "scaleway-webhook.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} - annotations: - cert-manager.io/inject-ca-from: "{{ .Release.Namespace }}/{{ include "scaleway-webhook.servingCertificate" . }}" -spec: - group: {{ .Values.groupName }} - groupPriorityMinimum: 1000 - versionPriority: 15 - service: - name: {{ include "scaleway-webhook.fullname" . }} - namespace: {{ .Release.Namespace }} - version: v1alpha1 diff --git a/deploy/scaleway-webhook/templates/deployment.yaml b/deploy/scaleway-webhook/templates/deployment.yaml deleted file mode 100644 index 31668bf..0000000 --- a/deploy/scaleway-webhook/templates/deployment.yaml +++ /dev/null 
@@ -1,78 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "scaleway-webhook.fullname" . }} - labels: - app: {{ include "scaleway-webhook.name" . }} - chart: {{ include "scaleway-webhook.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "scaleway-webhook.name" . }} - release: {{ .Release.Name }} - template: - metadata: - labels: - app: {{ include "scaleway-webhook.name" . }} - release: {{ .Release.Name }} - spec: - serviceAccountName: {{ include "scaleway-webhook.fullname" . }} - {{- with .Values.image.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - containers: - - name: {{ .Chart.Name }} - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - args: - - --tls-cert-file=/tls/tls.crt - - --tls-private-key-file=/tls/tls.key - env: - - name: GROUP_NAME - value: {{ .Values.groupName | quote }} - {{ if and .Values.secret.accessKey .Values.secret.secretKey }} - envFrom: - - secretRef: - name: {{ .Values.secret.name }} - {{ end }} - ports: - - name: https - containerPort: 443 - protocol: TCP - livenessProbe: - httpGet: - scheme: HTTPS - path: /healthz - port: https - readinessProbe: - timeoutSeconds: 5 - httpGet: - scheme: HTTPS - path: /healthz - port: https - volumeMounts: - - name: certs - mountPath: /tls - readOnly: true - resources: -{{ toYaml .Values.resources | indent 12 }} - volumes: - - name: certs - secret: - secretName: {{ include "scaleway-webhook.servingCertificate" . }} - {{- with .Values.nodeSelector }} - nodeSelector: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: -{{ toYaml . | indent 8 }} - {{- end }} 
diff --git a/deploy/scaleway-webhook/templates/pki.yaml b/deploy/scaleway-webhook/templates/pki.yaml
deleted file mode 100644
index b30b40c..0000000
--- a/deploy/scaleway-webhook/templates/pki.yaml
+++ /dev/null
@@ -1,76 +0,0 @@ ---- -# Create a selfsigned Issuer, in order to create a root CA certificate for -# signing webhook serving certificates -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - name: {{ include "scaleway-webhook.selfSignedIssuer" . }} - namespace: {{ .Release.Namespace | quote }} - labels: - app: {{ include "scaleway-webhook.name" . }} - chart: {{ include "scaleway-webhook.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -spec: - selfSigned: {} - ---- - -# Generate a CA Certificate used to sign certificates for the webhook -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: {{ include "scaleway-webhook.rootCACertificate" . }} - namespace: {{ .Release.Namespace | quote }} - labels: - app: {{ include "scaleway-webhook.name" . }} - chart: {{ include "scaleway-webhook.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -spec: - secretName: {{ include "scaleway-webhook.rootCACertificate" . }} - duration: {{ .Values.pki.caDuration }} - issuerRef: - name: {{ include "scaleway-webhook.selfSignedIssuer" . }} - commonName: "ca.scaleway-webhook.cert-manager" - isCA: true - ---- - -# Create an Issuer that uses the above generated CA certificate to issue certs -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - name: {{ include "scaleway-webhook.rootCAIssuer" . }} - namespace: {{ .Release.Namespace | quote }} - labels: - app: {{ include "scaleway-webhook.name" . }} - chart: {{ include "scaleway-webhook.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -spec: - ca: - secretName: {{ include "scaleway-webhook.rootCACertificate" . }} - ---- - -# Finally, generate a serving certificate for the webhook to use -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: {{ include "scaleway-webhook.servingCertificate" . }} - namespace: {{ .Release.Namespace | quote }} - labels: - app: {{ include "scaleway-webhook.name" . 
}} - chart: {{ include "scaleway-webhook.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -spec: - secretName: {{ include "scaleway-webhook.servingCertificate" . }} - duration: {{ .Values.pki.servingCertificateDuration }} - issuerRef: - name: {{ include "scaleway-webhook.rootCAIssuer" . }} - dnsNames: - - {{ include "scaleway-webhook.fullname" . }} - - {{ include "scaleway-webhook.fullname" . }}.{{ .Release.Namespace }} - - {{ include "scaleway-webhook.fullname" . }}.{{ .Release.Namespace }}.svc diff --git a/deploy/scaleway-webhook/templates/rbac.yaml b/deploy/scaleway-webhook/templates/rbac.yaml deleted file mode 100644 index 1660b6c..0000000 --- a/deploy/scaleway-webhook/templates/rbac.yaml +++ /dev/null 
@@ -1,130 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "scaleway-webhook.fullname" . }} - labels: - app: {{ include "scaleway-webhook.name" . }} - chart: {{ include "scaleway-webhook.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} ---- -# Grant the webhook permission to read the secrets containing the credentials -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ include "scaleway-webhook.fullname" . }}:secrets-reader - namespace: {{ .Release.Namespace }} - labels: - app: {{ include "scaleway-webhook.name" . }} - chart: {{ include "scaleway-webhook.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -rules: - - apiGroups: - - '' - resources: - - 'secrets' - verbs: - - 'get' ---- -# Grant the webhook permission to read the secrets containing the credentials -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ include "scaleway-webhook.fullname" . }}:secrets-reader - namespace: {{ .Release.Namespace }} - labels: - app: {{ include "scaleway-webhook.name" . }} - chart: {{ include "scaleway-webhook.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ include "scaleway-webhook.fullname" . }}:secrets-reader -subjects: - - apiGroup: "" - kind: ServiceAccount - name: {{ include "scaleway-webhook.fullname" . }} - namespace: {{ .Release.Namespace }} ---- -# Grant the webhook permission to read the ConfigMap containing the Kubernetes -# apiserver's requestheader-ca-certificate. -# This ConfigMap is automatically created by the Kubernetes apiserver. -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ include "scaleway-webhook.fullname" . }}:webhook-authentication-reader - namespace: kube-system - labels: - app: {{ include "scaleway-webhook.name" . }} - chart: {{ include "scaleway-webhook.chart" . 
}} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: extension-apiserver-authentication-reader -subjects: - - apiGroup: "" - kind: ServiceAccount - name: {{ include "scaleway-webhook.fullname" . }} - namespace: {{ .Release.Namespace }} ---- -# apiserver gets the auth-delegator role to delegate auth decisions to -# the core apiserver -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ include "scaleway-webhook.fullname" . }}:auth-delegator - labels: - app: {{ include "scaleway-webhook.name" . }} - chart: {{ include "scaleway-webhook.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:auth-delegator -subjects: - - apiGroup: "" - kind: ServiceAccount - name: {{ include "scaleway-webhook.fullname" . }} - namespace: {{ .Release.Namespace }} ---- -# Grant cert-manager permission to validate using our apiserver -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ include "scaleway-webhook.fullname" . }}:domain-solver - labels: - app: {{ include "scaleway-webhook.name" . }} - chart: {{ include "scaleway-webhook.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -rules: - - apiGroups: - - {{ .Values.groupName }} - resources: - - '*' - verbs: - - 'create' ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ include "scaleway-webhook.fullname" . }}:domain-solver - labels: - app: {{ include "scaleway-webhook.name" . }} - chart: {{ include "scaleway-webhook.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ include "scaleway-webhook.fullname" . 
}}:domain-solver -subjects: - - apiGroup: "" - kind: ServiceAccount - name: {{ .Values.certManager.serviceAccountName }} - namespace: {{ .Values.certManager.namespace }} diff --git a/deploy/scaleway-webhook/templates/secret.yaml b/deploy/scaleway-webhook/templates/secret.yaml deleted file mode 100644 index 092d801..0000000 --- a/deploy/scaleway-webhook/templates/secret.yaml +++ /dev/null @@ -1,15 +0,0 @@ -{{ if and .Values.secret.accessKey .Values.secret.secretKey }} -apiVersion: v1 -kind: Secret -metadata: - name: {{ .Values.secret.name }} - labels: - app: {{ include "scaleway-webhook.name" . }} - chart: {{ include "scaleway-webhook.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -type: Opaque -stringData: - SCW_ACCESS_KEY: {{ .Values.secret.accessKey }} - SCW_SECRET_KEY: {{ .Values.secret.secretKey }} -{{ end }} diff --git a/deploy/scaleway-webhook/templates/service.yaml b/deploy/scaleway-webhook/templates/service.yaml deleted file mode 100644 index 526d90c..0000000 --- a/deploy/scaleway-webhook/templates/service.yaml +++ /dev/null @@ -1,19 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: {{ include "scaleway-webhook.fullname" . }} - labels: - app: {{ include "scaleway-webhook.name" . }} - chart: {{ include "scaleway-webhook.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - - port: {{ .Values.service.port }} - targetPort: https - protocol: TCP - name: https - selector: - app: {{ include "scaleway-webhook.name" . }} - release: {{ .Release.Name }} diff --git a/deploy/scaleway-webhook/values.yaml b/deploy/scaleway-webhook/values.yaml deleted file mode 100644 index 2dd1d87..0000000 --- a/deploy/scaleway-webhook/values.yaml +++ /dev/null 
@@ -1,44 +0,0 @@ -groupName: acme.scaleway.com - -certManager: - namespace: cert-manager - serviceAccountName: cert-manager - -image: - repository: scaleway/cert-manager-webhook-scaleway - pullPolicy: IfNotPresent - imagePullSecrets: [] - -nameOverride: "" -fullnameOverride: "" - -pki: - caDuration: 43800h # 5y - servingCertificateDuration: 8760h # 1y - -secret: - accessKey: "" - secretKey: "" - name: scaleway-webhook-secret - -service: - type: ClusterIP - port: 443 - -resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - -nodeSelector: {} - -tolerations: [] - -affinity: {}