cert-manager: Add cert-manager-setup chart, make dex + traefik use ce…

…rt-manager issued certificates Add cert-manager-setup chart, make dex + traefik use cert-manager issued certificates
mesosphere · Sep 19, 2019 · a5ce5ad · a5ce5ad
2 parents e95bc86 + c083c9f
commit a5ce5ad
Show file tree

Hide file tree

Showing 23 changed files with 7,796 additions and 21 deletions.
diff --git a/stable/dex/Chart.yaml b/stable/dex/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v1
 name: dex
-version: 1.5.4
+version: 1.6.0
 appVersion: 2.17.0
 description: CoreOS Dex
 keywords:

diff --git a/stable/dex/templates/certificate.yaml b/stable/dex/templates/certificate.yaml
@@ -0,0 +1,19 @@
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: Certificate
+metadata:
+  name: dex
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": pre-install
+spec:
+  secretName: dex
+  issuerRef:
+    name: kubernetes-ca
+    kind: ClusterIssuer
+  commonName: dex
+  organization:
+    - D2iQ
+  dnsNames:
+    - dex-kubeaddons
+    - dex-kubeaddons.kubeaddons
+    - dex-kubeaddons.kubeaddons.svc.cluster.local
diff --git a/staging/cert-manager-setup/.helmignore b/staging/cert-manager-setup/.helmignore
@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/staging/cert-manager-setup/Chart.yaml b/staging/cert-manager-setup/Chart.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+name: cert-manager-setup
+home: https://github.com/mesosphere/charts
+version: 0.1.0
+appVersion: 0.10.0
+description: Install cert-manager and optionally add a ClusterIssuer
+keywords:
+- cert-manager
+- issuer
+- clusterissuer
+sources:
+- https://github.com/jetstack/cert-manager
+- https://github.com/jetstack/cert-manager/tree/master/deploy/charts/cert-manager
+maintainers:
+- name: timaa2k
+  email: tweidner@d2iq.com
+engine: gotpl
diff --git a/staging/cert-manager-setup/README.md b/staging/cert-manager-setup/README.md
@@ -0,0 +1,27 @@
+# cert-manager-setup
+
+cert-manager-setup installs [cert-manager](https://github.com/jetstack/cert-manager/blob/master/deploy/charts/cert-manager/README.md) which is a Kubernetes addon to automate the management and issuance of
+TLS certificates from various issuing sources.
+
+`cert-manager` will ensure certificates are valid and up to date periodically, and attempt
+to renew certificates at an appropriate time before expiry.
+
+`cert-manager-setup` deploys the cert-manager
+
+In addition to installing `cert-manager`, `cert-manager-setup` provides the capability to specify a `ClusterIssuer` in the `values.yaml` file which will be applied directly after the `cert-manager` installation has completed. In order for this to happen, `cert-manager-setup` sets up an `Issuer` in the `cert-manager` namespace. It then creates an intermediate certificate from the secret `kubernetes-root-ca` which must already contain ideally the Kubernetes root CA. The `ClusterIssuer` then uses the intermediate certificate derived from the Kubernetes root CA.
+
+# Supported values format
+
+```yaml
+clusterissuer:
+  name: clusterissuer-name
+  spec:
+    ca:
+      secretName: clusterissuer-secret
+```
+
+In the given example we create a `ClusterIssuer` named `clusterissuer-name` with the `ca` type. The `ca` type expects a secret that contains the Certificate Authority (CA) to be used by this `ClusterIssuer`. The spec follows the original `cert-manager` [spec](https://docs.cert-manager.io/en/latest/tasks/issuers/setup-ca.html#creating-an-issuer-referencing-the-secret).
+
+# Notes
+
+In order to submit the `ClusterIssuer` post installation, `cert-manager-setup` runs a post-install `Job` hook. In case that the hook fails the Job will not be cleaned up by Helm. This behavior is intended to ease debugging.
diff --git a/staging/cert-manager-setup/charts/cert-manager-v0.10.0.tgz b/staging/cert-manager-setup/charts/cert-manager-v0.10.0.tgz
diff --git a/staging/cert-manager-setup/requirements.lock b/staging/cert-manager-setup/requirements.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: cert-manager
+  repository: https://charts.jetstack.io
+  version: v0.10.0
+digest: sha256:28e79a359d2563500962b1791ffb542092daf6a6ee73e58b9681d21b9955974e
+generated: "2019-09-13T12:14:07.505937281+02:00"
diff --git a/staging/cert-manager-setup/requirements.yaml b/staging/cert-manager-setup/requirements.yaml
@@ -0,0 +1,4 @@
+dependencies:
+  - name: cert-manager
+    version: 0.10.0
+    repository: https://charts.jetstack.io
diff --git a/staging/cert-manager-setup/templates/NOTES.txt b/staging/cert-manager-setup/templates/NOTES.txt
@@ -0,0 +1 @@
+Deploys cert-manager and submits the kubernetes-ca ClusterIssuer post installation.
diff --git a/staging/cert-manager-setup/templates/_helpers.tpl b/staging/cert-manager-setup/templates/_helpers.tpl
@@ -0,0 +1,45 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "cert-manager-setup.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "cert-manager-setup.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "cert-manager-setup.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "cert-manager-setup.labels" -}}
+app.kubernetes.io/name: {{ include "cert-manager-setup.name" . }}
+helm.sh/chart: {{ include "cert-manager-setup.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
diff --git a/staging/cert-manager-setup/templates/clusterrole.yaml b/staging/cert-manager-setup/templates/clusterrole.yaml
@@ -0,0 +1,8 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: read-apiservices
+rules:
+- apiGroups: ["apiregistration.k8s.io"]
+  resources: ["apiservices"]
+  verbs: ["get", "watch", "list"]
diff --git a/staging/cert-manager-setup/templates/clusterrolebinding.yaml b/staging/cert-manager-setup/templates/clusterrolebinding.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: read-apiservices-rolebinding
+  namespace: {{ .Release.Namespace }}
+subjects:
+- kind: ServiceAccount
+  namespace: {{ .Release.Namespace }}
+  name: default
+roleRef:
+  kind: ClusterRole
+  name: read-apiservices
+  apiGroup: rbac.authorization.k8s.io