Initial release

.yamllint.yml

@@ -22,3 +22,4 @@ ignore: |
   manifests/
   vendor/
   compiled/
+  tests/golden/

class/cert-exoscale.yml

@@ -9,3 +9,16 @@ parameters:
           - ${_base_directory}/component/main.jsonnet
         input_type: jsonnet
         output_path: cert-exoscale/
+      # kustomize
+      - input_paths:
+          - ${_base_directory}/component/cert-exoscale.jsonnet
+        input_type: jsonnet
+        output_path: ${_base_directory}/manifests/cert-exoscale
+      - input_paths:
+          - ${_kustomize_wrapper}
+        input_type: external
+        output_path: .
+        env_vars:
+          INPUT_DIR: ${_base_directory}/manifests/cert-exoscale
+        args:
+          - \${compiled_target_dir}/${_instance}/10_kustomize/cert-exoscale

class/defaults.yml

@@ -2,3 +2,17 @@ parameters:
   cert_exoscale:
     =_metadata: {}
     namespace: syn-cert-exoscale
+
+    manifestVersion: v0.3.0
+    kustomizeInput:
+      namespace: ${cert_exoscale:namespace}
+
+    images:
+      webhook:
+        registry: docker.io
+        repository: exoscale/cert-manager-webhook-exoscale
+        tag: 0.3.0
+
+    secret:
+      accessKey: '?{vaultkv:${cluster:tenant}/${cluster:name}/exoscale/cert_webhook/s3_access_key}'
+      secretKey: '?{vaultkv:${cluster:tenant}/${cluster:name}/exoscale/cert_webhook/s3_secret_key}'

component/app.jsonnet

@@ -3,7 +3,15 @@ local inv = kap.inventory();
 local params = inv.parameters.cert_exoscale;
 local argocd = import 'lib/argocd.libjsonnet';
 
-local app = argocd.App('cert-exoscale', params.namespace);
+local app = argocd.App('cert-exoscale', params.namespace) {
+  spec+: {
+    syncPolicy+: {
+      syncOptions+: [
+        'ServerSideApply=true',
+      ],
+    },
+  },
+};
 
 {
   'cert-exoscale': app,

component/cert-exoscale.jsonnet

@@ -0,0 +1,101 @@
+// main template for cm-hetznercloud
+local com = import 'lib/commodore.libjsonnet';
+local kap = import 'lib/kapitan.libjsonnet';
+local kube = import 'lib/kube.libjsonnet';
+local inv = kap.inventory();
+
+// The hiera parameters for the component
+local params = inv.parameters.cert_exoscale;
+local paramsCertManager = inv.parameters.cert_manager;
+
+
+local certExoscale = com.Kustomization(
+  'https://github.com/exoscale/cert-manager-webhook-exoscale//deploy/exoscale-webhook-kustomize',
+  params.manifestVersion,
+  {
+    'exoscale/cert-manager-webhook-exoscale': {
+      newTag: params.images.webhook.tag,
+      newName: '%(registry)s/%(repository)s' % params.images.webhook,
+    },
+  },
+  {
+    patches: [
+      {
+        target: {
+          kind: 'Deployment',
+          name: 'cert-manager-webhook-exoscale',
+          namespace: 'cert-manager',
+        },
+        patch: |||
+          - op: add
+            path: /spec/template/spec/containers/0/args/-
+            value: --secure-port=8443
+          - op: replace
+            path: /spec/template/spec/containers/0/ports/0/containerPort
+            value: 8443
+          - op: replace
+            path: /spec/replicas
+            value: 1
+        |||,
+      },
+      {
+        target: {
+          kind: 'ClusterRoleBinding',
+          name: 'cert-manager-webhook-exoscale:domain-solver',
+        },
+        patch: |||
+          - op: replace
+            path: /subjects/0/namespace
+            value: %(namespace)s
+        ||| % { namespace: paramsCertManager.namespace },
+      },
+      {
+        target: {
+          kind: 'APIService',
+          name: 'v1alpha1.acme.exoscale.com',
+        },
+        patch: |||
+          - op: replace
+            path: /metadata/annotations
+            value:
+              cert-manager.io/inject-ca-from: %(namespace)s/cert-manager-webhook-exoscale-webhook-tls
+        ||| % { namespace: params.namespace },
+      },
+      {
+        target: {
+          kind: 'Certificate',
+          name: 'cert-manager-webhook-exoscale-ca',
+          namespace: 'cert-manager',
+        },
+        patch: |||
+          - op: replace
+            path: /spec/commonName
+            value: ca.exoscale-webhook.%(namespace)s
+          - op: replace
+            path: /spec/duration
+            value: 43800h0m0s
+        ||| % { namespace: params.namespace },
+      },
+      {
+        target: {
+          kind: 'Certificate',
+          name: 'cert-manager-webhook-exoscale-webhook-tls',
+          namespace: 'cert-manager',
+        },
+        patch: |||
+          - op: replace
+            path: /spec/dnsNames
+            value:
+              - cert-manager-webhook-exoscale
+              - cert-manager-webhook-exoscale.%(namespace)s
+              - cert-manager-webhook-exoscale.%(namespace)s.svc
+          - op: replace
+            path: /spec/duration
+            value: 8760h0m0s
+        ||| % { namespace: params.namespace },
+      },
+    ],
+  } + com.makeMergeable(params.kustomizeInput),
+) {};
+
+certExoscale

component/main.jsonnet

@@ -2,9 +2,34 @@
 local kap = import 'lib/kapitan.libjsonnet';
 local kube = import 'lib/kube.libjsonnet';
 local inv = kap.inventory();
+
 // The hiera parameters for the component
 local params = inv.parameters.cert_exoscale;
+local isOpenshift = std.member([ 'openshift', 'oke' ], inv.parameters.facts.distribution);
+
+local namespace = kube.Namespace(params.namespace) {
+  metadata+: {
+    labels+: {
+      'app.kubernetes.io/name': params.namespace,
+      // Configure the namespaces so that the OCP4 cluster-monitoring
+      // Prometheus can find the servicemonitors and rules.
+      [if isOpenshift then 'openshift.io/cluster-monitoring']: 'true',
+    },
+  },
+};
+
+local secret = kube.Secret('exoscale-secret') {
+  metadata+: {
+    namespace: params.namespace,
+  },
+  stringData: {
+    EXOSCALE_API_KEY: params.secret.accessKey,
+    EXOSCALE_API_SECRET: params.secret.secretKey,
+  },
+};
 
 // Define outputs below
 {
+  '00_namespace': namespace,
+  '20_secret': secret,
 }

docs/modules/ROOT/pages/references/parameters.adoc

@@ -11,6 +11,53 @@ default:: `syn-cert-exoscale`
 The namespace in which to deploy this component.
 
 
+== `kustomizeInput`
+
+[horizontal]
+type:: string
+default::
++
+[source,yaml]
+----
+namespace: ${cert_exoscale:namespace}
+----
+
+Values passed to Kustomize.
+
+See https://github.com/exoscale/cert-manager-webhook-exoscale/tree/master/deploy/exoscale-webhook-kustomize[Upstream Kustomize].
+
+
+== `secret`
+
+[horizontal]
+type:: string
+default::
++
+[source,yaml]
+----
+accessKey: '?{vaultkv:${cluster:tenant}/${cluster:name}/exoscale/cert_webhook/s3_access_key}'
+secretKey: '?{vaultkv:${cluster:tenant}/${cluster:name}/exoscale/cert_webhook/s3_secret_key}'
+----
+
+The API access key and secret key for managing DNS records.
+
+See https://www.exoscale.com/syslog/cert-manager-webhook-exoscale/[Exoscale Documentation].
+
+=== Create API Key
+
+[source,yaml]
+----
+exo iam access-key create \
+  --operation list-dns-domains \
+  --operation list-dns-domain-records \
+  --operation  get-dns-domain-record \
+  --operation get-operation \
+  --operation create-dns-domain-record \
+  --operation delete-dns-domain-record \
+  cert-manager-webhook-key
+----
+
+
 == Example
 
 [source,yaml]

tests/defaults.yml

@@ -1,3 +1,3 @@
-# Overwrite parameters here
-
-# parameters: {...}
+parameters:
+  cert_manager:
+    namespace: syn-cert-manager

tests/golden/defaults/cert-exoscale/apps/cert-exoscale.yaml

@@ -0,0 +1,4 @@
+spec:
+  syncPolicy:
+    syncOptions:
+      - ServerSideApply=true

tests/golden/defaults/cert-exoscale/cert-exoscale/00_namespace.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  annotations: {}
+  labels:
+    app.kubernetes.io/name: syn-cert-exoscale
+    name: syn-cert-exoscale
+  name: syn-cert-exoscale

tests/golden/defaults/cert-exoscale/cert-exoscale/10_kustomize/cert-exoscale/apiregistration.k8s.io_v1_apiservice_v1alpha1.acme.exoscale.com.yaml

@@ -0,0 +1,19 @@
+apiVersion: apiregistration.k8s.io/v1
+kind: APIService
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from: syn-cert-exoscale/cert-manager-webhook-exoscale-webhook-tls
+  labels:
+    app: exoscale-webhook
+    chart: exoscale-webhook-0.3.0
+    heritage: Helm
+    release: exoscale-webhook
+  name: v1alpha1.acme.exoscale.com
+spec:
+  group: acme.exoscale.com
+  groupPriorityMinimum: 1000
+  service:
+    name: cert-manager-webhook-exoscale
+    namespace: syn-cert-exoscale
+  version: v1alpha1
+  versionPriority: 15

tests/golden/defaults/cert-exoscale/cert-exoscale/10_kustomize/cert-exoscale/apps_v1_deployment_cert-manager-webhook-exoscale.yaml

@@ -0,0 +1,61 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: exoscale-webhook
+    chart: exoscale-webhook-0.3.0
+    heritage: Helm
+    release: exoscale-webhook
+  name: cert-manager-webhook-exoscale
+  namespace: syn-cert-exoscale
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: exoscale-webhook
+      release: exoscale-webhook
+  template:
+    metadata:
+      labels:
+        app: exoscale-webhook
+        release: exoscale-webhook
+    spec:
+      containers:
+      - args:
+        - --tls-cert-file=/tls/tls.crt
+        - --tls-private-key-file=/tls/tls.key
+        - --secure-port=8443
+        env:
+        - name: GROUP_NAME
+          value: acme.exoscale.com
+        - name: EXOSCALE_DEBUG
+          value: ""
+        - name: EXOSCALE_API_TRACE
+          value: ""
+        image: docker.io/exoscale/cert-manager-webhook-exoscale:0.3.0
+        imagePullPolicy: IfNotPresent
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: https
+            scheme: HTTPS
+        name: exoscale-webhook
+        ports:
+        - containerPort: 8443
+          name: https
+          protocol: TCP
+        readinessProbe:
+          httpGet:
+            path: /healthz
+            port: https
+            scheme: HTTPS
+        resources: {}
+        volumeMounts:
+        - mountPath: /tls
+          name: certs
+          readOnly: true
+      serviceAccountName: cert-manager-webhook-exoscale
+      volumes:
+      - name: certs
+        secret:
+          secretName: cert-manager-webhook-exoscale-webhook-tls

tests/golden/defaults/cert-exoscale/cert-exoscale/10_kustomize/cert-exoscale/cert-manager.io_v1_certificate_cert-manager-webhook-exoscale-ca.yaml

@@ -0,0 +1,17 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  labels:
+    app: exoscale-webhook
+    chart: exoscale-webhook-0.3.0
+    heritage: Helm
+    release: exoscale-webhook
+  name: cert-manager-webhook-exoscale-ca
+  namespace: syn-cert-exoscale
+spec:
+  commonName: ca.exoscale-webhook.syn-cert-exoscale
+  duration: 43800h0m0s
+  isCA: true
+  issuerRef:
+    name: cert-manager-webhook-exoscale-selfsign
+  secretName: cert-manager-webhook-exoscale-ca

tests/golden/defaults/cert-exoscale/cert-exoscale/10_kustomize/cert-exoscale/cert-manager.io_v1_certificate_cert-manager-webhook-exoscale-webhook-tls.yaml

@@ -0,0 +1,19 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  labels:
+    app: exoscale-webhook
+    chart: exoscale-webhook-0.3.0
+    heritage: Helm
+    release: exoscale-webhook
+  name: cert-manager-webhook-exoscale-webhook-tls
+  namespace: syn-cert-exoscale
+spec:
+  dnsNames:
+  - cert-manager-webhook-exoscale
+  - cert-manager-webhook-exoscale.syn-cert-exoscale
+  - cert-manager-webhook-exoscale.syn-cert-exoscale.svc
+  duration: 8760h0m0s
+  issuerRef:
+    name: cert-manager-webhook-exoscale-ca
+  secretName: cert-manager-webhook-exoscale-webhook-tls