Add scaleway-webhook chart

suda · Jun 29, 2023 · 64c7275 · 64c7275
1 parent 75148f9
commit 64c7275
Show file tree

Hide file tree

Showing 11 changed files with 468 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -23,6 +23,7 @@ See [Artifact Hub](https://artifacthub.io/packages/search?repo=suda) or [charts]
 ## Acknowledgements
 
 * [`documentserver` chart](charts/documentserver) is based on [ONLYOFFICE chart/documentation](https://github.com/ONLYOFFICE/Kubernetes-Docs)
+* [`scaleway-webhook` chart](charts/scaleway-webhook) is based on [`cert-manager-webhook-scaleway` deployment chart](https://github.com/scaleway/cert-manager-webhook-scaleway/tree/main/deploy)
 
 ## License
 

diff --git a/charts/scaleway-webhook/Chart.yaml b/charts/scaleway-webhook/Chart.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+appVersion: "v0.0.1"
+description: Cert-Manager webhook for Scaleway
+name: scaleway-webhook
+version: 0.0.1
diff --git a/charts/scaleway-webhook/README.md b/charts/scaleway-webhook/README.md
@@ -0,0 +1,32 @@
+# scaleway-webhook
+
+![Version: 0.0.1](https://img.shields.io/badge/Version-0.0.1-informational?style=flat-square) ![AppVersion: v0.0.1](https://img.shields.io/badge/AppVersion-v0.0.1-informational?style=flat-square)
+
+Cert-Manager webhook for Scaleway
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| affinity | object | `{}` |  |
+| certManager.namespace | string | `"cert-manager"` |  |
+| certManager.serviceAccountName | string | `"cert-manager"` |  |
+| fullnameOverride | string | `""` |  |
+| groupName | string | `"acme.scaleway.com"` |  |
+| image.imagePullSecrets | list | `[]` |  |
+| image.pullPolicy | string | `"IfNotPresent"` |  |
+| image.repository | string | `"scaleway/cert-manager-webhook-scaleway"` |  |
+| nameOverride | string | `""` |  |
+| nodeSelector | object | `{}` |  |
+| pki.caDuration | string | `"43800h"` |  |
+| pki.servingCertificateDuration | string | `"8760h"` |  |
+| resources | object | `{}` |  |
+| secret.accessKey | string | `""` |  |
+| secret.name | string | `"scaleway-webhook-secret"` |  |
+| secret.secretKey | string | `""` |  |
+| service.port | int | `443` |  |
+| service.type | string | `"ClusterIP"` |  |
+| tolerations | list | `[]` |  |
+
+----------------------------------------------
+Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0)
diff --git a/charts/scaleway-webhook/templates/_helpers.tpl b/charts/scaleway-webhook/templates/_helpers.tpl
@@ -0,0 +1,49 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "scaleway-webhook.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "scaleway-webhook.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "scaleway-webhook.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "scaleway-webhook.selfSignedIssuer" -}}
+{{ printf "%s-selfsign" (include "scaleway-webhook.fullname" .) }}
+{{- end -}}
+
+{{- define "scaleway-webhook.rootCAIssuer" -}}
+{{ printf "%s-ca" (include "scaleway-webhook.fullname" .) }}
+{{- end -}}
+
+{{- define "scaleway-webhook.rootCACertificate" -}}
+{{ printf "%s-ca" (include "scaleway-webhook.fullname" .) }}
+{{- end -}}
+
+{{- define "scaleway-webhook.servingCertificate" -}}
+{{ printf "%s-webhook-tls" (include "scaleway-webhook.fullname" .) }}
+{{- end -}}
+
diff --git a/charts/scaleway-webhook/templates/apiservice.yaml b/charts/scaleway-webhook/templates/apiservice.yaml
@@ -0,0 +1,19 @@
+apiVersion: apiregistration.k8s.io/v1
+kind: APIService
+metadata:
+  name: v1alpha1.{{ .Values.groupName }}
+  labels:
+    app: {{ include "scaleway-webhook.name" . }}
+    chart: {{ include "scaleway-webhook.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+  annotations:
+    cert-manager.io/inject-ca-from: "{{ .Release.Namespace }}/{{ include "scaleway-webhook.servingCertificate" . }}"
+spec:
+  group: {{ .Values.groupName }}
+  groupPriorityMinimum: 1000
+  versionPriority: 15
+  service:
+    name: {{ include "scaleway-webhook.fullname" . }}
+    namespace: {{ .Release.Namespace }}
+  version: v1alpha1
diff --git a/charts/scaleway-webhook/templates/deployment.yaml b/charts/scaleway-webhook/templates/deployment.yaml
@@ -0,0 +1,78 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "scaleway-webhook.fullname" . }}
+  labels:
+    app: {{ include "scaleway-webhook.name" . }}
+    chart: {{ include "scaleway-webhook.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      app: {{ include "scaleway-webhook.name" . }}
+      release: {{ .Release.Name }}
+  template:
+    metadata:
+      labels:
+        app: {{ include "scaleway-webhook.name" . }}
+        release: {{ .Release.Name }}
+    spec:
+      serviceAccountName: {{ include "scaleway-webhook.fullname" . }}
+      {{- with .Values.image.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      containers:
+        - name: {{ .Chart.Name }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          args:
+            - --tls-cert-file=/tls/tls.crt
+            - --tls-private-key-file=/tls/tls.key
+          env:
+            - name: GROUP_NAME
+              value: {{ .Values.groupName | quote }}
+          {{ if and .Values.secret.accessKey .Values.secret.secretKey }}
+          envFrom:
+          - secretRef:
+              name: {{ .Values.secret.name }}
+          {{ end }}
+          ports:
+            - name: https
+              containerPort: 443
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              scheme: HTTPS
+              path: /healthz
+              port: https
+          readinessProbe:
+            timeoutSeconds: 5
+            httpGet:
+              scheme: HTTPS
+              path: /healthz
+              port: https
+          volumeMounts:
+            - name: certs
+              mountPath: /tls
+              readOnly: true
+          resources:
+{{ toYaml .Values.resources | indent 12 }}
+      volumes:
+        - name: certs
+          secret:
+            secretName: {{ include "scaleway-webhook.servingCertificate" . }}
+    {{- with .Values.nodeSelector }}
+      nodeSelector:
+{{ toYaml . | indent 8 }}
+    {{- end }}
+    {{- with .Values.affinity }}
+      affinity:
+{{ toYaml . | indent 8 }}
+    {{- end }}
+    {{- with .Values.tolerations }}
+      tolerations:
+{{ toYaml . | indent 8 }}
+    {{- end }}
diff --git a/charts/scaleway-webhook/templates/pki.yaml b/charts/scaleway-webhook/templates/pki.yaml
@@ -0,0 +1,76 @@
+---
+# Create a selfsigned Issuer, in order to create a root CA certificate for
+# signing webhook serving certificates
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ include "scaleway-webhook.selfSignedIssuer" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    app: {{ include "scaleway-webhook.name" . }}
+    chart: {{ include "scaleway-webhook.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  selfSigned: {}
+
+---
+
+# Generate a CA Certificate used to sign certificates for the webhook
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ include "scaleway-webhook.rootCACertificate" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    app: {{ include "scaleway-webhook.name" . }}
+    chart: {{ include "scaleway-webhook.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  secretName: {{ include "scaleway-webhook.rootCACertificate" . }}
+  duration: {{ .Values.pki.caDuration }}
+  issuerRef:
+    name: {{ include "scaleway-webhook.selfSignedIssuer" . }}
+  commonName: "ca.scaleway-webhook.cert-manager"
+  isCA: true
+
+---
+
+# Create an Issuer that uses the above generated CA certificate to issue certs
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ include "scaleway-webhook.rootCAIssuer" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    app: {{ include "scaleway-webhook.name" . }}
+    chart: {{ include "scaleway-webhook.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  ca:
+    secretName: {{ include "scaleway-webhook.rootCACertificate" . }}
+
+---
+
+# Finally, generate a serving certificate for the webhook to use
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ include "scaleway-webhook.servingCertificate" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    app: {{ include "scaleway-webhook.name" . }}
+    chart: {{ include "scaleway-webhook.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  secretName: {{ include "scaleway-webhook.servingCertificate" . }}
+  duration: {{ .Values.pki.servingCertificateDuration }}
+  issuerRef:
+    name: {{ include "scaleway-webhook.rootCAIssuer" . }}
+  dnsNames:
+  - {{ include "scaleway-webhook.fullname" . }}
+  - {{ include "scaleway-webhook.fullname" . }}.{{ .Release.Namespace }}
+  - {{ include "scaleway-webhook.fullname" . }}.{{ .Release.Namespace }}.svc