diff --git a/test/sthome-webhook/.helmignore b/test/sthome-webhook/.helmignore
new file mode 100644
index 0000000..bb15161
--- /dev/null
+++ b/test/sthome-webhook/.helmignore
@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.vs
+.project
+.idea/
+*.tmproj
diff --git a/test/sthome-webhook/0.0.1/app-readme.md b/test/sthome-webhook/0.0.1/app-readme.md
new file mode 100644
index 0000000..2809b30
--- /dev/null
+++ b/test/sthome-webhook/0.0.1/app-readme.md
@@ -0,0 +1,5 @@
+
+# sthome-webhook
+
+sthome-webhook is a chart designed to let user deploy a cert-manager webhook docker image in a TrueNAS SCALE kubernetes cluster.
+It provides a mechanism to specify workload type, add external host interfaces in the pods, configure volumes and allocate host resources to the workload.
\ No newline at end of file
diff --git a/test/sthome-webhook/0.0.1/ix_values.yaml b/test/sthome-webhook/0.0.1/ix_values.yaml
new file mode 100644
index 0000000..a27567a
--- /dev/null
+++ b/test/sthome-webhook/0.0.1/ix_values.yaml
@@ -0,0 +1,38 @@
+image:
+ repository: docker.io/stuurmcp/cert-manager-webhook-sthome
+ pullPolicy: Always
+ tag: 0.0.1@sha256:06a1c99b0a4853d0a69a4076ea7fd8e04e8b7dd523aad5dbf06e887ff3145690
+
+securityContext:
+ container:
+ readOnlyRootFilesystem: false
+
+service:
+ main:
+ ports:
+ main:
+ protocol: http
+ targetPort: 9117
+ port: 9117
+
+workload:
+ main:
+ podSpec:
+ containers:
+ main:
+ probes:
+ liveness:
+ path: "/UI/Login"
+ readiness:
+ path: "/UI/Login"
+ startup:
+ path: "/UI/Login"
+
+persistence:
+ config:
+ enabled: true
+ mountPath: "/config"
+
+portal:
+ open:
+ enabled: true
\ No newline at end of file
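Review bot: The keys under `service.main.ports.main` (http on 9117), the `/UI/Login` probe paths, `securityContext.container.readOnlyRootFilesystem`, `persistence` and `portal` are not read by any template in this commit; deployment.yaml serves HTTPS on 443 and probes `/healthz`, and service.yaml reads `.Values.service.type` and `.Values.service.port`, so this file looks carried over from a different chart. Only `image.*` is consumed as far as the visible templates show. Either drop the unused keys or, if a common library chart is expected to consume them, say which one in a comment such as `# Consumed by the <library> chart only; this chart's own templates ignore these keys`. The digest-pinned `image.tag` is the right default; keep it in sync with questions.yaml, where `tag` defaults to `"latest"`.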
diff --git a/test/sthome-webhook/CHANGELOG.md b/test/sthome-webhook/CHANGELOG.md
new file mode 100644
index 0000000..c95dbf6
--- /dev/null
+++ b/test/sthome-webhook/CHANGELOG.md
@@ -0,0 +1,10 @@
+---
+title: Changelog
+---
+
+## [sthome-webhook-0.0.1]
+
+### Chore
+
+- Development in progress
+
diff --git a/test/sthome-webhook/Chart.yaml b/test/sthome-webhook/Chart.yaml
new file mode 100644
index 0000000..eb2c2c2
--- /dev/null
+++ b/test/sthome-webhook/Chart.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+appVersion: "v0.0.1"
+description: Cert-Manager webhook for sthome
+name: sthome-webhook
+version: 0.0.1
diff --git a/test/sthome-webhook/icon.png b/test/sthome-webhook/icon.png
new file mode 100644
index 0000000..3883899
Binary files /dev/null and b/test/sthome-webhook/icon.png differ
diff --git a/test/sthome-webhook/item.yaml b/test/sthome-webhook/item.yaml
new file mode 100644
index 0000000..7f722e0
--- /dev/null
+++ b/test/sthome-webhook/item.yaml
@@ -0,0 +1,3 @@
+icon_url: "https://gitea.sthome.net/ACME/cert-manager-webhook-sthome/src/branch/main/icon.png"
+categories:
+ - generic
diff --git a/test/sthome-webhook/questions.yaml b/test/sthome-webhook/questions.yaml
new file mode 100644
index 0000000..502f2ff
--- /dev/null
+++ b/test/sthome-webhook/questions.yaml
@@ -0,0 +1,63 @@
+groups:
+ - name: "Container Images"
+ description: "Image to be used for container"
+questions:
+ - variable: image
+ label: "Docker Image"
+ description: "Docker Image Details"
+ group: "Container Images"
+ schema:
+ type: dict
+ required: true
+ attrs:
+ - variable: repository
+ description: "Docker image repository"
+ label: "Image repository"
+ schema:
+ type: string
+ required: true
+ - variable: tag
+ description: "Tag to use for specified image"
+ label: "Image Tag"
+ schema:
+ type: string
+ default: "latest"
+ - variable: pullPolicy
+ description: "Docker Image Pull Policy"
+ label: "Image Pull Policy"
+ schema:
+ type: string
+ default: "IfNotPresent"
+ enum:
+ - value: "IfNotPresent"
+ description: "Only pull image if not present on host"
+ - value: "Always"
+ description: "Always pull image even if present on host"
+ - value: "Never"
+ description: "Never pull image even if it's not present on host"
+ - variable: volume
+ label: "Volume"
+ schema:
+ type: dict
+ $ref:
+ - "normalize/ixVolume"
+ attrs:
+ - variable: mountPath
+ label: "Mount Path"
+ description: "Path where the volume will be mounted inside the pod"
+ schema:
+ type: path
+ required: true
+ - variable: datasetName
+ label: "Dataset Name"
+ schema:
+ type: string
+ required: true
+ - variable: hostInterface
+ description: "Please specify host interface"
+ label: "Host Interface"
+ schema:
+ type: string
+ required: true
+ $ref:
+ - "definitions/interface"
\ No newline at end of file
diff --git a/test/sthome-webhook/templates/NOTES.txt b/test/sthome-webhook/templates/NOTES.txt
new file mode 100644
index 0000000..e69de29
diff --git a/test/sthome-webhook/templates/_helpers.tpl b/test/sthome-webhook/templates/_helpers.tpl
new file mode 100644
index 0000000..d889995
--- /dev/null
+++ b/test/sthome-webhook/templates/_helpers.tpl
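Review bot: The `volume` and `hostInterface` questions are both `required: true`, yet no template in this commit reads `.Values.volume` or `.Values.hostInterface` (deployment.yaml mounts only the `certs` secret volume and configures no host networking), so users are forced through prompts that change nothing, while the values the templates actually depend on (`groupName`, `certManager.namespace`, `certManager.serviceAccountName`) have no question at all. Consider replacing those two questions with ones for `groupName` and `certManager.*`, or mark them in a comment as placeholders, e.g. `# not consumed by the chart templates yet`. The `tag` default of `"latest"` may also displace the digest-pinned tag from ix_values.yaml when a user accepts the default; defaulting to the pinned tag keeps the deployed image reproducible.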
@@ -0,0 +1,55 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "sthome-webhook.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "sthome-webhook.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "sthome-webhook.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "sthome-webhook.selfSignedIssuer" -}}
+{{ printf "%s-selfsign" (include "sthome-webhook.fullname" .) }}
+{{- end -}}
+
+{{- define "sthome-webhook.rootCAIssuer" -}}
+{{ printf "%s-ca" (include "sthome-webhook.fullname" .) }}
+{{- end -}}
+
+{{- define "sthome-webhook.rootCACertificate" -}}
+{{ printf "%s-ca" (include "sthome-webhook.fullname" .) }}
+{{- end -}}
+
+{{- define "sthome-webhook.servingCertificate" -}}
+{{ printf "%s-webhook-tls" (include "sthome-webhook.fullname" .) }}
+{{- end -}}
+
+{{/*
+Create base64 imagePullSecret using username and password.
+*/}}
+{{- define "imagePullSecret" }}
+{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.imageCredentials.registry (printf "%s:%s" .Values.imageCredentials.username .Values.imageCredentials.password | b64enc) | b64enc }}
+{{- end }}
\ No newline at end of file
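Review bot: The `imagePullSecret` helper at the end of the file reads `.Values.imageCredentials.registry`, `.username` and `.password`, but values.yaml in this commit defines only `imageCredentials.name` and deployment.yaml references that name directly under `imagePullSecrets`, so the helper is dead code and the only way to exercise it would be to place registry credentials in a committed values file. Prefer the existing-Secret reference and delete the helper; if it is kept for a future Secret template, say so in its comment, e.g. `Builds a .dockerconfigjson from imageCredentials.{registry,username,password}; unused until a Secret template renders it.` The `rootCAIssuer` and `rootCACertificate` helpers both render `<fullname>-ca`, which is fine because they name different kinds, but a one-line comment stating that the Issuer and Certificate intentionally share the name would save the next reader a check.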
diff --git a/test/sthome-webhook/templates/apiservice.yaml b/test/sthome-webhook/templates/apiservice.yaml
new file mode 100644
index 0000000..7f79f6d
--- /dev/null
+++ b/test/sthome-webhook/templates/apiservice.yaml
@@ -0,0 +1,19 @@
+apiVersion: apiregistration.k8s.io/v1
+kind: APIService
+metadata:
+ name: v1alpha1.{{ .Values.groupName }}
+ labels:
+ app: {{ include "sthome-webhook.name" . }}
+ chart: {{ include "sthome-webhook.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ annotations:
+ cert-manager.io/inject-ca-from: "{{ .Release.Namespace }}/{{ include "sthome-webhook.servingCertificate" . }}"
+spec:
+ group: {{ .Values.groupName }}
+ groupPriorityMinimum: 1000
+ versionPriority: 15
+ service:
+ name: {{ include "sthome-webhook.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ version: v1alpha1
diff --git a/test/sthome-webhook/templates/deployment.yaml b/test/sthome-webhook/templates/deployment.yaml
new file mode 100644
index 0000000..b505a12
--- /dev/null
+++ b/test/sthome-webhook/templates/deployment.yaml
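Review bot: `metadata.name: v1alpha1.{{ .Values.groupName }}` and `spec.group` render an invalid APIService when `groupName` is empty, and nothing in the chart fails early on that; rbac.yaml would likewise emit a rule on an empty API group. Use Helm's `required` at this first use, `name: v1alpha1.{{ required "groupName must be set" .Values.groupName }}`, so the install aborts with a clear message instead of registering a broken aggregated API. The same value is read in deployment.yaml and rbac.yaml, so one guard here is enough.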
@@ -0,0 +1,71 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "sthome-webhook.fullname" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ app: {{ include "sthome-webhook.name" . }}
+ chart: {{ include "sthome-webhook.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ replicas: {{ .Values.replicaCount }}
+ selector:
+ matchLabels:
+ app: {{ include "sthome-webhook.name" . }}
+ release: {{ .Release.Name }}
+ template:
+ metadata:
+ labels:
+ app: {{ include "sthome-webhook.name" . }}
+ release: {{ .Release.Name }}
+ spec:
+ serviceAccountName: {{ include "sthome-webhook.fullname" . }}
+ imagePullSecrets:
+ - name: {{ .Values.imageCredentials.name }}
+ containers:
+ - name: {{ .Chart.Name }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ args:
+ - --tls-cert-file=/tls/tls.crt
+ - --tls-private-key-file=/tls/tls.key
+ env:
+ - name: GROUP_NAME
+ value: {{ .Values.groupName | quote }}
+ ports:
+ - name: https
+ containerPort: 443
+ protocol: TCP
+ livenessProbe:
+ httpGet:
+ scheme: HTTPS
+ path: /healthz
+ port: https
+ readinessProbe:
+ httpGet:
+ scheme: HTTPS
+ path: /healthz
+ port: https
+ volumeMounts:
+ - name: certs
+ mountPath: /tls
+ readOnly: true
+ resources:
+{{ toYaml .Values.resources | indent 12 }}
+ volumes:
+ - name: certs
+ secret:
+ secretName: {{ include "sthome-webhook.servingCertificate" . }}
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+{{ toYaml . | indent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+{{ toYaml . | indent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+{{ toYaml . | indent 8 }}
+ {{- end }}
diff --git a/test/sthome-webhook/templates/pki.yaml b/test/sthome-webhook/templates/pki.yaml
new file mode 100644
index 0000000..1c61fa5
--- /dev/null
+++ b/test/sthome-webhook/templates/pki.yaml
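Review bot: The container has no `securityContext`, so the webhook runs with whatever the image defaults to (root unless the image sets a user), a writable root filesystem and the default capability set, even though ix_values.yaml in this same commit carries a `securityContext.container.readOnlyRootFilesystem` key that this template never reads. The process only needs to read the `/tls` mount and listen on one port, so the restricted-profile settings below should be safe to add; if the image binds 443 as a non-root user it will need either a port above 1024 or `NET_BIND_SERVICE`, which is not visible here and should be confirmed against the image. `imagePullSecrets` is also rendered unconditionally, so an empty `imageCredentials.name` produces an invalid manifest; wrapping that stanza in `{{- with .Values.imageCredentials.name }}` … `{{- end }}` makes it optional.
```yaml
      containers:
        - name: {{ .Chart.Name }}
          # … unchanged: image, imagePullPolicy, args, env, ports, probes, volumeMounts, resources …
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
```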
@@ -0,0 +1,76 @@
+---
+# Create a selfsigned Issuer, in order to create a root CA certificate for
+# signing webhook serving certificates
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: {{ include "sthome-webhook.selfSignedIssuer" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ app: {{ include "sthome-webhook.name" . }}
+ chart: {{ include "sthome-webhook.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ selfSigned: {}
+
+---
+
+# Generate a CA Certificate used to sign certificates for the webhook
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ include "sthome-webhook.rootCACertificate" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ app: {{ include "sthome-webhook.name" . }}
+ chart: {{ include "sthome-webhook.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ secretName: {{ include "sthome-webhook.rootCACertificate" . }}
+ duration: 43800h # 5y
+ issuerRef:
+ name: {{ include "sthome-webhook.selfSignedIssuer" . }}
+ commonName: "ca.sthome-webhook.cert-manager"
+ isCA: true
+
+---
+
+# Create an Issuer that uses the above generated CA certificate to issue certs
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: {{ include "sthome-webhook.rootCAIssuer" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ app: {{ include "sthome-webhook.name" . }}
+ chart: {{ include "sthome-webhook.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ ca:
+ secretName: {{ include "sthome-webhook.rootCACertificate" . }}
+
+---
+
+# Finally, generate a serving certificate for the webhook to use
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ include "sthome-webhook.servingCertificate" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ app: {{ include "sthome-webhook.name" . }}
+ chart: {{ include "sthome-webhook.chart" . 
}}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ secretName: {{ include "sthome-webhook.servingCertificate" . }}
+ duration: 8760h # 1y
+ issuerRef:
+ name: {{ include "sthome-webhook.rootCAIssuer" . }}
+ dnsNames:
+ - {{ include "sthome-webhook.fullname" . }}
+ - {{ include "sthome-webhook.fullname" . }}.{{ .Release.Namespace }}
+ - {{ include "sthome-webhook.fullname" . }}.{{ .Release.Namespace }}.svc
diff --git a/test/sthome-webhook/templates/rbac.yaml b/test/sthome-webhook/templates/rbac.yaml
new file mode 100644
index 0000000..4c9a49d
--- /dev/null
+++ b/test/sthome-webhook/templates/rbac.yaml
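Review bot: Both `duration` fields are hard-coded (`43800h` on the CA Certificate, `8760h` on the serving Certificate) while values.yaml in this commit defines `pki.caDuration` and `pki.servingCertificateDuration` with exactly those values, so editing the values has no effect on the rendered PKI. Wire them through as `duration: {{ .Values.pki.caDuration }}` and `duration: {{ .Values.pki.servingCertificateDuration }}`. The `issuerRef` stanzas also omit `kind: Issuer`; cert-manager defaults to that kind, but stating it keeps the chain unambiguous should a ClusterIssuer with the same name ever exist.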
@@ -0,0 +1,91 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "sthome-webhook.fullname" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ app: {{ include "sthome-webhook.name" . }}
+ chart: {{ include "sthome-webhook.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+---
+# Grant the webhook permission to read the ConfigMap containing the Kubernetes
+# apiserver's requestheader-ca-certificate.
+# This ConfigMap is automatically created by the Kubernetes apiserver.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "sthome-webhook.fullname" . }}:webhook-authentication-reader
+ namespace: kube-system
+ labels:
+ app: {{ include "sthome-webhook.name" . }}
+ chart: {{ include "sthome-webhook.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: extension-apiserver-authentication-reader
+subjects:
+ - apiGroup: ""
+ kind: ServiceAccount
+ name: {{ include "sthome-webhook.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+---
+# apiserver gets the auth-delegator role to delegate auth decisions to
+# the core apiserver
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "sthome-webhook.fullname" . }}:auth-delegator
+ labels:
+ app: {{ include "sthome-webhook.name" . }}
+ chart: {{ include "sthome-webhook.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:auth-delegator
+subjects:
+ - apiGroup: ""
+ kind: ServiceAccount
+ name: {{ include "sthome-webhook.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+---
+# Grant cert-manager permission to validate using our apiserver
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "sthome-webhook.fullname" . 
}}:domain-solver
+ labels:
+ app: {{ include "sthome-webhook.name" . }}
+ chart: {{ include "sthome-webhook.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+rules:
+ - apiGroups:
+ - {{ .Values.groupName }}
+ resources:
+ - '*'
+ verbs:
+ - 'create'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "sthome-webhook.fullname" . }}:domain-solver
+ labels:
+ app: {{ include "sthome-webhook.name" . }}
+ chart: {{ include "sthome-webhook.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ include "sthome-webhook.fullname" . }}:domain-solver
+subjects:
+ - apiGroup: ""
+ kind: ServiceAccount
+ name: {{ .Values.certManager.serviceAccountName }}
+ namespace: {{ .Values.certManager.namespace }}
diff --git a/test/sthome-webhook/templates/service.yaml b/test/sthome-webhook/templates/service.yaml
new file mode 100644
index 0000000..35c40de
--- /dev/null
+++ b/test/sthome-webhook/templates/service.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "sthome-webhook.fullname" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ app: {{ include "sthome-webhook.name" . }}
+ chart: {{ include "sthome-webhook.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ type: {{ .Values.service.type }}
+ ports:
+ - port: {{ .Values.service.port }}
+ targetPort: https
+ protocol: TCP
+ name: https
+ selector:
+ app: {{ include "sthome-webhook.name" . }}
+ release: {{ .Release.Name }}
diff --git a/test/sthome-webhook/values.yaml b/test/sthome-webhook/values.yaml
new file mode 100644
index 0000000..b7d6369
--- /dev/null
+++ b/test/sthome-webhook/values.yaml
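Review bot: The `domain-solver` ClusterRole grants `create` on `'*'` resources in `{{ .Values.groupName }}` to cert-manager's ServiceAccount; the `extension-apiserver-authentication-reader` RoleBinding and the `system:auth-delegator` ClusterRoleBinding are the standard grants an aggregated API server needs, so the wildcard is the only part here that goes beyond the minimum. If the solver resource name the webhook serves is fixed, list it in place of `'*'` so cert-manager can only create challenge payloads for that solver; a comment such as `# '*' because the solver name is chosen at runtime` would justify keeping the wildcard otherwise. The second ClusterRoleBinding's subject `name` and `namespace` come from `certManager.*` in values.yaml with no `required` guard, and an empty or mistyped value there is better surfaced at install than as a failed DNS01 challenge later.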
@@ -0,0 +1,59 @@
+# The GroupName here is used to identify your company or business unit that
+# created this webhook.
+# For sthome, this may be "webhook.acme.cert-manager.io".
+# This name will need to be referenced in each Issuer's `webhook` stanza to
+# inform cert-manager of where to send ChallengePayload resources in order to
+# solve the DNS01 challenge.
+# This group name should be **unique**, hence using your own company's domain
+# here is recommended.
+groupName: acme.sthome.net
+
+certManager:
+ namespace: ix-cert-manager
+ serviceAccountName: cert-manager
+
+image:
+ repository: stuurmcp/cert-manager-webhook-sthome
+ tag: 0.0.1
+ #pullPolicy should be IfNotPresent. Set to Always for testing purposes
+ pullPolicy: Always
+
+imageCredentials:
+ name: docker-registry-credentials
+
+nameOverride: ""
+fullnameOverride: ""
+
+replicaCount: 1
+
+pki:
+ caDuration: 43800h # 5y
+ servingCertificateDuration: 8760h # 1y
+
+secret:
+ accessKey: ""
+ secretKey: ""
+ name: sthome-webhook-secret
+
+service:
+ type: ClusterIP
+ port: 443
+
+resources: {}
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
+
\ No newline at end of file
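Review bot: `secret.accessKey` and `secret.secretKey` are empty placeholders that invite a user to put DNS-provider credentials straight into a values file that lives in the repository, and no template in this commit reads `secret.*` at all. Keep only `secret.name` as a reference to a Secret created out of band (the same pattern deployment.yaml already uses for `imageCredentials.name`), drop the two credential keys, and annotate it with `# Name of an existing Secret holding the DNS provider credentials; do not store them in values`. The `pki.*` durations are not consumed by pki.yaml, and the comment `# For sthome, this may be "webhook.acme.cert-manager.io"` contradicts the `acme.sthome.net` default directly beneath it, so one of the two should be corrected.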