diff --git a/base/argocd-resources-manager/values.yaml b/base/argocd-resources-manager/values.yaml index 9d22fdb..123f36c 100644 --- a/base/argocd-resources-manager/values.yaml +++ b/base/argocd-resources-manager/values.yaml @@ -4,8 +4,8 @@ # Set cluster names ... # https://issues.redhat.com/browse/GITOPS-1777 # The issue that the in-cluster cannot be renamed has been resolved -mgmt-cluster: &mgmtcluster https://api.ocp.aws.ispworld.at:6443 -mgmt-cluster-name: &mgmtclustername local-cluster +mgmt-cluster: &mgmtcluster https://kubernetes.default.svc +mgmt-cluster-name: &mgmtclustername in-cluster production-cluster: &prodcluster https://api.ocp.aws.ispworld.at:6443 production-cluster-name: &prodclustername prod diff --git a/clusters/management-cluster/cert-manager/Chart.yaml b/clusters/management-cluster/cert-manager/Chart.yaml new file mode 100644 index 0000000..7206c56 --- /dev/null +++ b/clusters/management-cluster/cert-manager/Chart.yaml @@ -0,0 +1,24 @@ +apiVersion: v2 +name: cert-manager +description: Setup and configure the cert Manager operator +home: https://github.com/tjungbauer/openshift-clusterconfig-gitops/tree/main/clusters/management-cluster/cert-manager +version: 1.0.0 +dependencies: + - name: helper-operator + version: ~1.0.21 + repository: https://charts.stderr.at/ + - name: helper-status-checker + version: ~4.0.0 + repository: https://charts.stderr.at/ + condition: helper-status-checker.enabled +maintainers: + - name: tjungbauer + email: tjungbau@redhat.com + url: https://blog.stderr.at/ +sources: + - https://github.com/tjungbauer/helm-charts + - https://charts.stderr.at/ + - https://github.com/tjungbauer/openshift-clusterconfig-gitops +keywords: + - compliance + - security diff --git a/clusters/management-cluster/cert-manager/LICENSE b/clusters/management-cluster/cert-manager/LICENSE new file mode 100644 index 0000000..1652d17 --- /dev/null +++ b/clusters/management-cluster/cert-manager/LICENSE 
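Review bot: The comment kept directly above the changed lines, `# The issue that the in-cluster cannot be renamed has been resolved`, now contradicts the new values, which revert `mgmt-cluster-name` to the default `in-cluster` and point `mgmt-cluster` at `https://kubernetes.default.svc`; a reader will assume the rename is still in effect. Replace it with something like `# Management cluster is addressed through the in-cluster service endpoint under the default destination name`. Note that `production-cluster` keeps the external API URL, so if the two anchors are meant to describe the same cluster they no longer resolve to the same endpoint — worth a comment either way.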
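Review bot: The dependency versions `~1.0.21` and `~4.0.0` in the new Chart.yaml are tilde ranges, so every `helm dependency update` resolves to whatever newest matching patch release `https://charts.stderr.at/` serves at that moment; for a cluster-configuration repository that makes a sync non-reproducible and lets an upstream chart change reach the management cluster without a commit here. Pin exact versions (e.g. `version: 1.0.21`) or at least commit the generated `Chart.lock` so the resolved releases go through review. The `keywords` entries `compliance` and `security` do not describe cert-manager and look carried over from another chart.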
@@ -0,0 +1,13 @@
+Copyright 2022 Thomas Jungbauer
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
\ No newline at end of file
diff --git a/clusters/management-cluster/cert-manager/templates/CertManager.yaml b/clusters/management-cluster/cert-manager/templates/CertManager.yaml
new file mode 100644
index 0000000..1cb74e2
--- /dev/null
+++ b/clusters/management-cluster/cert-manager/templates/CertManager.yaml
@@ -0,0 +1,23 @@
+{{- with .Values.clusterManager }}
+{{ if eq (.enable_patch | toString) "true" }}
+---
+apiVersion: operator.openshift.io/v1alpha1
+kind: CertManager
+metadata:
+ name: cluster
+ labels:
+ {{- include "common.labels" $ | nindent 4 }}
+ annotations:
+ argocd.argoproj.io/sync-wave: {{ .syncwave | default 10 | quote }}
+spec:
+ logLevel: Normal
+ managementState: Managed
+ observedConfig: null
+ operatorLogLevel: Normal
+ controllerConfig:
+ overrideArgs:
+ {{- range .overrideArgs }}
+ - {{ . }}
+ {{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/clusters/management-cluster/cert-manager/templates/ClusterIssuer.yaml b/clusters/management-cluster/cert-manager/templates/ClusterIssuer.yaml
new file mode 100644
index 0000000..eaec8de
--- /dev/null
+++ b/clusters/management-cluster/cert-manager/templates/ClusterIssuer.yaml
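Review bot: The `overrideArgs` items in CertManager.yaml are emitted as plain scalars at `- {{ . }}`, so a value that starts with a YAML indicator or contains `: ` or ` #` is re-typed or breaks the render; the accompanying values file already passes arguments such as `--dns01-recursive-nameservers=...:53,...` that rely on plain-scalar parsing staying benign. Render each item as a string with `- {{ . | quote }}`. The `{{ if eq (.enable_patch | toString) "true" }}` line lacks the `-` whitespace trim used on the surrounding actions and so emits a stray blank line inside the `with` block; `{{- if eq (.enable_patch | toString) "true" }}` keeps the output tidy.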
@@ -0,0 +1,25 @@
+{{- with .Values.clusterIssuer }}
+{{ if eq (.enabled | toString) "true" }}
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: {{ .name }}
+ labels:
+ {{- include "common.labels" $ | nindent 4 }}
+ annotations:
+ argocd.argoproj.io/sync-wave: {{ .syncwave | default 20 | quote }}
+spec:
+ {{- if .acme }}
+ {{- with .acme }}
+ acme:
+ email: {{ .email }}
+ privateKeySecretRef:
+ name: {{ .privKeyRef | default "letsencrypt-account-key" }}
+ server: {{ .server | default "https://acme-v02.api.letsencrypt.org/directory" }}
+ solvers:
+ {{- toYaml .solvers | nindent 6 }}
+ {{- end }}
+ {{- end }}
+{{- end }}
+{{- end }}
diff --git a/clusters/management-cluster/cert-manager/templates/_helpers.tpl b/clusters/management-cluster/cert-manager/templates/_helpers.tpl
new file mode 100644
index 0000000..b067f32
--- /dev/null
+++ b/clusters/management-cluster/cert-manager/templates/_helpers.tpl
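Review bot: `name: {{ .name }}` and `email: {{ .email }}` are rendered as plain scalars, so an empty value becomes `null` and a value containing `: ` or `#` changes the document; use `name: {{ .name | quote }}` and `email: {{ .email | quote }}`, and consider `{{ required "clusterIssuer.name is required" .name }}` so a missing name fails the render instead of producing a nameless ClusterIssuer. The `{{- if .acme }}` guard is redundant because `{{- with .acme }}` already skips the block when `.acme` is empty. When `.acme` is unset the template still renders `spec:` with no issuer configuration, which the API server will most likely reject; either mark `.acme` as required or document that ACME is the only issuer type this chart supports.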
@@ -0,0 +1,51 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "common.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "common.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "common.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "common.labels" -}}
+helm.sh/chart: {{ include "common.chart" . }}
+{{ include "common.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "common.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "common.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
\ No newline at end of file
diff --git a/clusters/management-cluster/cert-manager/values.yaml b/clusters/management-cluster/cert-manager/values.yaml
new file mode 100644
index 0000000..398a6f3
--- /dev/null
+++ b/clusters/management-cluster/cert-manager/values.yaml
@@ -0,0 +1,62 @@
+---
+
+# Install Operator Compliance Operator
+# Deploys Operator --> Subscription and Operatorgroup
+# Syncwave: 0
+helper-operator:
+ operators:
+ compliance-operator:
+ enabled: true
+ syncwave: '0'
+ namespace:
+ name: cert-manager-operator
+ create: true
+ subscription:
+ channel: stable-v1
+ approval: Automatic
+ operatorName: openshift-cert-manager-operator
+ source: redhat-operators
+ sourceNamespace: openshift-marketplace
+ operatorgroup:
+ create: true
+ notownnamespace: true
+
+helper-status-checker:
+ enabled: true
+
+ checks:
+ - operatorName: openshift-cert-manager-operator
+ namespace:
+ name: cert-manager-operator
+ serviceAccount:
+ name: "status-checker-cert-manager"
+
+clusterManager:
+ enable_patch: true
+
+ overrideArgs:
+ - '--dns01-recursive-nameservers-only'
+ - --dns01-recursive-nameservers=ns-362.awsdns-45.com:53,ns-930.awsdns-52.net:53
+
+clusterIssuer:
+ enabled: true
+ name: letsencrypt-prod
+ syncwave: 20
+
+ acme:
+ email: tjungbau@redhat.com
+
+ solvers:
+ - dns01:
+ route53:
+ accessKeyIDSecretRef:
+ key: access-key-id
+ name: prod-route53-credentials-secret
+ region: us-west-1
+ secretAccessKeySecretRef:
+ key: secret-access-key
+ name: prod-route53-credentials-secret
+ selector:
+ dnsZones:
+ - aws.ispworld.at
+
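Review bot: The operator entry is keyed `compliance-operator:` and the header comment reads `# Install Operator Compliance Operator`, but the subscription beneath it installs `openshift-cert-manager-operator` into `cert-manager-operator`; the key and comments look copied from another chart. Rename the key to `cert-manager-operator:` (confirm against the helper-operator chart that the key is only used as a map name) and change the comment to `# Install cert-manager Operator`. `approval: Automatic` means InstallPlans for new operator versions are applied without review; if the management cluster needs controlled upgrades, `Manual` with an explicit approval step is the safer setting, and the choice deserves a one-line comment either way. `syncwave: '0'` is quoted while `syncwave: 20` under `clusterIssuer` is not; ClusterIssuer.yaml already pipes `.syncwave` through `quote`, so pick one form for the file.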