From 53a9e0c20f468b12bc010c2aa6a56561ed287296 Mon Sep 17 00:00:00 2001
From: Philip Haupt <“der.mad.mob@gmail.com”>
Date: Wed, 26 Mar 2025 23:29:13 +0100
Subject: [PATCH] webhook netcup

---
 certmanager-netcup/kustomization.yaml     |   7 +
 certmanager-netcup/src/kustomization.yaml |  10 +
 certmanager-netcup/webhook-netcup.yaml    | 313 ++++++++++++++++++++++
 3 files changed, 330 insertions(+)
 create mode 100644 certmanager-netcup/kustomization.yaml
 create mode 100644 certmanager-netcup/src/kustomization.yaml
 create mode 100644 certmanager-netcup/webhook-netcup.yaml

diff --git a/certmanager-netcup/kustomization.yaml b/certmanager-netcup/kustomization.yaml
new file mode 100644
index 0000000..c6fbba5
--- /dev/null
+++ b/certmanager-netcup/kustomization.yaml
@@ -0,0 +1,7 @@
+# argocd/kustomization.yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - webhook-netcup.yaml
+  
\ No newline at end of file
diff --git a/certmanager-netcup/src/kustomization.yaml b/certmanager-netcup/src/kustomization.yaml
new file mode 100644
index 0000000..3522b5e
--- /dev/null
+++ b/certmanager-netcup/src/kustomization.yaml
@@ -0,0 +1,10 @@
+# argocd/kustomization.yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+helmCharts:
+  - name: cert-manager-webhook-netcup
+    repo: https://aellwein.github.io/cert-manager-webhook-netcup/charts/
+    version: 1.0.29
+    releaseName: cert-manager-webhook-netcup
+    namespace: cert-manager
diff --git a/certmanager-netcup/webhook-netcup.yaml b/certmanager-netcup/webhook-netcup.yaml
new file mode 100644
index 0000000..b92ea16
--- /dev/null
+++ b/certmanager-netcup/webhook-netcup.yaml
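Review bot: The header comment `# argocd/kustomization.yaml` in certmanager-netcup/kustomization.yaml names a path that is not this file, and the same copied comment heads certmanager-netcup/src/kustomization.yaml in the next hunk. Either drop it in both files or make it name the file it sits in, e.g. `# certmanager-netcup/kustomization.yaml`. The file also ends in a whitespace-only line with no trailing newline (`\ No newline at end of file`); remove that line so the file ends after `  - webhook-netcup.yaml` with a newline.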
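Review bot: Nothing in certmanager-netcup/src/kustomization.yaml records that it is the source for the committed certmanager-netcup/webhook-netcup.yaml beside it; the rendered file's `chart: cert-manager-webhook-netcup-1.0.29` labels match this `version: 1.0.29`, but a reader has to infer both the pairing and how to regenerate it. A comment above `helmCharts:` such as `# Source for ../webhook-netcup.yaml; re-render with: kustomize build --enable-helm certmanager-netcup/src > certmanager-netcup/webhook-netcup.yaml` would make the update procedure explicit. Since the chart is pinned by version only and the committed rendering is what actually gets applied, a future version bump should be reviewed on the regenerated manifest diff rather than on this file alone.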
@@ -0,0 +1,313 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app: cert-manager-webhook-netcup
+    chart: cert-manager-webhook-netcup-1.0.29
+    heritage: Helm
+    release: cert-manager-webhook-netcup
+  name: cert-manager-webhook-netcup
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: cert-manager-webhook-netcup:secret-reader
+  namespace: cert-manager
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app: cert-manager-webhook-netcup
+    chart: cert-manager-webhook-netcup-1.0.29
+    heritage: Helm
+    release: cert-manager-webhook-netcup
+  name: cert-manager-webhook-netcup:domain-solver
+rules:
+- apiGroups:
+  - com.netcup.webhook
+  resources:
+  - '*'
+  verbs:
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app: cert-manager-webhook-netcup
+    chart: cert-manager-webhook-netcup-1.0.29
+    heritage: Helm
+    release: cert-manager-webhook-netcup
+  name: cert-manager-webhook-netcup:flowcontrol
+rules:
+- apiGroups:
+  - flowcontrol.apiserver.k8s.io
+  resources:
+  - flowschemas
+  - prioritylevelconfigurations
+  verbs:
+  - list
+  - watch
+  - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: cert-manager-webhook-netcup:secret-reader
+  namespace: cert-manager
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: cert-manager-webhook-netcup:secret-reader
+subjects:
+- apiGroup: ""
+  kind: ServiceAccount
+  name: cert-manager-webhook-netcup
+  namespace: cert-manager
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app: cert-manager-webhook-netcup
+    chart: cert-manager-webhook-netcup-1.0.29
+    heritage: Helm
+    release: cert-manager-webhook-netcup
+  name: cert-manager-webhook-netcup:webhook-authentication-reader
+  namespace: kube-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: extension-apiserver-authentication-reader
+subjects:
+- apiGroup: ""
+  kind: ServiceAccount
+  name: cert-manager-webhook-netcup
+  namespace: cert-manager
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app: cert-manager-webhook-netcup
+    chart: cert-manager-webhook-netcup-1.0.29
+    heritage: Helm
+    release: cert-manager-webhook-netcup
+  name: cert-manager-webhook-netcup:auth-delegator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:auth-delegator
+subjects:
+- apiGroup: ""
+  kind: ServiceAccount
+  name: cert-manager-webhook-netcup
+  namespace: cert-manager
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app: cert-manager-webhook-netcup
+    chart: cert-manager-webhook-netcup-1.0.29
+    heritage: Helm
+    release: cert-manager-webhook-netcup
+  name: cert-manager-webhook-netcup:domain-solver
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cert-manager-webhook-netcup:domain-solver
+subjects:
+- apiGroup: ""
+  kind: ServiceAccount
+  name: cert-manager
+  namespace: cert-manager
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app: cert-manager-webhook-netcup
+    chart: cert-manager-webhook-netcup-1.0.29
+    heritage: Helm
+    release: cert-manager-webhook-netcup
+  name: cert-manager-webhook-netcup:flowcontrol
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cert-manager-webhook-netcup:flowcontrol
+subjects:
+- apiGroup: ""
+  kind: ServiceAccount
+  name: cert-manager-webhook-netcup
+  namespace: cert-manager
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: cert-manager-webhook-netcup
+    chart: cert-manager-webhook-netcup-1.0.29
+    heritage: Helm
+    release: cert-manager-webhook-netcup
+  name: cert-manager-webhook-netcup
+spec:
+  ports:
+  - name: https
+    port: 443
+    protocol: TCP
+    targetPort: https
+  selector:
+    app: cert-manager-webhook-netcup
+    release: cert-manager-webhook-netcup
+  type: ClusterIP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: cert-manager-webhook-netcup
+    chart: cert-manager-webhook-netcup-1.0.29
+    heritage: Helm
+    release: cert-manager-webhook-netcup
+  name: cert-manager-webhook-netcup
+spec:
+  replicas: null
+  selector:
+    matchLabels:
+      app: cert-manager-webhook-netcup
+      release: cert-manager-webhook-netcup
+  template:
+    metadata:
+      labels:
+        app: cert-manager-webhook-netcup
+        release: cert-manager-webhook-netcup
+    spec:
+      containers:
+      - args:
+        - --tls-cert-file=/tls/tls.crt
+        - --tls-private-key-file=/tls/tls.key
+        env:
+        - name: GROUP_NAME
+          value: com.netcup.webhook
+        image: ghcr.io/aellwein/cert-manager-webhook-netcup:1.0.29
+        imagePullPolicy: IfNotPresent
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: https
+            scheme: HTTPS
+        name: cert-manager-webhook-netcup
+        ports:
+        - containerPort: 443
+          name: https
+          protocol: TCP
+        readinessProbe:
+          httpGet:
+            path: /healthz
+            port: https
+            scheme: HTTPS
+        resources: {}
+        volumeMounts:
+        - mountPath: /tls
+          name: certs
+          readOnly: true
+      serviceAccountName: cert-manager-webhook-netcup
+      volumes:
+      - name: certs
+        secret:
+          secretName: cert-manager-webhook-netcup-webhook-tls
+---
+apiVersion: apiregistration.k8s.io/v1
+kind: APIService
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from: cert-manager/cert-manager-webhook-netcup-webhook-tls
+  labels:
+    app: cert-manager-webhook-netcup
+    chart: cert-manager-webhook-netcup-1.0.29
+    heritage: Helm
+    release: cert-manager-webhook-netcup
+  name: v1alpha1.com.netcup.webhook
+spec:
+  group: com.netcup.webhook
+  groupPriorityMinimum: 1000
+  service:
+    name: cert-manager-webhook-netcup
+    namespace: cert-manager
+  version: v1alpha1
+  versionPriority: 15
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  labels:
+    app: cert-manager-webhook-netcup
+    chart: cert-manager-webhook-netcup-1.0.29
+    heritage: Helm
+    release: cert-manager-webhook-netcup
+  name: cert-manager-webhook-netcup-ca
+  namespace: cert-manager
+spec:
+  commonName: ca.cert-manager-webhook-netcup.cert-manager
+  duration: 43800h
+  isCA: true
+  issuerRef:
+    name: cert-manager-webhook-netcup-selfsign
+  secretName: cert-manager-webhook-netcup-ca
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  labels:
+    app: cert-manager-webhook-netcup
+    chart: cert-manager-webhook-netcup-1.0.29
+    heritage: Helm
+    release: cert-manager-webhook-netcup
+  name: cert-manager-webhook-netcup-webhook-tls
+  namespace: cert-manager
+spec:
+  dnsNames:
+  - cert-manager-webhook-netcup
+  - cert-manager-webhook-netcup.cert-manager
+  - cert-manager-webhook-netcup.cert-manager.svc
+  duration: 8760h
+  issuerRef:
+    name: cert-manager-webhook-netcup-ca
+  secretName: cert-manager-webhook-netcup-webhook-tls
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  labels:
+    app: cert-manager-webhook-netcup
+    chart: cert-manager-webhook-netcup-1.0.29
+    heritage: Helm
+    release: cert-manager-webhook-netcup
+  name: cert-manager-webhook-netcup-ca
+  namespace: cert-manager
+spec:
+  ca:
+    secretName: cert-manager-webhook-netcup-ca
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  labels:
+    app: cert-manager-webhook-netcup
+    chart: cert-manager-webhook-netcup-1.0.29
+    heritage: Helm
+    release: cert-manager-webhook-netcup
+  name: cert-manager-webhook-netcup-selfsign
+  namespace: cert-manager
+spec:
+  selfSigned: {}
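Review bot: The ServiceAccount, Service and Deployment in this hunk carry no `metadata.namespace`, while every RoleBinding subject, the APIService `service.namespace`, the `inject-ca-from` annotation and the Certificate dnsNames hard-code `cert-manager`, and the sibling certmanager-netcup/kustomization.yaml sets no `namespace:` either; applied from a context whose default namespace differs, those three objects land elsewhere and the bindings and APIService point at a ServiceAccount and Service that do not exist in `cert-manager`. Add `namespace: cert-manager` under `metadata:` of those three documents, or set `namespace: cert-manager` once in the kustomization. The `cert-manager-webhook-netcup:secret-reader` Role grants `get`/`watch` on every Secret in `cert-manager`, which is also where this file stores the webhook's own CA key (`cert-manager-webhook-netcup-ca`) and serving key; if the webhook only needs its DNS API credentials, narrow the rule with `resourceNames: [<netcup-credentials-secret-name>]` (placeholder — that secret's name is not in this patch). The container also has `resources: {}` and no `securityContext`; a kustomize patch adding `runAsNonRoot: true`, `readOnlyRootFilesystem: true` and `capabilities: {drop: [ALL]}` plus memory/CPU limits would harden the rendered chart without editing the generated file by hand.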