From 69af137e5e24f11c74733625d49c09bd8a45aefe Mon Sep 17 00:00:00 2001
From: Philip Haupt <“der.mad.mob@gmail.com”>
Date: Sun, 9 Nov 2025 15:44:08 +0100
Subject: [PATCH] move certmanager-netcup

---
 certmanager-netcup/README.md | 5 -
 certmanager-netcup/kustomization.yaml | 7 -
 certmanager-netcup/main.yaml | 315 -----------------
 certmanager-netcup/src/kustomization.yaml | 11 -
 certmanager/main.yaml | 317 ++++++++++++++++++
 certmanager/src/kustomization.yaml | 7 +
 .../src/values-netcup.yaml | 0
 7 files changed, 324 insertions(+), 338 deletions(-)
 delete mode 100644 certmanager-netcup/README.md
 delete mode 100644 certmanager-netcup/kustomization.yaml
 delete mode 100644 certmanager-netcup/main.yaml
 delete mode 100644 certmanager-netcup/src/kustomization.yaml
 rename certmanager-netcup/src/values.yaml => certmanager/src/values-netcup.yaml (100%)

diff --git a/certmanager-netcup/README.md b/certmanager-netcup/README.md
deleted file mode 100644
index 134779e..0000000
--- a/certmanager-netcup/README.md
+++ /dev/null
@@ -1,5 +0,0 @@
-# cert-manager webhook netcup
-
-
-
-das RoleBinding in rb.yaml muss manuell applyt werden.
diff --git a/certmanager-netcup/kustomization.yaml b/certmanager-netcup/kustomization.yaml
deleted file mode 100644
index 248a2a7..0000000
--- a/certmanager-netcup/kustomization.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-# argocd/kustomization.yaml
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
- - main.yaml
-
\ No newline at end of file
diff --git a/certmanager-netcup/main.yaml b/certmanager-netcup/main.yaml
deleted file mode 100644
index 3a4871b..0000000
--- a/certmanager-netcup/main.yaml
+++ /dev/null
@@ -1,315 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app: cert-manager-webhook-netcup - chart: cert-manager-webhook-netcup-1.0.34 - heritage: Helm - release: cert-manager-webhook-netcup - name: cert-manager-webhook-netcup - namespace: cert-manager ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: cert-manager-webhook-netcup:secret-reader - namespace: cert-manager -rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: cert-manager-webhook-netcup - chart: cert-manager-webhook-netcup-1.0.34 - heritage: Helm - release: cert-manager-webhook-netcup - name: cert-manager-webhook-netcup:domain-solver -rules: -- apiGroups: - - com.netcup.webhook - resources: - - '*' - verbs: - - create ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: cert-manager-webhook-netcup - chart: cert-manager-webhook-netcup-1.0.34 - heritage: Helm - release: cert-manager-webhook-netcup - name: cert-manager-webhook-netcup:flowcontrol -rules: -- apiGroups: - - flowcontrol.apiserver.k8s.io - resources: - - flowschemas - - prioritylevelconfigurations - verbs: - - list - - watch - - get ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: cert-manager-webhook-netcup:secret-reader - namespace: cert-manager -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: cert-manager-webhook-netcup:secret-reader -subjects: -- apiGroup: "" - kind: ServiceAccount - name: cert-manager-webhook-netcup - namespace: cert-manager ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - labels: - app: cert-manager-webhook-netcup - chart: cert-manager-webhook-netcup-1.0.34 - heritage: Helm - release: cert-manager-webhook-netcup - name: cert-manager-webhook-netcup:webhook-authentication-reader - namespace: kube-system -roleRef: - apiGroup: 
rbac.authorization.k8s.io - kind: Role - name: extension-apiserver-authentication-reader -subjects: -- apiGroup: "" - kind: ServiceAccount - name: cert-manager-webhook-netcup ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app: cert-manager-webhook-netcup - chart: cert-manager-webhook-netcup-1.0.34 - heritage: Helm - release: cert-manager-webhook-netcup - name: cert-manager-webhook-netcup:auth-delegator -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:auth-delegator -subjects: -- apiGroup: "" - kind: ServiceAccount - name: cert-manager-webhook-netcup - namespace: cert-manager ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app: cert-manager-webhook-netcup - chart: cert-manager-webhook-netcup-1.0.34 - heritage: Helm - release: cert-manager-webhook-netcup - name: cert-manager-webhook-netcup:domain-solver -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cert-manager-webhook-netcup:domain-solver -subjects: -- apiGroup: "" - kind: ServiceAccount - name: cert-manager - namespace: cert-manager ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app: cert-manager-webhook-netcup - chart: cert-manager-webhook-netcup-1.0.34 - heritage: Helm - release: cert-manager-webhook-netcup - name: cert-manager-webhook-netcup:flowcontrol -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cert-manager-webhook-netcup:flowcontrol -subjects: -- apiGroup: "" - kind: ServiceAccount - name: cert-manager-webhook-netcup - namespace: cert-manager ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app: cert-manager-webhook-netcup - chart: cert-manager-webhook-netcup-1.0.34 - heritage: Helm - release: cert-manager-webhook-netcup - name: cert-manager-webhook-netcup - namespace: cert-manager -spec: - ports: - - name: https - port: 443 - protocol: TCP - targetPort: https - 
selector: - app: cert-manager-webhook-netcup - release: cert-manager-webhook-netcup - type: ClusterIP ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: cert-manager-webhook-netcup - chart: cert-manager-webhook-netcup-1.0.34 - heritage: Helm - release: cert-manager-webhook-netcup - name: cert-manager-webhook-netcup - namespace: cert-manager -spec: - replicas: null - selector: - matchLabels: - app: cert-manager-webhook-netcup - release: cert-manager-webhook-netcup - template: - metadata: - labels: - app: cert-manager-webhook-netcup - release: cert-manager-webhook-netcup - spec: - containers: - - args: - - --tls-cert-file=/tls/tls.crt - - --tls-private-key-file=/tls/tls.key - env: - - name: GROUP_NAME - value: com.netcup.webhook - image: ghcr.io/aellwein/cert-manager-webhook-netcup:1.0.34 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /healthz - port: https - scheme: HTTPS - name: cert-manager-webhook-netcup - ports: - - containerPort: 443 - name: https - protocol: TCP - readinessProbe: - httpGet: - path: /healthz - port: https - scheme: HTTPS - resources: {} - volumeMounts: - - mountPath: /tls - name: certs - readOnly: true - serviceAccountName: cert-manager-webhook-netcup - volumes: - - name: certs - secret: - secretName: cert-manager-webhook-netcup-webhook-tls ---- -apiVersion: apiregistration.k8s.io/v1 -kind: APIService -metadata: - annotations: - cert-manager.io/inject-ca-from: cert-manager/cert-manager-webhook-netcup-webhook-tls - labels: - app: cert-manager-webhook-netcup - chart: cert-manager-webhook-netcup-1.0.34 - heritage: Helm - release: cert-manager-webhook-netcup - name: v1alpha1.com.netcup.webhook -spec: - group: com.netcup.webhook - groupPriorityMinimum: 1000 - service: - name: cert-manager-webhook-netcup - namespace: cert-manager - version: v1alpha1 - versionPriority: 15 ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - labels: - app: cert-manager-webhook-netcup - chart: 
cert-manager-webhook-netcup-1.0.34 - heritage: Helm - release: cert-manager-webhook-netcup - name: cert-manager-webhook-netcup-ca - namespace: cert-manager -spec: - commonName: ca.cert-manager-webhook-netcup.cert-manager - duration: 43800h - isCA: true - issuerRef: - name: cert-manager-webhook-netcup-selfsign - secretName: cert-manager-webhook-netcup-ca ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - labels: - app: cert-manager-webhook-netcup - chart: cert-manager-webhook-netcup-1.0.34 - heritage: Helm - release: cert-manager-webhook-netcup - name: cert-manager-webhook-netcup-webhook-tls - namespace: cert-manager -spec: - dnsNames: - - cert-manager-webhook-netcup - - cert-manager-webhook-netcup.cert-manager - - cert-manager-webhook-netcup.cert-manager.svc - duration: 8760h - issuerRef: - name: cert-manager-webhook-netcup-ca - secretName: cert-manager-webhook-netcup-webhook-tls ---- -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - labels: - app: cert-manager-webhook-netcup - chart: cert-manager-webhook-netcup-1.0.34 - heritage: Helm - release: cert-manager-webhook-netcup - name: cert-manager-webhook-netcup-ca - namespace: cert-manager -spec: - ca: - secretName: cert-manager-webhook-netcup-ca ---- -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - labels: - app: cert-manager-webhook-netcup - chart: cert-manager-webhook-netcup-1.0.34 - heritage: Helm - release: cert-manager-webhook-netcup - name: cert-manager-webhook-netcup-selfsign - namespace: cert-manager -spec: - selfSigned: {} diff --git a/certmanager-netcup/src/kustomization.yaml b/certmanager-netcup/src/kustomization.yaml deleted file mode 100644 index 0549a78..0000000 --- a/certmanager-netcup/src/kustomization.yaml +++ /dev/null 
@@ -1,11 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization - -helmCharts: - - name: cert-manager-webhook-netcup - repo: https://aellwein.github.io/cert-manager-webhook-netcup/charts/ - version: 1.0.34 - releaseName: cert-manager-webhook-netcup - namespace: cert-manager - valuesFile: values.yaml diff --git a/certmanager/main.yaml b/certmanager/main.yaml index 1545fc3..e1d6c02 100644 --- a/certmanager/main.yaml +++ b/certmanager/main.yaml @@ -13141,6 +13141,17 @@ metadata: name: cert-manager-webhook namespace: cert-manager --- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: cert-manager-webhook-netcup + chart: cert-manager-webhook-netcup-1.0.34 + heritage: Helm + release: cert-manager-webhook-netcup + name: cert-manager-webhook-netcup + namespace: cert-manager +--- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -13223,6 +13234,20 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role +metadata: + name: cert-manager-webhook-netcup:secret-reader + namespace: cert-manager +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role metadata: labels: app: webhook 
@@ -13942,6 +13967,43 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole +metadata: + labels: + app: cert-manager-webhook-netcup + chart: cert-manager-webhook-netcup-1.0.34 + heritage: Helm + release: cert-manager-webhook-netcup + name: cert-manager-webhook-netcup:domain-solver +rules: +- apiGroups: + - com.netcup.webhook + resources: + - '*' + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: cert-manager-webhook-netcup + chart: cert-manager-webhook-netcup-1.0.34 + heritage: Helm + release: cert-manager-webhook-netcup + name: cert-manager-webhook-netcup:flowcontrol +rules: +- apiGroups: + - flowcontrol.apiserver.k8s.io + resources: + - flowschemas + - prioritylevelconfigurations + verbs: + - list + - watch + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole metadata: labels: app: webhook @@ -14032,6 +14094,21 @@ subjects: --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding +metadata: + name: cert-manager-webhook-netcup:secret-reader + namespace: cert-manager +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cert-manager-webhook-netcup:secret-reader +subjects: +- apiGroup: "" + kind: ServiceAccount + name: cert-manager-webhook-netcup + namespace: cert-manager +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding metadata: labels: app: webhook 
@@ -14075,6 +14152,26 @@ subjects: namespace: cert-manager --- apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app: cert-manager-webhook-netcup + chart: cert-manager-webhook-netcup-1.0.34 + heritage: Helm + release: cert-manager-webhook-netcup + name: cert-manager-webhook-netcup:webhook-authentication-reader + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: extension-apiserver-authentication-reader +subjects: +- apiGroup: "" + kind: ServiceAccount + name: cert-manager-webhook-netcup + namespace: cert-manager +--- +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: 
@@ -14265,6 +14362,63 @@ subjects: --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding +metadata: + labels: + app: cert-manager-webhook-netcup + chart: cert-manager-webhook-netcup-1.0.34 + heritage: Helm + release: cert-manager-webhook-netcup + name: cert-manager-webhook-netcup:auth-delegator +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:auth-delegator +subjects: +- apiGroup: "" + kind: ServiceAccount + name: cert-manager-webhook-netcup + namespace: cert-manager +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: cert-manager-webhook-netcup + chart: cert-manager-webhook-netcup-1.0.34 + heritage: Helm + release: cert-manager-webhook-netcup + name: cert-manager-webhook-netcup:domain-solver +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cert-manager-webhook-netcup:domain-solver +subjects: +- apiGroup: "" + kind: ServiceAccount + name: cert-manager + namespace: cert-manager +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: cert-manager-webhook-netcup + chart: cert-manager-webhook-netcup-1.0.34 + heritage: Helm + release: cert-manager-webhook-netcup + name: cert-manager-webhook-netcup:flowcontrol +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cert-manager-webhook-netcup:flowcontrol +subjects: +- apiGroup: "" + kind: ServiceAccount + name: cert-manager-webhook-netcup + namespace: cert-manager +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding metadata: labels: app: webhook 
@@ -14362,6 +14516,27 @@ spec: app.kubernetes.io/name: webhook type: ClusterIP --- +apiVersion: v1 +kind: Service +metadata: + labels: + app: cert-manager-webhook-netcup + chart: cert-manager-webhook-netcup-1.0.34 + heritage: Helm + release: cert-manager-webhook-netcup + name: cert-manager-webhook-netcup + namespace: cert-manager +spec: + ports: + - name: https + port: 443 + protocol: TCP + targetPort: https + selector: + app: cert-manager-webhook-netcup + release: cert-manager-webhook-netcup + type: ClusterIP +--- apiVersion: apps/v1 kind: Deployment metadata: 
@@ -14607,6 +14782,83 @@ spec: type: RuntimeDefault serviceAccountName: cert-manager-webhook --- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: cert-manager-webhook-netcup + chart: cert-manager-webhook-netcup-1.0.34 + heritage: Helm + release: cert-manager-webhook-netcup + name: cert-manager-webhook-netcup + namespace: cert-manager +spec: + replicas: null + selector: + matchLabels: + app: cert-manager-webhook-netcup + release: cert-manager-webhook-netcup + template: + metadata: + labels: + app: cert-manager-webhook-netcup + release: cert-manager-webhook-netcup + spec: + containers: + - args: + - --tls-cert-file=/tls/tls.crt + - --tls-private-key-file=/tls/tls.key + env: + - name: GROUP_NAME + value: com.netcup.webhook + image: ghcr.io/aellwein/cert-manager-webhook-netcup:1.0.34 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: https + scheme: HTTPS + name: cert-manager-webhook-netcup + ports: + - containerPort: 443 + name: https + protocol: TCP + readinessProbe: + httpGet: + path: /healthz + port: https + scheme: HTTPS + resources: {} + volumeMounts: + - mountPath: /tls + name: certs + readOnly: true + serviceAccountName: cert-manager-webhook-netcup + volumes: + - name: certs + secret: + secretName: cert-manager-webhook-netcup-webhook-tls +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + annotations: + cert-manager.io/inject-ca-from: cert-manager/cert-manager-webhook-netcup-webhook-tls + labels: + app: cert-manager-webhook-netcup + chart: cert-manager-webhook-netcup-1.0.34 + heritage: Helm + release: cert-manager-webhook-netcup + name: v1alpha1.com.netcup.webhook +spec: + group: com.netcup.webhook + groupPriorityMinimum: 1000 + service: + name: cert-manager-webhook-netcup + namespace: cert-manager + version: v1alpha1 + versionPriority: 15 +--- apiVersion: batch/v1 kind: Job metadata: 
@@ -14667,6 +14919,71 @@ spec: type: RuntimeDefault serviceAccountName: cert-manager-startupapicheck --- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + app: cert-manager-webhook-netcup + chart: cert-manager-webhook-netcup-1.0.34 + heritage: Helm + release: cert-manager-webhook-netcup + name: cert-manager-webhook-netcup-ca + namespace: cert-manager +spec: + commonName: ca.cert-manager-webhook-netcup.cert-manager + duration: 43800h + isCA: true + issuerRef: + name: cert-manager-webhook-netcup-selfsign + secretName: cert-manager-webhook-netcup-ca +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + app: cert-manager-webhook-netcup + chart: cert-manager-webhook-netcup-1.0.34 + heritage: Helm + release: cert-manager-webhook-netcup + name: cert-manager-webhook-netcup-webhook-tls + namespace: cert-manager +spec: + dnsNames: + - cert-manager-webhook-netcup + - cert-manager-webhook-netcup.cert-manager + - cert-manager-webhook-netcup.cert-manager.svc + duration: 8760h + issuerRef: + name: cert-manager-webhook-netcup-ca + secretName: cert-manager-webhook-netcup-webhook-tls +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + labels: + app: cert-manager-webhook-netcup + chart: cert-manager-webhook-netcup-1.0.34 + heritage: Helm + release: cert-manager-webhook-netcup + name: cert-manager-webhook-netcup-ca + namespace: cert-manager +spec: + ca: + secretName: cert-manager-webhook-netcup-ca +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + labels: + app: cert-manager-webhook-netcup + chart: cert-manager-webhook-netcup-1.0.34 + heritage: Helm + release: cert-manager-webhook-netcup + name: cert-manager-webhook-netcup-selfsign + namespace: cert-manager +spec: + selfSigned: {} +--- apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: diff --git a/certmanager/src/kustomization.yaml b/certmanager/src/kustomization.yaml index 45d2d4e..b822299 100644 
--- a/certmanager/src/kustomization.yaml
+++ b/certmanager/src/kustomization.yaml
@@ -9,3 +9,10 @@ helmCharts:
 releaseName: cert-manager
 namespace: cert-manager
 valuesFile: values.yaml
+
+ - name: cert-manager-webhook-netcup
+ repo: https://aellwein.github.io/cert-manager-webhook-netcup/charts/
+ version: 1.0.34
+ releaseName: cert-manager-webhook-netcup
+ namespace: cert-manager
+ valuesFile: values-netcup.yaml
diff --git a/certmanager-netcup/src/values.yaml b/certmanager/src/values-netcup.yaml
similarity index 100%
rename from certmanager-netcup/src/values.yaml
rename to certmanager/src/values-netcup.yaml
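Review bot: The Deployment rendered from the `cert-manager-webhook-netcup` chart entry added here has no `securityContext` and `resources: {}` in `certmanager/main.yaml` (same commit), while the neighbouring cert-manager workloads shown as context there set `seccompProfile` `type: RuntimeDefault`. This matters because the pod's ServiceAccount is bound to the `cert-manager-webhook-netcup:secret-reader` Role, which grants `get`/`watch` on all Secrets in the `cert-manager` namespace with no `resourceNames` restriction. `main.yaml` appears to be rendered Helm output, so the change belongs in this kustomization: through the chart's values if it exposes such settings, or through a Kustomize patch like the one below. Dropping capabilities or setting `runAsNonRoot` should first be checked against the container's bind to port 443, and because the `helmCharts` list begins above the hunk, confirm the file has no existing `patches:` key before adding one.

```yaml
# … unchanged: helmCharts entries for cert-manager and cert-manager-webhook-netcup …

patches:
  - target:
      kind: Deployment
      name: cert-manager-webhook-netcup
    patch: |-
      - op: add
        path: /spec/template/spec/securityContext
        value:
          seccompProfile:
            type: RuntimeDefault
      - op: add
        path: /spec/template/spec/containers/0/securityContext
        value:
          allowPrivilegeEscalation: false
```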