move certmanager-netcup

certmanager/main.yaml

@@ -13141,6 +13141,17 @@ metadata:
   name: cert-manager-webhook
   namespace: cert-manager
 ---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app: cert-manager-webhook-netcup
+    chart: cert-manager-webhook-netcup-1.0.34
+    heritage: Helm
+    release: cert-manager-webhook-netcup
+  name: cert-manager-webhook-netcup
+  namespace: cert-manager
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@@ -13223,6 +13234,20 @@ rules:
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
+metadata:
+  name: cert-manager-webhook-netcup:secret-reader
+  namespace: cert-manager
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
 metadata:
   labels:
     app: webhook
@@ -13942,6 +13967,43 @@ rules:
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
+metadata:
+  labels:
+    app: cert-manager-webhook-netcup
+    chart: cert-manager-webhook-netcup-1.0.34
+    heritage: Helm
+    release: cert-manager-webhook-netcup
+  name: cert-manager-webhook-netcup:domain-solver
+rules:
+- apiGroups:
+  - com.netcup.webhook
+  resources:
+  - '*'
+  verbs:
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app: cert-manager-webhook-netcup
+    chart: cert-manager-webhook-netcup-1.0.34
+    heritage: Helm
+    release: cert-manager-webhook-netcup
+  name: cert-manager-webhook-netcup:flowcontrol
+rules:
+- apiGroups:
+  - flowcontrol.apiserver.k8s.io
+  resources:
+  - flowschemas
+  - prioritylevelconfigurations
+  verbs:
+  - list
+  - watch
+  - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
 metadata:
   labels:
     app: webhook
@@ -14032,6 +14094,21 @@ subjects:
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
+metadata:
+  name: cert-manager-webhook-netcup:secret-reader
+  namespace: cert-manager
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: cert-manager-webhook-netcup:secret-reader
+subjects:
+- apiGroup: ""
+  kind: ServiceAccount
+  name: cert-manager-webhook-netcup
+  namespace: cert-manager
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
 metadata:
   labels:
     app: webhook
@@ -14075,6 +14152,26 @@ subjects:
   namespace: cert-manager
 ---
 apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app: cert-manager-webhook-netcup
+    chart: cert-manager-webhook-netcup-1.0.34
+    heritage: Helm
+    release: cert-manager-webhook-netcup
+  name: cert-manager-webhook-netcup:webhook-authentication-reader
+  namespace: kube-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: extension-apiserver-authentication-reader
+subjects:
+- apiGroup: ""
+  kind: ServiceAccount
+  name: cert-manager-webhook-netcup
+  namespace: cert-manager
+---
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
@@ -14265,6 +14362,63 @@ subjects:
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
+metadata:
+  labels:
+    app: cert-manager-webhook-netcup
+    chart: cert-manager-webhook-netcup-1.0.34
+    heritage: Helm
+    release: cert-manager-webhook-netcup
+  name: cert-manager-webhook-netcup:auth-delegator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:auth-delegator
+subjects:
+- apiGroup: ""
+  kind: ServiceAccount
+  name: cert-manager-webhook-netcup
+  namespace: cert-manager
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app: cert-manager-webhook-netcup
+    chart: cert-manager-webhook-netcup-1.0.34
+    heritage: Helm
+    release: cert-manager-webhook-netcup
+  name: cert-manager-webhook-netcup:domain-solver
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cert-manager-webhook-netcup:domain-solver
+subjects:
+- apiGroup: ""
+  kind: ServiceAccount
+  name: cert-manager
+  namespace: cert-manager
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app: cert-manager-webhook-netcup
+    chart: cert-manager-webhook-netcup-1.0.34
+    heritage: Helm
+    release: cert-manager-webhook-netcup
+  name: cert-manager-webhook-netcup:flowcontrol
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cert-manager-webhook-netcup:flowcontrol
+subjects:
+- apiGroup: ""
+  kind: ServiceAccount
+  name: cert-manager-webhook-netcup
+  namespace: cert-manager
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
 metadata:
   labels:
     app: webhook
@@ -14362,6 +14516,27 @@ spec:
     app.kubernetes.io/name: webhook
   type: ClusterIP
 ---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: cert-manager-webhook-netcup
+    chart: cert-manager-webhook-netcup-1.0.34
+    heritage: Helm
+    release: cert-manager-webhook-netcup
+  name: cert-manager-webhook-netcup
+  namespace: cert-manager
+spec:
+  ports:
+  - name: https
+    port: 443
+    protocol: TCP
+    targetPort: https
+  selector:
+    app: cert-manager-webhook-netcup
+    release: cert-manager-webhook-netcup
+  type: ClusterIP
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -14607,6 +14782,83 @@ spec:
           type: RuntimeDefault
       serviceAccountName: cert-manager-webhook
 ---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: cert-manager-webhook-netcup
+    chart: cert-manager-webhook-netcup-1.0.34
+    heritage: Helm
+    release: cert-manager-webhook-netcup
+  name: cert-manager-webhook-netcup
+  namespace: cert-manager
+spec:
+  replicas: null
+  selector:
+    matchLabels:
+      app: cert-manager-webhook-netcup
+      release: cert-manager-webhook-netcup
+  template:
+    metadata:
+      labels:
+        app: cert-manager-webhook-netcup
+        release: cert-manager-webhook-netcup
+    spec:
+      containers:
+      - args:
+        - --tls-cert-file=/tls/tls.crt
+        - --tls-private-key-file=/tls/tls.key
+        env:
+        - name: GROUP_NAME
+          value: com.netcup.webhook
+        image: ghcr.io/aellwein/cert-manager-webhook-netcup:1.0.34
+        imagePullPolicy: IfNotPresent
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: https
+            scheme: HTTPS
+        name: cert-manager-webhook-netcup
+        ports:
+        - containerPort: 443
+          name: https
+          protocol: TCP
+        readinessProbe:
+          httpGet:
+            path: /healthz
+            port: https
+            scheme: HTTPS
+        resources: {}
+        volumeMounts:
+        - mountPath: /tls
+          name: certs
+          readOnly: true
+      serviceAccountName: cert-manager-webhook-netcup
+      volumes:
+      - name: certs
+        secret:
+          secretName: cert-manager-webhook-netcup-webhook-tls
+---
+apiVersion: apiregistration.k8s.io/v1
+kind: APIService
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from: cert-manager/cert-manager-webhook-netcup-webhook-tls
+  labels:
+    app: cert-manager-webhook-netcup
+    chart: cert-manager-webhook-netcup-1.0.34
+    heritage: Helm
+    release: cert-manager-webhook-netcup
+  name: v1alpha1.com.netcup.webhook
+spec:
+  group: com.netcup.webhook
+  groupPriorityMinimum: 1000
+  service:
+    name: cert-manager-webhook-netcup
+    namespace: cert-manager
+  version: v1alpha1
+  versionPriority: 15
+---
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -14667,6 +14919,71 @@ spec:
           type: RuntimeDefault
       serviceAccountName: cert-manager-startupapicheck
 ---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  labels:
+    app: cert-manager-webhook-netcup
+    chart: cert-manager-webhook-netcup-1.0.34
+    heritage: Helm
+    release: cert-manager-webhook-netcup
+  name: cert-manager-webhook-netcup-ca
+  namespace: cert-manager
+spec:
+  commonName: ca.cert-manager-webhook-netcup.cert-manager
+  duration: 43800h
+  isCA: true
+  issuerRef:
+    name: cert-manager-webhook-netcup-selfsign
+  secretName: cert-manager-webhook-netcup-ca
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  labels:
+    app: cert-manager-webhook-netcup
+    chart: cert-manager-webhook-netcup-1.0.34
+    heritage: Helm
+    release: cert-manager-webhook-netcup
+  name: cert-manager-webhook-netcup-webhook-tls
+  namespace: cert-manager
+spec:
+  dnsNames:
+  - cert-manager-webhook-netcup
+  - cert-manager-webhook-netcup.cert-manager
+  - cert-manager-webhook-netcup.cert-manager.svc
+  duration: 8760h
+  issuerRef:
+    name: cert-manager-webhook-netcup-ca
+  secretName: cert-manager-webhook-netcup-webhook-tls
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  labels:
+    app: cert-manager-webhook-netcup
+    chart: cert-manager-webhook-netcup-1.0.34
+    heritage: Helm
+    release: cert-manager-webhook-netcup
+  name: cert-manager-webhook-netcup-ca
+  namespace: cert-manager
+spec:
+  ca:
+    secretName: cert-manager-webhook-netcup-ca
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  labels:
+    app: cert-manager-webhook-netcup
+    chart: cert-manager-webhook-netcup-1.0.34
+    heritage: Helm
+    release: cert-manager-webhook-netcup
+  name: cert-manager-webhook-netcup-selfsign
+  namespace: cert-manager
+spec:
+  selfSigned: {}
+---
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:

certmanager/src/kustomization.yaml

@@ -9,3 +9,10 @@ helmCharts:
     releaseName: cert-manager
     namespace: cert-manager
     valuesFile: values.yaml
+
+  - name: cert-manager-webhook-netcup
+    repo: https://aellwein.github.io/cert-manager-webhook-netcup/charts/
+    version: 1.0.34
+    releaseName: cert-manager-webhook-netcup
+    namespace: cert-manager
+    valuesFile: values-netcup.yaml

certmanager/src/values-netcup.yaml

@@ -0,0 +1,49 @@
+# The GroupName here is used to identify your company or business unit that
+# created this webhook.
+# For example, this may be "acme.mycompany.com".
+# This name will need to be referenced in each Issuer's `webhook` stanza to
+# inform cert-manager of where to send ChallengePayload resources in order to
+# solve the DNS01 challenge.
+# This group name should be **unique**, hence using your own company's domain
+# here is recommended.
+
+groupName: com.netcup.webhook
+
+certManager:
+  namespace: cert-manager
+  serviceAccountName: cert-manager
+
+image:
+  repository: ghcr.io/aellwein/cert-manager-webhook-netcup
+  # set version here for upcoming release
+  tag: 1.0.34
+  # sha hash can be used to specify image version, instead of tag
+  hash: ""
+  pullPolicy: IfNotPresent
+
+nameOverride: ""
+fullnameOverride: ""
+
+service:
+  type: ClusterIP
+  port: 443
+
+resources:
+  {}
+  # We usually recommend not to specify default resources and to leave this as a conscious
+  # choice for the user. This also increases chances charts run on environments with little
+  # resources, such as Minikube. If you do want to specify resources, uncomment the following
+  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+  # limits:
+  #  cpu: 100m
+  #  memory: 128Mi
+  # requests:
+  #  cpu: 100m
+  #  memory: 128Mi
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
+