diff --git a/charts/Makefile b/charts/Makefile
index 39844abbf..40c6945d9 100644
--- a/charts/Makefile
+++ b/charts/Makefile
@@ -4,7 +4,7 @@ REPO_BASE_DIR := $(shell git rev-parse --show-toplevel)
 include ${REPO_BASE_DIR}/scripts/common.Makefile
 include $(REPO_CONFIG_LOCATION)
-CONFIG_DIR := $(shell dirname $(REPO_CONFIG_LOCATION))
+export CONFIG_DIR := $(shell dirname $(REPO_CONFIG_LOCATION))
 CHART_DIRS := $(wildcard $(REPO_BASE_DIR)/charts/*/)
 .PHONY: .check-helmfile-installed
diff --git a/charts/cert-manager/values.acme-dns.yaml.gotmpl b/charts/cert-manager/values.acme-dns.yaml.gotmpl
new file mode 100644
index 000000000..5fcd0d60f
--- /dev/null
+++ b/charts/cert-manager/values.acme-dns.yaml.gotmpl
@@ -0,0 +1,40 @@
+cert-manager:
+  extraArgs:
+  - --dns01-recursive-nameservers="8.8.8.8:53"
+  - --dns01-recursive-nameservers-only
+  startupapicheck:
+    enabled: false
+  skipDNSResolutionCheck: true
+  maxConcurrentChallenges: 2
+  extraObjects:
+  - |
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: acme-dns-secret
+      namespace: {{ .Release.Namespace }} # secret must be in same namespace as Cert Manager deployment
+    type: Opaque
+    stringData:
+{{ $configDir := requiredEnv "CONFIG_DIR" }}
+      acmedns.json: |
+{{ readFile (printf "%s/lego-acme-accounts/acme-dns-accounts.json" $configDir) | indent 8 }}
+  - |
+    apiVersion: cert-manager.io/v1
+    kind: ClusterIssuer
+    metadata:
+      name: cert-issuer
+      namespace: {{ .Release.Namespace }}
+    spec:
+      acme:
+        email: {{ requiredEnv "OSPARC_DEVOPS_MAIL_ADRESS" }}
+        server: {{ requiredEnv "DNS_CHALLENGE_ACME_SERVER" }}
+        privateKeySecretRef:
+          name: cert-manager-acme-private-key
+        solvers:
+        - dns01:
+            cnameStrategy: Follow
+            acmeDNS:
+              accountSecretRef:
+                name: acme-dns-secret
+                key: acmedns.json
+              host: {{ requiredEnv "ACME_DNS_API_BASE" }}
diff --git a/charts/cert-manager/values.common.yaml.gotmpl b/charts/cert-manager/values.common.yaml.gotmpl
index ba7971087..6affd24ae 100644
--- a/charts/cert-manager/values.common.yaml.gotmpl
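Review bot: `export CONFIG_DIR := $(shell dirname $(REPO_CONFIG_LOCATION))` now feeds `requiredEnv "CONFIG_DIR"` in the helmfile templates, but if `REPO_CONFIG_LOCATION` is empty or unset, `dirname ''` prints `.`, so CONFIG_DIR silently becomes the current directory and the `requiredEnv` guard in the templates still passes while `readFile` then looks for the accounts file in the wrong place. A parse-time check before the assignment keeps that from reaching helmfile: `$(if $(strip $(REPO_CONFIG_LOCATION)),,$(error REPO_CONFIG_LOCATION is not set))`. Presumably `REPO_CONFIG_LOCATION` comes from `scripts/common.Makefile` or the environment, both outside this diff, so whether it can actually be empty here is inferred.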
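Review bot: The first `extraArgs` entry, `--dns01-recursive-nameservers="8.8.8.8:53"`, passes the double quotes to cert-manager literally: the YAML scalar starts with `-`, so the quotes are part of the string, and Kubernetes hands container args to the binary without a shell to strip them, so the nameserver value becomes `"8.8.8.8:53"` rather than `8.8.8.8:53`. Drop them: `- --dns01-recursive-nameservers=8.8.8.8:53`. Separately, `readFile` inlines the whole acme-dns account file (presumably credentials for the DNS update API) into a Helm value, so besides the `acme-dns-secret` Secret it also lands in the stored release values; a comment such as `# NOTE: the acme-dns account file is embedded in the release values as well as in the Secret` would make that trade-off explicit, or reference a pre-created Secret by name if that exposure is not acceptable. The `helm.sh/hook` annotations that the rfc2136 variant used to sequence the ClusterIssuer after the CRDs are absent here; if CRD ordering is handled elsewhere, a comment saying so would help the next reader. The ClusterIssuer's `namespace:` field is ignored for a cluster-scoped resource, as it was in the file this replaces.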
+++ b/charts/cert-manager/values.common.yaml.gotmpl
@@ -8,3 +8,8 @@ cert-manager:
   webhook:
     securePort: 10250
+  cainjector:
+    replicaCount: 1
+  replicaCount: 1
+  webhook:
+    replicaCount: 1
diff --git a/charts/cert-manager/values.rfc2136.yaml.gotmpl b/charts/cert-manager/values.rfc2136.yaml.gotmpl
deleted file mode 100644
index f6a249058..000000000
--- a/charts/cert-manager/values.rfc2136.yaml.gotmpl
+++ /dev/null
@@ -1,36 +0,0 @@
-cert-manager:
-  extraObjects:
-  - |
-    apiVersion: v1
-    kind: Secret
-    metadata:
-      name: rfc2136-credentials
-      namespace: {{ .Release.Namespace }} # secret must be in same namespace as Cert Manager deployment
-    type: Opaque
-    data:
-      tsig-secret-key: {{ requiredEnv "RFC2136_TSIG_SECRET" | b64enc }} # Base64 encoded Secret Access Key
-  - |
-    apiVersion: cert-manager.io/v1
-    kind: ClusterIssuer
-    metadata:
-      name: cert-issuer
-      namespace: {{ .Release.Namespace }}
-      annotations:
-        # ClusterIssuer depends on cert-manager CRDs. We need to wait for them to be installed before creating the ClusterIssuer
-        "helm.sh/hook": post-install,post-upgrade
-        "helm.sh/hook-weight": "1"
-    spec:
-      acme:
-        email: {{ requiredEnv "OSPARC_DEVOPS_MAIL_ADRESS" }}
-        server: {{ requiredEnv "DNS_CHALLENGE_ACME_SERVER" }}
-        privateKeySecretRef:
-          name: cert-manager-acme-private-key
-        solvers:
-        - dns01:
-            rfc2136:
-              nameserver: {{ requiredEnv "RFC2136_NAMESERVER" }}
-              tsigKeyName: {{ requiredEnv "RFC2136_TSIG_KEY" }}
-              tsigAlgorithm: {{ requiredEnv "RFC2136_TSIG_ALGORITHM_CERT_MANAGER" }}
-              tsigSecretSecretRef:
-                name: rfc2136-credentials
-                key: tsig-secret-key
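Review bot: The added `webhook:` mapping at the end of the hunk repeats a key that the context lines already show under `cert-manager:` (`webhook:` / `securePort: 10250`); if both sit at the same indentation, the YAML either fails to parse on the duplicate key or the later mapping wins and `securePort: 10250` is silently dropped, depending on the parser helmfile uses. Put the replica setting under the existing mapping instead: `webhook:` / `securePort: 10250` / `replicaCount: 1`, and delete the second `webhook:` block. The bare `replicaCount: 1` between the two blocks applies to the controller itself and is fine as written.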