Merge pull request #43 from adhoc-dev/t-51238

[ADD] Cloudflare support

Author: az-adhoc

charts/cert-cfg/v0.1.2/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/cert-cfg/v0.1.2/Chart.yaml

@@ -0,0 +1,22 @@
+annotations:
+  category: DevOps
+apiVersion: v2
+name: cert-cfg
+description: Default configurations for cert-manager
+
+type: application
+
+version: 0.1.2
+
+appVersion: "1.0.0"
+
+home: "https://github.com/adhoc-dev/helm-charts"
+sources:
+  - "https://github.com/adhoc-dev/"
+maintainers:
+  - name: dbollini
+    email: dib@adhoc.com.ar
+  - name: jjscarafia
+    email: jjs@adhoc.com.ar
+
+icon: "https://github.com/adhoc-dev/helm-charts/raw/master/img/kube-cert-manager-nginx-kubernetes.png"

charts/cert-cfg/v0.1.2/README.md

@@ -0,0 +1,19 @@
+# Platform configurations
+
+## Cert Issuer configurations
+
+Files:
+
+* prod_issuer.yaml
+* staging_issuer.yaml
+
+## nginx configs
+
+[+info](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/)
+[+info](https://kubernetes.github.io/ingress-nginx/examples/customization/custom-configuration/)
+[+info](https://docs.nginx.com/nginx-ingress-controller/configuration/global-configuration/configmap-resource/)
+[+info](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#x-forwarded-prefix-header)
+
+Files:
+
+* nginx_configMap.yaml

charts/cert-cfg/v0.1.2/questions.yml

@@ -0,0 +1,109 @@
+questions:
+  - variable: issuerEmail
+    label: "Email"
+    description: "email used for let's encrypt notifications"
+    type: "string"
+    required: true
+    default: "bot@adhoc.com.ar"
+    group: "Common"
+
+  - variable: defaultWildcardIssuer
+    label: "Default Wildcard Issuer"
+    description: "Issuer to use for wildcard certificates"
+    type: "select"
+    required: true
+    options:
+      - value: "cloudDNS"
+        label: "Google Cloud DNS"
+      - value: "cloudflare"
+        label: "Cloudflare"
+    default: "cloudDNS"
+    group: "Common"
+
+# Google Cloud DNS issuer
+  - variable: issuerCloudDNS.enabled
+    label: "Enable Google Cloud DNS Issuer"
+    description: "Enable the Google Cloud DNS Issuer"
+    type: "boolean"
+    required: true
+    default: true
+    group: "Common"
+  - variable: issuerCloudDNS.hostedZoneName
+    label: "CloudDomain"
+    description: ""
+    type: "string"
+    required: true
+    default: "dev-adhoc.com"
+    group: "Google Cloud"
+    show_if:
+      - variable: issuerCloudDNS.enabled
+        value: true
+  - variable: issuerCloudDNS.dnsZoneName
+    label: "CloudDomain"
+    description: "DNS Zone in Google Compute Engine"
+    type: "string"
+    required: true
+    default: "dev-adhoc"
+    group: "Google Cloud"
+    show_if:
+      - variable: issuerCloudDNS.enabled
+        value: true
+  - variable: issuerCloudDNS.project
+    label: "Project"
+    description: "Google Compute Engine Project"
+    type: "string"
+    required: true
+    default: "proyecto-laboratorios"
+    group: "Google Cloud"
+    show_if:
+      - variable: issuerCloudDNS.enabled
+        value: true
+
+# Cloudflare issuer
+  - variable: issuerCloudflare.enabled
+    label: "Enable Cloudflare Issuer"
+    description: "Enable the Cloudflare Issuer"
+    type: "boolean"
+    required: true
+    default: false
+    group: "Common"
+  - variable: issuerCloudflare.email
+    label: "Cloudflare Email"
+    description: "Email used for Cloudflare account"
+    type: "string"
+    required: true
+    default: "user@cloudflare.com"
+    group: "Cloudflare"
+    show_if:
+      - variable: issuerCloudflare.enabled
+        value: true
+  - variable: issuerCloudflare.apiToken
+    label: "Cloudflare API Token"
+    description: "API Token used for Cloudflare account"
+    type: "string"
+    required: true
+    default: ""
+    group: "Cloudflare"
+    show_if:
+      - variable: issuerCloudflare.enabled
+        value: true
+  - variable: issuerCloudflare.hostedZoneName
+    label: "Cloudflare Domain"
+    description: "Domain name in Cloudflare"
+    type: "string"
+    required: true
+    default: "dev-adhoc.com"
+    group: "Cloudflare"
+    show_if:
+      - variable: issuerCloudflare.enabled
+        value: true
+  - variable: issuerCloudflare.hostedZoneName
+    label: "Cloudflare Domain"
+    description: "Domain name in Cloudflare"
+    type: "string"
+    required: true
+    default: "dev-adhoc.com"
+    group: "Cloudflare"
+    show_if:
+      - variable: issuerCloudflare.enabled
+        value: true

charts/cert-cfg/v0.1.2/templates/_helpers.tpl

@@ -0,0 +1,52 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "cert-cfg.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "cert-cfg.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "cert-cfg.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "cert-cfg.labels" -}}
+helm.sh/chart: {{ include "cert-cfg.chart" . }}
+{{ include "cert-cfg.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "cert-cfg.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "cert-cfg.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+

charts/cert-cfg/v0.1.2/templates/nginx_configMap.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: ingress-nginx-controller
+  namespace: nginx-ingress
+data:
+  enable-real-ip: "true"
+  use-forwarded-headers: "true"
+  use-proxy-protocol: "true"
+  proxy-read-timeout: "720s"
+  proxy-send-timeout: "720s"
+  proxy-connect-timeout: "720s"
+  ssl-redirect: "true"
+  # client-max-body-size: "2m"

charts/cert-cfg/v0.1.2/templates/prod_issuer.yaml

@@ -0,0 +1,22 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: adhoc-letsencrypt-prod-issuer
+  namespace: cert-manager
+spec:
+  acme:
+    # The ACME server URL
+    server: https://acme-v02.api.letsencrypt.org/directory
+    # Email address used for ACME registration
+    email: {{ .Values.issuerEmail }}
+    # Name of a secret used to store the ACME account private key
+    privateKeySecretRef:
+      name: {{ include "cert-cfg.fullname" . }}-letsencrypt-prod
+    # Enable the HTTP-01 challenge provider
+    solvers:
+    # Selector if not set, so the solver will be treated as the 'default' solver with the lowest priority.
+    - selector: {}
+      # https://cert-manager.io/docs/configuration/acme/http01/
+      http01:
+        ingress:
+            class:  nginx

charts/cert-cfg/v0.1.2/templates/staging_issuer.yaml

@@ -0,0 +1,22 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: adhoc-letsencrypt-staging-issuer
+  namespace: cert-manager
+spec:
+  acme:
+    # https://cert-manager.io/docs/configuration/acme/
+    # The ACME server URL
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    # Email address used for ACME registration
+    email: {{ .Values.issuerEmail }}
+    # Name of a secret used to store the ACME account private key
+    privateKeySecretRef:
+      name: {{ include "cert-cfg.fullname" . }}-letsencrypt-staging
+    solvers:
+    # Selector if not set, so the solver will be treated as the 'default' solver with the lowest priority.
+    - selector: {}
+      # https://cert-manager.io/docs/configuration/acme/http01/
+      http01:
+        ingress:
+            class:  nginx

charts/cert-cfg/v0.1.2/templates/wildcard-cert.yaml

@@ -0,0 +1,88 @@
+{{ if or .Values.issuerCloudDNS.enabled .Values.issuerCloudflare.enabled }}
+{{- if .Values.issuerCloudflare.enabled }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cloudflare-api-token-secret
+  namespace: cert-manager
+type: Opaque
+stringData:
+  api-token: {{ .Values.issuerCloudflare.apiToken }}
+{{- end }}
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: adhoc-wildcard
+  namespace: cert-manager
+spec:
+  acme:
+    # The ACME server URL
+    server: https://acme-v02.api.letsencrypt.org/directory
+    #server: https://acme-staging-v02.api.letsencrypt.org/directory
+    # Email address used for ACME registration
+    email: {{ .Values.issuerEmail }}
+    # Name of a secret used to store the ACME account private key
+    privateKeySecretRef:
+      name: {{ include "cert-cfg.fullname" . }}-wildcard
+    # Enable the HTTP-01 challenge provider
+    solvers:
+    {{- if .Values.issuerCloudflare.enabled }}
+    - dns01:
+        cloudflare:
+          email: {{ .Values.issuerCloudflare.email }}
+          apiTokenSecretRef:
+            name: cloudflare-api-token-secret
+            key: api-token
+      # Selector if not set, so the solver will be treated as the 'default' solver with the lowest priority.
+      {{- if ne .Values.defaultWildcardIssuer "cloudflare" }}
+      selector:
+        dnsNames:
+          - '{{ .Values.issuerCloudflare.hostedZoneName }}'
+          - '*.{{ .Values.issuerCloudflare.hostedZoneName }}'
+      {{- end }}
+    {{- end }}
+    {{- if .Values.issuerCloudDNS.enabled }}
+    - dns01:
+        cloudDNS:
+          project: {{ .Values.issuerCloudDNS.project }}
+          hostedZoneName: {{ .Values.issuerCloudDNS.dnsZoneName }}
+          # This was created in cert-manager namespace by terraform, so it's a constant.
+          serviceAccountSecretRef:
+            # The key of the entry in the Secret resource's `data` field to be used. Some
+            # instances of this field may be defaulted, in others it may be required.
+            key: key.json
+            # Name of the resource being referred to. More info:
+            # https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+            name: clouddns-dns01-solver-svc-acct
+      # Selector if not set, so the solver will be treated as the 'default' solver with the lowest priority.
+      {{- if ne .Values.defaultWildcardIssuer "cloudDNS" }}
+      selector:
+        dnsNames:
+          - '{{ .Values.issuerCloudDNS.hostedZoneName }}'
+          - '*.{{ .Values.issuerCloudDNS.hostedZoneName }}'
+      {{- end }}
+      {{- end }}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: wildcard-certificate
+  namespace: cert-manager
+spec:
+  commonName:  '{{ .Values.issuerCloudDNS.hostedZoneName }}'
+  dnsNames:
+  {{- if .Values.issuerCloudDNS.enabled }}
+  - '{{ .Values.issuerCloudDNS.hostedZoneName }}'
+  - '*.{{ .Values.issuerCloudDNS.hostedZoneName }}'
+  {{- end }}
+  {{- if .Values.issuerCloudflare.enabled }}
+  - '{{ .Values.issuerCloudflare.hostedZoneName }}'
+  - '*.{{ .Values.issuerCloudflare.hostedZoneName }}'
+  {{- end }}
+  issuerRef:
+    kind: ClusterIssuer
+    name: adhoc-wildcard
+  secretName: wildcard-domain-com-tls
+{{ end }}