Add manifests

2973cce2 · Thomas Schneider · 1901c414 · 2973cce2 · 2973cce2 · 2973cce2
Commit 2973cce2 authored 2 years ago by Thomas Schneider
--- a/manifests/apiservice.yaml
+++ b/manifests/apiservice.yaml
+---
+apiVersion: apiregistration.k8s.io/v1
+kind: APIService
+metadata:
+  name: v1alpha1.cert-manager-webhook-rwth.thomas.fsmpi.eu
+  annotations:
+    cert-manager.io/inject-ca-from: >-
+      cert-manager/cert-manager-webhook-rwth-webhook-tls
+spec:
+  group: cert-manager-webhook-rwth.thomas.fsmpi.eu
+  groupPriorityMinimum: 1000
+  versionPriority: 15
+  service:
+    name: cert-manager-webhook-rwth
+    namespace: cert-manager
+  version: v1alpha1
--- a/manifests/deployment.yaml
+++ b/manifests/deployment.yaml
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: cert-manager-webhook-rwth
+  namespace: cert-manager
+spec:
+  selector:
+    matchLabels:
+      app: cert-manager-webhook-rwth
+  template:
+    metadata: {}
+    spec:
+      serviceAccountName: cert-manager-webhook-rwth
+      containers:
+        - name: cert-manager-webhook-rwth
+          image: >-
+            registry.git.fsmpi.rwth-aachen.de/thomas/cert-manager-webhook-rwth:latest
+          args:
+            - --tls-cert-file=/tls/tls.crt
+            - --tls-private-key-file=/tls/tls.key
+            - --secure-port=8443
+            - --v=2  # log level
+          securityContext:
+            runAsUser: 65534
+          ports:
+            - name: https
+              containerPort: 8443
+          livenessProbe:
+            httpGet:
+              scheme: HTTPS
+              path: /healthz
+              port: https
+          readinessProbe:
+            httpGet:
+              scheme: HTTPS
+              path: /healthz
+              port: https
+          volumeMounts:
+            - name: certs
+              mountPath: /tls
+              readOnly: true
+      volumes:
+        - name: certs
+          secret:
+            secretName: cert-manager-webhook-rwth-webhook-tls
--- a/manifests/kustomization.yaml
+++ b/manifests/kustomization.yaml
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+commonLabels:
+  app: cert-manager-webhook-rwth
+resources:
+  - apiservice.yaml
+  - deployment.yaml
+  - pki.yaml
+  - rbac.yaml
+  - service.yaml
--- a/manifests/pki.yaml
+++ b/manifests/pki.yaml
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: cert-manager-webhook-rwth-selfsign
+  namespace: cert-manager
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: cert-manager-webhook-rwth-ca
+  namespace: cert-manager
+spec:
+  secretName: cert-manager-webhook-rwth-ca
+  duration: 8760h  # 1y
+  issuerRef:
+    name: cert-manager-webhook-rwth-selfsign
+  commonName: ca.cert-manager-webhook-rwth.cert-manager
+  isCA: true
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: cert-manager-webhook-rwth-ca
+  namespace: cert-manager
+spec:
+  ca:
+    secretName: cert-manager-webhook-rwth-ca
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: cert-manager-webhook-rwth-webhook-tls
+  namespace: cert-manager
+spec:
+  secretName: cert-manager-webhook-rwth-webhook-tls
+  duration: 720h  # 30d
+  issuerRef:
+    name: cert-manager-webhook-rwth-ca
+  dnsNames:
+    - cert-manager-webhook-rwth
+    - cert-manager-webhook-rwth.cert-manager
+    - cert-manager-webhook-rwth.cert-manager.svc
--- a/manifests/rbac.yaml
+++ b/manifests/rbac.yaml
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cert-manager-webhook-rwth
+  namespace: cert-manager
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: cert-manager-webhook-rwth:webhook-authentication-reader
+  namespace: kube-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: extension-apiserver-authentication-reader
+subjects:
+  - apiGroup: ""
+    kind: ServiceAccount
+    name: cert-manager-webhook-rwth
+    namespace: cert-manager
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cert-manager-webhook-rwth:auth-delegator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:auth-delegator
+subjects:
+  - apiGroup: ""
+    kind: ServiceAccount
+    name: cert-manager-webhook-rwth
+    namespace: cert-manager
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: cert-manager-webhook-rwth:domain-solver
+rules:
+  - apiGroups:
+      - cert-manager-webhook-rwth.thomas.fsmpi.eu
+    resources:
+      - '*'
+    verbs:
+      - 'create'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cert-manager-webhook-rwth:domain-solver
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cert-manager-webhook-rwth:domain-solver
+subjects:
+  - apiGroup: ""
+    kind: ServiceAccount
+    name: cert-manager
+    namespace: cert-manager
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: cert-manager-webhook-rwth:secret-reader
+  namespace: cert-manager
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    resourceNames:
+      - rwthdns-apikey
+    verbs:
+      - get
+      - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: cert-manager-webhook-rwth:secret-reader
+  namespace: cert-manager
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: cert-manager-webhook-rwth:secret-reader
+subjects:
+  - apiGroup: ""
+    kind: ServiceAccount
+    name: cert-manager-webhook-rwth
+    namespace: cert-manager
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: cert-manager-webhook-rwth:flowcontrol-solver
+rules:
+  - apiGroups:
+      - flowcontrol.apiserver.k8s.io
+    resources:
+      - prioritylevelconfigurations
+      - flowschemas
+    verbs:
+      - list
+      - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cert-manager-webhook-rwth:flowcontrol-solver
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cert-manager-webhook-rwth:flowcontrol-solver
+subjects:
+  - apiGroup: ""
+    kind: ServiceAccount
+    name: cert-manager-webhook-rwth
+    namespace: cert-manager
--- a/manifests/service.yaml
+++ b/manifests/service.yaml
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: cert-manager-webhook-rwth
+  namespace: cert-manager
+spec:
+  type: ClusterIP
+  ports:
+    - port: 443
+      targetPort: https
+      name: https
+  selector:
+    app: cert-manager-webhook-rwth