
## RBAC notes. cert-manager was seen logging the following error:
##   exoscale.acme.exoscale.com is forbidden: User "system:serviceaccount:cert-manager:cert-manager" cannot create resource "exoscale"
##   in API group "acme.exoscale.com" at the cluster scope
# The commented-out ClusterRole/ClusterRoleBinding below is believed to be unnecessary: the error was caused by the
# cert-manager-webhook-exoscale deployment not being installed, not by a missing grant. It is kept for reference only.
# Prefer installing the webhook over re-enabling it: as written it would give the cert-manager service account
# cluster-wide "create" on every resource in the acme.exoscale.com group.
# ---
# apiVersion: rbac.authorization.k8s.io/v1
# kind: ClusterRole
# metadata:
# name: cert-manager-webhook-exoscale
# namespace: cert-manager
# labels:
# app: webhook
# rules:
# - apiGroups:
# - acme.exoscale.com
# resources:
# - '*'
# verbs:
# - 'create'
# ---
# apiVersion: rbac.authorization.k8s.io/v1
# kind: ClusterRoleBinding
# metadata:
# name: cert-manager-webhook-exoscale
# namespace: cert-manager
# labels:
# app: webhook
# roleRef:
# apiGroup: rbac.authorization.k8s.io
# kind: ClusterRole
# name: cert-manager-webhook-exoscale
# subjects:
# - apiGroup: ""
# kind: ServiceAccount
# name: cert-manager
# namespace: cert-manager
## Role & RoleBinding giving the exoscale webhook's service account read access to the "exoscale" Secret
## (the API key/secret referenced by apiKeyRef/apiSecretRef in the ClusterIssuers below) in the cert-manager namespace.
---
# Role: read-only access to the single Secret that holds the Exoscale API credentials.
# resourceNames pins the grant to that one object, so the bound service account cannot
# read any other Secret in the namespace; "list" is deliberately not granted.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cert-manager-webhook-exoscale:secret-reader
  namespace: cert-manager
rules:
  - apiGroups:
      - ""
    resources:
      - secrets
    resourceNames:
      - exoscale
    verbs:
      - get
      - watch
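---
# RoleBinding: attach the secret-reader Role to the webhook's service account.
# ServiceAccount subjects must carry a namespace; without it the API server rejects
# the binding ("subjects[0].namespace: Required value") and the webhook silently keeps
# failing to read the credentials.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cert-manager-webhook-exoscale:secret-reader
  namespace: cert-manager
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cert-manager-webhook-exoscale:secret-reader
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    # Must match the service account used by the cert-manager-webhook-exoscale deployment.
    name: cert-manager-webhook-exoscale
    namespace: cert-manager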
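---
{{ if eq .Values.environment "staging" }}
# Let's Encrypt STAGING issuer: certificates it issues are not publicly trusted.
# Use it to validate the DNS01/webhook setup without burning production rate limits.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # Contact address for the ACME account (expiry and account notices), taken from
    # .Values.adminEmail. Quoted so the rendered value is always a YAML string.
    email: {{ .Values.adminEmail | quote }}
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # Secret that stores the ACME account private key. Whoever can read it
      # controls the ACME account, so keep its RBAC tight.
      name: letsencrypt-staging
    solvers:
      - dns01:
          webhook:
            groupName: acme.exoscale.com
            solverName: exoscale
            config:
              # Both refs point at the "exoscale" Secret. NOTE(review): for a ClusterIssuer
              # cert-manager resolves Secret refs in its cluster-resource namespace
              # (cert-manager unless overridden), the namespace the secret-reader Role
              # above is scoped to — confirm against the webhook's documentation.
              apiKeyRef:
                name: exoscale
                key: apiKey
              apiSecretRef:
                name: exoscale
                key: apiSecret
{{ end }}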
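{{ if eq .Values.environment "production" }}
---
# Let's Encrypt PRODUCTION issuer: publicly trusted certificates, subject to
# Let's Encrypt rate limits. Only rendered when .Values.environment is exactly "production";
# any other value (other than "staging") renders no ClusterIssuer at all.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    # Contact address for the ACME account (expiry and account notices), taken from
    # .Values.adminEmail. Quoted so the rendered value is always a YAML string.
    email: {{ .Values.adminEmail | quote }}
    privateKeySecretRef:
      # Secret that stores the ACME account private key. Whoever can read it
      # controls the ACME account, so keep its RBAC tight.
      name: letsencrypt-prod
    solvers:
      - dns01:
          webhook:
            groupName: acme.exoscale.com
            solverName: exoscale
            config:
              # Both refs point at the "exoscale" Secret. NOTE(review): for a ClusterIssuer
              # cert-manager resolves Secret refs in its cluster-resource namespace
              # (cert-manager unless overridden), the namespace the secret-reader Role
              # above is scoped to — confirm against the webhook's documentation.
              apiKeyRef:
                name: exoscale
                key: apiKey
              apiSecretRef:
                name: exoscale
                key: apiSecret
{{ end }}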