Add cert-manager-setup chart, make dex + traefik use cert-manager issued certificates

staging/cert-manager-setup/.helmignore

@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

staging/cert-manager-setup/Chart.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+name: cert-manager-setup
+home: https://github.com/mesosphere/charts
+version: 0.1.0
+appVersion: 0.10.0
+description: Install cert-manager and optionally add a ClusterIssuer
+keywords:
+- cert-manager
+- issuer
+- clusterissuer
+sources:
+- https://github.com/jetstack/cert-manager
+- https://github.com/jetstack/cert-manager/tree/master/deploy/charts/cert-manager
+maintainers:
+- name: timaa2k
+  email: [email protected]
+engine: gotpl

staging/cert-manager-setup/README.md

@@ -0,0 +1,25 @@
+# cert-manager-setup
+
+cert-manager-setup installs [cert-manager](https://github.com/jetstack/cert-manager/blob/master/deploy/charts/cert-manager/README.md) which is a Kubernetes addon to automate the management and issuance of
+TLS certificates from various issuing sources.
+
+`cert-manager` will ensure certificates are valid and up to date periodically, and attempt
+to renew certificates at an appropriate time before expiry.
+
+In addition to installing `cert-manager`, `cert-manager-setup` provides the capability to specify a `ClusterIssuer` in the `values.yaml` file which will be applied directly after the `cert-manager` installation has completed.
+
+# Supported values format
+
+```yaml
+clusterissuer:
+  name: clusterissuer-name
+  spec:
+    ca:
+      secretName: clusterissuer-secret
+```
+
+In the given example we create a `ClusterIssuer` named `clusterissuer-name` with the `ca` type. The `ca` type expects a secret that contains the Certificate Authority (CA) to be used by this `ClusterIssuer`. The spec follows the original `cert-manager` [spec](https://docs.cert-manager.io/en/latest/tasks/issuers/setup-ca.html#creating-an-issuer-referencing-the-secret).
+
+# Notes
+
+In order to submit the `ClusterIssuer` post installation, `cert-manager-setup` runs a post-install `Job` hook. In case that the hook fails the Job will not be cleaned up by Helm. This behavior is intended to ease debugging.

staging/cert-manager-setup/requirements.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: cert-manager
+  repository: https://charts.jetstack.io
+  version: v0.10.0
+digest: sha256:28e79a359d2563500962b1791ffb542092daf6a6ee73e58b9681d21b9955974e
+generated: "2019-09-13T12:14:07.505937281+02:00"

staging/cert-manager-setup/requirements.yaml

@@ -0,0 +1,4 @@
+dependencies:
+  - name: cert-manager
+    version: 0.10.0
+    repository: https://charts.jetstack.io

staging/cert-manager-setup/templates/NOTES.txt

@@ -0,0 +1 @@
+Deploys cert-manager and submits the kubernetes-ca ClusterIssuer post installation.

staging/cert-manager-setup/templates/_helpers.tpl

@@ -0,0 +1,45 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "cert-manager-setup.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "cert-manager-setup.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "cert-manager-setup.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "cert-manager-setup.labels" -}}
+app.kubernetes.io/name: {{ include "cert-manager-setup.name" . }}
+helm.sh/chart: {{ include "cert-manager-setup.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}

staging/cert-manager-setup/templates/clusterissuer.yaml

@@ -0,0 +1,11 @@
+{{ if .Values.clusterissuer }}
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: ClusterIssuer
+metadata:
+  name: {{ required "clusterissuer must have a name" .Values.clusterissuer.name }}
+  annotations:
+    "helm.sh/hook": "post-install"
+    "helm.sh/hook-weight": "-4"
+spec:
+{{ required "clusterissuer must have a spec" .Values.clusterissuer.spec | toYaml | indent 4 }}
+{{ end }}

staging/cert-manager-setup/templates/clusterrole.yaml

@@ -0,0 +1,8 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: read-apiservices
+rules:
+- apiGroups: ["apiregistration.k8s.io"]
+  resources: ["apiservices"]
+  verbs: ["get", "watch", "list"]

staging/cert-manager-setup/templates/clusterrolebinding.yaml

@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: read-apiservices-rolebinding
+  namespace: kubeaddons
+subjects:
+- kind: ServiceAccount
+  namespace: kubeaddons
+  name: default
+roleRef:
+  kind: ClusterRole
+  name: read-apiservices
+  apiGroup: rbac.authorization.k8s.io