feat(cert-manager): configurable cluster issuers (grafana#441)
* feat(cert-manager): configurable cluster issuers

* correct name
Duologic authored Feb 1, 2021
1 parent 6db386f commit 739cda1
Showing 3 changed files with 87 additions and 72 deletions.
5 changes: 4 additions & 1 deletion cert-manager/config.libsonnet
Expand Up @@ -3,9 +3,12 @@
name: 'cert-manager',
namespace: error '$._config.namespace needs to be configured.',
version: 'v1.1.0',
install_crds: !$._config.custom_crds,
issuer_email: error '$._config.issuer_email needs to be configured.',

// backwards compat
custom_crds: false, // newer cert-manager charts can install CRDs
default_issuer: null,
default_issuer_group: 'cert-manager.io',
issuer_email: error '$._config.issuer_email needs to be configured.',
},
}
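Review bot: The relationship between the new `install_crds` field and the retained `custom_crds` is undocumented; the `// backwards compat` marker only says `custom_crds` is old, not that `install_crds` is now derived from it and is the knob callers should set. Suggest `install_crds: !$._config.custom_crds,  // preferred knob; derived from custom_crds so existing overrides keep working`. Since `default_issuer_group` defaults to `'cert-manager.io'` rather than `null`, the `!= null` guards in the sibling `default_clusterissuers.libsonnet` appear to only ever matter for `default_issuer`; a one-line comment here noting that the group is always emitted would save a reader checking both files.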
152 changes: 82 additions & 70 deletions cert-manager/default_clusterissuers.libsonnet
@@ -1,86 +1,98 @@
{
local _containers = super.labeled.deployment_cert_manager.spec.template.spec.containers,
labeled+: {
deployment_cert_manager+: {
spec+: {
template+: {
spec+: {
containers: [
_container {
args+:
[
'--default-issuer-kind=ClusterIssuer',
]
+ (if $._config.default_issuer != null then ['--default-issuer-name=' + $._config.default_issuer] else [])
+ (if $._config.default_issuer_group != null then ['--default-issuer-group=' + $._config.default_issuer_group] else []),
}
for _container in _containers
],
},
},

withDefaultIssuer(name, kind='ClusterIssuer', group='cert-manager.io'):: {
values+:: {
ingressShim: {
defaultIssuerName: name,
defaultIssuerKind: kind,
defaultIssuerGroup: group,
},
},
},

cluster_issuer_staging: {
apiVersion: 'cert-manager.io/v1alpha2',
kind: 'ClusterIssuer',
metadata: {
name: 'letsencrypt-staging',
clusterIssuer:: {
new(name): {
apiVersion: 'cert-manager.io/v1alpha2',
kind: 'ClusterIssuer',
metadata: {
name: name,
},
},
spec: {
acme: {
// You must replace this email address with your own.
// Let's Encrypt will use this to contact you about expiring
// certificates, and issues related to your account.
email: $._config.issuer_email,
server: 'https://acme-staging-v02.api.letsencrypt.org/directory',
privateKeySecretRef: {
// Secret resource used to store the account's private key.
name: 'letsencrypt-staging-account',
},
// Add a single challenge solver, HTTP01 using nginx
solvers: [
{
http01: {
ingress: {
class: 'nginx',
},
},
withACME(email, server='https://acme-v02.api.letsencrypt.org/directory'): {
local name = super.metadata.name,
spec+: {
acme: {
// You must replace this email address with your own.
// Let's Encrypt will use this to contact you about expiring
// certificates, and issues related to your account.
email: email,
server: server,
privateKeySecretRef: {
// Secret resource used to store the account's private key.
name: '%s-account' % name,
},
],
},
},
},
},

cluster_issuer_prod: {
apiVersion: 'cert-manager.io/v1alpha2',
kind: 'ClusterIssuer',
metadata: {
name: 'letsencrypt-prod',
},
spec: {
acme: {
// You must replace this email address with your own.
// Let's Encrypt will use this to contact you about expiring
// certificates, and issues related to your account.
email: $._config.issuer_email,
server: 'https://acme-v02.api.letsencrypt.org/directory',
privateKeySecretRef: {
// Secret resource used to store the account's private key.
name: 'letsencrypt-prod-account',
reuseAccount(secret_name): {
spec+: {
acme+: {
// re-use an existing account
// https://cert-manager.io/docs/configuration/acme/#reusing-an-acme-account
disableAccountKeyGeneration: true,
privateKeySecretRef: {
// Secret resource used to retrieve the account's private key.
name: secret_name,
},
},
// Add a single challenge solver, HTTP01 using nginx
solvers: [
{
http01: {
ingress: {
class: 'nginx',
},
},
withACMESolverHttp01(class='nginx'): {
spec+: {
acme+: {
// Add a single challenge solver, HTTP01 using nginx
solvers: [
{
http01: {
ingress: {
class: class,
},
},
},
},
],
],
},
},
},
},

// backward compat
values+:: {
ingressShim:
{
defaultIssuerKind: 'ClusterIssuer',
}

+ (
if $._config.default_issuer != null
then { defaultIssuerName: $._config.default_issuer }
else {}
)
+ (
if $._config.default_issuer_group != null
then { defaultIssuerGroup: $._config.default_issuer_group }
else {}
),
},

// backward compat
cluster_issuer_staging:
self.clusterIssuer.new('letsencrypt-staging')
+ self.clusterIssuer.withACME($._config.issuer_email, 'https://acme-staging-v02.api.letsencrypt.org/directory')
+ self.clusterIssuer.withACMESolverHttp01(),

// backward compat
cluster_issuer_prod:
self.clusterIssuer.new('letsencrypt-prod')
+ self.clusterIssuer.withACME($._config.issuer_email)
+ self.clusterIssuer.withACMESolverHttp01(),
}
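Review bot: `withACME` sets `acme: {` (no `+`) inside `spec+:`, so it replaces the whole `acme` object rather than merging, and any `acme+:` contribution mixed in before it — `reuseAccount`'s `disableAccountKeyGeneration` and `privateKeySecretRef`, or `withACMESolverHttp01`'s `solvers` — is silently dropped when `withACME` is applied after them, which for `reuseAccount` means a fresh account key gets generated instead of the intended reuse; change it to `acme+: {` so mixin order does not matter. The copied "You must replace this email address with your own" comment in `withACME` is stale now that the address is a parameter and could read `// contact address registered with the ACME account; the CA uses it for expiry and account notices`. `clusterIssuer.new` still emits `apiVersion: 'cert-manager.io/v1alpha2'`, which is deprecated in cert-manager 1.x (the config pins chart `v1.1.0`); moving to `cert-manager.io/v1` would avoid relying on the conversion webhook, though that predates this commit.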
2 changes: 1 addition & 1 deletion cert-manager/main.libsonnet
Expand Up @@ -3,7 +3,7 @@ local helm = tanka.helm.new(std.thisFile);

{
values:: {
installCRDs: if $._config.custom_crds then false else true,
installCRDs: $._config.install_crds,
global: {
podSecurityPolicy: {
enabled: true,
