From 9524b17b56d02abc2380a1f380c7f87f5c7b633c Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Wed, 18 Mar 2026 21:29:38 +1100 Subject: [PATCH] feat: migrate cert-manager from Terraform to ArgoCD - Add cert-manager base ArgoCD application with namespace, RBAC resources - Create cert-manager overlay for au-syd1 with Helm chart configuration - Update platform ApplicationSet to include cert-manager deployment - Configure cert-manager v1.19.2 with jetstack Helm repository - Maintain one-to-one migration from Terraform configuration --- apps/base/cert-manager/clusterrole.yaml | 12 ++++++++ .../base/cert-manager/clusterrolebinding.yaml | 16 ++++++++++ apps/base/cert-manager/kustomization.yaml | 9 ++++++ apps/base/cert-manager/namespace.yaml | 5 ++++ apps/base/cert-manager/serviceaccount.yaml | 11 +++++++ .../au-syd1/cert-manager/kustomization.yaml | 14 +++++++++ .../overlays/au-syd1/cert-manager/values.yaml | 29 +++++++++++++++++++ argocd/applicationsets/platform.yaml | 1 + argocd/projects/platform.yaml | 7 +++++ 9 files changed, 104 insertions(+) create mode 100644 apps/base/cert-manager/clusterrole.yaml create mode 100644 apps/base/cert-manager/clusterrolebinding.yaml create mode 100644 apps/base/cert-manager/kustomization.yaml create mode 100644 apps/base/cert-manager/namespace.yaml create mode 100644 apps/base/cert-manager/serviceaccount.yaml create mode 100644 apps/overlays/au-syd1/cert-manager/kustomization.yaml create mode 100644 apps/overlays/au-syd1/cert-manager/values.yaml
diff --git a/apps/base/cert-manager/clusterrole.yaml b/apps/base/cert-manager/clusterrole.yaml
new file mode 100644
index 0000000..a4278ad
--- /dev/null
+++ b/apps/base/cert-manager/clusterrole.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: cert-manager-vault-token-creator
+ labels:
+ app.kubernetes.io/name: "cert-manager-config"
+ app.kubernetes.io/instance: "cert-manager-config"
+rules:
+- apiGroups: [""]
+ resources: ["serviceaccounts/token"]
+ verbs: ["create"]
diff --git a/apps/base/cert-manager/clusterrolebinding.yaml b/apps/base/cert-manager/clusterrolebinding.yaml
new file mode 100644
index 0000000..6798045
--- /dev/null
+++ b/apps/base/cert-manager/clusterrolebinding.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: cert-manager-vault-token-creator
+ labels:
+ app.kubernetes.io/name: "cert-manager-config"
+ app.kubernetes.io/instance: "cert-manager-config"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cert-manager-vault-token-creator
+subjects:
+- kind: ServiceAccount
+ name: cert-manager
+ namespace: cert-manager
diff --git a/apps/base/cert-manager/kustomization.yaml b/apps/base/cert-manager/kustomization.yaml
new file mode 100644
index 0000000..23bd056
--- /dev/null
+++ b/apps/base/cert-manager/kustomization.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - namespace.yaml
+ - serviceaccount.yaml
+ - clusterrole.yaml
+ - clusterrolebinding.yaml
diff --git a/apps/base/cert-manager/namespace.yaml b/apps/base/cert-manager/namespace.yaml
new file mode 100644
index 0000000..6bc19f4
--- /dev/null
+++ b/apps/base/cert-manager/namespace.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cert-manager
diff --git a/apps/base/cert-manager/serviceaccount.yaml b/apps/base/cert-manager/serviceaccount.yaml
new file mode 100644
index 0000000..276b4cf
--- /dev/null
+++ b/apps/base/cert-manager/serviceaccount.yaml
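Review bot: The ClusterRole in the first hunk grants `create` on `serviceaccounts/token` with no `resourceNames` and at cluster scope, so the subject bound to it in the clusterrolebinding.yaml hunk can request a token for any ServiceAccount in any namespace, including accounts bound to cluster-admin — a privilege-escalation path far wider than a Vault issuer needs. The binding's subject is the `cert-manager` ServiceAccount in `cert-manager`, which this base does not create (presumably the chart-managed one), while the only account the base creates is `vault-issuer`; if that is the account cert-manager must mint tokens for, restrict the rule with `resourceNames: ["vault-issuer"]` and prefer a namespaced Role/RoleBinding in `cert-manager` over the cluster-scoped pair. A one-line comment on the rule naming the issuer whose `serviceAccountRef` it serves would make the intent reviewable.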
@@ -0,0 +1,11 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: vault-issuer
+ namespace: cert-manager
+ labels:
+ app.kubernetes.io/name: "cert-manager-config"
+ app.kubernetes.io/instance: "cert-manager-config"
+ app.kubernetes.io/component: "vault-issuer"
+automountServiceAccountToken: true
diff --git a/apps/overlays/au-syd1/cert-manager/kustomization.yaml b/apps/overlays/au-syd1/cert-manager/kustomization.yaml
new file mode 100644
index 0000000..906e39b
--- /dev/null
+++ b/apps/overlays/au-syd1/cert-manager/kustomization.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - ../../../base/cert-manager
+
+helmCharts:
+ - name: cert-manager
+ repo: https://charts.jetstack.io
+ version: "v1.19.2"
+ releaseName: cert-manager
+ namespace: cert-manager
+ valuesFile: values.yaml
diff --git a/apps/overlays/au-syd1/cert-manager/values.yaml b/apps/overlays/au-syd1/cert-manager/values.yaml
new file mode 100644
index 0000000..16a91a0
--- /dev/null
+++ b/apps/overlays/au-syd1/cert-manager/values.yaml
@@ -0,0 +1,29 @@
+crds:
+ enabled: true
+
+replicaCount: 2
+
+resources:
+ requests:
+ cpu: 10m
+ memory: 32Mi
+
+strategy:
+ type: RollingUpdate
+ rollingUpdate:
+ maxSurge: 0
+ maxUnavailable: 1
+
+webhook:
+ replicaCount: 2
+ resources:
+ requests:
+ cpu: 10m
+ memory: 32Mi
+
+cainjector:
+ replicaCount: 2
+ resources:
+ requests:
+ cpu: 10m
+ memory: 32Mi
diff --git a/argocd/applicationsets/platform.yaml b/argocd/applicationsets/platform.yaml
index df6994a..5553b4f 100644
--- a/argocd/applicationsets/platform.yaml
+++ b/argocd/applicationsets/platform.yaml
@@ -13,6 +13,7 @@ spec: - path: apps/overlays/*/artifactapi - path: apps/overlays/*/cattle-system - path: apps/overlays/*/certificates + - path: apps/overlays/*/cert-manager - path: apps/overlays/*/reflector-system - path: apps/overlays/*/reloader-system - path: apps/overlays/*/jfrog
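Review bot: `automountServiceAccountToken: true` on the `vault-issuer` ServiceAccount in the first hunk is explicit even though nothing in this change runs a pod as that account; its only visible purpose is as the identity for which cert-manager requests short-lived tokens through the `serviceaccounts/token` rule in the base, and that path does not use automount. Unless a workload is meant to run as `vault-issuer`, set `automountServiceAccountToken: false` so a pod created under this account does not receive the Vault-auth identity's token by default. A comment such as `# identity referenced by the cert-manager Vault issuer's serviceAccountRef; tokens are requested via TokenRequest, not mounted` would record why the account exists.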
diff --git a/argocd/projects/platform.yaml b/argocd/projects/platform.yaml
index 9663c62..830e9eb 100644
--- a/argocd/projects/platform.yaml
+++ b/argocd/projects/platform.yaml
@@ -11,11 +14,14 @@ spec: - oci://ghcr.io/emberstack/helm-charts - oci://ghcr.io/woodpecker-ci/helm/woodpecker - https://releases.rancher.com/server-charts/stable + - https://charts.jetstack.io destinations: - namespace: '*-system' server: https://kubernetes.default.svc - namespace: 'artifactapi' server: https://kubernetes.default.svc + - namespace: 'cert-manager' + server: https://kubernetes.default.svc - namespace: 'certificates' server: https://kubernetes.default.svc - namespace: 'jfrog'
@@ -33,6 +36,10 @@ spec: kind: ClusterRoleBinding - group: 'apiextensions.k8s.io' kind: CustomResourceDefinition + - group: 'admissionregistration.k8s.io' + kind: MutatingWebhookConfiguration + - group: 'admissionregistration.k8s.io' + kind: ValidatingWebhookConfiguration - group: 'scheduling.k8s.io' kind: PriorityClass namespaceResourceWhitelist:
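Review bot: The two `admissionregistration.k8s.io` entries added to the cluster-resource whitelist in the second hunk are project-wide, not cert-manager-specific: every Application in this AppProject, sourced from any repository in the list the first hunk extends with `https://charts.jetstack.io` (presumably `sourceRepos`), may now create MutatingWebhookConfiguration and ValidatingWebhookConfiguration objects, which can intercept and rewrite every admitted object in the cluster. cert-manager's webhook does need both kinds, but the grant is not scoped to it; consider a dedicated, narrower AppProject for cert-manager, or at least record the justification inline, `# required by cert-manager's webhook chart resources (v1.19.2); revisit if cert-manager leaves this project`. The enclosing `spec` continues outside both hunks.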