feat: migrate cert-manager from Terraform to ArgoCD (#42)
- Add cert-manager base ArgoCD application with namespace, RBAC resources
- Create cert-manager overlay for au-syd1 with Helm chart configuration
- Update platform ApplicationSet to include cert-manager deployment
- Configure cert-manager v1.19.2 with jetstack Helm repository
- Maintain one-to-one migration from Terraform configuration

Reviewed-on: #42
This commit was merged in pull request #42.
@@ -0,0 +1,12 @@
|
|||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRole
|
||||||
|
metadata:
|
||||||
|
name: cert-manager-vault-token-creator
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: "cert-manager-config"
|
||||||
|
app.kubernetes.io/instance: "cert-manager-config"
|
||||||
|
rules:
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["serviceaccounts/token"]
|
||||||
|
verbs: ["create"]
|
||||||
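Review bot: The token-creation rule is unscoped: `create` on `serviceaccounts/token` carries no `resourceNames`, and the ClusterRoleBinding in the next hunk binds it cluster-wide to the `cert-manager` ServiceAccount. The controller can therefore request a token for any ServiceAccount in any namespace, not only the `vault-issuer` account this commit adds. If the Vault issuer is the only consumer (inferred from the role name; no issuer manifest is in this commit), a namespaced `Role` in `cert-manager` with `resourceNames: ["vault-issuer"]` and a matching `RoleBinding` does the same job and limits what a compromised controller can impersonate. If the Terraform original was equally broad, record the narrowing as a follow-up rather than carrying it over silently.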
@@ -0,0 +1,16 @@
|
|||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
metadata:
|
||||||
|
name: cert-manager-vault-token-creator
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: "cert-manager-config"
|
||||||
|
app.kubernetes.io/instance: "cert-manager-config"
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: cert-manager-vault-token-creator
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: cert-manager
|
||||||
|
namespace: cert-manager
|
||||||
@@ -0,0 +1,9 @@
|
|||||||
|
---
|
||||||
|
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||||
|
kind: Kustomization
|
||||||
|
|
||||||
|
resources:
|
||||||
|
- namespace.yaml
|
||||||
|
- serviceaccount.yaml
|
||||||
|
- clusterrole.yaml
|
||||||
|
- clusterrolebinding.yaml
|
||||||
@@ -0,0 +1,5 @@
|
|||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Namespace
|
||||||
|
metadata:
|
||||||
|
name: cert-manager
|
||||||
@@ -0,0 +1,11 @@
|
|||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ServiceAccount
|
||||||
|
metadata:
|
||||||
|
name: vault-issuer
|
||||||
|
namespace: cert-manager
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: "cert-manager-config"
|
||||||
|
app.kubernetes.io/instance: "cert-manager-config"
|
||||||
|
app.kubernetes.io/component: "vault-issuer"
|
||||||
|
automountServiceAccountToken: true
|
||||||
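Review bot: `automountServiceAccountToken: true` looks unnecessary on `vault-issuer`. The RBAC added in this commit suggests cert-manager obtains short-lived tokens for this account through the TokenRequest API, so no pod needs to run as it (inferred; no workload using this account is visible here). Setting `automountServiceAccountToken: false` keeps the credential out of any pod that is later assigned this account by mistake. A one-line comment such as `# token is requested by cert-manager for Vault auth; never mounted into a pod` would record the intent.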
@@ -0,0 +1,14 @@
|
|||||||
|
---
|
||||||
|
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||||
|
kind: Kustomization
|
||||||
|
|
||||||
|
resources:
|
||||||
|
- ../../../base/cert-manager
|
||||||
|
|
||||||
|
helmCharts:
|
||||||
|
- name: cert-manager
|
||||||
|
repo: https://charts.jetstack.io
|
||||||
|
version: "v1.19.2"
|
||||||
|
releaseName: cert-manager
|
||||||
|
namespace: cert-manager
|
||||||
|
valuesFile: values.yaml
|
||||||
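Review bot: The chart is pinned by version string only, so what gets rendered is whatever `https://charts.jetstack.io` serves for `v1.19.2` at build time. As far as I know, the Kustomize `helmCharts` generator has no digest or provenance check. For a component that installs cluster-wide admission webhooks and CRDs, consider vendoring the chart into the repository or verifying it in CI before ArgoCD syncs it. A short comment above `helmCharts:` saying where the version is bumped and how the chart is verified would help the next upgrade.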
@@ -0,0 +1,29 @@
|
|||||||
|
crds:
|
||||||
|
enabled: true
|
||||||
|
|
||||||
|
replicaCount: 2
|
||||||
|
|
||||||
|
resources:
|
||||||
|
requests:
|
||||||
|
cpu: 10m
|
||||||
|
memory: 32Mi
|
||||||
|
|
||||||
|
strategy:
|
||||||
|
type: RollingUpdate
|
||||||
|
rollingUpdate:
|
||||||
|
maxSurge: 0
|
||||||
|
maxUnavailable: 1
|
||||||
|
|
||||||
|
webhook:
|
||||||
|
replicaCount: 2
|
||||||
|
resources:
|
||||||
|
requests:
|
||||||
|
cpu: 10m
|
||||||
|
memory: 32Mi
|
||||||
|
|
||||||
|
cainjector:
|
||||||
|
replicaCount: 2
|
||||||
|
resources:
|
||||||
|
requests:
|
||||||
|
cpu: 10m
|
||||||
|
memory: 32Mi
|
||||||
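Review bot: The two replicas per component are not protected against voluntary disruption, because nothing in these values enables a PodDisruptionBudget. A node drain can evict both webhook pods together, and while the webhook is down the API server rejects creates and updates of cert-manager resources. The chart exposes `podDisruptionBudget.enabled` for the controller and the same key under `webhook` and `cainjector`. If the Terraform values did not set these either, treat it as a follow-up to the one-to-one migration. Only `requests` are set and no `limits`; if that is deliberate, a comment saying so would help.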
@@ -13,6 +13,7 @@ spec:
|
|||||||
- path: apps/overlays/*/artifactapi
|
- path: apps/overlays/*/artifactapi
|
||||||
- path: apps/overlays/*/cattle-system
|
- path: apps/overlays/*/cattle-system
|
||||||
- path: apps/overlays/*/certificates
|
- path: apps/overlays/*/certificates
|
||||||
|
- path: apps/overlays/*/cert-manager
|
||||||
- path: apps/overlays/*/reflector-system
|
- path: apps/overlays/*/reflector-system
|
||||||
- path: apps/overlays/*/reloader-system
|
- path: apps/overlays/*/reloader-system
|
||||||
- path: apps/overlays/*/jfrog
|
- path: apps/overlays/*/jfrog
|
||||||
|
|||||||
@@ -11,11 +11,14 @@ spec:
|
|||||||
- oci://ghcr.io/emberstack/helm-charts
|
- oci://ghcr.io/emberstack/helm-charts
|
||||||
- oci://ghcr.io/woodpecker-ci/helm/woodpecker
|
- oci://ghcr.io/woodpecker-ci/helm/woodpecker
|
||||||
- https://releases.rancher.com/server-charts/stable
|
- https://releases.rancher.com/server-charts/stable
|
||||||
|
- https://charts.jetstack.io
|
||||||
destinations:
|
destinations:
|
||||||
- namespace: '*-system'
|
- namespace: '*-system'
|
||||||
server: https://kubernetes.default.svc
|
server: https://kubernetes.default.svc
|
||||||
- namespace: 'artifactapi'
|
- namespace: 'artifactapi'
|
||||||
server: https://kubernetes.default.svc
|
server: https://kubernetes.default.svc
|
||||||
|
- namespace: 'cert-manager'
|
||||||
|
server: https://kubernetes.default.svc
|
||||||
- namespace: 'certificates'
|
- namespace: 'certificates'
|
||||||
server: https://kubernetes.default.svc
|
server: https://kubernetes.default.svc
|
||||||
- namespace: 'jfrog'
|
- namespace: 'jfrog'
|
||||||
@@ -33,6 +36,10 @@ spec:
|
|||||||
kind: ClusterRoleBinding
|
kind: ClusterRoleBinding
|
||||||
- group: 'apiextensions.k8s.io'
|
- group: 'apiextensions.k8s.io'
|
||||||
kind: CustomResourceDefinition
|
kind: CustomResourceDefinition
|
||||||
|
- group: 'admissionregistration.k8s.io'
|
||||||
|
kind: MutatingWebhookConfiguration
|
||||||
|
- group: 'admissionregistration.k8s.io'
|
||||||
|
kind: ValidatingWebhookConfiguration
|
||||||
- group: 'scheduling.k8s.io'
|
- group: 'scheduling.k8s.io'
|
||||||
kind: PriorityClass
|
kind: PriorityClass
|
||||||
namespaceResourceWhitelist:
|
namespaceResourceWhitelist:
|
||||||
|
|||||||
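Review bot: Adding `MutatingWebhookConfiguration` and `ValidatingWebhookConfiguration` to the cluster-scoped whitelist applies to the whole project, not just cert-manager. Every application in this project, sourced from any of the listed repositories and OCI registries, can now register admission webhooks that see or rewrite API requests cluster-wide. The previous hunk widens the same project with `https://charts.jetstack.io` and the `cert-manager` destination. Consider a dedicated AppProject for cert-manager that carries these two kinds, leaving the shared project's whitelist unchanged. If the shared project is kept, add a comment next to the two entries naming cert-manager as the reason, so the grant can be audited later.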