{{ if .Values.certmanager.enabled }}
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: {{ .Values.cluster.name }}-cert-manager
labels:
cluster: {{ .Values.cluster.name | quote }}
app: cert-manager
namespace: {{ .Values.cluster.namespace | default "argocd" | quote }}
annotations:
{{- toYaml .Values.notifications | nindent 4 }}
spec:
project: {{ .Values.cluster.name }}
destination:
server: {{ .Values.cluster.url }}
namespace: cert-manager
syncPolicy:
{{- if .Values.sync }}
automated:
prune: true
selfHeal: true
allowEmpty: false
{{- end }}
syncOptions:
- CreateNamespace=true
managedNamespaceMetadata:
labels:
pod-security.kubernetes.io/enforce: privileged
pod-security.kubernetes.io/audit: privileged
pod-security.kubernetes.io/warn: privileged
source:
repoURL: https://charts.jetstack.io
chart: cert-manager
targetRevision: {{ .Values.certmanager.version | quote }}
helm:
version: v3
releaseName: cert-manager
values: |
ingressShim:
defaultIssuerKind: ClusterIssuer
defaultIssuerName: letsencrypt-prod
installCRDs: true
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: {{ .Values.cluster.name }}-cert-manager-issuer
labels:
cluster: {{ .Values.cluster.name | quote }}
app: cert-manager-issuer
namespace: {{ .Values.cluster.namespace | default "argocd" | quote }}
annotations:
{{- toYaml .Values.notifications | nindent 4 }}
spec:
project: {{ .Values.cluster.name }}
destination:
server: {{ .Values.cluster.url }}
namespace: cert-manager
syncPolicy:
{{- if .Values.sync }}
automated:
prune: true
selfHeal: true
allowEmpty: false
{{- end }}
source:
repoURL: https://bedag.github.io/helm-charts/
chart: raw
targetRevision: {{ .Values.raw.version | quote }}
helm:
version: v3
releaseName: raw
values: |
resources:
- apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-prod
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: {{ .Values.certmanager.email }}
privateKeySecretRef:
name: letsencrypt-prod-account
solvers:
- http01:
ingress:
ingressClassName: {{ .Values.certmanager.class | default .Values.ingresscontroller.class }}
ingressTemplate:
metadata:
annotations:
"traefik.ingress.kubernetes.io/router.priority": "99999"
"traefik.ingress.kubernetes.io/frontend-entry-points": "web"
- apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-staging
spec:
acme:
server: https://acme-staging-v02.api.letsencrypt.org/directory
email: {{ .Values.certmanager.email }}
privateKeySecretRef:
name: letsencrypt-staging-account
solvers:
- http01:
ingress:
ingressClassName: {{ .Values.certmanager.class | default .Values.ingresscontroller.class }}
ingressTemplate:
metadata:
annotations:
"traefik.ingress.kubernetes.io/router.priority": "99999"
"traefik.ingress.kubernetes.io/frontend-entry-points": "web"
{{- if eq .Values.ingresscontroller.class "traefik" }}
- apiVersion: v1
kind: ServiceAccount
metadata:
name: traefik-certmanager
namespace: traefik
- apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: traefik-certmanager
rules:
- apiGroups: ["traefik.containo.us"]
resources: ["ingressroutes"]
verbs: ["watch", "patch"]
- apiGroups: ["traefik.io"]
resources: ["ingressroutes"]
verbs: ["watch", "patch"]
- apiGroups: ["cert-manager.io"]
resources: ["certificates"]
verbs: ["get", "create", "delete"]
- apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: traefik-certmanager
subjects:
- kind: ServiceAccount
name: traefik-certmanager
namespace: traefik
roleRef:
kind: ClusterRole
name: traefik-certmanager
apiGroup: rbac.authorization.k8s.io
- apiVersion: apps/v1
kind: Deployment
metadata:
name: traefik-certmanager
namespace: traefik
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: traefik-certmanager
template:
metadata:
labels:
app.kubernetes.io/name: traefik-certmanager
spec:
serviceAccount: traefik-certmanager
containers:
- name: traefik-certmanager
image: kooper/traefik-certmanager
imagePullPolicy: Always
env:
- name: ISSUER_NAME
value: letsencrypt-prod
- name: ISSUER_KIND
value: ClusterIssuer
- name: CERT_CLEANUP
value: "false"
- name: PATCH_SECRETNAME
value: "true"
{{- end }}
{{- end }}