From 606c899382b5f18e58920b3d5df45fa842a58988 Mon Sep 17 00:00:00 2001
From: Jpeedroza
Date: Fri, 22 Oct 2021 16:05:34 -0300
Subject: [PATCH] Created formula to cert-manager in AWS Route53
---
vkpr/cert-manager/install/aws/README.md | 1 +
vkpr/cert-manager/install/aws/build.sh | 11 +++
vkpr/cert-manager/install/aws/config.json | 59 ++++++++++++++++
vkpr/cert-manager/install/aws/help.json | 4 ++
vkpr/cert-manager/install/aws/metadata.json | 18 +++++
vkpr/cert-manager/install/aws/src/main.sh | 11 +++
.../install/aws/src/unix/formula/formula.sh | 67 +++++++++++++++++++
.../install/aws/src/utils/IAM-policy.json | 23 +++++++
.../install/aws/src/utils/cert-manager.yaml | 7 ++
.../install/aws/src/utils/issuers.yaml | 43 ++++++++++++
.../install/aws/src/utils/route53-secret.yaml | 8 +++
.../custom-acme/src/unix/formula/formula.sh | 2 +-
.../install/do/src/unix/formula/formula.sh | 2 +-
.../do/src/utils/cert-manager-custom-ca.yaml | 15 -----
14 files changed, 254 insertions(+), 17 deletions(-)
create mode 100755 vkpr/cert-manager/install/aws/README.md
create mode 100755 vkpr/cert-manager/install/aws/build.sh
create mode 100755 vkpr/cert-manager/install/aws/config.json
create mode 100644 vkpr/cert-manager/install/aws/help.json
create mode 100755 vkpr/cert-manager/install/aws/metadata.json
create mode 100755 vkpr/cert-manager/install/aws/src/main.sh
create mode 100755 vkpr/cert-manager/install/aws/src/unix/formula/formula.sh
create mode 100644 vkpr/cert-manager/install/aws/src/utils/IAM-policy.json
create mode 100644 vkpr/cert-manager/install/aws/src/utils/cert-manager.yaml
create mode 100644 vkpr/cert-manager/install/aws/src/utils/issuers.yaml
create mode 100644 vkpr/cert-manager/install/aws/src/utils/route53-secret.yaml
delete mode 100644 vkpr/cert-manager/install/do/src/utils/cert-manager-custom-ca.yaml
diff --git a/vkpr/cert-manager/install/aws/README.md b/vkpr/cert-manager/install/aws/README.md
new file mode 100755
index 00000000..8b137891
--- /dev/null
+++ b/vkpr/cert-manager/install/aws/README.md
@@ -0,0 +1 @@
+
diff --git a/vkpr/cert-manager/install/aws/build.sh b/vkpr/cert-manager/install/aws/build.sh
new file mode 100755
index 00000000..3f067481
--- /dev/null
+++ b/vkpr/cert-manager/install/aws/build.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+BIN_FOLDER=bin
+BINARY_NAME_UNIX=run.sh
+ENTRY_POINT_UNIX=main.sh
+
+#bash-build:
+ mkdir -p $BIN_FOLDER
+ cp -r src/* $BIN_FOLDER
+ mv $BIN_FOLDER/$ENTRY_POINT_UNIX $BIN_FOLDER/$BINARY_NAME_UNIX
+ chmod +x $BIN_FOLDER/$BINARY_NAME_UNIX
diff --git a/vkpr/cert-manager/install/aws/config.json b/vkpr/cert-manager/install/aws/config.json
new file mode 100755
index 00000000..81173851
--- /dev/null
+++ b/vkpr/cert-manager/install/aws/config.json
@@ -0,0 +1,59 @@
+{
+ "inputs": [
+ {
+ "label": "Type your email to use to generate certificates:",
+ "default": "default@vkpr.com",
+ "name": "email",
+ "required": true,
+ "tutorial": "@",
+ "type": "text",
+ "cache": {
+ "active": true,
+ "qty": 2,
+ "newLabel": "Type other email: "
+ }
+ },
+ {
+ "default": "letsencrypt-staging",
+ "items": [
+ "letsencrypt-staging",
+ "letsencrypt-production"
+ ],
+ "label": "What is the default cluster issuer? ",
+ "name": "issuer",
+ "required": true,
+ "type": "text"
+ },
+ {
+ "name": "aws_access_key",
+ "type": "CREDENTIAL_AWS_ACCESSKEYID"
+ },
+ {
+ "name": "aws_secret_key",
+ "type": "CREDENTIAL_AWS_SECRETACCESSKEY"
+ },
+ {
+ "name": "aws_region",
+ "label": "Type your aws region: ",
+ "type": "text",
+ "default": "us-east-1",
+ "cache": {
+ "active": true,
+ "qty": 2,
+ "newLabel": "Type another region: "
+ }
+ },
+ {
+ "name": "aws_iam_role_arn",
+ "label": "Type your IAM Role ARN: ",
+ "type": "text",
+ "cache": {
+ "active": true,
+ "qty": 2,
+ "newLabel": "Type another IAM Role ARN: "
+ }
+ }
+ ],
+ "template": "shell-bat",
+ "templateRelease": "2.17.0"
+}
\ No newline at end of file
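Review bot: The `issuer` input in config.json offers `letsencrypt-production`, but the production ClusterIssuer that issuers.yaml creates in this same commit is named `letsencrypt-prod` (only its privateKeySecretRef is `letsencrypt-production-key`), so picking that option makes installCertManager set `ingressShim.defaultIssuerName` to an issuer that does not exist and ingress-shim certificates are never issued. Align the two by renaming the ClusterIssuer in issuers.yaml to `letsencrypt-production`, or by changing the item here to `letsencrypt-prod`. Separately, `aws_iam_role_arn` has neither `required` nor `default` while installIssuer writes its value unconditionally into `route53.role`; if an empty role is meant to be allowed (worth confirming that cert-manager treats an empty `role` as unset), the label could say so, e.g. `"label": "Type your IAM Role ARN (leave empty to use the access key directly): "`.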
diff --git a/vkpr/cert-manager/install/aws/help.json b/vkpr/cert-manager/install/aws/help.json
new file mode 100644
index 00000000..8cfcf2e7
--- /dev/null
+++ b/vkpr/cert-manager/install/aws/help.json
@@ -0,0 +1,4 @@
+{
+ "short": "",
+ "long": ""
+}
diff --git a/vkpr/cert-manager/install/aws/metadata.json b/vkpr/cert-manager/install/aws/metadata.json
new file mode 100755
index 00000000..f6d224df
--- /dev/null
+++ b/vkpr/cert-manager/install/aws/metadata.json
@@ -0,0 +1,18 @@
+{
+ "execution": [
+ "local"
+ ],
+ "os": {
+ "deps": [],
+ "support": [
+ "mac",
+ "linux"
+ ]
+ },
+ "tags": [
+ "vkpr",
+ "cert-manager",
+ "install",
+ "aws"
+ ]
+}
diff --git a/vkpr/cert-manager/install/aws/src/main.sh b/vkpr/cert-manager/install/aws/src/main.sh
new file mode 100755
index 00000000..77b194fb
--- /dev/null
+++ b/vkpr/cert-manager/install/aws/src/main.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+VKPR_SCRIPTS=~/.vkpr/src
+
+source $VKPR_SCRIPTS/log.sh
+source $VKPR_SCRIPTS/var.sh
+source $VKPR_SCRIPTS/helper.sh
+
+. "$(dirname "$0")"/unix/formula/formula.sh --source-only
+
+runFormula
diff --git a/vkpr/cert-manager/install/aws/src/unix/formula/formula.sh b/vkpr/cert-manager/install/aws/src/unix/formula/formula.sh
new file mode 100755
index 00000000..6272966e
--- /dev/null
+++ b/vkpr/cert-manager/install/aws/src/unix/formula/formula.sh
@@ -0,0 +1,67 @@
+#!/bin/sh
+
+runFormula() {
+ checkGlobalConfig $EMAIL "default@vkpr.com" "cert-manager.email" "EMAIL"
+
+ startInfos
+ installCRDS
+ addCertManager
+ installCertManager
+ addTokenDNS
+ installIssuer
+}
+
+installCRDS() {
+ echoColor "yellow" "Installing cert-manager CRDS beforehand..."
+ $VKPR_KUBECTL apply -f "https://github.com/jetstack/cert-manager/releases/download/$VKPR_CERT_VERSION/cert-manager.crds.yaml"
+}
+
+addCertManager() {
+ registerHelmRepository jetstack https://charts.jetstack.io
+}
+
+installCertManager() {
+ echoColor "yellow" "Installing cert-manager..."
+ local VKPR_CERT_MANAGER_VALUES=$(dirname "$0")/utils/cert-manager.yaml
+ local VKPR_ENV_CERT_ISSUER="$ISSUER"
+ $VKPR_YQ eval $VKPR_CERT_MANAGER_VALUES \
+ | $VKPR_HELM upgrade -i -f - \
+ -n cert-manager --create-namespace \
+ --set ingressShim.defaultIssuerName="$VKPR_ENV_CERT_ISSUER" \
+ --version "$VKPR_CERT_VERSION" \
+ --wait \
+ cert-manager jetstack/cert-manager
+}
+
+
+addTokenDNS() {
+ local VKPR_CERT_TOKEN=$(dirname "$0")/utils/route53-secret.yaml
+ local BASE64_ARGS="" # detect OS for proper base64 args
+ if [[ "$OSTYPE" != "darwin"* ]]; then
+ BASE64_ARGS="-w0"
+ fi
+ echoColor "yellow" "Adding the Token..."
+ local VKPR_INPUT_SECRET_KEY_BASE64=$(echo "$AWS_SECRET_KEY" | base64 $BASE64_ARGS)
+ $VKPR_YQ eval '.data.secret-access-key = strenv(VKPR_INPUT_SECRET_KEY_BASE64) |
+ .data.secret-access-key style = "double"' "$VKPR_CERT_TOKEN" \
+ | $VKPR_KUBECTL apply -f -
+}
+
+installIssuer() {
+ echoColor "yellow" "Installing Issuers and/or ClusterIssuers..."
+ local VKPR_ISSUER_VALUES=$(dirname "$0")/utils/issuers.yaml
+ local VKPR_ENV_INPUT_EMAIL="$VKPR_ENV_EMAIL"
+ $VKPR_YQ eval '.spec.acme.email = "'$VKPR_ENV_INPUT_EMAIL'" |
+ .spec.acme.solvers[0].dns01.route53.region = "'$AWS_REGION'" |
+ .spec.acme.solvers[0].dns01.route53.accessKeyID = "'$AWS_ACCESS_KEY'" |
+ .spec.acme.solvers[0].dns01.route53.role = "'$AWS_IAM_ROLE_ARN'"' "$VKPR_ISSUER_VALUES" \
+ | $VKPR_KUBECTL apply -f -
+}
+
+startInfos() {
+ echo "=============================="
+ echoColor "bold" "$(echoColor "green" "VKPR Cert-manager Install Routine")"
+ echoColor "bold" "$(echoColor "blue" "Provider:") AWS"
+ echoColor "bold" "$(echoColor "blue" "Email:") ${VKPR_ENV_EMAIL}"
+ echo "=============================="
+}
diff --git a/vkpr/cert-manager/install/aws/src/utils/IAM-policy.json b/vkpr/cert-manager/install/aws/src/utils/IAM-policy.json
new file mode 100644
index 00000000..e4f0aa38
--- /dev/null
+++ b/vkpr/cert-manager/install/aws/src/utils/IAM-policy.json
@@ -0,0 +1,23 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": "route53:GetChange",
+ "Resource": "arn:aws:route53:::change/*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "route53:ChangeResourceRecordSets",
+ "route53:ListResourceRecordSets"
+ ],
+ "Resource": "arn:aws:route53:::hostedzone/*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": "route53:ListHostedZonesByName",
+ "Resource": "*"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/vkpr/cert-manager/install/aws/src/utils/cert-manager.yaml b/vkpr/cert-manager/install/aws/src/utils/cert-manager.yaml
new file mode 100644
index 00000000..453a5cf9
--- /dev/null
+++ b/vkpr/cert-manager/install/aws/src/utils/cert-manager.yaml
@@ -0,0 +1,7 @@
+installCRDs: false
+ingressShim:
+ defaultIssuerName: letsencrypt-staging
+ defaultIssuerKind: ClusterIssuer
+ defaultIssuerGroup: cert-manager.io
+prometheus:
+ enabled: false
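Review bot: In addTokenDNS the base64-encoded secret is assigned to a `local` variable, but the yq program reads it with `strenv(VKPR_INPUT_SECRET_KEY_BASE64)`, which looks at the environment of the `$VKPR_YQ` child process; a shell local that is not exported is not visible there, so `secret-access-key` is applied empty (or yq aborts, depending on its version) unless something sourced outside this hunk turns on allexport. The same line pipes `echo "$AWS_SECRET_KEY"` into base64, which encodes the trailing newline into the stored key and will make every Route53 call fail signature validation; `printf '%s'` avoids that. installIssuer splices the email, region, access key id and role ARN straight into the yq program text with `"'$VAR'"`, so a value containing a quote, `|` or whitespace breaks or rewrites the expression instead of being treated as data; exporting the variables and using `strenv()` there too keeps input and program separate. The `local VAR=$(...)` form also masks the exit status of `dirname`/`base64`, and the file declares `#!/bin/sh` while using `[[` and `local` (it is only ever sourced from the bash main.sh, so `#!/bin/bash` would document that). The two functions rewritten with these points, the rest of the hunk unchanged:
```shell
addTokenDNS() {
  local VKPR_CERT_TOKEN
  VKPR_CERT_TOKEN=$(dirname "$0")/utils/route53-secret.yaml
  # … unchanged: BASE64_ARGS detection and echoColor …
  # strenv() reads the environment of the yq process, so the variable must be exported;
  # printf keeps the trailing newline that echo would add out of the encoded key.
  export VKPR_INPUT_SECRET_KEY_BASE64
  VKPR_INPUT_SECRET_KEY_BASE64=$(printf '%s' "$AWS_SECRET_KEY" | base64 $BASE64_ARGS) || return 1
  $VKPR_YQ eval '.data.secret-access-key = strenv(VKPR_INPUT_SECRET_KEY_BASE64) |
    .data.secret-access-key style = "double"' "$VKPR_CERT_TOKEN" \
    | $VKPR_KUBECTL apply -f -
  # do not leave the encoded secret in the environment of later helm/kubectl calls
  unset VKPR_INPUT_SECRET_KEY_BASE64
}

installIssuer() {
  echoColor "yellow" "Installing Issuers and/or ClusterIssuers..."
  local VKPR_ISSUER_VALUES
  VKPR_ISSUER_VALUES=$(dirname "$0")/utils/issuers.yaml
  # Hand user input to yq as environment data instead of splicing it into the program text.
  export VKPR_ENV_INPUT_EMAIL="$VKPR_ENV_EMAIL" AWS_REGION AWS_ACCESS_KEY AWS_IAM_ROLE_ARN
  $VKPR_YQ eval '.spec.acme.email = strenv(VKPR_ENV_INPUT_EMAIL) |
    .spec.acme.solvers[0].dns01.route53.region = strenv(AWS_REGION) |
    .spec.acme.solvers[0].dns01.route53.accessKeyID = strenv(AWS_ACCESS_KEY) |
    .spec.acme.solvers[0].dns01.route53.role = strenv(AWS_IAM_ROLE_ARN)' "$VKPR_ISSUER_VALUES" \
    | $VKPR_KUBECTL apply -f -
}
```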
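Review bot: Nothing in this commit references IAM-policy.json — formula.sh never reads it and README.md is added empty — so a user has no way to learn that this is the Route53 permission set the supplied access key (or the role named in `aws_iam_role_arn`) must carry before the dns01 solver can work. JSON has no comment syntax, so the README should carry the explanation, roughly: "IAM-policy.json is the minimum Route53 policy for the credentials given to this formula; attach it to the IAM user behind the access key, or to the role in aws_iam_role_arn." The `arn:aws:route53:::hostedzone/*` resource on `route53:ChangeResourceRecordSets` grants record writes in every zone of the account; a user issuing certificates for a single zone can narrow it to that zone's ARN, which is worth stating in the same README paragraph.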
diff --git a/vkpr/cert-manager/install/aws/src/utils/issuers.yaml b/vkpr/cert-manager/install/aws/src/utils/issuers.yaml
new file mode 100644
index 00000000..241912cc
--- /dev/null
+++ b/vkpr/cert-manager/install/aws/src/utils/issuers.yaml
@@ -0,0 +1,43 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-staging
+ namespace: cert-manager
+spec:
+ acme:
+ email: user@example.com
+ server: https://acme-staging-v02.api.letsencrypt.org/directory
+ privateKeySecretRef:
+ name: letsencrypt-staging-key
+ solvers:
+ - selector: {}
+ dns01:
+ route53:
+ region:
+ accessKeyID:
+ secretAccessKeySecretRef:
+ name: route53-secret
+ key: secret-access-key
+ role:
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-prod
+ namespace: cert-manager
+spec:
+ acme:
+ email: user@example.com
+ server: https://acme-v02.api.letsencrypt.org/directory
+ privateKeySecretRef:
+ name: letsencrypt-production-key
+ solvers:
+ - selector: {}
+ dns01:
+ route53:
+ region:
+ accessKeyID:
+ secretAccessKeySecretRef:
+ name: route53-secret
+ key: secret-access-key
+ role:
diff --git a/vkpr/cert-manager/install/aws/src/utils/route53-secret.yaml b/vkpr/cert-manager/install/aws/src/utils/route53-secret.yaml
new file mode 100644
index 00000000..178bec31
--- /dev/null
+++ b/vkpr/cert-manager/install/aws/src/utils/route53-secret.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: route53-secret
+ namespace: cert-manager
+type: Opaque
+data:
+ secret-access-key:
diff --git a/vkpr/cert-manager/install/custom-acme/src/unix/formula/formula.sh b/vkpr/cert-manager/install/custom-acme/src/unix/formula/formula.sh
index 0cf54711..3af69769 100755
--- a/vkpr/cert-manager/install/custom-acme/src/unix/formula/formula.sh
+++ b/vkpr/cert-manager/install/custom-acme/src/unix/formula/formula.sh
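Review bot: Both ClusterIssuer documents in issuers.yaml set `metadata.namespace: cert-manager`, but ClusterIssuer is cluster-scoped, so that field should be ignored on apply; cert-manager resolves `secretAccessKeySecretRef` for a ClusterIssuer in its cluster-resource namespace (by default the namespace cert-manager itself runs in), which in this commit coincides with the `cert-manager` namespace that route53-secret.yaml uses — but not because of these lines. Dropping the two `namespace:` lines, or replacing them with a comment such as `# ClusterIssuer is cluster-scoped; the secret is looked up in cert-manager's cluster-resource namespace`, keeps the next reader from assuming the secret can be moved by editing this value.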
@@ -25,7 +25,7 @@ installCertManager() { -n cert-manager --create-namespace \ --version "$VKPR_CERT_VERSION" \ --wait \ - vkpr-cert-manager jetstack/cert-manager + cert-manager jetstack/cert-manager } installIssuer() {
diff --git a/vkpr/cert-manager/install/do/src/unix/formula/formula.sh b/vkpr/cert-manager/install/do/src/unix/formula/formula.sh
index ec0a18d1..ff0b85b5 100755
--- a/vkpr/cert-manager/install/do/src/unix/formula/formula.sh
+++ b/vkpr/cert-manager/install/do/src/unix/formula/formula.sh
@@ -31,7 +31,7 @@ installCertManager() { --set ingressShim.defaultIssuerName="$VKPR_ENV_CERT_ISSUER" \ --version "$VKPR_CERT_VERSION" \ --wait \ - vkpr-cert-manager jetstack/cert-manager + cert-manager jetstack/cert-manager }
diff --git a/vkpr/cert-manager/install/do/src/utils/cert-manager-custom-ca.yaml b/vkpr/cert-manager/install/do/src/utils/cert-manager-custom-ca.yaml
deleted file mode 100644
index ba0224c7..00000000
--- a/vkpr/cert-manager/install/do/src/utils/cert-manager-custom-ca.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-installCRDs: false
-ingressShim:
- defaultIssuerName: stepissuer
- defaultIssuerKind: ClusterIssuer
- defaultIssuerGroup: cert-manager.io
-prometheus:
- enabled: false
-volumes:
- - name: custom-ca
- secret:
- secretName: custom-ca-secret
-volumeMounts:
- - name: custom-ca
- mountPath: "/etc/ssl/certs"
- readOnly: true
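Review bot: Renaming the Helm release from `vkpr-cert-manager` to `cert-manager` in this hunk (and identically in the do formula hunk below) means `helm upgrade -i` on a cluster that already holds the old release will not upgrade it but try to create a second release in the same namespace; Helm 3 typically rejects that because the Deployment and other objects are already owned by `vkpr-cert-manager`, and if it did not, two copies of cert-manager would compete for the same CRDs. If the rename is intended, the formula needs a migration path or at least a pre-check such as `$VKPR_HELM status -n cert-manager vkpr-cert-manager >/dev/null 2>&1 && echoColor "red" "existing release vkpr-cert-manager found; uninstall it first"` before the upgrade, and the commit description should say why the release name changed. The enclosing installCertManager function starts outside the hunk.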