From d79da98ee702147af30add2bdea634bc8f1d9ff6 Mon Sep 17 00:00:00 2001 
From: Denis Prokhorchik Date: Sun, 19 Jun 2022 23:31:35 +0300 Subject: [PATCH 1/4] feat(issue-390): add deploy scripts for deploy with azure-cli --- .../azure-cli/aks/create-aks.sh | 33 ++++++ .../azure-cli/aks/delete-aks.sh | 29 +++++ .../azure-cli/check-deployment-tools.sh | 28 +++++ .../azure-cli/check-deployment-vars.sh | 9 ++ .../microsoft-azure/azure-cli/check-limits.sh | 2 + deploy/microsoft-azure/azure-cli/deploy.sh | 80 +++++++++++++ .../azure-cli/dns/create-dns-primary.sh | 36 ++++++ .../azure-cli/dns/create-dns.sh | 36 ++++++ .../azure-cli/dns/delete-dns-primary.sh | 26 +++++ .../azure-cli/dns/delete-dns.sh | 26 +++++ .../dns/install-external-dns-in-aks.sh | 106 ++++++++++++++++++ .../azure-cli/dns/set-config-dns-primary.sh | 78 +++++++++++++ .../azure-cli/dns/set-config-dns.sh | 84 ++++++++++++++ .../dns/uninstall-external-dns-in-aks.sh | 0 .../azure-cli/install-tools.sh | 1 + .../microsoft-azure/azure-cli/rc/create-rc.sh | 16 +++ .../microsoft-azure/azure-cli/rc/delete-rc.sh | 32 ++++++ .../azure-cli/tools/dashboard.sh | 5 + .../azure-cli/tools/install-prometheus.sh | 28 +++++ .../azure-cli/tools/install.sh | 25 +++++ .../azure-cli/tools/prometheus/values.yml | 18 +++ .../tools/promitor-scrape-config.yaml | 6 + .../azure-cli/tools/uninstall-prometheus.sh | 13 +++ .../azure-cli/vars/export-vars.sh | 29 +++++ 24 files changed, 746 insertions(+) create mode 100644 deploy/microsoft-azure/azure-cli/aks/create-aks.sh create mode 100644 deploy/microsoft-azure/azure-cli/aks/delete-aks.sh create mode 100644 deploy/microsoft-azure/azure-cli/check-deployment-tools.sh create mode 100644 deploy/microsoft-azure/azure-cli/check-deployment-vars.sh create mode 100644 deploy/microsoft-azure/azure-cli/check-limits.sh create mode 100644 deploy/microsoft-azure/azure-cli/deploy.sh create mode 100644 deploy/microsoft-azure/azure-cli/dns/create-dns-primary.sh create mode 100644 deploy/microsoft-azure/azure-cli/dns/create-dns.sh create mode 100644 
deploy/microsoft-azure/azure-cli/dns/delete-dns-primary.sh create mode 100644 deploy/microsoft-azure/azure-cli/dns/delete-dns.sh create mode 100644 deploy/microsoft-azure/azure-cli/dns/install-external-dns-in-aks.sh create mode 100644 deploy/microsoft-azure/azure-cli/dns/set-config-dns-primary.sh create mode 100644 deploy/microsoft-azure/azure-cli/dns/set-config-dns.sh create mode 100644 deploy/microsoft-azure/azure-cli/dns/uninstall-external-dns-in-aks.sh create mode 100644 deploy/microsoft-azure/azure-cli/install-tools.sh create mode 100644 deploy/microsoft-azure/azure-cli/rc/create-rc.sh create mode 100644 deploy/microsoft-azure/azure-cli/rc/delete-rc.sh create mode 100644 deploy/microsoft-azure/azure-cli/tools/dashboard.sh create mode 100644 deploy/microsoft-azure/azure-cli/tools/install-prometheus.sh create mode 100644 deploy/microsoft-azure/azure-cli/tools/install.sh create mode 100644 deploy/microsoft-azure/azure-cli/tools/prometheus/values.yml create mode 100644 deploy/microsoft-azure/azure-cli/tools/promitor-scrape-config.yaml create mode 100644 deploy/microsoft-azure/azure-cli/tools/uninstall-prometheus.sh create mode 100644 deploy/microsoft-azure/azure-cli/vars/export-vars.sh diff --git a/deploy/microsoft-azure/azure-cli/aks/create-aks.sh b/deploy/microsoft-azure/azure-cli/aks/create-aks.sh new file mode 100644 index 00000000..2d76f6d3 --- /dev/null +++ b/deploy/microsoft-azure/azure-cli/aks/create-aks.sh 
@@ -0,0 +1,33 @@
+#!/bin/bash
+echo "\r\n====> Create AKS in Microsoft Azure"
+echo "Running create-dns.sh script.."
+set -e
+
+LOCATION=${LOCATION}
+RG=${RG}
+NODECOUNT=${NODECOUNT-1}
+NODESIZE=${NODESIZE-Standard_F2s}
+
+echo "================================"
+echo "\$LOCATION: $LOCATION"
+echo "\$RG: $RG"
+echo "\$AKS_NAME: $AKS_NAME"
+echo "\$NODECOUNT: $NODECOUNT"
+echo "\$NODESIZE: $NODESIZE"
+echo "================================"
+
+az aks create \
+ --resource-group $RG \
+ --name $AKS_NAME \
+ --vm-set-type VirtualMachineScaleSets \
+ --node-count $NODECOUNT \
+ --load-balancer-sku standard \
+ --node-vm-size $NODESIZE \
+ --generate-ssh-keys \
+ --location $LOCATION
+
+az aks get-credentials \
+ --name $AKS_NAME \
+ --resource-group $RG
+
+echo "AKS is created: COMPLETED \r\n"
\ No newline at end of file
diff --git a/deploy/microsoft-azure/azure-cli/aks/delete-aks.sh b/deploy/microsoft-azure/azure-cli/aks/delete-aks.sh
new file mode 100644
index 00000000..a4dfb8d7
--- /dev/null
+++ b/deploy/microsoft-azure/azure-cli/aks/delete-aks.sh
@@ -0,0 +1,29 @@
+#!/bin/bash
+echo "\r\n====> DELETE AKS in Microsoft Azure"
+echo "Running delete-dns.sh script.."
+set -e
+
+LOCATION=${LOCATION}
+RG=${RG}
+NODECOUNT=${NODECOUNT-1}
+NODESIZE=${NODESIZE-Standard_F2s}
+
+echo "================================"
+echo "\$LOCATION: $LOCATION"
+echo "\$RG: $RG"
+echo "\$AKS_NAME: $AKS_NAME"
+echo "\$NODECOUNT: $NODECOUNT"
+echo "\$NODESIZE: $NODESIZE"
+echo "================================"
+
+# Verify if we want to proceed
+read -p "Are you sure you wish to delete an AKS Cluster [y/N]?"
+if [[ ! "$REPLY" =~ ^[Yy]$ ]]; then
+ exit
+fi
+
+az aks delete \
+ --resource-group $RG \
+ --name $AKS_NAME
+
+echo "AKS is deleted: COMPLETED \r\n"
\ No newline at end of file
diff --git a/deploy/microsoft-azure/azure-cli/check-deployment-tools.sh b/deploy/microsoft-azure/azure-cli/check-deployment-tools.sh
new file mode 100644
index 00000000..5af4e990
--- /dev/null
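Review bot: None of the values the `az aks create` call depends on are checked before use, so an unset `AKS_NAME` or `RG` reaches Azure as an empty argument and fails only after the banner has been printed; a guard such as `: "${RG:?RG is required}" "${AKS_NAME:?AKS_NAME is required}" "${LOCATION:?LOCATION is required}"` placed right after `set -e` fails fast with a clear message, and the `LOCATION=${LOCATION}` / `RG=${RG}` lines, which assign a variable to itself, can go. The same missing guard applies to delete-aks.sh, rc/create-rc.sh, rc/delete-rc.sh and the dns/create-dns*.sh and dns/delete-dns*.sh scripts. The expansions should also be quoted (`--resource-group "$RG"`, `--name "$AKS_NAME"`) so a value containing whitespace does not split into extra arguments. The `echo "\r\n====> …"` banners print a literal `\r\n` under bash's builtin echo; `printf '\n====> %s\n' "Create AKS in Microsoft Azure"` does what was intended, and "Running create-dns.sh script.." is a copy-paste leftover in this file.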
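Review bot: Declining the confirmation runs a bare `exit`, which returns status 0, so a caller that chains this script — deploy.sh's "Full uninstall" option runs delete-aks.sh, delete-dns.sh, delete-dns-primary.sh and delete-rc.sh in sequence — treats the refusal as success and continues with the next destructive step; use `exit 1` (or a dedicated status) in the `[y/N]` branch so the chain stops. rc/delete-rc.sh, dns/delete-dns.sh and dns/delete-dns-primary.sh have the same pattern. `read -p` should be `read -r -p` so a backslash in the answer is not interpreted. The `NODECOUNT`/`NODESIZE` assignments and their echoes are not used by the delete and look copied from create-aks.sh; dropping them keeps the confirmation screen to the values that matter.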
+++ b/deploy/microsoft-azure/azure-cli/check-deployment-tools.sh
@@ -0,0 +1,28 @@
+#!/bin/bash
+echo "\r\n====> Checking deployment tools"
+echo "Running check-deployment-tools.sh script.."
+set -e
+validateTools() {
+ command -v az 2&> /dev/null
+ if [ $? -ne 0 ]; then
+ echo "ERROR: Requires Azure CLI (az). Aborting..."
+ exit 1
+ fi
+ command -v az 2&> /dev/null
+ if [ $? -ne 0 ]; then
+ echo "ERROR: Requires Azure CLI (az). Aborting..."
+ exit 1
+ fi
+ command -v kubectl 2&> /dev/null
+ if [ $? -ne 0 ]; then
+ echo "ERROR: Requires Kubectl (kubectl). Aborting..."
+ exit 1
+ fi
+ command -v helm 2&> /dev/null
+ if [ $? -ne 0 ]; then
+ echo "ERROR: Requires Helm v3.1.2_1+ (helm). Aborting..."
+ exit 1
+ fi
+}
+validateTools
+echo "Tools for deploayment AKS: OK! \r\n"
\ No newline at end of file
diff --git a/deploy/microsoft-azure/azure-cli/check-deployment-vars.sh b/deploy/microsoft-azure/azure-cli/check-deployment-vars.sh
new file mode 100644
index 00000000..5841cf40
--- /dev/null
+++ b/deploy/microsoft-azure/azure-cli/check-deployment-vars.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+echo "\r\n====> Checking deployment variables"
+echo "Running check-deployment-tools.sh script.."
+set -e
+# validateVars() {
+
+# }
+# validateVars
+echo "Variables for deploayment AKS: VALID! \r\n"
diff --git a/deploy/microsoft-azure/azure-cli/check-limits.sh b/deploy/microsoft-azure/azure-cli/check-limits.sh
new file mode 100644
index 00000000..0b0ca2f5
--- /dev/null
+++ b/deploy/microsoft-azure/azure-cli/check-limits.sh
@@ -0,0 +1,2 @@
+# https://docs.microsoft.com/en-us/azure/azure-resource-manager/troubleshooting/error-sku-not-available?tabs=azure-cli
+az vm list-skus --location centralus --size Standard_D --all --output table
diff --git a/deploy/microsoft-azure/azure-cli/deploy.sh b/deploy/microsoft-azure/azure-cli/deploy.sh
new file mode 100644
index 00000000..109f2963
--- /dev/null
+++ b/deploy/microsoft-azure/azure-cli/deploy.sh
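Review bot: With `set -e` active, a missing tool makes `command -v az 2&> /dev/null` return non-zero and the shell exits on that line, so the following `if [ $? -ne 0 ]` branch and its "Requires Azure CLI" message are never reached; write each check as `if ! command -v az >/dev/null 2>&1; then` so the test runs inside the `if`, where `-e` does not apply. `2&>` is also not the redirection it looks like: the `2` is passed to `command -v` as a second name and only `&>` redirects, which is why the intended `2>/dev/null` is not happening. The `az` block is duplicated, and `jq` and `host`, which dns/install-external-dns-in-aks.sh calls, are not checked at all. The same four checks could be a loop over `az kubectl helm jq host` with one message template instead of four copies.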
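Review bot: `validateVars` is commented out, so this script prints "Variables for deploayment AKS: VALID!" without checking anything, and deploy.sh proceeds on that basis. The body can be one line per required variable, `: "${RG:?RG must be set}"`, repeated for `LOCATION`, `AKS_NAME`, `DOMAIN_NAME` and `DOMAIN_NAME_PRIMARY`; each exits non-zero with the message when the variable is unset or empty. The values only reach this script if vars/export-vars.sh was sourced into the calling shell rather than run as a separate `sh` process. The "Running check-deployment-tools.sh script.." line names the wrong file, and "deploayment" is misspelled in the final message (also in check-deployment-tools.sh).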
@@ -0,0 +1,80 @@ +#!/bin/bash +# Bash Menu Script Example +clear +echo "\r\nSearch tools for deployment" +sh check-deployment-tools.sh +sh vars/export-vars.sh +sh check-deployment-vars.sh +PS3='Please enter your choice: ' +options=( + "Create new Resource GROUP in Azure" + "Remove Azure Resource GROUP in Azure" + "Create new DNS in Azure" + "Remove Azure DNS in Azure" + "Create AKS cluster" + "Delete AKS cluster" + "Full install application in AKS cluster" + "Full uninstall application in AKS cluster" + "Install analize tools in AKS cluster" + "Create main DNS" + "Delete main DNS" + "Configure main DNS" + "Install cert-manager AKS cluster" + "Uninstall cert-manager AKS cluster" + "Create namespaces for Deployment" + "Delete namespaces for Deployment" + "Create external-dns for AKS" + "Install nginx controller with Public IP" + "Uninstall nginx controller with Public IP" + "Install test-app" + "Uninstall test-app" + "Quit") + +select opt in "${options[@]}" +do + case $opt in + "Create new Resource GROUP in Azure") + echo "you chose choice $REPLY which is '$opt'" + sh rc/create-rc.sh + ;; + "Remove Azure Resource GROUP in Azure") + echo "you chose choice $REPLY which is $opt" + sh rc/delete-rc.sh + ;; + "Create new DNS in Azure") + echo "you chose choice $REPLY which is '$opt'" + sh dns/create-dns.sh + ;; + "Remove Azure DNS in Azure") + echo "you chose choice $REPLY which is $opt" + sh dns/delete-dns.sh + ;; + "Create AKS cluster") + echo "you chose choice $REPLY which is $opt" + sh aks/create-aks.sh + ;; + "Delete AKS cluster") + echo "you chose choice $REPLY which is $opt" + ;; + "Full install application in AKS cluster") + echo "you chose choice $REPLY which is $opt" + sh rc/create-rc.sh + sh dns/create-dns.sh + sh dns/create-dns-primary.sh + sh aks/create-aks.sh + sh tools/install.sh + ;; + "Full uninstall application in AKS cluster") + echo "you chose choice $REPLY which is $opt" + sh aks/delete-aks.sh + sh dns/delete-dns.sh + sh dns/delete-dns-primary.sh + sh 
rc/delete-rc.sh + ;; + + "Quit") + break + ;; + *) echo "invalid option $REPLY";; + esac +done \ No newline at end of file diff --git a/deploy/microsoft-azure/azure-cli/dns/create-dns-primary.sh b/deploy/microsoft-azure/azure-cli/dns/create-dns-primary.sh new file mode 100644 index 00000000..1bc28767 --- /dev/null +++ b/deploy/microsoft-azure/azure-cli/dns/create-dns-primary.sh @@ -0,0 +1,36 @@ +#!/bin/bash +echo "\r\n====> Create DNS in Microsoft Azure" +echo "Running create-dns-primary.sh script.." +set -e + +LOCATION=${LOCATION} +RG=${RG} + +echo "================================" +echo "\$DOMAIN_NAME_PRIMARY: $DOMAIN_NAME_PRIMARY" +echo "\$RG: $RG" +echo "================================" + +# Verify if we want to proceed +read -p "Are you sure you want to create primary-dns [y/N]?" +if [[ ! "$REPLY" =~ ^[Yy]$ ]]; then + exit +fi + +# Create RG for DNS Zone. If one already exists +# return the id for it. +DNS_RG_ID=$( + az group create \ + --name $RG \ + --location $LOCATION \ + --query id -o tsv +) +# Create DNS Zone. If one already exists +# return id for it. +DNS_ZONE_ID=$( + az network dns zone create \ + -g $RG -n $DOMAIN_NAME_PRIMARY \ + --query id -o tsv +) + +echo "DNS is created: COMPLETED \r\n" \ No newline at end of file diff --git a/deploy/microsoft-azure/azure-cli/dns/create-dns.sh b/deploy/microsoft-azure/azure-cli/dns/create-dns.sh new file mode 100644 index 00000000..99832bb6 --- /dev/null +++ b/deploy/microsoft-azure/azure-cli/dns/create-dns.sh 
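Review bot: `sh vars/export-vars.sh` runs the exports in a child process, so `LOCATION`, `RG`, `AKS_NAME` and the rest are gone by the time check-deployment-vars.sh and the menu scripts run; it has to be sourced, `. vars/export-vars.sh`, for the variables to be inherited by the later `sh …` calls. Running the other scripts with `sh` also ignores their `#!/bin/bash` line: where `sh` is dash, the `[[ … ]]` tests and `read -p` in delete-aks.sh, delete-rc.sh and the dns scripts are errors, so call them as `bash aks/create-aks.sh` or mark them executable and run `./aks/create-aks.sh`. Every path is relative to the caller's working directory; a `cd "$(dirname "$0")"` at the top makes the menu work from anywhere. The "Delete AKS cluster" arm only echoes and never calls aks/delete-aks.sh, and thirteen of the listed options have no `case` arm at all, so selecting them prints "invalid option".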
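Review bot: This file and dns/create-dns.sh are the same script apart from the zone variable (`DOMAIN_NAME_PRIMARY` here, `DOMAIN_NAME` there), and dns/delete-dns-primary.sh, dns/delete-dns.sh, dns/set-config-dns-primary.sh and dns/set-config-dns.sh repeat the pairing; one script taking the zone as `$1` (`ZONE=${1:?zone name required}`) removes the duplication and the copy-paste drift already visible in the banners and "Running …" lines. `DNS_RG_ID` and `DNS_ZONE_ID` are captured but never read, so the `--query id -o tsv` work is wasted unless a later script consumes them. Creating the resource group again here overlaps with rc/create-rc.sh; if that is intentional for standalone use, a one-line comment saying so would help the next reader.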
@@ -0,0 +1,36 @@ +#!/bin/bash +echo "\r\n====> Create DNS in Microsoft Azure" +echo "Running create-dns.sh script.." +set -e + +LOCATION=${LOCATION} +RG=${RG} + +echo "================================" +echo "\$DOMAIN_NAME: $DOMAIN_NAME" +echo "\$RG: $RG" +echo "================================" + +# Verify if we want to proceed +read -p "Are you sure you want to create master-dns [y/N]?" +if [[ ! "$REPLY" =~ ^[Yy]$ ]]; then + exit +fi + +# Create RG for DNS Zone. If one already exists +# return the id for it. +DNS_RG_ID=$( + az group create \ + --name $RG \ + --location $LOCATION \ + --query id -o tsv +) +# Create DNS Zone. If one already exists +# return id for it. +DNS_ZONE_ID=$( + az network dns zone create \ + -g $RG -n $DOMAIN_NAME \ + --query id -o tsv +) + +echo "DNS is created: COMPLETED \r\n" \ No newline at end of file diff --git a/deploy/microsoft-azure/azure-cli/dns/delete-dns-primary.sh b/deploy/microsoft-azure/azure-cli/dns/delete-dns-primary.sh new file mode 100644 index 00000000..a9de68e2 --- /dev/null +++ b/deploy/microsoft-azure/azure-cli/dns/delete-dns-primary.sh @@ -0,0 +1,26 @@ +#!/bin/bash +echo "\r\n====> Create DNS in Microsoft Azure" +echo "Running delete-dns-primary.sh script.." +set -e + +LOCATION=${LOCATION} +RG=${RG} + +echo "================================" +echo "\$DOMAIN_NAME_PRIMARY: $DOMAIN_NAME_PRIMARY" +echo "\$RG: $RG" +echo "================================" + +# Verify if we want to proceed +read -p "Are you sure you want to delete primary-dns [y/N]?" +if [[ ! "$REPLY" =~ ^[Yy]$ ]]; then + exit +fi + +# Create DNS Zone. If one already exists +# return id for it. + az network dns zone delete \ + -g $RG -n $DOMAIN_NAME_PRIMARY \ + + +echo "DNS is created: COMPLETED \r\n" \ No newline at end of file diff --git a/deploy/microsoft-azure/azure-cli/dns/delete-dns.sh b/deploy/microsoft-azure/azure-cli/dns/delete-dns.sh new file mode 100644 index 00000000..02b1b904 --- /dev/null 
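Review bot: The banner says "Create DNS in Microsoft Azure" and the closing line says "DNS is created: COMPLETED" in a script that deletes a zone, which is exactly the kind of message that misleads an operator at a destructive `[y/N]` prompt; change them to `echo "====> Delete DNS in Microsoft Azure"` and `echo "DNS is deleted: COMPLETED"`. The `az network dns zone delete` command ends in a trailing `\` followed by empty lines, which only works because the next line happens to be blank; drop the continuation. Deleting a zone removes every record set in it, so the confirmation text should say so. dns/delete-dns.sh has the same three issues.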
+++ b/deploy/microsoft-azure/azure-cli/dns/delete-dns.sh @@ -0,0 +1,26 @@ +#!/bin/bash +echo "\r\n====> Create DNS in Microsoft Azure" +echo "Running delete-dns.sh script.." +set -e + +LOCATION=${LOCATION} +RG=${RG} + +echo "================================" +echo "\$DOMAIN_NAME: $DOMAIN_NAME" +echo "\$RG: $RG" +echo "================================" + +# Verify if we want to proceed +read -p "Are you sure you want to delete master-dns [y/N]?" +if [[ ! "$REPLY" =~ ^[Yy]$ ]]; then + exit +fi + +# Create DNS Zone. If one already exists +# return id for it. + az network dns zone delete \ + -g $RG -n $DOMAIN_NAME \ + + +echo "DNS is created: COMPLETED \r\n" \ No newline at end of file diff --git a/deploy/microsoft-azure/azure-cli/dns/install-external-dns-in-aks.sh b/deploy/microsoft-azure/azure-cli/dns/install-external-dns-in-aks.sh new file mode 100644 index 00000000..892c7d1c --- /dev/null +++ b/deploy/microsoft-azure/azure-cli/dns/install-external-dns-in-aks.sh 
@@ -0,0 +1,106 @@ +#!/bin/bash +echo "\r\n====> Set external DNS in Microsoft Azure" +echo "Running create-dns.sh script.." +set -e + +DNS_RG=${RG} +AZURE_CLOUD=${AZURE_CLOUD-AzureUSGovernmentCloud} +LOCATION=${LOCATION} +SP_NAME=${SP_NAME-AKS_DNS_SP_$RANDOM} +K8S_CONTEXT=$(kubectl config current-context) + +if [[ -z "$DOMAIN_NAME" || -z "$RG" ]]; then + echo "ERROR: Some Environment variables are missing!" + echo -e "ERROR: The following are required:\n" + echo " DNS_RG: Resource Group for DNS Zone" + echo " DOMAIN_NAME: Domain Name (ie. example.com)" + echo " LOCATION (optional): Azure region. Default is usgovvirginia" + echo " AZURE_CLOUD (optional): Selected Azure Cloud. " + echo " Default is AzureUSGovernmentCloud." + echo " Use 'AzurePublicCloud' for Commercial" + exit 1 +fi + +echo "DNS_RG: $DNS_RG" +echo "DOMAIN_NAME: $DOMAIN_NAME" +echo "LOCATION: $LOCATION" +echo "AZURE_CLOUD: $AZURE_CLOUD" +echo -e "K8S_CONTEXT: $K8S_CONTEXT" +echo "SP_NAME $SP_NAME\n" + +# Verify if we want to proceed +read -p "Are you sure you want to install external-dns [y/N]?" +if [[ ! "$REPLY" =~ ^[Yy]$ ]]; then + exit +fi + +# Create RG for DNS Zone. If one already exists +# return the id for it. +DNS_RG_ID=$( + az group create \ + --name $DNS_RG \ + --location $LOCATION \ + --query id -o tsv +) +# Create DNS Zone. If one already exists +# return id for it. 
+DNS_ZONE_ID=$( + az network dns zone create \ + -g $DNS_RG -n $DOMAIN_NAME \ + --query id -o tsv +) + +# # Create Service Principal +SP_TOKEN=$(az ad sp create-for-rbac -n $SP_NAME -o json) + +# Grab info from the Service Principal +SP_APPID=$(echo $SP_TOKEN | jq -e -r 'select(.appId != null) | .appId') +SP_TENANTID=$(echo $SP_TOKEN | jq -e -r 'select(.tenant != null) | .tenant') +SP_PASSWORD=$(echo $SP_TOKEN | jq -e -r 'select(.password != null) | .password') +SUBSCRIPTION_ID=$(az account show --query id -o tsv) + +# Assign Reader to SP for RG +az role assignment create \ + --role "Reader" \ + --assignee $SP_APPID \ + --scope $DNS_RG_ID 1>/dev/null + +# Assign Contributor to SP for DNSZone +az role assignment create \ + --role "Contributor" \ + --assignee $SP_APPID \ + --scope $DNS_ZONE_ID 1>/dev/null + +# Add bitnami repo for external-dns chart +helm repo add bitnami https://charts.bitnami.com/bitnami + +# Create namespace for external-dns +kubectl create namespace external-dns + +# Install external-dns chart +helm install external-dns bitnami/external-dns \ + --wait --namespace external-dns \ + --set provider=azure \ + --set azure.resourceGroup=AzureDNS \ + --set azure.tenantId=$SP_TENANTID \ + --set azure.subscriptionId=$SUBSCRIPTION_ID \ + --set azure.aadClientId=$SP_APPID \ + --set azure.aadClientSecret=$SP_PASSWORD \ + --set azure.cloud=$AZURE_CLOUD \ + --set policy=sync \ + --set domainFilters={$DOMAIN_NAME} + +echo "==================================================" +echo "Current DNS Nameservers for $DOMAIN_NAME" +host -t ns $DOMAIN_NAME + +echo "NOTE: ++++++++++++++++++++++++++++++++++++++++++++" +echo " Ensure your domain registrar is using" +echo " the following DNS nameservers for resolution" +echo " before continuing." +echo " +++++++++++++++++++++++++++++++++++++++++++++" +az network dns zone show \ + -g $DNS_RG -n $DOMAIN_NAME \ + -o tsv --query nameServers + +echo "Set external DNS is created: COMPLETED \r\n" 
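Review bot: The service principal's password is passed on the helm command line, `--set azure.aadClientSecret=$SP_PASSWORD`, where it is visible to every local user through `ps` and to anyone who turns on `set -x`; the bitnami chart can read the credentials from an existing Kubernetes Secret via `azure.secretName` instead, as sketched below (the azure.json key names should be confirmed against the chart version in use). Two lines above that, `--set azure.resourceGroup=AzureDNS` hard-codes a group name while the zone was just created in `$DNS_RG`, so external-dns will look in the wrong resource group unless the two happen to coincide. The `Contributor` assignment on the zone is broader than record management needs; the built-in `DNS Zone Contributor` role is the least-privilege choice there. The missing-variable message lists `DNS_RG` as required and says `LOCATION` defaults to usgovvirginia, but the check reads `$RG` and no default for `LOCATION` is set.
```shell
# … unchanged: service principal creation, jq extraction, role assignments, repo add, namespace …

# Keep the client secret out of argv: write the provider config to a Secret
# and let the chart mount it. Key names follow external-dns' azure.json
# format — confirm against the chart version in use.
AZURE_JSON=$(mktemp)
jq -n \
  --arg tenantId "$SP_TENANTID" --arg subscriptionId "$SUBSCRIPTION_ID" \
  --arg resourceGroup "$DNS_RG" --arg aadClientId "$SP_APPID" \
  --arg aadClientSecret "$SP_PASSWORD" --arg cloud "$AZURE_CLOUD" \
  '{tenantId:$tenantId, subscriptionId:$subscriptionId, resourceGroup:$resourceGroup, aadClientId:$aadClientId, aadClientSecret:$aadClientSecret, cloud:$cloud}' \
  > "$AZURE_JSON"
kubectl create secret generic external-dns-azure \
  --namespace external-dns --from-file=azure.json="$AZURE_JSON"
rm -f -- "$AZURE_JSON"

helm install external-dns bitnami/external-dns \
  --wait --namespace external-dns \
  --set provider=azure \
  --set azure.secretName=external-dns-azure \
  --set policy=sync \
  --set "domainFilters={$DOMAIN_NAME}"
# … unchanged: nameserver printout …
```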
diff --git a/deploy/microsoft-azure/azure-cli/dns/set-config-dns-primary.sh b/deploy/microsoft-azure/azure-cli/dns/set-config-dns-primary.sh new file mode 100644 index 00000000..0af3fd8f --- /dev/null +++ b/deploy/microsoft-azure/azure-cli/dns/set-config-dns-primary.sh 
@@ -0,0 +1,78 @@ +#!/bin/bash +echo "\r\n====> create DNS records in Microsoft Azure" +echo "Running create-primary-dns.sh script.." +set -e + +LOCATION=${LOCATION} +RG=${RG} +IP=10.10.10.10 + +echo "================================" +echo "\$DOMAIN_NAME_PRIMARY: $DOMAIN_NAME_PRIMARY" +echo "\$RG: $RG" +echo "\$IP: $IP" +echo "================================" + + +# Get the Resource Group of our AKS Cluster +AKS_CLUSTER_RG=$( + az aks show \ + --resource-group $RG \ + --name $AKS_NAME \ + --query nodeResourceGroup -o tsv +) +# Create a Public IP and get the id of the address. If one exists already +# in the RG with the same name. The existing IP will be returned. +PUBLIC_IP=$( + az network public-ip create \ + --resource-group $AKS_CLUSTER_RG \ + --name IP-PublicIP1 \ + --sku Standard \ + --allocation-method static \ + --query publicIp.ipAddress -o tsv +) +# set public IP +IP=$PUBLIC_IP + +#https://docs.microsoft.com/en-us/azure/dns/dns-getstarted-cli +DNS_NAME=$DOMAIN_NAME_PRIMARY +createRecord(){ + echo "create dnsRecord = $1.$DNS_NAME" + az network dns record-set a add-record -g $RG -z $DNS_NAME -n $1 -a $IP +} + +createDNSForRecordProductionAndStage(){ + stageName=.staging + stageDNS="$1$stageName" + createRecord $1 + createRecord $stageDNS +} + +createRecordSpecial(){ + IP_SP=$2 + echo "create dnsRecord = $1.$DNS_NAME" + az network dns record-set a add-record -g $RG -z $DNS_NAME -n $1 -a $IP_SP +} + +createDNSForRecordProductionAndStage "www" +createDNSForRecordProductionAndStage "slink" +createRecordSpecial "conf-free" "35.170.204.88" +createRecordSpecial "@" + +# # Get-AzDnsRecordSet -ZoneName $DOMAIN_NAME -ResourceGroupName $RG + +# # New-AzDnsRecordSet -Name www -RecordType A -ZoneName $DOMAIN_NAME -ResourceGroupName $RG -Ttl 3600 -DnsRecords (New-AzDnsRecordConfig -IPv4Address $IP) +# # # app.dns-name.com +# # New-AzDnsRecordSet -Name app -RecordType A -ZoneName $DOMAIN_NAME -ResourceGroupName $RG -Ttl 3600 -DnsRecords (New-AzDnsRecordConfig -IPv4Address 
"$IP") + +# # Run the following cmdlet to get the list of name servers for your zone: +# az network dns record-set ns show --resource-group $RG --zone-name $DOMAIN_NAME --name @ + +# # # app.dns-name.com +# # New-AzDnsRecordSet -Name identity -RecordType A -ZoneName $DOMAIN_NAME -ResourceGroupName $RG -Ttl 3600 -DnsRecords (New-AzDnsRecordConfig -IPv4Address "$IP") +# # Get-AzDnsRecordSet -ZoneName $DOMAIN_NAME -ResourceGroupName $RG +# az network dns record-set list -g $RG -z $DOMAIN_NAME + +# nslookup www.contoso.xyz +# nslookup www.contoso.xyz ns1-08.azure-dns.com. +echo "DNS records is created: COMPLETED \r\n" \ No newline at end of file diff --git a/deploy/microsoft-azure/azure-cli/dns/set-config-dns.sh b/deploy/microsoft-azure/azure-cli/dns/set-config-dns.sh new file mode 100644 index 00000000..89ef3149 --- /dev/null +++ b/deploy/microsoft-azure/azure-cli/dns/set-config-dns.sh 
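Review bot: `createRecordSpecial "@"` is called with no second argument, so `IP_SP=$2` is empty, the unquoted `-a $IP_SP` collapses to a bare `-a` with no value and the `az network dns record-set a add-record` call fails under `set -e` before the closing message; either pass `"$IP"` explicitly or default inside the function with `IP_SP=${2:-$IP}`. The `IP=10.10.10.10` placeholder (and `IP=20.62.222.36` in dns/set-config-dns.sh) is echoed in the banner and then unconditionally overwritten by `PUBLIC_IP`, so the value shown to the operator is never the one used; drop the placeholder and print `$IP` after the public-ip lookup. `createRecord $1` and `createRecord $stageDNS` should quote their arguments, and `stageName`, `stageDNS` and `IP_SP` leak as globals for want of `local`. The hard-coded `35.170.204.88` for `conf-free` belongs in vars/export-vars.sh with the other environment values rather than inside the procedure.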
@@ -0,0 +1,84 @@ +#!/bin/bash +echo "\r\n====> create DNS records in Microsoft Azure" +echo "Running create-dns.sh script.." +set -e + +LOCATION=${LOCATION} +RG=${RG} +IP=20.62.222.36 + +echo "================================" +echo "\$DOMAIN_NAME: $DOMAIN_NAME" +echo "\$RG: $RG" +echo "\$IP: $IP" +echo "================================" + +# Get the Resource Group of our AKS Cluster +AKS_CLUSTER_RG=$( + az aks show \ + --resource-group $RG \ + --name $AKS_NAME \ + --query nodeResourceGroup -o tsv +) +# Create a Public IP and get the id of the address. If one exists already +# in the RG with the same name. The existing IP will be returned. +PUBLIC_IP=$( + az network public-ip create \ + --resource-group $AKS_CLUSTER_RG \ + --name IP-PublicIP1 \ + --sku Standard \ + --allocation-method static \ + --query publicIp.ipAddress -o tsv +) +# set public IP +IP=$PUBLIC_IP + + +#https://docs.microsoft.com/en-us/azure/dns/dns-getstarted-cli + +createRecord(){ + echo "create dnsRecord = $1.$DOMAIN_NAME" + # az network dns record-set a delete -g $RG -z $DOMAIN_NAME -n $1 + az network dns record-set a add-record -g $RG -z $DOMAIN_NAME -n $1 -a $IP +} + +createDNSForRecordProductionAndStage(){ + stageName=.staging + stageDNS="$1$stageName" + createRecord $1 + createRecord $stageDNS +} + +createRecord "@" # added new fix +createDNSForRecordProductionAndStage "nginx" #for test +createDNSForRecordProductionAndStage "test-app" +createDNSForRecordProductionAndStage "www" +createDNSForRecordProductionAndStage "app" +createDNSForRecordProductionAndStage "identity" +createDNSForRecordProductionAndStage "pfr-community" +createDNSForRecordProductionAndStage "media-api" +createDNSForRecordProductionAndStage "services-api" +createDNSForRecordProductionAndStage "certificate-api" +createDNSForRecordProductionAndStage "shortlink-api" +createDNSForRecordProductionAndStage "chat-api" +createDNSForRecordProductionAndStage "notification-api" +createDNSForRecordProductionAndStage "subscribe-api" 
+createDNSForRecordProductionAndStage "timeline-api" + +# # Get-AzDnsRecordSet -ZoneName $DOMAIN_NAME -ResourceGroupName $RG + +# # New-AzDnsRecordSet -Name www -RecordType A -ZoneName $DOMAIN_NAME -ResourceGroupName $RG -Ttl 3600 -DnsRecords (New-AzDnsRecordConfig -IPv4Address $IP) +# # # app.dns-name.com +# # New-AzDnsRecordSet -Name app -RecordType A -ZoneName $DOMAIN_NAME -ResourceGroupName $RG -Ttl 3600 -DnsRecords (New-AzDnsRecordConfig -IPv4Address "$IP") + +# # Run the following cmdlet to get the list of name servers for your zone: +# az network dns record-set ns show --resource-group $RG --zone-name $DOMAIN_NAME --name @ + +# # # app.dns-name.com +# # New-AzDnsRecordSet -Name identity -RecordType A -ZoneName $DOMAIN_NAME -ResourceGroupName $RG -Ttl 3600 -DnsRecords (New-AzDnsRecordConfig -IPv4Address "$IP") +# # Get-AzDnsRecordSet -ZoneName $DOMAIN_NAME -ResourceGroupName $RG +# az network dns record-set list -g $RG -z $DOMAIN_NAME + +# nslookup www.contoso.xyz +# nslookup www.contoso.xyz ns1-08.azure-dns.com. +echo "DNS records is created: COMPLETED \r\n" \ No newline at end of file diff --git a/deploy/microsoft-azure/azure-cli/dns/uninstall-external-dns-in-aks.sh b/deploy/microsoft-azure/azure-cli/dns/uninstall-external-dns-in-aks.sh new file mode 100644 index 00000000..e69de29b diff --git a/deploy/microsoft-azure/azure-cli/install-tools.sh b/deploy/microsoft-azure/azure-cli/install-tools.sh new file mode 100644 index 00000000..66a84b4a --- /dev/null +++ b/deploy/microsoft-azure/azure-cli/install-tools.sh @@ -0,0 +1 @@ +brew update && brew install azure-cli \ No newline at end of file diff --git a/deploy/microsoft-azure/azure-cli/rc/create-rc.sh b/deploy/microsoft-azure/azure-cli/rc/create-rc.sh new file mode 100644 index 00000000..f6074029 --- /dev/null +++ b/deploy/microsoft-azure/azure-cli/rc/create-rc.sh 
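Review bot: This installs only `azure-cli`, while check-deployment-tools.sh refuses to run without `kubectl` and `helm`, and dns/install-external-dns-in-aks.sh also calls `jq` and `host`; adding `kubectl helm jq` to the `brew install` line (or a comment listing what must be installed by other means) keeps the two scripts consistent. The file has no shebang and is Homebrew-specific, which is worth stating in a header comment so Linux users do not expect it to work. dns/uninstall-external-dns-in-aks.sh, added in the same commit, is empty; a `# TODO` line inside it would make that deliberate rather than an accident.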
@@ -0,0 +1,16 @@
+#!/bin/bash
+echo "\r\n====> Create Resource Groups in Microsoft Azure"
+echo "Running create-rs.sh script.."
+set -e
+
+LOCATION=${LOCATION}
+RG=${RG}
+
+echo "================================"
+echo "\$LOCATION: $LOCATION"
+echo "\$RG: $RG"
+echo "================================"
+
+az group create -l $LOCATION -n $RG
+
+echo "Resource Groups is created: COMPLETED \r\n"
\ No newline at end of file
diff --git a/deploy/microsoft-azure/azure-cli/rc/delete-rc.sh b/deploy/microsoft-azure/azure-cli/rc/delete-rc.sh
new file mode 100644
index 00000000..7b7a04fc
--- /dev/null
+++ b/deploy/microsoft-azure/azure-cli/rc/delete-rc.sh
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+
+# TRY THIS:
+# az group delete --resource-group MyResourceGroup
+# Delete a resource group.
+
+# az group create --location westus --resource-group MyResourceGroup
+# Create a new resource group in the West US region.
+
+# az group list --query "[?location=='westus']"
+# List all resource groups located in the West US region.
+
+echo "\r\n====> Delete Resource Groups in Microsoft Azure"
+echo "Running delete-rs.sh script.."
+set -e
+
+echo "================================"
+echo "\$LOCATION: $LOCATION"
+echo "\$RG: $RG"
+echo "================================"
+
+# az group list --query "[?location=='$LOCATION']"
+
+# Verify if we want to proceed
+read -p "Are you sure you wish to delete an Resource Groups [y/N]?"
+if [[ ! "$REPLY" =~ ^[Yy]$ ]]; then
+ exit
+fi
+
+az group delete --resource-group $RG
+echo "Resource Groups is deleted: COMPLETED \r\n"
\ No newline at end of file
diff --git a/deploy/microsoft-azure/azure-cli/tools/dashboard.sh b/deploy/microsoft-azure/azure-cli/tools/dashboard.sh
new file mode 100644
index 00000000..3ec181e4
--- /dev/null
+++ b/deploy/microsoft-azure/azure-cli/tools/dashboard.sh
@@ -0,0 +1,5 @@ + + +# create proxy AKS +kubectl proxy +http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/. \ No newline at end of file diff --git a/deploy/microsoft-azure/azure-cli/tools/install-prometheus.sh b/deploy/microsoft-azure/azure-cli/tools/install-prometheus.sh new file mode 100644 index 00000000..bc041a3d --- /dev/null +++ b/deploy/microsoft-azure/azure-cli/tools/install-prometheus.sh @@ -0,0 +1,28 @@ + +helm repo add stable https://charts.helm.sh/stable +helm repo update + + +# # If using helm for the first time, add the stable repo +# helm repo add stable https://kubernetes-charts.storage.googleapis.com/ + +kubectl create namespace monitoring +# kubectl create ns monitoring +helm install prometheus stable/prometheus-operator --namespace monitoring +# Check pods +kubectl --namespace monitoring get pods + + + +# helm install promitor-agent-scraper promitor/promitor-agent-scraper \ +# --values your/path/to/metric-declaration.yaml + +# cat > promitor-scrape-config.yaml < Install Analize Tools in AKS" +echo "Running tools.sh script.." +set -e + +echo "\$AKS_NAME: $AKS_NAME" +echo "\$RG: $RG" + +kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0/aio/deploy/recommended.yaml +kubectl cluster-info + +# Go to Cluster page in browser +# az aks browse --resource-group $RG --name $AKS_NAME + +# create auto(dont't running it) +# echo "create service account for UI dashboard" +# kubectl create clusterrolebinding kubernetes-dashboard --clusterrole=cluster-admin --serviceaccount=kube-system:kubernetes-dashboard + +# Set the admin kubeconfig with az aks get-credentials -a --resource-group --name +# Select Kubeconfig and click Choose kubeconfig file to open file selector +# Select your kubeconfig file (defaults to $HOME/.kube/config) +# Click Sign In +az aks get-credentials -a --resource-group $RG --name $AKS_NAME + +echo "tools is installed: COMPLETED \r\n" \ No newline at end of file 
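Review bot: The last line, `http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/.`, is not a comment, so bash would try to execute the URL as a command, and because `kubectl proxy` blocks it would only be reached once the proxy is stopped. Prefix it with `# open in a browser:` and add a shebang so the file's intent as a runnable helper is clear.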
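Review bot: The `stable` repository at charts.helm.sh/stable is an archive and `stable/prometheus-operator` is its deprecated chart, so this install pulls unmaintained manifests and CRDs into the cluster; the maintained successor is `kube-prometheus-stack` in the `prometheus-community` repository. The `tools/prometheus/values.yml` added in this same commit is never passed to `helm install`, so its kubelet/master-component settings have no effect; add `--values prometheus/values.yml` to the install line. `kubectl create namespace monitoring` errors on a second run because the namespace exists; `kubectl create namespace monitoring --dry-run=client -o yaml | kubectl apply -f -` is the idempotent form. The promitor heredoc at the end of this hunk is cut off in this rendering of the patch and could not be reviewed.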
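Review bot: `az aks get-credentials -a --resource-group $RG --name $AKS_NAME` writes the cluster-admin credential into the operator's kubeconfig, a credential that is not scoped by the cluster's RBAC and is not attributable to a person in audit logs; the non-admin form that aks/create-aks.sh already runs is the least-privilege choice, and the admin credential should be fetched only when the dashboard sign-in described in the comments genuinely needs it, with a comment saying so. The commented-out `clusterrolebinding … --clusterrole=cluster-admin` for the dashboard service account is rightly disabled; a short comment on why ("grants the dashboard full cluster control") would stop the next reader from re-enabling it. The `\r\n` banner issue noted on create-aks.sh applies here too. This file's diff header is lost in the rendering of the patch on this page, so its first lines could not be checked.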
diff --git a/deploy/microsoft-azure/azure-cli/tools/prometheus/values.yml b/deploy/microsoft-azure/azure-cli/tools/prometheus/values.yml new file mode 100644 index 00000000..648a140e --- /dev/null +++ b/deploy/microsoft-azure/azure-cli/tools/prometheus/values.yml @@ -0,0 +1,18 @@ +--- +# Forcing Kubelet metrics scraping on http +kubelet: + enabled: true +serviceMonitor: + https: false +# Disabling scraping of Master Nodes Components +kubeControllerManager: + enabled: false +kubeScheduler: + enabled: false +kubeEtcd: + enabled: false +kubeProxy: + enabled: false +# Optional: Disable Grafana if you have your own deployment +grafana: + enabled: false \ No newline at end of file diff --git a/deploy/microsoft-azure/azure-cli/tools/promitor-scrape-config.yaml b/deploy/microsoft-azure/azure-cli/tools/promitor-scrape-config.yaml new file mode 100644 index 00000000..21bf2db1 --- /dev/null +++ b/deploy/microsoft-azure/azure-cli/tools/promitor-scrape-config.yaml @@ -0,0 +1,6 @@ +extraScrapeConfigs: | + - job_name: promitor-agent-scraper + metrics_path: /metrics + static_configs: + - targets: + - promitor-agent-scraper.default.svc.cluster.local:80 diff --git a/deploy/microsoft-azure/azure-cli/tools/uninstall-prometheus.sh b/deploy/microsoft-azure/azure-cli/tools/uninstall-prometheus.sh new file mode 100644 index 00000000..ff6045ae --- /dev/null +++ b/deploy/microsoft-azure/azure-cli/tools/uninstall-prometheus.sh 
@@ -0,0 +1,13 @@
+# Uninstall/delete the prometheus deployment:
+helm delete --namespace monitoring prometheus
+
+# CRDs created by this chart are not removed by default and should be manually cleaned up
+kubectl delete crd prometheuses.monitoring.coreos.com
+kubectl delete crd prometheusrules.monitoring.coreos.com
+kubectl delete crd servicemonitors.monitoring.coreos.com
+kubectl delete crd podmonitors.monitoring.coreos.com
+kubectl delete crd alertmanagers.monitoring.coreos.com
+kubectl delete crd thanosrulers.monitoring.coreos.com
+
+# Finally, delete the namespace
+kubectl delete namespace monitoring --cascade=true
\ No newline at end of file
diff --git a/deploy/microsoft-azure/azure-cli/vars/export-vars.sh b/deploy/microsoft-azure/azure-cli/vars/export-vars.sh
new file mode 100644
index 00000000..fe67bca6
--- /dev/null
+++ b/deploy/microsoft-azure/azure-cli/vars/export-vars.sh
@@ -0,0 +1,29 @@
+#!/bin/bash
+echo "\r\n====> Exporting vars for local machine"
+echo "Running export-vars.sh script.."
+echo "================================================"
+export LOCATION=centralus
+export RG=products-group #new version products-group | old version o2bionics-group
+export DOMAIN_NAME=o2bus.com
+export DOMAIN_NAME_PRIMARY=pfr-centr.com
+
+export AKS_NAME=o2nextgen-aks #new version o2nextgen-aks | old version o2-aks
+export NODECOUNT=1
+export NODESIZE=Standard_D4as_v5 # Standard_F2s | Standard_D4s_v4 | Standard_DS2_v2 | Standard_B2s
+
+export LETS_ENCRYPT_EMAIL=live-dev@hotmail.com
+
+
+echo "\$LOCATION | $LOCATION"
+echo "\$RG | $RG"
+
+echo "\$DOMAIN_NAME | $DOMAIN_NAME"
+
+echo "\$AKS_NAME: $AKS_NAME"
+echo "\$NODECOUNT: $NODECOUNT"
+echo "\$NODESIZE: $NODESIZE"
+
+echo "\$LETS_ENCRYPT_EMAIL: $LETS_ENCRYPT_EMAIL"
+
+echo "================================================"
+echo "Export vars: COMPLETED \r\n"
From 95f3103626837afa0ed87708a6c6bb1679e5c4d1 Mon Sep 17 00:00:00 2001
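Review bot: The six `kubectl delete crd ...monitoring.coreos.com` lines remove cluster-scoped definitions, which cascades into deleting every Prometheus, ServiceMonitor, PodMonitor, Alertmanager and rule object in all namespaces, not just the `prometheus` release in `monitoring`; a comment above them such as `# cluster-wide: removes all monitoring.coreos.com objects in every namespace, skip if another operator shares these CRDs` should make that explicit. `--cascade=true` on the final delete is the deprecated boolean form; `--cascade=background` is the current spelling. The file has no shebang and no `set -e`, so a failed `helm delete` still falls through to the CRD deletion.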
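Review bot: `echo "\r\n====> Exporting vars for local machine"` and `echo "Export vars: COMPLETED \r\n"` print the backslash sequences literally under bash's builtin echo (no `-e`), so the banners come out as `\r\n====>`; `printf '\n====> %s\n' "Exporting vars for local machine"` gives the intended line break. Because the file only `export`s variables, it must be sourced (`. vars/export-vars.sh`) rather than executed, otherwise the values never reach the caller's shell; a header comment stating that would prevent a silent no-op. The ACME contact `LETS_ENCRYPT_EMAIL=live-dev@hotmail.com` and the production domain names are committed as plain literals; reading them from the environment with `${LETS_ENCRYPT_EMAIL:?must be set}` keeps tenant-specific data out of the repository.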
From: Denis Prokhorchik Date: Sun, 19 Jun 2022 23:50:09 +0300 Subject: [PATCH 2/4] feat(issue-390): update scripts for deploy in azure --- .../azure-cli/blob/create-blob.sh | 36 + .../azure-cli/blob/delete-blob.sh | 13 + .../azure-cli/cert-manager/00-crds.yaml | 5544 +++++++++++++++++ .../azure-cli/cert-manager/install-tls.sh | 91 + .../azure-cli/cert-manager/tls-issuer.sh | 53 + .../azure-cli/cert-manager/uninstall-tls.sh | 13 + deploy/microsoft-azure/azure-cli/deploy.sh | 68 +- .../azure-cli/helm/test-app/.helmignore | 23 + .../azure-cli/helm/test-app/Chart.yaml | 24 + .../helm/test-app/templates/NOTES.txt | 22 + .../helm/test-app/templates/_helpers.tpl | 62 + .../helm/test-app/templates/deployment.yaml | 61 + .../helm/test-app/templates/hpa.yaml | 28 + .../helm/test-app/templates/ingress.yaml | 61 + .../helm/test-app/templates/service.yaml | 15 + .../test-app/templates/serviceaccount.yaml | 12 + .../templates/tests/test-connection.yaml | 15 + .../azure-cli/helm/test-app/values.yaml | 84 + .../helm/o2-sql-data/.helmignore | 23 + .../helm/o2-sql-data/Chart.yaml | 23 + .../helm/o2-sql-data/templates/NOTES.txt | 21 + .../helm/o2-sql-data/templates/_helpers.tpl | 51 + .../o2-sql-data/templates/deployment.yaml | 83 + .../helm/o2-sql-data/templates/ingress.yaml | 54 + .../helm/o2-sql-data/templates/service.yaml | 15 + .../helm/o2-sql-data/values.yaml | 33 + .../azure-cli/nginx/install-nginx.sh | 71 + .../azure-cli/nginx/nginx-staging.yaml | 58 + .../azure-cli/nginx/nginx.yaml | 58 + .../microsoft-azure/azure-cli/ns/create-ns.sh | 12 + .../microsoft-azure/azure-cli/ns/delete-ns.sh | 0 31 files changed, 6726 insertions(+), 1 deletion(-) create mode 100644 deploy/microsoft-azure/azure-cli/blob/create-blob.sh create mode 100644 deploy/microsoft-azure/azure-cli/blob/delete-blob.sh create mode 100644 deploy/microsoft-azure/azure-cli/cert-manager/00-crds.yaml create mode 100644 deploy/microsoft-azure/azure-cli/cert-manager/install-tls.sh create mode 100644 
deploy/microsoft-azure/azure-cli/cert-manager/tls-issuer.sh create mode 100644 deploy/microsoft-azure/azure-cli/cert-manager/uninstall-tls.sh create mode 100644 deploy/microsoft-azure/azure-cli/helm/test-app/.helmignore create mode 100644 deploy/microsoft-azure/azure-cli/helm/test-app/Chart.yaml create mode 100644 deploy/microsoft-azure/azure-cli/helm/test-app/templates/NOTES.txt create mode 100644 deploy/microsoft-azure/azure-cli/helm/test-app/templates/_helpers.tpl create mode 100644 deploy/microsoft-azure/azure-cli/helm/test-app/templates/deployment.yaml create mode 100644 deploy/microsoft-azure/azure-cli/helm/test-app/templates/hpa.yaml create mode 100644 deploy/microsoft-azure/azure-cli/helm/test-app/templates/ingress.yaml create mode 100644 deploy/microsoft-azure/azure-cli/helm/test-app/templates/service.yaml create mode 100644 deploy/microsoft-azure/azure-cli/helm/test-app/templates/serviceaccount.yaml create mode 100644 deploy/microsoft-azure/azure-cli/helm/test-app/templates/tests/test-connection.yaml create mode 100644 deploy/microsoft-azure/azure-cli/helm/test-app/values.yaml create mode 100644 deploy/microsoft-azure/azure-cli/infrastructure/helm/o2-sql-data/.helmignore create mode 100644 deploy/microsoft-azure/azure-cli/infrastructure/helm/o2-sql-data/Chart.yaml create mode 100644 deploy/microsoft-azure/azure-cli/infrastructure/helm/o2-sql-data/templates/NOTES.txt create mode 100644 deploy/microsoft-azure/azure-cli/infrastructure/helm/o2-sql-data/templates/_helpers.tpl create mode 100644 deploy/microsoft-azure/azure-cli/infrastructure/helm/o2-sql-data/templates/deployment.yaml create mode 100644 deploy/microsoft-azure/azure-cli/infrastructure/helm/o2-sql-data/templates/ingress.yaml create mode 100644 deploy/microsoft-azure/azure-cli/infrastructure/helm/o2-sql-data/templates/service.yaml create mode 100644 deploy/microsoft-azure/azure-cli/infrastructure/helm/o2-sql-data/values.yaml create mode 100644 
deploy/microsoft-azure/azure-cli/nginx/install-nginx.sh create mode 100644 deploy/microsoft-azure/azure-cli/nginx/nginx-staging.yaml create mode 100644 deploy/microsoft-azure/azure-cli/nginx/nginx.yaml create mode 100644 deploy/microsoft-azure/azure-cli/ns/create-ns.sh create mode 100644 deploy/microsoft-azure/azure-cli/ns/delete-ns.sh
diff --git a/deploy/microsoft-azure/azure-cli/blob/create-blob.sh b/deploy/microsoft-azure/azure-cli/blob/create-blob.sh
new file mode 100644
index 00000000..d6edb76d
--- /dev/null
+++ b/deploy/microsoft-azure/azure-cli/blob/create-blob.sh
@@ -0,0 +1,36 @@
+#!/bin/bash
+echo "\r\n====> Create BLOB Stogare in Microsoft Azure"
+echo "Running create-blob.sh script.."
+# https://markheath.net/post/manage-blob-storage-azure-cli
+set -e
+
+LOCATION=${LOCATION}
+RG=${RG}
+
+echo "================================"
+echo "\$DOMAIN_NAME: $DOMAIN_NAME"
+echo "\$RG: $RG"
+echo "================================"
+
+
+storageAccount="o2nextgen"
+
+# create our resource group
+az group create -n $RG -l $LOCATION
+
+# create a storage account
+az storage account create -n $storageAccount -g $RG -l $LOCATION --sku Standard_LRS
+
+# az storage container create -n o2-storage --resource-group $RG --public-access blob
+# az storage container delete --name o2-storage
+# az ad signed-in-user show --query objectId -o tsv | az role assignment create \
+# --role "Storage Blob Data Contributor" \
+# --assignee @- \
+# --scope "/subscriptions//resourceGroups/$RG/providers/Microsoft.Storage/storageAccounts/"
+
+# az storage container create \
+# --account-name "" \
+# --name \
+# --auth-mode login
+
+echo "Created BLOB Storage: COMPLETED \r\n"
\ No newline at end of file
diff --git a/deploy/microsoft-azure/azure-cli/blob/delete-blob.sh b/deploy/microsoft-azure/azure-cli/blob/delete-blob.sh
new file mode 100644
index 00000000..8f8059f9
--- /dev/null
+++ b/deploy/microsoft-azure/azure-cli/blob/delete-blob.sh
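Review bot: `az storage account create -n $storageAccount -g $RG -l $LOCATION --sku Standard_LRS` leaves anonymous blob access, minimum TLS version and HTTPS-only at the service defaults; add `--allow-blob-public-access false --min-tls-version TLS1_2 --https-only true` so the account is hardened before any container is created. `storageAccount="o2nextgen"` is a hardcoded globally-unique name, so the script fails for anyone else running it; derive it from the environment (`storageAccount=${STORAGE_ACCOUNT:-o2nextgen}`) and quote every expansion (`-g "$RG" -l "$LOCATION"`). The `LOCATION=${LOCATION}` and `RG=${RG}` lines are no-ops; `: "${LOCATION:?}"` and `: "${RG:?}"` would actually enforce that they are set before `az group create` runs. The banner echoes `$DOMAIN_NAME`, which this script never uses, while `$LOCATION` is not printed.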
@@ -0,0 +1,13 @@
+#!/bin/bash
+echo "\r\n====> Delete BLOB Storage in Microsoft Azure"
+echo "Running delete-blob.sh script.."
+set -e
+
+echo "================================"
+echo "\$DOMAIN_NAME: $DOMAIN_NAME"
+echo "\$RG: $RG"
+echo "================================"
+
+az storage container delete --name o2-storage
+
+echo "Deleted BLOB Storage: COMPLETED \r\n"
\ No newline at end of file
diff --git a/deploy/microsoft-azure/azure-cli/cert-manager/00-crds.yaml b/deploy/microsoft-azure/azure-cli/cert-manager/00-crds.yaml
new file mode 100644
index 00000000..25688c49
--- /dev/null
+++ b/deploy/microsoft-azure/azure-cli/cert-manager/00-crds.yaml
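Review bot: `az storage container delete --name o2-storage` names no storage account (no `--account-name`, no `--auth-mode`), so it depends on `AZURE_STORAGE_ACCOUNT` or a connection string in the environment that none of these scripts sets, and it deletes a container while create-blob.sh creates the `o2nextgen` account and the resource group — the two scripts are not inverses. Either mirror the create side with `az storage account delete -n "$storageAccount" -g "${RG:?}" --yes`, or pass `--account-name "$storageAccount" --auth-mode login` to the container delete; in both cases the `:?` guard stops the destructive call from running against an empty group. The banner prints `$DOMAIN_NAME`, which is not used here.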
@@ -0,0 +1,5544 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: certificaterequests.cert-manager.io +spec: + additionalPrinterColumns: + - JSONPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - JSONPath: .spec.issuerRef.name + name: Issuer + priority: 1 + type: string + - JSONPath: .status.conditions[?(@.type=="Ready")].message + name: Status + priority: 1 + type: string + - JSONPath: .metadata.creationTimestamp + description: CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. + name: Age + type: date + group: cert-manager.io + preserveUnknownFields: false + names: + kind: CertificateRequest + listKind: CertificateRequestList + plural: certificaterequests + shortNames: + - cr + - crs + singular: certificaterequest + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + description: CertificateRequest is a type to represent a Certificate Signing + Request + type: object + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: CertificateRequestSpec defines the desired state of CertificateRequest + type: object + required: + - csr + - issuerRef + properties: + csr: + description: Byte slice containing the PEM encoded CertificateSigningRequest + type: string + format: byte + duration: + description: Requested certificate default Duration + type: string + isCA: + description: IsCA will mark the resulting certificate as valid for signing. + This implies that the 'cert sign' usage is set + type: boolean + issuerRef: + description: IssuerRef is a reference to the issuer for this CertificateRequest. If + the 'kind' field is not set, or set to 'Issuer', an Issuer resource + with the given name in the same namespace as the CertificateRequest + will be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer + with the provided name will be used. The 'name' field in this stanza + is required at all times. The group field refers to the API group + of the issuer which defaults to 'cert-manager.io' if empty. + type: object + required: + - name + properties: + group: + type: string + kind: + type: string + name: + type: string + usages: + description: Usages is the set of x509 actions that are enabled for + a given key. Defaults are ('digital signature', 'key encipherment') + if empty + type: array + items: + description: 'KeyUsage specifies valid usage contexts for keys. 
See: + https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 + Valid KeyUsage values are as follows: "signing", "digital signature", + "content commitment", "key encipherment", "key agreement", "data + encipherment", "cert sign", "crl sign", "encipher only", "decipher + only", "any", "server auth", "client auth", "code signing", "email + protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec + user", "timestamping", "ocsp signing", "microsoft sgc", "netscape + sgc"' + type: string + enum: + - signing + - digital signature + - content commitment + - key encipherment + - key agreement + - data encipherment + - cert sign + - crl sign + - encipher only + - decipher only + - any + - server auth + - client auth + - code signing + - email protection + - s/mime + - ipsec end system + - ipsec tunnel + - ipsec user + - timestamping + - ocsp signing + - microsoft sgc + - netscape sgc + status: + description: CertificateStatus defines the observed state of CertificateRequest + and resulting signed certificate. + type: object + properties: + ca: + description: Byte slice containing the PEM encoded certificate authority + of the signed certificate. + type: string + format: byte + certificate: + description: Byte slice containing a PEM encoded signed certificate + resulting from the given certificate signing request. + type: string + format: byte + conditions: + type: array + items: + description: CertificateRequestCondition contains condition information + for a CertificateRequest. + type: object + required: + - status + - type + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + type: string + format: date-time + message: + description: Message is a human readable description of the details + of the last transition, complementing reason. 
+ type: string + reason: + description: Reason is a brief machine readable explanation for + the condition's last transition. + type: string + status: + description: Status of the condition, one of ('True', 'False', + 'Unknown'). + type: string + enum: + - "True" + - "False" + - Unknown + type: + description: Type of the condition, currently ('Ready', 'InvalidRequest'). + type: string + failureTime: + description: FailureTime stores the time that this CertificateRequest + failed. This is used to influence garbage collection and back-off. + type: string + format: date-time + version: v1alpha2 + versions: + - name: v1alpha2 + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: certificates.cert-manager.io +spec: + additionalPrinterColumns: + - JSONPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - JSONPath: .spec.secretName + name: Secret + type: string + - JSONPath: .spec.issuerRef.name + name: Issuer + priority: 1 + type: string + - JSONPath: .status.conditions[?(@.type=="Ready")].message + name: Status + priority: 1 + type: string + - JSONPath: .metadata.creationTimestamp + description: CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. + name: Age + type: date + group: cert-manager.io + preserveUnknownFields: false + names: + kind: Certificate + listKind: CertificateList + plural: certificates + shortNames: + - cert + - certs + singular: certificate + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + description: Certificate is a type to represent a Certificate from ACME + type: object + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. 
Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: CertificateSpec defines the desired state of Certificate. A + valid Certificate requires at least one of a CommonName, DNSName, or URISAN + to be valid. + type: object + required: + - issuerRef + - secretName + properties: + commonName: + description: CommonName is a common name to be used on the Certificate. + The CommonName should have a length of 64 characters or fewer to avoid + generating invalid CSRs. + type: string + dnsNames: + description: DNSNames is a list of subject alt names to be used on the + Certificate. + type: array + items: + type: string + duration: + description: Certificate default Duration + type: string + ipAddresses: + description: IPAddresses is a list of IP addresses to be used on the + Certificate + type: array + items: + type: string + isCA: + description: IsCA will mark this Certificate as valid for signing. This + implies that the 'cert sign' usage is set + type: boolean + issuerRef: + description: IssuerRef is a reference to the issuer for this certificate. + If the 'kind' field is not set, or set to 'Issuer', an Issuer resource + with the given name in the same namespace as the Certificate will + be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer + with the provided name will be used. The 'name' field in this stanza + is required at all times. 
+ type: object + required: + - name + properties: + group: + type: string + kind: + type: string + name: + type: string + keyAlgorithm: + description: KeyAlgorithm is the private key algorithm of the corresponding + private key for this certificate. If provided, allowed values are + either "rsa" or "ecdsa" If KeyAlgorithm is specified and KeySize is + not provided, key size of 256 will be used for "ecdsa" key algorithm + and key size of 2048 will be used for "rsa" key algorithm. + type: string + enum: + - rsa + - ecdsa + keyEncoding: + description: KeyEncoding is the private key cryptography standards (PKCS) + for this certificate's private key to be encoded in. If provided, + allowed values are "pkcs1" and "pkcs8" standing for PKCS#1 and PKCS#8, + respectively. If KeyEncoding is not specified, then PKCS#1 will be + used by default. + type: string + enum: + - pkcs1 + - pkcs8 + keySize: + description: KeySize is the key bit size of the corresponding private + key for this certificate. If provided, value must be between 2048 + and 8192 inclusive when KeyAlgorithm is empty or is set to "rsa", + and value must be one of (256, 384, 521) when KeyAlgorithm is set + to "ecdsa". + type: integer + organization: + description: Organization is the organization to be used on the Certificate + type: array + items: + type: string + renewBefore: + description: Certificate renew before expiration duration + type: string + secretName: + description: SecretName is the name of the secret resource to store + this secret in + type: string + subject: + description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name). + type: object + properties: + countries: + description: Countries to be used on the Certificate. + type: array + items: + type: string + localities: + description: Cities to be used on the Certificate. + type: array + items: + type: string + organizationalUnits: + description: Organizational Units to be used on the Certificate. 
+ type: array + items: + type: string + postalCodes: + description: Postal codes to be used on the Certificate. + type: array + items: + type: string + provinces: + description: State/Provinces to be used on the Certificate. + type: array + items: + type: string + serialNumber: + description: Serial number to be used on the Certificate. + type: string + streetAddresses: + description: Street addresses to be used on the Certificate. + type: array + items: + type: string + uriSANs: + description: URISANs is a list of URI Subject Alternative Names to be + set on this Certificate. + type: array + items: + type: string + usages: + description: Usages is the set of x509 actions that are enabled for + a given key. Defaults are ('digital signature', 'key encipherment') + if empty + type: array + items: + description: 'KeyUsage specifies valid usage contexts for keys. See: + https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 + Valid KeyUsage values are as follows: "signing", "digital signature", + "content commitment", "key encipherment", "key agreement", "data + encipherment", "cert sign", "crl sign", "encipher only", "decipher + only", "any", "server auth", "client auth", "code signing", "email + protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec + user", "timestamping", "ocsp signing", "microsoft sgc", "netscape + sgc"' + type: string + enum: + - signing + - digital signature + - content commitment + - key encipherment + - key agreement + - data encipherment + - cert sign + - crl sign + - encipher only + - decipher only + - any + - server auth + - client auth + - code signing + - email protection + - s/mime + - ipsec end system + - ipsec tunnel + - ipsec user + - timestamping + - ocsp signing + - microsoft sgc + - netscape sgc + status: + description: CertificateStatus defines the observed state of Certificate + type: object + properties: + conditions: + type: array + items: + description: 
CertificateCondition contains condition information for + an Certificate. + type: object + required: + - status + - type + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + type: string + format: date-time + message: + description: Message is a human readable description of the details + of the last transition, complementing reason. + type: string + reason: + description: Reason is a brief machine readable explanation for + the condition's last transition. + type: string + status: + description: Status of the condition, one of ('True', 'False', + 'Unknown'). + type: string + enum: + - "True" + - "False" + - Unknown + type: + description: Type of the condition, currently ('Ready'). + type: string + lastFailureTime: + type: string + format: date-time + notAfter: + description: The expiration time of the certificate stored in the secret + named by this resource in spec.secretName. + type: string + format: date-time + version: v1alpha2 + versions: + - name: v1alpha2 + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: challenges.acme.cert-manager.io +spec: + additionalPrinterColumns: + - JSONPath: .status.state + name: State + type: string + - JSONPath: .spec.dnsName + name: Domain + type: string + - JSONPath: .status.reason + name: Reason + priority: 1 + type: string + - JSONPath: .metadata.creationTimestamp + description: CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. 
+ name: Age + type: date + group: acme.cert-manager.io + preserveUnknownFields: false + names: + kind: Challenge + listKind: ChallengeList + plural: challenges + singular: challenge + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + description: Challenge is a type to represent a Challenge request with an ACME + server + type: object + required: + - metadata + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + type: object + required: + - authzURL + - dnsName + - issuerRef + - key + - token + - type + - url + properties: + authzURL: + description: AuthzURL is the URL to the ACME Authorization resource + that this challenge is a part of. + type: string + dnsName: + description: DNSName is the identifier that this challenge is for, e.g. + example.com. + type: string + issuerRef: + description: IssuerRef references a properly configured ACME-type Issuer + which should be used to create this Challenge. If the Issuer does + not exist, processing will be retried. If the Issuer is not an 'ACME' + Issuer, an error will be returned and the Challenge will be marked + as failed. 
+ type: object + required: + - name + properties: + group: + type: string + kind: + type: string + name: + type: string + key: + description: Key is the ACME challenge key for this challenge + type: string + solver: + description: Solver contains the domain solving configuration that should + be used to solve this challenge resource. + type: object + properties: + dns01: + type: object + properties: + acmedns: + description: ACMEIssuerDNS01ProviderAcmeDNS is a structure containing + the configuration for ACME-DNS servers + type: object + required: + - accountSecretRef + - host + properties: + accountSecretRef: + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + host: + type: string + akamai: + description: ACMEIssuerDNS01ProviderAkamai is a structure containing + the DNS configuration for Akamai DNS—Zone Record Management + API + type: object + required: + - accessTokenSecretRef + - clientSecretSecretRef + - clientTokenSecretRef + - serviceConsumerDomain + properties: + accessTokenSecretRef: + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + clientSecretSecretRef: + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + clientTokenSecretRef: + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + serviceConsumerDomain: + type: string + azuredns: + description: ACMEIssuerDNS01ProviderAzureDNS is a structure + containing the configuration for Azure DNS + type: object + required: + - clientID + - clientSecretSecretRef + - resourceGroupName + - subscriptionID + - tenantID + properties: + clientID: + type: string + clientSecretSecretRef: + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + environment: + type: string + enum: + - AzurePublicCloud + - AzureChinaCloud + - AzureGermanCloud + - AzureUSGovernmentCloud + hostedZoneName: + type: string + resourceGroupName: + type: string + subscriptionID: + type: string + tenantID: + type: string + clouddns: + description: ACMEIssuerDNS01ProviderCloudDNS is a structure + containing the DNS configuration for Google Cloud DNS + type: object + required: + - project + properties: + project: + type: string + serviceAccountSecretRef: + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + cloudflare: + description: ACMEIssuerDNS01ProviderCloudflare is a structure + containing the DNS configuration for Cloudflare + type: object + required: + - email + properties: + apiKeySecretRef: + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + apiTokenSecretRef: + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + email: + type: string + cnameStrategy: + description: CNAMEStrategy configures how the DNS01 provider + should handle CNAME records when found in DNS zones. + type: string + enum: + - None + - Follow + digitalocean: + description: ACMEIssuerDNS01ProviderDigitalOcean is a structure + containing the DNS configuration for DigitalOcean Domains + type: object + required: + - tokenSecretRef + properties: + tokenSecretRef: + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' 
+ type: string + rfc2136: + description: ACMEIssuerDNS01ProviderRFC2136 is a structure containing + the configuration for RFC2136 DNS + type: object + required: + - nameserver + properties: + nameserver: + description: 'The IP address of the DNS supporting RFC2136. + Required. Note: FQDN is not a valid value, only IP.' + type: string + tsigAlgorithm: + description: 'The TSIG Algorithm configured in the DNS supporting + RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` + are defined. Supported values are (case-insensitive): + ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or + ``HMACSHA512``.' + type: string + tsigKeyName: + description: The TSIG Key name configured in the DNS. If + ``tsigSecretSecretRef`` is defined, this field is required. + type: string + tsigSecretSecretRef: + description: The name of the secret containing the TSIG + value. If ``tsigKeyName`` is defined, this field is required. + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + route53: + description: ACMEIssuerDNS01ProviderRoute53 is a structure containing + the Route 53 configuration for AWS + type: object + required: + - region + properties: + accessKeyID: + description: 'The AccessKeyID is used for authentication. + If not set we fall-back to using env vars, shared credentials + file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + type: string + hostedZoneID: + description: If set, the provider will manage only this + zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName + api call. 
+ type: string + region: + description: Always set the region when using AccessKeyID + and SecretAccessKey + type: string + role: + description: Role is a Role ARN which the Route53 provider + will assume using either the explicit credentials AccessKeyID/SecretAccessKey + or the inferred credentials from environment variables, + shared credentials file or AWS Instance metadata + type: string + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication. + If not set we fall-back to using env vars, shared credentials + file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + webhook: + description: ACMEIssuerDNS01ProviderWebhook specifies configuration + for a webhook DNS01 provider, including where to POST ChallengePayload + resources. + type: object + required: + - groupName + - solverName + properties: + config: + description: Additional configuration that should be passed + to the webhook apiserver when challenges are processed. + This can contain arbitrary JSON data. Secret values should + not be specified in this stanza. If secret values are + needed (e.g. credentials for a DNS service), you should + use a SecretKeySelector to reference a Secret resource. + For details on the schema of this field, consult the webhook + provider implementation's documentation. + x-kubernetes-preserve-unknown-fields: true + groupName: + description: The API group name that should be used when + POSTing ChallengePayload resources to the webhook apiserver. 
+ This should be the same as the GroupName specified in + the webhook provider implementation. + type: string + solverName: + description: The name of the solver to use, as defined in + the webhook provider implementation. This will typically + be the name of the provider, e.g. 'cloudflare'. + type: string + http01: + description: ACMEChallengeSolverHTTP01 contains configuration detailing + how to solve HTTP01 challenges within a Kubernetes cluster. Typically + this is accomplished through creating 'routes' of some description + that configure ingress controllers to direct traffic to 'solver + pods', which are responsible for responding to the ACME server's + HTTP requests. + type: object + properties: + ingress: + description: The ingress based HTTP01 challenge solver will + solve challenges by creating or modifying Ingress resources + in order to route requests for '/.well-known/acme-challenge/XYZ' + to 'challenge solver' pods that are provisioned by cert-manager + for each Challenge to be completed. + type: object + properties: + class: + description: The ingress class to use when creating Ingress + resources to solve ACME challenges that use this challenge + solver. Only one of 'class' or 'name' may be specified. + type: string + name: + description: The name of the ingress resource that should + have ACME challenge solving routes inserted into it in + order to solve HTTP01 challenges. This is typically used + in conjunction with ingress controllers like ingress-gce, + which maintains a 1:1 mapping between external IPs and + ingress resources. + type: string + podTemplate: + description: Optional pod template used to configure the + ACME challenge solver pods used for HTTP01 challenges + type: object + properties: + metadata: + description: ObjectMeta overrides for the pod used to + solve HTTP01 challenges. Only the 'labels' and 'annotations' + fields may be set. 
If labels or annotations overlap + with in-built values, the values here will override + the in-built values. + type: object + properties: + annotations: + description: Annotations that should be added to + the create ACME HTTP01 solver pods. + type: object + additionalProperties: + type: string + labels: + description: Labels that should be added to the + created ACME HTTP01 solver pods. + type: object + additionalProperties: + type: string + spec: + description: PodSpec defines overrides for the HTTP01 + challenge solver pod. Only the 'nodeSelector', 'affinity' + and 'tolerations' fields are supported currently. + All other fields will be ignored. + type: object + properties: + affinity: + description: If specified, the pod's scheduling + constraints + type: object + properties: + nodeAffinity: + description: Describes node affinity scheduling + rules for the pod. + type: object + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to + schedule pods to nodes that satisfy the + affinity expressions specified by this + field, but it may choose a node that violates + one or more of the expressions. The node + that is most preferred is the one with + the greatest sum of weights, i.e. for + each node that meets all of the scheduling + requirements (resource request, requiredDuringScheduling + affinity expressions, etc.), compute a + sum by iterating through the elements + of this field and adding "weight" to the + sum if the node matches the corresponding + matchExpressions; the node(s) with the + highest sum are the most preferred. + type: array + items: + description: An empty preferred scheduling + term matches all objects with implicit + weight 0 (i.e. it's a no-op). A null + preferred scheduling term matches no + objects (i.e. is also a no-op). + type: object + required: + - preference + - weight + properties: + preference: + description: A node selector term, + associated with the corresponding + weight. 
+ type: object + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. + type: array + items: + description: A node selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + type: object + required: + - key + - operator + properties: + key: + description: The label key + that the selector applies + to. + type: string + operator: + description: Represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of + string values. If the + operator is In or NotIn, + the values array must + be non-empty. If the operator + is Exists or DoesNotExist, + the values array must + be empty. If the operator + is Gt or Lt, the values + array must have a single + element, which will be + interpreted as an integer. + This array is replaced + during a strategic merge + patch. + type: array + items: + type: string + matchFields: + description: A list of node selector + requirements by node's fields. + type: array + items: + description: A node selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + type: object + required: + - key + - operator + properties: + key: + description: The label key + that the selector applies + to. + type: string + operator: + description: Represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of + string values. If the + operator is In or NotIn, + the values array must + be non-empty. If the operator + is Exists or DoesNotExist, + the values array must + be empty. If the operator + is Gt or Lt, the values + array must have a single + element, which will be + interpreted as an integer. + This array is replaced + during a strategic merge + patch. 
+ type: array + items: + type: string + weight: + description: Weight associated with + matching the corresponding nodeSelectorTerm, + in the range 1-100. + type: integer + format: int32 + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not met at + scheduling time, the pod will not be scheduled + onto the node. If the affinity requirements + specified by this field cease to be met + at some point during pod execution (e.g. + due to an update), the system may or may + not try to eventually evict the pod from + its node. + type: object + required: + - nodeSelectorTerms + properties: + nodeSelectorTerms: + description: Required. A list of node + selector terms. The terms are ORed. + type: array + items: + description: A null or empty node + selector term matches no objects. + The requirements of them are ANDed. + The TopologySelectorTerm type implements + a subset of the NodeSelectorTerm. + type: object + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. + type: array + items: + description: A node selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + type: object + required: + - key + - operator + properties: + key: + description: The label key + that the selector applies + to. + type: string + operator: + description: Represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of + string values. If the + operator is In or NotIn, + the values array must + be non-empty. If the operator + is Exists or DoesNotExist, + the values array must + be empty. If the operator + is Gt or Lt, the values + array must have a single + element, which will be + interpreted as an integer. + This array is replaced + during a strategic merge + patch. 
+ type: array + items: + type: string + matchFields: + description: A list of node selector + requirements by node's fields. + type: array + items: + description: A node selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + type: object + required: + - key + - operator + properties: + key: + description: The label key + that the selector applies + to. + type: string + operator: + description: Represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of + string values. If the + operator is In or NotIn, + the values array must + be non-empty. If the operator + is Exists or DoesNotExist, + the values array must + be empty. If the operator + is Gt or Lt, the values + array must have a single + element, which will be + interpreted as an integer. + This array is replaced + during a strategic merge + patch. + type: array + items: + type: string + podAffinity: + description: Describes pod affinity scheduling + rules (e.g. co-locate this pod in the same + node, zone, etc. as some other pod(s)). + type: object + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to + schedule pods to nodes that satisfy the + affinity expressions specified by this + field, but it may choose a node that violates + one or more of the expressions. The node + that is most preferred is the one with + the greatest sum of weights, i.e. for + each node that meets all of the scheduling + requirements (resource request, requiredDuringScheduling + affinity expressions, etc.), compute a + sum by iterating through the elements + of this field and adding "weight" to the + sum if the node has pods which matches + the corresponding podAffinityTerm; the + node(s) with the highest sum are the most + preferred. 
+ type: array + items: + description: The weights of all of the + matched WeightedPodAffinityTerm fields + are added per-node to find the most + preferred node(s) + type: object + required: + - podAffinityTerm + - weight + properties: + podAffinityTerm: + description: Required. A pod affinity + term, associated with the corresponding + weight. + type: object + required: + - topologyKey + properties: + labelSelector: + description: A label query over + a set of resources, in this + case pods. + type: object + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + type: array + items: + description: A label selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key and + values. + type: object + required: + - key + - operator + properties: + key: + description: key is + the label key that + the selector applies + to. + type: string + operator: + description: operator + represents a key's + relationship to a + set of values. Valid + operators are In, + NotIn, Exists and + DoesNotExist. + type: string + values: + description: values + is an array of string + values. If the operator + is In or NotIn, the + values array must + be non-empty. If the + operator is Exists + or DoesNotExist, the + values array must + be empty. This array + is replaced during + a strategic merge + patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is + a map of {key,value} pairs. + A single {key,value} in + the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", + the operator is "In", and + the values array contains + only "value". The requirements + are ANDed. 
+ type: object + additionalProperties: + type: string + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + pod's namespace" + type: array + items: + type: string + topologyKey: + description: This pod should be + co-located (affinity) or not + co-located (anti-affinity) with + the pods matching the labelSelector + in the specified namespaces, + where co-located is defined + as running on a node whose value + of the label with key topologyKey + matches that of any node on + which any of the selected pods + is running. Empty topologyKey + is not allowed. + type: string + weight: + description: weight associated with + matching the corresponding podAffinityTerm, + in the range 1-100. + type: integer + format: int32 + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not met at + scheduling time, the pod will not be scheduled + onto the node. If the affinity requirements + specified by this field cease to be met + at some point during pod execution (e.g. + due to a pod label update), the system + may or may not try to eventually evict + the pod from its node. When there are + multiple elements, the lists of nodes + corresponding to each podAffinityTerm + are intersected, i.e. all terms must be + satisfied. + type: array + items: + description: Defines a set of pods (namely + those matching the labelSelector relative + to the given namespace(s)) that this + pod should be co-located (affinity) + or not co-located (anti-affinity) with, + where co-located is defined as running + on a node whose value of the label with + key matches that of any + node on which a pod of the set of pods + is running + type: object + required: + - topologyKey + properties: + labelSelector: + description: A label query over a + set of resources, in this case pods. 
+ type: object + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + type: array + items: + description: A label selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: operator represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an + array of string values. + If the operator is In + or NotIn, the values array + must be non-empty. If + the operator is Exists + or DoesNotExist, the values + array must be empty. This + array is replaced during + a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a + map of {key,value} pairs. A + single {key,value} in the matchLabels + map is equivalent to an element + of matchExpressions, whose key + field is "key", the operator + is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + additionalProperties: + type: string + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); null + or empty list means "this pod's + namespace" + type: array + items: + type: string + topologyKey: + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where + co-located is defined as running + on a node whose value of the label + with key topologyKey matches that + of any node on which any of the + selected pods is running. Empty + topologyKey is not allowed. 
+ type: string + podAntiAffinity: + description: Describes pod anti-affinity scheduling + rules (e.g. avoid putting this pod in the + same node, zone, etc. as some other pod(s)). + type: object + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to + schedule pods to nodes that satisfy the + anti-affinity expressions specified by + this field, but it may choose a node that + violates one or more of the expressions. + The node that is most preferred is the + one with the greatest sum of weights, + i.e. for each node that meets all of the + scheduling requirements (resource request, + requiredDuringScheduling anti-affinity + expressions, etc.), compute a sum by iterating + through the elements of this field and + adding "weight" to the sum if the node + has pods which matches the corresponding + podAffinityTerm; the node(s) with the + highest sum are the most preferred. + type: array + items: + description: The weights of all of the + matched WeightedPodAffinityTerm fields + are added per-node to find the most + preferred node(s) + type: object + required: + - podAffinityTerm + - weight + properties: + podAffinityTerm: + description: Required. A pod affinity + term, associated with the corresponding + weight. + type: object + required: + - topologyKey + properties: + labelSelector: + description: A label query over + a set of resources, in this + case pods. + type: object + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + type: array + items: + description: A label selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key and + values. + type: object + required: + - key + - operator + properties: + key: + description: key is + the label key that + the selector applies + to. 
+ type: string + operator: + description: operator + represents a key's + relationship to a + set of values. Valid + operators are In, + NotIn, Exists and + DoesNotExist. + type: string + values: + description: values + is an array of string + values. If the operator + is In or NotIn, the + values array must + be non-empty. If the + operator is Exists + or DoesNotExist, the + values array must + be empty. This array + is replaced during + a strategic merge + patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is + a map of {key,value} pairs. + A single {key,value} in + the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", + the operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + additionalProperties: + type: string + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + pod's namespace" + type: array + items: + type: string + topologyKey: + description: This pod should be + co-located (affinity) or not + co-located (anti-affinity) with + the pods matching the labelSelector + in the specified namespaces, + where co-located is defined + as running on a node whose value + of the label with key topologyKey + matches that of any node on + which any of the selected pods + is running. Empty topologyKey + is not allowed. + type: string + weight: + description: weight associated with + matching the corresponding podAffinityTerm, + in the range 1-100. + type: integer + format: int32 + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity requirements + specified by this field are not met at + scheduling time, the pod will not be scheduled + onto the node. If the anti-affinity requirements + specified by this field cease to be met + at some point during pod execution (e.g. 
+ due to a pod label update), the system + may or may not try to eventually evict + the pod from its node. When there are + multiple elements, the lists of nodes + corresponding to each podAffinityTerm + are intersected, i.e. all terms must be + satisfied. + type: array + items: + description: Defines a set of pods (namely + those matching the labelSelector relative + to the given namespace(s)) that this + pod should be co-located (affinity) + or not co-located (anti-affinity) with, + where co-located is defined as running + on a node whose value of the label with + key matches that of any + node on which a pod of the set of pods + is running + type: object + required: + - topologyKey + properties: + labelSelector: + description: A label query over a + set of resources, in this case pods. + type: object + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + type: array + items: + description: A label selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: operator represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an + array of string values. + If the operator is In + or NotIn, the values array + must be non-empty. If + the operator is Exists + or DoesNotExist, the values + array must be empty. This + array is replaced during + a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a + map of {key,value} pairs. 
A + single {key,value} in the matchLabels + map is equivalent to an element + of matchExpressions, whose key + field is "key", the operator + is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + additionalProperties: + type: string + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); null + or empty list means "this pod's + namespace" + type: array + items: + type: string + topologyKey: + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where + co-located is defined as running + on a node whose value of the label + with key topologyKey matches that + of any node on which any of the + selected pods is running. Empty + topologyKey is not allowed. + type: string + nodeSelector: + description: 'NodeSelector is a selector which must + be true for the pod to fit on a node. Selector + which must match a node''s labels for the pod + to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + additionalProperties: + type: string + tolerations: + description: If specified, the pod's tolerations. + type: array + items: + description: The pod this Toleration is attached + to tolerates any taint that matches the triple + using the matching operator + . + type: object + properties: + effect: + description: Effect indicates the taint effect + to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, + PreferNoSchedule and NoExecute. + type: string + key: + description: Key is the taint key that the + toleration applies to. Empty means match + all taint keys. If the key is empty, operator + must be Exists; this combination means to + match all values and all keys. 
+ type: string + operator: + description: Operator represents a key's relationship + to the value. Valid operators are Exists + and Equal. Defaults to Equal. Exists is + equivalent to wildcard for value, so that + a pod can tolerate all taints of a particular + category. + type: string + tolerationSeconds: + description: TolerationSeconds represents + the period of time the toleration (which + must be of effect NoExecute, otherwise this + field is ignored) tolerates the taint. By + default, it is not set, which means tolerate + the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict + immediately) by the system. + type: integer + format: int64 + value: + description: Value is the taint value the + toleration matches to. If the operator is + Exists, the value should be empty, otherwise + just a regular string. + type: string + serviceType: + description: Optional service type for Kubernetes solver + service + type: string + selector: + description: Selector selects a set of DNSNames on the Certificate + resource that should be solved using this challenge solver. + type: object + properties: + dnsNames: + description: List of DNSNames that this solver will be used + to solve. If specified and a match is found, a dnsNames selector + will take precedence over a dnsZones selector. If multiple + solvers match with the same dnsNames value, the solver with + the most matching labels in matchLabels will be selected. + If neither has more matches, the solver defined earlier in + the list will be selected. + type: array + items: + type: string + dnsZones: + description: List of DNSZones that this solver will be used + to solve. The most specific DNS zone match specified here + will take precedence over other DNS zone matches, so a solver + specifying sys.example.com will be selected over one specifying + example.com for the domain www.sys.example.com. 
If multiple + solvers match with the same dnsZones value, the solver with + the most matching labels in matchLabels will be selected. + If neither has more matches, the solver defined earlier in + the list will be selected. + type: array + items: + type: string + matchLabels: + description: A label selector that is used to refine the set + of certificate's that this challenge solver will apply to. + type: object + additionalProperties: + type: string + token: + description: Token is the ACME challenge token for this challenge. + type: string + type: + description: Type is the type of ACME challenge this resource represents, + e.g. "dns01" or "http01" + type: string + url: + description: URL is the URL of the ACME Challenge resource for this + challenge. This can be used to lookup details about the status of + this challenge. + type: string + wildcard: + description: Wildcard will be true if this challenge is for a wildcard + identifier, for example '*.example.com' + type: boolean + status: + type: object + properties: + presented: + description: Presented will be set to true if the challenge values for + this challenge are currently 'presented'. This *does not* imply the + self check is passing. Only that the values have been 'submitted' + for the appropriate challenge mechanism (i.e. the DNS01 TXT record + has been presented, or the HTTP01 configuration has been configured). + type: boolean + processing: + description: Processing is used to denote whether this challenge should + be processed or not. This field will only be set to true by the 'scheduling' + component. It will only be set to false by the 'challenges' controller, + after the challenge has reached a final state or timed out. If this + field is set to false, the challenge controller will not take any + more action. + type: boolean + reason: + description: Reason contains human readable information on why the Challenge + is in the current state. 
+ type: string + state: + description: State contains the current 'state' of the challenge. If + not set, the state of the challenge is unknown. + type: string + enum: + - valid + - ready + - pending + - processing + - invalid + - expired + - errored + version: v1alpha2 + versions: + - name: v1alpha2 + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: clusterissuers.cert-manager.io +spec: + additionalPrinterColumns: + - JSONPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - JSONPath: .status.conditions[?(@.type=="Ready")].message + name: Status + priority: 1 + type: string + - JSONPath: .metadata.creationTimestamp + description: CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. + name: Age + type: date + group: cert-manager.io + preserveUnknownFields: false + names: + kind: ClusterIssuer + listKind: ClusterIssuerList + plural: clusterissuers + singular: clusterissuer + scope: Cluster + subresources: + status: {} + validation: + openAPIV3Schema: + type: object + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IssuerSpec is the specification of an Issuer. This includes + any configuration required for the issuer. + type: object + properties: + acme: + description: ACMEIssuer contains the specification for an ACME issuer + type: object + required: + - privateKeySecretRef + - server + properties: + email: + description: Email is the email for this account + type: string + externalAccountBinding: + description: ExternalAcccountBinding is a reference to a CA external + account of the ACME server. + type: object + required: + - keyAlgorithm + - keyID + - keySecretRef + properties: + keyAlgorithm: + description: keyAlgorithm is the MAC key algorithm that the + key is used for. Valid values are "HS256", "HS384" and "HS512". + type: string + enum: + - HS256 + - HS384 + - HS512 + keyID: + description: keyID is the ID of the CA key that the External + Account is bound to. + type: string + keySecretRef: + description: keySecretRef is a Secret Key Selector referencing + a data item in a Kubernetes Secret which holds the symmetric + MAC key of the External Account Binding. The `key` is the + index string that is paired with the key data in the Secret + and should not be confused with the key data itself, or indeed + with the External Account Binding keyID above. The secret + key stored in the Secret **must** be un-padded, base64 URL + encoded data. + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' 
+ type: string + privateKeySecretRef: + description: PrivateKey is the name of a secret containing the private + key for this user account. + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. Must be a + valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + server: + description: Server is the ACME server URL + type: string + skipTLSVerify: + description: If true, skip verifying the ACME server TLS certificate + type: boolean + solvers: + description: Solvers is a list of challenge solvers that will be + used to solve ACME challenges for the matching domains. + type: array + items: + type: object + properties: + dns01: + type: object + properties: + acmedns: + description: ACMEIssuerDNS01ProviderAcmeDNS is a structure + containing the configuration for ACME-DNS servers + type: object + required: + - accountSecretRef + - host + properties: + accountSecretRef: + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + host: + type: string + akamai: + description: ACMEIssuerDNS01ProviderAkamai is a structure + containing the DNS configuration for Akamai DNS—Zone + Record Management API + type: object + required: + - accessTokenSecretRef + - clientSecretSecretRef + - clientTokenSecretRef + - serviceConsumerDomain + properties: + accessTokenSecretRef: + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. 
+ type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + clientSecretSecretRef: + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + clientTokenSecretRef: + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + serviceConsumerDomain: + type: string + azuredns: + description: ACMEIssuerDNS01ProviderAzureDNS is a structure + containing the configuration for Azure DNS + type: object + required: + - clientID + - clientSecretSecretRef + - resourceGroupName + - subscriptionID + - tenantID + properties: + clientID: + type: string + clientSecretSecretRef: + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' 
+ type: string + environment: + type: string + enum: + - AzurePublicCloud + - AzureChinaCloud + - AzureGermanCloud + - AzureUSGovernmentCloud + hostedZoneName: + type: string + resourceGroupName: + type: string + subscriptionID: + type: string + tenantID: + type: string + clouddns: + description: ACMEIssuerDNS01ProviderCloudDNS is a structure + containing the DNS configuration for Google Cloud DNS + type: object + required: + - project + properties: + project: + type: string + serviceAccountSecretRef: + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + cloudflare: + description: ACMEIssuerDNS01ProviderCloudflare is a structure + containing the DNS configuration for Cloudflare + type: object + required: + - email + properties: + apiKeySecretRef: + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + apiTokenSecretRef: + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + email: + type: string + cnameStrategy: + description: CNAMEStrategy configures how the DNS01 provider + should handle CNAME records when found in DNS zones. 
+ type: string + enum: + - None + - Follow + digitalocean: + description: ACMEIssuerDNS01ProviderDigitalOcean is a + structure containing the DNS configuration for DigitalOcean + Domains + type: object + required: + - tokenSecretRef + properties: + tokenSecretRef: + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + rfc2136: + description: ACMEIssuerDNS01ProviderRFC2136 is a structure + containing the configuration for RFC2136 DNS + type: object + required: + - nameserver + properties: + nameserver: + description: 'The IP address of the DNS supporting + RFC2136. Required. Note: FQDN is not a valid value, + only IP.' + type: string + tsigAlgorithm: + description: 'The TSIG Algorithm configured in the + DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` + and ``tsigKeyName`` are defined. Supported values + are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, + ``HMACSHA256`` or ``HMACSHA512``.' + type: string + tsigKeyName: + description: The TSIG Key name configured in the DNS. + If ``tsigSecretSecretRef`` is defined, this field + is required. + type: string + tsigSecretSecretRef: + description: The name of the secret containing the + TSIG value. If ``tsigKeyName`` is defined, this + field is required. + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' 
+ type: string + route53: + description: ACMEIssuerDNS01ProviderRoute53 is a structure + containing the Route 53 configuration for AWS + type: object + required: + - region + properties: + accessKeyID: + description: 'The AccessKeyID is used for authentication. + If not set we fall-back to using env vars, shared + credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + type: string + hostedZoneID: + description: If set, the provider will manage only + this zone in Route53 and will not do an lookup using + the route53:ListHostedZonesByName api call. + type: string + region: + description: Always set the region when using AccessKeyID + and SecretAccessKey + type: string + role: + description: Role is a Role ARN which the Route53 + provider will assume using either the explicit credentials + AccessKeyID/SecretAccessKey or the inferred credentials + from environment variables, shared credentials file + or AWS Instance metadata + type: string + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication. + If not set we fall-back to using env vars, shared + credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + webhook: + description: ACMEIssuerDNS01ProviderWebhook specifies + configuration for a webhook DNS01 provider, including + where to POST ChallengePayload resources. 
+ type: object + required: + - groupName + - solverName + properties: + config: + description: Additional configuration that should + be passed to the webhook apiserver when challenges + are processed. This can contain arbitrary JSON data. + Secret values should not be specified in this stanza. + If secret values are needed (e.g. credentials for + a DNS service), you should use a SecretKeySelector + to reference a Secret resource. For details on the + schema of this field, consult the webhook provider + implementation's documentation. + x-kubernetes-preserve-unknown-fields: true + groupName: + description: The API group name that should be used + when POSTing ChallengePayload resources to the webhook + apiserver. This should be the same as the GroupName + specified in the webhook provider implementation. + type: string + solverName: + description: The name of the solver to use, as defined + in the webhook provider implementation. This will + typically be the name of the provider, e.g. 'cloudflare'. + type: string + http01: + description: ACMEChallengeSolverHTTP01 contains configuration + detailing how to solve HTTP01 challenges within a Kubernetes + cluster. Typically this is accomplished through creating + 'routes' of some description that configure ingress controllers + to direct traffic to 'solver pods', which are responsible + for responding to the ACME server's HTTP requests. + type: object + properties: + ingress: + description: The ingress based HTTP01 challenge solver + will solve challenges by creating or modifying Ingress + resources in order to route requests for '/.well-known/acme-challenge/XYZ' + to 'challenge solver' pods that are provisioned by cert-manager + for each Challenge to be completed. + type: object + properties: + class: + description: The ingress class to use when creating + Ingress resources to solve ACME challenges that + use this challenge solver. Only one of 'class' or + 'name' may be specified. 
+ type: string + name: + description: The name of the ingress resource that + should have ACME challenge solving routes inserted + into it in order to solve HTTP01 challenges. This + is typically used in conjunction with ingress controllers + like ingress-gce, which maintains a 1:1 mapping + between external IPs and ingress resources. + type: string + podTemplate: + description: Optional pod template used to configure + the ACME challenge solver pods used for HTTP01 challenges + type: object + properties: + metadata: + description: ObjectMeta overrides for the pod + used to solve HTTP01 challenges. Only the 'labels' + and 'annotations' fields may be set. If labels + or annotations overlap with in-built values, + the values here will override the in-built values. + type: object + properties: + annotations: + description: Annotations that should be added + to the create ACME HTTP01 solver pods. + type: object + additionalProperties: + type: string + labels: + description: Labels that should be added to + the created ACME HTTP01 solver pods. + type: object + additionalProperties: + type: string + spec: + description: PodSpec defines overrides for the + HTTP01 challenge solver pod. Only the 'nodeSelector', + 'affinity' and 'tolerations' fields are supported + currently. All other fields will be ignored. + type: object + properties: + affinity: + description: If specified, the pod's scheduling + constraints + type: object + properties: + nodeAffinity: + description: Describes node affinity scheduling + rules for the pod. + type: object + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the affinity expressions specified + by this field, but it may choose + a node that violates one or more + of the expressions. The node that + is most preferred is the one with + the greatest sum of weights, i.e. 
+ for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling + affinity expressions, etc.), compute + a sum by iterating through the elements + of this field and adding "weight" + to the sum if the node matches the + corresponding matchExpressions; + the node(s) with the highest sum + are the most preferred. + type: array + items: + description: An empty preferred + scheduling term matches all objects + with implicit weight 0 (i.e. it's + a no-op). A null preferred scheduling + term matches no objects (i.e. + is also a no-op). + type: object + required: + - preference + - weight + properties: + preference: + description: A node selector + term, associated with the + corresponding weight. + type: object + properties: + matchExpressions: + description: A list of node + selector requirements + by node's labels. + type: array + items: + description: A node selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + type: object + required: + - key + - operator + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, Exists, + DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. If + the operator is + Gt or Lt, the values + array must have + a single element, + which will be interpreted + as an integer. This + array is replaced + during a strategic + merge patch. + type: array + items: + type: string + matchFields: + description: A list of node + selector requirements + by node's fields. 
+ type: array + items: + description: A node selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + type: object + required: + - key + - operator + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, Exists, + DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. If + the operator is + Gt or Lt, the values + array must have + a single element, + which will be interpreted + as an integer. This + array is replaced + during a strategic + merge patch. + type: array + items: + type: string + weight: + description: Weight associated + with matching the corresponding + nodeSelectorTerm, in the range + 1-100. + type: integer + format: int32 + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the node. + If the affinity requirements specified + by this field cease to be met at + some point during pod execution + (e.g. due to an update), the system + may or may not try to eventually + evict the pod from its node. + type: object + required: + - nodeSelectorTerms + properties: + nodeSelectorTerms: + description: Required. A list + of node selector terms. The + terms are ORed. + type: array + items: + description: A null or empty + node selector term matches + no objects. The requirements + of them are ANDed. The TopologySelectorTerm + type implements a subset of + the NodeSelectorTerm. + type: object + properties: + matchExpressions: + description: A list of node + selector requirements + by node's labels. 
+ type: array + items: + description: A node selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + type: object + required: + - key + - operator + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, Exists, + DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. If + the operator is + Gt or Lt, the values + array must have + a single element, + which will be interpreted + as an integer. This + array is replaced + during a strategic + merge patch. + type: array + items: + type: string + matchFields: + description: A list of node + selector requirements + by node's fields. + type: array + items: + description: A node selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + type: object + required: + - key + - operator + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, Exists, + DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. If + the operator is + Gt or Lt, the values + array must have + a single element, + which will be interpreted + as an integer. This + array is replaced + during a strategic + merge patch. 
+ type: array + items: + type: string + podAffinity: + description: Describes pod affinity scheduling + rules (e.g. co-locate this pod in the + same node, zone, etc. as some other + pod(s)). + type: object + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the affinity expressions specified + by this field, but it may choose + a node that violates one or more + of the expressions. The node that + is most preferred is the one with + the greatest sum of weights, i.e. + for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling + affinity expressions, etc.), compute + a sum by iterating through the elements + of this field and adding "weight" + to the sum if the node has pods + which matches the corresponding + podAffinityTerm; the node(s) with + the highest sum are the most preferred. + type: array + items: + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to find + the most preferred node(s) + type: object + required: + - podAffinityTerm + - weight + properties: + podAffinityTerm: + description: Required. A pod + affinity term, associated + with the corresponding weight. + type: object + required: + - topologyKey + properties: + labelSelector: + description: A label query + over a set of resources, + in this case pods. + type: object + properties: + matchExpressions: + description: matchExpressions + is a list of label + selector requirements. + The requirements are + ANDed. + type: array + items: + description: A label + selector requirement + is a selector that + contains values, + a key, and an operator + that relates the + key and values. + type: object + required: + - key + - operator + properties: + key: + description: key + is the label + key that the + selector applies + to. 
+ type: string + operator: + description: operator + represents a + key's relationship + to a set of + values. Valid + operators are + In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or + DoesNotExist, + the values array + must be empty. + This array is + replaced during + a strategic + merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels + map is equivalent + to an element of matchExpressions, + whose key field is + "key", the operator + is "In", and the values + array contains only + "value". The requirements + are ANDed. + type: object + additionalProperties: + type: string + namespaces: + description: namespaces + specifies which namespaces + the labelSelector applies + to (matches against); + null or empty list means + "this pod's namespace" + type: array + items: + type: string + topologyKey: + description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + with the pods matching + the labelSelector in the + specified namespaces, + where co-located is defined + as running on a node whose + value of the label with + key topologyKey matches + that of any node on which + any of the selected pods + is running. Empty topologyKey + is not allowed. + type: string + weight: + description: weight associated + with matching the corresponding + podAffinityTerm, in the range + 1-100. + type: integer + format: int32 + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the node. + If the affinity requirements specified + by this field cease to be met at + some point during pod execution + (e.g. 
due to a pod label update), + the system may or may not try to + eventually evict the pod from its + node. When there are multiple elements, + the lists of nodes corresponding + to each podAffinityTerm are intersected, + i.e. all terms must be satisfied. + type: array + items: + description: Defines a set of pods + (namely those matching the labelSelector + relative to the given namespace(s)) + that this pod should be co-located + (affinity) or not co-located (anti-affinity) + with, where co-located is defined + as running on a node whose value + of the label with key + matches that of any node on which + a pod of the set of pods is running + type: object + required: + - topologyKey + properties: + labelSelector: + description: A label query over + a set of resources, in this + case pods. + type: object + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + type: array + items: + description: A label selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + type: object + required: + - key + - operator + properties: + key: + description: key is + the label key that + the selector applies + to. + type: string + operator: + description: operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array of string + values. If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. This + array is replaced + during a strategic + merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels + is a map of {key,value} + pairs. 
A single {key,value} + in the matchLabels map + is equivalent to an element + of matchExpressions, whose + key field is "key", the + operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + additionalProperties: + type: string + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + pod's namespace" + type: array + items: + type: string + topologyKey: + description: This pod should + be co-located (affinity) or + not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on a + node whose value of the label + with key topologyKey matches + that of any node on which + any of the selected pods is + running. Empty topologyKey + is not allowed. + type: string + podAntiAffinity: + description: Describes pod anti-affinity + scheduling rules (e.g. avoid putting + this pod in the same node, zone, etc. + as some other pod(s)). + type: object + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the anti-affinity expressions specified + by this field, but it may choose + a node that violates one or more + of the expressions. The node that + is most preferred is the one with + the greatest sum of weights, i.e. + for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling + anti-affinity expressions, etc.), + compute a sum by iterating through + the elements of this field and adding + "weight" to the sum if the node + has pods which matches the corresponding + podAffinityTerm; the node(s) with + the highest sum are the most preferred. 
+ type: array + items: + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to find + the most preferred node(s) + type: object + required: + - podAffinityTerm + - weight + properties: + podAffinityTerm: + description: Required. A pod + affinity term, associated + with the corresponding weight. + type: object + required: + - topologyKey + properties: + labelSelector: + description: A label query + over a set of resources, + in this case pods. + type: object + properties: + matchExpressions: + description: matchExpressions + is a list of label + selector requirements. + The requirements are + ANDed. + type: array + items: + description: A label + selector requirement + is a selector that + contains values, + a key, and an operator + that relates the + key and values. + type: object + required: + - key + - operator + properties: + key: + description: key + is the label + key that the + selector applies + to. + type: string + operator: + description: operator + represents a + key's relationship + to a set of + values. Valid + operators are + In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or + DoesNotExist, + the values array + must be empty. + This array is + replaced during + a strategic + merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels + map is equivalent + to an element of matchExpressions, + whose key field is + "key", the operator + is "In", and the values + array contains only + "value". The requirements + are ANDed. 
+ type: object + additionalProperties: + type: string + namespaces: + description: namespaces + specifies which namespaces + the labelSelector applies + to (matches against); + null or empty list means + "this pod's namespace" + type: array + items: + type: string + topologyKey: + description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + with the pods matching + the labelSelector in the + specified namespaces, + where co-located is defined + as running on a node whose + value of the label with + key topologyKey matches + that of any node on which + any of the selected pods + is running. Empty topologyKey + is not allowed. + type: string + weight: + description: weight associated + with matching the corresponding + podAffinityTerm, in the range + 1-100. + type: integer + format: int32 + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity + requirements specified by this field + are not met at scheduling time, + the pod will not be scheduled onto + the node. If the anti-affinity requirements + specified by this field cease to + be met at some point during pod + execution (e.g. due to a pod label + update), the system may or may not + try to eventually evict the pod + from its node. When there are multiple + elements, the lists of nodes corresponding + to each podAffinityTerm are intersected, + i.e. all terms must be satisfied. + type: array + items: + description: Defines a set of pods + (namely those matching the labelSelector + relative to the given namespace(s)) + that this pod should be co-located + (affinity) or not co-located (anti-affinity) + with, where co-located is defined + as running on a node whose value + of the label with key + matches that of any node on which + a pod of the set of pods is running + type: object + required: + - topologyKey + properties: + labelSelector: + description: A label query over + a set of resources, in this + case pods. 
+ type: object + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + type: array + items: + description: A label selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + type: object + required: + - key + - operator + properties: + key: + description: key is + the label key that + the selector applies + to. + type: string + operator: + description: operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array of string + values. If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. This + array is replaced + during a strategic + merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels map + is equivalent to an element + of matchExpressions, whose + key field is "key", the + operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + additionalProperties: + type: string + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + pod's namespace" + type: array + items: + type: string + topologyKey: + description: This pod should + be co-located (affinity) or + not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on a + node whose value of the label + with key topologyKey matches + that of any node on which + any of the selected pods is + running. Empty topologyKey + is not allowed. 
+ type: string + nodeSelector: + description: 'NodeSelector is a selector which + must be true for the pod to fit on a node. + Selector which must match a node''s labels + for the pod to be scheduled on that node. + More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + additionalProperties: + type: string + tolerations: + description: If specified, the pod's tolerations. + type: array + items: + description: The pod this Toleration is + attached to tolerates any taint that matches + the triple using the + matching operator . + type: object + properties: + effect: + description: Effect indicates the taint + effect to match. Empty means match + all taint effects. When specified, + allowed values are NoSchedule, PreferNoSchedule + and NoExecute. + type: string + key: + description: Key is the taint key that + the toleration applies to. Empty means + match all taint keys. If the key is + empty, operator must be Exists; this + combination means to match all values + and all keys. + type: string + operator: + description: Operator represents a key's + relationship to the value. Valid operators + are Exists and Equal. Defaults to + Equal. Exists is equivalent to wildcard + for value, so that a pod can tolerate + all taints of a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents + the period of time the toleration + (which must be of effect NoExecute, + otherwise this field is ignored) tolerates + the taint. By default, it is not set, + which means tolerate the taint forever + (do not evict). Zero and negative + values will be treated as 0 (evict + immediately) by the system. + type: integer + format: int64 + value: + description: Value is the taint value + the toleration matches to. If the + operator is Exists, the value should + be empty, otherwise just a regular + string. 
+ type: string + serviceType: + description: Optional service type for Kubernetes + solver service + type: string + selector: + description: Selector selects a set of DNSNames on the Certificate + resource that should be solved using this challenge solver. + type: object + properties: + dnsNames: + description: List of DNSNames that this solver will be + used to solve. If specified and a match is found, a + dnsNames selector will take precedence over a dnsZones + selector. If multiple solvers match with the same dnsNames + value, the solver with the most matching labels in matchLabels + will be selected. If neither has more matches, the solver + defined earlier in the list will be selected. + type: array + items: + type: string + dnsZones: + description: List of DNSZones that this solver will be + used to solve. The most specific DNS zone match specified + here will take precedence over other DNS zone matches, + so a solver specifying sys.example.com will be selected + over one specifying example.com for the domain www.sys.example.com. + If multiple solvers match with the same dnsZones value, + the solver with the most matching labels in matchLabels + will be selected. If neither has more matches, the solver + defined earlier in the list will be selected. + type: array + items: + type: string + matchLabels: + description: A label selector that is used to refine the + set of certificate's that this challenge solver will + apply to. + type: object + additionalProperties: + type: string + ca: + type: object + required: + - secretName + properties: + secretName: + description: SecretName is the name of the secret used to sign Certificates + issued by this Issuer. 
+ type: string + selfSigned: + type: object + vault: + type: object + required: + - auth + - path + - server + properties: + auth: + description: Vault authentication + type: object + properties: + appRole: + description: This Secret contains a AppRole and Secret + type: object + required: + - path + - roleId + - secretRef + properties: + path: + description: Where the authentication path is mounted in + Vault. + type: string + roleId: + type: string + secretRef: + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + kubernetes: + description: This contains a Role and Secret with a ServiceAccount + token to authenticate with vault. + type: object + required: + - role + - secretRef + properties: + mountPath: + description: The Vault mountPath here is the mount path + to use when authenticating with Vault. For example, setting + a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` + to authenticate with Vault. If unspecified, the default + value "/v1/auth/kubernetes" will be used. + type: string + role: + description: A required field containing the Vault Role + to assume. A Role binds a Kubernetes ServiceAccount with + a set of Vault policies. + type: string + secretRef: + description: The required Secret field containing a Kubernetes + ServiceAccount JWT used for authenticating with Vault. + Use of 'ambient credentials' is not supported. + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + tokenSecretRef: + description: This Secret contains the Vault token key + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + caBundle: + description: Base64 encoded CA bundle to validate Vault server certificate. + Only used if the Server URL is using HTTPS protocol. This parameter + is ignored for plain HTTP protocol connection. If not set the + system root certificates are used to validate the TLS connection. + type: string + format: byte + path: + description: Vault URL path to the certificate role + type: string + server: + description: Server is the vault connection address + type: string + venafi: + description: VenafiIssuer describes issuer configuration details for + Venafi Cloud. + type: object + required: + - zone + properties: + cloud: + description: Cloud specifies the Venafi cloud configuration settings. + Only one of TPP or Cloud may be specified. + type: object + required: + - apiTokenSecretRef + properties: + apiTokenSecretRef: + description: APITokenSecretRef is a secret key selector for + the Venafi Cloud API token. + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' 
+ type: string + url: + description: URL is the base URL for Venafi Cloud + type: string + tpp: + description: TPP specifies Trust Protection Platform configuration + settings. Only one of TPP or Cloud may be specified. + type: object + required: + - credentialsRef + - url + properties: + caBundle: + description: CABundle is a PEM encoded TLS certifiate to use + to verify connections to the TPP instance. If specified, system + roots will not be used and the issuing CA for the TPP instance + must be verifiable using the provided root. If not specified, + the connection will be verified using the cert-manager system + root certificates. + type: string + format: byte + credentialsRef: + description: CredentialsRef is a reference to a Secret containing + the username and password for the TPP server. The secret must + contain two keys, 'username' and 'password'. + type: object + required: + - name + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + url: + description: URL is the base URL for the Venafi TPP instance + type: string + zone: + description: Zone is the Venafi Policy Zone to use for this issuer. + All requests made to the Venafi platform will be restricted by + the named zone policy. This field is required. 
+ type: string + status: + description: IssuerStatus contains status information about an Issuer + type: object + properties: + acme: + type: object + properties: + lastRegisteredEmail: + description: LastRegisteredEmail is the email associated with the + latest registered ACME account, in order to track changes made + to registered account associated with the Issuer + type: string + uri: + description: URI is the unique account identifier, which can also + be used to retrieve account details from the CA + type: string + conditions: + type: array + items: + description: IssuerCondition contains condition information for an + Issuer. + type: object + required: + - status + - type + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + type: string + format: date-time + message: + description: Message is a human readable description of the details + of the last transition, complementing reason. + type: string + reason: + description: Reason is a brief machine readable explanation for + the condition's last transition. + type: string + status: + description: Status of the condition, one of ('True', 'False', + 'Unknown'). + type: string + enum: + - "True" + - "False" + - Unknown + type: + description: Type of the condition, currently ('Ready'). + type: string + version: v1alpha2 + versions: + - name: v1alpha2 + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: issuers.cert-manager.io +spec: + additionalPrinterColumns: + - JSONPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - JSONPath: .status.conditions[?(@.type=="Ready")].message + name: Status + priority: 1 + type: string + - JSONPath: .metadata.creationTimestamp + description: CreationTimestamp is a timestamp representing the server time when + this object was created. 
It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. + name: Age + type: date + group: cert-manager.io + preserveUnknownFields: false + names: + kind: Issuer + listKind: IssuerList + plural: issuers + singular: issuer + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + type: object + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IssuerSpec is the specification of an Issuer. This includes + any configuration required for the issuer. + type: object + properties: + acme: + description: ACMEIssuer contains the specification for an ACME issuer + type: object + required: + - privateKeySecretRef + - server + properties: + email: + description: Email is the email for this account + type: string + externalAccountBinding: + description: ExternalAcccountBinding is a reference to a CA external + account of the ACME server. + type: object + required: + - keyAlgorithm + - keyID + - keySecretRef + properties: + keyAlgorithm: + description: keyAlgorithm is the MAC key algorithm that the + key is used for. Valid values are "HS256", "HS384" and "HS512". 
+ type: string + enum: + - HS256 + - HS384 + - HS512 + keyID: + description: keyID is the ID of the CA key that the External + Account is bound to. + type: string + keySecretRef: + description: keySecretRef is a Secret Key Selector referencing + a data item in a Kubernetes Secret which holds the symmetric + MAC key of the External Account Binding. The `key` is the + index string that is paired with the key data in the Secret + and should not be confused with the key data itself, or indeed + with the External Account Binding keyID above. The secret + key stored in the Secret **must** be un-padded, base64 URL + encoded data. + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + privateKeySecretRef: + description: PrivateKey is the name of a secret containing the private + key for this user account. + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. Must be a + valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + server: + description: Server is the ACME server URL + type: string + skipTLSVerify: + description: If true, skip verifying the ACME server TLS certificate + type: boolean + solvers: + description: Solvers is a list of challenge solvers that will be + used to solve ACME challenges for the matching domains. 
+ type: array + items: + type: object + properties: + dns01: + type: object + properties: + acmedns: + description: ACMEIssuerDNS01ProviderAcmeDNS is a structure + containing the configuration for ACME-DNS servers + type: object + required: + - accountSecretRef + - host + properties: + accountSecretRef: + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + host: + type: string + akamai: + description: ACMEIssuerDNS01ProviderAkamai is a structure + containing the DNS configuration for Akamai DNS—Zone + Record Management API + type: object + required: + - accessTokenSecretRef + - clientSecretSecretRef + - clientTokenSecretRef + - serviceConsumerDomain + properties: + accessTokenSecretRef: + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + clientSecretSecretRef: + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + clientTokenSecretRef: + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. 
More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + serviceConsumerDomain: + type: string + azuredns: + description: ACMEIssuerDNS01ProviderAzureDNS is a structure + containing the configuration for Azure DNS + type: object + required: + - clientID + - clientSecretSecretRef + - resourceGroupName + - subscriptionID + - tenantID + properties: + clientID: + type: string + clientSecretSecretRef: + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + environment: + type: string + enum: + - AzurePublicCloud + - AzureChinaCloud + - AzureGermanCloud + - AzureUSGovernmentCloud + hostedZoneName: + type: string + resourceGroupName: + type: string + subscriptionID: + type: string + tenantID: + type: string + clouddns: + description: ACMEIssuerDNS01ProviderCloudDNS is a structure + containing the DNS configuration for Google Cloud DNS + type: object + required: + - project + properties: + project: + type: string + serviceAccountSecretRef: + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' 
+ type: string + cloudflare: + description: ACMEIssuerDNS01ProviderCloudflare is a structure + containing the DNS configuration for Cloudflare + type: object + required: + - email + properties: + apiKeySecretRef: + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + apiTokenSecretRef: + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + email: + type: string + cnameStrategy: + description: CNAMEStrategy configures how the DNS01 provider + should handle CNAME records when found in DNS zones. + type: string + enum: + - None + - Follow + digitalocean: + description: ACMEIssuerDNS01ProviderDigitalOcean is a + structure containing the DNS configuration for DigitalOcean + Domains + type: object + required: + - tokenSecretRef + properties: + tokenSecretRef: + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' 
+ type: string + rfc2136: + description: ACMEIssuerDNS01ProviderRFC2136 is a structure + containing the configuration for RFC2136 DNS + type: object + required: + - nameserver + properties: + nameserver: + description: 'The IP address of the DNS supporting + RFC2136. Required. Note: FQDN is not a valid value, + only IP.' + type: string + tsigAlgorithm: + description: 'The TSIG Algorithm configured in the + DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` + and ``tsigKeyName`` are defined. Supported values + are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, + ``HMACSHA256`` or ``HMACSHA512``.' + type: string + tsigKeyName: + description: The TSIG Key name configured in the DNS. + If ``tsigSecretSecretRef`` is defined, this field + is required. + type: string + tsigSecretSecretRef: + description: The name of the secret containing the + TSIG value. If ``tsigKeyName`` is defined, this + field is required. + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + route53: + description: ACMEIssuerDNS01ProviderRoute53 is a structure + containing the Route 53 configuration for AWS + type: object + required: + - region + properties: + accessKeyID: + description: 'The AccessKeyID is used for authentication. + If not set we fall-back to using env vars, shared + credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + type: string + hostedZoneID: + description: If set, the provider will manage only + this zone in Route53 and will not do an lookup using + the route53:ListHostedZonesByName api call. 
+ type: string + region: + description: Always set the region when using AccessKeyID + and SecretAccessKey + type: string + role: + description: Role is a Role ARN which the Route53 + provider will assume using either the explicit credentials + AccessKeyID/SecretAccessKey or the inferred credentials + from environment variables, shared credentials file + or AWS Instance metadata + type: string + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication. + If not set we fall-back to using env vars, shared + credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + webhook: + description: ACMEIssuerDNS01ProviderWebhook specifies + configuration for a webhook DNS01 provider, including + where to POST ChallengePayload resources. + type: object + required: + - groupName + - solverName + properties: + config: + description: Additional configuration that should + be passed to the webhook apiserver when challenges + are processed. This can contain arbitrary JSON data. + Secret values should not be specified in this stanza. + If secret values are needed (e.g. credentials for + a DNS service), you should use a SecretKeySelector + to reference a Secret resource. For details on the + schema of this field, consult the webhook provider + implementation's documentation. + x-kubernetes-preserve-unknown-fields: true + groupName: + description: The API group name that should be used + when POSTing ChallengePayload resources to the webhook + apiserver. 
This should be the same as the GroupName + specified in the webhook provider implementation. + type: string + solverName: + description: The name of the solver to use, as defined + in the webhook provider implementation. This will + typically be the name of the provider, e.g. 'cloudflare'. + type: string + http01: + description: ACMEChallengeSolverHTTP01 contains configuration + detailing how to solve HTTP01 challenges within a Kubernetes + cluster. Typically this is accomplished through creating + 'routes' of some description that configure ingress controllers + to direct traffic to 'solver pods', which are responsible + for responding to the ACME server's HTTP requests. + type: object + properties: + ingress: + description: The ingress based HTTP01 challenge solver + will solve challenges by creating or modifying Ingress + resources in order to route requests for '/.well-known/acme-challenge/XYZ' + to 'challenge solver' pods that are provisioned by cert-manager + for each Challenge to be completed. + type: object + properties: + class: + description: The ingress class to use when creating + Ingress resources to solve ACME challenges that + use this challenge solver. Only one of 'class' or + 'name' may be specified. + type: string + name: + description: The name of the ingress resource that + should have ACME challenge solving routes inserted + into it in order to solve HTTP01 challenges. This + is typically used in conjunction with ingress controllers + like ingress-gce, which maintains a 1:1 mapping + between external IPs and ingress resources. + type: string + podTemplate: + description: Optional pod template used to configure + the ACME challenge solver pods used for HTTP01 challenges + type: object + properties: + metadata: + description: ObjectMeta overrides for the pod + used to solve HTTP01 challenges. Only the 'labels' + and 'annotations' fields may be set. 
If labels + or annotations overlap with in-built values, + the values here will override the in-built values. + type: object + properties: + annotations: + description: Annotations that should be added + to the create ACME HTTP01 solver pods. + type: object + additionalProperties: + type: string + labels: + description: Labels that should be added to + the created ACME HTTP01 solver pods. + type: object + additionalProperties: + type: string + spec: + description: PodSpec defines overrides for the + HTTP01 challenge solver pod. Only the 'nodeSelector', + 'affinity' and 'tolerations' fields are supported + currently. All other fields will be ignored. + type: object + properties: + affinity: + description: If specified, the pod's scheduling + constraints + type: object + properties: + nodeAffinity: + description: Describes node affinity scheduling + rules for the pod. + type: object + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the affinity expressions specified + by this field, but it may choose + a node that violates one or more + of the expressions. The node that + is most preferred is the one with + the greatest sum of weights, i.e. + for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling + affinity expressions, etc.), compute + a sum by iterating through the elements + of this field and adding "weight" + to the sum if the node matches the + corresponding matchExpressions; + the node(s) with the highest sum + are the most preferred. + type: array + items: + description: An empty preferred + scheduling term matches all objects + with implicit weight 0 (i.e. it's + a no-op). A null preferred scheduling + term matches no objects (i.e. + is also a no-op). 
+ type: object + required: + - preference + - weight + properties: + preference: + description: A node selector + term, associated with the + corresponding weight. + type: object + properties: + matchExpressions: + description: A list of node + selector requirements + by node's labels. + type: array + items: + description: A node selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + type: object + required: + - key + - operator + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, Exists, + DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. If + the operator is + Gt or Lt, the values + array must have + a single element, + which will be interpreted + as an integer. This + array is replaced + during a strategic + merge patch. + type: array + items: + type: string + matchFields: + description: A list of node + selector requirements + by node's fields. + type: array + items: + description: A node selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + type: object + required: + - key + - operator + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, Exists, + DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. 
If + the operator is + Gt or Lt, the values + array must have + a single element, + which will be interpreted + as an integer. This + array is replaced + during a strategic + merge patch. + type: array + items: + type: string + weight: + description: Weight associated + with matching the corresponding + nodeSelectorTerm, in the range + 1-100. + type: integer + format: int32 + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the node. + If the affinity requirements specified + by this field cease to be met at + some point during pod execution + (e.g. due to an update), the system + may or may not try to eventually + evict the pod from its node. + type: object + required: + - nodeSelectorTerms + properties: + nodeSelectorTerms: + description: Required. A list + of node selector terms. The + terms are ORed. + type: array + items: + description: A null or empty + node selector term matches + no objects. The requirements + of them are ANDed. The TopologySelectorTerm + type implements a subset of + the NodeSelectorTerm. + type: object + properties: + matchExpressions: + description: A list of node + selector requirements + by node's labels. + type: array + items: + description: A node selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + type: object + required: + - key + - operator + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, Exists, + DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. 
If + the operator is + Gt or Lt, the values + array must have + a single element, + which will be interpreted + as an integer. This + array is replaced + during a strategic + merge patch. + type: array + items: + type: string + matchFields: + description: A list of node + selector requirements + by node's fields. + type: array + items: + description: A node selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + type: object + required: + - key + - operator + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, Exists, + DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. If + the operator is + Gt or Lt, the values + array must have + a single element, + which will be interpreted + as an integer. This + array is replaced + during a strategic + merge patch. + type: array + items: + type: string + podAffinity: + description: Describes pod affinity scheduling + rules (e.g. co-locate this pod in the + same node, zone, etc. as some other + pod(s)). + type: object + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the affinity expressions specified + by this field, but it may choose + a node that violates one or more + of the expressions. The node that + is most preferred is the one with + the greatest sum of weights, i.e. 
+ for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling + affinity expressions, etc.), compute + a sum by iterating through the elements + of this field and adding "weight" + to the sum if the node has pods + which matches the corresponding + podAffinityTerm; the node(s) with + the highest sum are the most preferred. + type: array + items: + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to find + the most preferred node(s) + type: object + required: + - podAffinityTerm + - weight + properties: + podAffinityTerm: + description: Required. A pod + affinity term, associated + with the corresponding weight. + type: object + required: + - topologyKey + properties: + labelSelector: + description: A label query + over a set of resources, + in this case pods. + type: object + properties: + matchExpressions: + description: matchExpressions + is a list of label + selector requirements. + The requirements are + ANDed. + type: array + items: + description: A label + selector requirement + is a selector that + contains values, + a key, and an operator + that relates the + key and values. + type: object + required: + - key + - operator + properties: + key: + description: key + is the label + key that the + selector applies + to. + type: string + operator: + description: operator + represents a + key's relationship + to a set of + values. Valid + operators are + In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or + DoesNotExist, + the values array + must be empty. + This array is + replaced during + a strategic + merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels + is a map of {key,value} + pairs. 
A single {key,value} + in the matchLabels + map is equivalent + to an element of matchExpressions, + whose key field is + "key", the operator + is "In", and the values + array contains only + "value". The requirements + are ANDed. + type: object + additionalProperties: + type: string + namespaces: + description: namespaces + specifies which namespaces + the labelSelector applies + to (matches against); + null or empty list means + "this pod's namespace" + type: array + items: + type: string + topologyKey: + description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + with the pods matching + the labelSelector in the + specified namespaces, + where co-located is defined + as running on a node whose + value of the label with + key topologyKey matches + that of any node on which + any of the selected pods + is running. Empty topologyKey + is not allowed. + type: string + weight: + description: weight associated + with matching the corresponding + podAffinityTerm, in the range + 1-100. + type: integer + format: int32 + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the node. + If the affinity requirements specified + by this field cease to be met at + some point during pod execution + (e.g. due to a pod label update), + the system may or may not try to + eventually evict the pod from its + node. When there are multiple elements, + the lists of nodes corresponding + to each podAffinityTerm are intersected, + i.e. all terms must be satisfied. 
+ type: array + items: + description: Defines a set of pods + (namely those matching the labelSelector + relative to the given namespace(s)) + that this pod should be co-located + (affinity) or not co-located (anti-affinity) + with, where co-located is defined + as running on a node whose value + of the label with key + matches that of any node on which + a pod of the set of pods is running + type: object + required: + - topologyKey + properties: + labelSelector: + description: A label query over + a set of resources, in this + case pods. + type: object + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + type: array + items: + description: A label selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + type: object + required: + - key + - operator + properties: + key: + description: key is + the label key that + the selector applies + to. + type: string + operator: + description: operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array of string + values. If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. This + array is replaced + during a strategic + merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels map + is equivalent to an element + of matchExpressions, whose + key field is "key", the + operator is "In", and + the values array contains + only "value". The requirements + are ANDed. 
+ type: object + additionalProperties: + type: string + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + pod's namespace" + type: array + items: + type: string + topologyKey: + description: This pod should + be co-located (affinity) or + not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on a + node whose value of the label + with key topologyKey matches + that of any node on which + any of the selected pods is + running. Empty topologyKey + is not allowed. + type: string + podAntiAffinity: + description: Describes pod anti-affinity + scheduling rules (e.g. avoid putting + this pod in the same node, zone, etc. + as some other pod(s)). + type: object + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the anti-affinity expressions specified + by this field, but it may choose + a node that violates one or more + of the expressions. The node that + is most preferred is the one with + the greatest sum of weights, i.e. + for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling + anti-affinity expressions, etc.), + compute a sum by iterating through + the elements of this field and adding + "weight" to the sum if the node + has pods which matches the corresponding + podAffinityTerm; the node(s) with + the highest sum are the most preferred. + type: array + items: + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to find + the most preferred node(s) + type: object + required: + - podAffinityTerm + - weight + properties: + podAffinityTerm: + description: Required. A pod + affinity term, associated + with the corresponding weight. 
+ type: object + required: + - topologyKey + properties: + labelSelector: + description: A label query + over a set of resources, + in this case pods. + type: object + properties: + matchExpressions: + description: matchExpressions + is a list of label + selector requirements. + The requirements are + ANDed. + type: array + items: + description: A label + selector requirement + is a selector that + contains values, + a key, and an operator + that relates the + key and values. + type: object + required: + - key + - operator + properties: + key: + description: key + is the label + key that the + selector applies + to. + type: string + operator: + description: operator + represents a + key's relationship + to a set of + values. Valid + operators are + In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or + DoesNotExist, + the values array + must be empty. + This array is + replaced during + a strategic + merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels + map is equivalent + to an element of matchExpressions, + whose key field is + "key", the operator + is "In", and the values + array contains only + "value". The requirements + are ANDed. 
+ type: object + additionalProperties: + type: string + namespaces: + description: namespaces + specifies which namespaces + the labelSelector applies + to (matches against); + null or empty list means + "this pod's namespace" + type: array + items: + type: string + topologyKey: + description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + with the pods matching + the labelSelector in the + specified namespaces, + where co-located is defined + as running on a node whose + value of the label with + key topologyKey matches + that of any node on which + any of the selected pods + is running. Empty topologyKey + is not allowed. + type: string + weight: + description: weight associated + with matching the corresponding + podAffinityTerm, in the range + 1-100. + type: integer + format: int32 + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity + requirements specified by this field + are not met at scheduling time, + the pod will not be scheduled onto + the node. If the anti-affinity requirements + specified by this field cease to + be met at some point during pod + execution (e.g. due to a pod label + update), the system may or may not + try to eventually evict the pod + from its node. When there are multiple + elements, the lists of nodes corresponding + to each podAffinityTerm are intersected, + i.e. all terms must be satisfied. + type: array + items: + description: Defines a set of pods + (namely those matching the labelSelector + relative to the given namespace(s)) + that this pod should be co-located + (affinity) or not co-located (anti-affinity) + with, where co-located is defined + as running on a node whose value + of the label with key + matches that of any node on which + a pod of the set of pods is running + type: object + required: + - topologyKey + properties: + labelSelector: + description: A label query over + a set of resources, in this + case pods. 
+ type: object + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + type: array + items: + description: A label selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + type: object + required: + - key + - operator + properties: + key: + description: key is + the label key that + the selector applies + to. + type: string + operator: + description: operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array of string + values. If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. This + array is replaced + during a strategic + merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels map + is equivalent to an element + of matchExpressions, whose + key field is "key", the + operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + additionalProperties: + type: string + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + pod's namespace" + type: array + items: + type: string + topologyKey: + description: This pod should + be co-located (affinity) or + not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on a + node whose value of the label + with key topologyKey matches + that of any node on which + any of the selected pods is + running. Empty topologyKey + is not allowed. 
+ type: string + nodeSelector: + description: 'NodeSelector is a selector which + must be true for the pod to fit on a node. + Selector which must match a node''s labels + for the pod to be scheduled on that node. + More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + additionalProperties: + type: string + tolerations: + description: If specified, the pod's tolerations. + type: array + items: + description: The pod this Toleration is + attached to tolerates any taint that matches + the triple using the + matching operator . + type: object + properties: + effect: + description: Effect indicates the taint + effect to match. Empty means match + all taint effects. When specified, + allowed values are NoSchedule, PreferNoSchedule + and NoExecute. + type: string + key: + description: Key is the taint key that + the toleration applies to. Empty means + match all taint keys. If the key is + empty, operator must be Exists; this + combination means to match all values + and all keys. + type: string + operator: + description: Operator represents a key's + relationship to the value. Valid operators + are Exists and Equal. Defaults to + Equal. Exists is equivalent to wildcard + for value, so that a pod can tolerate + all taints of a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents + the period of time the toleration + (which must be of effect NoExecute, + otherwise this field is ignored) tolerates + the taint. By default, it is not set, + which means tolerate the taint forever + (do not evict). Zero and negative + values will be treated as 0 (evict + immediately) by the system. + type: integer + format: int64 + value: + description: Value is the taint value + the toleration matches to. If the + operator is Exists, the value should + be empty, otherwise just a regular + string. 
+ type: string + serviceType: + description: Optional service type for Kubernetes + solver service + type: string + selector: + description: Selector selects a set of DNSNames on the Certificate + resource that should be solved using this challenge solver. + type: object + properties: + dnsNames: + description: List of DNSNames that this solver will be + used to solve. If specified and a match is found, a + dnsNames selector will take precedence over a dnsZones + selector. If multiple solvers match with the same dnsNames + value, the solver with the most matching labels in matchLabels + will be selected. If neither has more matches, the solver + defined earlier in the list will be selected. + type: array + items: + type: string + dnsZones: + description: List of DNSZones that this solver will be + used to solve. The most specific DNS zone match specified + here will take precedence over other DNS zone matches, + so a solver specifying sys.example.com will be selected + over one specifying example.com for the domain www.sys.example.com. + If multiple solvers match with the same dnsZones value, + the solver with the most matching labels in matchLabels + will be selected. If neither has more matches, the solver + defined earlier in the list will be selected. + type: array + items: + type: string + matchLabels: + description: A label selector that is used to refine the + set of certificate's that this challenge solver will + apply to. + type: object + additionalProperties: + type: string + ca: + type: object + required: + - secretName + properties: + secretName: + description: SecretName is the name of the secret used to sign Certificates + issued by this Issuer. 
+ type: string + selfSigned: + type: object + vault: + type: object + required: + - auth + - path + - server + properties: + auth: + description: Vault authentication + type: object + properties: + appRole: + description: This Secret contains a AppRole and Secret + type: object + required: + - path + - roleId + - secretRef + properties: + path: + description: Where the authentication path is mounted in + Vault. + type: string + roleId: + type: string + secretRef: + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + kubernetes: + description: This contains a Role and Secret with a ServiceAccount + token to authenticate with vault. + type: object + required: + - role + - secretRef + properties: + mountPath: + description: The Vault mountPath here is the mount path + to use when authenticating with Vault. For example, setting + a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` + to authenticate with Vault. If unspecified, the default + value "/v1/auth/kubernetes" will be used. + type: string + role: + description: A required field containing the Vault Role + to assume. A Role binds a Kubernetes ServiceAccount with + a set of Vault policies. + type: string + secretRef: + description: The required Secret field containing a Kubernetes + ServiceAccount JWT used for authenticating with Vault. + Use of 'ambient credentials' is not supported. + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + tokenSecretRef: + description: This Secret contains the Vault token key + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + caBundle: + description: Base64 encoded CA bundle to validate Vault server certificate. + Only used if the Server URL is using HTTPS protocol. This parameter + is ignored for plain HTTP protocol connection. If not set the + system root certificates are used to validate the TLS connection. + type: string + format: byte + path: + description: Vault URL path to the certificate role + type: string + server: + description: Server is the vault connection address + type: string + venafi: + description: VenafiIssuer describes issuer configuration details for + Venafi Cloud. + type: object + required: + - zone + properties: + cloud: + description: Cloud specifies the Venafi cloud configuration settings. + Only one of TPP or Cloud may be specified. + type: object + required: + - apiTokenSecretRef + properties: + apiTokenSecretRef: + description: APITokenSecretRef is a secret key selector for + the Venafi Cloud API token. + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' 
+ type: string + url: + description: URL is the base URL for Venafi Cloud + type: string + tpp: + description: TPP specifies Trust Protection Platform configuration + settings. Only one of TPP or Cloud may be specified. + type: object + required: + - credentialsRef + - url + properties: + caBundle: + description: CABundle is a PEM encoded TLS certifiate to use + to verify connections to the TPP instance. If specified, system + roots will not be used and the issuing CA for the TPP instance + must be verifiable using the provided root. If not specified, + the connection will be verified using the cert-manager system + root certificates. + type: string + format: byte + credentialsRef: + description: CredentialsRef is a reference to a Secret containing + the username and password for the TPP server. The secret must + contain two keys, 'username' and 'password'. + type: object + required: + - name + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + url: + description: URL is the base URL for the Venafi TPP instance + type: string + zone: + description: Zone is the Venafi Policy Zone to use for this issuer. + All requests made to the Venafi platform will be restricted by + the named zone policy. This field is required. 
+ type: string + status: + description: IssuerStatus contains status information about an Issuer + type: object + properties: + acme: + type: object + properties: + lastRegisteredEmail: + description: LastRegisteredEmail is the email associated with the + latest registered ACME account, in order to track changes made + to registered account associated with the Issuer + type: string + uri: + description: URI is the unique account identifier, which can also + be used to retrieve account details from the CA + type: string + conditions: + type: array + items: + description: IssuerCondition contains condition information for an + Issuer. + type: object + required: + - status + - type + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + type: string + format: date-time + message: + description: Message is a human readable description of the details + of the last transition, complementing reason. + type: string + reason: + description: Reason is a brief machine readable explanation for + the condition's last transition. + type: string + status: + description: Status of the condition, one of ('True', 'False', + 'Unknown'). + type: string + enum: + - "True" + - "False" + - Unknown + type: + description: Type of the condition, currently ('Ready'). + type: string + version: v1alpha2 + versions: + - name: v1alpha2 + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: orders.acme.cert-manager.io +spec: + additionalPrinterColumns: + - JSONPath: .status.state + name: State + type: string + - JSONPath: .spec.issuerRef.name + name: Issuer + priority: 1 + type: string + - JSONPath: .status.reason + name: Reason + priority: 1 + type: string + - JSONPath: .metadata.creationTimestamp + description: CreationTimestamp is a timestamp representing the server time when + this object was created. 
It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. + name: Age + type: date + group: acme.cert-manager.io + preserveUnknownFields: false + names: + kind: Order + listKind: OrderList + plural: orders + singular: order + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + description: Order is a type to represent an Order with an ACME server + type: object + required: + - metadata + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + type: object + required: + - csr + - issuerRef + properties: + commonName: + description: CommonName is the common name as specified on the DER encoded + CSR. If CommonName is not specified, the first DNSName specified will + be used as the CommonName. At least one of CommonName or a DNSNames + must be set. This field must match the corresponding field on the + DER encoded CSR. + type: string + csr: + description: Certificate signing request bytes in DER encoding. This + will be used when finalizing the order. This field must be set on + the order. + type: string + format: byte + dnsNames: + description: DNSNames is a list of DNS names that should be included + as part of the Order validation process. 
If CommonName is not specified, + the first DNSName specified will be used as the CommonName. At least + one of CommonName or a DNSNames must be set. This field must match + the corresponding field on the DER encoded CSR. + type: array + items: + type: string + issuerRef: + description: IssuerRef references a properly configured ACME-type Issuer + which should be used to create this Order. If the Issuer does not + exist, processing will be retried. If the Issuer is not an 'ACME' + Issuer, an error will be returned and the Order will be marked as + failed. + type: object + required: + - name + properties: + group: + type: string + kind: + type: string + name: + type: string + status: + type: object + properties: + authorizations: + description: Authorizations contains data returned from the ACME server + on what authoriations must be completed in order to validate the DNS + names specified on the Order. + type: array + items: + description: ACMEAuthorization contains data returned from the ACME + server on an authorization that must be completed in order validate + a DNS name on an ACME Order resource. + type: object + required: + - url + properties: + challenges: + description: Challenges specifies the challenge types offered + by the ACME server. One of these challenge types will be selected + when validating the DNS name and an appropriate Challenge resource + will be created to perform the ACME challenge process. + type: array + items: + description: Challenge specifies a challenge offered by the + ACME server for an Order. An appropriate Challenge resource + can be created to perform the ACME challenge process. + type: object + required: + - token + - type + - url + properties: + token: + description: Token is the token that must be presented for + this challenge. This is used to compute the 'key' that + must also be presented. + type: string + type: + description: Type is the type of challenge being offered, + e.g. 
http-01, dns-01 + type: string + url: + description: URL is the URL of this challenge. It can be + used to retrieve additional metadata about the Challenge + from the ACME server. + type: string + identifier: + description: Identifier is the DNS name to be validated as part + of this authorization + type: string + url: + description: URL is the URL of the Authorization that must be + completed + type: string + wildcard: + description: Wildcard will be true if this authorization is for + a wildcard DNS name. If this is true, the identifier will be + the *non-wildcard* version of the DNS name. For example, if + '*.example.com' is the DNS name being validated, this field + will be 'true' and the 'identifier' field will be 'example.com'. + type: boolean + certificate: + description: Certificate is a copy of the PEM encoded certificate for + this Order. This field will be populated after the order has been + successfully finalized with the ACME server, and the order has transitioned + to the 'valid' state. + type: string + format: byte + failureTime: + description: FailureTime stores the time that this order failed. This + is used to influence garbage collection and back-off. + type: string + format: date-time + finalizeURL: + description: FinalizeURL of the Order. This is used to obtain certificates + for this order once it has been completed. + type: string + reason: + description: Reason optionally provides more information about a why + the order is in the current state. + type: string + state: + description: State contains the current state of this Order resource. + States 'success' and 'expired' are 'final' + type: string + enum: + - valid + - ready + - pending + - processing + - invalid + - expired + - errored + url: + description: URL of the Order. This will initially be empty when the + resource is first created. The Order controller will populate this + field when the Order is first processed. This field will be immutable + after it is initially set. 
+ type: string + version: v1alpha2 + versions: + - name: v1alpha2 + served: true + storage: true +--- \ No newline at end of file diff --git a/deploy/microsoft-azure/azure-cli/cert-manager/install-tls.sh b/deploy/microsoft-azure/azure-cli/cert-manager/install-tls.sh new file mode 100644 index 00000000..5d61508f --- /dev/null +++ b/deploy/microsoft-azure/azure-cli/cert-manager/install-tls.sh 
@@ -0,0 +1,91 @@
+#!/bin/bash
+echo "\r\n====> Install Cert-Manager in Microsoft Azure"
+echo "Running install-tls.sh script.."
+set -e
+
+# # Install the CustomResourceDefinition resources separately
+# # Note: --validate=false is required per https://github.com/jetstack/cert-manager/issues/2208#issuecomment-541311021
+# # kubectl apply -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.13/deploy/manifests/00-crds.yaml --validate=false
+# kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.4.0/cert-manager.yaml --validate=false
+# # Create the namespace for cert-manager
+# kubectl create namespace cert-manager
+
+# # Label the cert-manager namespace to disable resource validation
+# kubectl label namespace cert-manager cert-manager.io/disable-validation=true
+
+# # Add the Jetstack Helm repository
+# helm repo add jetstack https://charts.jetstack.io
+
+# # Update your local Helm chart repository cache
+# helm repo update
+
+# # Install v0.11 of cert-manager Helm chart
+# helm install cert-manager \
+# --namespace cert-manager \
+# --version v1.4.0 \
+# jetstack/c
+
+# Install the CustomResourceDefinition resources using kubectl:
+kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.4.0/cert-manager.yaml
+# Create the namespace for cert-manager:
+kubectl create namespace cert-manager
+
+# Label the ingress namespace to disable resource validation
+kubectl label namespace ingress cert-manager.io/disable-validation=true
+
+# Label the cert-manager namespace to disable resource validation
+kubectl label namespace cert-manager certmanager.k8s.io/disable-validation=true
+
+# Add the Jetstack Helm repository:
+helm repo add jetstack https://charts.jetstack.io
+
+# Update your local Helm chart repository cache:
+helm repo update
+
+
+# To install the cert-manager Helm chart:
+ helm install \
+ cert-manager jetstack/cert-manager \
+ --namespace cert-manager \
+ --create-namespace \
+ --version v1.4.0 \
+ # --set installCRDs=true
+
+# Verifying the installation
+# kubectl get pods --namespace cert-manager
+
+# cat < test-resources.yaml
+# apiVersion: v1
+# kind: Namespace
+# metadata:
+# name: cert-manager-test
+# ---
+# apiVersion: cert-manager.io/v1
+# kind: Issuer
+# metadata:
+# name: test-selfsigned
+# namespace: cert-manager-test
+# spec:
+# selfSigned: {}
+# ---
+# apiVersion: cert-manager.io/v1
+# kind: Certificate
+# metadata:
+# name: selfsigned-cert
+# namespace: cert-manager-test
+# spec:
+# dnsNames:
+# - example.com
+# secretName: selfsigned-cert-tls
+# issuerRef:
+# name: test-selfsigned
+# EOF
+
+# #Create the test resources.
+# kubectl apply -f test-resources.yaml
+
+
+# Check the status of the newly created certificate. You may need to wait a few seconds before cert-manager processes the certificate request.
+# kubectl describe certificate -n cert-manager-test
+
+echo "Cert-Manager is created: COMPLETED \r\n"
\ No newline at end of file
diff --git a/deploy/microsoft-azure/azure-cli/cert-manager/tls-issuer.sh b/deploy/microsoft-azure/azure-cli/cert-manager/tls-issuer.sh
new file mode 100644
index 00000000..c64d071c
--- /dev/null
+++ b/deploy/microsoft-azure/azure-cli/cert-manager/tls-issuer.sh
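Review bot: `kubectl apply -f .../v1.4.0/cert-manager.yaml` installs the complete cert-manager release (controller, webhook, RBAC, namespace), and the `helm install cert-manager jetstack/cert-manager` a few lines later installs the same thing into the same namespace, so Helm will most likely refuse because the rendered Deployments and ServiceAccounts already exist, and under `set -e` the script aborts there. If Helm is the intended installer, apply only the CRD manifest that uninstall-tls.sh already references, `kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.4.0/cert-manager.crds.yaml`, and drop the explicit `kubectl create namespace cert-manager`, which `--create-namespace` already covers and which fails on a second run. The trailing `\` on `--version v1.4.0 \` continues the helm command onto the commented `# --set installCRDs=true` line, so where the command ends now depends on a comment; remove the backslash. The two `kubectl label namespace` calls also use different label keys (`cert-manager.io/disable-validation` vs `certmanager.k8s.io/disable-validation`) and, without `--overwrite`, error out if the label already carries a value.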
@@ -0,0 +1,53 @@ +cat <<-EOF | kubectl apply --namespace default -f - +apiVersion: cert-manager.io/v1 + +kind: ClusterIssuer +metadata: + name: letsencrypt +spec: + acme: + server: https://acme-v02.api.letsencrypt.org/directory + email: $LETS_ENCRYPT_EMAIL + privateKeySecretRef: + name: letsencrypt + solvers: + - http01: + ingress: + class: nginx +EOF + +cat <<-EOF | kubectl apply --namespace production -f - +apiVersion: cert-manager.io/v1 + +kind: ClusterIssuer +metadata: + name: letsencrypt +spec: + acme: + server: https://acme-v02.api.letsencrypt.org/directory + email: $LETS_ENCRYPT_EMAIL + privateKeySecretRef: + name: letsencrypt + solvers: + - http01: + ingress: + class: nginx +EOF + +cat <<-EOF | kubectl apply --namespace staging -f - +apiVersion: cert-manager.io/v1 + +kind: ClusterIssuer +metadata: + name: letsencrypt +spec: + acme: + server: https://acme-v02.api.letsencrypt.org/directory + email: $LETS_ENCRYPT_EMAIL + privateKeySecretRef: + name: letsencrypt + solvers: + - http01: + ingress: + class: nginx +EOF \ No newline at end of file diff --git a/deploy/microsoft-azure/azure-cli/cert-manager/uninstall-tls.sh b/deploy/microsoft-azure/azure-cli/cert-manager/uninstall-tls.sh new file mode 100644 index 00000000..576eeb3c --- /dev/null +++ b/deploy/microsoft-azure/azure-cli/cert-manager/uninstall-tls.sh @@ -0,0 +1,13 @@ +#!/bin/bash +echo "\r\n====> Uninstall Cert-Manager in Microsoft Azure" +echo "Running uninstall-tls.sh script.." +set -e + + +# Clean up the test resources. +# kubectl delete -f test-resources.yaml +kubectl delete -f https://github.com/jetstack/cert-manager/releases/download/v1.4.0/cert-manager.crds.yaml + +kubectl delete ns cert-manager + +echo "Cert-Manager is deleted: COMPLETED \r\n" \ No newline at end of file diff --git a/deploy/microsoft-azure/azure-cli/deploy.sh b/deploy/microsoft-azure/azure-cli/deploy.sh index 109f2963..495d7e49 100644 --- a/deploy/microsoft-azure/azure-cli/deploy.sh 
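Review bot: `ClusterIssuer` is cluster-scoped, so the `--namespace default`, `--namespace production` and `--namespace staging` flags have no effect and the three identical here-docs all apply the same object named `letsencrypt`; a single `cat <<-EOF | kubectl apply -f -` block is enough. `$LETS_ENCRYPT_EMAIL` is expanded inside the here-doc with no `set -u` in the file, so an unset variable yields an empty `email:` field that the apply may accept silently; add `: "${LETS_ENCRYPT_EMAIL:?LETS_ENCRYPT_EMAIL must be set}"` before the first `cat`. The script also has no shebang and no `set -e`, unlike the sibling `install-tls.sh` and `uninstall-tls.sh`.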
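Review bot: The uninstall deletes `cert-manager.crds.yaml` and the namespace but never runs `helm uninstall cert-manager --namespace cert-manager`, although `install-tls.sh` in this patch creates that Helm release (and applies the full `cert-manager.yaml`), so the two scripts do not mirror each other. Deleting the CRDs first also removes every `Certificate`, `Issuer` and `ClusterIssuer` object in the cluster, including the `letsencrypt` issuer from `tls-issuer.sh`, while the controller is still running; uninstall the release first and delete the CRDs last. Under `set -e` both `kubectl delete` lines abort the script when the resources are already gone; `kubectl delete -f ... --ignore-not-found` keeps a re-run harmless.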
+++ b/deploy/microsoft-azure/azure-cli/deploy.sh 
@@ -71,7 +71,73 @@ do sh dns/delete-dns-primary.sh sh rc/delete-rc.sh ;; - + "Install analize tools in AKS cluster") + echo "you chose choice $REPLY which is $opt" + sh tools/install-prometheus.sh + # sh tools/install.sh + ;; + "Uninstall analize tools in AKS cluster") + echo "you chose choice $REPLY which is $opt" + # sh tools/uninstall-prometheus.sh + # sh tools/uninstall.sh + ;; + "Create main DNS") + echo "you chose choice $REPLY which is $opt" + sh dns/create-dns.sh + sh dns/create-dns-primary.sh + # sh tools/install.sh + ;; + "Delete main DNS") + echo "you chose choice $REPLY which is $opt" + sh dns/delete-dns.sh + sh dns/delete-dns-primary.sh + # sh tools/install.sh + ;; + "Configure main DNS") + echo "you chose choice $REPLY which is $opt" + sh dns/set-config-dns.sh + sh dns/set-config-dns-primary.sh + # sh tools/install.sh + ;; + "Install cert-manager AKS cluster") + echo "you chose choice $REPLY which is $opt" + sh cert-manager/install-tls.sh + # sh tools/install.sh + ;; + "Uninstall cert-manager AKS cluster") + echo "you chose choice $REPLY which is $opt" + sh cert-manager/uninstall-tls.sh + # sh tools/uninstall-prometheus.sh + # sh tools/uninstall.sh + ;; + "Create namespaces for Deployment") + echo "you chose choice $REPLY which is $opt" + sh ns/create-ns.sh + # sh tools/install.sh + ;; + "Delete namespaces for Deployment") + echo "you chose choice $REPLY which is $opt" + sh ns/delete-ns.sh + # sh tools/install.sh + ;; + "Create external-dns for AKS") + echo "you chose choice $REPLY which is $opt" + sh dns/install-external-dns-in-aks.sh + # sh tools/install.sh + ;; + "Install nginx controller with Public IP") + sh nginx/install-nginx.sh + ;; + "Uninstall nginx controller with Public IP") + sh nginx/uninstall-aks-nginx.sh + kubectl apply -f nginx/nginx.yaml --namespace=production + ;; + "Install test-app") + helm upgrade --namespace production --install --values helm/test-app/values.yaml --set image.tag=latest --wait test-app helm/test-app + ;; + 
"Uninstall test-app") + helm uninstall test-app --namespace production + ;; "Quit") break ;; diff --git a/deploy/microsoft-azure/azure-cli/helm/test-app/.helmignore b/deploy/microsoft-azure/azure-cli/helm/test-app/.helmignore new file mode 100644 index 00000000..0e8a0eb3 --- /dev/null +++ b/deploy/microsoft-azure/azure-cli/helm/test-app/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/deploy/microsoft-azure/azure-cli/helm/test-app/Chart.yaml b/deploy/microsoft-azure/azure-cli/helm/test-app/Chart.yaml new file mode 100644 index 00000000..9f0654b7 --- /dev/null +++ b/deploy/microsoft-azure/azure-cli/helm/test-app/Chart.yaml 
@@ -0,0 +1,24 @@ +apiVersion: v2 +name: test-app +description: A Helm chart for Kubernetes + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 0.1.0 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +# It is recommended to use it with quotes. +appVersion: "1.16.0" diff --git a/deploy/microsoft-azure/azure-cli/helm/test-app/templates/NOTES.txt b/deploy/microsoft-azure/azure-cli/helm/test-app/templates/NOTES.txt new file mode 100644 index 00000000..2c0f109e --- /dev/null +++ b/deploy/microsoft-azure/azure-cli/helm/test-app/templates/NOTES.txt 
@@ -0,0 +1,22 @@ +1. Get the application URL by running these commands: +{{- if .Values.ingress.enabled }} +{{- range $host := .Values.ingress.hosts }} + {{- range .paths }} + http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }} + {{- end }} +{{- end }} +{{- else if contains "NodePort" .Values.service.type }} + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "test-app.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT +{{- else if contains "LoadBalancer" .Values.service.type }} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "test-app.fullname" . }}' + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "test-app.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") + echo http://$SERVICE_IP:{{ .Values.service.port }} +{{- else if contains "ClusterIP" .Values.service.type }} + export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "test-app.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") + export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}") + echo "Visit http://127.0.0.1:8080 to use your application" + kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT +{{- end }} diff --git a/deploy/microsoft-azure/azure-cli/helm/test-app/templates/_helpers.tpl b/deploy/microsoft-azure/azure-cli/helm/test-app/templates/_helpers.tpl new file mode 100644 index 00000000..77d474ef --- /dev/null 
+++ b/deploy/microsoft-azure/azure-cli/helm/test-app/templates/_helpers.tpl @@ -0,0 +1,62 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "test-app.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "test-app.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "test-app.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "test-app.labels" -}} +helm.sh/chart: {{ include "test-app.chart" . }} +{{ include "test-app.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "test-app.selectorLabels" -}} +app.kubernetes.io/name: {{ include "test-app.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "test-app.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "test-app.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} 
diff --git a/deploy/microsoft-azure/azure-cli/helm/test-app/templates/deployment.yaml b/deploy/microsoft-azure/azure-cli/helm/test-app/templates/deployment.yaml new file mode 100644 index 00000000..69bfe12c --- /dev/null +++ b/deploy/microsoft-azure/azure-cli/helm/test-app/templates/deployment.yaml @@ -0,0 +1,61 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "test-app.fullname" . }} + labels: + {{- include "test-app.labels" . | nindent 4 }} +spec: + {{- if not .Values.autoscaling.enabled }} + replicas: {{ .Values.replicaCount }} + {{- end }} + selector: + matchLabels: + {{- include "test-app.selectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "test-app.selectorLabels" . | nindent 8 }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "test-app.serviceAccountName" . }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + containers: + - name: {{ .Chart.Name }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + ports: + - name: http + containerPort: 80 + protocol: TCP + livenessProbe: + httpGet: + path: / + port: http + readinessProbe: + httpGet: + path: / + port: http + resources: + {{- toYaml .Values.resources | nindent 12 }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} 
diff --git a/deploy/microsoft-azure/azure-cli/helm/test-app/templates/hpa.yaml b/deploy/microsoft-azure/azure-cli/helm/test-app/templates/hpa.yaml new file mode 100644 index 00000000..7350552f --- /dev/null +++ b/deploy/microsoft-azure/azure-cli/helm/test-app/templates/hpa.yaml @@ -0,0 +1,28 @@ +{{- if .Values.autoscaling.enabled }} +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "test-app.fullname" . }} + labels: + {{- include "test-app.labels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "test-app.fullname" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} +{{- end }} diff --git a/deploy/microsoft-azure/azure-cli/helm/test-app/templates/ingress.yaml b/deploy/microsoft-azure/azure-cli/helm/test-app/templates/ingress.yaml new file mode 100644 index 00000000..4538b070 --- /dev/null +++ b/deploy/microsoft-azure/azure-cli/helm/test-app/templates/ingress.yaml 
@@ -0,0 +1,61 @@ +{{- if .Values.ingress.enabled -}} +{{- $fullName := include "test-app.fullname" . -}} +{{- $svcPort := .Values.service.port -}} +{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }} + {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }} + {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}} + {{- end }} +{{- end }} +{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: networking.k8s.io/v1 +{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: networking.k8s.io/v1beta1 +{{- else -}} +apiVersion: extensions/v1beta1 +{{- end }} +kind: Ingress +metadata: + name: {{ $fullName }} + labels: + {{- include "test-app.labels" . | nindent 4 }} + {{- with .Values.ingress.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }} + ingressClassName: {{ .Values.ingress.className }} + {{- end }} + {{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} + {{- end }} + rules: + {{- range .Values.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range .paths }} + - path: {{ .path }} + {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }} + pathType: {{ .pathType }} + {{- end }} + backend: + {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }} + service: + name: {{ $fullName }} + port: + number: {{ $svcPort }} + {{- else }} + serviceName: {{ $fullName }} + servicePort: {{ $svcPort }} + {{- end }} + {{- end }} + {{- end }} +{{- end }} 
diff --git a/deploy/microsoft-azure/azure-cli/helm/test-app/templates/service.yaml b/deploy/microsoft-azure/azure-cli/helm/test-app/templates/service.yaml new file mode 100644 index 00000000..fc4e49fe --- /dev/null +++ b/deploy/microsoft-azure/azure-cli/helm/test-app/templates/service.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "test-app.fullname" . }} + labels: + {{- include "test-app.labels" . | nindent 4 }} +spec: + type: {{ .Values.service.type }} + ports: + - port: {{ .Values.service.port }} + targetPort: http + protocol: TCP + name: http + selector: + {{- include "test-app.selectorLabels" . | nindent 4 }} diff --git a/deploy/microsoft-azure/azure-cli/helm/test-app/templates/serviceaccount.yaml b/deploy/microsoft-azure/azure-cli/helm/test-app/templates/serviceaccount.yaml new file mode 100644 index 00000000..8dcb158f --- /dev/null +++ b/deploy/microsoft-azure/azure-cli/helm/test-app/templates/serviceaccount.yaml @@ -0,0 +1,12 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "test-app.serviceAccountName" . }} + labels: + {{- include "test-app.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/deploy/microsoft-azure/azure-cli/helm/test-app/templates/tests/test-connection.yaml b/deploy/microsoft-azure/azure-cli/helm/test-app/templates/tests/test-connection.yaml new file mode 100644 index 00000000..f7bc8d10 --- /dev/null +++ b/deploy/microsoft-azure/azure-cli/helm/test-app/templates/tests/test-connection.yaml 
@@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "test-app.fullname" . }}-test-connection" + labels: + {{- include "test-app.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['{{ include "test-app.fullname" . }}:{{ .Values.service.port }}'] + restartPolicy: Never diff --git a/deploy/microsoft-azure/azure-cli/helm/test-app/values.yaml b/deploy/microsoft-azure/azure-cli/helm/test-app/values.yaml new file mode 100644 index 00000000..7d1627ea --- /dev/null +++ b/deploy/microsoft-azure/azure-cli/helm/test-app/values.yaml 
@@ -0,0 +1,84 @@ +# Default values for test-app. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +replicaCount: 1 + +image: + repository: nginx + pullPolicy: IfNotPresent + # Overrides the image tag whose default is the chart appVersion. + tag: "latest" + +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + +serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + +podAnnotations: {} + +podSecurityContext: {} + # fsGroup: 2000 + +securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + +service: + type: ClusterIP + port: 80 + +ingress: + enabled: true + className: "" + annotations: + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + nginx.ingress.kubernetes.io/ingress.class: nginx + cert-manager.io/cluster-issuer: letsencrypt + hosts: + - host: test-app.o2bus.com + paths: + - path: / + pathType: ImplementationSpecific + tls: + - secretName: test-app-tls + hosts: + - test-app.o2bus.com + +resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + +nodeSelector: {} + +tolerations: [] + +affinity: {} 
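Review bot: `image.tag: "latest"` together with `pullPolicy: IfNotPresent` means a node that already cached `nginx:latest` keeps running the old image after a redeploy, and `deploy.sh` in this patch passes the same `latest` tag, so neither place pins what actually ships; set `tag` to a fixed version (or digest), or use `pullPolicy: Always` if `latest` must stay. Both `podSecurityContext` and `securityContext` are empty with the hardening lines commented out; `runAsNonRoot: true`, `readOnlyRootFilesystem: true` and `capabilities.drop: [ALL]` are the usual baseline, though the stock `nginx` image binds port 80 as root so a non-root variant or `NET_BIND_SERVICE` may be needed — verify against the image. The ingress host `test-app.o2bus.com` and `cert-manager.io/cluster-issuer: letsencrypt` are hard-coded defaults for what `deploy.sh` calls a test app; consider `ingress.enabled: false` by default and overriding per environment.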
diff --git a/deploy/microsoft-azure/azure-cli/infrastructure/helm/o2-sql-data/.helmignore b/deploy/microsoft-azure/azure-cli/infrastructure/helm/o2-sql-data/.helmignore new file mode 100644 index 00000000..0e8a0eb3 --- /dev/null +++ b/deploy/microsoft-azure/azure-cli/infrastructure/helm/o2-sql-data/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/deploy/microsoft-azure/azure-cli/infrastructure/helm/o2-sql-data/Chart.yaml b/deploy/microsoft-azure/azure-cli/infrastructure/helm/o2-sql-data/Chart.yaml new file mode 100644 index 00000000..6ceafaff --- /dev/null +++ b/deploy/microsoft-azure/azure-cli/infrastructure/helm/o2-sql-data/Chart.yaml 
@@ -0,0 +1,23 @@ +apiVersion: v2 +name: o2-sql-data +description: A Helm chart for Kubernetes + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 0.1.1 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +appVersion: 1.16.0 diff --git a/deploy/microsoft-azure/azure-cli/infrastructure/helm/o2-sql-data/templates/NOTES.txt b/deploy/microsoft-azure/azure-cli/infrastructure/helm/o2-sql-data/templates/NOTES.txt new file mode 100644 index 00000000..06caf7a5 --- /dev/null +++ b/deploy/microsoft-azure/azure-cli/infrastructure/helm/o2-sql-data/templates/NOTES.txt 
@@ -0,0 +1,21 @@ +1. Get the application URL by running these commands: +{{- if .Values.ingress.enabled }} +{{- range $host := .Values.ingress.hosts }} + {{- range .paths }} + http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ . }} + {{- end }} +{{- end }} +{{- else if contains "NodePort" .Values.service.type }} + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "o2-sql-data.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT +{{- else if contains "LoadBalancer" .Values.service.type }} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "o2-sql-data.fullname" . }}' + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "o2-sql-data.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") + echo http://$SERVICE_IP:{{ .Values.service.port }} +{{- else if contains "ClusterIP" .Values.service.type }} + export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "o2-sql-data.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") + echo "Visit http://127.0.0.1:8080 to use your application" + kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:80 +{{- end }} diff --git a/deploy/microsoft-azure/azure-cli/infrastructure/helm/o2-sql-data/templates/_helpers.tpl b/deploy/microsoft-azure/azure-cli/infrastructure/helm/o2-sql-data/templates/_helpers.tpl new file mode 100644 index 00000000..6530963d --- /dev/null +++ b/deploy/microsoft-azure/azure-cli/infrastructure/helm/o2-sql-data/templates/_helpers.tpl 
@@ -0,0 +1,51 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "o2-sql-data.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "o2-sql-data.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "o2-sql-data.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "o2-sql-data.labels" -}} +helm.sh/chart: {{ include "o2-sql-data.chart" . }} +{{ include "o2-sql-data.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "o2-sql-data.selectorLabels" -}} +app.kubernetes.io/name: {{ include "o2-sql-data.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/deploy/microsoft-azure/azure-cli/infrastructure/helm/o2-sql-data/templates/deployment.yaml b/deploy/microsoft-azure/azure-cli/infrastructure/helm/o2-sql-data/templates/deployment.yaml new file mode 100644 index 00000000..ef9264be --- /dev/null +++ b/deploy/microsoft-azure/azure-cli/infrastructure/helm/o2-sql-data/templates/deployment.yaml 
@@ -0,0 +1,83 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "o2-sql-data.fullname" . }} + labels: + {{- include "o2-sql-data.labels" . | nindent 4 }} +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + {{- include "o2-sql-data.selectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "o2-sql-data.selectorLabels" . | nindent 8 }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + containers: + - name: {{ .Chart.Name }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + env: + - name: ACCEPT_EULA + value: "Y" + - name: MSSQL_PID + value: Developer + - name: SA_PASSWORD + value: Pass@word + volumeMounts: + - name: mssql-persistent-storage + mountPath: /var/opt/mssql + ports: + - name: http + containerPort: 1433 + protocol: TCP + resources: + {{- toYaml .Values.resources | nindent 12 }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + volumes: + - name: mssql-persistent-storage + persistentVolumeClaim: + claimName: mssql-pv-data-claim + +--- +kind: StorageClass +apiVersion: storage.k8s.io/v1 +metadata: + name: azure-disk +provisioner: kubernetes.io/azure-disk +parameters: + storageaccounttype: Standard_LRS + kind: Managed +--- +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: mssql-pv-data-claim + annotations: + volume.beta.kubernetes.io/storage-class: azure-disk +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 8Gi \ No newline at end of file 
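Review bot: `SA_PASSWORD` is hard-coded as a plain `value:` in the Deployment template, so the SQL Server credential lives in the chart, in git and in every rendered manifest, and the chart's `values.yaml` in this same patch exposes the pod through a `LoadBalancer` service on 1433, so that fixed credential is reachable from outside the cluster. Source it from a Kubernetes Secret via `valueFrom.secretKeyRef` (sketch below; the values key and secret key names are placeholders) and create the Secret out of band or from a value that is never committed. The bundled `PersistentVolumeClaim` uses the deprecated `volume.beta.kubernetes.io/storage-class` annotation; `spec.storageClassName: azure-disk` is the supported form. The container port is named `http` although 1433 is SQL/TDS and `service.yaml` names its port `tcp`; naming it `tcp` in both keeps them consistent.
```yaml
          env:
            # … unchanged: ACCEPT_EULA, MSSQL_PID …
            - name: SA_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.saPasswordSecret }}  # placeholder values key; Secret managed outside the chart
                  key: sa-password                      # placeholder key name
          # … unchanged: volumeMounts, ports, resources …
```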
diff --git a/deploy/microsoft-azure/azure-cli/infrastructure/helm/o2-sql-data/templates/ingress.yaml b/deploy/microsoft-azure/azure-cli/infrastructure/helm/o2-sql-data/templates/ingress.yaml new file mode 100644 index 00000000..035d4919 --- /dev/null +++ b/deploy/microsoft-azure/azure-cli/infrastructure/helm/o2-sql-data/templates/ingress.yaml @@ -0,0 +1,54 @@ +{{- if .Values.ingress.enabled -}} +{{- $fullName := include "o2-sql-data.fullname" . -}} +{{- $svcPort := .Values.service.port -}} +{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: networking.k8s.io/v1 +{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: networking.k8s.io/v1beta1 +{{- else -}} +apiVersion: extensions/v1beta1 +{{- end }} +kind: Ingress +metadata: + name: {{ $fullName }} + labels: + {{- include "o2-sql-data.labels" . | nindent 4 }} + {{- with .Values.ingress.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} + {{- end }} + rules: + {{- range .Values.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range .paths }} + - path: {{ .path }} + {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }} + pathType: {{ .pathType }} + {{- end }} + backend: + {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }} + service: + name: {{ $fullName }} + port: + number: {{ $svcPort }} + {{- else }} + serviceName: {{ $fullName }} + servicePort: {{ $svcPort }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + diff --git a/deploy/microsoft-azure/azure-cli/infrastructure/helm/o2-sql-data/templates/service.yaml b/deploy/microsoft-azure/azure-cli/infrastructure/helm/o2-sql-data/templates/service.yaml new file mode 100644 index 00000000..1231035a --- /dev/null 
+++ b/deploy/microsoft-azure/azure-cli/infrastructure/helm/o2-sql-data/templates/service.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "o2-sql-data.fullname" . }} + labels: + {{- include "o2-sql-data.labels" . | nindent 4 }} +spec: + type: {{ .Values.service.type }} + ports: + - port: {{ .Values.service.port }} + targetPort: 1433 + protocol: TCP + name: tcp + selector: + {{- include "o2-sql-data.selectorLabels" . | nindent 4 }} diff --git a/deploy/microsoft-azure/azure-cli/infrastructure/helm/o2-sql-data/values.yaml b/deploy/microsoft-azure/azure-cli/infrastructure/helm/o2-sql-data/values.yaml new file mode 100644 index 00000000..2b985fe6 --- /dev/null +++ b/deploy/microsoft-azure/azure-cli/infrastructure/helm/o2-sql-data/values.yaml @@ -0,0 +1,33 @@ +replicaCount: 1 + +image: + repository: mcr.microsoft.com/mssql/server + tag: 2017-latest + pullPolicy: IfNotPresent + +service: + type: LoadBalancer + port: 1433 + +ingress: + enabled: true + annotations: + nginx.ingress.kubernetes.io/ingress.class: nginx + cert-manager.io/cluster-issuer: letsencrypt + hosts: + - host: db.o2bus.com + paths: + - path: / + pathType: ImplementationSpecific + tls: [] + # - secretName: tls-secret-db-o2bus + # hosts: + # - db.o2bus.com + +resources: {} + +nodeSelector: {} + +tolerations: [] + +affinity: {} diff --git a/deploy/microsoft-azure/azure-cli/nginx/install-nginx.sh b/deploy/microsoft-azure/azure-cli/nginx/install-nginx.sh new file mode 100644 index 00000000..f40bcc79 --- /dev/null +++ b/deploy/microsoft-azure/azure-cli/nginx/install-nginx.sh 
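Review bot: `service.type: LoadBalancer` with `port: 1433` publishes SQL Server directly on an Azure public IP, and the chart's Deployment in this patch sets a fixed `SA_PASSWORD`, so the database is internet-reachable with a credential that is in the repository; default to `type: ClusterIP` so in-cluster clients reach it by service name, and open a public endpoint only deliberately and with a network restriction. `ingress.enabled: true` with `path: /` on `db.o2bus.com` routes HTTP through the nginx ingress to a TDS port, which cannot carry SQL traffic, and the `cert-manager.io/cluster-issuer` annotation with `tls: []` requests nothing usable; set `ingress.enabled: false` here. `tag: 2017-latest` is a floating tag; pin a specific build tag or digest for reproducible rollouts.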
@@ -0,0 +1,71 @@ +#!/bin/bash +echo "\r\n====> Install NGINX Ingress controller (Azure Public IP)" +echo "Running install-nginx.sh script.." +set -e +# This script creates an Azure Public IP and binds +# an the NGINX Ingress controller to it + +# aksName="o2-aks" +# resourceGroup = "o2bionics-group" + +RG=${RG} +AKS_NAME=${AKS_NAME} + +set -e + +if [[ -z "$RG" || -z "$AKS_NAME" ]]; then + echo "ERROR: Some Environment variables are missing!" + echo -e "ERROR: These are required:\n" + echo " RG: Resource Group" + echo " AKS_NAME: AKS.Cluster Name" + echo " LOCATION (optional): Azure region. Default is usgovvirginia" + exit 1 +fi + +LOCATION=${LOCATION} +K8S_CONTEXT=$(kubectl config current-context) + +echo "AKS_NAME: $AKS_NAME" +echo "RG: $RG" +echo "LOCATION: $LOCATION" +echo -e "K8S_CONTEXT: $K8S_CONTEXT\n" + +# Verify if we want to proceed +read -p "Are you sure you want to install NGINX [y/N]?" +if [[ ! "$REPLY" =~ ^[Yy]$ ]]; then + exit +fi + +# Get the Resource Group of our AKS Cluster +AKS_CLUSTER_RG=$( + az aks show \ + --resource-group $RG \ + --name $AKS_NAME \ + --query nodeResourceGroup -o tsv +) +# Create a Public IP and get the id of the address. If one exists already +# in the RG with the same name. The existing IP will be returned. 
+PUBLIC_IP=$( + az network public-ip create \ + --resource-group $AKS_CLUSTER_RG \ + --name IP-PublicIP1 \ + --sku Standard \ + --allocation-method static \ + --query publicIp.ipAddress -o tsv +) +# Add stable chart repo +# helm repo add stable https://kubernetes-charts.storage.googleapis.com (old repo) +helm repo add stable https://charts.helm.sh/stable +# Create namespace for Ingress +kubectl create namespace ingress + +# Use Helm to deploy an NGINX ingress controller with static IP +helm install nginx-ingress stable/nginx-ingress \ + --wait --namespace ingress \ + --set controller.replicaCount=2 \ + --set controller.service.loadBalancerIP="$PUBLIC_IP" \ + --set controller.publishService.enabled=true \ + --set controller.publishService.pathOverride=ingress/nginx-ingress-controller + + +# kubectl apply -f identity-nginx.yaml --namespace=production \ No newline at end of file diff --git a/deploy/microsoft-azure/azure-cli/nginx/nginx-staging.yaml b/deploy/microsoft-azure/azure-cli/nginx/nginx-staging.yaml new file mode 100644 index 00000000..0cc6bb9e --- /dev/null +++ b/deploy/microsoft-azure/azure-cli/nginx/nginx-staging.yaml 
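Review bot: `helm repo add stable https://charts.helm.sh/stable` with `helm install nginx-ingress stable/nginx-ingress` installs from the archived `stable` repository, whose `nginx-ingress` chart is deprecated and no longer receives controller or CVE updates; the maintained chart is `ingress-nginx/ingress-nginx` from `https://kubernetes.github.io/ingress-nginx`, and the install should pin `--version` so a re-run cannot silently pull a different controller. The `az aks show` and `az network public-ip create` calls pass `$RG`, `$AKS_NAME` and `$AKS_CLUSTER_RG` unquoted — quote them (`--resource-group "$RG"`) and add `set -u` so a missing variable fails instead of expanding to an empty argument; `set -e` is also given twice. The usage text promises a `LOCATION` default of `usgovvirginia`, but `LOCATION` is only echoed and never used, and `kubectl create namespace ingress` is not idempotent under `set -e` (use `kubectl create namespace ingress --dry-run=client -o yaml | kubectl apply -f -`).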
@@ -0,0 +1,58 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: nginx-staging +spec: + selector: + matchLabels: + app: nginx-staging + template: + metadata: + labels: + app: nginx-staging + spec: + containers: + - image: nginx + name: nginx-staging + ports: + - containerPort: 80 +--- +apiVersion: v1 +kind: Service +metadata: + name: nginx-staging-svc +spec: + ports: + - port: 80 + protocol: TCP + targetPort: 80 + selector: + app: nginx-staging + type: ClusterIP + +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: nginx + annotations: + nginx.ingress.kubernetes.io/ingress.class: nginx + cert-manager.io/cluster-issuer: letsencrypt +spec: + tls: + - hosts: + - nginx.staging.o2bus.com + secretName: tls-secret + rules: + - host: nginx.staging.o2bus.com + http: + paths: + - backend: + service: + name: nginx-staging-svc + port: + number: 80 + # serviceName: nginx-svc + # servicePort: 80 + path: / + pathType: ImplementationSpecific \ No newline at end of file diff --git a/deploy/microsoft-azure/azure-cli/nginx/nginx.yaml b/deploy/microsoft-azure/azure-cli/nginx/nginx.yaml new file mode 100644 index 00000000..e7ed33a0 --- /dev/null +++ b/deploy/microsoft-azure/azure-cli/nginx/nginx.yaml 
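Review bot: `image: nginx` has no tag or digest, so every rollout pulls whatever `latest` is at the time and the Deployment is not reproducible or auditable; pin it (`image: nginx:<version>` or an `@sha256:` digest) and add `resources` limits plus a `securityContext` with `allowPrivilegeEscalation: false` and a read-only root filesystem — note the stock image binds port 80 as root, so `runAsNonRoot: true` would additionally require an unprivileged nginx variant. The Ingress is named `nginx` both here and in nginx.yaml; that only avoids a collision if the two manifests are applied to different namespaces (presumably `staging` and `production` from create-ns.sh), so each file should carry an explicit `metadata.namespace` rather than relying on the caller's current context.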
@@ -0,0 +1,58 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: nginx +spec: + selector: + matchLabels: + app: nginx + template: + metadata: + labels: + app: nginx + spec: + containers: + - image: nginx + name: nginx + ports: + - containerPort: 80 +--- +apiVersion: v1 +kind: Service +metadata: + name: nginx-svc +spec: + ports: + - port: 80 + protocol: TCP + targetPort: 80 + selector: + app: nginx + type: ClusterIP + +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: nginx + annotations: + nginx.ingress.kubernetes.io/ingress.class: nginx + cert-manager.io/cluster-issuer: letsencrypt +spec: + tls: + - hosts: + - nginx.o2bus.com + secretName: tls-secret + rules: + - host: nginx.o2bus.com + http: + paths: + - backend: + service: + name: nginx-svc + port: + number: 80 + # serviceName: nginx-svc + # servicePort: 80 + path: / + pathType: ImplementationSpecific \ No newline at end of file diff --git a/deploy/microsoft-azure/azure-cli/ns/create-ns.sh b/deploy/microsoft-azure/azure-cli/ns/create-ns.sh new file mode 100644 index 00000000..c5fa7ee1 --- /dev/null +++ b/deploy/microsoft-azure/azure-cli/ns/create-ns.sh @@ -0,0 +1,12 @@ +#!/bin/bash +echo "\r\n====> Create Deployment namespace in Microsoft Azure" +echo "Running install-ns.sh script.." +set -e + + +# Create the namespace for deployment +kubectl create namespace production +kubectl create namespace staging + + +echo "Deployment namespace is created: COMPLETED \r\n" \ No newline at end of file diff --git a/deploy/microsoft-azure/azure-cli/ns/delete-ns.sh b/deploy/microsoft-azure/azure-cli/ns/delete-ns.sh new file mode 100644 index 00000000..e69de29b From 6bb248b99ba4f929a35941a35f9b7aa6ab09a973 Mon Sep 17 00:00:00 2001 From: Denis Prokhorchik Date: Sun, 19 Jun 2022 23:56:30 +0300 Subject: [PATCH 3/4] feat(issue-390): update ignore files --- .gitignore | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.gitignore b/.gitignore index f4837ae5..2ffd1756 100644 --- a/.gitignore 
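Review bot: The class annotation key `nginx.ingress.kubernetes.io/ingress.class` does not look like one ingress-nginx honours — the legacy annotation is `kubernetes.io/ingress.class: nginx`, and on `networking.k8s.io/v1` the supported form is the `spec.ingressClassName: nginx` field; if this works today it is probably because the controller is admitting Ingresses that have no class at all, which is worth confirming since that behaviour differs across controller versions. Replace the annotation with `ingressClassName: nginx` under `spec`. As in the staging manifest, `image: nginx` should be pinned to a tag or digest and the Deployment given `resources` limits and a `securityContext`.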
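Review bot: Both `kubectl create namespace` calls fail on a second run, and with `set -e` the script then aborts before its completion message; make them idempotent with `kubectl create namespace production --dry-run=client -o yaml | kubectl apply -f -` (and the same for `staging`). This is also the natural place to label the namespaces for Pod Security Admission, e.g. `kubectl label ns production pod-security.kubernetes.io/enforce=baseline --overwrite`, if the cluster version supports it. The banner `echo "\r\n====> ..."` prints the backslash sequences literally because bash `echo` needs `-e`, and the next line says `install-ns.sh` although the file is `create-ns.sh`.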
+++ b/.gitignore @@ -352,3 +352,6 @@ MigrationBackup/ .DS_Store .idea src/Database/Prototype/Output +deploy/clouds/digital-ocean/.terraform/providers/registry.terraform.io +deploy/clouds/digital-ocean/terraform.tfstate +deploy/clouds/digital-ocean/.terraform.lock.hcl From 7d4b13e9b8edc63a44c25ec815de010a10ce0dfd Mon Sep 17 00:00:00 2001 From: Denis Prokhorchik Date: Fri, 15 Jul 2022 16:11:25 +0300 Subject: [PATCH 4/4] feat(issue-390): update scripts for deploy --- ...xternal-dns-in-aks.sh => uninstall-external-dns-in-aks.sh} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename deploy/microsoft-azure/azure-cli/dns/{uninstall-external-dns-in-aks.sh => uninstall-external-dns-in-aks.sh} (100%) diff --git a/deploy/microsoft-azure/azure-cli/dns/uninstall-external-dns-in-aks.sh b/deploy/microsoft-azure/azure-cli/dns/uninstall-external-dns-in-aks.sh similarity index 100% rename from deploy/microsoft-azure/azure-cli/dns/uninstall-external-dns-in-aks.sh rename to deploy/microsoft-azure/azure-cli/dns/uninstall-external-dns-in-aks.sh
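Review bot: `terraform.tfstate.backup` is not ignored alongside `deploy/clouds/digital-ocean/terraform.tfstate`, although Terraform writes it next to the state on every apply and it carries the same clear-text provider credentials and resource secrets; add `deploy/clouds/digital-ocean/terraform.tfstate.backup` and consider `*.tfvars`, which commonly hold tokens. Adding a path to .gitignore does not remove anything already tracked — if a state file was ever committed it needs purging from history and the credentials it contained rotated.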