cert-manager to argo kustomize helm

.gitignore

@@ -5,6 +5,10 @@
 *.save
 *.1
 
+# Kustomize with Helm and secrets:
+charts/
+*.env
+
 ### IntelliJ IDEA ###
 .idea
 *.iml

argocd/applications/cert-manager.yaml

@@ -0,0 +1,21 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: cert-manager
+  namespace: argocd
+spec:
+  project: k-space.ee
+  source:
+    # also depends on git@git.k-space.ee:secretspace/kube.git
+    repoURL: git@git.k-space.ee:k-space/kube.git
+    targetRevision: HEAD
+    path: cert-manager
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: cert-manager
+  syncPolicy:
+    automated:
+      prune: true
+    syncOptions:
+      - CreateNamespace=true

bind/README.md

@@ -36,7 +36,7 @@ which are internally exposed IP-s of the secondaries.
 
 To configure TSIG secrets:
 
-```
+```sh
 kubectl create secret generic -n bind bind-readonly-secret \
   --from-file=readonly.key
 kubectl create secret generic -n bind bind-readwrite-secret \
@@ -45,9 +45,8 @@ kubectl create secret generic -n bind external-dns
 kubectl -n bind delete secret tsig-secret
 kubectl -n bind create secret generic tsig-secret \
     --from-literal=TSIG_SECRET=$(cat readwrite.key | grep secret | cut -d '"' -f 2)
-kubectl -n cert-manager delete secret tsig-secret
+
-kubectl -n cert-manager create secret generic tsig-secret \
+# ^ same tsig-secret is in git.k-space.ee/secretspace/kube cert-manager
-    --from-literal=TSIG_SECRET=$(cat readwrite.key | grep secret | cut -d '"' -f 2)
 ```
 
 # Serving additional zones

cert-manager/.gitignore

@@ -1 +0,0 @@
-cert-manager.yaml

cert-manager/README.md

@@ -7,7 +7,7 @@ Refer to the [Bind primary Ansible playbook](https://git.k-space.ee/k-space/ansi
 [Bind namespace on Kubernetes cluster](https://git.k-space.ee/k-space/kube/src/branch/master/bind)
 for more details
 
-# For user
+# For developer
 
 Use `Certificate` CRD of cert-manager, refer to
 [official documentation](https://cert-manager.io/docs/usage/certificate/).
@@ -15,23 +15,14 @@ Use `Certificate` CRD of cert-manager, refer to
 To find usage examples in this repository use
 `grep -r -A10 "^kind: Certificate" .`
 
-# For administrator
+# Deployment
+With ArgoCD. Render it locally:
 
-Deployed with:
+```sh
-
+kustomize build . --enable-helm
-```
-curl -L https://github.com/jetstack/cert-manager/releases/download/v1.15.1/cert-manager.yaml -O
-kubectl apply -f cert-manager.yaml
-```
-
-To update the issuer configuration or TSIG secret:
-
-```
-kubectl apply -f default-issuer.yml
- kubectl -n cert-manager create secret generic tsig-secret \
-    --from-literal=TSIG_SECRET=<secret>
 ```
 
+## Webhook timeout
 Workaround for webhook timeout issue https://github.com/jetstack/cert-manager/issues/2602
 It's not very clear why this is happening, deserves further investigation - presumably Calico related somehow:
 

cert-manager/default-cluster-cert-issuer.yaml

@@ -9,7 +9,7 @@ spec:
     email: info@k-space.ee
     server: https://acme-v02.api.letsencrypt.org/directory
     privateKeySecretRef:
-      name: default-cluster-cert-issuer-accountKey # auto-generated by cert-manager
+      name: example-issuer-account-key # auto-generated by cert-manager
     solvers:
       - dns01:
           rfc2136:

cert-manager/kustomization.yaml

@@ -9,7 +9,12 @@ helmCharts:
   name: &name cert-manager
   releaseName: *name
   repo: https://charts.jetstack.io
-  version: v1.15.1
+  valuesInline:
+    namespace: *name
+    global:
+      leaderElection:
+        namespace: *name
+  version: v1.18.1
 
 resources:
 - ssh://git@git.k-space.ee/secretspace/kube/cert-manager # secrets (.env): tsig-secret

tigera-operator/.gitignore

@@ -1 +0,0 @@
-*.env

woodpecker/.gitignore

@@ -1,2 +0,0 @@
-charts/
-*.env