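#!/usr/bin/env bash
#
# Installs the cert-manager stack into the current kubeconfig context:
#   1. namespace and external-secrets.yaml
#   2. cert-manager (jetstack chart, pinned to CHART_VERSION)
#   3. a service-account token Secret for cert-manager, registered as a Vault
#      Kubernetes-auth role and checked with a test login
#   4. cert-manager-csi-driver
#   5. the namecheap DNS-01 webhook and its Let's Encrypt issuer chart
#   6. issuers.yaml
#
# Required on PATH: kubectl, helm, vault (VAULT_ADDR/VAULT_TOKEN already set
# for an operator allowed to write auth roles), git, ip, base64.
# Overridable from the environment: CHART_VERSION, NAMESPACE, EMAIL,
# VAULT_AUTH_NAMESPACE, WEBHOOK_GIT_REF.

set -euo pipefail
# The original shebang enabled -x; set it here so it also applies when the
# script is run as `bash install.sh`. The token section below disables it
# temporarily so the service-account JWT never lands in the trace output.
set -x

: "${CHART_VERSION:=v1.15.2}"
: "${NAMESPACE:=cert-manager}"
: "${EMAIL:=amarpreet@minhas.io}"
# Vault auth-mount path (auth/<VAULT_AUTH_NAMESPACE>/...), not a k8s namespace.
: "${VAULT_AUTH_NAMESPACE:=k8s-teapot}"
# Optional tag/commit to pin the third-party webhook checkout to (see below).
: "${WEBHOOK_GIT_REF:=}"
readonly CHART_VERSION NAMESPACE EMAIL VAULT_AUTH_NAMESPACE WEBHOOK_GIT_REF

# Service account created by the chart for release name "cert-manager", and
# the token Secret this script creates for it.
readonly SA_NAME="cert-manager"
readonly TOKEN_SECRET="serviceaccounttoken"
readonly WEBHOOK_REPO="https://github.com/kelvie/cert-manager-webhook-namecheap"

# external-secrets.yaml and issuers.yaml are expected next to this script.
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
readonly SCRIPT_DIR

die() { printf 'install.sh: %s\n' "$*" >&2; exit 1; }

# Scratch dir for the webhook checkout, removed on every exit path. Cloning
# into the cwd meant a failed run left a directory behind that made the next
# `git clone` fail.
WORKDIR="$(mktemp -d)" || die "mktemp failed"
trap 'rm -rf -- "${WORKDIR:?}"' EXIT

# --- namespace + prerequisite manifests -------------------------------------
# Idempotent namespace creation; unlike `create ns || true` this still fails
# on real errors (unreachable API server, missing RBAC).
kubectl create ns "$NAMESPACE" --dry-run=client -o yaml | kubectl apply -f -
kubectl apply -n "$NAMESPACE" -f "${SCRIPT_DIR}/external-secrets.yaml"

# --- cert-manager ------------------------------------------------------------
helm repo add jetstack https://charts.jetstack.io
helm repo update
# --wait: the issuer charts further down create cert-manager resources, which
# the API server rejects until the cert-manager webhook is serving.
# NOTE(review): installCRDs kept as before; newer charts also expose
# crds.enabled/crds.keep — check which the pinned CHART_VERSION prefers.
helm upgrade --install \
  cert-manager \
  jetstack/cert-manager \
  -n "$NAMESPACE" \
  --version "$CHART_VERSION" \
  --set installCRDs=true \
  --create-namespace \
  --wait \
  --cleanup-on-fail

# --- service-account token for Vault ----------------------------------------
# Ordering matters: the Secret references the SA the chart creates, and the
# token controller only fills in .data.token for an existing SA. Reading the
# Secret before creating it (as this script used to) only works on a re-run.
cat <<EOH | kubectl apply -f -
---
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
  name: ${TOKEN_SECRET}
  namespace: ${NAMESPACE}
  annotations:
    kubernetes.io/service-account.name: "${SA_NAME}"
...
EOH
# NOTE(review): this Secret type yields a non-expiring legacy token; the 24h
# TTL on the Vault role below bounds the Vault token, not the JWT. Delete the
# Secret to rotate it if it is ever exposed.

# --- Vault Kubernetes-auth role ---------------------------------------------
# -m1: only the first IPv4 on eth0 (the original could emit several lines).
HOST_IP="$(ip addr show eth0 | grep -m1 -Po 'inet \K[\d.]+')"
vault write "auth/${VAULT_AUTH_NAMESPACE}/role/cert-manager" \
  "bound_service_account_names=${SA_NAME}" \
  "bound_service_account_namespaces=${NAMESPACE}" \
  policies=cert-manager \
  ttl=24h

# Trace off: the assignment below would otherwise print the JWT to stderr.
{ set +x; } 2>/dev/null
TOKEN=""
# .data.token is populated asynchronously by the token controller; poll.
for ((attempt = 0; attempt < 30; attempt++)); do
  if TOKEN="$(kubectl get secret "$TOKEN_SECRET" -n "$NAMESPACE" \
        -o go-template='{{ .data.token }}' 2>/dev/null | base64 -d 2>/dev/null)" \
     && [[ -n "$TOKEN" ]]; then
    break
  fi
  sleep 2
done
[[ -n "$TOKEN" ]] || die "token for Secret ${TOKEN_SECRET} was not populated"

# Test login to verify the binding. The JWT is passed on stdin (`jwt=-`)
# instead of argv, so it shows up neither in `ps` nor in the trace, and the
# response (which contains a live Vault token) is discarded; a failed login
# still aborts the script via set -e.
# NOTE(review): `iss=` is kept as written; the Kubernetes auth login endpoint
# documents only `role` and `jwt`, so confirm it is actually honoured.
printf '%s' "$TOKEN" | vault write "auth/${VAULT_AUTH_NAMESPACE}/login" \
  role=cert-manager jwt=- "iss=https://${HOST_IP}:6443" >/dev/null
unset TOKEN
set -x

# --- cert-manager-csi-driver ------------------------------------------------
# (was `-install`, a single dash, which helm happened to tolerate)
helm upgrade --install \
  cert-manager-csi-driver \
  jetstack/cert-manager-csi-driver \
  -n "$NAMESPACE" \
  --wait \
  --cleanup-on-fail

# --- namecheap DNS-01 webhook + issuer charts -------------------------------
# Supply-chain note: this installs a third-party webhook that runs in-cluster
# with its own RBAC. With WEBHOOK_GIT_REF unset it tracks the repo's default
# branch, exactly as before; pin it to a reviewed tag or commit for anything
# beyond a lab cluster.
WEBHOOK_SRC="${WORKDIR}/cert-manager-webhook-namecheap"
git clone "$WEBHOOK_REPO" "$WEBHOOK_SRC"
if [[ -n "$WEBHOOK_GIT_REF" ]]; then
  git -C "$WEBHOOK_SRC" checkout --quiet "$WEBHOOK_GIT_REF"
fi
helm upgrade --install \
  -n "$NAMESPACE" \
  namecheap-webhook \
  "${WEBHOOK_SRC}/deploy/cert-manager-webhook-namecheap/" \
  --wait \
  --cleanup-on-fail
helm upgrade --install \
  -n "$NAMESPACE" \
  --set "email=${EMAIL}" \
  letsencrypt-namecheap-issuer \
  "${WEBHOOK_SRC}/deploy/letsencrypt-namecheap-issuer/" \
  --wait \
  --cleanup-on-fail

kubectl apply -f "${SCRIPT_DIR}/issuers.yaml"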