Add initial configuration files for cert-manager including Chart, application, and values

2025-11-08 16:31:23 +01:00 · 2025-11-08 16:31:23 +01:00 · 3186dcb16f
commit 3186dcb16f
parent f9af0d4b6e
3 changed files with 125 additions and 0 deletions
--- a/apps/cert-manager/Chart.yaml
+++ b/apps/cert-manager/Chart.yaml
@ -0,0 +1,7 @@
+apiVersion: v2
+name: cert-manager
+version: 1.0.0
+dependencies:
+  - name: cert-manager
+    version: v1.19.1
+    repository: oci://quay.io/jetstack/charts/cert-manager
--- a/apps/cert-manager/application.yaml
+++ b/apps/cert-manager/application.yaml
@ -0,0 +1,31 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: cert-manager
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "0"
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: https://git.mvzijl.nl/marco/veda.git
+    targetRevision: applicationset-rewrite
+    path: apps/cert-manager
+    helm:
+      releaseName: cert-manager
+      valueFiles:
+        - values.yaml
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: cert-manager
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+      - PruneLast=true
+      - PrunePropagationPolicy=foreground
+      - ServerSideApply=true
--- a/apps/cert-manager/values.yaml
+++ b/apps/cert-manager/values.yaml
@ -0,0 +1,87 @@
+cert-manager:
+
+  installCRDs: true
+
+  global:
+    leaderElection:
+      namespace: cert-manager
+
+  prometheus:
+    enabled: true
+
+  resources:
+    requests:
+      cpu: 10m
+      memory: 32Mi
+    limits:
+      cpu: 100m
+      memory: 128Mi
+
+  webhook:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 32Mi
+      limits:
+        cpu: 100m
+        memory: 128Mi
+
+  cainjector:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 32Mi
+      limits:
+        cpu: 100m
+        memory: 128Mi
+
+extraObjects:
+  - apiVersion: cert-manager.io/v1
+    kind: ClusterIssuer
+    metadata:
+      name: selfsigned-issuer
+    spec:
+      selfSigned: {}
+
+  # CA Certificate (acts as root CA)
+  - apiVersion: cert-manager.io/v1
+    kind: Certificate
+    metadata:
+      name: selfsigned-ca
+      namespace: cert-manager
+    spec:
+      isCA: true
+      commonName: noxxos.nl
+      secretName: selfsigned-ca-secret
+      privateKey:
+        algorithm: ECDSA
+        size: 256
+      issuerRef:
+        name: selfsigned-issuer
+        kind: ClusterIssuer
+
+  # CA ClusterIssuer (uses the CA cert above)
+  - apiVersion: cert-manager.io/v1
+    kind: ClusterIssuer
+    metadata:
+      name: ca-issuer
+    spec:
+      ca:
+        secretName: selfsigned-ca-secret
+
+  # Wildcard certificate for *.noxxos.nl
+  - apiVersion: cert-manager.io/v1
+    kind: Certificate
+    metadata:
+      name: wildcard-noxxos-nl
+      namespace: cert-manager
+    spec:
+      secretName: wildcard-noxxos-nl-tls
+      issuerRef:
+        name: ca-issuer
+        kind: ClusterIssuer
+      dnsNames:
+        - "*.noxxos.nl"
+        - "noxxos.nl"
+      duration: 2160h # 90 days
+      renewBefore: 360h # 15 days