enable

helm/cert-manager-webhook-ovh/ops/templates/clustersecretstore-vault.yaml

@@ -0,0 +1,40 @@
+{{- if .Values.externalSecret.enabled }}
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+  name: {{ .Values.externalSecret.vault.secretStoreName | default "vault-backend" }}
+  labels:
+    app.kubernetes.io/name: cert-manager-webhook-ovh
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+spec:
+  provider:
+    vault:
+      server: {{ .Values.externalSecret.vault.server }}
+      path: {{ .Values.externalSecret.vault.path | default "secret" }}
+      version: {{ .Values.externalSecret.vault.version | default "v2" }}
+      auth:
+        {{- if .Values.externalSecret.vault.auth.kubernetes }}
+        kubernetes:
+          mountPath: {{ .Values.externalSecret.vault.auth.kubernetes.mountPath | default "kubernetes" }}
+          role: {{ .Values.externalSecret.vault.auth.kubernetes.role }}
+          {{- if .Values.externalSecret.vault.auth.kubernetes.serviceAccountRef }}
+          serviceAccountRef:
+            name: {{ .Values.externalSecret.vault.auth.kubernetes.serviceAccountRef.name }}
+            {{- if .Values.externalSecret.vault.auth.kubernetes.serviceAccountRef.namespace }}
+            namespace: {{ .Values.externalSecret.vault.auth.kubernetes.serviceAccountRef.namespace }}
+            {{- end }}
+          {{- end }}
+        {{- else if .Values.externalSecret.vault.auth.token }}
+        tokenSecretRef:
+          name: {{ .Values.externalSecret.vault.auth.token.secretName }}
+          key: {{ .Values.externalSecret.vault.auth.token.secretKey | default "token" }}
+        {{- else if .Values.externalSecret.vault.auth.appRole }}
+        appRole:
+          path: {{ .Values.externalSecret.vault.auth.appRole.path | default "approle" }}
+          roleId: {{ .Values.externalSecret.vault.auth.appRole.roleId }}
+          secretRef:
+            name: {{ .Values.externalSecret.vault.auth.appRole.secretRef.name }}
+            key: {{ .Values.externalSecret.vault.auth.appRole.secretRef.key | default "secretId" }}
+        {{- end }}
+{{- end }}

helm/cert-manager-webhook-ovh/ops/templates/externalsecret-ovh-credentials.yaml

@@ -0,0 +1,64 @@
+{{- if .Values.externalSecret.enabled }}
+{{- if and .Values.externalSecret.vault.server .Values.externalSecret.remoteRef.applicationKey .Values.externalSecret.remoteRef.applicationSecret .Values.externalSecret.remoteRef.consumerKey }}
+---
+# ExternalSecret pour cert-manager-webhook-ovh-ops
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: {{ .Values.externalSecret.secretName | default "cert-manager-webhook-ovh" }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: cert-manager-webhook-ovh
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+spec:
+  refreshInterval: {{ .Values.externalSecret.refreshInterval | default "1h" }}
+  secretStoreRef:
+    name: {{ .Values.externalSecret.vault.secretStoreName | default "vault-backend" }}
+    kind: ClusterSecretStore
+  target:
+    name: {{ .Values.externalSecret.secretName | default "cert-manager-webhook-ovh" }}
+    creationPolicy: Owner
+  data:
+    - secretKey: application-key
+      remoteRef:
+        key: {{ .Values.externalSecret.remoteRef.applicationKey }}
+    - secretKey: application-secret
+      remoteRef:
+        key: {{ .Values.externalSecret.remoteRef.applicationSecret }}
+    - secretKey: consumer-key
+      remoteRef:
+        key: {{ .Values.externalSecret.remoteRef.consumerKey }}
+---
+# ExternalSecret pour cert-manager-ops (partage du même secret)
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: {{ .Values.externalSecret.secretName | default "cert-manager-webhook-ovh" }}
+  namespace: {{ .Values.certManager.namespace }}
+  labels:
+    app.kubernetes.io/name: cert-manager-webhook-ovh
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+spec:
+  refreshInterval: {{ .Values.externalSecret.refreshInterval | default "1h" }}
+  secretStoreRef:
+    name: {{ .Values.externalSecret.vault.secretStoreName | default "vault-backend" }}
+    kind: ClusterSecretStore
+  target:
+    name: {{ .Values.externalSecret.secretName | default "cert-manager-webhook-ovh" }}
+    creationPolicy: Owner
+  data:
+    - secretKey: application-key
+      remoteRef:
+        key: {{ .Values.externalSecret.remoteRef.applicationKey }}
+    - secretKey: application-secret
+      remoteRef:
+        key: {{ .Values.externalSecret.remoteRef.applicationSecret }}
+    - secretKey: consumer-key
+      remoteRef:
+        key: {{ .Values.externalSecret.remoteRef.consumerKey }}
+{{- else }}
+{{- fail "External Secrets est activé mais la configuration est incomplète. Veuillez définir externalSecret.vault.server et tous les remoteRef (applicationKey, applicationSecret, consumerKey)" }}
+{{- end }}
+{{- end }}

helm/cert-manager-webhook-ovh/ops/templates/rbac-cert-manager.yaml

@@ -1,48 +0,0 @@
-# ClusterRole pour permettre à cert-manager d'utiliser le webhook OVH
-# Le ServiceAccount cert-manager doit pouvoir créer des ressources "ovh" 
-# dans le groupe API acme.gkdomaine.fr
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: cert-manager-webhook-ovh:cert-manager
-  labels:
-    app: cert-manager-webhook-ovh
-rules:
-  - apiGroups:
-      - acme.gkdomaine.fr
-    resources:
-      - ovh
-    verbs:
-      - create
-      - get
-      - list
-      - watch
-      - update
-      - patch
-      - delete
-  # Permissions pour lire les secrets (nécessaire pour lire ovh-credentials)
-  - apiGroups:
-      - ""
-    resources:
-      - secrets
-    verbs:
-      - get
-      - list
----
-# ClusterRoleBinding pour lier le ClusterRole au ServiceAccount cert-manager
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: cert-manager-webhook-ovh:cert-manager
-  labels:
-    app: cert-manager-webhook-ovh
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cert-manager-webhook-ovh:cert-manager
-subjects:
-  # Le ServiceAccount cert-manager dans cert-manager-ops (selon l'erreur RBAC)
-  - kind: ServiceAccount
-    name: cert-manager
-    namespace: cert-manager-ops
-

helm/cert-manager-webhook-ovh/ops/templates/rbac-webhook.yaml

@@ -1,38 +0,0 @@
-# ClusterRole pour permettre au webhook OVH de lire les secrets OVH
-# Utilisation d'un ClusterRole pour éviter tout problème de permissions
-# Le ServiceAccount du webhook doit pouvoir lire le secret ovh-credentials
-# dans le namespace cert-manager-ops
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: cert-manager-webhook-ovh:secrets
-  labels:
-    app: cert-manager-webhook-ovh
-rules:
-  - apiGroups:
-      - ""
-    resources:
-      - secrets
-    # Pas de resourceNames avec ClusterRole, mais on limite au namespace via le ClusterRoleBinding
-    verbs:
-      - get
-      - list
----
-# ClusterRoleBinding pour lier le ClusterRole au ServiceAccount du webhook
-# Le nom du ServiceAccount est défini par le chart officiel
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: cert-manager-webhook-ovh:secrets
-  labels:
-    app: cert-manager-webhook-ovh
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cert-manager-webhook-ovh:secrets
-subjects:
-  # Le ServiceAccount du webhook (nom basé sur le release name du chart)
-  - kind: ServiceAccount
-    name: cert-manager-webhook-ovh-ops
-    namespace: cert-manager-ops
-

helm/cert-manager-webhook-ovh/ops/templates/service-account.yaml

@@ -0,0 +1,6 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cert-manager-webhook-ovh-sa
+  namespace: cert-manager-webhook-ovh-ops