add webhook ovh

helm/certificates/ops/templates/cluster-issuer-letsencrypt-dns01.yaml

@@ -0,0 +1,36 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-dns01-prod
+spec:
+  acme:
+    # Serveur Let's Encrypt production
+    server: https://acme-v02.api.letsencrypt.org/directory
+    # Email pour les notifications Let's Encrypt
+    email: gkpoubelle78@gmail.com
+    # Secret pour stocker la clé privée de l'account ACME
+    privateKeySecretRef:
+      name: letsencrypt-dns01-prod
+    # Challenge DNS-01 pour les certificats wildcard (sites internes)
+    solvers:
+      - dns01:
+          webhook:
+            groupName: acme.gkdomaine.fr
+            solverName: ovh
+            config:
+              # Les credentials OVH sont dans le secret ovh-credentials
+              # Voir helm/certificates/ops/templates/secret-ovh-credentials.yaml
+              applicationKey: "1d1a85ccc3a5bcc9"
+              applicationSecretRef:
+                name: ovh-credentials
+                key: application-secret
+              consumerKeyRef:
+                name: ovh-credentials
+                key: consumer-key
+        # Ce solver s'applique uniquement aux domaines internes
+        selector:
+          dnsZones:
+            - "dev.gkdomaine.fr"
+            - "rct.gkdomaine.fr"
+            - "prd.gkdomaine.fr"
+

helm/certificates/ops/templates/headlamp/certificate-dev.yaml

@@ -0,0 +1,13 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: headlamp-dev-tls
+  namespace: certificates-ops
+spec:
+  secretName: headlamp-dev-tls
+  issuerRef:
+    name: letsencrypt-dns01-prod  # Utilise le wildcard pour site interne
+    kind: ClusterIssuer
+  dnsNames:
+    - headlamp.dev.gkdomaine.fr  # Site interne accessible via .fr
+

helm/certificates/ops/templates/secret-ovh-credentials.yaml

@@ -0,0 +1,27 @@
+# Secret pour les credentials OVH (DNS-01 challenge)
+# IMPORTANT: Remplacez les valeurs base64 par vos vraies credentials OVH
+#
+# Pour créer le Secret manuellement avec vos vraies valeurs :
+# kubectl create secret generic ovh-credentials \
+#   --from-literal=application-secret=VOTRE_APPLICATION_SECRET \
+#   --from-literal=consumer-key=VOTRE_CONSUMER_KEY \
+#   -n certificates-ops \
+#   --context=cluster-ops
+#
+# OU utilisez ce template en remplaçant les valeurs base64 ci-dessous :
+# echo -n 'VOTRE_APPLICATION_SECRET' | base64
+# echo -n 'VOTRE_CONSUMER_KEY' | base64
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ovh-credentials
+  namespace: certificates-ops
+type: Opaque
+data:
+  # Encodez vos credentials en base64 :
+  # echo -n 'VOTRE_APPLICATION_SECRET' | base64
+  # echo -n 'VOTRE_CONSUMER_KEY' | base64
+  application-secret: N2RiNWM3ZTdmNWE5MTM2Y2I5YmE4YmRmNjRjYTNmYTI=
+  consumer-key: M2VjOWM5ZTdmNjgzZWI0NDkyY2IwYjhhZTg1NWU0YWM=
+

helm/certificates/ops/templates/wildcard/certificate-wildcard-dev.yaml

@@ -0,0 +1,14 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: wildcard-dev-tls
+  namespace: certificates-ops
+spec:
+  secretName: wildcard-dev-tls
+  issuerRef:
+    name: letsencrypt-dns01-prod
+    kind: ClusterIssuer
+  dnsNames:
+    - "*.dev.gkdomaine.fr"
+    - "dev.gkdomaine.fr"
+

helm/certificates/ops/templates/wildcard/certificate-wildcard-prd.yaml

@@ -0,0 +1,14 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: wildcard-prd-tls
+  namespace: certificates-ops
+spec:
+  secretName: wildcard-prd-tls
+  issuerRef:
+    name: letsencrypt-dns01-prod
+    kind: ClusterIssuer
+  dnsNames:
+    - "*.prd.gkdomaine.fr"
+    - "prd.gkdomaine.fr"
+

helm/certificates/ops/templates/wildcard/certificate-wildcard-rct.yaml

@@ -0,0 +1,14 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: wildcard-rct-tls
+  namespace: certificates-ops
+spec:
+  secretName: wildcard-rct-tls
+  issuerRef:
+    name: letsencrypt-dns01-prod
+    kind: ClusterIssuer
+  dnsNames:
+    - "*.rct.gkdomaine.fr"
+    - "rct.gkdomaine.fr"
+