[WIP] Upgrade to cert-manager from kube-lego

.gitignore

@@ -13,3 +13,5 @@ mybinder/requirements.lock
 docs/_build
 travis/crypt-key
 env
+
+.vscode/

config/staging.yaml

@@ -11,6 +11,11 @@ binderhub:
     hosts:
       - gke.staging.mybinder.org
       - gke2.staging.mybinder.org
+    tls:
+      - secretName: certmanager-tls-binder-staging
+        hosts:
+          - gke.staging.mybinder.org
+          - gke2.staging.mybinder.org
 
   jupyterhub:
     singleuser:
@@ -119,3 +124,7 @@ federationRedirect:
       url: https://gke2.staging.mybinder.org
       weight: 1
       health: https://gke2.staging.mybinder.org/versions
+
+cert-manager:
+  ingressShim:
+    defaultIssuerName: "staging"

mybinder/requirements.yaml

@@ -8,9 +8,9 @@ dependencies:
  - name: grafana
    version: 1.18.0
    repository: https://kubernetes-charts.storage.googleapis.com
- - name: kube-lego
-   version: 0.4.2
-   repository: https://kubernetes-charts.storage.googleapis.com
+ - name: cert-manager
+   repository: https://charts.jetstack.io
+   version: v0.10.0
  - name: binderhub
    version: 0.2.0-fbbc302
    repository: https://jupyterhub.github.io/helm-chart

mybinder/templates/_helpers.tpl

@@ -0,0 +1,32 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "mybinder.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "mybinder.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "mybinder.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}

mybinder/templates/clusterissuer.yaml

@@ -0,0 +1,34 @@
+---
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: ClusterIssuer
+metadata:
+  name: prod
+  labels:
+    helm.sh/chart: {{ include "mybinder.chart" . }}
+    app.kubernetes.io/name: {{ include "mybinder.name" . }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+spec:
+  acme:
+    server: https://acme-v02.api.letsencrypt.org/directory
+    email: {{ .Values.letsencrypt.contactEmail }}
+    privateKeySecretRef:
+      name: mybinder-prod-acme-key
+    http01: {}
+---
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: ClusterIssuer
+metadata:
+  name: staging
+  labels:
+    helm.sh/chart: {{ include "mybinder.chart" . }}
+    app.kubernetes.io/name: {{ include "mybinder.name" . }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+spec:
+  acme:
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    email: {{ .Values.letsencrypt.contactEmail }}
+    privateKeySecretRef:
+      name: mybinder-staging-acme-key
+    http01: {}

mybinder/templates/gcs-proxy/ingress.yaml

@@ -28,4 +28,4 @@ spec:
       {{- range $bucket := .Values.gcsProxy.buckets }}
       - {{ $bucket.host }}
       {{- end }}
-{{- end }}
+{{- end }}

mybinder/templates/matomo/ingress.yaml

@@ -27,4 +27,4 @@ spec:
       {{ range $host := .Values.matomo.ingress.hosts }}
       - {{ $host }}
       {{- end }}
-{{- end }}
+{{- end }}

mybinder/templates/pdb-kube-lego.yaml

@@ -1,13 +1,13 @@
 apiVersion: policy/v1beta1
 kind: PodDisruptionBudget
 metadata:
-  name: kube-lego
+  name: cert-manager
   labels:
-    app: kube-lego
+    app: cert-manager
     release: {{ .Release.Name }}
 spec:
   minAvailable: 0
   selector:
     matchLabels:
-      app: kube-lego
+      app: cert-manager
       release: {{ .Release.Name }}

mybinder/values.yaml

@@ -138,9 +138,7 @@ binderhub:
     enabled: true
     annotations:
       kubernetes.io/ingress.class: nginx
-    https:
-      enabled: true
-      type: kube-lego
+      kubernetes.io/tls-acme: "true"
 
   dind:
     enabled: true
@@ -316,14 +314,14 @@ static:
     - /badge.svg
     - /badge_logo.svg
 
-kube-lego:
-  config:
-    LEGO_EMAIL: [email protected]
-    LEGO_URL: https://acme-v01.api.letsencrypt.org/directory
-  rbac:
-    create: true
-  image:
-    tag: 0.1.7
+cert-manager:
+  ingressShim:
+    defaultIssuerName: "staging"
+    defaultIssuerKind: "ClusterIssuer"
+    defaultACMEChallengeType: "http01"
+
+letsencrypt:
+  contactEmail: [email protected]
 
 grafana:
   ingress: