Merge pull request #6 from stfc/add-anciliary-charts

add manila and certmanager chart

charts/stfc-cloud-cert-manager/Chart.yaml

@@ -0,0 +1,11 @@
+apiVersion: v2
+name: stfc-cloud-cert-manager
+version: 1.1.0
+description: A Helm chart to deploy opinionated instance of cert-manager for the STFC Cloud
+type: application
+
+dependencies:
+# https://github.com/cert-manager/cert-manager/releases
+  - name: cert-manager
+    version: 1.15.3
+    repository: https://charts.jetstack.io

charts/stfc-cloud-cert-manager/README.md

@@ -0,0 +1,57 @@
+# Cert-manager
+
+Cert-manager is a tool to manage certs.
+
+Our chart configures cert-manager (as subchart) and includes pre-configured issuers including staging and production letsencrypt - to enable you to setup verified HTTPS certs for your web-apps
+
+# Installation
+
+```bash
+helm repo add cloud-charts https://stfc.github.io/cloud-helm-charts/
+helm repo update
+helm install cert-manager cloud-charts/stfc-cloud-cert-manager -n cert-manager --create-namespace
+```
+
+# Configuration
+
+## Enabling letsencrypt issuers 
+
+To enable letsecrypt issuers, you need to add:
+
+```yaml
+cert-manager:
+
+  # for testing your networing - PLEASE USE THIS TO TEST FIRST! 
+  # this will prevent the ENTIRE department getting rate-limited!
+  le-staging:  
+    enabled: true
+
+  # prod issuer
+  le-prod:
+    enabled: true
+```
+
+
+## Using letsencrypt ingress 
+
+To enable letsencrypt issuer - you need to add an annotation to ingress resources and enable tls
+
+> [!CAUTION]
+> This is just an example - read the documentation on the helm chart your trying to install to see how to configure nginx ingress. 
+> You might need to make your own - see [Ingress Controller Docs](https://kubernetes.io/docs/concepts/services-networking/ingress/) 
+
+```yaml
+ingress:
+  annotations:
+    # add the annotation
+    cert-manager.io/cluster-issuer: "letsencrypt-prod" # or letsencrypt-staging or self-signed
+    hosts:
+      - name: myservice.example.com
+        path: /
+        port: http
+    # specify tls and secret name
+    tls:
+      - secretName: my-le-cert
+        hosts:
+          - myservice.example.com
+```

charts/stfc-cloud-cert-manager/templates/le-prod-clusterissuer.yaml

@@ -0,0 +1,20 @@
+{{- if index .Values "cert-manager" "le-prod" "enabled" -}}
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-prod
+  namespace: {{ .Release.Namespace }}
+spec:
+  acme:
+    # Let's Encrypt will use this to contact you about expiring
+    # certificates, and issues related to your account.
+    email: {{ .Values.le-prod.email }}
+    server: https://acme-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      name: le-prod-account-key
+    solvers:
+    - http01:
+        ingress:
+          # Assuming you have used the CAPI Addons Ingress Controller
+          ingressClassName: nginx
+{{- end }}

charts/stfc-cloud-cert-manager/templates/le-staging-clusterissuer.yaml

@@ -0,0 +1,20 @@
+{{- if index .Values "cert-manager" "le-staging" "enabled" -}}
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-staging
+  namespace: {{ .Release.Namespace }}
+spec:
+  acme:
+    # Let's Encrypt will use this to contact you about expiring
+    # certificates, and issues related to your account.
+    # For staging we explicitly leave this blank, as we don't need renewal emails...etc.
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      name: le-staging-account-key
+    solvers:
+    - http01:
+        ingress:
+          # Assuming you have used the CAPI Addons Ingress Controller
+          ingressClassName: nginx
+{{- end }}

charts/stfc-cloud-cert-manager/templates/self-signed-clusterissuer.yaml

@@ -0,0 +1,9 @@
+{{- if index .Values "cert-manager" "self-signed" "enabled" -}}
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: self-signed
+  namespace: {{ .Release.Namespace }}
+spec:
+  selfSigned: {}
+{{- end }}

charts/stfc-cloud-cert-manager/values.yaml

@@ -0,0 +1,15 @@
+cert-manager:
+  # Various issuers which are available
+  self-signed:
+    enabled: true
+
+  le-staging:
+    enabled: false
+
+  le-prod:
+    enabled: false
+    # Let's Encrypt will use this to contact you about expiring
+    # certificates, and issues related to your account.
+    email: "[email protected]"
+
+  installCRDs: true

charts/stfc-cloud-manila-csi/Chart.yaml

@@ -0,0 +1,12 @@
+apiVersion: v2
+name: stfc-cloud-manila-csi
+version: 1.0.0
+dependencies:
+# https://github.com/kubernetes/cloud-provider-openstack/tree/master/charts/cinder-csi-plugin
+- name: openstack-manila-csi
+  version: 2.31.0
+  repository: https://kubernetes.github.io/cloud-provider-openstack
+# https://github.com/ceph/ceph-csi/tree/devel/charts/ceph-csi-cephfs
+- name: ceph-csi-cephfs
+  version: 3.11.0
+  repository: https://ceph.github.io/csi-charts

charts/stfc-cloud-manila-csi/README.md

@@ -0,0 +1,24 @@
+# Manila
+
+This chart provides an opinionated installation of Manila CSI for the STFC Cloud. Using the [Manila CSI Helm Chart](https://github.com/kubernetes/cloud-provider-openstack/blob/master/docs/manila-csi-plugin/using-manila-csi-plugin.md) as a dependency chart.
+
+Manila is a service that provides shared filesystem for services. Manila CSI enables kubernetes services to provision and manage Manila shares. 
+
+See our Docs on [using Manila on Kubernetes](https://stfc.atlassian.net/wiki/spaces/SC/pages/117375031/Manila+on+Kubernetes) 
+
+
+# Pre-requisites
+
+Make sure that the project your cluster is built on is permitted to create shares and has spare share instances and share storage capacity - if not, raise a ticket to [email protected] 
+
+Create an application credential on your project for Manila-CSI to access openstack
+
+# Installation
+
+Make sure you have downloaded `clouds.yaml` file containing your application credential.
+
+```bash
+helm repo add cloud-charts https://stfc.github.io/cloud-helm-charts/
+helm repo update
+helm install manila-csi cloud-charts/stfc-cloud-manila-csi -n manila-csi --create-namespace -f path/to/clouds.yaml
+```

charts/stfc-cloud-manila-csi/templates/csi-manila-secret.yaml

@@ -0,0 +1,14 @@
+{{- range $cloud, $cfg := .Values.clouds }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: csi-manila-secret
+  namespace: {{ $.Release.Namespace }}
+type: Opaque
+data:
+  os-region: {{ $cfg.region_name | b64enc }}
+  os-authURL: {{ $cfg.auth.auth_url | b64enc }}
+  os-applicationCredentialID: {{ $cfg.auth.application_credential_id | b64enc }}
+  os-applicationCredentialSecret: {{ $cfg.auth.application_credential_secret | b64enc }}
+{{- end }}

charts/stfc-cloud-manila-csi/templates/manila-sc.yaml

@@ -0,0 +1,18 @@
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: csi-manila-cephfs
+provisioner: cephfs.manila.csi.openstack.org
+allowVolumeExpansion: true
+parameters:
+  # Manila share type
+  type: cephfs
+
+  csi.storage.k8s.io/provisioner-secret-name: csi-manila-secret
+  csi.storage.k8s.io/provisioner-secret-namespace: kube-system
+  csi.storage.k8s.io/controller-expand-secret-name: csi-manila-secret
+  csi.storage.k8s.io/controller-expand-secret-namespace: kube-system
+  csi.storage.k8s.io/node-stage-secret-name: csi-manila-secret
+  csi.storage.k8s.io/node-stage-secret-namespace: kube-system
+  csi.storage.k8s.io/node-publish-secret-name: csi-manila-secret
+  csi.storage.k8s.io/node-publish-secret-namespace: kube-system

charts/stfc-cloud-manila-csi/values.yaml

@@ -0,0 +1,11 @@
+openstack-manila-csi:
+  # Base name of the CSI Manila driver
+  driverName: manila.csi.openstack.org
+
+  # Enabled Manila share protocols
+  shareProtocols:
+  - protocolSelector: CEPHFS
+    fsGroupPolicy: None
+    fwdNodePluginEndpoint:
+      dir: /var/lib/kubelet/plugins/cephfs.csi.ceph.com
+      sockFile: csi.sock