chore(workflow): add acme config

duanhongyi · duanhongyi · commit 6fe292232779 · 2022-03-18T09:02:55.000+08:00
diff --git a/_scripts/install.sh b/_scripts/install.sh
@@ -305,6 +305,9 @@ EOF
     --set database.persistence.enabled=true \
     --set database.persistence.size=${DATABASE_PERSISTENCE_SIZE:-5Gi} \
     --set database.persistence.storageClass=${DATABASE_PERSISTENCE_STORAGE_CLASS:-""} \
+    --set acme.server=${ACME_SERVER:-"https://acme-v02.api.letsencrypt.org/directory"} \
+    --set acme.externalAccountBinding.keyID=${ACME_EAB_KEY_ID:-""} \
+    --set acme.externalAccountBinding.keySecret=${ACME_EAB_KEY_SECRET:-""} \
     --namespace drycc \
     --values /tmp/drycc-values.yaml \
     --create-namespace --wait --timeout 30m0s
diff --git a/charts/workflow/templates/drycc-cluster-issuer-secret.yaml b/charts/workflow/templates/drycc-cluster-issuer-secret.yaml
@@ -0,0 +1,11 @@
+{{- if and (not (empty .Values.acme.externalAccountBinding.keyID)) (not (empty .Values.acme.externalAccountBinding.keySecret)) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: drycc-cluster-issuer-secret
+  labels:
+    heritage: drycc
+type: Opaque
+data:
+  secret: {{.Values.acme.externalAccountBinding.keySecret | b64enc }}
+{{- end }}
diff --git a/charts/workflow/templates/drycc-cluster-issuer.yaml b/charts/workflow/templates/drycc-cluster-issuer.yaml
@@ -4,10 +4,17 @@ metadata:
   name: drycc-cluster-issuer
 spec:
   acme:
-    # The ACME server URL
-    server: https://acme-v02.api.letsencrypt.org/directory
     # Email address used for ACME registration
     email: "{{ .Values.global.email }}"
+    # The ACME server URL
+    server: "{{ .Values.acme.server }}"
+    {{ if and (not (empty .Values.acme.externalAccountBinding.keyID)) (not (empty .Values.acme.externalAccountBinding.keySecret)) }}
+    externalAccountBinding:
+      keyID: {{ .Values.acme.externalAccountBinding.keyID }}
+      keySecretRef:
+        name: drycc-cluster-issuer-secret
+        key: secret
+    {{ end }}
     # Name of a secret used to store the ACME account private key
     privateKeySecretRef:
       name: drycc-cluster-issuer
diff --git a/charts/workflow/templates/objectstorage-secret.yaml b/charts/workflow/templates/objectstorage-secret.yaml
@@ -41,6 +41,6 @@ data:
   accesskey: {{ .Values.minio.accesskey | b64enc }}
   secretkey: {{ .Values.minio.secretkey | b64enc }}
   builder-bucket: {{ .Values.minio.builderBucket | b64enc }}
-  registry-bucket: {{.Values.minio.registryBucket | b64enc }}
-  database-bucket: {{.Values.minio.databaseBucket | b64enc }}
+  registry-bucket: {{ .Values.minio.registryBucket | b64enc }}
+  database-bucket: {{ .Values.minio.databaseBucket | b64enc }}
 {{ end }}
diff --git a/charts/workflow/values.yaml b/charts/workflow/values.yaml
@@ -3,8 +3,6 @@
 global:
   # Admin email, used for each component to send email to administrator
   email: "drycc@drycc.cc"
-  # Whether to use the template defined by common
-  common: true
   # Set the storage backend
   #
   # Valid values are:
@@ -81,7 +79,7 @@ global:
   #
   # This will be the hostname that is used to build endpoints such as "drycc.$HOSTNAME"
   platformDomain: ""
-  # Whether cert_manager is enabled to automatically generate drycc certificates
+  # Whether certManagerEnabled is true to automatically generate drycc certificates
   certManagerEnabled: true
   # Set the location of Workflow's passport
   #
@@ -168,13 +166,6 @@ builder:
     # If service.type is not set to NodePort, the following statement will be ignored.
     nodePort: ""
 
-#
-passport:
-  # Set passport deployment replicas
-  replicas: 1
-  # Configuring this will no longer use the built-in database component
-  databaseUrl: ""
-
 controller:
   appImagePullPolicy: "IfNotPresent"
   # Possible values are:
@@ -308,3 +299,17 @@ registry:
   organization: ""
   username: ""
   password: ""
+
+passport:
+  # Set passport deployment replicas
+  replicas: 1
+  # Configuring this will no longer use the built-in database component
+  databaseUrl: ""
+
+# acme configuration takes effect if and only if certManagerEnabled is true
+acme:
+  server: https://acme-v02.api.letsencrypt.org/directory
+  #  EAB credentials
+  externalAccountBinding:
+    keyID: ""
+    keySecret: ""
diff --git a/src/quickstart/install-workflow.md b/src/quickstart/install-workflow.md
@@ -198,6 +198,9 @@ HELMBROKER_PERSISTENCE_STORAGE_CLASS       | StorangeClass of `helmbroker`; defa
 K3S_DATA_DIR                               | The config of k3s data dir; If not set, the default path is used
 DEFAULT_STORAGE_CLASS                      | K3s default stroageclass, If not set, the `openebs-hostpath` stroageclass is used
 LOCAL_PROVISIONER_PATH                     | Local path storage path, If not set, the `/var/openebs/local` path is used
+ACME_SERVER                                | ACME Server url, default use letsencrypt
+ACME_EAB_KEY_ID                            | The key ID of which your external account binding is indexed by the external account
+ACME_EAB_KEY_SECRET                        | The key Secret of which your external account symmetric MAC key
 
 Since the installation script will install k3s, other environment variables can refer to k3s installation [environment variables](https://rancher.com/docs/k3s/latest/en/installation/install-options/).
 
