chore(workflow): add acme config

Author: duanhongyi

_scripts/install.sh

@@ -196,7 +196,12 @@ additionalArguments:
 - "--entrypoints.name.http3"
 - "--providers.kubernetesingress.allowEmptyServices=true"
 EOF
-  helm install cert-manager drycc/cert-manager --namespace cert-manager --create-namespace --set installCRDs=true --wait
+  helm install cert-manager drycc/cert-manager \
+    --namespace cert-manager \
+    --create-namespace \
+    --set clusterResourceNamespace=drycc \
+    --set installCRDs=true --wait
+
   helm install catalog drycc/catalog \
     --set asyncBindingOperationsEnabled=true \
     --set image=docker.io/drycc/service-catalog:canary \
@@ -305,6 +310,9 @@ EOF
     --set database.persistence.enabled=true \
     --set database.persistence.size=${DATABASE_PERSISTENCE_SIZE:-5Gi} \
     --set database.persistence.storageClass=${DATABASE_PERSISTENCE_STORAGE_CLASS:-""} \
+    --set acme.server=${ACME_SERVER:-"https://acme-v02.api.letsencrypt.org/directory"} \
+    --set acme.externalAccountBinding.keyID=${ACME_EAB_KEY_ID:-""} \
+    --set acme.externalAccountBinding.keySecret=${ACME_EAB_KEY_SECRET:-""} \
     --namespace drycc \
     --values /tmp/drycc-values.yaml \
     --create-namespace --wait --timeout 30m0s

charts/workflow/templates/drycc-cluster-issuer-secret.yaml

@@ -0,0 +1,11 @@
+{{- if and (not (empty .Values.acme.externalAccountBinding.keyID)) (not (empty .Values.acme.externalAccountBinding.keySecret)) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: drycc-cluster-issuer-secret
+  labels:
+    heritage: drycc
+type: Opaque
+data:
+  secret: {{.Values.acme.externalAccountBinding.keySecret | b64enc }}
+{{- end }}

charts/workflow/templates/drycc-cluster-issuer.yaml

@@ -4,10 +4,17 @@ metadata:
   name: drycc-cluster-issuer
 spec:
   acme:
-    # The ACME server URL
-    server: https://acme-v02.api.letsencrypt.org/directory
     # Email address used for ACME registration
     email: "{{ .Values.global.email }}"
+    # The ACME server URL
+    server: "{{ .Values.acme.server }}"
+    {{ if and (not (empty .Values.acme.externalAccountBinding.keyID)) (not (empty .Values.acme.externalAccountBinding.keySecret)) }}
+    externalAccountBinding:
+      keyID: {{ .Values.acme.externalAccountBinding.keyID }}
+      keySecretRef:
+        name: drycc-cluster-issuer-secret
+        key: secret
+    {{ end }}
     # Name of a secret used to store the ACME account private key
     privateKeySecretRef:
       name: drycc-cluster-issuer

charts/workflow/templates/objectstorage-secret.yaml

@@ -41,6 +41,6 @@ data:
   accesskey: {{ .Values.minio.accesskey | b64enc }}
   secretkey: {{ .Values.minio.secretkey | b64enc }}
   builder-bucket: {{ .Values.minio.builderBucket | b64enc }}
-  registry-bucket: {{.Values.minio.registryBucket | b64enc }}
-  database-bucket: {{.Values.minio.databaseBucket | b64enc }}
+  registry-bucket: {{ .Values.minio.registryBucket | b64enc }}
+  database-bucket: {{ .Values.minio.databaseBucket | b64enc }}
 {{ end }}

charts/workflow/values.yaml

@@ -3,8 +3,6 @@
 global:
   # Admin email, used for each component to send email to administrator
   email: "drycc@drycc.cc"
-  # Whether to use the template defined by common
-  common: true
   # Set the storage backend
   #
   # Valid values are:
@@ -81,7 +79,7 @@ global:
   #
   # This will be the hostname that is used to build endpoints such as "drycc.$HOSTNAME"
   platformDomain: ""
-  # Whether cert_manager is enabled to automatically generate drycc certificates
+  # Whether certManagerEnabled is true to automatically generate drycc certificates
   certManagerEnabled: true
   # Set the location of Workflow's passport
   #
@@ -168,13 +166,6 @@ builder:
     # If service.type is not set to NodePort, the following statement will be ignored.
     nodePort: ""
 
-#
-passport:
-  # Set passport deployment replicas
-  replicas: 1
-  # Configuring this will no longer use the built-in database component
-  databaseUrl: ""
-
 controller:
   appImagePullPolicy: "IfNotPresent"
   # Possible values are:
@@ -308,3 +299,17 @@ registry:
   organization: ""
   username: ""
   password: ""
+
+passport:
+  # Set passport deployment replicas
+  replicas: 1
+  # Configuring this will no longer use the built-in database component
+  databaseUrl: ""
+
+# acme configuration takes effect if and only if certManagerEnabled is true
+acme:
+  server: https://acme-v02.api.letsencrypt.org/directory
+  #  EAB credentials
+  externalAccountBinding:
+    keyID: ""
+    keySecret: ""

src/installing-workflow/system-requirements.md

@@ -11,7 +11,7 @@ Drycc Workflow requires Kubernetes v1.16.15 or later.
 Drycc uses ingress as a routing implementation, so you have to choose an ingress.
 We recommend using [nginx-ingress](https://github.com/helm/charts/tree/master/stable/nginx-ingress) or [traefik-ingress](https://github.com/helm/charts/tree/master/stable/traefik), which we have adapted to allowlist and force TLS functions.
 
-Workflow supports the use of ACME to manage automatic certificates, [cert-manager](https://github.com/helm/charts/tree/master/stable/cert-manager) is also one of the necessary components.
+Workflow supports the use of ACME to manage automatic certificates, [cert-manager](https://github.com/helm/charts/tree/master/stable/cert-manager) is also one of the necessary components, if you use cert-manager EAB, you need to set the `clusterResourceNamespace` to the namespace of drycc.
 
 Workflow supports stateful apps. You can create and use them through the 'drycc volumes' command. If you want to use this feature, you must have a `StorageClass` that supports `ReadWriteMany`.
 

src/quickstart/install-workflow.md

@@ -198,6 +198,9 @@ HELMBROKER_PERSISTENCE_STORAGE_CLASS       | StorangeClass of `helmbroker`; defa
 K3S_DATA_DIR                               | The config of k3s data dir; If not set, the default path is used
 DEFAULT_STORAGE_CLASS                      | K3s default stroageclass, If not set, the `openebs-hostpath` stroageclass is used
 LOCAL_PROVISIONER_PATH                     | Local path storage path, If not set, the `/var/openebs/local` path is used
+ACME_SERVER                                | ACME Server url, default use letsencrypt
+ACME_EAB_KEY_ID                            | The key ID of which your external account binding is indexed by the external account
+ACME_EAB_KEY_SECRET                        | The key Secret of which your external account symmetric MAC key
 
 Since the installation script will install k3s, other environment variables can refer to k3s installation [environment variables](https://rancher.com/docs/k3s/latest/en/installation/install-options/).