projectsyn · bastjan · Jan 16, 2025 · Jan 16, 2025
@@ -22,6 +22,8 @@ parameters:
           ingress:
             class: 'nginx'
     secrets: {}
+    cluster_issuers: {}
+    issuers: {}
     acme_dns_api: {}
     # acme_dns_api:
     #   endpoint: acme-dns-api.example.com

@@ -48,6 +48,9 @@ local secrets = [
   for s in std.objectFields(params.secrets)
 ];
 
+local issuers = com.generateResources(params.issuers, cm.issuer);
+local clusterIssuers = com.generateResources(params.cluster_issuers, cm.clusterIssuer);
+
 local acmedns = import 'acme-dns.libsonnet';
 
 {
@@ -56,8 +59,9 @@ local acmedns = import 'acme-dns.libsonnet';
     [
       if params.letsencrypt_clusterissuers.staging then letsencrypt_staging,
       if params.letsencrypt_clusterissuers.production then letsencrypt_production,
-    ]
+    ] + clusterIssuers
   ),
+  '05_issuer': issuers,
   [if std.length(secrets) > 0 then '10_solver_secrets']:
     secrets,
   [if std.objectHas(acmedns, 'manifests') then '20_acme_dns']:

@@ -127,6 +127,36 @@ By default, secrets are created in the namespace in which cert-manager is deploy
 
 See the https://cert-manager.io/docs/configuration/acme/dns01/[cert-manager documentation] for DNS01 solvers which are supported by cert-manager.
 
+== `cluster_issuers`, `issuers`
+
+[horizontal]
+type:: dictionary
+default:: `{}`
+example::
++
+[source,yaml]
+----
+issuers:
+  ca-issuer:
+    metadata:
+      namespace: mesh-system
+    spec:
+      ca:
+        secretName: ca-key-pair
+
+cluster_issuers:
+  ca-issuer:
+    spec:
+      ca:
+        secretName: ca-key-pair
+----
+
+Dictionaries holding issuers and cluster issuers.
+Each key in the dictionary is used as the name of an issuer.
+The value of the key is merged directly into an empty Kubernetes `(Cluster)Issuer` resource.
+
+See the https://cert-manager.io/docs/concepts/issuer/[cert-manager documentation] for how to configure such issuers.
+
 == `acme_dns_api`
 
 [horizontal]

@@ -18,5 +18,19 @@ parameters:
         - example.com
         - apps.example.com
 
+    issuers:
+      ca-issuer:
+        metadata:
+          namespace: mesh-system
+        spec:
+          ca:
+            secretName: ca-key-pair
+
+    cluster_issuers:
+      ca-issuer:
+        spec:
+          ca:
+            secretName: ca-key-pair
+
   prometheus:
     defaultInstance: infra-monitoring
@@ -33,3 +33,14 @@ spec:
       - http01:
           ingress:
             class: nginx
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  annotations: {}
+  labels:
+    name: ca-issuer
+  name: ca-issuer
+spec:
+  ca:
+    secretName: ca-key-pair
@@ -0,0 +1,11 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  annotations: {}
+  labels:
+    name: ca-issuer
+  name: ca-issuer
+  namespace: mesh-system
+spec:
+  ca:
+    secretName: ca-key-pair