Add certbot deploy configs (#848)

tools/certbot/certbot-bcmi.dc.yaml

@@ -0,0 +1,134 @@
+---
+apiVersion: v1
+kind: Template
+labels:
+  app: certbot
+metadata:
+  name: certbot-${APPLICATION_NAME}
+objects:
+  - apiVersion: v1
+    kind: ServiceAccount
+    metadata:
+      name: certbot
+  - apiVersion: v1
+    groupNames: null
+    kind: RoleBinding
+    metadata:
+      name: certbot_edit
+    roleRef:
+      name: edit
+    subjects:
+      - kind: ServiceAccount
+        name: certbot
+  - apiVersion: v1
+    kind: PersistentVolumeClaim
+    metadata:
+      name: certbot-${APPLICATION_NAME}
+    spec:
+      storageClassName: netapp-file-standard
+      accessModes:
+        - ReadWriteMany
+      resources:
+        requests:
+          storage: 100Mi
+  - apiVersion: batch/v1beta1
+    kind: CronJob
+    metadata:
+      name: certbot-${APPLICATION_NAME}
+    spec:
+      concurrencyPolicy: Replace
+      failedJobsHistoryLimit: 3
+      successfulJobsHistoryLimit: 3
+      startingDeadlineSeconds: 60
+      jobTemplate:
+        metadata:
+        spec:
+          backoffLimit: 6
+          activeDeadlineSeconds: 300
+          parallelism: 1
+          completions: 1
+          template:
+            metadata:
+              labels:
+                app: certbot
+            spec:
+              containers:
+                - name: certbot-${APPLICATION_NAME}
+                  image: "${IMAGE_REGISTRY}/${NAMESPACE}/${SOURCE_IMAGE_NAME}:${TAG_NAME}"
+                  imagePullPolicy: Always
+                  env:
+                    - name: CERTBOT_EMAIL
+                      valueFrom:
+                        secretKeyRef:
+                          name: certbot
+                          key: email
+                    - name: CERTBOT_DEBUG
+                      value: "${DEBUG}"
+                    - name: CERTBOT_DELETE_ACME_ROUTES
+                      value: "${DELETE_ACME_ROUTES}"
+                    - name: CERTBOT_STAGING
+                      value: "${CERTBOT_STAGING}"
+                    - name: CERTBOT_DRY_RUN
+                      value: "${DRYRUN}"
+                    - name: CERTBOT_SERVER
+                      valueFrom:
+                        secretKeyRef:
+                          name: certbot
+                          key: server
+                    - name: APPLICATION_NAME
+                      value: "${APPLICATION_NAME}"
+                  resources:
+                    requests:
+                      cpu: 50m
+                    limits:
+                      cpu: 250m
+                  volumeMounts:
+                    - mountPath: /etc/letsencrypt
+                      name: certbot-config
+              restartPolicy: Never
+              serviceAccountName: certbot
+              volumes:
+                - name: certbot-config
+                  persistentVolumeClaim:
+                    claimName: certbot-${APPLICATION_NAME}
+      schedule: "${CERTBOT_CRON_SCHEDULE}"
+      suspend: "${{CERTBOT_SUSPEND_CRON}}"
+
+parameters:
+  # https://crontab.guru/every-6-hours
+  - name: "CERTBOT_CRON_SCHEDULE"
+    required: false
+    value: "0 */12 * * *"
+    # Let's Encrypt Stage environment will help with non-prod cert renewals, so you don't hit limits
+  - name: "CERTBOT_STAGING"
+    required: true
+    value: "false"
+    # In environments using wildcard *.apps.silver.devops cert, you might want to create the cronjob for consistency, but suspend it
+  - name: "CERTBOT_SUSPEND_CRON"
+    required: false
+    value: "false"
+  - name: "DRYRUN"
+    required: false
+    value: "false"
+  - name: "DEBUG"
+    required: true
+    value: "false"
+  - name: "DELETE_ACME_ROUTES"
+    required: false
+    value: "true"
+    required: true
+    value: "f00029-tools"
+  - name: "IMAGE_REGISTRY"
+    description: The base OpenShift docker registry
+    displayName: Docker Image Registry
+    required: true
+    value: image-registry.openshift-image-registry.svc:5000
+  - name: "SOURCE_IMAGE_NAME"
+    required: false
+    value: "certbot"
+  - name: "TAG_NAME"
+    required: false
+    value: "latest"
+  - name: "APPLICATION_NAME"
+    value: "bcmi"
+    required: true

tools/certbot/certbot-nrced.dc.yaml

@@ -0,0 +1,135 @@
+---
+apiVersion: v1
+kind: Template
+labels:
+  app: certbot
+metadata:
+  name: certbot-${APPLICATION_NAME}
+objects:
+  - apiVersion: v1
+    kind: ServiceAccount
+    metadata:
+      name: certbot
+  - apiVersion: v1
+    groupNames: null
+    kind: RoleBinding
+    metadata:
+      name: certbot_edit
+    roleRef:
+      name: edit
+    subjects:
+      - kind: ServiceAccount
+        name: certbot
+  - apiVersion: v1
+    kind: PersistentVolumeClaim
+    metadata:
+      name: certbot-${APPLICATION_NAME}
+    spec:
+      storageClassName: netapp-file-standard
+      accessModes:
+        - ReadWriteMany
+      resources:
+        requests:
+          storage: 100Mi
+  - apiVersion: batch/v1beta1
+    kind: CronJob
+    metadata:
+      name: certbot-${APPLICATION_NAME}
+    spec:
+      concurrencyPolicy: Replace
+      failedJobsHistoryLimit: 3
+      successfulJobsHistoryLimit: 3
+      startingDeadlineSeconds: 60
+      jobTemplate:
+        metadata:
+        spec:
+          backoffLimit: 6
+          activeDeadlineSeconds: 300
+          parallelism: 1
+          completions: 1
+          template:
+            metadata:
+              labels:
+                app: certbot
+            spec:
+              containers:
+                - name: certbot-${APPLICATION_NAME}
+                  image: "${IMAGE_REGISTRY}/${NAMESPACE}/${SOURCE_IMAGE_NAME}:${TAG_NAME}"
+                  imagePullPolicy: Always
+                  env:
+                    - name: CERTBOT_EMAIL
+                      valueFrom:
+                        secretKeyRef:
+                          name: certbot
+                          key: email
+                    - name: CERTBOT_DEBUG
+                      value: "${DEBUG}"
+                    - name: CERTBOT_DELETE_ACME_ROUTES
+                      value: "${DELETE_ACME_ROUTES}"
+                    - name: CERTBOT_STAGING
+                      value: "${CERTBOT_STAGING}"
+                    - name: CERTBOT_DRY_RUN
+                      value: "${DRYRUN}"
+                    - name: CERTBOT_SERVER
+                      valueFrom:
+                        secretKeyRef:
+                          name: certbot
+                          key: server
+                    - name: APPLICATION_NAME
+                      value: "${APPLICATION_NAME}"
+                  resources:
+                    requests:
+                      cpu: 50m
+                    limits:
+                      cpu: 250m
+                  volumeMounts:
+                    - mountPath: /etc/letsencrypt
+                      name: certbot-config
+              restartPolicy: Never
+              serviceAccountName: certbot
+              volumes:
+                - name: certbot-config
+                  persistentVolumeClaim:
+                    claimName: certbot-${APPLICATION_NAME}
+      schedule: "${CERTBOT_CRON_SCHEDULE}"
+      suspend: "${{CERTBOT_SUSPEND_CRON}}"
+
+parameters:
+  # https://crontab.guru/every-6-hours
+  - name: "CERTBOT_CRON_SCHEDULE"
+    required: false
+    value: "0 */12 * * *"
+    # Let's Encrypt Stage environment will help with non-prod cert renewals, so you don't hit limits
+  - name: "CERTBOT_STAGING"
+    required: true
+    value: "false"
+    # In environments using wildcard *.apps.silver.devops cert, you might want to create the cronjob for consistency, but suspend it
+  - name: "CERTBOT_SUSPEND_CRON"
+    required: false
+    value: "false"
+  - name: "DRYRUN"
+    required: false
+    value: "false"
+  - name: "DEBUG"
+    required: true
+    value: "false"
+  - name: "DELETE_ACME_ROUTES"
+    required: false
+    value: "true"
+  - name: "NAMESPACE"
+    required: true
+    value: "f00029-tools"
+  - name: "IMAGE_REGISTRY"
+    description: The base OpenShift docker registry
+    displayName: Docker Image Registry
+    required: true
+    value: image-registry.openshift-image-registry.svc:5000
+  - name: "SOURCE_IMAGE_NAME"
+    required: false
+    value: "certbot"
+  - name: "TAG_NAME"
+    required: false
+    value: "latest"
+  - name: "APPLICATION_NAME"
+    value: "nrced"
+    required: true