Feat: kube secret reference and version bump

.github/workflows/docker-pub.yml

@@ -0,0 +1,72 @@
+name: Docker Publish
+
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+on:
+  push:
+    branches: [ "main" ]
+    # Publish semver tags as releases.
+    tags: [ 'v*.*.*' ]
+
+env:
+  # Use docker.io for Docker Hub if empty
+  REGISTRY: ghcr.io
+  # github.repository as <account>/<repo>
+  IMAGE_NAME: ${{ github.repository }}
+
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      # This is used to complete the identity challenge
+      # with sigstore/fulcio when running outside of PRs.
+      id-token: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Setup Docker buildx
+        uses: docker/setup-buildx-action@v3
+
+      # Login against a Docker registry except on PR
+      # https://github.com/docker/login-action
+      - name: Log into registry ${{ env.REGISTRY }}
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      # Extract metadata (tags, labels) for Docker
+      # https://github.com/docker/metadata-action
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          # set latest tag for default branch
+          tags: |
+            type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'main') }}
+            type=semver,pattern={{version}}
+
+      # Build and push Docker image with Buildx (don't push on PR)
+      # https://github.com/docker/build-push-action
+      - name: Build and push Docker image
+        id: build-and-push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

.gitignore

@@ -1 +1,3 @@
 .DS_Store
+.github_token
+dist

.goreleaser.yml

@@ -0,0 +1,70 @@
+# This is an example .goreleaser.yml file with some sensible defaults.
+# Make sure to check the documentation at https://goreleaser.com
+
+# The lines below are called `modelines`. See `:help modeline`
+# Feel free to remove those if you don't want/need to use them.
+# yaml-language-server: $schema=https://goreleaser.com/static/schema.json
+# vim: set ts=2 sw=2 tw=0 fo=cnqoj
+
+version: 2
+
+before:
+  hooks:
+    # You may remove this if you don't use go modules.
+    - go mod tidy
+    # you may remove this if you don't need go generate
+    - go generate ./...
+
+builds:
+  - env: 
+      - CGO_ENABLED=0
+    binary: webhook
+    ldflags:
+      - -w -extldflags "-static"
+    goos:
+      - linux
+      #- windows
+      #- darwin
+    dir: .
+
+# dockers:
+#     - image_templates:
+#       - "ghcr.io/ice-bergtech/cert-manager-linode:{{.Version}}"
+#       - "ghcr.io/ice-bergtech/cert-manager-linode:latest"
+#       use: buildx
+#       goos: linux
+#       dockerfile: "Dockerfile"
+#       build_flag_templates:
+#         - "--pull"
+#         - "--platform=linux/amd64"
+
+archives:
+  - format: tar.gz
+    # this name template makes the OS and Arch compatible with the results of `uname`.
+    name_template: >-
+      {{ .ProjectName }}_
+      {{- title .Os }}_
+      {{- if eq .Arch "amd64" }}x86_64
+      {{- else if eq .Arch "386" }}i386
+      {{- else }}{{ .Arch }}{{ end }}
+      {{- if .Arm }}v{{ .Arm }}{{ end }}
+    # use zip for windows archives
+    format_overrides:
+      - goos: windows
+        format: zip
+
+changelog:
+  sort: asc
+  filters:
+    exclude:
+      - "^docs:"
+      - "^test:"
+
+release:
+  github:
+    owner: ice-bergtech
+    name: cert-manager-linode
+
+force_token: github
+env_files:
+  github_token: .github_token

Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.19-alpine3.16 AS build_deps
+FROM golang:1.23-alpine3.21 AS build_deps
 
 WORKDIR /src
 
@@ -13,7 +13,7 @@ COPY . .
 RUN CGO_ENABLED=0 go build -o webhook -ldflags '-w -extldflags "-static"' .
 
 
-FROM alpine:3.16
+FROM alpine:3.21
 
 RUN apk add --no-cache ca-certificates
 COPY --from=build /src/webhook /usr/local/bin/webhook

README.md

@@ -39,3 +39,54 @@ spec:
             config:
               apiKey: your-api-key
 ```
+
+Pass API Key with a Secret:
+
+```yaml
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-prod
+spec:
+  acme:
+    email: your-email-address
+    privateKeySecretRef:
+      name: letsencrypt-prod
+    server: https://acme-v02.api.letsencrypt.org/directory
+    solvers:
+      - dns01:
+          webhook:
+            groupName: acme.cluster.local
+            solverName: linode
+            config:
+              apiKeySecretRef:
+                name: linode-token
+                key: data
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: 'linode-token'
+  namespace: cert-manager
+stringData:
+  data: 'your-api-key'
+---
+```
+
+## Troubleshooting
+
+# Visibility
+
+Errors from the service will appear as events in cert-manager `challenge` resources.
+
+```
+Warning  PresentError  10m (x8 over 20m)  cert-manager-challenges  Error presenting challenge: kube secret error: issue fetching secret: resource name may not be empty
+```
+
+### Service account
+```
+linode.acme.cluster.local is forbidden: User "system:serviceaccount:cert-manager:cert-manager-chart" cannot create resource "linode" in API group "acme.cluster.local" at the cluster scope
+```
+
+Make sure the service account is references properly.
+In the chart, set the var `certManager.serviceAccountName` to the service account created by cert manager.

Taskfile.yml

@@ -0,0 +1,84 @@
+# https://taskfile.dev
+
+version: '3'
+
+vars:
+  GREETING: Hello, World!
+
+tasks:
+  default:
+    cmds:
+      - echo "{{.GREETING}}"
+    silent: true
+
+  build:
+    aliases:
+      - b
+    cmds:
+      - go mod tidy
+      - goreleaser release --snapshot --clean
+
+
+  setup:
+    cmds:
+      - go -version
+      - brew install goreleaser
+      - go install github.com/caarlos0/svu@latest
+
+  release:
+    aliases:
+      - r
+    cmds:
+      - task: tag
+      - task: publish
+
+  tag:
+    aliases:
+      - t
+    cmds:
+      - git tag "$($HOME/go/bin/svu next)"
+      - git push --tags
+
+  publish:
+    aliases:
+      - p
+    vars:
+      Version:
+        sh: git tag --contains HEAD | tail -n 1
+    cmds:
+      - goreleaser release --clean
+
+  pub-docker-manual:
+    cmds:
+      - task: publish-docker
+        vars: {IMAGE: "ghcr.io/ice-bergtech/cert-manager-linode:{{.Version}}"}
+      - task: publish-docker
+        vars: {IMAGE: "ghcr.io/ice-bergtech/cert-manager-linode:latest"}
+
+  publish-docker:
+    vars:
+      Version:
+        sh: git tag --contains HEAD | tail -n 1
+      IMAGE: "ghcr.io/ice-bergtech/cert-manager-linode:{{.Version}}"
+    aliases:
+      - pd
+    cmds:
+      - docker build . --pull --platform=linux/amd64 --tag {{.IMAGE}}
+      - docker push {{.IMAGE}}
+
+  edit-api:
+    aliases:
+      - ea
+    cmds:
+      - docker-compose -f docker/compose-api-edit.yml up -d  
+      - echo 'Viewer - https://127.0.0.1:4000'
+      - echo 'Editor - https://127.0.0.1:4001'
+
+  pre_data:
+    aliases: 
+      - pd
+    cmds:
+      - touch netdata.db && rm netdata.db
+      # find each csv and tsv files and load into sqlite db
+      - find ./data \( -name "*.csv" \) | xargs -I {} sh -c 'sqlite3 netdata.db -cmd ".mode csv" ".import {} data_{}"'
+      - find ./data \( -name "*.tsv" \) | xargs -I {} sh -c 'sqlite3 netdata.db -cmd ".mode tabs" ".import {} data_{}"'

chart/templates/deployment.yaml

@@ -30,6 +30,10 @@ spec:
           env:
             - name: GROUP_NAME
               value: {{ .Values.groupName | quote }}
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
           ports:
             - name: https
               containerPort: 443

chart/templates/rbac.yaml

@@ -31,6 +31,40 @@ subjects:
     name: {{ include "cert-manager-linode.fullname" . }}
     namespace: {{ .Release.Namespace }}
 ---
+# Grant the webhook permission to read the linode apikey from secrets
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "cert-manager-linode.fullname" . }}:secret-reader
+  labels:
+    app: {{ include "cert-manager-linode.name" . }}
+    chart: {{ include "cert-manager-linode.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "cert-manager-linode.fullname" . }}:secret-reader
+  labels:
+    app: {{ include "cert-manager-linode.name" . }}
+    chart: {{ include "cert-manager-linode.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "cert-manager-linode.fullname" . }}:secret-reader
+subjects:
+  - apiGroup: ""
+    kind: ServiceAccount
+    name: {{ include "cert-manager-linode.fullname" . }}
+    namespace: {{ .Release.Namespace }}
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata: