From 3a6d578faa311275bf7585147839f62a1d582780 Mon Sep 17 00:00:00 2001 From: Massaki Archambault Date: Sat, 16 May 2020 22:17:14 -0400 Subject: [PATCH] install cert-manager --- Makefile | 4 +- kustomize/base/cert-manager/cert-manager.yaml | 7 ++ .../base/cert-manager/kustomization.yaml | 5 ++ .../base/gitea/drone-server-deployment.yaml | 5 ++ kustomize/base/gitea/gitea-deployment.yaml | 5 ++ .../base/kubernetes-dashboard/ingress.yaml | 23 +++++ .../kubernetes-dashboard/kustomization.yaml | 1 + .../base/nextcloud/nextcloud-deployment.yaml | 5 ++ .../dev/cert-manager/clusterissuer.yaml | 25 ++++++ .../dev/kubernetes-dashboard/ingress.yaml | 17 ---- kustomize/environment/dev/kustomization.yaml | 85 +++++++++++++------ .../dev/kustomizeconfig/clusterissuer.yaml | 6 ++ 12 files changed, 141 insertions(+), 47 deletions(-) create mode 100644 kustomize/base/cert-manager/cert-manager.yaml create mode 100644 kustomize/base/cert-manager/kustomization.yaml create mode 100644 kustomize/base/kubernetes-dashboard/ingress.yaml create mode 100644 kustomize/environment/dev/cert-manager/clusterissuer.yaml delete mode 100644 kustomize/environment/dev/kubernetes-dashboard/ingress.yaml create mode 100644 kustomize/environment/dev/kustomizeconfig/clusterissuer.yaml diff --git a/Makefile b/Makefile index e70a36c..47362cf 100644 --- a/Makefile +++ b/Makefile @@ -3,7 +3,7 @@ KUSTOMIZEFLAGS = --enable_alpha_plugins KUBECTL = kubectl KUBECTLFLAGS = -KUBECTLDIFFFLAGS = --server-side +KUBECTLDIFFFLAGS = KUBECTLAPPLYFLAGS = -l managed-by=kustomize --prune SRC := $(shell find kustomize/ -type f) @@ -33,7 +33,7 @@ clean: $(KUSTOMIZEOUT): $(SRC) @mkdir -p $(dir $(KUSTOMIZEOUT)) - $(KUSTOMIZE) build $(KUSTOMIZEFLAGS) $(KUSTOMIZEDIR) >$(KUSTOMIZEOUT) || rm $(KUSTOMIZEOUT) + $(KUSTOMIZE) build $(KUSTOMIZEFLAGS) $(KUSTOMIZEDIR) >$(KUSTOMIZEOUT) || (rm $(KUSTOMIZEOUT); exit 1) diff: $(KUSTOMIZEOUT) $(KUBECTL) $(KUBECTLFLAGS) diff $(KUBECTLDIFFFLAGS) -f $(KUSTOMIZEOUT) 
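Review bot: The new `|| (rm $(KUSTOMIZEOUT); exit 1)` in the `$(KUSTOMIZEOUT)` rule now propagates the failure, but it still relies on a manual cleanup per rule and leaves a moment where a partially written output exists with a fresh mtime. Make's `.DELETE_ON_ERROR:` special target does that removal for every rule, and writing atomically means a half-rendered manifest can never look up to date: `$(KUSTOMIZE) build $(KUSTOMIZEFLAGS) $(KUSTOMIZEDIR) >$@.tmp && mv -f $@.tmp $@`. Note also that with the `ssm-secrets.yaml` transformer enabled in the dev overlay elsewhere in this patch, the rendered `$(KUSTOMIZEOUT)` file presumably contains the resolved DigitalOcean token in plaintext, so it should be gitignored and removed by `clean` (neither is visible in this hunk — confirm). The reason for dropping `--server-side` from `KUBECTLDIFFFLAGS` is not stated; a one-line comment such as `# server-side diff fails on the cert-manager CRDs` (if that is the cause) would help.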
diff --git a/kustomize/base/cert-manager/cert-manager.yaml b/kustomize/base/cert-manager/cert-manager.yaml new file mode 100644 index 0000000..1325871 --- /dev/null +++ b/kustomize/base/cert-manager/cert-manager.yaml @@ -0,0 +1,7 @@ +apiVersion: badjware/v1 +kind: RemoteResources +metadata: + name: cert-manager +resources: + - url: https://github.com/jetstack/cert-manager/releases/download/v0.15.0/cert-manager.yaml + sha256: 255a558beaa4009f43aaf7f9aeadac9beca7b4e0d58c9c92cdf5aece3b3f2b2c \ No newline at end of file diff --git a/kustomize/base/cert-manager/kustomization.yaml b/kustomize/base/cert-manager/kustomization.yaml new file mode 100644 index 0000000..418b788 --- /dev/null +++ b/kustomize/base/cert-manager/kustomization.yaml @@ -0,0 +1,5 @@ +generators: + - cert-manager.yaml + +commonlabels: + app: cert-manager \ No newline at end of file diff --git a/kustomize/base/gitea/drone-server-deployment.yaml b/kustomize/base/gitea/drone-server-deployment.yaml index 0c84d9b..be81ad3 100644 --- a/kustomize/base/gitea/drone-server-deployment.yaml +++ b/kustomize/base/gitea/drone-server-deployment.yaml @@ -67,7 +67,12 @@ metadata: app: drone annotations: nginx.ingress.kubernetes.io/rewrite-target: / + cert-manager.io/cluster-issuer: letsencrypt spec: + tls: + - hosts: + - drone.127.0.0.1.nip.io + secretName: letsencrypt-cert rules: - host: drone.127.0.0.1.nip.io http: diff --git a/kustomize/base/gitea/gitea-deployment.yaml b/kustomize/base/gitea/gitea-deployment.yaml index bc9e8ca..3adc33a 100644 --- a/kustomize/base/gitea/gitea-deployment.yaml +++ b/kustomize/base/gitea/gitea-deployment.yaml @@ -118,7 +118,12 @@ metadata: app: gitea annotations: nginx.ingress.kubernetes.io/rewrite-target: / + cert-manager.io/cluster-issuer: letsencrypt spec: + tls: + - hosts: + - gitea.127.0.0.1.nip.io + secretName: letsencrypt-cert rules: - host: gitea.127.0.0.1.nip.io http: 
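Review bot: `secretName: letsencrypt-cert` added to `drone-ingress` is the same secret name the gitea Ingress in the same base (and the nextcloud and dashboard Ingresses) receives in this patch. If `drone-ingress` and `gitea-ingress` are deployed into the same namespace, cert-manager's ingress-shim creates two Certificate objects that both own that one Secret but request different `dnsNames`, so each issuance overwrites the other and the pair can churn until Let's Encrypt rate limits are hit. Give each Ingress its own secret, e.g. `secretName: drone-tls` here and `secretName: gitea-tls` in the gitea hunk. Separately, the base hosts are `*.127.0.0.1.nip.io` while the `letsencrypt` ClusterIssuer in this patch only carries a DNS-01 solver for `badjware.dev`, so a base build that is not overlaid yields Certificates no solver matches; a comment on the `cert-manager.io/cluster-issuer` annotation saying the hosts and issuer are meant to be patched per environment would make that explicit.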
diff --git a/kustomize/base/kubernetes-dashboard/ingress.yaml b/kustomize/base/kubernetes-dashboard/ingress.yaml new file mode 100644 index 0000000..641dc5c --- /dev/null +++ b/kustomize/base/kubernetes-dashboard/ingress.yaml @@ -0,0 +1,23 @@ +apiVersion: networking.k8s.io/v1beta1 +kind: Ingress +metadata: + name: kubernetes-dashboard-ingress + labels: + app: kubernetes-dashboard + annotations: + nginx.ingress.kubernetes.io/rewrite-target: / + nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" + cert-manager.io/cluster-issuer: letsencrypt +spec: + tls: + - hosts: + - kubernetes-dashboard.127.0.0.1.nip.io + secretName: letsencrypt-cert + rules: + - host: kubernetes-dashboard.127.0.0.1.nip.io + http: + paths: + - path: / + backend: + serviceName: kubernetes-dashboard + servicePort: 443 \ No newline at end of file diff --git a/kustomize/base/kubernetes-dashboard/kustomization.yaml b/kustomize/base/kubernetes-dashboard/kustomization.yaml index fd20fbd..26cda2f 100644 --- a/kustomize/base/kubernetes-dashboard/kustomization.yaml +++ b/kustomize/base/kubernetes-dashboard/kustomization.yaml @@ -1,5 +1,6 @@ resources: - admin-user.yaml + - ingress.yaml generators: - kubernetes-dashboard.yaml diff --git a/kustomize/base/nextcloud/nextcloud-deployment.yaml b/kustomize/base/nextcloud/nextcloud-deployment.yaml index 39fe753..82acf3f 100644 --- a/kustomize/base/nextcloud/nextcloud-deployment.yaml +++ b/kustomize/base/nextcloud/nextcloud-deployment.yaml @@ -83,7 +83,12 @@ metadata: app: nextcloud annotations: nginx.ingress.kubernetes.io/rewrite-target: / + cert-manager.io/cluster-issuer: letsencrypt spec: + tls: + - hosts: + - nextcloud.127.0.0.1.nip.io + secretName: letsencrypt-cert rules: - host: nextcloud.127.0.0.1.nip.io http: diff --git a/kustomize/environment/dev/cert-manager/clusterissuer.yaml b/kustomize/environment/dev/cert-manager/clusterissuer.yaml new file mode 100644 index 0000000..3793dc1 --- /dev/null 
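Review bot: The new `kubernetes-dashboard-ingress` publishes the dashboard on a public hostname with nothing in front of it but the dashboard's own login, and the `admin-user.yaml` listed alongside it in the same kustomization presumably creates a privileged account; with the dev overlay's `staging.badjware.dev` host and a Let's Encrypt certificate this becomes an internet-reachable path to whatever that account can do. Unless that is intended, restrict it at the ingress, e.g. `nginx.ingress.kubernetes.io/whitelist-source-range: "<your-ip>/32"`, or keep the dashboard on `kubectl proxy`/port-forward and drop the Ingress. `nginx.ingress.kubernetes.io/rewrite-target: /` is a no-op for `path: /` and can be removed. The deleted dev Ingress used `servicePort: http`, whereas this one uses `backend-protocol: "HTTPS"` with `servicePort: 443`; confirm the `kubernetes-dashboard` Service actually exposes port 443 or the backend will 502.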
+++ b/kustomize/environment/dev/cert-manager/clusterissuer.yaml @@ -0,0 +1,25 @@ +apiVersion: cert-manager.io/v1alpha2 +kind: ClusterIssuer +metadata: + name: letsencrypt + namespace: cert-manager +spec: + acme: + # You must replace this email address with your own. + # Let's Encrypt will use this to contact you about expiring + # certificates, and issues related to your account. + email: marchambault@badjware.dev + server: https://acme-v02.api.letsencrypt.org/directory + privateKeySecretRef: + # Secret resource that will be used to store the account's private key. + name: letsencrypt-cert + solvers: + - selector: + dnsZones: + - badjware.dev + dns01: + cnameStrategy: Follow + digitalocean: + tokenSecretRef: + name: digitalocean-api-key + key: access-token \ No newline at end of file diff --git a/kustomize/environment/dev/kubernetes-dashboard/ingress.yaml b/kustomize/environment/dev/kubernetes-dashboard/ingress.yaml deleted file mode 100644 index c37b33d..0000000 --- a/kustomize/environment/dev/kubernetes-dashboard/ingress.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: networking.k8s.io/v1beta1 -kind: Ingress -metadata: - name: kubernetes-dashboard-ingress - labels: - app: kubernetes-dashboard - annotations: - nginx.ingress.kubernetes.io/rewrite-target: / -spec: - rules: - - host: kubernetes-dashboard.staging.massaki.ca - http: - paths: - - path: / - backend: - serviceName: kubernetes-dashboard - servicePort: http \ No newline at end of file diff --git a/kustomize/environment/dev/kustomization.yaml b/kustomize/environment/dev/kustomization.yaml index 588af48..6ab20d7 100644 --- a/kustomize/environment/dev/kustomization.yaml +++ b/kustomize/environment/dev/kustomization.yaml 
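Review bot: The `letsencrypt` ClusterIssuer for the `dev` overlay points at the production ACME endpoint; for an environment whose hosts are `*.staging.badjware.dev` and whose Ingresses share one TLS secret name, repeated issuance can exhaust Let's Encrypt's per-domain rate limits and then block the real domain, so consider `server: https://acme-staging-v02.api.letsencrypt.org/directory` here (or a second staging issuer) and switch to production only once the wiring is confirmed. `privateKeySecretRef.name: letsencrypt-cert` holds the ACME account key, not a certificate, and reuses the name the Ingress TLS secrets get in this patch; `name: letsencrypt-account-key` would avoid the confusion. `ClusterIssuer` is cluster-scoped, so `metadata.namespace: cert-manager` is not a real field on it; if it was added so kustomize's name reference to the `digitalocean-api-key` Secret resolves, a comment saying so would save the next reader a trip. Finally, the DigitalOcean token handed to the dns01 solver is, for classic DO tokens, a full-account read/write credential, so the Secret in the `cert-manager` namespace should be treated as such — TODO confirm the token's scope.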
@@ -1,38 +1,20 @@ bases: - ../../base/ingress-nginx + - ../../base/cert-manager - ../../base/kubernetes-dashboard - ../../base/gitea - ../../base/nextcloud resources: - - kubernetes-dashboard/ingress.yaml + - cert-manager/clusterissuer.yaml -patchesJson6902: - - target: &ingress_target - group: networking.k8s.io - version: v1beta1 - kind: Ingress - name: nextcloud-ingress - patch: |- - - op: replace - path: /spec/rules/0/host - value: nextcloud.staging.massaki.ca - - target: - <<: *ingress_target - name: gitea-ingress - patch: |- - - op: replace - path: /spec/rules/0/host - value: gitea.staging.massaki.ca - - target: - <<: *ingress_target - name: drone-ingress - patch: |- - - op: replace - path: /spec/rules/0/host - value: drone.staging.massaki.ca +secretGenerator: + - name: digitalocean-api-key + type: Opaque + namespace: cert-manager + literals: + - 'access-token=${ssm:/prod/digitalocean/api_token}' -# secretGenerator: # - name: drone-gitea-oauth-secret # type: Opaque # namespace: gitea 
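Review bot: The `digitalocean-api-key` secretGenerator in the `dev` overlay resolves `${ssm:/prod/digitalocean/api_token}`, so the production DigitalOcean token is materialized into the dev cluster's `cert-manager` namespace, where anyone who can read Secrets there (or cert-manager itself, if compromised) obtains it. Give dev its own token under a dev-scoped parameter, e.g. `- 'access-token=${ssm:/dev/digitalocean/api_token}'`, and keep the prod token out of non-prod clusters. The generated Secret name will carry kustomize's hash suffix, which is presumably what the new `kustomizeconfig/clusterissuer.yaml` name reference exists to handle; a comment next to the generator pointing at that file would make the coupling visible.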
@@ -41,9 +23,56 @@ patchesJson6902: # - client_id=749cde98-9b3b-4e19-8933-2937e12625f2 # - client_secret=12wTErChjQQW3CGEzbDMiSxEt08i-abeB0pbRbXEKKg= +patchesJson6902: + - target: &ingress_target + group: networking.k8s.io + version: v1beta1 + kind: Ingress + name: kubernetes-dashboard-ingress + patch: |- + - op: replace + path: /spec/tls/0/hosts/0 + value: kubernetes-dashboard.staging.badjware.dev + - op: replace + path: /spec/rules/0/host + value: kubernetes-dashboard.staging.badjware.dev + - target: + <<: *ingress_target + name: nextcloud-ingress + patch: |- + - op: replace + path: /spec/tls/0/hosts/0 + value: nextcloud.staging.badjware.dev + - op: replace + path: /spec/rules/0/host + value: nextcloud.staging.badjware.dev + - target: + <<: *ingress_target + name: gitea-ingress + patch: |- + - op: replace + path: /spec/tls/0/hosts/0 + value: gitea.staging.badjware.dev + - op: replace + path: /spec/rules/0/host + value: gitea.staging.badjware.dev + - target: + <<: *ingress_target + name: drone-ingress + patch: |- + - op: replace + path: /spec/tls/0/hosts/0 + value: drone.staging.badjware.dev + - op: replace + path: /spec/rules/0/host + value: drone.staging.badjware.dev + # allow "kubectl apply -l managed-by=kustomize --prune ..." commonlabels: managed-by: kustomize -# transformers: -# - ssm-secrets.yaml \ No newline at end of file +transformers: + - ssm-secrets.yaml + +configurations: + - kustomizeconfig/clusterissuer.yaml diff --git a/kustomize/environment/dev/kustomizeconfig/clusterissuer.yaml b/kustomize/environment/dev/kustomizeconfig/clusterissuer.yaml new file mode 100644 index 0000000..e4c3acb --- /dev/null +++ b/kustomize/environment/dev/kustomizeconfig/clusterissuer.yaml @@ -0,0 +1,6 @@ +nameReference: + - version: v1 + kind: Secret + fieldSpecs: + - kind: ClusterIssuer + path: spec/acme/solvers/dns01/digitalocean/tokenSecretRef/name
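Review bot: `transformers: - ssm-secrets.yaml` is enabled here but the file is not added in this patch; if it already exists in the overlay that is fine, otherwise `kustomize build` will fail at first use — worth confirming before merge. The context lines just above the new `patchesJson6902` block still carry a commented-out `client_id`/`client_secret` pair for the drone OAuth secret; if those are real values they are in git history regardless and should be rotated, and the block would be better replaced by a `${ssm:...}` reference like the new DigitalOcean one. The four new patches replace `/spec/tls/0/hosts/0` and `/spec/rules/0/host` but leave `secretName: letsencrypt-cert` shared by every Ingress, so per-Ingress secret names still need to be set either in base or with an additional `- op: replace` / `path: /spec/tls/0/secretName` here.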