install cert-manager
parent
88a34cb3d2
commit
3a6d578faa
4
Makefile
4
Makefile
|
@ -3,7 +3,7 @@ KUSTOMIZEFLAGS = --enable_alpha_plugins
|
||||||
|
|
||||||
KUBECTL = kubectl
|
KUBECTL = kubectl
|
||||||
KUBECTLFLAGS =
|
KUBECTLFLAGS =
|
||||||
KUBECTLDIFFFLAGS = --server-side
|
KUBECTLDIFFFLAGS =
|
||||||
KUBECTLAPPLYFLAGS = -l managed-by=kustomize --prune
|
KUBECTLAPPLYFLAGS = -l managed-by=kustomize --prune
|
||||||
|
|
||||||
SRC := $(shell find kustomize/ -type f)
|
SRC := $(shell find kustomize/ -type f)
|
||||||
|
@ -33,7 +33,7 @@ clean:
|
||||||
|
|
||||||
$(KUSTOMIZEOUT): $(SRC)
|
$(KUSTOMIZEOUT): $(SRC)
|
||||||
@mkdir -p $(dir $(KUSTOMIZEOUT))
|
@mkdir -p $(dir $(KUSTOMIZEOUT))
|
||||||
$(KUSTOMIZE) build $(KUSTOMIZEFLAGS) $(KUSTOMIZEDIR) >$(KUSTOMIZEOUT) || rm $(KUSTOMIZEOUT)
|
$(KUSTOMIZE) build $(KUSTOMIZEFLAGS) $(KUSTOMIZEDIR) >$(KUSTOMIZEOUT) || (rm $(KUSTOMIZEOUT); exit 1)
|
||||||
|
|
||||||
diff: $(KUSTOMIZEOUT)
|
diff: $(KUSTOMIZEOUT)
|
||||||
$(KUBECTL) $(KUBECTLFLAGS) diff $(KUBECTLDIFFFLAGS) -f $(KUSTOMIZEOUT)
|
$(KUBECTL) $(KUBECTLFLAGS) diff $(KUBECTLDIFFFLAGS) -f $(KUSTOMIZEOUT)
|
||||||
|
|
|
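Review bot: The new `|| (rm $(KUSTOMIZEOUT); exit 1)` hand-rolls what GNU Make already provides: a single `.DELETE_ON_ERROR:` at the top of the file removes a half-written `$(KUSTOMIZEOUT)` whenever its recipe fails, and the redirect should target `$@` rather than repeating the variable, e.g. `$(KUSTOMIZE) build $(KUSTOMIZEFLAGS) $(KUSTOMIZEDIR) >$@`. Because this commit's overlay enables the `ssm-secrets.yaml` transformer, the rendered file presumably now holds resolved secret values (the DigitalOcean token) in plaintext, so it should be treated as sensitive — created with `umask 077` in the recipe and removed by `clean`, with a comment on the rule saying so. The `clean` target and the `KUSTOMIZEOUT` definition lie outside this hunk.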
@ -0,0 +1,7 @@
|
||||||
|
apiVersion: badjware/v1
|
||||||
|
kind: RemoteResources
|
||||||
|
metadata:
|
||||||
|
name: cert-manager
|
||||||
|
resources:
|
||||||
|
- url: https://github.com/jetstack/cert-manager/releases/download/v0.15.0/cert-manager.yaml
|
||||||
|
sha256: 255a558beaa4009f43aaf7f9aeadac9beca7b4e0d58c9c92cdf5aece3b3f2b2c
|
|
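Review bot: The `sha256` pin on the release asset is the right supply-chain control, but nothing records how it was derived, so the next version bump is likely to paste a new URL without refreshing the digest, or refresh it from the same download it is meant to verify. A comment above the entry such as `# digest of the v0.15.0 release asset; recompute from a separately fetched copy when bumping` would make the procedure explicit. The `badjware/v1 RemoteResources` kind is a local alpha plugin (hence `--enable_alpha_plugins` in the Makefile); it presumably checks the digest before emitting anything, and it is worth confirming it fails closed on mismatch rather than warning and continuing.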
@ -0,0 +1,5 @@
|
||||||
|
generators:
|
||||||
|
- cert-manager.yaml
|
||||||
|
|
||||||
|
commonlabels:
|
||||||
|
app: cert-manager
|
|
@ -67,7 +67,12 @@ metadata:
|
||||||
app: drone
|
app: drone
|
||||||
annotations:
|
annotations:
|
||||||
nginx.ingress.kubernetes.io/rewrite-target: /
|
nginx.ingress.kubernetes.io/rewrite-target: /
|
||||||
|
cert-manager.io/cluster-issuer: letsencrypt
|
||||||
spec:
|
spec:
|
||||||
|
tls:
|
||||||
|
- hosts:
|
||||||
|
- drone.127.0.0.1.nip.io
|
||||||
|
secretName: letsencrypt-cert
|
||||||
rules:
|
rules:
|
||||||
- host: drone.127.0.0.1.nip.io
|
- host: drone.127.0.0.1.nip.io
|
||||||
http:
|
http:
|
||||||
|
|
|
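Review bot: Every Ingress touched by this commit uses `secretName: letsencrypt-cert`, which is also the `privateKeySecretRef` name of the new ClusterIssuer; should two of these objects ever share a namespace, cert-manager's ingress-shim would create Certificates writing the same Secret and they would overwrite each other. Give each host its own secret, e.g. `secretName: drone-tls`, and keep a distinct name for the ACME account key. The base host `drone.127.0.0.1.nip.io` is not under the issuer's `dnsZones` (`badjware.dev`), so no solver matches and the base manifest cannot issue on its own — acceptable if the base is never applied unpatched, but a comment stating that overlays must patch `/spec/tls/0/hosts/0` and `/spec/rules/0/host` together would prevent a half-patched Ingress. The Ingress definition starts above this hunk.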
@ -118,7 +118,12 @@ metadata:
|
||||||
app: gitea
|
app: gitea
|
||||||
annotations:
|
annotations:
|
||||||
nginx.ingress.kubernetes.io/rewrite-target: /
|
nginx.ingress.kubernetes.io/rewrite-target: /
|
||||||
|
cert-manager.io/cluster-issuer: letsencrypt
|
||||||
spec:
|
spec:
|
||||||
|
tls:
|
||||||
|
- hosts:
|
||||||
|
- gitea.127.0.0.1.nip.io
|
||||||
|
secretName: letsencrypt-cert
|
||||||
rules:
|
rules:
|
||||||
- host: gitea.127.0.0.1.nip.io
|
- host: gitea.127.0.0.1.nip.io
|
||||||
http:
|
http:
|
||||||
|
|
|
@ -0,0 +1,23 @@
|
||||||
|
apiVersion: networking.k8s.io/v1beta1
|
||||||
|
kind: Ingress
|
||||||
|
metadata:
|
||||||
|
name: kubernetes-dashboard-ingress
|
||||||
|
labels:
|
||||||
|
app: kubernetes-dashboard
|
||||||
|
annotations:
|
||||||
|
nginx.ingress.kubernetes.io/rewrite-target: /
|
||||||
|
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
|
||||||
|
cert-manager.io/cluster-issuer: letsencrypt
|
||||||
|
spec:
|
||||||
|
tls:
|
||||||
|
- hosts:
|
||||||
|
- kubernetes-dashboard.127.0.0.1.nip.io
|
||||||
|
secretName: letsencrypt-cert
|
||||||
|
rules:
|
||||||
|
- host: kubernetes-dashboard.127.0.0.1.nip.io
|
||||||
|
http:
|
||||||
|
paths:
|
||||||
|
- path: /
|
||||||
|
backend:
|
||||||
|
serviceName: kubernetes-dashboard
|
||||||
|
servicePort: 443
|
|
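Review bot: This publishes the Kubernetes Dashboard on a public hostname with a publicly trusted certificate and no access restriction on the Ingress; with `admin-user.yaml` in the same kustomization (presumably a privileged ServiceAccount), a leaked or guessed token yields cluster-level access from anywhere the ingress controller is reachable. Add a source restriction such as `nginx.ingress.kubernetes.io/whitelist-source-range: <admin CIDRs>` or an auth annotation, or reconsider whether the dashboard needs an Ingress at all versus `kubectl proxy`. `nginx.ingress.kubernetes.io/rewrite-target: /` combined with `path: /` is a no-op and can be dropped. As with the other Ingresses, `secretName: letsencrypt-cert` should be unique to this host, e.g. `kubernetes-dashboard-tls`.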
@ -1,5 +1,6 @@
|
||||||
resources:
|
resources:
|
||||||
- admin-user.yaml
|
- admin-user.yaml
|
||||||
|
- ingress.yaml
|
||||||
|
|
||||||
generators:
|
generators:
|
||||||
- kubernetes-dashboard.yaml
|
- kubernetes-dashboard.yaml
|
||||||
|
|
|
@ -83,7 +83,12 @@ metadata:
|
||||||
app: nextcloud
|
app: nextcloud
|
||||||
annotations:
|
annotations:
|
||||||
nginx.ingress.kubernetes.io/rewrite-target: /
|
nginx.ingress.kubernetes.io/rewrite-target: /
|
||||||
|
cert-manager.io/cluster-issuer: letsencrypt
|
||||||
spec:
|
spec:
|
||||||
|
tls:
|
||||||
|
- hosts:
|
||||||
|
- nextcloud.127.0.0.1.nip.io
|
||||||
|
secretName: letsencrypt-cert
|
||||||
rules:
|
rules:
|
||||||
- host: nextcloud.127.0.0.1.nip.io
|
- host: nextcloud.127.0.0.1.nip.io
|
||||||
http:
|
http:
|
||||||
|
|
|
@ -0,0 +1,25 @@
|
||||||
|
apiVersion: cert-manager.io/v1alpha2
|
||||||
|
kind: ClusterIssuer
|
||||||
|
metadata:
|
||||||
|
name: letsencrypt
|
||||||
|
namespace: cert-manager
|
||||||
|
spec:
|
||||||
|
acme:
|
||||||
|
# You must replace this email address with your own.
|
||||||
|
# Let's Encrypt will use this to contact you about expiring
|
||||||
|
# certificates, and issues related to your account.
|
||||||
|
email: marchambault@badjware.dev
|
||||||
|
server: https://acme-v02.api.letsencrypt.org/directory
|
||||||
|
privateKeySecretRef:
|
||||||
|
# Secret resource that will be used to store the account's private key.
|
||||||
|
name: letsencrypt-cert
|
||||||
|
solvers:
|
||||||
|
- selector:
|
||||||
|
dnsZones:
|
||||||
|
- badjware.dev
|
||||||
|
dns01:
|
||||||
|
cnameStrategy: Follow
|
||||||
|
digitalocean:
|
||||||
|
tokenSecretRef:
|
||||||
|
name: digitalocean-api-key
|
||||||
|
key: access-token
|
|
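Review bot: `privateKeySecretRef.name: letsencrypt-cert` names the ACME account private key, yet the same string is the `secretName` of every Ingress TLS secret in this commit; these are different kinds of key material and should not share a name — `name: letsencrypt-account-key` makes the distinction explicit and avoids a clash if an Ingress ever lands in the cert-manager namespace. `ClusterIssuer` is cluster-scoped, so `namespace: cert-manager` under `metadata` does nothing and should be removed; cert-manager resolves a ClusterIssuer's secrets in its cluster-resource namespace (cert-manager by default) regardless. The copied `# You must replace this email address with your own.` comment is stale now that `email` is set. Since the only overlay wiring this issuer is the staging one, consider `server: https://acme-staging-v02.api.letsencrypt.org/directory` until the DNS01 flow is proven, so a broken solver does not burn production rate limits.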
@ -1,17 +0,0 @@
|
||||||
apiVersion: networking.k8s.io/v1beta1
|
|
||||||
kind: Ingress
|
|
||||||
metadata:
|
|
||||||
name: kubernetes-dashboard-ingress
|
|
||||||
labels:
|
|
||||||
app: kubernetes-dashboard
|
|
||||||
annotations:
|
|
||||||
nginx.ingress.kubernetes.io/rewrite-target: /
|
|
||||||
spec:
|
|
||||||
rules:
|
|
||||||
- host: kubernetes-dashboard.staging.massaki.ca
|
|
||||||
http:
|
|
||||||
paths:
|
|
||||||
- path: /
|
|
||||||
backend:
|
|
||||||
serviceName: kubernetes-dashboard
|
|
||||||
servicePort: http
|
|
|
@ -1,38 +1,20 @@
|
||||||
bases:
|
bases:
|
||||||
- ../../base/ingress-nginx
|
- ../../base/ingress-nginx
|
||||||
|
- ../../base/cert-manager
|
||||||
- ../../base/kubernetes-dashboard
|
- ../../base/kubernetes-dashboard
|
||||||
- ../../base/gitea
|
- ../../base/gitea
|
||||||
- ../../base/nextcloud
|
- ../../base/nextcloud
|
||||||
|
|
||||||
resources:
|
resources:
|
||||||
- kubernetes-dashboard/ingress.yaml
|
- cert-manager/clusterissuer.yaml
|
||||||
|
|
||||||
patchesJson6902:
|
secretGenerator:
|
||||||
- target: &ingress_target
|
- name: digitalocean-api-key
|
||||||
group: networking.k8s.io
|
type: Opaque
|
||||||
version: v1beta1
|
namespace: cert-manager
|
||||||
kind: Ingress
|
literals:
|
||||||
name: nextcloud-ingress
|
- 'access-token=${ssm:/prod/digitalocean/api_token}'
|
||||||
patch: |-
|
|
||||||
- op: replace
|
|
||||||
path: /spec/rules/0/host
|
|
||||||
value: nextcloud.staging.massaki.ca
|
|
||||||
- target:
|
|
||||||
<<: *ingress_target
|
|
||||||
name: gitea-ingress
|
|
||||||
patch: |-
|
|
||||||
- op: replace
|
|
||||||
path: /spec/rules/0/host
|
|
||||||
value: gitea.staging.massaki.ca
|
|
||||||
- target:
|
|
||||||
<<: *ingress_target
|
|
||||||
name: drone-ingress
|
|
||||||
patch: |-
|
|
||||||
- op: replace
|
|
||||||
path: /spec/rules/0/host
|
|
||||||
value: drone.staging.massaki.ca
|
|
||||||
|
|
||||||
# secretGenerator:
|
|
||||||
# - name: drone-gitea-oauth-secret
|
# - name: drone-gitea-oauth-secret
|
||||||
# type: Opaque
|
# type: Opaque
|
||||||
# namespace: gitea
|
# namespace: gitea
|
||||||
|
@ -41,9 +23,56 @@ patchesJson6902:
|
||||||
# - client_id=749cde98-9b3b-4e19-8933-2937e12625f2
|
# - client_id=749cde98-9b3b-4e19-8933-2937e12625f2
|
||||||
# - client_secret=12wTErChjQQW3CGEzbDMiSxEt08i-abeB0pbRbXEKKg=
|
# - client_secret=12wTErChjQQW3CGEzbDMiSxEt08i-abeB0pbRbXEKKg=
|
||||||
|
|
||||||
|
patchesJson6902:
|
||||||
|
- target: &ingress_target
|
||||||
|
group: networking.k8s.io
|
||||||
|
version: v1beta1
|
||||||
|
kind: Ingress
|
||||||
|
name: kubernetes-dashboard-ingress
|
||||||
|
patch: |-
|
||||||
|
- op: replace
|
||||||
|
path: /spec/tls/0/hosts/0
|
||||||
|
value: kubernetes-dashboard.staging.badjware.dev
|
||||||
|
- op: replace
|
||||||
|
path: /spec/rules/0/host
|
||||||
|
value: kubernetes-dashboard.staging.badjware.dev
|
||||||
|
- target:
|
||||||
|
<<: *ingress_target
|
||||||
|
name: nextcloud-ingress
|
||||||
|
patch: |-
|
||||||
|
- op: replace
|
||||||
|
path: /spec/tls/0/hosts/0
|
||||||
|
value: nextcloud.staging.badjware.dev
|
||||||
|
- op: replace
|
||||||
|
path: /spec/rules/0/host
|
||||||
|
value: nextcloud.staging.badjware.dev
|
||||||
|
- target:
|
||||||
|
<<: *ingress_target
|
||||||
|
name: gitea-ingress
|
||||||
|
patch: |-
|
||||||
|
- op: replace
|
||||||
|
path: /spec/tls/0/hosts/0
|
||||||
|
value: gitea.staging.badjware.dev
|
||||||
|
- op: replace
|
||||||
|
path: /spec/rules/0/host
|
||||||
|
value: gitea.staging.badjware.dev
|
||||||
|
- target:
|
||||||
|
<<: *ingress_target
|
||||||
|
name: drone-ingress
|
||||||
|
patch: |-
|
||||||
|
- op: replace
|
||||||
|
path: /spec/tls/0/hosts/0
|
||||||
|
value: drone.staging.badjware.dev
|
||||||
|
- op: replace
|
||||||
|
path: /spec/rules/0/host
|
||||||
|
value: drone.staging.badjware.dev
|
||||||
|
|
||||||
# allow "kubectl apply -l managed-by=kustomize --prune ..."
|
# allow "kubectl apply -l managed-by=kustomize --prune ..."
|
||||||
commonlabels:
|
commonlabels:
|
||||||
managed-by: kustomize
|
managed-by: kustomize
|
||||||
|
|
||||||
# transformers:
|
transformers:
|
||||||
# - ssm-secrets.yaml
|
- ssm-secrets.yaml
|
||||||
|
|
||||||
|
configurations:
|
||||||
|
- kustomizeconfig/clusterissuer.yaml
|
||||||
|
|
|
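Review bot: The commented-out `client_secret=12wTErChjQQW3CGEzbDMiSxEt08i-abeB0pbRbXEKKg=` (and `client_id`) carried as context in this hunk is a literal OAuth secret in version control; this commit introduces exactly the mechanism to avoid that, so it should become a `${ssm:...}` literal under the new `secretGenerator` and the existing value rotated, since it is already in history. Enabling the `ssm-secrets.yaml` transformer also means `make` now renders the DigitalOcean token into the kustomize output file and presumably into the `kubectl diff` output — a comment next to `transformers:` noting that the rendered manifest is sensitive would help. `namespace: cert-manager` on the `digitalocean-api-key` generator is correct for a ClusterIssuer's `tokenSecretRef`, but a one-line comment saying why would stop someone from "fixing" it to an application namespace. The file's first hunk starts at line 1, so the whole kustomization is in view.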
@ -0,0 +1,6 @@
|
||||||
|
nameReference:
|
||||||
|
- version: v1
|
||||||
|
kind: Secret
|
||||||
|
fieldSpecs:
|
||||||
|
- kind: ClusterIssuer
|
||||||
|
path: spec/acme/solvers/dns01/digitalocean/tokenSecretRef/name
|