install cert-manager

Makefile

@@ -3,7 +3,7 @@ KUSTOMIZEFLAGS = --enable_alpha_plugins
 
 KUBECTL = kubectl
 KUBECTLFLAGS = 
-KUBECTLDIFFFLAGS = --server-side
+KUBECTLDIFFFLAGS =
 KUBECTLAPPLYFLAGS = -l managed-by=kustomize --prune
 
 SRC := $(shell find kustomize/ -type f)
@@ -33,7 +33,7 @@ clean:
 
 $(KUSTOMIZEOUT): $(SRC)
 	@mkdir -p $(dir $(KUSTOMIZEOUT))
-	$(KUSTOMIZE) build $(KUSTOMIZEFLAGS) $(KUSTOMIZEDIR) >$(KUSTOMIZEOUT) || rm $(KUSTOMIZEOUT)
+	$(KUSTOMIZE) build $(KUSTOMIZEFLAGS) $(KUSTOMIZEDIR) >$(KUSTOMIZEOUT) || (rm $(KUSTOMIZEOUT); exit 1)
 
 diff: $(KUSTOMIZEOUT)
 	$(KUBECTL) $(KUBECTLFLAGS) diff $(KUBECTLDIFFFLAGS) -f $(KUSTOMIZEOUT)

kustomize/base/cert-manager/cert-manager.yaml

@@ -0,0 +1,7 @@
+apiVersion: badjware/v1
+kind: RemoteResources
+metadata:
+  name: cert-manager
+resources:
+  - url: https://github.com/jetstack/cert-manager/releases/download/v0.15.0/cert-manager.yaml
+    sha256: 255a558beaa4009f43aaf7f9aeadac9beca7b4e0d58c9c92cdf5aece3b3f2b2c

kustomize/base/cert-manager/kustomization.yaml

@@ -0,0 +1,5 @@
+generators:
+  - cert-manager.yaml
+
+commonlabels:
+  app: cert-manager

kustomize/base/gitea/drone-server-deployment.yaml

@@ -67,7 +67,12 @@ metadata:
     app: drone
   annotations:
     nginx.ingress.kubernetes.io/rewrite-target: /
+    cert-manager.io/cluster-issuer: letsencrypt
 spec:
+  tls:
+    - hosts:
+        - drone.127.0.0.1.nip.io
+      secretName: letsencrypt-cert
   rules:
   - host: drone.127.0.0.1.nip.io
     http:

kustomize/base/gitea/gitea-deployment.yaml

@@ -118,7 +118,12 @@ metadata:
     app: gitea
   annotations:
     nginx.ingress.kubernetes.io/rewrite-target: /
+    cert-manager.io/cluster-issuer: letsencrypt
 spec:
+  tls:
+    - hosts:
+        - gitea.127.0.0.1.nip.io
+      secretName: letsencrypt-cert
   rules:
   - host: gitea.127.0.0.1.nip.io
     http:

kustomize/base/kubernetes-dashboard/ingress.yaml

@@ -0,0 +1,23 @@
+apiVersion: networking.k8s.io/v1beta1
+kind: Ingress
+metadata:
+  name: kubernetes-dashboard-ingress
+  labels:
+    app: kubernetes-dashboard
+  annotations:
+    nginx.ingress.kubernetes.io/rewrite-target: /
+    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+    cert-manager.io/cluster-issuer: letsencrypt
+spec:
+  tls:
+    - hosts:
+        - kubernetes-dashboard.127.0.0.1.nip.io
+      secretName: letsencrypt-cert
+  rules:
+    - host: kubernetes-dashboard.127.0.0.1.nip.io
+      http:
+        paths:
+        - path: /
+          backend:
+            serviceName: kubernetes-dashboard
+            servicePort: 443

kustomize/base/kubernetes-dashboard/kustomization.yaml

@@ -1,5 +1,6 @@
 resources:
   - admin-user.yaml
+  - ingress.yaml
 
 generators:
   - kubernetes-dashboard.yaml

kustomize/base/nextcloud/nextcloud-deployment.yaml

@@ -83,7 +83,12 @@ metadata:
     app: nextcloud
   annotations:
     nginx.ingress.kubernetes.io/rewrite-target: /
+    cert-manager.io/cluster-issuer: letsencrypt
 spec:
+  tls:
+    - hosts:
+        - nextcloud.127.0.0.1.nip.io
+      secretName: letsencrypt-cert
   rules:
   - host: nextcloud.127.0.0.1.nip.io
     http:

kustomize/environment/dev/cert-manager/clusterissuer.yaml

@@ -0,0 +1,25 @@
+apiVersion: cert-manager.io/v1alpha2
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt
+  namespace: cert-manager
+spec:
+  acme:
+    # You must replace this email address with your own.
+    # Let's Encrypt will use this to contact you about expiring
+    # certificates, and issues related to your account.
+    email: marchambault@badjware.dev
+    server: https://acme-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      # Secret resource that will be used to store the account's private key.
+      name: letsencrypt-cert
+    solvers:
+      - selector:
+          dnsZones:
+          - badjware.dev
+        dns01: 
+          cnameStrategy: Follow
+          digitalocean:
+            tokenSecretRef:
+              name: digitalocean-api-key
+              key: access-token

kustomize/environment/dev/kubernetes-dashboard/ingress.yaml

@@ -1,17 +0,0 @@
-apiVersion: networking.k8s.io/v1beta1
-kind: Ingress
-metadata:
-  name: kubernetes-dashboard-ingress
-  labels:
-    app: kubernetes-dashboard
-  annotations:
-    nginx.ingress.kubernetes.io/rewrite-target: /
-spec:
-  rules:
-  - host: kubernetes-dashboard.staging.massaki.ca
-    http:
-      paths:
-      - path: /
-        backend:
-          serviceName: kubernetes-dashboard
-          servicePort: http

kustomize/environment/dev/kustomization.yaml

@@ -1,38 +1,20 @@
 bases:
   - ../../base/ingress-nginx
+  - ../../base/cert-manager
   - ../../base/kubernetes-dashboard
   - ../../base/gitea
   - ../../base/nextcloud
 
 resources:
-  - kubernetes-dashboard/ingress.yaml
+  - cert-manager/clusterissuer.yaml
 
-patchesJson6902:
-  - target: &ingress_target
-      group: networking.k8s.io
-      version: v1beta1
-      kind: Ingress
-      name: nextcloud-ingress
-    patch: |-
-      - op: replace
-        path: /spec/rules/0/host
-        value: nextcloud.staging.massaki.ca
-  - target:
-      <<: *ingress_target
-      name: gitea-ingress
-    patch: |-
-      - op: replace
-        path: /spec/rules/0/host
-        value: gitea.staging.massaki.ca
-  - target:
-      <<: *ingress_target
-      name: drone-ingress
-    patch: |-
-      - op: replace
-        path: /spec/rules/0/host
-        value: drone.staging.massaki.ca
+secretGenerator:
+  - name: digitalocean-api-key
+    type: Opaque
+    namespace: cert-manager
+    literals:
+      - 'access-token=${ssm:/prod/digitalocean/api_token}'
 
-# secretGenerator:
 #   - name: drone-gitea-oauth-secret
 #     type: Opaque
 #     namespace: gitea
@@ -41,9 +23,56 @@ patchesJson6902:
 #       - client_id=749cde98-9b3b-4e19-8933-2937e12625f2
 #       - client_secret=12wTErChjQQW3CGEzbDMiSxEt08i-abeB0pbRbXEKKg=
 
+patchesJson6902:
+  - target: &ingress_target
+      group: networking.k8s.io
+      version: v1beta1
+      kind: Ingress
+      name: kubernetes-dashboard-ingress
+    patch: |-
+      - op: replace
+        path: /spec/tls/0/hosts/0
+        value: kubernetes-dashboard.staging.badjware.dev
+      - op: replace
+        path: /spec/rules/0/host
+        value: kubernetes-dashboard.staging.badjware.dev
+  - target:
+      <<: *ingress_target
+      name: nextcloud-ingress
+    patch: |-
+      - op: replace
+        path: /spec/tls/0/hosts/0
+        value: nextcloud.staging.badjware.dev
+      - op: replace
+        path: /spec/rules/0/host
+        value: nextcloud.staging.badjware.dev
+  - target:
+      <<: *ingress_target
+      name: gitea-ingress
+    patch: |-
+      - op: replace
+        path: /spec/tls/0/hosts/0
+        value: gitea.staging.badjware.dev
+      - op: replace
+        path: /spec/rules/0/host
+        value: gitea.staging.badjware.dev
+  - target:
+      <<: *ingress_target
+      name: drone-ingress
+    patch: |-
+      - op: replace
+        path: /spec/tls/0/hosts/0
+        value: drone.staging.badjware.dev
+      - op: replace
+        path: /spec/rules/0/host
+        value: drone.staging.badjware.dev
+
 # allow "kubectl apply -l managed-by=kustomize --prune ..."
 commonlabels:
   managed-by: kustomize
 
-# transformers:
-#   - ssm-secrets.yaml
+transformers:
+  - ssm-secrets.yaml
+
+configurations:
+  - kustomizeconfig/clusterissuer.yaml

kustomize/environment/dev/kustomizeconfig/clusterissuer.yaml

@@ -0,0 +1,6 @@
+nameReference:
+  - version: v1
+    kind: Secret
+    fieldSpecs:
+      - kind: ClusterIssuer
+        path: spec/acme/solvers/dns01/digitalocean/tokenSecretRef/name