From 0281aa0aca38210601498e840ee2c9e90035f832 Mon Sep 17 00:00:00 2001
From: Edward Cheng
Date: Wed, 12 Jun 2024 17:51:55 +1000
Subject: [PATCH] add app clusterissuer
---
 .../apps/clusterissuer/clusterissuer.yaml | 21 +++++
 .../apps/clusterissuer/kustomization.yaml | 5 ++
 kubernetes/apps/clusterissuer/release.yaml | 82 +++++++++++++++++++
 kubernetes/apps/clusterissuer/secret.yaml | 21 +++++
 .../apps/prometheus-operator/release.yaml | 12 ---
 .../repos/home-cluster-ops-secrets.yaml | 2 +-
 .../repositories/repositories.yaml | 2 +-
 7 files changed, 131 insertions(+), 14 deletions(-)
 create mode 100644 kubernetes/apps/clusterissuer/clusterissuer.yaml
 create mode 100644 kubernetes/apps/clusterissuer/kustomization.yaml
 create mode 100644 kubernetes/apps/clusterissuer/release.yaml
 create mode 100644 kubernetes/apps/clusterissuer/secret.yaml
diff --git a/kubernetes/apps/clusterissuer/clusterissuer.yaml b/kubernetes/apps/clusterissuer/clusterissuer.yaml
new file mode 100644
index 0000000..b7c3614
--- /dev/null
+++ b/kubernetes/apps/clusterissuer/clusterissuer.yaml
@@ -0,0 +1,21 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: clusterissuers
+ namespace: flux-system
+spec:
+ suspend: true
+ interval: 1h
+ targetNamespace: cert-manager
+ path: ./kubernetes/templates/apps/cert-manager/issuers
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ namespace: flux-system
+ name: flux-system
+ dependsOn:
+ - name: clusterissuer-secrets
+ postBuild:
+ substituteFrom:
+ - kind: Secret
+ name: clusterissuer-secrets
\ No newline at end of file
diff --git a/kubernetes/apps/clusterissuer/kustomization.yaml b/kubernetes/apps/clusterissuer/kustomization.yaml
new file mode 100644
index 0000000..54443a1
--- /dev/null
+++ b/kubernetes/apps/clusterissuer/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - secret.yaml
+ - clusterissuer.yaml
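Review bot: Both new Flux Kustomizations are created with `suspend: true` (here, and `clusterissuer-secrets` in secret.yaml), so nothing in this commit reconciles until someone runs `flux resume kustomization clusterissuers` and the same for `clusterissuer-secrets`; if that staging is intentional, say so next to the flag, e.g. `# suspended until the SOPS-managed Secret exists; resume with: flux resume kustomization clusterissuers`. `postBuild.substituteFrom` resolves the Secret `clusterissuer-secrets` in this Kustomization's own namespace (`flux-system`), while the `clusterissuer-secrets` Kustomization sets no `targetNamespace`, so the decrypted Secret has to carry `namespace: flux-system` itself for the substitution to find it — worth confirming against the encrypted manifest, which is not in this diff. The `dependsOn` entry also omits `namespace`, unlike the entries in secret.yaml and release.yaml; it defaults to the same namespace, so adding `namespace: flux-system` is for consistency only. The file also ends without a trailing newline.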
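Review bot: `resources` lists only `secret.yaml` and `clusterissuer.yaml`; `release.yaml`, added in the same directory by this commit, is not referenced here, and the `clusterissuers` Kustomization points at `./kubernetes/templates/apps/cert-manager/issuers` rather than this directory, so unless something outside this diff picks it up the HelmRelease is never applied. If it belongs to this app, add `- release.yaml` to the list; if it is applied from the templates path instead, a one-line comment saying so would save the next reader the search.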
diff --git a/kubernetes/apps/clusterissuer/release.yaml b/kubernetes/apps/clusterissuer/release.yaml
new file mode 100644
index 0000000..aaac1f3
--- /dev/null
+++ b/kubernetes/apps/clusterissuer/release.yaml
@@ -0,0 +1,82 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: clusterissuer
+ namespace: clusterissuer
+spec:
+ releaseName: clusterissuer
+ chart:
+ spec:
+ chart: clusterissuer
+ sourceRef:
+ kind: HelmRepository
+ name: truecharts
+ namespace: flux-system
+ interval: 5m
+ install:
+ remediation:
+ retries: 3
+ dependsOn:
+ - name: cert-manager
+ namespace: flux-system
+ - name: repositories
+ namespace: flux-system
+ values:
+ image:
+ repository: hello-world
+ tag: latest@sha256:266b191e926f65542fa8daaec01a192c4d292bff79426f47300a046e1bc576fd
+ pullPolicy: IfNotPresent
+ manifestManager:
+ enabled: true
+ workload:
+ main:
+ enabled: true
+ podSpec:
+ containers:
+ main:
+ enabled: true
+ probes:
+ liveness:
+ enabled: false
+ readiness:
+ enabled: false
+ startup:
+ enabled: false
+ service:
+ main:
+ enabled: true
+ ports:
+ main:
+ enabled: true
+ port: 9999
+ portal:
+ open:
+ enabled: true
+ operator:
+ cert-manager:
+ namespace: cert-manager
+
+ clusterIssuer:
+ ACME:
+ - name: letsencrypt
+ # Used for both logging in to the DNS provider AND ACME registration
+ email: ${email}
+ server: 'https://acme-v02.api.letsencrypt.org/directory'
+ # Used primarily for the SCALE GUI
+ customServer: 'https://acme-v02.api.letsencrypt.org/directory'
+ # Options: HTTP01, cloudflare, route53, akamai, digitalocean, rfc2136, acmedns
+ type: "cloudflare"
+ # for cloudflare
+ cfapitoken: ${cloudflare_api_token}
+
+ clusterCertificates:
+ # Namespaces in which the certificates must be available
+ # Accepts comma-separated regex expressions
+ # replicationNamespaces: 'ix-.*'
+ certificates:
+ - name: cluster-certificate
+ enabled: true
+ certificateIssuer: ACME
+ hosts:
+ - ${cluster_cert_domain}
+ - ${cluster_cert_domain_wildcard}
\ No newline at end of file
diff --git a/kubernetes/apps/clusterissuer/secret.yaml b/kubernetes/apps/clusterissuer/secret.yaml
new file mode 100644
index 0000000..dc23af4
--- /dev/null
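Review bot: `cfapitoken: ${cloudflare_api_token}` puts the Cloudflare API token into HelmRelease `values`; after post-build substitution the plaintext token lives in the HelmRelease object in namespace `clusterissuer` and in the Helm release storage Secret, readable by anyone with `get` on HelmReleases there, which is a wider audience than the SOPS-protected source Secret. Keep the token in a Secret in that namespace and inject it with `spec.valuesFrom` (below; names are placeholders), removing `cfapitoken` from `values`; `targetPath` follows Helm `--set` key syntax, so the list index should be checked against the chart's values layout. Separately, `dependsOn` on a HelmRelease only accepts other HelmReleases, and `repositories` in `flux-system` looks like a Flux Kustomization (see the repositories.yaml hunk in this commit), in which case this release waits forever — drop that entry or express the dependency on the Flux Kustomization that applies this file. `hosts: - ${cluster_cert_domain_wildcard}` is also worth checking in the rendered output: a wildcard such as `*.example.com` landing unquoted in YAML reads as an alias reference, so quote it as `- "${cluster_cert_domain_wildcard}"` and verify the post-substitution manifest.

```yaml
spec:
  # … unchanged: releaseName, chart, interval, install, dependsOn …
  valuesFrom:
    - kind: Secret
      name: cloudflare-api-token  # placeholder: a Secret that must exist in namespace clusterissuer
      valuesKey: api-token        # placeholder: key inside that Secret holding the token
      targetPath: operator.clusterIssuer.ACME[0].cfapitoken
  values:
    # … unchanged: image, manifestManager, workload, service, portal, operator (with cfapitoken removed) …
```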
+++ b/kubernetes/apps/clusterissuer/secret.yaml
@@ -0,0 +1,21 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: clusterissuer-secrets
+ namespace: flux-system
+spec:
+ suspend: true
+ interval: 1d
+ path: ./clusterissuer
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ namespace: flux-system
+ name: home-cluster-ops-secrets
+ dependsOn:
+ - name: repositories
+ namespace: flux-system
+ decryption:
+ provider: sops
+ secretRef:
+ name: sops-age
\ No newline at end of file
diff --git a/kubernetes/apps/prometheus-operator/release.yaml b/kubernetes/apps/prometheus-operator/release.yaml
index 053ba45..60cb075 100644
--- a/kubernetes/apps/prometheus-operator/release.yaml
+++ b/kubernetes/apps/prometheus-operator/release.yaml
@@ -44,16 +44,4 @@ spec:
 ## Manages Prometheus and Alertmanager components
 ##
 prometheusOperator:
- enabled: true
-
- ####
- ##
- ## Everything down here, explicitly disables everything BUT the operator itself
- ##
- ####
-
-
- ## dont Deploy a Prometheus instance
- ##
- prometheus:
 enabled: true
\ No newline at end of file
diff --git a/kubernetes/infrastructure/repositories/repos/home-cluster-ops-secrets.yaml b/kubernetes/infrastructure/repositories/repos/home-cluster-ops-secrets.yaml
index d0167f1..586d926 100644
--- a/kubernetes/infrastructure/repositories/repos/home-cluster-ops-secrets.yaml
+++ b/kubernetes/infrastructure/repositories/repos/home-cluster-ops-secrets.yaml
@@ -4,7 +4,7 @@ metadata:
 name: home-cluster-ops-secrets
 namespace: flux-system
 spec:
- interval: 6h
+ interval: 5m
 ref:
 branch: main
 secretRef:
diff --git a/kubernetes/infrastructure/repositories/repositories.yaml b/kubernetes/infrastructure/repositories/repositories.yaml
index f175ba8..d80562f 100644
--- a/kubernetes/infrastructure/repositories/repositories.yaml
+++ b/kubernetes/infrastructure/repositories/repositories.yaml
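Review bot: `interval: 1d` on `clusterissuer-secrets` is the drift-correction interval, so while a new commit to `home-cluster-ops-secrets` still applies promptly (the GitRepository is polled every 5m after this commit), an in-cluster edit or deletion of the decrypted Secret that feeds `clusterissuers` would not be reverted for up to a day; for an object that only materialises a handful of secrets, matching the source interval, `interval: 5m`, is the more usual choice and costs little. `path: ./clusterissuer` is relative to that secrets repository rather than this one, and `prune: true` removes the decrypted Secret as soon as the manifest disappears from that path — both reasonable, but a comment such as `# path is inside the home-cluster-ops-secrets repo; prune deletes the Secret when it is removed there` would make the coupling visible. The file also ends without a trailing newline.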
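Review bot: The `prometheus:` key and the comment block explaining it are removed from a commit titled `add app clusterissuer` with no mention in the message, so the intent is lost: the new side leaves `prometheusOperator:` directly followed by the surviving `enabled: true` line, whose indentation cannot be checked in this collapsed diff, and `prometheus` now falls back to the chart default instead of an explicit value (the removed comments said the instance should not be deployed while the removed value said `enabled: true`, so which default is wanted is unclear from here). Either move this into its own commit with a one-line rationale or keep a comment in place of the removed block, e.g. `# prometheus: intentionally left at chart default`, so the decision survives. The enclosing `values` block starts before this hunk.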
@@ -5,7 +5,7 @@ metadata:
 name: repositories
 namespace: flux-system
 spec:
- interval: 6h
+ interval: 5m
 path: ./kubernetes/infrastructure/repositories/repos
 prune: true
 sourceRef: