K3S-Cluster/home-cluster-ops
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

cert-manager rework

Browse Source
This commit is contained in:
Edward Cheng
2024-06-14 00:00:40 +10:00
parent bba1e71189
commit 36b2781ddc
12 changed files with 99 additions and 283 deletions
Download Patch File Download Diff File Expand all files Collapse all files

65
kubernetes/apps/cert-manager-old/cert-manager.yaml
View File

@@ -1,65 +0,0 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: cert-manager-secrets
namespace: flux-system
spec:
suspend: true
interval: 1h
path: ./cert-manager
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: home-cluster-ops-secrets
dependsOn:
- name: repositories
namespace: flux-system
- name: cert-manager
namespace: flux-system
decryption:
provider: sops
secretRef:
name: sops-age
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: cert-manager
namespace: flux-system
spec:
suspend: true
interval: 1h
targetNamespace: cert-manager
path: ./kubernetes/templates/apps/cert-manager/app
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: flux-system
postBuild:
substituteFrom:
- kind: Secret
name: cert-manager-secrets
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: cert-manager-issuers
namespace: flux-system
spec:
suspend: true
interval: 1h
targetNamespace: cert-manager
path: ./kubernetes/templates/apps/cert-manager/issuers
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: flux-system
dependsOn:
- name: cert-manager-secrets
postBuild:
substituteFrom:
- kind: Secret
name: cert-manager-secrets

0
kubernetes/templates/apps/cert-manager/app/namespace.yaml → kubernetes/apps/cert-manager/app/namespace.yaml
View File

41
kubernetes/apps/cert-manager/app/release.yaml
View File

@@ -4,20 +4,41 @@ metadata:
name: cert-manager name: cert-manager
namespace: cert-manager namespace: cert-manager
spec: spec:
releaseName: cert-manager interval: 1h
driftDetection:
mode: enabled
chart: chart:
spec: spec:
chart: cert-manager chart: cert-manager
version: v1.15.0
sourceRef: sourceRef:
kind: HelmRepository kind: HelmRepository
name: truecharts namespace: cert-manager
namespace: flux-system name: cert-manager
interval: 5m interval: 1h
install: install:
remediation: crds: Create
retries: 3 upgrade:
crds: CreateReplace
values: values:
certmanager: installCRDs: true
prometheus:
servicemonitor: podLabels:
enabled: false rpi5.cluster.policy/egress-kubeapi: "true"
rpi5.cluster.policy/egress-namespace: "true"
rpi5.cluster.policy/egress-world: "true"
rpi5.cluster.policy/ingress-namespace: "true"
webhook:
podLabels:
rpi5.cluster.policy/egress-kubeapi: "true"
cainjector:
podLabels:
rpi5.cluster.policy/egress-kubeapi: "true"
global:
priorityClassName: system-cluster-critical
podDnsConfig:
nameservers:
- 1.1.1.1
- 1.0.0.1

0
kubernetes/templates/apps/cert-manager/app/repository.yaml → kubernetes/apps/cert-manager/app/repository.yaml
View File

48
kubernetes/apps/cert-manager/cert-manager.yaml
View File

@@ -6,9 +6,55 @@ metadata:
spec: spec:
interval: 1h interval: 1h
targetNamespace: cert-manager targetNamespace: cert-manager
path: ./kubernetes/templates/apps/cert-manager/app path: ./kubernetes/apps/cert-manager/app
prune: true prune: true
sourceRef: sourceRef:
kind: GitRepository kind: GitRepository
namespace: flux-system namespace: flux-system
name: flux-system name: flux-system
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: clusterissuer-secrets
namespace: flux-system
spec:
interval: 1h
path: ./clusterissuer
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: home-cluster-ops-secrets
dependsOn:
- name: repositories
namespace: flux-system
decryption:
provider: sops
secretRef:
name: sops-age
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: clusterissuer
namespace: flux-system
spec:
suspend: true
interval: 1h
targetNamespace: cert-manager
path: ./kubernetes/apps/cert-manager/clusterissuers
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: flux-system
dependsOn:
- name: clusterissuer-secrets
namespace: flux-system
- name: cert-manager
namespace: flux-system
postBuild:
substituteFrom:
- kind: Secret
name: clusterissuer-secrets

20
kubernetes/apps/cert-manager/clusterissuer/clusterissuer-cloudflare.yaml Normal file
View File

@@ -0,0 +1,20 @@
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: clusterissuer
namespace: cert-manager
spec:
acme:
email: ${email}
server: https://acme-v02.api.letsencrypt.org/directory
solvers:
- dns01:
cloudflare:
email: ${email}
apiKeySecretRef:
name: clusterissuer-secrets
key: cloudflare_api_token
selector:
dnsNames:
- "${cluster_cert_domain}"
- "*.${cluster_cert_domain}"

4
kubernetes/apps/clusterissuer/app/namespace.yaml
View File

@@ -1,4 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
name: clusterissuer

82
kubernetes/apps/clusterissuer/app/release.yaml
View File

@@ -1,82 +0,0 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: clusterissuer
namespace: clusterissuer
spec:
releaseName: clusterissuer
chart:
spec:
chart: clusterissuer
sourceRef:
kind: HelmRepository
name: truecharts
namespace: flux-system
interval: 5m
install:
remediation:
retries: 3
dependsOn:
- name: cert-manager
namespace: cert-manager
- name: repositories
namespace: flux-system
values:
image:
repository: hello-world
tag: latest@sha256:266b191e926f65542fa8daaec01a192c4d292bff79426f47300a046e1bc576fd
pullPolicy: IfNotPresent
manifestManager:
enabled: true
workload:
main:
enabled: true
podSpec:
containers:
main:
enabled: true
probes:
liveness:
enabled: false
readiness:
enabled: false
startup:
enabled: false
service:
main:
enabled: true
ports:
main:
enabled: true
port: 9999
portal:
open:
enabled: true
operator:
cert-manager:
namespace: flux-system
clusterIssuer:
ACME:
- name: letsencrypt
# Used for both logging in to the DNS provider AND ACME registration
email: "${email}"
server: 'https://acme-v02.api.letsencrypt.org/directory'
# Used primarily for the SCALE GUI
customServer: 'https://acme-v02.api.letsencrypt.org/directory'
# Options: HTTP01, cloudflare, route53, akamai, digitalocean, rfc2136, acmedns
type: "cloudflare"
# for cloudflare
cfapitoken: "${cloudflare_api_token}"
clusterCertificates:
# Namespaces in which the certificates must be available
# Accepts comma-separated regex expressions
# replicationNamespaces: 'ix-.*'
certificates:
- name: cluster-certificate
enabled: true
certificateIssuer: ACME
hosts:
- "${cluster_cert_domain}"
- "*.${cluster_cert_domain}"

44
kubernetes/apps/clusterissuer/clusterissuer.yaml
View File

@@ -1,44 +0,0 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: clusterissuer-secrets
namespace: flux-system
spec:
interval: 1h
path: ./clusterissuer
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: home-cluster-ops-secrets
dependsOn:
- name: repositories
namespace: flux-system
- name: cert-manager
namespace: flux-system
decryption:
provider: sops
secretRef:
name: sops-age
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: clusterissuer
namespace: flux-system
spec:
suspend: false
interval: 1h
targetNamespace: clusterissuer
path: ./kubernetes/apps/clusterissuer/app
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: flux-system
dependsOn:
- name: clusterissuer-secrets
postBuild:
substituteFrom:
- kind: Secret
name: clusterissuer-secrets

44
kubernetes/templates/apps/cert-manager/app/release.yaml
View File

@@ -1,44 +0,0 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: cert-manager
namespace: cert-manager
spec:
interval: 1h
driftDetection:
mode: enabled
chart:
spec:
chart: cert-manager
version: v1.15.0
sourceRef:
kind: HelmRepository
namespace: cert-manager
name: cert-manager
interval: 1h
install:
crds: Create
upgrade:
crds: CreateReplace
values:
installCRDs: true
podLabels:
rpi5.cluster.policy/egress-kubeapi: "true"
rpi5.cluster.policy/egress-namespace: "true"
rpi5.cluster.policy/egress-world: "true"
rpi5.cluster.policy/ingress-namespace: "true"
webhook:
podLabels:
rpi5.cluster.policy/egress-kubeapi: "true"
cainjector:
podLabels:
rpi5.cluster.policy/egress-kubeapi: "true"
global:
priorityClassName: system-cluster-critical
podDnsConfig:
nameservers:
- 1.1.1.1
- 1.0.0.1

17
kubernetes/templates/apps/cert-manager/issuers/letsencrypt-dns01.yaml
View File

@@ -1,17 +0,0 @@
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-dns01
namespace: cert-manager
spec:
acme:
email: ${email}
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: letsencrypt-dns01
solvers:
- dns01:
cloudflare:
apiTokenSecretRef:
name: cert-manager-secrets
key: cert_manager_dns01

15
kubernetes/templates/apps/cert-manager/issuers/letsencrypt-http01.yaml
View File

@@ -1,15 +0,0 @@
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-http01
namespace: cert-manager
spec:
acme:
email: ${email}
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: letsencrypt-http01
solvers:
- http01:
ingress:
class: nginx