Merge pull request #135 from 3dwardch3ng/app/cert-manager

cert-manager rework
2024-06-14 00:03:55 +10:00
committed by GitHub
12 changed files with 99 additions and 283 deletions


@@ -1,65 +0,0 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: cert-manager-secrets
namespace: flux-system
spec:
suspend: true
interval: 1h
path: ./cert-manager
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: home-cluster-ops-secrets
dependsOn:
- name: repositories
namespace: flux-system
- name: cert-manager
namespace: flux-system
decryption:
provider: sops
secretRef:
name: sops-age
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: cert-manager
namespace: flux-system
spec:
suspend: true
interval: 1h
targetNamespace: cert-manager
path: ./kubernetes/templates/apps/cert-manager/app
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: flux-system
postBuild:
substituteFrom:
- kind: Secret
name: cert-manager-secrets
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: cert-manager-issuers
namespace: flux-system
spec:
suspend: true
interval: 1h
targetNamespace: cert-manager
path: ./kubernetes/templates/apps/cert-manager/issuers
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: flux-system
dependsOn:
- name: cert-manager-secrets
postBuild:
substituteFrom:
- kind: Secret
name: cert-manager-secrets


@@ -4,20 +4,41 @@ metadata:
name: cert-manager
namespace: cert-manager
spec:
releaseName: cert-manager
interval: 1h
driftDetection:
mode: enabled
chart:
spec:
chart: cert-manager
version: v1.15.0
sourceRef:
kind: HelmRepository
name: truecharts
namespace: flux-system
interval: 5m
namespace: cert-manager
name: cert-manager
interval: 1h
install:
remediation:
retries: 3
crds: Create
upgrade:
crds: CreateReplace
values:
certmanager:
prometheus:
servicemonitor:
enabled: false
installCRDs: true
podLabels:
rpi5.cluster.policy/egress-kubeapi: "true"
rpi5.cluster.policy/egress-namespace: "true"
rpi5.cluster.policy/egress-world: "true"
rpi5.cluster.policy/ingress-namespace: "true"
webhook:
podLabels:
rpi5.cluster.policy/egress-kubeapi: "true"
cainjector:
podLabels:
rpi5.cluster.policy/egress-kubeapi: "true"
global:
priorityClassName: system-cluster-critical
podDnsConfig:
nameservers:
- 1.1.1.1
- 1.0.0.1
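Review bot: The network-policy `podLabels`, `installCRDs` and `global` settings are left at the top level of `values:` while `prometheus.servicemonitor.enabled` has been nested under `certmanager:`; if the truecharts chart wraps upstream cert-manager as a subchart (which the `certmanager:` key suggests), the top-level keys are not passed through and the `rpi5.cluster.policy/*` labels silently never reach the pods, which either strands them under a default-deny policy or leaves them outside the intended egress restrictions — check the chart's values schema and nest them under `certmanager:` if so. `installCRDs: true` together with `install.crds: Create` / `upgrade.crds: CreateReplace` also gives the CRDs two owners (Helm and the Flux controller); keep the Flux `crds:` policy as the single owner and set `installCRDs: false`. Moving the chart source from the project's own `cert-manager` HelmRepository to a third-party repackaging widens the supply chain, so confirm the repository is the one you intend to trust and that `v1.15.0` is a version that exists in that repository's index rather than the upstream app version.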


@@ -6,9 +6,55 @@ metadata:
spec:
interval: 1h
targetNamespace: cert-manager
path: ./kubernetes/templates/apps/cert-manager/app
path: ./kubernetes/apps/cert-manager/app
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: flux-system
name: flux-system
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: clusterissuer-secrets
namespace: flux-system
spec:
interval: 1h
path: ./clusterissuer
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: home-cluster-ops-secrets
dependsOn:
- name: repositories
namespace: flux-system
decryption:
provider: sops
secretRef:
name: sops-age
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: clusterissuer
namespace: flux-system
spec:
suspend: true
interval: 1h
targetNamespace: cert-manager
path: ./kubernetes/apps/cert-manager/clusterissuers
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: flux-system
dependsOn:
- name: clusterissuer-secrets
namespace: flux-system
- name: cert-manager
namespace: flux-system
postBuild:
substituteFrom:
- kind: Secret
name: clusterissuer-secrets
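Review bot: `substituteFrom` on the `clusterissuer` Kustomization reads the `clusterissuer-secrets` Secret from the Kustomization's own namespace (flux-system), while the ClusterIssuer added in this PR references a Secret of the same name that cert-manager resolves in its own namespace; the `clusterissuer-secrets` Kustomization sets no `targetNamespace`, so unless `./clusterissuer` in the secrets repository emits the Secret into both namespaces, one of the two lookups fails. It also hands the Cloudflare API token to Flux variable substitution where it is not needed — only `email` and `cluster_cert_domain` are substituted — so consider a non-sensitive substitution source (`- kind: ConfigMap` in flux-system) and a Secret holding only the token, emitted into cert-manager. Note that `suspend: true` on `clusterissuer` means none of this is applied until it is flipped, and that the first Kustomization in this hunk begins before the hunk, so its metadata is not visible here.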


@@ -0,0 +1,20 @@
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: clusterissuer
namespace: cert-manager
spec:
acme:
email: ${email}
server: https://acme-v02.api.letsencrypt.org/directory
solvers:
- dns01:
cloudflare:
email: ${email}
apiKeySecretRef:
name: clusterissuer-secrets
key: cloudflare_api_token
selector:
dnsNames:
- "${cluster_cert_domain}"
- "*.${cluster_cert_domain}"
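Review bot: `acme.privateKeySecretRef` is missing from the new ClusterIssuer, and it is a required field of the ACME issuer spec — the deleted `letsencrypt-dns01` issuer carried it, so cert-manager's webhook will reject this resource (or it will never become Ready). The Cloudflare solver also pairs `email` with `apiKeySecretRef`, which is the legacy Global API Key path with full account access; the key name `cloudflare_api_token` suggests a scoped token, which must be referenced via `apiTokenSecretRef` with no `email`, as the previous issuer did — with the current spec a scoped token fails authentication and a global key is over-privileged. `metadata.namespace` on a cluster-scoped ClusterIssuer is meaningless and should be dropped. A corrected spec follows; the `privateKeySecretRef` name is a proposal.
```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: clusterissuer
spec:
  acme:
    email: ${email}
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: clusterissuer-account-key
    solvers:
      - dns01:
          cloudflare:
            apiTokenSecretRef:
              name: clusterissuer-secrets
              key: cloudflare_api_token
        # … unchanged: selector.dnsNames …
```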


@@ -1,4 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
name: clusterissuer


@@ -1,82 +0,0 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: clusterissuer
namespace: clusterissuer
spec:
releaseName: clusterissuer
chart:
spec:
chart: clusterissuer
sourceRef:
kind: HelmRepository
name: truecharts
namespace: flux-system
interval: 5m
install:
remediation:
retries: 3
dependsOn:
- name: cert-manager
namespace: cert-manager
- name: repositories
namespace: flux-system
values:
image:
repository: hello-world
tag: latest@sha256:266b191e926f65542fa8daaec01a192c4d292bff79426f47300a046e1bc576fd
pullPolicy: IfNotPresent
manifestManager:
enabled: true
workload:
main:
enabled: true
podSpec:
containers:
main:
enabled: true
probes:
liveness:
enabled: false
readiness:
enabled: false
startup:
enabled: false
service:
main:
enabled: true
ports:
main:
enabled: true
port: 9999
portal:
open:
enabled: true
operator:
cert-manager:
namespace: flux-system
clusterIssuer:
ACME:
- name: letsencrypt
# Used for both logging in to the DNS provider AND ACME registration
email: "${email}"
server: 'https://acme-v02.api.letsencrypt.org/directory'
# Used primarily for the SCALE GUI
customServer: 'https://acme-v02.api.letsencrypt.org/directory'
# Options: HTTP01, cloudflare, route53, akamai, digitalocean, rfc2136, acmedns
type: "cloudflare"
# for cloudflare
cfapitoken: "${cloudflare_api_token}"
clusterCertificates:
# Namespaces in which the certificates must be available
# Accepts comma-separated regex expressions
# replicationNamespaces: 'ix-.*'
certificates:
- name: cluster-certificate
enabled: true
certificateIssuer: ACME
hosts:
- "${cluster_cert_domain}"
- "*.${cluster_cert_domain}"


@@ -1,44 +0,0 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: clusterissuer-secrets
namespace: flux-system
spec:
interval: 1h
path: ./clusterissuer
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: home-cluster-ops-secrets
dependsOn:
- name: repositories
namespace: flux-system
- name: cert-manager
namespace: flux-system
decryption:
provider: sops
secretRef:
name: sops-age
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: clusterissuer
namespace: flux-system
spec:
suspend: false
interval: 1h
targetNamespace: clusterissuer
path: ./kubernetes/apps/clusterissuer/app
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: flux-system
dependsOn:
- name: clusterissuer-secrets
postBuild:
substituteFrom:
- kind: Secret
name: clusterissuer-secrets


@@ -1,44 +0,0 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: cert-manager
namespace: cert-manager
spec:
interval: 1h
driftDetection:
mode: enabled
chart:
spec:
chart: cert-manager
version: v1.15.0
sourceRef:
kind: HelmRepository
namespace: cert-manager
name: cert-manager
interval: 1h
install:
crds: Create
upgrade:
crds: CreateReplace
values:
installCRDs: true
podLabels:
rpi5.cluster.policy/egress-kubeapi: "true"
rpi5.cluster.policy/egress-namespace: "true"
rpi5.cluster.policy/egress-world: "true"
rpi5.cluster.policy/ingress-namespace: "true"
webhook:
podLabels:
rpi5.cluster.policy/egress-kubeapi: "true"
cainjector:
podLabels:
rpi5.cluster.policy/egress-kubeapi: "true"
global:
priorityClassName: system-cluster-critical
podDnsConfig:
nameservers:
- 1.1.1.1
- 1.0.0.1


@@ -1,17 +0,0 @@
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-dns01
namespace: cert-manager
spec:
acme:
email: ${email}
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: letsencrypt-dns01
solvers:
- dns01:
cloudflare:
apiTokenSecretRef:
name: cert-manager-secrets
key: cert_manager_dns01


@@ -1,15 +0,0 @@
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-http01
namespace: cert-manager
spec:
acme:
email: ${email}
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: letsencrypt-http01
solvers:
- http01:
ingress:
class: nginx