From 36b2781ddc2faa05cafca01445e634caf07dc007 Mon Sep 17 00:00:00 2001 From: Edward Cheng Date: Fri, 14 Jun 2024 00:00:40 +1000 Subject: [PATCH] cert-manager rework --- .../apps/cert-manager-old/cert-manager.yaml | 65 --------------- .../apps/cert-manager/app/namespace.yaml | 0 kubernetes/apps/cert-manager/app/release.yaml | 41 +++++++--- .../apps/cert-manager/app/repository.yaml | 0 .../apps/cert-manager/cert-manager.yaml | 50 ++++++++++- .../clusterissuer-cloudflare.yaml | 20 +++++ .../apps/clusterissuer/app/namespace.yaml | 4 - .../apps/clusterissuer/app/release.yaml | 82 ------------------- .../apps/clusterissuer/clusterissuer.yaml | 44 ---------- .../apps/cert-manager/app/release.yaml | 44 ---------- .../issuers/letsencrypt-dns01.yaml | 17 ---- .../issuers/letsencrypt-http01.yaml | 15 ---- 12 files changed, 99 insertions(+), 283 deletions(-) delete mode 100644 kubernetes/apps/cert-manager-old/cert-manager.yaml rename kubernetes/{templates => }/apps/cert-manager/app/namespace.yaml (100%) rename kubernetes/{templates => }/apps/cert-manager/app/repository.yaml (100%) create mode 100644 kubernetes/apps/cert-manager/clusterissuer/clusterissuer-cloudflare.yaml delete mode 100644 kubernetes/apps/clusterissuer/app/namespace.yaml delete mode 100644 kubernetes/apps/clusterissuer/app/release.yaml delete mode 100644 kubernetes/apps/clusterissuer/clusterissuer.yaml delete mode 100644 kubernetes/templates/apps/cert-manager/app/release.yaml delete mode 100644 kubernetes/templates/apps/cert-manager/issuers/letsencrypt-dns01.yaml delete mode 100644 kubernetes/templates/apps/cert-manager/issuers/letsencrypt-http01.yaml diff --git a/kubernetes/apps/cert-manager-old/cert-manager.yaml b/kubernetes/apps/cert-manager-old/cert-manager.yaml deleted file mode 100644 index ed80b93..0000000 --- a/kubernetes/apps/cert-manager-old/cert-manager.yaml +++ /dev/null 
@@ -1,65 +0,0 @@ -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: cert-manager-secrets - namespace: flux-system -spec: - suspend: true - interval: 1h - path: ./cert-manager - prune: true - sourceRef: - kind: GitRepository - namespace: flux-system - name: home-cluster-ops-secrets - dependsOn: - - name: repositories - namespace: flux-system - - name: cert-manager - namespace: flux-system - decryption: - provider: sops - secretRef: - name: sops-age ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: cert-manager - namespace: flux-system -spec: - suspend: true - interval: 1h - targetNamespace: cert-manager - path: ./kubernetes/templates/apps/cert-manager/app - prune: true - sourceRef: - kind: GitRepository - namespace: flux-system - name: flux-system - postBuild: - substituteFrom: - - kind: Secret - name: cert-manager-secrets ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: cert-manager-issuers - namespace: flux-system -spec: - suspend: true - interval: 1h - targetNamespace: cert-manager - path: ./kubernetes/templates/apps/cert-manager/issuers - prune: true - sourceRef: - kind: GitRepository - namespace: flux-system - name: flux-system - dependsOn: - - name: cert-manager-secrets - postBuild: - substituteFrom: - - kind: Secret - name: cert-manager-secrets diff --git a/kubernetes/templates/apps/cert-manager/app/namespace.yaml b/kubernetes/apps/cert-manager/app/namespace.yaml similarity index 100% rename from kubernetes/templates/apps/cert-manager/app/namespace.yaml rename to kubernetes/apps/cert-manager/app/namespace.yaml diff --git a/kubernetes/apps/cert-manager/app/release.yaml b/kubernetes/apps/cert-manager/app/release.yaml index 43a85a8..c4efb8e 100644 --- a/kubernetes/apps/cert-manager/app/release.yaml +++ b/kubernetes/apps/cert-manager/app/release.yaml 
@@ -4,20 +4,41 @@ metadata:
 name: cert-manager
 namespace: cert-manager
 spec:
- releaseName: cert-manager
+ interval: 1h
+ driftDetection:
+ mode: enabled
 chart:
 spec:
 chart: cert-manager
+ version: v1.15.0
 sourceRef:
 kind: HelmRepository
- name: truecharts
- namespace: flux-system
- interval: 5m
+ namespace: cert-manager
+ name: cert-manager
+ interval: 1h
 install:
- remediation:
- retries: 3
+ crds: Create
+ upgrade:
+ crds: CreateReplace
 values:
- certmanager:
- prometheus:
- servicemonitor:
- enabled: false
\ No newline at end of file
+ installCRDs: true
+
+ podLabels:
+ rpi5.cluster.policy/egress-kubeapi: "true"
+ rpi5.cluster.policy/egress-namespace: "true"
+ rpi5.cluster.policy/egress-world: "true"
+ rpi5.cluster.policy/ingress-namespace: "true"
+ webhook:
+ podLabels:
+ rpi5.cluster.policy/egress-kubeapi: "true"
+ cainjector:
+ podLabels:
+ rpi5.cluster.policy/egress-kubeapi: "true"
+
+ global:
+ priorityClassName: system-cluster-critical
+
+ podDnsConfig:
+ nameservers:
+ - 1.1.1.1
+ - 1.0.0.1
diff --git a/kubernetes/templates/apps/cert-manager/app/repository.yaml b/kubernetes/apps/cert-manager/app/repository.yaml
similarity index 100%
rename from kubernetes/templates/apps/cert-manager/app/repository.yaml
rename to kubernetes/apps/cert-manager/app/repository.yaml
diff --git a/kubernetes/apps/cert-manager/cert-manager.yaml b/kubernetes/apps/cert-manager/cert-manager.yaml
index 6d97791..64fd16b 100644
--- a/kubernetes/apps/cert-manager/cert-manager.yaml
+++ b/kubernetes/apps/cert-manager/cert-manager.yaml
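Review bot: The `podDnsConfig.nameservers` block at the end of the values does not, on its own, make the DNS-01 self-check bypass the in-cluster resolver: the chart applies `podDnsConfig` under the pod's default `podDnsPolicy` (ClusterFirst), so 1.1.1.1/1.0.0.1 are appended after cluster DNS rather than replacing it — worth confirming against the rendered pod spec. If the intent is to avoid split-horizon DNS answers during the DNS-01 propagation check, the documented knob is on the controller itself: `extraArgs: ["--dns01-recursive-nameservers=1.1.1.1:53,1.0.0.1:53", "--dns01-recursive-nameservers-only"]`, optionally paired with `podDnsPolicy: "None"` if the resolver override is still wanted. Separately, `installCRDs: true` is the legacy switch in the v1.15.0 chart pinned here; `crds: {enabled: true, keep: true}` is the current form and makes the keep-CRDs-on-uninstall behaviour explicit, which matters since Flux's `crds: CreateReplace` and the chart are both managing the same CRDs. The HelmRelease header (`apiVersion`/`kind`) lies outside this hunk.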
@@ -6,9 +6,55 @@ metadata:
 spec:
 interval: 1h
 targetNamespace: cert-manager
- path: ./kubernetes/templates/apps/cert-manager/app
+ path: ./kubernetes/apps/cert-manager/app
 prune: true
 sourceRef:
 kind: GitRepository
 namespace: flux-system
- name: flux-system
\ No newline at end of file
+ name: flux-system
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: clusterissuer-secrets
+ namespace: flux-system
+spec:
+ interval: 1h
+ path: ./clusterissuer
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ namespace: flux-system
+ name: home-cluster-ops-secrets
+ dependsOn:
+ - name: repositories
+ namespace: flux-system
+ decryption:
+ provider: sops
+ secretRef:
+ name: sops-age
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: clusterissuer
+ namespace: flux-system
+spec:
+ suspend: true
+ interval: 1h
+ targetNamespace: cert-manager
+ path: ./kubernetes/apps/cert-manager/clusterissuers
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ namespace: flux-system
+ name: flux-system
+ dependsOn:
+ - name: clusterissuer-secrets
+ namespace: flux-system
+ - name: cert-manager
+ namespace: flux-system
+ postBuild:
+ substituteFrom:
+ - kind: Secret
+ name: clusterissuer-secrets
\ No newline at end of file
diff --git a/kubernetes/apps/cert-manager/clusterissuer/clusterissuer-cloudflare.yaml b/kubernetes/apps/cert-manager/clusterissuer/clusterissuer-cloudflare.yaml
new file mode 100644
index 0000000..0059cee
--- /dev/null
+++ b/kubernetes/apps/cert-manager/clusterissuer/clusterissuer-cloudflare.yaml
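Review bot: The new `clusterissuer` Kustomization points at `path: ./kubernetes/apps/cert-manager/clusterissuers` (plural), but the directory this commit creates is `kubernetes/apps/cert-manager/clusterissuer/` (singular, per the diffstat and the new-file header), so the reconciliation will fail with a missing-path error as soon as `suspend: true` is lifted; change it to `path: ./kubernetes/apps/cert-manager/clusterissuer`. A second thing to verify: the same Secret name `clusterissuer-secrets` is consumed in two places with different namespace rules — `postBuild.substituteFrom` reads it from the Kustomization's own namespace (flux-system), while the ClusterIssuer's solver secret is read by cert-manager from its cluster-resource namespace (cert-manager), and the `clusterissuer-secrets` Kustomization sets no `targetNamespace`, so whether both copies exist depends on the manifests in `home-cluster-ops-secrets`, which are not in this diff. A one-line comment above the secrets Kustomization stating which namespace(s) the secrets repo is expected to populate would save the next person the same check. Note that the `suspend: true` on the issuer Kustomization is not explained in the commit message; if it is a staging step, a `# TODO: unsuspend once ...` comment would make that explicit.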
@@ -0,0 +1,20 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: clusterissuer
+ namespace: cert-manager
+spec:
+ acme:
+ email: ${email}
+ server: https://acme-v02.api.letsencrypt.org/directory
+ solvers:
+ - dns01:
+ cloudflare:
+ email: ${email}
+ apiKeySecretRef:
+ name: clusterissuer-secrets
+ key: cloudflare_api_token
+ selector:
+ dnsNames:
+ - "${cluster_cert_domain}"
+ - "*.${cluster_cert_domain}"
\ No newline at end of file
diff --git a/kubernetes/apps/clusterissuer/app/namespace.yaml b/kubernetes/apps/clusterissuer/app/namespace.yaml
deleted file mode 100644
index 81088dd..0000000
--- a/kubernetes/apps/clusterissuer/app/namespace.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- name: clusterissuer
diff --git a/kubernetes/apps/clusterissuer/app/release.yaml b/kubernetes/apps/clusterissuer/app/release.yaml
deleted file mode 100644
index 2fb117a..0000000
--- a/kubernetes/apps/clusterissuer/app/release.yaml
+++ /dev/null
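Review bot: The new ClusterIssuer omits `spec.acme.privateKeySecretRef`, which the cert-manager ACME issuer schema requires (the deleted `letsencrypt-dns01` issuer in this same commit had `privateKeySecretRef: {name: letsencrypt-dns01}`), so the object will be rejected at admission; it names the Secret cert-manager creates to hold the ACME account private key, so the name should be stable across re-applies to avoid re-registering the account. The Cloudflare solver also mixes credential types: `apiKeySecretRef` plus `email` is the Global API Key form, yet the secret key is called `cloudflare_api_token` — a scoped API token is referenced with `apiTokenSecretRef` and no `email`, and is the least-privilege choice (it can be limited to `Zone:DNS:Edit` on one zone, whereas the Global API Key grants full account access), so if the stored value is a token as the name suggests, the current form will fail authentication and, if it were a Global Key, would over-privilege the cluster. The `namespace: cert-manager` under `metadata` is ignored on a cluster-scoped ClusterIssuer and can be dropped. The rewritten `acme` section:

```yaml
spec:
  acme:
    # … unchanged: email, server …
    privateKeySecretRef:
      name: clusterissuer-account-key
    solvers:
      - dns01:
          cloudflare:
            apiTokenSecretRef:
              name: clusterissuer-secrets
              key: cloudflare_api_token
        # … unchanged: selector.dnsNames …
```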
@@ -1,82 +0,0 @@ -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: clusterissuer - namespace: clusterissuer -spec: - releaseName: clusterissuer - chart: - spec: - chart: clusterissuer - sourceRef: - kind: HelmRepository - name: truecharts - namespace: flux-system - interval: 5m - install: - remediation: - retries: 3 - dependsOn: - - name: cert-manager - namespace: cert-manager - - name: repositories - namespace: flux-system - values: - image: - repository: hello-world - tag: latest@sha256:266b191e926f65542fa8daaec01a192c4d292bff79426f47300a046e1bc576fd - pullPolicy: IfNotPresent - manifestManager: - enabled: true - workload: - main: - enabled: true - podSpec: - containers: - main: - enabled: true - probes: - liveness: - enabled: false - readiness: - enabled: false - startup: - enabled: false - service: - main: - enabled: true - ports: - main: - enabled: true - port: 9999 - portal: - open: - enabled: true - operator: - cert-manager: - namespace: flux-system - - clusterIssuer: - ACME: - - name: letsencrypt - # Used for both logging in to the DNS provider AND ACME registration - email: "${email}" - server: 'https://acme-v02.api.letsencrypt.org/directory' - # Used primarily for the SCALE GUI - customServer: 'https://acme-v02.api.letsencrypt.org/directory' - # Options: HTTP01, cloudflare, route53, akamai, digitalocean, rfc2136, acmedns - type: "cloudflare" - # for cloudflare - cfapitoken: "${cloudflare_api_token}" - - clusterCertificates: - # Namespaces in which the certificates must be available - # Accepts comma-separated regex expressions - # replicationNamespaces: 'ix-.*' - certificates: - - name: cluster-certificate - enabled: true - certificateIssuer: ACME - hosts: - - "${cluster_cert_domain}" - - "*.${cluster_cert_domain}" \ No newline at end of file diff --git a/kubernetes/apps/clusterissuer/clusterissuer.yaml b/kubernetes/apps/clusterissuer/clusterissuer.yaml deleted file mode 100644 index afa479d..0000000 
--- a/kubernetes/apps/clusterissuer/clusterissuer.yaml +++ /dev/null @@ -1,44 +0,0 @@ -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: clusterissuer-secrets - namespace: flux-system -spec: - interval: 1h - path: ./clusterissuer - prune: true - sourceRef: - kind: GitRepository - namespace: flux-system - name: home-cluster-ops-secrets - dependsOn: - - name: repositories - namespace: flux-system - - name: cert-manager - namespace: flux-system - decryption: - provider: sops - secretRef: - name: sops-age ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: clusterissuer - namespace: flux-system -spec: - suspend: false - interval: 1h - targetNamespace: clusterissuer - path: ./kubernetes/apps/clusterissuer/app - prune: true - sourceRef: - kind: GitRepository - namespace: flux-system - name: flux-system - dependsOn: - - name: clusterissuer-secrets - postBuild: - substituteFrom: - - kind: Secret - name: clusterissuer-secrets \ No newline at end of file diff --git a/kubernetes/templates/apps/cert-manager/app/release.yaml b/kubernetes/templates/apps/cert-manager/app/release.yaml deleted file mode 100644 index c4efb8e..0000000 --- a/kubernetes/templates/apps/cert-manager/app/release.yaml +++ /dev/null 
@@ -1,44 +0,0 @@ -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: cert-manager - namespace: cert-manager -spec: - interval: 1h - driftDetection: - mode: enabled - chart: - spec: - chart: cert-manager - version: v1.15.0 - sourceRef: - kind: HelmRepository - namespace: cert-manager - name: cert-manager - interval: 1h - install: - crds: Create - upgrade: - crds: CreateReplace - values: - installCRDs: true - - podLabels: - rpi5.cluster.policy/egress-kubeapi: "true" - rpi5.cluster.policy/egress-namespace: "true" - rpi5.cluster.policy/egress-world: "true" - rpi5.cluster.policy/ingress-namespace: "true" - webhook: - podLabels: - rpi5.cluster.policy/egress-kubeapi: "true" - cainjector: - podLabels: - rpi5.cluster.policy/egress-kubeapi: "true" - - global: - priorityClassName: system-cluster-critical - - podDnsConfig: - nameservers: - - 1.1.1.1 - - 1.0.0.1 diff --git a/kubernetes/templates/apps/cert-manager/issuers/letsencrypt-dns01.yaml b/kubernetes/templates/apps/cert-manager/issuers/letsencrypt-dns01.yaml deleted file mode 100644 index 7087180..0000000 --- a/kubernetes/templates/apps/cert-manager/issuers/letsencrypt-dns01.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: cert-manager.io/v1 -kind: ClusterIssuer -metadata: - name: letsencrypt-dns01 - namespace: cert-manager -spec: - acme: - email: ${email} - server: https://acme-v02.api.letsencrypt.org/directory - privateKeySecretRef: - name: letsencrypt-dns01 - solvers: - - dns01: - cloudflare: - apiTokenSecretRef: - name: cert-manager-secrets - key: cert_manager_dns01 diff --git a/kubernetes/templates/apps/cert-manager/issuers/letsencrypt-http01.yaml b/kubernetes/templates/apps/cert-manager/issuers/letsencrypt-http01.yaml deleted file mode 100644 index 657c3a5..0000000 --- a/kubernetes/templates/apps/cert-manager/issuers/letsencrypt-http01.yaml +++ /dev/null 
@@ -1,15 +0,0 @@ -apiVersion: cert-manager.io/v1 -kind: ClusterIssuer -metadata: - name: letsencrypt-http01 - namespace: cert-manager -spec: - acme: - email: ${email} - server: https://acme-v02.api.letsencrypt.org/directory - privateKeySecretRef: - name: letsencrypt-http01 - solvers: - - http01: - ingress: - class: nginx