Set up cert-manager wildcard certs

This commit is contained in:
2024-09-23 22:00:49 +02:00
parent 9a393e1326
commit 4adb9cd9ee
9 changed files with 53 additions and 14 deletions


@@ -5,7 +5,7 @@ metadata:
namespace: auth
spec:
forwardAuth:
address: 'http://authelia.auth.svc.cluster.local/api/verify?rd=https://auth.namesny.com'
address: 'http://authelia.auth.svc.cluster.local/api/verify?rd=https://auth.example.com'
trustForwardHeader: true
authResponseHeaders:
- "Remote-User"


@@ -7,7 +7,7 @@ spec:
entryPoints:
- websecure
routes:
- match: Host(`auth.namesny.com`)
- match: Host(`auth.example.com`)
kind: Rule
services:
- name: authelia


@@ -1,4 +1,4 @@
domain: 'namesny.com'
domain: 'example.com'
configMap:
authentication_backend:
file:
@@ -13,7 +13,7 @@ configMap:
enabled: false
access_control:
rules:
- domain: '*.namesny.com'
- domain: '*.example.com'
policy: one_factor
session:
redis:


@@ -1,7 +1,7 @@
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-prod
name: cloudflare-prod
spec:
acme:
email: admin@example.com


@@ -2,3 +2,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../base/cert-manager
- secret.enc.yaml
- issuer.yaml


@@ -0,0 +1,28 @@
apiVersion: v1
kind: Secret
metadata:
name: cloudflare-api-token-secret
namespace: cert-manager
type: Opaque
stringData:
api-token: ENC[AES256_GCM,data:Urnj7HrYPocHC+h2k75e/H9WDxmh8iF9mReyeWyuB+oOlGKn534SdA==,iv:TTKtIJa4ixQhq9Mh3KeB1VcqoTHFceQJzkSm1gqg3So=,tag:RnckzpR2BRcp8U/J+qX5Lg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1jk99rtxq3ep2xj2w886cchddf7jypqpwkr3dszg5dzq93gn8cy9qyc786m
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEZWprTlZDbUhFdU12bkc3
RVlFVjk0dHNyc21ZVHRzaTZlSTlENDB4MVJjCkFWV1RKcXU2Nk1jeSt4eG9nV0or
UVJmcHNMdnNGd2Jxc2h4M0FoY0RyTmMKLS0tIE9SZ2R3OFZOTVBncVAyUDFyS2Jz
THljamdxWFVpaVdtZFpiQXV0SjdicE0KgvRRtxMKub4V0xQTDU7De+7Es7vLbHn+
BkIKFMqJRnFk32vcPdoXqMlKIncZ3SV0/DSo0L0A/8gKYDN5uQlKVA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-09-23T19:59:37Z"
mac: ENC[AES256_GCM,data:6gM7IN2Ktv/ckSLXdexX19GgbnRnQHAreRzcTdwgW0ptuW05zjW6sZXT3OBg6RyQ1Ua8d33XgNcIgz9w/mB80UsB2oudCdOTOcvxclS/oIts+4Bs0cCsEPpP57LjG68RCyRZAEetnSr7q/0urbTqWxIX8kK5nV4NaumZrfAqqN8=,iv:Swsc8oEgw/4GFBeRmbELq+VIJBxqiE1TPAvi3F+Dpng=,tag:lRKnB0v4atLreLlCg5QX0Q==,type:str]
pgp: []
unencrypted_regex: ^(apiVersion|metadata|kind|type)$
version: 3.9.0
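Review bot: The SOPS-encrypted Secret is added to the overlay's kustomization as a plain resource (the `- secret.enc.yaml` line in the kustomization hunk of this commit), so whatever applies the overlay must decrypt it first; a plain `kubectl apply -k` would create the Secret with the literal `ENC[...]` string as `api-token`, and the failure would only surface later as a Cloudflare authentication error from the issuer rather than at apply time. If Flux is the consumer, the Flux Kustomization needs `decryption: {provider: sops, secretRef: {name: <age-key-secret>}}`; for a local workflow a ksops generator is the usual fit instead of a resource entry — I cannot tell from the diff which applies. The `unencrypted_regex` keeps `apiVersion`, `metadata`, `kind` and `type` in clear and `stringData` encrypted, which is the right split. A comment above `stringData` stating the token's scope, e.g. `# Cloudflare API token scoped to Zone:DNS:Edit on the single zone cert-manager solves for`, would keep a rotated token from being re-minted with broader rights.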


@@ -1,8 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: cloudflare-api-token-secret
namespace: cert-manager
type: Opaque
stringData:
api-token: your-cloudflare-api-token


@@ -0,0 +1,13 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: wildcard-nmsny-dev
namespace: traefik
spec:
secretName: wildcard-nmsny-dev-tls
dnsNames:
- "example.com"
- "*.example.com"
issuerRef:
name: cloudflare-prod
kind: Issuer
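Review bot: `issuerRef.kind: Issuer` makes cert-manager look for a namespaced Issuer called `cloudflare-prod` in the `traefik` namespace, but the only resource of that name this commit shows is the `ClusterIssuer` renamed earlier in the diff; if no separate Issuer exists, the Certificate stays in a not-found issuer condition and nothing is issued. The fix is `kind: ClusterIssuer` in the `issuerRef`. Separately, the Certificate relies on the default `privateKey.rotationPolicy: Never`, so every renewal reuses the original key; for a wildcard certificate that becomes the default for every host behind Traefik, `privateKey: {rotationPolicy: Always}` is the safer setting. A wildcard name also requires the issuer to carry a DNS-01 solver, which lies outside the ClusterIssuer hunk shown here, so it cannot be confirmed from this page.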


@@ -13,7 +13,7 @@ logs:
ingressRoute:
dashboard:
enabled: true
matchRule: Host(`traefik.namesny.com`)
matchRule: Host(`traefik.example.com`)
entryPoints: ["websecure"]
middlewares:
- name: "auth-authelia@kubernetescrd"
@@ -33,3 +33,7 @@ ports:
service:
spec:
externalTrafficPolicy: Local
tlsStore:
default:
defaultCertificate:
secretName: wildcard-nmsny-dev-tls
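Review bot: `tlsStore.default.defaultCertificate.secretName` refers to `wildcard-nmsny-dev-tls`, which the Certificate in this commit creates in namespace `traefik`; the TLSStore the chart renders is namespaced, so this only works if the Traefik release is installed in that same namespace, and the coupling is not visible from either file. A comment above `tlsStore`, e.g. `# must match spec.secretName and the namespace of the wildcard Certificate manifest`, would make the dependency explicit. Until cert-manager has written that Secret, Traefik serves its generated self-signed certificate and logs an error for the missing secret, so apply the Certificate before the Helm upgrade or watch for that error on first rollout. The `ports:` block this hunk belongs to starts outside the hunk.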