Add cert-manager

2025-12-22 16:44:24 +00:00 · 2024-09-17 22:43:27 +02:00
parent 536738f2e8
commit af3a547813
14 changed files with 135 additions and 85 deletions
--- a/infrastructure/base/cert-manager/kustomization.yaml
+++ b/infrastructure/base/cert-manager/kustomization.yaml
@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: cert-manager
+
+resources:
+  - namespace.yaml
+  - repository.yaml
+  - release.yaml
--- a/infrastructure/base/cert-manager/namespace.yaml
+++ b/infrastructure/base/cert-manager/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: cert-manager
--- a/infrastructure/base/cert-manager/release.yaml
+++ b/infrastructure/base/cert-manager/release.yaml
@@ -0,0 +1,18 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: cert-manager
+  namespace: cert-manager
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: cert-manager
+      version: "1.x"
+      sourceRef:
+        kind: HelmRepository
+        name: cert-manager
+        namespace: cert-manager
+      interval: 12h
+  values:
+    installCRDs: true
--- a/infrastructure/base/cert-manager/repository.yaml
+++ b/infrastructure/base/cert-manager/repository.yaml
@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: cert-manager
+  namespace: cert-manager
+spec:
+  interval: 24h
+  url: https://charts.jetstack.io
--- a/infrastructure/base/traefik/kustomization.yaml
+++ b/infrastructure/base/traefik/kustomization.yaml
@@ -1,7 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: kube-system
+namespace: traefik

 resources:
+  - namespace.yaml
  - repository.yaml
-  - release.yaml
+  - release.yaml
--- a/infrastructure/base/traefik/namespace.yaml
+++ b/infrastructure/base/traefik/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: traefik
--- a/infrastructure/base/traefik/release.yaml
+++ b/infrastructure/base/traefik/release.yaml
@@ -2,7 +2,7 @@ apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
  name: traefik
-  namespace: kube-system
+  namespace: traefik
 spec:
  interval: 10m
  chart:
@@ -11,7 +11,5 @@ spec:
      version: 28.2.0
      sourceRef:
        kind: HelmRepository
-        name: traefik
+        name: traefik-helm-repo
      interval: 10m
-  values:
-    replicaCount: 2
--- a/infrastructure/base/traefik/repository.yaml
+++ b/infrastructure/base/traefik/repository.yaml
@@ -2,7 +2,7 @@ apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
  name: traefik-helm-repo
-  namespace: kube-system
+  namespace: traefik
 spec:
-  interval: 10m
+  interval: 24h
  url: https://helm.traefik.io/traefik
--- a/infrastructure/prod/cert-manager/issuer.yaml
+++ b/infrastructure/prod/cert-manager/issuer.yaml
@@ -0,0 +1,14 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-prod
+spec:
+  acme:
+    email: admin@example.com
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    solvers:
+    - dns01:
+        cloudflare:
+          apiTokenSecretRef:
+            name: cloudflare-api-token-secret
+            key: api-token
--- a/infrastructure/prod/cert-manager/kustomization.yaml
+++ b/infrastructure/prod/cert-manager/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ../../base/cert-manager
--- a/infrastructure/prod/cert-manager/secret.yaml
+++ b/infrastructure/prod/cert-manager/secret.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cloudflare-api-token-secret
+  namespace: cert-manager
+type: Opaque
+stringData:
+  api-token: your-cloudflare-api-token
--- a/infrastructure/prod/traefik/kustomization.yaml
+++ b/infrastructure/prod/traefik/kustomization.yaml
@@ -1,8 +1,11 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - ../../base/podinfo
-patches:
-  - path: podinfo-values.yaml
-    target:
-      kind: HelmRelease
+  - ../../base/traefik
+  - traefik-values.yaml
+
+configMapGenerator:
+  - name: traefik-prod-values
+    namespace: traefik
+    files:
+      - values.yaml
--- a/infrastructure/prod/traefik/release.yaml
+++ b/infrastructure/prod/traefik/release.yaml
@@ -0,0 +1,18 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: traefik
+  namespace: traefik
+spec:
+  interval: 10m
+  chart:
+    spec:
+      chart: traefik
+      version: 28.2.0
+      sourceRef:
+        kind: HelmRepository
+        name: traefik-helm-repo
+      interval: 10m
+  valuesFrom:
+    - kind: ConfigMap
+      name: traefik-prod-values
--- a/infrastructure/prod/traefik/values.yaml
+++ b/infrastructure/prod/traefik/values.yaml
@@ -1,73 +1,35 @@
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: traefik
-  namespace: kube-system
-spec:
-  values:        
-    deployment:
-      initContainers:
-      - name: volume-permissions
-        image: busybox:1.36@sha256:34b191d63fbc93e25e275bfccf1b5365664e5ac28f06d974e8d50090fbb49f41
-        command: ["sh", "-c", "touch /data/acme.json; chown 65532:65532 /data/acme.json; chmod -v 600 /data/acme.json; chown -R 65532:65532 /var/log/traefik"]
-        securityContext:
-          runAsNonRoot: false
-          runAsGroup: 0
-          runAsUser: 0
-        volumeMounts:
-          - name: data
-            mountPath: /data
-          - name: access-log
-            mountPath: /var/log/traefik
-      additionalVolumes:
-      - name: access-log
-        hostPath:
-          path:  /var/log/traefik/
-    certResolvers:
-      letsencrypt:
-        email: admin@example.com
-        dnsChallenge:
-          provider: cloudflare
-          delayBeforeCheck: 30
-          resolvers:
-          - 1.1.1.1
-          - 8.8.8.8
-        storage: /data/acme.json
-    envFrom:
-    - secretRef:
-        name: traefik-cf-secret
-    additionalVolumeMounts:
-    - name: access-log
-      mountPath: /var/log/traefik/
-    logs:
-      access:
-        enabled: true
-        filePath: /var/log/traefik/access.log
-    ingressRoute:
-      dashboard:
-        enabled: true
-        matchRule: Host(`traefik.namesny.com`)
-        entryPoints: ["websecure"]
-        middlewares:
-          - name: "auth-authelia@kubernetescrd"
-    providers:
-      kubernetesCRD:
-        allowCrossNamespace: true
-    persistence:
+deployment:
+  additionalVolumes:
+  - name: access-log
+    hostPath:
+      path:  /var/log/traefik/
+additionalVolumeMounts:
+- name: access-log
+  mountPath: /var/log/traefik/
+logs:
+  access:
+    enabled: true
+    filePath: /var/log/traefik/access.log
+ingressRoute:
+  dashboard:
+    enabled: true
+    matchRule: Host(`traefik.namesny.com`)
+    entryPoints: ["websecure"]
+    middlewares:
+      - name: "auth-authelia@kubernetescrd"
+providers:
+  kubernetesCRD:
+    allowCrossNamespace: true
+persistence:
+  enabled: true
+  storageClass: retain-local-path
+ports:
+  websecure:
+    tls:
      enabled: true
-      storageClass: retain-local-path
-    ports:
-      websecure:
-        tls:
-          enabled: true
-          certResolver: letsencrypt
-          domains:
-          - main: namesny.com
-            sans:
-            - "*.namesny.com"
-      web:
-        redirectTo:
-          port: websecure
-    service:
-      spec:
-        externalTrafficPolicy: Local
+  web:
+    redirectTo:
+      port: websecure
+service:
+  spec:
+    externalTrafficPolicy: Local