From af3a547813aabd29ee876da847ded281187ad8cb Mon Sep 17 00:00:00 2001
From: LordMathis
Date: Tue, 17 Sep 2024 22:43:27 +0200
Subject: [PATCH] Add cert-manager
---
.../base/cert-manager/kustomization.yaml | 8 ++
.../base/cert-manager/namespace.yaml | 4 +
infrastructure/base/cert-manager/release.yaml | 18 +++
.../base/cert-manager/repository.yaml | 8 ++
.../base/traefik/kustomization.yaml | 5 +-
infrastructure/base/traefik/namespace.yaml | 4 +
infrastructure/base/traefik/release.yaml | 6 +-
infrastructure/base/traefik/repository.yaml | 4 +-
infrastructure/prod/cert-manager/issuer.yaml | 14 +++
.../prod/cert-manager/kustomization.yaml | 4 +
infrastructure/prod/cert-manager/secret.yaml | 8 ++
.../prod/traefik/kustomization.yaml | 13 ++-
infrastructure/prod/traefik/release.yaml | 18 +++
infrastructure/prod/traefik/values.yaml | 106 ++++++------------
14 files changed, 135 insertions(+), 85 deletions(-)
create mode 100644 infrastructure/base/cert-manager/kustomization.yaml
create mode 100644 infrastructure/base/cert-manager/namespace.yaml
create mode 100644 infrastructure/base/cert-manager/release.yaml
create mode 100644 infrastructure/base/cert-manager/repository.yaml
create mode 100644 infrastructure/base/traefik/namespace.yaml
create mode 100644 infrastructure/prod/cert-manager/issuer.yaml
create mode 100644 infrastructure/prod/cert-manager/kustomization.yaml
create mode 100644 infrastructure/prod/cert-manager/secret.yaml
create mode 100644 infrastructure/prod/traefik/release.yaml
diff --git a/infrastructure/base/cert-manager/kustomization.yaml b/infrastructure/base/cert-manager/kustomization.yaml
new file mode 100644
index 0000000..17e8d1c
--- /dev/null
+++ b/infrastructure/base/cert-manager/kustomization.yaml
@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: cert-manager
+
+resources:
+ - namespace.yaml
+ - repository.yaml
+ - release.yaml
\ No newline at end of file
diff --git a/infrastructure/base/cert-manager/namespace.yaml b/infrastructure/base/cert-manager/namespace.yaml new file mode 100644 index 0000000..c90416f --- /dev/null +++ b/infrastructure/base/cert-manager/namespace.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: cert-manager diff --git a/infrastructure/base/cert-manager/release.yaml b/infrastructure/base/cert-manager/release.yaml new file mode 100644 index 0000000..c571dc5 --- /dev/null +++ b/infrastructure/base/cert-manager/release.yaml @@ -0,0 +1,18 @@ +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: cert-manager + namespace: cert-manager +spec: + interval: 30m + chart: + spec: + chart: cert-manager + version: "1.x" + sourceRef: + kind: HelmRepository + name: cert-manager + namespace: cert-manager + interval: 12h + values: + installCRDs: true \ No newline at end of file diff --git a/infrastructure/base/cert-manager/repository.yaml b/infrastructure/base/cert-manager/repository.yaml new file mode 100644 index 0000000..4649dcf --- /dev/null +++ b/infrastructure/base/cert-manager/repository.yaml @@ -0,0 +1,8 @@ +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: cert-manager + namespace: cert-manager +spec: + interval: 24h + url: https://charts.jetstack.io diff --git a/infrastructure/base/traefik/kustomization.yaml b/infrastructure/base/traefik/kustomization.yaml index 50ca97a..316dfc6 100644 --- a/infrastructure/base/traefik/kustomization.yaml +++ b/infrastructure/base/traefik/kustomization.yaml @@ -1,7 +1,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: kube-system +namespace: traefik resources: + - namespace.yaml - repository.yaml - - release.yaml + - release.yaml \ No newline at end of file diff --git a/infrastructure/base/traefik/namespace.yaml b/infrastructure/base/traefik/namespace.yaml new file mode 100644 index 0000000..c088a91 --- /dev/null +++ b/infrastructure/base/traefik/namespace.yaml 
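Review bot: The new `cert-manager` Namespace carries no Pod Security Admission labels, so workloads admitted into it get whatever the cluster-wide default is. cert-manager's own components are documented as running non-root with a restricted-compatible security context (confirm for the chart version Flux resolves), so the namespace can be enforced at the strictest level by adding under `metadata` the lines `labels:` / `  pod-security.kubernetes.io/enforce: restricted` / `  pod-security.kubernetes.io/enforce-version: latest`. If the cluster does not run the PSA plugin the labels are inert, so there is no downside to adding them now.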
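Review bot: `version: "1.x"` lets Flux roll cert-manager forward to any 1.y.z the Jetstack repository publishes, on the 12h chart interval, with no review step and no provenance check (a `HelmRepository` over HTTPS verifies transport only, not who built the chart). A controller that holds every TLS private key and ACME account key in the cluster should be pinned the way the Traefik release beside it is (`version: 28.2.0`), e.g. `version: "1.15.3"`, with upgrades landing as explicit commits. Two smaller points: recent charts have superseded `installCRDs` with `crds.enabled`/`crds.keep` (check the resolved version), and once the CRDs exist it is Flux's `upgrade: crds: CreateReplace` policy, not the chart value, that updates them on upgrade.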
@@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: traefik diff --git a/infrastructure/base/traefik/release.yaml b/infrastructure/base/traefik/release.yaml index 5f97447..f7015fa 100644 --- a/infrastructure/base/traefik/release.yaml +++ b/infrastructure/base/traefik/release.yaml @@ -2,7 +2,7 @@ apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: traefik - namespace: kube-system + namespace: traefik spec: interval: 10m chart: @@ -11,7 +11,5 @@ spec: version: 28.2.0 sourceRef: kind: HelmRepository - name: traefik + name: traefik-helm-repo interval: 10m - values: - replicaCount: 2 \ No newline at end of file diff --git a/infrastructure/base/traefik/repository.yaml b/infrastructure/base/traefik/repository.yaml index 0790e65..333b0f8 100644 --- a/infrastructure/base/traefik/repository.yaml +++ b/infrastructure/base/traefik/repository.yaml @@ -2,7 +2,7 @@ apiVersion: source.toolkit.fluxcd.io/v1 kind: HelmRepository metadata: name: traefik-helm-repo - namespace: kube-system + namespace: traefik spec: - interval: 10m + interval: 24h url: https://helm.traefik.io/traefik \ No newline at end of file diff --git a/infrastructure/prod/cert-manager/issuer.yaml b/infrastructure/prod/cert-manager/issuer.yaml new file mode 100644 index 0000000..6dcfeed --- /dev/null +++ b/infrastructure/prod/cert-manager/issuer.yaml @@ -0,0 +1,14 @@ +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: letsencrypt-prod +spec: + acme: + email: admin@example.com + server: https://acme-staging-v02.api.letsencrypt.org/directory + solvers: + - dns01: + cloudflare: + apiTokenSecretRef: + name: cloudflare-api-token-secret + key: api-token \ No newline at end of file diff --git a/infrastructure/prod/cert-manager/kustomization.yaml b/infrastructure/prod/cert-manager/kustomization.yaml new file mode 100644 index 0000000..79a86a0 --- /dev/null +++ b/infrastructure/prod/cert-manager/kustomization.yaml 
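Review bot: The removed `values: replicaCount: 2` is not reinstated anywhere in the new prod `values.yaml`, so after this change the Traefik release runs on the chart's default single replica, leaving the edge proxy with no redundancy and a brief outage on every rollout. As far as I can tell the traefik chart reads `deployment.replicas` rather than a top-level `replicaCount`, so the old value may never have applied either — worth checking the running Deployment's replica count. If two pods are intended, add `replicas: 2` under the `deployment:` stanza that the prod `values.yaml` already has, rather than restoring an unread key in the base.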
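Review bot: The ClusterIssuer is named `letsencrypt-prod` but `server` points at `https://acme-staging-v02.api.letsencrypt.org/directory`, so every certificate it issues is signed by the Let's Encrypt staging CA, which no browser trusts; either rename it `letsencrypt-staging` or switch to `https://acme-v02.api.letsencrypt.org/directory`, keeping a separate staging issuer for experiments since the production endpoint rate-limits failed orders. The `acme` stanza is also missing `privateKeySecretRef`, which cert-manager requires for storing the ACME account key, e.g. `privateKeySecretRef:` / `  name: letsencrypt-prod-account-key` directly after `server`. `email: admin@example.com` is a placeholder; expiry and revocation notices are sent there, so it should be a monitored mailbox. Because this is a ClusterIssuer, `cloudflare-api-token-secret` is resolved in cert-manager's cluster resource namespace (`cert-manager` by default), which does match where `secret.yaml` places it.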
@@ -0,0 +1,4 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ../../base/cert-manager diff --git a/infrastructure/prod/cert-manager/secret.yaml b/infrastructure/prod/cert-manager/secret.yaml new file mode 100644 index 0000000..efe8777 --- /dev/null +++ b/infrastructure/prod/cert-manager/secret.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: Secret +metadata: + name: cloudflare-api-token-secret + namespace: cert-manager +type: Opaque +stringData: + api-token: your-cloudflare-api-token \ No newline at end of file diff --git a/infrastructure/prod/traefik/kustomization.yaml b/infrastructure/prod/traefik/kustomization.yaml index f17f2c1..bb941d7 100644 --- a/infrastructure/prod/traefik/kustomization.yaml +++ b/infrastructure/prod/traefik/kustomization.yaml @@ -1,8 +1,11 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - ../../base/podinfo -patches: - - path: podinfo-values.yaml - target: - kind: HelmRelease \ No newline at end of file + - ../../base/traefik + - traefik-values.yaml + +configMapGenerator: + - name: traefik-prod-values + namespace: traefik + files: + - values.yaml \ No newline at end of file diff --git a/infrastructure/prod/traefik/release.yaml b/infrastructure/prod/traefik/release.yaml new file mode 100644 index 0000000..ea86ae3 --- /dev/null +++ b/infrastructure/prod/traefik/release.yaml @@ -0,0 +1,18 @@ +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: traefik + namespace: traefik +spec: + interval: 10m + chart: + spec: + chart: traefik + version: 28.2.0 + sourceRef: + kind: HelmRepository + name: traefik-helm-repo + interval: 10m + valuesFrom: + - kind: ConfigMap + name: traefik-prod-values \ No newline at end of file diff --git a/infrastructure/prod/traefik/values.yaml b/infrastructure/prod/traefik/values.yaml index 7694ffc..83ee781 100644 --- a/infrastructure/prod/traefik/values.yaml +++ b/infrastructure/prod/traefik/values.yaml 
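Review bot: `resources` lists only `../../base/cert-manager`, so the `issuer.yaml` and `secret.yaml` added beside this file in the same commit are never rendered — kustomize emits only what is referenced, and as written the prod overlay installs cert-manager with no issuer at all. Add `  - issuer.yaml` and `  - secret.yaml` (or whatever encrypted form the secret ends up in), unless a separate Flux Kustomization not visible here targets those files. Note that the ClusterIssuer depends on the CRDs the HelmRelease installs, so if both are applied by the same Flux Kustomization the first reconcile may fail until cert-manager is up; putting the issuer in its own Kustomization with `dependsOn` avoids that race.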
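Review bot: This commits a Kubernetes Secret in plaintext to a GitOps repository; the placeholder `your-cloudflare-api-token` is harmless today, but the file invites the real token to be substituted in place, and any real value here would be readable by everyone with repo access and preserved in history forever. Keep the manifest but store the value encrypted (SOPS with Flux's `decryption` block, or a SealedSecret/ExternalSecret that resolves it at runtime), and create the real token with the minimum Cloudflare scope for DNS-01 (`Zone - DNS - Edit` plus `Zone - Zone - Read`, restricted to the one zone). Quoting the value, `api-token: "your-cloudflare-api-token"`, is also worth doing so a token that starts with a YAML indicator or is all digits is not re-typed by the parser.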
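Review bot: `resources` names `traefik-values.yaml`, a file this commit does not add (the values file it creates is `values.yaml`, already consumed by the generator below), so `kustomize build` of this overlay fails on a missing resource — and a Helm values file is not a Kubernetes object, so it could not be a resource even under the right name. The new `prod/traefik/release.yaml` is not listed either, so its `valuesFrom` never reaches the cluster; if it were listed as a resource it would collide with the base HelmRelease of the same name, so it belongs in `patches` instead. Finally, `configMapGenerator` appends a content hash to the ConfigMap name by default and kustomize does not rewrite the name inside `HelmRelease.spec.valuesFrom`, so `name: traefik-prod-values` would not match; `generatorOptions.disableNameSuffixHash: true` (or a nameReference configuration for HelmRelease) is needed.

```yaml
resources:
  - ../../base/traefik

patches:
  - path: release.yaml
    target:
      kind: HelmRelease
      name: traefik

generatorOptions:
  disableNameSuffixHash: true

configMapGenerator:
  - name: traefik-prod-values
    namespace: traefik
    files:
      - values.yaml
```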
@@ -1,73 +1,35 @@ -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: traefik - namespace: kube-system -spec: - values: - deployment: - initContainers: - - name: volume-permissions - image: busybox:1.36@sha256:34b191d63fbc93e25e275bfccf1b5365664e5ac28f06d974e8d50090fbb49f41 - command: ["sh", "-c", "touch /data/acme.json; chown 65532:65532 /data/acme.json; chmod -v 600 /data/acme.json; chown -R 65532:65532 /var/log/traefik"] - securityContext: - runAsNonRoot: false - runAsGroup: 0 - runAsUser: 0 - volumeMounts: - - name: data - mountPath: /data - - name: access-log - mountPath: /var/log/traefik - additionalVolumes: - - name: access-log - hostPath: - path: /var/log/traefik/ - certResolvers: - letsencrypt: - email: admin@example.com - dnsChallenge: - provider: cloudflare - delayBeforeCheck: 30 - resolvers: - - 1.1.1.1 - - 8.8.8.8 - storage: /data/acme.json - envFrom: - - secretRef: - name: traefik-cf-secret - additionalVolumeMounts: - - name: access-log - mountPath: /var/log/traefik/ - logs: - access: - enabled: true - filePath: /var/log/traefik/access.log - ingressRoute: - dashboard: - enabled: true - matchRule: Host(`traefik.namesny.com`) - entryPoints: ["websecure"] - middlewares: - - name: "auth-authelia@kubernetescrd" - providers: - kubernetesCRD: - allowCrossNamespace: true - persistence: +deployment: + additionalVolumes: + - name: access-log + hostPath: + path: /var/log/traefik/ +additionalVolumeMounts: +- name: access-log + mountPath: /var/log/traefik/ +logs: + access: + enabled: true + filePath: /var/log/traefik/access.log +ingressRoute: + dashboard: + enabled: true + matchRule: Host(`traefik.namesny.com`) + entryPoints: ["websecure"] + middlewares: + - name: "auth-authelia@kubernetescrd" +providers: + kubernetesCRD: + allowCrossNamespace: true +persistence: + enabled: true + storageClass: retain-local-path +ports: + websecure: + tls: enabled: true - storageClass: retain-local-path - ports: - websecure: - tls: - enabled: true - 
certResolver: letsencrypt - domains: - - main: namesny.com - sans: - - "*.namesny.com" - web: - redirectTo: - port: websecure - service: - spec: - externalTrafficPolicy: Local + web: + redirectTo: + port: websecure +service: + spec: + externalTrafficPolicy: Local
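Review bot: The `certResolvers.letsencrypt` block, the `envFrom` secret and `ports.websecure.tls.certResolver`/`domains` are removed, but nothing in this commit replaces them: `ports.websecure.tls.enabled: true` stays, and with no cert-manager `Certificate` for `namesny.com`/`*.namesny.com` and no default `TLSStore` pointing at its secret, Traefik will present its built-in self-signed certificate on 443. Add a `Certificate` in the `traefik` namespace issued by `letsencrypt-prod` and a `TLSStore` named `default` whose `defaultCertificate.secretName` references it (sketch below, as a new `prod/traefik/certificate.yaml`), or keep the resolver until that exists. Separately, the `hostPath` mount of `/var/log/traefik/` survives while the root init container that created and `chown`ed it is gone, so the non-root Traefik process (chart default UID 65532 — confirm) may be unable to write `access.log`, and a hostPath volume on an internet-facing pod is a node-escape surface that also rules out the `baseline`/`restricted` PSA levels; writing access logs to stdout and collecting them with the node's log agent avoids both. `providers.kubernetesCRD.allowCrossNamespace: true` lets an IngressRoute in any namespace reference middlewares and services in any other — required for `auth-authelia@kubernetescrd` here, but it also means a compromised namespace can route traffic to services it does not own, so a comment such as `# cross-namespace refs needed for the authelia middleware; every namespace can then target every service` should record that this is deliberate.

```yaml
# prod/traefik/certificate.yaml — replaces the removed ACME certResolver
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: namesny-com-wildcard
  namespace: traefik
spec:
  secretName: namesny-com-wildcard-tls
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  dnsNames:
    - namesny.com
    - "*.namesny.com"
---
apiVersion: traefik.io/v1alpha1
kind: TLSStore
metadata:
  name: default
  namespace: traefik
spec:
  defaultCertificate:
    secretName: namesny-com-wildcard-tls
```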