Add cert-manager

infrastructure/base/cert-manager/kustomization.yaml

@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: cert-manager
+
+resources:
+  - namespace.yaml
+  - repository.yaml
+  - release.yaml

infrastructure/base/cert-manager/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: cert-manager

infrastructure/base/cert-manager/release.yaml

@@ -0,0 +1,18 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: cert-manager
+  namespace: cert-manager
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: cert-manager
+      version: "1.x"
+      sourceRef:
+        kind: HelmRepository
+        name: cert-manager
+        namespace: cert-manager
+      interval: 12h
+  values:
+    installCRDs: true

infrastructure/base/cert-manager/repository.yaml

@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: cert-manager
+  namespace: cert-manager
+spec:
+  interval: 24h
+  url: https://charts.jetstack.io

infrastructure/base/traefik/kustomization.yaml

@@ -1,7 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: kube-system
+namespace: traefik
 
 resources:
+  - namespace.yaml
   - repository.yaml
   - release.yaml

infrastructure/base/traefik/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: traefik

infrastructure/base/traefik/release.yaml

@@ -2,7 +2,7 @@ apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
   name: traefik
-  namespace: kube-system
+  namespace: traefik
 spec:
   interval: 10m
   chart:
@@ -11,7 +11,5 @@ spec:
       version: 28.2.0
       sourceRef:
         kind: HelmRepository
-        name: traefik
+        name: traefik-helm-repo
       interval: 10m
-  values:
-    replicaCount: 2

infrastructure/base/traefik/repository.yaml

@@ -2,7 +2,7 @@ apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
   name: traefik-helm-repo
-  namespace: kube-system
+  namespace: traefik
 spec:
-  interval: 10m
+  interval: 24h
   url: https://helm.traefik.io/traefik

infrastructure/prod/cert-manager/issuer.yaml

@@ -0,0 +1,14 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-prod
+spec:
+  acme:
+    email: admin@example.com
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    solvers:
+    - dns01:
+        cloudflare:
+          apiTokenSecretRef:
+            name: cloudflare-api-token-secret
+            key: api-token

infrastructure/prod/cert-manager/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ../../base/cert-manager

infrastructure/prod/cert-manager/secret.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cloudflare-api-token-secret
+  namespace: cert-manager
+type: Opaque
+stringData:
+  api-token: your-cloudflare-api-token

infrastructure/prod/traefik/kustomization.yaml

@@ -1,8 +1,11 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - ../../base/podinfo
+  - ../../base/traefik
-patches:
+  - traefik-values.yaml
-  - path: podinfo-values.yaml
+
-    target:
+configMapGenerator:
-      kind: HelmRelease
+  - name: traefik-prod-values
+    namespace: traefik
+    files:
+      - values.yaml

infrastructure/prod/traefik/release.yaml

@@ -0,0 +1,18 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: traefik
+  namespace: traefik
+spec:
+  interval: 10m
+  chart:
+    spec:
+      chart: traefik
+      version: 28.2.0
+      sourceRef:
+        kind: HelmRepository
+        name: traefik-helm-repo
+      interval: 10m
+  valuesFrom:
+    - kind: ConfigMap
+      name: traefik-prod-values

infrastructure/prod/traefik/values.yaml

@@ -1,73 +1,35 @@
-apiVersion: helm.toolkit.fluxcd.io/v2
+deployment:
-kind: HelmRelease
-metadata:
-  name: traefik
-  namespace: kube-system
-spec:
-  values:        
-    deployment:
-      initContainers:
-      - name: volume-permissions
-        image: busybox:1.36@sha256:34b191d63fbc93e25e275bfccf1b5365664e5ac28f06d974e8d50090fbb49f41
-        command: ["sh", "-c", "touch /data/acme.json; chown 65532:65532 /data/acme.json; chmod -v 600 /data/acme.json; chown -R 65532:65532 /var/log/traefik"]
-        securityContext:
-          runAsNonRoot: false
-          runAsGroup: 0
-          runAsUser: 0
-        volumeMounts:
-          - name: data
-            mountPath: /data
-          - name: access-log
-            mountPath: /var/log/traefik
   additionalVolumes:
   - name: access-log
     hostPath:
       path:  /var/log/traefik/
-    certResolvers:
+additionalVolumeMounts:
-      letsencrypt:
+- name: access-log
-        email: admin@example.com
-        dnsChallenge:
-          provider: cloudflare
-          delayBeforeCheck: 30
-          resolvers:
-          - 1.1.1.1
-          - 8.8.8.8
-        storage: /data/acme.json
-    envFrom:
-    - secretRef:
-        name: traefik-cf-secret
-    additionalVolumeMounts:
-    - name: access-log
   mountPath: /var/log/traefik/
-    logs:
+logs:
   access:
     enabled: true
     filePath: /var/log/traefik/access.log
-    ingressRoute:
+ingressRoute:
   dashboard:
     enabled: true
     matchRule: Host(`traefik.namesny.com`)
     entryPoints: ["websecure"]
     middlewares:
       - name: "auth-authelia@kubernetescrd"
-    providers:
+providers:
   kubernetesCRD:
     allowCrossNamespace: true
-    persistence:
+persistence:
   enabled: true
   storageClass: retain-local-path
-    ports:
+ports:
   websecure:
     tls:
       enabled: true
-          certResolver: letsencrypt
-          domains:
-          - main: namesny.com
-            sans:
-            - "*.namesny.com"
   web:
     redirectTo:
       port: websecure
-    service:
+service:
   spec:
     externalTrafficPolicy: Local