Add cert-manager

infrastructure/base/cert-manager/kustomization.yaml

@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: cert-manager
+
+resources:
+  - namespace.yaml
+  - repository.yaml
+  - release.yaml

infrastructure/base/cert-manager/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: cert-manager

infrastructure/base/cert-manager/release.yaml

@@ -0,0 +1,18 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: cert-manager
+  namespace: cert-manager
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: cert-manager
+      version: "1.x"
+      sourceRef:
+        kind: HelmRepository
+        name: cert-manager
+        namespace: cert-manager
+      interval: 12h
+  values:
+    installCRDs: true

infrastructure/base/cert-manager/repository.yaml

@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: cert-manager
+  namespace: cert-manager
+spec:
+  interval: 24h
+  url: https://charts.jetstack.io

infrastructure/base/traefik/kustomization.yaml

@@ -1,7 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: kube-system
+namespace: traefik
 
 resources:
+  - namespace.yaml
   - repository.yaml
-  - release.yaml
+  - release.yaml

infrastructure/base/traefik/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: traefik

infrastructure/base/traefik/release.yaml

@@ -2,7 +2,7 @@ apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
   name: traefik
-  namespace: kube-system
+  namespace: traefik
 spec:
   interval: 10m
   chart:
@@ -11,7 +11,5 @@ spec:
       version: 28.2.0
       sourceRef:
         kind: HelmRepository
-        name: traefik
+        name: traefik-helm-repo
       interval: 10m
-  values:
-    replicaCount: 2

infrastructure/base/traefik/repository.yaml

@@ -2,7 +2,7 @@ apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
   name: traefik-helm-repo
-  namespace: kube-system
+  namespace: traefik
 spec:
-  interval: 10m
+  interval: 24h
   url: https://helm.traefik.io/traefik

infrastructure/prod/cert-manager/issuer.yaml

@@ -0,0 +1,14 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-prod
+spec:
+  acme:
+    email: admin@example.com
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    solvers:
+    - dns01:
+        cloudflare:
+          apiTokenSecretRef:
+            name: cloudflare-api-token-secret
+            key: api-token

infrastructure/prod/cert-manager/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ../../base/cert-manager

infrastructure/prod/cert-manager/secret.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cloudflare-api-token-secret
+  namespace: cert-manager
+type: Opaque
+stringData:
+  api-token: your-cloudflare-api-token

infrastructure/prod/traefik/kustomization.yaml

@@ -1,8 +1,11 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - ../../base/podinfo
+  - ../../base/traefik
-patches:
+  - traefik-values.yaml
-  - path: podinfo-values.yaml
+
-    target:
+configMapGenerator:
-      kind: HelmRelease
+  - name: traefik-prod-values
+    namespace: traefik
+    files:
+      - values.yaml

infrastructure/prod/traefik/release.yaml

@@ -0,0 +1,18 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: traefik
+  namespace: traefik
+spec:
+  interval: 10m
+  chart:
+    spec:
+      chart: traefik
+      version: 28.2.0
+      sourceRef:
+        kind: HelmRepository
+        name: traefik-helm-repo
+      interval: 10m
+  valuesFrom:
+    - kind: ConfigMap
+      name: traefik-prod-values

infrastructure/prod/traefik/values.yaml

@@ -1,73 +1,35 @@
-apiVersion: helm.toolkit.fluxcd.io/v2
+deployment:
-kind: HelmRelease
+  additionalVolumes:
-metadata:
+  - name: access-log
-  name: traefik
+    hostPath:
-  namespace: kube-system
+      path:  /var/log/traefik/
-spec:
+additionalVolumeMounts:
-  values:        
+- name: access-log
-    deployment:
+  mountPath: /var/log/traefik/
-      initContainers:
+logs:
-      - name: volume-permissions
+  access:
-        image: busybox:1.36@sha256:34b191d63fbc93e25e275bfccf1b5365664e5ac28f06d974e8d50090fbb49f41
+    enabled: true
-        command: ["sh", "-c", "touch /data/acme.json; chown 65532:65532 /data/acme.json; chmod -v 600 /data/acme.json; chown -R 65532:65532 /var/log/traefik"]
+    filePath: /var/log/traefik/access.log
-        securityContext:
+ingressRoute:
-          runAsNonRoot: false
+  dashboard:
-          runAsGroup: 0
+    enabled: true
-          runAsUser: 0
+    matchRule: Host(`traefik.namesny.com`)
-        volumeMounts:
+    entryPoints: ["websecure"]
-          - name: data
+    middlewares:
-            mountPath: /data
+      - name: "auth-authelia@kubernetescrd"
-          - name: access-log
+providers:
-            mountPath: /var/log/traefik
+  kubernetesCRD:
-      additionalVolumes:
+    allowCrossNamespace: true
-      - name: access-log
+persistence:
-        hostPath:
+  enabled: true
-          path:  /var/log/traefik/
+  storageClass: retain-local-path
-    certResolvers:
+ports:
-      letsencrypt:
+  websecure:
-        email: admin@example.com
+    tls:
-        dnsChallenge:
-          provider: cloudflare
-          delayBeforeCheck: 30
-          resolvers:
-          - 1.1.1.1
-          - 8.8.8.8
-        storage: /data/acme.json
-    envFrom:
-    - secretRef:
-        name: traefik-cf-secret
-    additionalVolumeMounts:
-    - name: access-log
-      mountPath: /var/log/traefik/
-    logs:
-      access:
-        enabled: true
-        filePath: /var/log/traefik/access.log
-    ingressRoute:
-      dashboard:
-        enabled: true
-        matchRule: Host(`traefik.namesny.com`)
-        entryPoints: ["websecure"]
-        middlewares:
-          - name: "auth-authelia@kubernetescrd"
-    providers:
-      kubernetesCRD:
-        allowCrossNamespace: true
-    persistence:
       enabled: true
-      storageClass: retain-local-path
+  web:
-    ports:
+    redirectTo:
-      websecure:
+      port: websecure
-        tls:
+service:
-          enabled: true
+  spec:
-          certResolver: letsencrypt
+    externalTrafficPolicy: Local
-          domains:
-          - main: namesny.com
-            sans:
-            - "*.namesny.com"
-      web:
-        redirectTo:
-          port: websecure
-    service:
-      spec:
-        externalTrafficPolicy: Local