
refactor(cert-manager): add tls ks #3302

Merged
merged 1 commit into from
Jan 13, 2025


buroa

@buroa buroa commented Jan 13, 2025

No description provided.

@bot-blake bot-blake bot added the area/kubernetes Changes made in the kubernetes directory label Jan 13, 2025

bot-blake bot commented Jan 13, 2025

--- kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/nginx-certificates

+++ kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/nginx-certificates

@@ -1,38 +0,0 @@

----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  labels:
-    kustomize.toolkit.fluxcd.io/name: cluster-apps
-    kustomize.toolkit.fluxcd.io/namespace: flux-system
-  name: nginx-certificates
-  namespace: flux-system
-spec:
-  commonMetadata:
-    labels:
-      app.kubernetes.io/name: nginx-certificates
-  decryption:
-    provider: sops
-    secretRef:
-      name: sops-age
-  dependsOn:
-  - name: cert-manager-issuers
-  interval: 30m
-  path: ./kubernetes/apps/networking/nginx/certificates
-  postBuild:
-    substituteFrom:
-    - kind: ConfigMap
-      name: cluster-settings
-      optional: true
-    - kind: Secret
-      name: cluster-secrets
-      optional: true
-  prune: true
-  retryInterval: 1m
-  sourceRef:
-    kind: GitRepository
-    name: flux-system
-  targetNamespace: networking
-  timeout: 5m
-  wait: true
-
--- kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/nginx-external

+++ kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/nginx-external

@@ -13,13 +13,13 @@

       app.kubernetes.io/name: nginx-external
   decryption:
     provider: sops
     secretRef:
       name: sops-age
   dependsOn:
-  - name: nginx-certificates
+  - name: cert-manager-tls
   interval: 30m
   path: ./kubernetes/apps/networking/nginx/external
   postBuild:
     substituteFrom:
     - kind: ConfigMap
       name: cluster-settings
--- kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/nginx-internal

+++ kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/nginx-internal

@@ -13,13 +13,13 @@

       app.kubernetes.io/name: nginx-internal
   decryption:
     provider: sops
     secretRef:
       name: sops-age
   dependsOn:
-  - name: nginx-certificates
+  - name: cert-manager-tls
   interval: 30m
   path: ./kubernetes/apps/networking/nginx/internal
   postBuild:
     substituteFrom:
     - kind: ConfigMap
       name: cluster-settings
--- kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/cert-manager-tls

+++ kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/cert-manager-tls

@@ -0,0 +1,38 @@

+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  labels:
+    kustomize.toolkit.fluxcd.io/name: cluster-apps
+    kustomize.toolkit.fluxcd.io/namespace: flux-system
+  name: cert-manager-tls
+  namespace: flux-system
+spec:
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: cert-manager-tls
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age
+  dependsOn:
+  - name: cert-manager-issuers
+  interval: 30m
+  path: ./kubernetes/apps/cert-manager/cert-manager/tls
+  postBuild:
+    substituteFrom:
+    - kind: ConfigMap
+      name: cluster-settings
+      optional: true
+    - kind: Secret
+      name: cluster-secrets
+      optional: true
+  prune: true
+  retryInterval: 1m
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  targetNamespace: cert-manager
+  timeout: 5m
+  wait: true
+
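Review bot: The new `cert-manager-tls` Kustomization carries the SOPS `decryption` block and the `cluster-secrets` entry of `substituteFrom` over from the deleted `nginx-certificates` one, yet the only resource under `./kubernetes/apps/cert-manager/cert-manager/tls` visible in this PR is a plain Certificate with no encrypted data and no `${...}` placeholders. Keeping the set of Kustomizations that can read `sops-age` and `cluster-secrets` minimal is cheap here: drop `decryption` and the `kind: Secret` substituteFrom entry unless the path holds encrypted files not shown in this diff. If they are kept on purpose, a comment such as `# decryption/substitution retained for sops-encrypted manifests expected in this path` above `decryption:` would record why.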
--- kubernetes/apps/cert-manager/cert-manager/issuers Kustomization: flux-system/cert-manager-issuers ExternalSecret: cert-manager/cloudflare

+++ kubernetes/apps/cert-manager/cert-manager/issuers Kustomization: flux-system/cert-manager-issuers ExternalSecret: cert-manager/cloudflare

@@ -1,25 +0,0 @@

----
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
-  labels:
-    app.kubernetes.io/name: cert-manager-issuers
-    kustomize.toolkit.fluxcd.io/name: cert-manager-issuers
-    kustomize.toolkit.fluxcd.io/namespace: flux-system
-  name: cloudflare
-  namespace: cert-manager
-spec:
-  dataFrom:
-  - extract:
-      key: cloudflare
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: onepassword-connect
-  target:
-    creationPolicy: Owner
-    name: cloudflare-secret
-    template:
-      data:
-        CLOUDFLARE_API_TOKEN: '{{ .CLOUDFLARE_API_TOKEN }}'
-      engineVersion: v2
-
--- kubernetes/apps/cert-manager/cert-manager/issuers Kustomization: flux-system/cert-manager-issuers ClusterIssuer: cert-manager/letsencrypt-production

+++ kubernetes/apps/cert-manager/cert-manager/issuers Kustomization: flux-system/cert-manager-issuers ClusterIssuer: cert-manager/letsencrypt-production

@@ -16,12 +16,12 @@

     server: https://acme-v02.api.letsencrypt.org/directory
     solvers:
     - dns01:
         cloudflare:
           apiTokenSecretRef:
             key: CLOUDFLARE_API_TOKEN
-            name: cloudflare-secret
+            name: cloudflare-issuer-secret
           email: skre@skre.me
       selector:
         dnsZones:
         - ktwo.io
 
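Review bot: The rename to `cloudflare-issuer-secret` matches the target of the new `cloudflare-issuer` ExternalSecret later in this diff, but the old `cloudflare-secret` disappears with the old ExternalSecret (its `creationPolicy: Owner` means ESO removes the Secret it owned, presumably once Flux prunes the object), so until ESO has synced the new name the dns01 solver has no token and any renewal in that window fails with a missing-secret error — transient, but visible in cert-manager logs. Separately, this PR deletes `letsencrypt-staging` (next hunk), leaving only the production issuer, so any later solver or issuer experiment counts against Let's Encrypt production rate limits; worth a comment above `server:` such as `# production-only: re-add the staging issuer before testing solver changes`.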
--- kubernetes/apps/cert-manager/cert-manager/issuers Kustomization: flux-system/cert-manager-issuers ClusterIssuer: cert-manager/letsencrypt-staging

+++ kubernetes/apps/cert-manager/cert-manager/issuers Kustomization: flux-system/cert-manager-issuers ClusterIssuer: cert-manager/letsencrypt-staging

@@ -1,27 +0,0 @@

----
-apiVersion: cert-manager.io/v1
-kind: ClusterIssuer
-metadata:
-  labels:
-    app.kubernetes.io/name: cert-manager-issuers
-    kustomize.toolkit.fluxcd.io/name: cert-manager-issuers
-    kustomize.toolkit.fluxcd.io/namespace: flux-system
-  name: letsencrypt-staging
-  namespace: cert-manager
-spec:
-  acme:
-    email: skre@skre.me
-    privateKeySecretRef:
-      name: letsencrypt-staging
-    server: https://acme-staging-v02.api.letsencrypt.org/directory
-    solvers:
-    - dns01:
-        cloudflare:
-          apiTokenSecretRef:
-            key: CLOUDFLARE_API_TOKEN
-            name: cloudflare-secret
-          email: skre@skre.me
-      selector:
-        dnsZones:
-        - ktwo.io
-
--- kubernetes/apps/cert-manager/cert-manager/issuers Kustomization: flux-system/cert-manager-issuers ExternalSecret: cert-manager/cloudflare-issuer

+++ kubernetes/apps/cert-manager/cert-manager/issuers Kustomization: flux-system/cert-manager-issuers ExternalSecret: cert-manager/cloudflare-issuer

@@ -0,0 +1,25 @@

+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  labels:
+    app.kubernetes.io/name: cert-manager-issuers
+    kustomize.toolkit.fluxcd.io/name: cert-manager-issuers
+    kustomize.toolkit.fluxcd.io/namespace: flux-system
+  name: cloudflare-issuer
+  namespace: cert-manager
+spec:
+  dataFrom:
+  - extract:
+      key: cloudflare
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword-connect
+  target:
+    creationPolicy: Owner
+    name: cloudflare-issuer-secret
+    template:
+      data:
+        CLOUDFLARE_API_TOKEN: '{{ .CLOUDFLARE_API_TOKEN }}'
+      engineVersion: v2
+
--- kubernetes/apps/networking/nginx/certificates Kustomization: flux-system/nginx-certificates Certificate: networking/wildcard

+++ kubernetes/apps/networking/nginx/certificates Kustomization: flux-system/nginx-certificates Certificate: networking/wildcard

@@ -1,20 +0,0 @@

----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  labels:
-    app.kubernetes.io/name: nginx-certificates
-    kustomize.toolkit.fluxcd.io/name: nginx-certificates
-    kustomize.toolkit.fluxcd.io/namespace: flux-system
-  name: wildcard
-  namespace: networking
-spec:
-  commonName: ktwo.io
-  dnsNames:
-  - ktwo.io
-  - '*.ktwo.io'
-  issuerRef:
-    kind: ClusterIssuer
-    name: letsencrypt-production
-  secretName: wildcard-tls
-
--- kubernetes/apps/networking/nginx/internal Kustomization: flux-system/nginx-internal HelmRelease: networking/nginx-internal

+++ kubernetes/apps/networking/nginx/internal Kustomization: flux-system/nginx-internal HelmRelease: networking/nginx-internal

@@ -55,13 +55,13 @@

           {"time": "$time_iso8601", "remote_addr": "$proxy_protocol_addr", "x_forwarded_for": "$proxy_add_x_forwarded_for", "request_id": "$req_id", "remote_user": "$remote_user", "bytes_sent": $bytes_sent, "request_time": $request_time, "status": $status, "vhost": "$host", "request_proto": "$server_protocol", "path": "$uri", "request_query": "$args", "request_length": $request_length, "duration": $request_time, "method": "$request_method", "http_referrer": "$http_referer", "http_user_agent": "$http_user_agent"}
         proxy-body-size: 0
         proxy-buffer-size: 16k
         ssl-early-data: true
         ssl-protocols: TLSv1.3 TLSv1.2
       extraArgs:
-        default-ssl-certificate: networking/wildcard-tls
+        default-ssl-certificate: cert-manager/ktwo-io-tls
         publish-status-address: internal.ktwo.io
       ingressClass: internal
       ingressClassResource:
         controllerValue: k8s.io/internal
         default: true
         name: internal
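Review bot: `default-ssl-certificate: cert-manager/ktwo-io-tls` makes this ingress controller read a TLS Secret from a namespace it does not own, so its service account must be allowed to get/list/watch Secrets in `cert-manager`; I believe the ingress-nginx chart's default ClusterRole grants cluster-wide Secret read, which is worth confirming is still in effect rather than namespace-scoped RBAC. A comment above the changed line, `# wildcard cert is issued into the cert-manager namespace and read cross-namespace by both controllers`, would stop the next reader from "fixing" the namespace back to networking. The same change and note apply to the nginx-external HelmRelease hunk that follows.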
--- kubernetes/apps/networking/nginx/external Kustomization: flux-system/nginx-external HelmRelease: networking/nginx-external

+++ kubernetes/apps/networking/nginx/external Kustomization: flux-system/nginx-external HelmRelease: networking/nginx-external

@@ -56,13 +56,13 @@

         proxy-body-size: 0
         proxy-buffer-size: 16k
         ssl-early-data: true
         ssl-protocols: TLSv1.3 TLSv1.2
         use-forwarded-headers: true
       extraArgs:
-        default-ssl-certificate: networking/wildcard-tls
+        default-ssl-certificate: cert-manager/ktwo-io-tls
         publish-status-address: external.ktwo.io
       ingressClass: external
       ingressClassResource:
         controllerValue: k8s.io/external
         default: false
         name: external
--- kubernetes/apps/cert-manager/cert-manager/tls Kustomization: flux-system/cert-manager-tls Certificate: cert-manager/ktwo-io

+++ kubernetes/apps/cert-manager/cert-manager/tls Kustomization: flux-system/cert-manager-tls Certificate: cert-manager/ktwo-io

@@ -0,0 +1,20 @@

+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  labels:
+    app.kubernetes.io/name: cert-manager-tls
+    kustomize.toolkit.fluxcd.io/name: cert-manager-tls
+    kustomize.toolkit.fluxcd.io/namespace: flux-system
+  name: ktwo-io
+  namespace: cert-manager
+spec:
+  commonName: ktwo.io
+  dnsNames:
+  - ktwo.io
+  - '*.ktwo.io'
+  issuerRef:
+    kind: ClusterIssuer
+    name: letsencrypt-production
+  secretName: ktwo-io-tls
+
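Review bot: The new Certificate has no `privateKey` stanza, so cert-manager applies its default `rotationPolicy: Never` and reuses the same private key at every renewal; for a wildcard covering `*.ktwo.io` that is shared by both ingress controllers, add `privateKey:` / `  rotationPolicy: Always` under `spec` so each renewal also rotates the key. Separately, deleting the old `networking/wildcard` Certificate (earlier hunk) does not remove the `wildcard-tls` Secret it issued — cert-manager leaves issued Secrets in place unless the controller runs with the certificate owner-ref option — so that still-valid wildcard key lingers in the `networking` namespace until it is deleted by hand; presumably nothing references it after this PR, but it should be cleaned up.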


bot-blake bot commented Jan 13, 2025

--- HelmRelease: networking/nginx-external Deployment: networking/nginx-external-controller

+++ HelmRelease: networking/nginx-external Deployment: networking/nginx-external-controller

@@ -45,13 +45,13 @@

         - --ingress-class=external
         - --configmap=$(POD_NAMESPACE)/nginx-external-controller
         - --validating-webhook=:8443
         - --validating-webhook-certificate=/usr/local/certificates/cert
         - --validating-webhook-key=/usr/local/certificates/key
         - --enable-metrics=true
-        - --default-ssl-certificate=networking/wildcard-tls
+        - --default-ssl-certificate=cert-manager/ktwo-io-tls
         - --publish-status-address=external.ktwo.io
         securityContext:
           runAsNonRoot: true
           runAsUser: 101
           runAsGroup: 82
           allowPrivilegeEscalation: false
--- HelmRelease: networking/nginx-internal Deployment: networking/nginx-internal-controller

+++ HelmRelease: networking/nginx-internal Deployment: networking/nginx-internal-controller

@@ -45,13 +45,13 @@

         - --ingress-class=internal
         - --configmap=$(POD_NAMESPACE)/nginx-internal-controller
         - --validating-webhook=:8443
         - --validating-webhook-certificate=/usr/local/certificates/cert
         - --validating-webhook-key=/usr/local/certificates/key
         - --enable-metrics=true
-        - --default-ssl-certificate=networking/wildcard-tls
+        - --default-ssl-certificate=cert-manager/ktwo-io-tls
         - --publish-status-address=internal.ktwo.io
         securityContext:
           runAsNonRoot: true
           runAsUser: 101
           runAsGroup: 82
           allowPrivilegeEscalation: false

@buroa buroa merged commit f3c9772 into master Jan 13, 2025
10 checks passed
@buroa buroa deleted the buroa/cert-manager-tls branch January 13, 2025 18:02