add cert-manager

2024-09-21 22:26:30 +01:00 · 2024-09-21 22:26:30 +01:00 · 09d137b092
commit 09d137b092
parent 2bdf2de9d1
12 changed files with 90 additions and 37 deletions
--- a/apps/base/traefik/kustomization.yaml
+++ b/apps/base/traefik/kustomization.yaml
@ -1,7 +0,0 @@
---
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - rbac.yaml
-  - traefik.yaml
-  - svc.yaml
--- a/apps/production/cert-manager/certificates/fascinated-cc.yml
+++ b/apps/production/cert-manager/certificates/fascinated-cc.yml
@ -0,0 +1,15 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: fascinated-cc
+  namespace: traefik
+spec:
+  secretName: fascinated-cc
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "*.fascinated.cc"
+  dnsNames:
+    - "fascinated.cc"
+    - "*.fascinated.cc"
--- a/apps/production/cert-manager/certificates/local-fascinated-cc.yml
+++ b/apps/production/cert-manager/certificates/local-fascinated-cc.yml
@ -0,0 +1,14 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: local-fascinated-cc
+  namespace: traefik
+spec:
+  secretName: local-fascinated-cc
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "*.local.fascinated.cc"
+  dnsNames:
+    - "*.local.fascinated.cc"
--- a/apps/production/cert-manager/certificates/mcutils-xyz.yml
+++ b/apps/production/cert-manager/certificates/mcutils-xyz.yml
@ -0,0 +1,15 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: mcutils-xyz
+  namespace: traefik
+spec:
+  secretName: mcutils-xyz
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "*.mcutils.xyz"
+  dnsNames:
+    - "mcutils.xyz"
+    - "*.mcutils.xyz"
--- a/apps/production/cert-manager/issuer.yml
+++ b/apps/production/cert-manager/issuer.yml
@ -0,0 +1,23 @@
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-production
+  namespace: cert-manager
+spec:
+  acme:
+    server: https://acme-v02.api.letsencrypt.org/directory
+    email: liam@fascinated.cc
+    privateKeySecretRef:
+      name: letsencrypt-production
+    solvers:
+      - dns01:
+          cloudflare:
+            email: liam@fascinated.cc
+            apiTokenSecretRef:
+              name: cloudflare-token-secret
+              key: cloudflare-token
+        selector:
+          dnsZones:
+            - "fascinated.cc"
+            - "mcutils.xyz"
--- a/apps/production/cert-manager/kustomization.yaml
+++ b/apps/production/cert-manager/kustomization.yaml
@ -0,0 +1,8 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: cert-manager
+resources:
+  - namespace.yaml
+  - certificates/*.yaml
+  - issuers.yaml
--- a/apps/production/cert-manager/namespace.yaml
+++ b/apps/production/cert-manager/namespace.yaml
@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: cert-manager
--- a/apps/production/traefik/kustomization.yaml
+++ b/apps/production/traefik/kustomization.yaml
@ -4,7 +4,6 @@ kind: Kustomization
 namespace: traefik-production
 resources:
  - namespace.yaml
-  - ../../base/traefik
-
-patchesStrategicMerge:
-  - traefik-patch.yaml
+  - rbac.yaml
+  - traefik.yaml
+  - service.yaml
--- a/apps/production/traefik/rbac.yaml
+++ b/apps/production/traefik/rbac.yaml
--- a/apps/production/traefik/service.yaml
+++ b/apps/production/traefik/service.yaml
@ -12,7 +12,6 @@ spec:
    app.kubernetes.io/name: traefik
  type: LoadBalancer
  loadBalancerIP: 10.0.69.250
-  externalTrafficPolicy: Local
  ports:
    - port: 80
      name: web
--- a/apps/production/traefik/traefik-patch.yaml
+++ b/apps/production/traefik/traefik-patch.yaml
@ -1,23 +0,0 @@
---
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: traefik
-spec:
-  template:
-    spec:
-      containers:
-        - name: traefik
-          args:
-            - "--entryPoints.web.address=:8000/tcp"
-            - "--entryPoints.websecure.address=:8443/tcp"
-            - "--ping=true"
-            - "--global.sendanonymoususage=false"
-            - "--global.checknewversion=false"
-            - "--serversTransport.insecureSkipVerify=true"
-            - "--log.level=INFO"
-            - "--providers.kubernetescrd"
-            - "--providers.kubernetescrd.allowCrossNamespace=true"
-            - "--providers.kubernetescrd.allowExternalNameServices=true"
-            - "--providers.kubernetesingress.allowCrossNamespace=true"
-            - "--providers.kubernetesingress.allowExternalNameServices=true"
--- a/apps/production/traefik/traefik.yaml
+++ b/apps/production/traefik/traefik.yaml
@ -26,11 +26,16 @@ spec:
          args:
            - "--entryPoints.web.address=:8000/tcp"
            - "--entryPoints.websecure.address=:8443/tcp"
-            - "--api=true"
-            - "--api.dashboard=true"
            - "--ping=true"
+            - "--global.sendanonymoususage=false"
+            - "--global.checknewversion=false"
+            - "--serversTransport.insecureSkipVerify=true"
+            - "--log.level=INFO"
            - "--providers.kubernetescrd"
            - "--providers.kubernetescrd.allowCrossNamespace=true"
+            - "--providers.kubernetescrd.allowExternalNameServices=true"
+            - "--providers.kubernetesingress.allowCrossNamespace=true"
+            - "--providers.kubernetesingress.allowExternalNameServices=true"
          readinessProbe:
            httpGet:
              path: /ping