From 1ac757aca44fb38048cf257841ee796ceffa3af3 Mon Sep 17 00:00:00 2001
From: SeanOMik
Date: Thu, 13 Apr 2023 00:52:05 -0400
Subject: [PATCH] Create a wildcard cert with cert-manager and replicate with kubernetes-replicator
---
 .../cert-manager/cloudflare-cred.sops.yaml | 6 ++---
 cluster/core/cert-manager/helm-release.yaml | 22 ++++++++--------
 cluster/core/cert-manager/kustomization.yaml | 2 +-
 .../core/cert-manager/letsencrypt-prod.yaml | 4 +--
 .../core/cert-manager/letsencrypt-stage.yaml | 4 +--
 cluster/core/cert-manager/wildcard-cert.yaml | 22 ++++++++++++++++
 .../core/kube-replicator/helm-release.yaml | 16 ++++++++++++
 .../core/kube-replicator/helm-repository.yaml | 8 ++++++
 .../core/kube-replicator/kustomization.yaml | 6 +++++
 cluster/core/kube-replicator/namespace.yaml | 4 +++
 cluster/core/kustomization.yaml | 3 ++-
 .../networking/traefik/dashboard-ingress.yaml | 25 +++++++++++++++++++
 .../core/networking/traefik/helm-release.yaml | 14 ++++++-----
 .../networking/traefik/kustomization.yaml | 1 +
 14 files changed, 111 insertions(+), 26 deletions(-)
 create mode 100644 cluster/core/cert-manager/wildcard-cert.yaml
 create mode 100644 cluster/core/kube-replicator/helm-release.yaml
 create mode 100644 cluster/core/kube-replicator/helm-repository.yaml
 create mode 100644 cluster/core/kube-replicator/kustomization.yaml
 create mode 100644 cluster/core/kube-replicator/namespace.yaml
 create mode 100644 cluster/core/networking/traefik/dashboard-ingress.yaml
diff --git a/cluster/core/cert-manager/cloudflare-cred.sops.yaml b/cluster/core/cert-manager/cloudflare-cred.sops.yaml
index d91418e..8b795f2 100644
--- a/cluster/core/cert-manager/cloudflare-cred.sops.yaml
+++ b/cluster/core/cert-manager/cloudflare-cred.sops.yaml
@@ -5,7 +5,7 @@ metadata:
 namespace: cert-manager
 type: Opaque
 stringData:
- api-token: ENC[AES256_GCM,data:qA+gnSJHnGx+4IpoAHVzMx2oDfYl9n4cgK9TTEABynDITUYUSkxgnw==,iv:sumwgvvxupp+aDfbS0QrOgLIV5ncivO8dh9sWzZkROI=,tag:c2nOAIZPD1XMEozPNFoayQ==,type:str]
+ api-token: ENC[AES256_GCM,data:UDkGVrLnMC6LvGmkkp9q+oMVTinYOgz/MArlXMWegGlyRM7Yt/fmaw==,iv:yZ/wrJOvHosLcdZRwGPrDZBBgbgKtNbVZsqauFo0VoM=,tag:eNoU5sGm1xWbVy+BMG1C3A==,type:str]
 email: ENC[AES256_GCM,data:hd9vZ3ubTLMxJbbR38LjGHQQ,iv:9BvLfefAvzjd1aGLaTe/U3R1NLw/gdeNMF0yu/kDRH8=,tag:V40IrOkyTuUVawrl03p+qw==,type:str]
 sops:
 kms: []
@@ -13,8 +13,8 @@ sops:
 azure_kv: []
 hc_vault: []
 age: []
- lastmodified: "2023-04-05T02:16:12Z"
- mac: ENC[AES256_GCM,data:DiCXc5CB3mjhM4EsnOWgPYlCyGOU+J1LNSNZ2dbisOy945G/9usANnljLu30gk0KE9TYyMeVxj2mHvp8Q05TgRJwU8g9sJvD2GEqokWxuVPpaWxK/CG7KEBLRGtdcpt8++vulT3/Npo4EwQsqIFzVreIOJ17kBpBtTTJZ51O+Ms=,iv:B1/NVCvx0SnC6k50TeLlyhi4z6cUHGff0R/+WMdGDEA=,tag:8C68isdbGpXuyGJFsnQkDA==,type:str]
+ lastmodified: "2023-04-13T02:13:59Z"
+ mac: ENC[AES256_GCM,data:Fh2L1VgWrJ8YZz/+TLcwzbc10WF2zPaFZ7QqCwOv2QQmPEH1Nf37Vvzm6dsVpeVW1GnL8/8bK7bnE9c9p4cRaBs2iYeypuBqILTce/3bd7Ml8fMNeORzPdfCbDrRy8KgdLcKzxJ3M2dTlp9U9RF0jqKhGANav7LX0DwarB4d0iE=,iv:rMvOeb+es19b88KD6F9IBGY572TnyIvVXh/gUw2rB3c=,tag:evCsvh/BHsIX27WvtjXKGQ==,type:str]
 pgp:
 - created_at: "2023-04-05T02:16:11Z"
 enc: |
diff --git a/cluster/core/cert-manager/helm-release.yaml b/cluster/core/cert-manager/helm-release.yaml
index 8b238f2..e5a02ba 100644
--- a/cluster/core/cert-manager/helm-release.yaml
+++ b/cluster/core/cert-manager/helm-release.yaml
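Review bot: The commit description does not say whether the Cloudflare token behind `api-token` was actually rotated or the file was only re-saved; sops re-encrypts every value on edit, so the changed ciphertext and `lastmodified` alone cannot distinguish the two. If it was rotated, the superseded token should be revoked at Cloudflare, because the old ciphertext stays in git history. The ClusterIssuers in this commit now look the Secret up as `cloudflare-credentials`, and this Secret's `metadata.name` is above the hunk, so confirm the two agree or DNS-01 solving will fail on a missing secret. The `email` field is only needed for a Global API key, not for a scoped API token, so it can presumably be dropped here and from the issuers.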
@@ -15,14 +15,14 @@ spec:
 namespace: flux-system
 values:
 installCRDs: false
- webhook:
- enabled: true
- extraArgs:
- - --dns01-recursive-nameservers=1.1.1.1:53,9.9.9.9:53
- - --dns01-recursive-nameservers-only
- replicaCount: 1
- podDnsPolicy: "None"
- podDnsConfig:
- nameservers:
- - "1.1.1.1"
- - "9.9.9.9"
\ No newline at end of file
+# webhook:
+# enabled: true
+# extraArgs:
+# - --dns01-recursive-nameservers=1.1.1.1:53,9.9.9.9:53
+# - --dns01-recursive-nameservers-only
+# replicaCount: 1
+# podDnsPolicy: "None"
+# podDnsConfig:
+# nameservers:
+# - "1.1.1.1"
+# - "9.9.9.9"
\ No newline at end of file
diff --git a/cluster/core/cert-manager/kustomization.yaml b/cluster/core/cert-manager/kustomization.yaml
index 4ce6ec5..7589521 100644
--- a/cluster/core/cert-manager/kustomization.yaml
+++ b/cluster/core/cert-manager/kustomization.yaml
@@ -7,4 +7,4 @@ resources:
 - ./helm-release.yaml
 - ./letsencrypt-prod.yaml
 - ./letsencrypt-stage.yaml
-#- ./dashboard-ingress.yaml
+- ./wildcard-cert.yaml
\ No newline at end of file
diff --git a/cluster/core/cert-manager/letsencrypt-prod.yaml b/cluster/core/cert-manager/letsencrypt-prod.yaml
index 84fbc43..cff18c2 100644
--- a/cluster/core/cert-manager/letsencrypt-prod.yaml
+++ b/cluster/core/cert-manager/letsencrypt-prod.yaml
@@ -17,8 +17,8 @@ spec:
 cloudflare:
 email: "${SECRET_MY_EMAIL}"
 apiTokenSecretRef:
- name: cloudflare-api-token-secret
+ name: cloudflare-credentials
 key: api-token
 selector:
 dnsZones:
- - "***REMOVED***"
\ No newline at end of file
+ - "${SECRET_NEW_DOMAIN}"
\ No newline at end of file
diff --git a/cluster/core/cert-manager/letsencrypt-stage.yaml b/cluster/core/cert-manager/letsencrypt-stage.yaml
index 4c6224a..63b7f44 100644
--- a/cluster/core/cert-manager/letsencrypt-stage.yaml
+++ b/cluster/core/cert-manager/letsencrypt-stage.yaml
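Review bot: Commenting out the `webhook:` block drops `--dns01-recursive-nameservers` and the explicit pod DNS config, so the DNS-01 self-check for the new wildcard Certificate will now go through the cluster resolver; if that resolver serves a split-horizon view of `${SECRET_NEW_DOMAIN}`, cert-manager may never observe the `_acme-challenge` TXT record and the order will stall. If the block was disabled because it had no effect, a plausible reason is that these are controller settings: in the cert-manager chart, `extraArgs`, `podDnsPolicy` and `podDnsConfig` at the top level of `values` configure the controller, while copies under `webhook:` only affect the webhook pod — confirm against the chart's values.yaml before deleting them for good. A commented-out block with no explanation is hard to maintain; either delete it or move it to the top level with a `# controller-only: resolvers used for the DNS-01 self-check` comment. Every file in this commit ends with `\ No newline at end of file`; adding the final newline now avoids a noisy diff on the next edit.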
@@ -17,8 +17,8 @@ spec:
 cloudflare:
 email: "${SECRET_MY_EMAIL}"
 apiTokenSecretRef:
- name: cloudflare-api-token-secret
+ name: cloudflare-credentials
 key: api-token
 selector:
 dnsZones:
- - "***REMOVED***"
\ No newline at end of file
+ - "${SECRET_NEW_DOMAIN}"
\ No newline at end of file
diff --git a/cluster/core/cert-manager/wildcard-cert.yaml b/cluster/core/cert-manager/wildcard-cert.yaml
new file mode 100644
index 0000000..58ceafe
--- /dev/null
+++ b/cluster/core/cert-manager/wildcard-cert.yaml
@@ -0,0 +1,22 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: wildcard-main-cert
+ namespace: cert-manager
+spec:
+ secretName: wildcard-main-tls
+
+ secretTemplate:
+ annotations:
+ replicator.v1.mittwald.de/replicate-to: "traefik"
+
+ duration: 2160h # 90d
+ renewBefore: 360h # 15d
+
+ issuerRef:
+ name: letsencrypt-staging
+ kind: ClusterIssuer
+
+ dnsNames:
+ - "*.${SECRET_NEW_DOMAIN}"
+ - "*.k3s.${SECRET_NEW_DOMAIN}"
\ No newline at end of file
diff --git a/cluster/core/kube-replicator/helm-release.yaml b/cluster/core/kube-replicator/helm-release.yaml
new file mode 100644
index 0000000..301eac2
--- /dev/null
+++ b/cluster/core/kube-replicator/helm-release.yaml
@@ -0,0 +1,16 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: kube-replicator
+ namespace: kube-replicator
+spec:
+ interval: 5m
+ chart:
+ spec:
+ chart: kubernetes-replicator
+ version: '2.7.x'
+ sourceRef:
+ kind: HelmRepository
+ name: mittwald-charts
+ namespace: flux-system
+ interval: 1m
\ No newline at end of file
diff --git a/cluster/core/kube-replicator/helm-repository.yaml b/cluster/core/kube-replicator/helm-repository.yaml
new file mode 100644
index 0000000..eafa99b
--- /dev/null
+++ b/cluster/core/kube-replicator/helm-repository.yaml
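Review bot: `issuerRef.name: letsencrypt-staging` in wildcard-cert.yaml means `wildcard-main-tls` will hold a Let's Encrypt staging certificate, which browsers and most clients reject, yet dashboard-ingress.yaml in this same commit serves that secret on `traefik.${SECRET_DOMAIN}`; switch to `letsencrypt-production` once the staging order succeeds, or add `# staging on purpose: test issuance, not trusted by clients` above `issuerRef`. The `dnsNames` use `${SECRET_NEW_DOMAIN}` while the ingress host and `tls.hosts` use `${SECRET_DOMAIN}`; if those two substitutions differ, the replicated certificate will not match the host and Traefik will fall back to its default certificate, and a `*.domain` name never covers the apex `${SECRET_DOMAIN}` that the ingress lists anyway. The `replicate-to: "traefik"` annotation copies the whole Secret, private key included, into the `traefik` namespace, and kubernetes-replicator needs cluster-wide Secret write access to do that; note this trust boundary in the file, e.g. `# private key is pushed to the traefik namespace by kubernetes-replicator`, so the scope of that RBAC is reviewed alongside the certificate.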
@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+ name: mittwald-charts
+ namespace: flux-system
+spec:
+ interval: 1m
+ url: https://helm.mittwald.de
\ No newline at end of file
diff --git a/cluster/core/kube-replicator/kustomization.yaml b/cluster/core/kube-replicator/kustomization.yaml
new file mode 100644
index 0000000..ae13c79
--- /dev/null
+++ b/cluster/core/kube-replicator/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./namespace.yaml
+- ./helm-release.yaml
+- ./helm-repository.yaml
\ No newline at end of file
diff --git a/cluster/core/kube-replicator/namespace.yaml b/cluster/core/kube-replicator/namespace.yaml
new file mode 100644
index 0000000..a09247b
--- /dev/null
+++ b/cluster/core/kube-replicator/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: kube-replicator
\ No newline at end of file
diff --git a/cluster/core/kustomization.yaml b/cluster/core/kustomization.yaml
index 12ab434..c01b427 100644
--- a/cluster/core/kustomization.yaml
+++ b/cluster/core/kustomization.yaml
@@ -4,4 +4,5 @@ resources:
 - ./helm-repositories.yaml
 - ./cert-manager
 - ./networking
-- ./storage
\ No newline at end of file
+- ./storage
+- ./kube-replicator
\ No newline at end of file
diff --git a/cluster/core/networking/traefik/dashboard-ingress.yaml b/cluster/core/networking/traefik/dashboard-ingress.yaml
new file mode 100644
index 0000000..c6b4a16
--- /dev/null
+++ b/cluster/core/networking/traefik/dashboard-ingress.yaml
@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: traefik-dash-ingress
+ namespace: traefik
+ annotations:
+ traefik.ingress.kubernetes.io/router.entrypoints: websecure
+ traefik.ingress.kubernetes.io/router.middlewares: traefik-authentik@kubernetescrd
+spec:
+ rules:
+ - host: "traefik.${SECRET_DOMAIN}"
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: traefik
+ port:
+ number: 9000
+ tls:
+ - hosts:
+ - "${SECRET_DOMAIN}"
+ - "traefik.${SECRET_DOMAIN}"
+ secretName: wildcard-main-tls
\ No newline at end of file
diff --git a/cluster/core/networking/traefik/helm-release.yaml b/cluster/core/networking/traefik/helm-release.yaml
index 8a7963e..7c393fa 100644
--- a/cluster/core/networking/traefik/helm-release.yaml
+++ b/cluster/core/networking/traefik/helm-release.yaml
@@ -84,12 +84,14 @@ spec:
 # Disable Dashboard
 ingressRoute:
 dashboard:
- enabled: true
- annotations:
- cert-manager.io/cluster-issuer: "letsencrypt-production"
- traefik.ingress.kubernetes.io/router.middlewares: "traefik-authentik@kubernetescrd"
- entryPoints: [ "websecure" ]
- matchRule: Host(`traefik.${SECRET_DOMAIN}`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
+ enabled: false
+# annotations:
+# cert-manager.io/cluster-issuer: "letsencrypt-production"
+# entryPoints:
+# - websecure
+# middlewares:
+# - traefik-authentik@kubernetescrd
+# matchRule: Host(`traefik.${SECRET_DOMAIN}`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
 
 # Set Traefik as your default Ingress Controller, according to Kubernetes 1.19+ changes.
 ingressClass:
diff --git a/cluster/core/networking/traefik/kustomization.yaml b/cluster/core/networking/traefik/kustomization.yaml
index ba84a55..191a565 100644
--- a/cluster/core/networking/traefik/kustomization.yaml
+++ b/cluster/core/networking/traefik/kustomization.yaml
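Review bot: The backend `service: traefik` / `port: number: 9000` in dashboard-ingress.yaml points at the chart's own Service, which by default publishes only the entrypoints marked `expose: true` (web and websecure); the `traefik` entrypoint on 9000 is not exposed unless `ports.traefik.expose` is enabled in the HelmRelease values, and even when it is, that port serves the API and dashboard only with `--api.insecure=true`, otherwise the dashboard is reachable solely through the `api@internal` TraefikService the disabled IngressRoute used — confirm against the rendered Service before relying on this Ingress. `path: /` with `pathType: Prefix` is also wider than the `/dashboard` and `/api` match the removed IngressRoute had; two `path` entries for those prefixes keep `/ping` and anything else on that entrypoint off the public host. If the IngressRoute was disabled only to change where the certificate comes from, re-enabling it with `tls: {secretName: wildcard-main-tls}` keeps the authentik middleware and the narrow match rule while still using the replicated secret.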
@@ -4,3 +4,4 @@ resources:
 - ./namespace.yaml
 - ./helm-repository.yaml
 - ./helm-release.yaml
+- ./dashboard-ingress.yaml
\ No newline at end of file