SeanOMik
/
k3s-cluster
1
0
Fork 0
Code Issues 2 Pull Requests 33 Packages Projects Releases Wiki Activity

Create a wildcard cert with cert-manager and replicate with kubernetes-replicator

This commit is contained in:
SeanOMik 2023-04-13 00:52:05 -04:00
parent 5e0d596da7
commit 1ac757aca4
Signed by: SeanOMik
GPG Key ID: 568F326C7EB33ACB
14 changed files with 111 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
cluster/core/cert-manager/cloudflare-cred.sops.yaml
View File

@ -5,7 +5,7 @@ metadata:
namespace: cert-manager namespace: cert-manager
type: Opaque type: Opaque
stringData: stringData:
api-token: ENC[AES256_GCM,data:qA+gnSJHnGx+4IpoAHVzMx2oDfYl9n4cgK9TTEABynDITUYUSkxgnw==,iv:sumwgvvxupp+aDfbS0QrOgLIV5ncivO8dh9sWzZkROI=,tag:c2nOAIZPD1XMEozPNFoayQ==,type:str] api-token: ENC[AES256_GCM,data:UDkGVrLnMC6LvGmkkp9q+oMVTinYOgz/MArlXMWegGlyRM7Yt/fmaw==,iv:yZ/wrJOvHosLcdZRwGPrDZBBgbgKtNbVZsqauFo0VoM=,tag:eNoU5sGm1xWbVy+BMG1C3A==,type:str]
email: ENC[AES256_GCM,data:hd9vZ3ubTLMxJbbR38LjGHQQ,iv:9BvLfefAvzjd1aGLaTe/U3R1NLw/gdeNMF0yu/kDRH8=,tag:V40IrOkyTuUVawrl03p+qw==,type:str] email: ENC[AES256_GCM,data:hd9vZ3ubTLMxJbbR38LjGHQQ,iv:9BvLfefAvzjd1aGLaTe/U3R1NLw/gdeNMF0yu/kDRH8=,tag:V40IrOkyTuUVawrl03p+qw==,type:str]
sops: sops:
kms: [] kms: []
@ -13,8 +13,8 @@ sops:
azure_kv: [] azure_kv: []
hc_vault: [] hc_vault: []
age: [] age: []
lastmodified: "2023-04-05T02:16:12Z" lastmodified: "2023-04-13T02:13:59Z"
mac: ENC[AES256_GCM,data:DiCXc5CB3mjhM4EsnOWgPYlCyGOU+J1LNSNZ2dbisOy945G/9usANnljLu30gk0KE9TYyMeVxj2mHvp8Q05TgRJwU8g9sJvD2GEqokWxuVPpaWxK/CG7KEBLRGtdcpt8++vulT3/Npo4EwQsqIFzVreIOJ17kBpBtTTJZ51O+Ms=,iv:B1/NVCvx0SnC6k50TeLlyhi4z6cUHGff0R/+WMdGDEA=,tag:8C68isdbGpXuyGJFsnQkDA==,type:str] mac: ENC[AES256_GCM,data:Fh2L1VgWrJ8YZz/+TLcwzbc10WF2zPaFZ7QqCwOv2QQmPEH1Nf37Vvzm6dsVpeVW1GnL8/8bK7bnE9c9p4cRaBs2iYeypuBqILTce/3bd7Ml8fMNeORzPdfCbDrRy8KgdLcKzxJ3M2dTlp9U9RF0jqKhGANav7LX0DwarB4d0iE=,iv:rMvOeb+es19b88KD6F9IBGY572TnyIvVXh/gUw2rB3c=,tag:evCsvh/BHsIX27WvtjXKGQ==,type:str]
pgp: pgp:
- created_at: "2023-04-05T02:16:11Z" - created_at: "2023-04-05T02:16:11Z"
enc: | enc: |

22
cluster/core/cert-manager/helm-release.yaml
View File

@ -15,14 +15,14 @@ spec:
namespace: flux-system namespace: flux-system
values: values:
installCRDs: false installCRDs: false
webhook: # webhook:
enabled: true # enabled: true
extraArgs: # extraArgs:
- --dns01-recursive-nameservers=1.1.1.1:53,9.9.9.9:53 # - --dns01-recursive-nameservers=1.1.1.1:53,9.9.9.9:53
- --dns01-recursive-nameservers-only # - --dns01-recursive-nameservers-only
replicaCount: 1 # replicaCount: 1
podDnsPolicy: "None" # podDnsPolicy: "None"
podDnsConfig: # podDnsConfig:
nameservers: # nameservers:
- "1.1.1.1" # - "1.1.1.1"
- "9.9.9.9" # - "9.9.9.9"

2
cluster/core/cert-manager/kustomization.yaml
View File

@ -7,4 +7,4 @@ resources:
- ./helm-release.yaml - ./helm-release.yaml
- ./letsencrypt-prod.yaml - ./letsencrypt-prod.yaml
- ./letsencrypt-stage.yaml - ./letsencrypt-stage.yaml
#- ./dashboard-ingress.yaml - ./wildcard-cert.yaml

4
cluster/core/cert-manager/letsencrypt-prod.yaml
View File

@ -17,8 +17,8 @@ spec:
cloudflare: cloudflare:
email: "${SECRET_MY_EMAIL}" email: "${SECRET_MY_EMAIL}"
apiTokenSecretRef: apiTokenSecretRef:
name: cloudflare-api-token-secret name: cloudflare-credentials
key: api-token key: api-token
selector: selector:
dnsZones: dnsZones:
- "***REMOVED***" - "${SECRET_NEW_DOMAIN}"

4
cluster/core/cert-manager/letsencrypt-stage.yaml
View File

@ -17,8 +17,8 @@ spec:
cloudflare: cloudflare:
email: "${SECRET_MY_EMAIL}" email: "${SECRET_MY_EMAIL}"
apiTokenSecretRef: apiTokenSecretRef:
name: cloudflare-api-token-secret name: cloudflare-credentials
key: api-token key: api-token
selector: selector:
dnsZones: dnsZones:
- "***REMOVED***" - "${SECRET_NEW_DOMAIN}"

22
cluster/core/cert-manager/wildcard-cert.yaml Normal file
View File

@ -0,0 +1,22 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: wildcard-main-cert
namespace: cert-manager
spec:
secretName: wildcard-main-tls
secretTemplate:
annotations:
replicator.v1.mittwald.de/replicate-to: "traefik"
duration: 2160h # 90d
renewBefore: 360h # 15d
issuerRef:
name: letsencrypt-staging
kind: ClusterIssuer
dnsNames:
- "*.${SECRET_NEW_DOMAIN}"
- "*.k3s.${SECRET_NEW_DOMAIN}"

16
cluster/core/kube-replicator/helm-release.yaml Normal file
View File

@ -0,0 +1,16 @@
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: kube-replicator
namespace: kube-replicator
spec:
interval: 5m
chart:
spec:
chart: kubernetes-replicator
version: '2.7.x'
sourceRef:
kind: HelmRepository
name: mittwald-charts
namespace: flux-system
interval: 1m

8
cluster/core/kube-replicator/helm-repository.yaml Normal file
View File

@ -0,0 +1,8 @@
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: mittwald-charts
namespace: flux-system
spec:
interval: 1m
url: https://helm.mittwald.de

6
cluster/core/kube-replicator/kustomization.yaml Normal file
View File

@ -0,0 +1,6 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./namespace.yaml
- ./helm-release.yaml
- ./helm-repository.yaml

4
cluster/core/kube-replicator/namespace.yaml Normal file
View File

@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: kube-replicator

1
cluster/core/kustomization.yaml
View File

@ -5,3 +5,4 @@ resources:
- ./cert-manager - ./cert-manager
- ./networking - ./networking
- ./storage - ./storage
- ./kube-replicator

25
cluster/core/networking/traefik/dashboard-ingress.yaml Normal file
View File

@ -0,0 +1,25 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: traefik-dash-ingress
namespace: traefik
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.middlewares: traefik-authentik@kubernetescrd
spec:
rules:
- host: "traefik.${SECRET_DOMAIN}"
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: traefik
port:
number: 9000
tls:
- hosts:
- "${SECRET_DOMAIN}"
- "traefik.${SECRET_DOMAIN}"
secretName: wildcard-main-tls

14
cluster/core/networking/traefik/helm-release.yaml
View File

@ -84,12 +84,14 @@ spec:
# Disable Dashboard # Disable Dashboard
ingressRoute: ingressRoute:
dashboard: dashboard:
enabled: true enabled: false
annotations: # annotations:
cert-manager.io/cluster-issuer: "letsencrypt-production" # cert-manager.io/cluster-issuer: "letsencrypt-production"
traefik.ingress.kubernetes.io/router.middlewares: "traefik-authentik@kubernetescrd" # entryPoints:
entryPoints: [ "websecure" ] # - websecure
matchRule: Host(`traefik.${SECRET_DOMAIN}`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`)) # middlewares:
# - traefik-authentik@kubernetescrd
# matchRule: Host(`traefik.${SECRET_DOMAIN}`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
# Set Traefik as your default Ingress Controller, according to Kubernetes 1.19+ changes. # Set Traefik as your default Ingress Controller, according to Kubernetes 1.19+ changes.
ingressClass: ingressClass:

1
cluster/core/networking/traefik/kustomization.yaml
View File

@ -4,3 +4,4 @@ resources:
- ./namespace.yaml - ./namespace.yaml
- ./helm-repository.yaml - ./helm-repository.yaml
- ./helm-release.yaml - ./helm-release.yaml
- ./dashboard-ingress.yaml