Create a wildcard cert with cert-manager and replicate with kubernetes-replicator
This commit is contained in:
parent
5e0d596da7
commit
1ac757aca4
GPG Key ID:
568F326C7EB33ACB
|
|
@ -5,7 +5,7 @@ metadata:
|
||||||
namespace: cert-manager
|
namespace: cert-manager
|
||||||
type: Opaque
|
type: Opaque
|
||||||
stringData:
|
stringData:
|
||||||
api-token: ENC[AES256_GCM,data:qA+gnSJHnGx+4IpoAHVzMx2oDfYl9n4cgK9TTEABynDITUYUSkxgnw==,iv:sumwgvvxupp+aDfbS0QrOgLIV5ncivO8dh9sWzZkROI=,tag:c2nOAIZPD1XMEozPNFoayQ==,type:str]
|
api-token: ENC[AES256_GCM,data:UDkGVrLnMC6LvGmkkp9q+oMVTinYOgz/MArlXMWegGlyRM7Yt/fmaw==,iv:yZ/wrJOvHosLcdZRwGPrDZBBgbgKtNbVZsqauFo0VoM=,tag:eNoU5sGm1xWbVy+BMG1C3A==,type:str]
|
||||||
email: ENC[AES256_GCM,data:hd9vZ3ubTLMxJbbR38LjGHQQ,iv:9BvLfefAvzjd1aGLaTe/U3R1NLw/gdeNMF0yu/kDRH8=,tag:V40IrOkyTuUVawrl03p+qw==,type:str]
|
email: ENC[AES256_GCM,data:hd9vZ3ubTLMxJbbR38LjGHQQ,iv:9BvLfefAvzjd1aGLaTe/U3R1NLw/gdeNMF0yu/kDRH8=,tag:V40IrOkyTuUVawrl03p+qw==,type:str]
|
||||||
sops:
|
sops:
|
||||||
kms: []
|
kms: []
|
||||||
|
|
@ -13,8 +13,8 @@ sops:
|
||||||
azure_kv: []
|
azure_kv: []
|
||||||
hc_vault: []
|
hc_vault: []
|
||||||
age: []
|
age: []
|
||||||
lastmodified: "2023-04-05T02:16:12Z"
|
lastmodified: "2023-04-13T02:13:59Z"
|
||||||
mac: ENC[AES256_GCM,data:DiCXc5CB3mjhM4EsnOWgPYlCyGOU+J1LNSNZ2dbisOy945G/9usANnljLu30gk0KE9TYyMeVxj2mHvp8Q05TgRJwU8g9sJvD2GEqokWxuVPpaWxK/CG7KEBLRGtdcpt8++vulT3/Npo4EwQsqIFzVreIOJ17kBpBtTTJZ51O+Ms=,iv:B1/NVCvx0SnC6k50TeLlyhi4z6cUHGff0R/+WMdGDEA=,tag:8C68isdbGpXuyGJFsnQkDA==,type:str]
|
mac: ENC[AES256_GCM,data:Fh2L1VgWrJ8YZz/+TLcwzbc10WF2zPaFZ7QqCwOv2QQmPEH1Nf37Vvzm6dsVpeVW1GnL8/8bK7bnE9c9p4cRaBs2iYeypuBqILTce/3bd7Ml8fMNeORzPdfCbDrRy8KgdLcKzxJ3M2dTlp9U9RF0jqKhGANav7LX0DwarB4d0iE=,iv:rMvOeb+es19b88KD6F9IBGY572TnyIvVXh/gUw2rB3c=,tag:evCsvh/BHsIX27WvtjXKGQ==,type:str]
|
||||||
pgp:
|
pgp:
|
||||||
- created_at: "2023-04-05T02:16:11Z"
|
- created_at: "2023-04-05T02:16:11Z"
|
||||||
enc: |
|
enc: |
|
||||||
|
|
|
||||||
|
|
@ -15,14 +15,14 @@ spec:
|
||||||
namespace: flux-system
|
namespace: flux-system
|
||||||
values:
|
values:
|
||||||
installCRDs: false
|
installCRDs: false
|
||||||
webhook:
|
# webhook:
|
||||||
enabled: true
|
# enabled: true
|
||||||
extraArgs:
|
# extraArgs:
|
||||||
- --dns01-recursive-nameservers=1.1.1.1:53,9.9.9.9:53
|
# - --dns01-recursive-nameservers=1.1.1.1:53,9.9.9.9:53
|
||||||
- --dns01-recursive-nameservers-only
|
# - --dns01-recursive-nameservers-only
|
||||||
replicaCount: 1
|
# replicaCount: 1
|
||||||
podDnsPolicy: "None"
|
# podDnsPolicy: "None"
|
||||||
podDnsConfig:
|
# podDnsConfig:
|
||||||
nameservers:
|
# nameservers:
|
||||||
- "1.1.1.1"
|
# - "1.1.1.1"
|
||||||
- "9.9.9.9"
|
# - "9.9.9.9"
|
||||||
|
|
@ -7,4 +7,4 @@ resources:
|
||||||
- ./helm-release.yaml
|
- ./helm-release.yaml
|
||||||
- ./letsencrypt-prod.yaml
|
- ./letsencrypt-prod.yaml
|
||||||
- ./letsencrypt-stage.yaml
|
- ./letsencrypt-stage.yaml
|
||||||
#- ./dashboard-ingress.yaml
|
- ./wildcard-cert.yaml
|
||||||
|
|
@ -17,8 +17,8 @@ spec:
|
||||||
cloudflare:
|
cloudflare:
|
||||||
email: "${SECRET_MY_EMAIL}"
|
email: "${SECRET_MY_EMAIL}"
|
||||||
apiTokenSecretRef:
|
apiTokenSecretRef:
|
||||||
name: cloudflare-api-token-secret
|
name: cloudflare-credentials
|
||||||
key: api-token
|
key: api-token
|
||||||
selector:
|
selector:
|
||||||
dnsZones:
|
dnsZones:
|
||||||
- "***REMOVED***"
|
- "${SECRET_NEW_DOMAIN}"
|
||||||
|
|
@ -17,8 +17,8 @@ spec:
|
||||||
cloudflare:
|
cloudflare:
|
||||||
email: "${SECRET_MY_EMAIL}"
|
email: "${SECRET_MY_EMAIL}"
|
||||||
apiTokenSecretRef:
|
apiTokenSecretRef:
|
||||||
name: cloudflare-api-token-secret
|
name: cloudflare-credentials
|
||||||
key: api-token
|
key: api-token
|
||||||
selector:
|
selector:
|
||||||
dnsZones:
|
dnsZones:
|
||||||
- "***REMOVED***"
|
- "${SECRET_NEW_DOMAIN}"
|
||||||
|
|
@ -0,0 +1,22 @@
|
||||||
|
apiVersion: cert-manager.io/v1
|
||||||
|
kind: Certificate
|
||||||
|
metadata:
|
||||||
|
name: wildcard-main-cert
|
||||||
|
namespace: cert-manager
|
||||||
|
spec:
|
||||||
|
secretName: wildcard-main-tls
|
||||||
|
|
||||||
|
secretTemplate:
|
||||||
|
annotations:
|
||||||
|
replicator.v1.mittwald.de/replicate-to: "traefik"
|
||||||
|
|
||||||
|
duration: 2160h # 90d
|
||||||
|
renewBefore: 360h # 15d
|
||||||
|
|
||||||
|
issuerRef:
|
||||||
|
name: letsencrypt-staging
|
||||||
|
kind: ClusterIssuer
|
||||||
|
|
||||||
|
dnsNames:
|
||||||
|
- "*.${SECRET_NEW_DOMAIN}"
|
||||||
|
- "*.k3s.${SECRET_NEW_DOMAIN}"
|
||||||
|
|
@ -0,0 +1,16 @@
|
||||||
|
apiVersion: helm.toolkit.fluxcd.io/v2beta1
|
||||||
|
kind: HelmRelease
|
||||||
|
metadata:
|
||||||
|
name: kube-replicator
|
||||||
|
namespace: kube-replicator
|
||||||
|
spec:
|
||||||
|
interval: 5m
|
||||||
|
chart:
|
||||||
|
spec:
|
||||||
|
chart: kubernetes-replicator
|
||||||
|
version: '2.7.x'
|
||||||
|
sourceRef:
|
||||||
|
kind: HelmRepository
|
||||||
|
name: mittwald-charts
|
||||||
|
namespace: flux-system
|
||||||
|
interval: 1m
|
||||||
|
|
@ -0,0 +1,8 @@
|
||||||
|
apiVersion: source.toolkit.fluxcd.io/v1beta2
|
||||||
|
kind: HelmRepository
|
||||||
|
metadata:
|
||||||
|
name: mittwald-charts
|
||||||
|
namespace: flux-system
|
||||||
|
spec:
|
||||||
|
interval: 1m
|
||||||
|
url: https://helm.mittwald.de
|
||||||
|
|
@ -0,0 +1,6 @@
|
||||||
|
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||||
|
kind: Kustomization
|
||||||
|
resources:
|
||||||
|
- ./namespace.yaml
|
||||||
|
- ./helm-release.yaml
|
||||||
|
- ./helm-repository.yaml
|
||||||
|
|
@ -0,0 +1,4 @@
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Namespace
|
||||||
|
metadata:
|
||||||
|
name: kube-replicator
|
||||||
|
|
@ -4,4 +4,5 @@ resources:
|
||||||
- ./helm-repositories.yaml
|
- ./helm-repositories.yaml
|
||||||
- ./cert-manager
|
- ./cert-manager
|
||||||
- ./networking
|
- ./networking
|
||||||
- ./storage
|
- ./storage
|
||||||
|
- ./kube-replicator
|
||||||
|
|
@ -0,0 +1,25 @@
|
||||||
|
apiVersion: networking.k8s.io/v1
|
||||||
|
kind: Ingress
|
||||||
|
metadata:
|
||||||
|
name: traefik-dash-ingress
|
||||||
|
namespace: traefik
|
||||||
|
annotations:
|
||||||
|
traefik.ingress.kubernetes.io/router.entrypoints: websecure
|
||||||
|
traefik.ingress.kubernetes.io/router.middlewares: traefik-authentik@kubernetescrd
|
||||||
|
spec:
|
||||||
|
rules:
|
||||||
|
- host: "traefik.${SECRET_DOMAIN}"
|
||||||
|
http:
|
||||||
|
paths:
|
||||||
|
- path: /
|
||||||
|
pathType: Prefix
|
||||||
|
backend:
|
||||||
|
service:
|
||||||
|
name: traefik
|
||||||
|
port:
|
||||||
|
number: 9000
|
||||||
|
tls:
|
||||||
|
- hosts:
|
||||||
|
- "${SECRET_DOMAIN}"
|
||||||
|
- "traefik.${SECRET_DOMAIN}"
|
||||||
|
secretName: wildcard-main-tls
|
||||||
|
|
@ -84,12 +84,14 @@ spec:
|
||||||
# Disable Dashboard
|
# Disable Dashboard
|
||||||
ingressRoute:
|
ingressRoute:
|
||||||
dashboard:
|
dashboard:
|
||||||
enabled: true
|
enabled: false
|
||||||
annotations:
|
# annotations:
|
||||||
cert-manager.io/cluster-issuer: "letsencrypt-production"
|
# cert-manager.io/cluster-issuer: "letsencrypt-production"
|
||||||
traefik.ingress.kubernetes.io/router.middlewares: "traefik-authentik@kubernetescrd"
|
# entryPoints:
|
||||||
entryPoints: [ "websecure" ]
|
# - websecure
|
||||||
matchRule: Host(`traefik.${SECRET_DOMAIN}`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
|
# middlewares:
|
||||||
|
# - traefik-authentik@kubernetescrd
|
||||||
|
# matchRule: Host(`traefik.${SECRET_DOMAIN}`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
|
||||||
|
|
||||||
# Set Traefik as your default Ingress Controller, according to Kubernetes 1.19+ changes.
|
# Set Traefik as your default Ingress Controller, according to Kubernetes 1.19+ changes.
|
||||||
ingressClass:
|
ingressClass:
|
||||||
|
|
|
||||||
|
|
@ -4,3 +4,4 @@ resources:
|
||||||
- ./namespace.yaml
|
- ./namespace.yaml
|
||||||
- ./helm-repository.yaml
|
- ./helm-repository.yaml
|
||||||
- ./helm-release.yaml
|
- ./helm-release.yaml
|
||||||
|
- ./dashboard-ingress.yaml
|
||||||
Loading…
Reference in New Issue