Create a wildcard cert with cert-manager and replicate with kubernetes-replicator

2023-04-13 00:52:05 -04:00 · 2023-04-13 00:52:05 -04:00 · 1ac757aca4
parent 5e0d596da7
commit 1ac757aca4
14 changed files with 111 additions and 26 deletions
--- a/cluster/core/cert-manager/cloudflare-cred.sops.yaml
+++ b/cluster/core/cert-manager/cloudflare-cred.sops.yaml
@ -5,7 +5,7 @@ metadata:
    namespace: cert-manager
 type: Opaque
 stringData:
-    api-token: ENC[AES256_GCM,data:qA+gnSJHnGx+4IpoAHVzMx2oDfYl9n4cgK9TTEABynDITUYUSkxgnw==,iv:sumwgvvxupp+aDfbS0QrOgLIV5ncivO8dh9sWzZkROI=,tag:c2nOAIZPD1XMEozPNFoayQ==,type:str]
+    api-token: ENC[AES256_GCM,data:UDkGVrLnMC6LvGmkkp9q+oMVTinYOgz/MArlXMWegGlyRM7Yt/fmaw==,iv:yZ/wrJOvHosLcdZRwGPrDZBBgbgKtNbVZsqauFo0VoM=,tag:eNoU5sGm1xWbVy+BMG1C3A==,type:str]
    email: ENC[AES256_GCM,data:hd9vZ3ubTLMxJbbR38LjGHQQ,iv:9BvLfefAvzjd1aGLaTe/U3R1NLw/gdeNMF0yu/kDRH8=,tag:V40IrOkyTuUVawrl03p+qw==,type:str]
 sops:
    kms: []
@ -13,8 +13,8 @@ sops:
    azure_kv: []
    hc_vault: []
    age: []
-    lastmodified: "2023-04-05T02:16:12Z"
-    mac: ENC[AES256_GCM,data:DiCXc5CB3mjhM4EsnOWgPYlCyGOU+J1LNSNZ2dbisOy945G/9usANnljLu30gk0KE9TYyMeVxj2mHvp8Q05TgRJwU8g9sJvD2GEqokWxuVPpaWxK/CG7KEBLRGtdcpt8++vulT3/Npo4EwQsqIFzVreIOJ17kBpBtTTJZ51O+Ms=,iv:B1/NVCvx0SnC6k50TeLlyhi4z6cUHGff0R/+WMdGDEA=,tag:8C68isdbGpXuyGJFsnQkDA==,type:str]
+    lastmodified: "2023-04-13T02:13:59Z"
+    mac: ENC[AES256_GCM,data:Fh2L1VgWrJ8YZz/+TLcwzbc10WF2zPaFZ7QqCwOv2QQmPEH1Nf37Vvzm6dsVpeVW1GnL8/8bK7bnE9c9p4cRaBs2iYeypuBqILTce/3bd7Ml8fMNeORzPdfCbDrRy8KgdLcKzxJ3M2dTlp9U9RF0jqKhGANav7LX0DwarB4d0iE=,iv:rMvOeb+es19b88KD6F9IBGY572TnyIvVXh/gUw2rB3c=,tag:evCsvh/BHsIX27WvtjXKGQ==,type:str]
    pgp:
        - created_at: "2023-04-05T02:16:11Z"
          enc: |
--- a/cluster/core/cert-manager/helm-release.yaml
+++ b/cluster/core/cert-manager/helm-release.yaml
@ -15,14 +15,14 @@ spec:
        namespace: flux-system
  values:
    installCRDs: false
-    webhook:
-      enabled: true
-    extraArgs:
-      - --dns01-recursive-nameservers=1.1.1.1:53,9.9.9.9:53
-      - --dns01-recursive-nameservers-only
-    replicaCount: 1
-    podDnsPolicy: "None"
-    podDnsConfig:
-      nameservers:
-        - "1.1.1.1"
-        - "9.9.9.9"
+#    webhook:
+#      enabled: true
+#    extraArgs:
+#      - --dns01-recursive-nameservers=1.1.1.1:53,9.9.9.9:53
+#      - --dns01-recursive-nameservers-only
+#    replicaCount: 1
+#    podDnsPolicy: "None"
+#    podDnsConfig:
+#      nameservers:
+#        - "1.1.1.1"
+#        - "9.9.9.9"
--- a/cluster/core/cert-manager/kustomization.yaml
+++ b/cluster/core/cert-manager/kustomization.yaml
@ -7,4 +7,4 @@ resources:
 - ./helm-release.yaml
 - ./letsencrypt-prod.yaml
 - ./letsencrypt-stage.yaml
-#- ./dashboard-ingress.yaml
+- ./wildcard-cert.yaml
--- a/cluster/core/cert-manager/letsencrypt-prod.yaml
+++ b/cluster/core/cert-manager/letsencrypt-prod.yaml
@ -17,8 +17,8 @@ spec:
          cloudflare:
            email: "${SECRET_MY_EMAIL}"
            apiTokenSecretRef:
-              name: cloudflare-api-token-secret
+              name: cloudflare-credentials
              key: api-token
        selector:
          dnsZones:
-            - "***REMOVED***"
+            - "${SECRET_NEW_DOMAIN}"
--- a/cluster/core/cert-manager/letsencrypt-stage.yaml
+++ b/cluster/core/cert-manager/letsencrypt-stage.yaml
@ -17,8 +17,8 @@ spec:
          cloudflare:
            email: "${SECRET_MY_EMAIL}"
            apiTokenSecretRef:
-              name: cloudflare-api-token-secret
+              name: cloudflare-credentials
              key: api-token
        selector:
          dnsZones:
-            - "***REMOVED***"
+            - "${SECRET_NEW_DOMAIN}"
--- a/cluster/core/cert-manager/wildcard-cert.yaml
+++ b/cluster/core/cert-manager/wildcard-cert.yaml
@ -0,0 +1,22 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: wildcard-main-cert
+  namespace: cert-manager
+spec:
+  secretName: wildcard-main-tls
+
+  secretTemplate:
+    annotations:
+      replicator.v1.mittwald.de/replicate-to: "traefik"
+
+  duration: 2160h # 90d
+  renewBefore: 360h # 15d
+
+  issuerRef:
+    name: letsencrypt-staging
+    kind: ClusterIssuer
+
+  dnsNames:
+    - "*.${SECRET_NEW_DOMAIN}"
+    - "*.k3s.${SECRET_NEW_DOMAIN}"
--- a/cluster/core/kube-replicator/helm-release.yaml
+++ b/cluster/core/kube-replicator/helm-release.yaml
@ -0,0 +1,16 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: kube-replicator
+  namespace: kube-replicator
+spec:
+  interval: 5m
+  chart:
+    spec:
+      chart: kubernetes-replicator
+      version: '2.7.x'
+      sourceRef:
+        kind: HelmRepository
+        name: mittwald-charts
+        namespace: flux-system
+      interval: 1m
--- a/cluster/core/kube-replicator/helm-repository.yaml
+++ b/cluster/core/kube-replicator/helm-repository.yaml
@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: mittwald-charts
+  namespace: flux-system
+spec:
+  interval: 1m
+  url: https://helm.mittwald.de
--- a/cluster/core/kube-replicator/kustomization.yaml
+++ b/cluster/core/kube-replicator/kustomization.yaml
@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./namespace.yaml
+- ./helm-release.yaml
+- ./helm-repository.yaml
--- a/cluster/core/kube-replicator/namespace.yaml
+++ b/cluster/core/kube-replicator/namespace.yaml
@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: kube-replicator
--- a/cluster/core/kustomization.yaml
+++ b/cluster/core/kustomization.yaml
@ -4,4 +4,5 @@ resources:
 - ./helm-repositories.yaml
 - ./cert-manager
 - ./networking
- ./storage
+- ./storage
+- ./kube-replicator
--- a/cluster/core/networking/traefik/dashboard-ingress.yaml
+++ b/cluster/core/networking/traefik/dashboard-ingress.yaml
@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: traefik-dash-ingress
+  namespace: traefik
+  annotations:
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.middlewares: traefik-authentik@kubernetescrd
+spec:
+  rules:
+    - host: "traefik.${SECRET_DOMAIN}"
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: traefik
+                port:
+                  number: 9000
+  tls:
+    - hosts:
+      - "${SECRET_DOMAIN}"
+      - "traefik.${SECRET_DOMAIN}"
+      secretName: wildcard-main-tls
--- a/cluster/core/networking/traefik/helm-release.yaml
+++ b/cluster/core/networking/traefik/helm-release.yaml
@ -84,12 +84,14 @@ spec:
    # Disable Dashboard
    ingressRoute:
      dashboard:
-        enabled: true
-        annotations:
-          cert-manager.io/cluster-issuer: "letsencrypt-production"
-          traefik.ingress.kubernetes.io/router.middlewares: "traefik-authentik@kubernetescrd"
-        entryPoints: [ "websecure" ]
-        matchRule: Host(`traefik.${SECRET_DOMAIN}`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
+        enabled: false
+#        annotations:
+#          cert-manager.io/cluster-issuer: "letsencrypt-production"
+#        entryPoints:
+#          - websecure
+#        middlewares:
+#          - traefik-authentik@kubernetescrd
+#        matchRule: Host(`traefik.${SECRET_DOMAIN}`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))

    # Set Traefik as your default Ingress Controller, according to Kubernetes 1.19+ changes.
    ingressClass:
--- a/cluster/core/networking/traefik/kustomization.yaml
+++ b/cluster/core/networking/traefik/kustomization.yaml
@ -4,3 +4,4 @@ resources:
 - ./namespace.yaml
 - ./helm-repository.yaml
 - ./helm-release.yaml
+- ./dashboard-ingress.yaml