From d7d81b39038fe0d932f39fdb0a1e2e81a19678a2 Mon Sep 17 00:00:00 2001 
From: SeanOMik Date: Thu, 19 Sep 2024 20:28:32 -0400 Subject: [PATCH] feat: cert-manager ca for internal certs, enable tls for postgres also fix: incorrect namespace for wildcard cert --- .../cert-manager/certs/files/ca/ca-cert.yaml | 16 ++++++ .../certs/files/ca/ca-issuer.yaml | 7 +++ .../certs/files/ca/kustomization.yaml | 6 ++ .../certs/files/ca/self-signed-issuer.yaml | 6 ++ .../certs/files/kustomization.yaml | 2 +- kubernetes/common/apps/traefik/app/ks.yaml | 25 --------- kubernetes/common/apps/traefik/extra/ks.yaml | 30 ---------- .../main/apps/database/postgresql/cert.yaml | 17 ++++++ .../database/postgresql/helm-release.yaml | 9 ++- .../database/postgresql/kustomization.yaml | 1 + kubernetes/main/core/kustomization.yaml | 2 +- .../core/traefik/app}/dashboard-ingress.yaml | 0 .../core/traefik/app}/helm-release.yaml | 0 .../core/traefik/app}/helm-repository.yaml | 0 .../core/traefik/app}/kustomization.yaml | 0 .../core/traefik/app}/namespace.yaml | 0 .../main/core/traefik/app/wildcard-cert.yaml | 19 +++++++ .../traefik/extra}/default-tls-store.yaml | 0 .../core/traefik/extra}/kustomization.yaml | 0 kubernetes/main/core/traefik/ks.yaml | 56 +++++++++++++++++++ kubernetes/thin/apps/nginx/ks.yaml | 33 +++++++++++ .../nginx/wildcard-cert}/kustomization.yaml | 3 +- .../nginx/wildcard-cert}/wildcard-cert.yaml | 0 23 files changed, 172 insertions(+), 60 deletions(-) create mode 100644 kubernetes/common/apps/cert-manager/certs/files/ca/ca-cert.yaml create mode 100644 kubernetes/common/apps/cert-manager/certs/files/ca/ca-issuer.yaml create mode 100644 kubernetes/common/apps/cert-manager/certs/files/ca/kustomization.yaml create mode 100644 kubernetes/common/apps/cert-manager/certs/files/ca/self-signed-issuer.yaml delete mode 100644 kubernetes/common/apps/traefik/app/ks.yaml delete mode 100644 kubernetes/common/apps/traefik/extra/ks.yaml create mode 100644 kubernetes/main/apps/database/postgresql/cert.yaml rename kubernetes/{common/apps/traefik/app/files => 
main/core/traefik/app}/dashboard-ingress.yaml (100%) rename kubernetes/{common/apps/traefik/app/files => main/core/traefik/app}/helm-release.yaml (100%) rename kubernetes/{common/apps/traefik/app/files => main/core/traefik/app}/helm-repository.yaml (100%) rename kubernetes/{common/apps/traefik/app/files => main/core/traefik/app}/kustomization.yaml (100%) rename kubernetes/{common/apps/traefik/app/files => main/core/traefik/app}/namespace.yaml (100%) create mode 100644 kubernetes/main/core/traefik/app/wildcard-cert.yaml rename kubernetes/{common/apps/traefik/extra/files => main/core/traefik/extra}/default-tls-store.yaml (100%) rename kubernetes/{common/apps/traefik/extra/files => main/core/traefik/extra}/kustomization.yaml (100%) create mode 100644 kubernetes/main/core/traefik/ks.yaml rename kubernetes/{common/apps/traefik => thin/apps/nginx/wildcard-cert}/kustomization.yaml (69%) rename kubernetes/{common/apps/cert-manager/certs/files => thin/apps/nginx/wildcard-cert}/wildcard-cert.yaml (100%) diff --git a/kubernetes/common/apps/cert-manager/certs/files/ca/ca-cert.yaml b/kubernetes/common/apps/cert-manager/certs/files/ca/ca-cert.yaml new file mode 100644 index 0000000..45292c3 --- /dev/null +++ b/kubernetes/common/apps/cert-manager/certs/files/ca/ca-cert.yaml @@ -0,0 +1,16 @@ +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: ca-cert + namespace: cert-manager +spec: + isCA: true + commonName: cluster-ca + secretName: ca-cert-secret + privateKey: + algorithm: ECDSA + size: 256 + issuerRef: + name: self-signed-issuer + kind: ClusterIssuer + group: cert-manager.io \ No newline at end of file diff --git a/kubernetes/common/apps/cert-manager/certs/files/ca/ca-issuer.yaml b/kubernetes/common/apps/cert-manager/certs/files/ca/ca-issuer.yaml new file mode 100644 index 0000000..7abc7cd --- /dev/null +++ b/kubernetes/common/apps/cert-manager/certs/files/ca/ca-issuer.yaml 
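Review bot: The CA Certificate sets no `duration`/`renewBefore`, so cert-manager falls back to its defaults (90-day validity, renewal at two thirds of it) and the cluster CA is re-issued roughly every two months; every consumer that copies `ca.crt` out of `ca-cert-secret` to verify internal services then has to pick up the new bundle on each rotation or start failing verification. For a root used only inside the cluster a much longer explicit lifetime is the usual choice, e.g. `duration: 87600h` after `isCA: true`, with the leaf certificates kept short instead. A comment on `secretName` noting that the CA ClusterIssuer reads this Secret from the cert-manager namespace, which is why the Certificate is placed there, would also help the next reader.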
@@ -0,0 +1,7 @@ +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: ca-issuer +spec: + ca: + secretName: ca-cert-secret \ No newline at end of file diff --git a/kubernetes/common/apps/cert-manager/certs/files/ca/kustomization.yaml b/kubernetes/common/apps/cert-manager/certs/files/ca/kustomization.yaml new file mode 100644 index 0000000..419570d --- /dev/null +++ b/kubernetes/common/apps/cert-manager/certs/files/ca/kustomization.yaml @@ -0,0 +1,6 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- ./self-signed-issuer.yaml +- ./ca-cert.yaml +- ./ca-issuer.yaml \ No newline at end of file diff --git a/kubernetes/common/apps/cert-manager/certs/files/ca/self-signed-issuer.yaml b/kubernetes/common/apps/cert-manager/certs/files/ca/self-signed-issuer.yaml new file mode 100644 index 0000000..ffa851d --- /dev/null +++ b/kubernetes/common/apps/cert-manager/certs/files/ca/self-signed-issuer.yaml @@ -0,0 +1,6 @@ +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: self-signed-issuer +spec: + selfSigned: {} \ No newline at end of file diff --git a/kubernetes/common/apps/cert-manager/certs/files/kustomization.yaml b/kubernetes/common/apps/cert-manager/certs/files/kustomization.yaml index d721975..4b42983 100644 --- a/kubernetes/common/apps/cert-manager/certs/files/kustomization.yaml +++ b/kubernetes/common/apps/cert-manager/certs/files/kustomization.yaml @@ -4,4 +4,4 @@ resources: - ./cloudflare-cred.sops.yaml - ./letsencrypt-prod.yaml - ./letsencrypt-stage.yaml -- ./wildcard-cert.yaml \ No newline at end of file +- ./ca \ No newline at end of file diff --git a/kubernetes/common/apps/traefik/app/ks.yaml b/kubernetes/common/apps/traefik/app/ks.yaml deleted file mode 100644 index d514965..0000000 --- a/kubernetes/common/apps/traefik/app/ks.yaml +++ /dev/null 
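Review bot: The ClusterIssuer is named `ca-issuer`, but the postgres Certificate added in kubernetes/main/apps/database/postgresql/cert.yaml references `issuerRef.name: cluster-ca-issuer`. Unless a ClusterIssuer of that name already exists outside this patch, that Certificate never becomes Ready, `postgres-cert` is never created, and the PostgreSQL pods sit waiting on a missing Secret volume. Pick one name for both, e.g. `name: cluster-ca-issuer` here to match the `commonName: cluster-ca` of the CA certificate, and add a comment on `secretName` that cert-manager resolves it in its own cluster-resource namespace, so this only works while `ca-cert` lives in `cert-manager`.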
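Review bot: Removing `./wildcard-cert.yaml` from this resource list makes the Flux Kustomization that applies it prune the old wildcard Certificate object, assuming it runs with `prune: true` like the others in this repository, while cert-manager by default leaves the previously issued Secret behind in the old namespace, where it quietly stops renewing. That orphaned Secret should be deleted explicitly once the replacement Certificates in the traefik and nginx namespaces are Ready, and the renamed default-tls-store.yaml (contents not in this patch) must reference the new `wildcard-main-tls` secret in the `traefik` namespace. A one-line comment such as `# issuers and the internal CA only; wildcard certs now live with their consumers (traefik, nginx)` would record the intent.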
@@ -1,25 +0,0 @@ -# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: traefik - namespace: flux-system -spec: - timeout: 5m - interval: 10m - path: ./kubernetes/common/apps/traefik/app/files - prune: true - sourceRef: - kind: GitRepository - name: home-cluster - decryption: - provider: sops - secretRef: - name: sops-gpg - postBuild: - substitute: {} - substituteFrom: - - kind: ConfigMap - name: cluster-settings - - kind: Secret - name: cluster-secrets \ No newline at end of file diff --git a/kubernetes/common/apps/traefik/extra/ks.yaml b/kubernetes/common/apps/traefik/extra/ks.yaml deleted file mode 100644 index 53e157d..0000000 --- a/kubernetes/common/apps/traefik/extra/ks.yaml +++ /dev/null @@ -1,30 +0,0 @@ - ---- -# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: traefik-default-tls - namespace: flux-system -spec: - timeout: 5m - interval: 10m - path: ./kubernetes/common/apps/traefik/extra/files - prune: true - sourceRef: - kind: GitRepository - name: home-cluster - decryption: - provider: sops - secretRef: - name: sops-gpg - dependsOn: - - name: traefik - namespace: flux-system - postBuild: - substitute: {} - substituteFrom: - - kind: ConfigMap - name: cluster-settings - - kind: Secret - name: cluster-secrets \ No newline at end of file diff --git a/kubernetes/main/apps/database/postgresql/cert.yaml b/kubernetes/main/apps/database/postgresql/cert.yaml new file mode 100644 index 0000000..334c005 --- /dev/null +++ b/kubernetes/main/apps/database/postgresql/cert.yaml 
@@ -0,0 +1,17 @@ +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: postgres-cert + namespace: database +spec: + secretName: postgres-cert + + duration: 2160h # 90d + renewBefore: 360h # 15d + + issuerRef: + name: cluster-ca-issuer + kind: ClusterIssuer + + dnsNames: + - postgresql.database \ No newline at end of file diff --git a/kubernetes/main/apps/database/postgresql/helm-release.yaml b/kubernetes/main/apps/database/postgresql/helm-release.yaml index 7937f9b..169a68a 100644 --- a/kubernetes/main/apps/database/postgresql/helm-release.yaml +++ b/kubernetes/main/apps/database/postgresql/helm-release.yaml @@ -20,6 +20,12 @@ spec: adminPasswordKey: "adminPassword" replicationPasswordKey: "replicationPassword" + tls: + enabled: true + certificatesSecret: postgres-cert + certFilename: "tls.crt" + certKeyFilename: "tls.key" + serviceMonitor: enabled: true labels: @@ -39,4 +45,5 @@ spec: readReplicas: containerSecurityContext: enabled: true - runAsUser: 10000 \ No newline at end of file + runAsUser: 10000 + \ No newline at end of file diff --git a/kubernetes/main/apps/database/postgresql/kustomization.yaml b/kubernetes/main/apps/database/postgresql/kustomization.yaml index b52eb49..159f941 100644 --- a/kubernetes/main/apps/database/postgresql/kustomization.yaml +++ b/kubernetes/main/apps/database/postgresql/kustomization.yaml @@ -3,5 +3,6 @@ kind: Kustomization resources: - ./pgsql-pv.yaml - ./pgsql.sops.yaml +- ./cert.yaml - ./helm-release.yaml #- ./pgadmin4 \ No newline at end of file diff --git a/kubernetes/main/core/kustomization.yaml b/kubernetes/main/core/kustomization.yaml index d929528..2df2bd3 100644 --- a/kubernetes/main/core/kustomization.yaml +++ b/kubernetes/main/core/kustomization.yaml @@ -5,7 +5,7 @@ resources: - ./helm-repositories.yaml - ../../common/apps/cert-manager - ../../common/apps/metallb -- ../../common/apps/traefik +- ./traefik/ks.yaml # storage - ./longhorn - ./openebs 
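Review bot: `dnsNames` lists only `postgresql.database`, so a client that connects with `sslmode=verify-full` through any other form of the Service name (`postgresql`, `postgresql.database.svc`, `postgresql.database.svc.cluster.local`) fails hostname verification, assuming the Service is named `postgresql` as the existing entry implies. Listing the other forms keeps verification strict, since they are synonyms for the same Service: add `- postgresql.database.svc` and `- postgresql.database.svc.cluster.local` under `dnsNames`, plus `- postgresql` if same-namespace clients use the short name. The `# 90d` / `# 15d` comments are useful; a line above `issuerRef` saying that this certificate chains to the internal cluster CA, whose `ca.crt` clients must trust, would complete the picture.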
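Review bot: `tls.enabled: true` only makes the server offer TLS; whether plaintext connections are still accepted afterwards depends on the `pg_hba.conf` the chart generates, so verify the rendered config and, if `host` rather than `hostssl` rules remain, tighten them via `primary.pgHbaConfiguration`. The mounted Secret is cert-manager output from a CA issuer, so it should also carry `ca.crt`; that file is what clients need for `verify-full` and is deliberately not wired to `tls.certCAFilename` here, which is fine as long as client-certificate auth is not intended — a short comment saying so (`# server TLS only; ca.crt in this Secret is for clients, not for client-cert auth`) would stop the next reader from adding it. The second hunk of this file appends a whitespace-only line after `runAsUser: 10000` and still ends without a newline; drop the trailing space and terminate the file properly.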
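Review bot: Placing `./cert.yaml` before `./helm-release.yaml` does not sequence the rollout, because resource order inside a Kustomization is not a dependency: the Flux Kustomization that applies this directory (not in the patch) must `dependsOn` the one that installs cert-manager and the CA ClusterIssuer, otherwise on a fresh cluster the Certificate CRD or issuer may be missing and the HelmRelease's pods wait on a `postgres-cert` Secret that never appears. If that dependency already exists in the postgresql ks.yaml this is fine; a comment here, `# requires the internal CA ClusterIssuer from cert-manager-certificates; the Flux Kustomization for this app must depend on it`, would make the coupling visible where the resource is listed.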
diff --git a/kubernetes/common/apps/traefik/app/files/dashboard-ingress.yaml b/kubernetes/main/core/traefik/app/dashboard-ingress.yaml similarity index 100% rename from kubernetes/common/apps/traefik/app/files/dashboard-ingress.yaml rename to kubernetes/main/core/traefik/app/dashboard-ingress.yaml diff --git a/kubernetes/common/apps/traefik/app/files/helm-release.yaml b/kubernetes/main/core/traefik/app/helm-release.yaml similarity index 100% rename from kubernetes/common/apps/traefik/app/files/helm-release.yaml rename to kubernetes/main/core/traefik/app/helm-release.yaml diff --git a/kubernetes/common/apps/traefik/app/files/helm-repository.yaml b/kubernetes/main/core/traefik/app/helm-repository.yaml similarity index 100% rename from kubernetes/common/apps/traefik/app/files/helm-repository.yaml rename to kubernetes/main/core/traefik/app/helm-repository.yaml diff --git a/kubernetes/common/apps/traefik/app/files/kustomization.yaml b/kubernetes/main/core/traefik/app/kustomization.yaml similarity index 100% rename from kubernetes/common/apps/traefik/app/files/kustomization.yaml rename to kubernetes/main/core/traefik/app/kustomization.yaml diff --git a/kubernetes/common/apps/traefik/app/files/namespace.yaml b/kubernetes/main/core/traefik/app/namespace.yaml similarity index 100% rename from kubernetes/common/apps/traefik/app/files/namespace.yaml rename to kubernetes/main/core/traefik/app/namespace.yaml diff --git a/kubernetes/main/core/traefik/app/wildcard-cert.yaml b/kubernetes/main/core/traefik/app/wildcard-cert.yaml new file mode 100644 index 0000000..dba312e --- /dev/null +++ b/kubernetes/main/core/traefik/app/wildcard-cert.yaml 
@@ -0,0 +1,19 @@ +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: wildcard-main-cert + namespace: traefik +spec: + secretName: wildcard-main-tls + + duration: 2160h # 90d + renewBefore: 360h # 15d + + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + + dnsNames: + - "${SECRET_NEW_DOMAIN}" + - "*.${SECRET_NEW_DOMAIN}" + - "*.internal.${SECRET_NEW_DOMAIN}" \ No newline at end of file diff --git a/kubernetes/common/apps/traefik/extra/files/default-tls-store.yaml b/kubernetes/main/core/traefik/extra/default-tls-store.yaml similarity index 100% rename from kubernetes/common/apps/traefik/extra/files/default-tls-store.yaml rename to kubernetes/main/core/traefik/extra/default-tls-store.yaml diff --git a/kubernetes/common/apps/traefik/extra/files/kustomization.yaml b/kubernetes/main/core/traefik/extra/kustomization.yaml similarity index 100% rename from kubernetes/common/apps/traefik/extra/files/kustomization.yaml rename to kubernetes/main/core/traefik/extra/kustomization.yaml diff --git a/kubernetes/main/core/traefik/ks.yaml b/kubernetes/main/core/traefik/ks.yaml new file mode 100644 index 0000000..6086f23 --- /dev/null +++ b/kubernetes/main/core/traefik/ks.yaml 
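Review bot: The `duration: 2160h # 90d` line reads as if it chooses the validity, but ACME issuers do not honour `duration` (Let's Encrypt fixes validity at 90 days), so the comment documents the issuer's fixed lifetime rather than a decision made here; say so, e.g. `duration: 2160h # 90d — fixed by Let's Encrypt, duration is not honoured by ACME issuers; renewBefore still drives renewal`. `issuerRef.name: letsencrypt-production` must match the ClusterIssuer defined in the common bundle's letsencrypt-prod.yaml (not shown in this patch); confirm its `metadata.name` before relying on it, since a mismatch leaves `traefik` without `wildcard-main-tls` and the TLSStore in traefik-extra pointing at a missing Secret. Two facts worth a comment above `dnsNames`: wildcards are only issuable via DNS-01, so the named issuer must carry the Cloudflare solver, and `*.internal.${SECRET_NEW_DOMAIN}` is published in Certificate Transparency logs — only the label `internal` is exposed, but the existence of that zone becomes public.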
@@ -0,0 +1,56 @@ +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: traefik + namespace: flux-system +spec: + timeout: 5m + interval: 10m + path: ./kubernetes/main/core/traefik/app + prune: true + sourceRef: + kind: GitRepository + name: home-cluster + decryption: + provider: sops + secretRef: + name: sops-gpg + dependsOn: + - name: cert-manager-certificates + postBuild: + substitute: {} + substituteFrom: + - kind: ConfigMap + name: cluster-settings + - kind: Secret + name: cluster-secrets +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: traefik-extra + namespace: flux-system +spec: + timeout: 5m + interval: 10m + path: ./kubernetes/main/core/traefik/extra + prune: true + sourceRef: + kind: GitRepository + name: home-cluster + decryption: + provider: sops + secretRef: + name: sops-gpg + dependsOn: + - name: traefik + namespace: flux-system + postBuild: + substitute: {} + substituteFrom: + - kind: ConfigMap + name: cluster-settings + - kind: Secret + name: cluster-secrets \ No newline at end of file diff --git a/kubernetes/thin/apps/nginx/ks.yaml b/kubernetes/thin/apps/nginx/ks.yaml index 889e45e..9280326 100644 --- a/kubernetes/thin/apps/nginx/ks.yaml +++ b/kubernetes/thin/apps/nginx/ks.yaml 
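Review bot: Renaming the second Kustomization from `traefik-default-tls` to `traefik-extra` means Flux deletes the old object and, because it ran with `prune: true`, garbage-collects the TLSStore it owned before `traefik-extra` re-applies it from the same files; expect a short window in which Traefik falls back to its built-in default certificate, so either keep the old name or schedule the change. Both objects enable `decryption` with `sops-gpg`, yet neither `app` nor `extra` contains a `.sops.yaml` file in this patch's file list; if none exists, the stanza is dead configuration and dropping it keeps the set of Kustomizations referencing the sops key to those that need it. The two `dependsOn` entries are written differently (`cert-manager-certificates` without a `namespace`, `traefik` with one); both resolve to flux-system, so pick one form. A header comment such as `# traefik: ingress controller + wildcard cert; traefik-extra: default TLSStore, applied once traefik is Ready` would document the split.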
@@ -1,6 +1,35 @@ # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization +metadata: + name: nginx-wildcard-cert + namespace: flux-system +spec: + targetNamespace: nginx + timeout: 5m + interval: 10m + path: ./kubernetes/thin/apps/nginx/wildcard-cert + prune: true + sourceRef: + kind: GitRepository + name: home-cluster + decryption: + provider: sops + secretRef: + name: sops-gpg + dependsOn: + - name: cert-manager-certificates + postBuild: + substitute: {} + substituteFrom: + - kind: ConfigMap + name: cluster-settings + - kind: Secret + name: cluster-secrets +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization metadata: name: nginx-external namespace: flux-system @@ -17,6 +46,8 @@ spec: provider: sops secretRef: name: sops-gpg + dependsOn: + - name: nginx-wildcard-cert postBuild: substitute: {} substituteFrom: @@ -44,6 +75,8 @@ spec: provider: sops secretRef: name: sops-gpg + dependsOn: + - name: nginx-wildcard-cert postBuild: substitute: {} substituteFrom: diff --git a/kubernetes/common/apps/traefik/kustomization.yaml b/kubernetes/thin/apps/nginx/wildcard-cert/kustomization.yaml similarity index 69% rename from kubernetes/common/apps/traefik/kustomization.yaml rename to kubernetes/thin/apps/nginx/wildcard-cert/kustomization.yaml index c2d4a00..83a0bfa 100644 --- a/kubernetes/common/apps/traefik/kustomization.yaml +++ b/kubernetes/thin/apps/nginx/wildcard-cert/kustomization.yaml @@ -1,5 +1,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- ./app/ks.yaml -- ./extra/ks.yaml \ No newline at end of file +- ./wildcard-cert.yaml \ No newline at end of file 
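Review bot: `dependsOn: nginx-wildcard-cert`, added in the second and third hunks of this file (for `nginx-external` and for a Kustomization whose name lies outside the third hunk), only waits for the Certificate manifest to be applied, not for the certificate to be issued, because the new `nginx-wildcard-cert` Kustomization in the first hunk does not set `wait: true`; on a fresh cluster the nginx Ingress objects can therefore be applied while the TLS Secret does not exist yet. Add `wait: true` next to `prune: true` in the `nginx-wildcard-cert` spec so its Ready condition should track the Certificate's Ready condition, which makes the dependency in the other two hunks meaningful. `targetNamespace: nginx` also silently overrides whatever `metadata.namespace` the renamed wildcard-cert.yaml carries, which is the namespace fix the commit subject mentions — a comment `# targetNamespace forces the Certificate into nginx so the Secret sits beside the Ingresses that use it` would make that explicit.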
diff --git a/kubernetes/common/apps/cert-manager/certs/files/wildcard-cert.yaml b/kubernetes/thin/apps/nginx/wildcard-cert/wildcard-cert.yaml similarity index 100% rename from kubernetes/common/apps/cert-manager/certs/files/wildcard-cert.yaml rename to kubernetes/thin/apps/nginx/wildcard-cert/wildcard-cert.yaml