rob
/
netflux-kubernetes
1
0
Fork 0
Code Issues 1 Pull Requests Projects Releases Wiki Activity

Add Kustomize-managed ClusterIssuer

This commit is contained in:
Rob Watson 2022-11-12 19:34:17 +01:00
parent 149dd3567b
commit e44e15c7cf
5 changed files with 60 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
cert-manager/issuer-production.yml
View File

@ -1,3 +1,5 @@
# Legacy issuer that is not managed by Kustomize.
# For new certificates, prefer prod/clusterissuer.yaml.
apiVersion: cert-manager.io/v1 apiVersion: cert-manager.io/v1
kind: ClusterIssuer kind: ClusterIssuer
metadata: metadata:

2
cert-manager/issuer-staging.yml
View File

@ -1,3 +1,5 @@
# Legacy issuer that is not managed by Kustomize.
# For new certificates, add staging/clusterissuer.yaml.
apiVersion: cert-manager.io/v1 apiVersion: cert-manager.io/v1
kind: ClusterIssuer kind: ClusterIssuer
metadata: metadata:

27
deploy/prod/clusterissuer-staging.yaml Normal file
View File

@ -0,0 +1,27 @@
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-staging
spec:
acme:
server: https://acme-staging-v02.api.letsencrypt.org/directory
email: postmaster@netflux.io
privateKeySecretRef:
name: prod-letsencrypt-staging
solvers:
- http01:
ingress:
class: prod-nginx
- dns01:
route53:
region: eu-west-1
hostedZoneID: Z1OSEC2E6M9VER
accessKeyID: AKIARZPRT6YGHAENBEEX
secretAccessKeySecretRef:
# Using name reference transformers to manage this didn't work,
# probably because ClusterIssuer is a cluster-scoped resource.
#
# For now, this secret should be provisioned manually in the
# cert-manager namespace:
name: prod-aws-credentials
key: secret

27
deploy/prod/clusterissuer.yaml Normal file
View File

@ -0,0 +1,27 @@
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: postmaster@netflux.io
privateKeySecretRef:
name: prod-letsencrypt
solvers:
- http01:
ingress:
class: prod-nginx
- dns01:
route53:
region: eu-west-1
hostedZoneID: Z1OSEC2E6M9VER
accessKeyID: AKIARZPRT6YGHAENBEEX
secretAccessKeySecretRef:
# Using name reference transformers to manage this didn't work,
# possibly because ClusterIssuer is a cluster-scoped resource.
#
# For now, this secret should be provisioned manually in the
# cert-manager namespace:
name: prod-aws-credentials
key: secret

7
deploy/prod/kustomization.yaml
View File

@ -4,7 +4,8 @@ resources:
- svc-db.yaml - svc-db.yaml
- svc-netflux.yaml - svc-netflux.yaml
- cm-ingress-nginx-tcp-services.yaml - cm-ingress-nginx-tcp-services.yaml
- clusterissuer.yaml
- clusterissuer-staging.yaml
configMapGenerator: configMapGenerator:
- name: prometheus-server - name: prometheus-server
behavior: merge behavior: merge
@ -98,10 +99,6 @@ secretGenerator:
options: options:
labels: labels:
app: solar-toolkit-gateway app: solar-toolkit-gateway
- name: aws-credentials
files:
- key=secrets/aws-access-key-id
- secret=secrets/aws-secret-access-key
patches: patches:
# Patch the ingress-nginx deployment to allow it to use a service with a # Patch the ingress-nginx deployment to allow it to use a service with a