Add Kustomize-managed ClusterIssuer
parent
149dd3567b
commit
e44e15c7cf
|
@ -1,3 +1,5 @@
|
|||
# Legacy issuer that is not managed by Kustomize.
|
||||
# For new certificates, prefer prod/clusterissuer.yaml.
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: ClusterIssuer
|
||||
metadata:
|
||||
|
|
|
@ -1,3 +1,5 @@
|
|||
# Legacy issuer that is not managed by Kustomize.
|
||||
# For new certificates, add staging/clusterissuer.yaml.
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: ClusterIssuer
|
||||
metadata:
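Review bot: The added comment points to `staging/clusterissuer.yaml`, but the resources hunk of this commit registers `clusterissuer-staging.yaml` next to `clusterissuer.yaml`, so the path may not exist as written. File paths are not shown on this page, so this is inferred. The word "add" also reads as an instruction to create a file, whereas the sibling legacy file says "prefer". Something like `# For new certificates, prefer the Kustomize-managed staging ClusterIssuer (clusterissuer-staging.yaml).` would avoid a dangling pointer.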
|
||||
|
|
|
@ -0,0 +1,27 @@
|
|||
apiVersion: cert-manager.io/v1
|
||||
kind: ClusterIssuer
|
||||
metadata:
|
||||
name: letsencrypt-staging
|
||||
spec:
|
||||
acme:
|
||||
server: https://acme-staging-v02.api.letsencrypt.org/directory
|
||||
email: postmaster@netflux.io
|
||||
privateKeySecretRef:
|
||||
name: prod-letsencrypt-staging
|
||||
solvers:
|
||||
- http01:
|
||||
ingress:
|
||||
class: prod-nginx
|
||||
- dns01:
|
||||
route53:
|
||||
region: eu-west-1
|
||||
hostedZoneID: Z1OSEC2E6M9VER
|
||||
accessKeyID: AKIARZPRT6YGHAENBEEX
|
||||
secretAccessKeySecretRef:
|
||||
# Using name reference transformers to manage this didn't work,
|
||||
# probably because ClusterIssuer is a cluster-scoped resource.
|
||||
#
|
||||
# For now, this secret should be provisioned manually in the
|
||||
# cert-manager namespace:
|
||||
name: prod-aws-credentials
|
||||
key: secret
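Review bot: The `accessKeyID` under `route53` is a long-lived IAM access key identifier hard-coded here and again in the production issuer, while the matching secret is created by hand per the comment and the last hunk of this commit drops the `aws-credentials` secretGenerator. Nothing in the repository now ties the key ID to the secret, so a rotation has to change two manifests and an out-of-band secret together, and a mismatch would only surface when a DNS-01 challenge fails. I would add a comment above the field, e.g. `# Must match the key stored in prod-aws-credentials (cert-manager namespace); rotate both together.` It would also help to record where the manual provisioning steps live. The IAM policy behind this key is not visible from here; it is worth confirming it is limited to Route 53 record changes on the one hosted zone.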
|
|
@ -0,0 +1,27 @@
|
|||
apiVersion: cert-manager.io/v1
|
||||
kind: ClusterIssuer
|
||||
metadata:
|
||||
name: letsencrypt
|
||||
spec:
|
||||
acme:
|
||||
server: https://acme-v02.api.letsencrypt.org/directory
|
||||
email: postmaster@netflux.io
|
||||
privateKeySecretRef:
|
||||
name: prod-letsencrypt
|
||||
solvers:
|
||||
- http01:
|
||||
ingress:
|
||||
class: prod-nginx
|
||||
- dns01:
|
||||
route53:
|
||||
region: eu-west-1
|
||||
hostedZoneID: Z1OSEC2E6M9VER
|
||||
accessKeyID: AKIARZPRT6YGHAENBEEX
|
||||
secretAccessKeySecretRef:
|
||||
# Using name reference transformers to manage this didn't work,
|
||||
# possibly because ClusterIssuer is a cluster-scoped resource.
|
||||
#
|
||||
# For now, this secret should be provisioned manually in the
|
||||
# cert-manager namespace:
|
||||
name: prod-aws-credentials
|
||||
key: secret
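Review bot: Neither entry under `solvers` has a `selector`, here or in the staging issuer, so the manifest does not say which names should use HTTP-01 and which DNS-01. The choice is left to cert-manager's matching rules and the list order. If the `dns01` entry is meant only for wildcard names or for a single zone, state that with a `selector` (for example `dnsZones:` listing the zone), or at least a comment such as `# dns01: for names http01 cannot validate`. An explicit scope also limits which certificate requests can trigger Route 53 changes with these credentials.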
|
|
@ -4,7 +4,8 @@ resources:
|
|||
- svc-db.yaml
|
||||
- svc-netflux.yaml
|
||||
- cm-ingress-nginx-tcp-services.yaml
|
||||
|
||||
- clusterissuer.yaml
|
||||
- clusterissuer-staging.yaml
|
||||
configMapGenerator:
|
||||
- name: prometheus-server
|
||||
behavior: merge
|
||||
|
@ -98,10 +99,6 @@ secretGenerator:
|
|||
options:
|
||||
labels:
|
||||
app: solar-toolkit-gateway
|
||||
- name: aws-credentials
|
||||
files:
|
||||
- key=secrets/aws-access-key-id
|
||||
- secret=secrets/aws-secret-access-key
|
||||
|
||||
patches:
|
||||
# Patch the ingress-nginx deployment to allow it to use a service with a
|
||||
|
|