Add Kustomize-managed ClusterIssuer

This commit is contained in:
Rob Watson 2022-11-12 19:34:17 +01:00
parent 149dd3567b
commit e44e15c7cf
5 changed files with 60 additions and 5 deletions


@ -1,3 +1,5 @@
# Legacy issuer that is not managed by Kustomize.
# For new certificates, prefer prod/clusterissuer.yaml.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:


@ -1,3 +1,5 @@
# Legacy issuer that is not managed by Kustomize.
# For new certificates, add staging/clusterissuer.yaml.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
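Review bot: The added comment on the second line points new certificates at `staging/clusterissuer.yaml`, but the file the kustomization hunk in this commit adds is `clusterissuer-staging.yaml` (next to `clusterissuer.yaml`), and the sibling legacy issuer says `prefer` where this one says `add`; file paths are not shown on this page, so confirm which name is the real one. Suggest `# For new certificates, prefer clusterissuer-staging.yaml (managed by Kustomize).` so both legacy issuers read the same way and the path matches the kustomization. The hunk shows only the first lines of the resource; the rest of the ClusterIssuer is outside it.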


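--- /dev/null
+++ b/UNKNOWN_PATH/clusterissuer-staging.yaml
@@ -0,0 +1,27 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+name: letsencrypt-staging
+spec:
+acme:
+server: https://acme-staging-v02.api.letsencrypt.org/directory
+email: postmaster@netflux.io
+privateKeySecretRef:
+name: prod-letsencrypt-staging
+solvers:
+- http01:
+ingress:
+class: prod-nginx
+- dns01:
+route53:
+region: eu-west-1
+hostedZoneID: Z1OSEC2E6M9VER
+accessKeyID: AKIARZPRT6YGHAENBEEX
+secretAccessKeySecretRef:
+# Using name reference transformers to manage this didn't work,
+# probably because ClusterIssuer is a cluster-scoped resource.
+#
+# For now, this secret should be provisioned manually in the
+# cert-manager namespace:
+name: prod-aws-credentials
+key: secret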
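Review bot: The dns01 solver's `accessKeyID: AKIARZPRT6YGHAENBEEX` (and the identical line in the prod issuer's hunk) commits a long-lived static IAM access key into the issuer manifest, paired with a secret that the embedded comment says is created by hand in the cert-manager namespace. A static key is a standing credential that needs a rotation owner and a policy limited to what cert-manager uses, at minimum `route53:GetChange`, `route53:ChangeResourceRecordSets` on hosted zone Z1OSEC2E6M9VER and `route53:ListHostedZonesByName`; I would record that scope in the comment so the next person knows what the key may do. If the cluster can assume an IAM role, cert-manager's `route53.role` field avoids holding a key at all; otherwise newer cert-manager releases accept `accessKeyIDSecretRef:` / `name: prod-aws-credentials` / `key: access-key-id` (key name illustrative) so the key ID lives beside the secret instead of in git. Since the key ID is now in history, checking CloudTrail that it is only ever used from cert-manager is a cheap confirmation.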


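--- /dev/null
+++ b/UNKNOWN_PATH/clusterissuer.yaml
@@ -0,0 +1,27 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+name: letsencrypt
+spec:
+acme:
+server: https://acme-v02.api.letsencrypt.org/directory
+email: postmaster@netflux.io
+privateKeySecretRef:
+name: prod-letsencrypt
+solvers:
+- http01:
+ingress:
+class: prod-nginx
+- dns01:
+route53:
+region: eu-west-1
+hostedZoneID: Z1OSEC2E6M9VER
+accessKeyID: AKIARZPRT6YGHAENBEEX
+secretAccessKeySecretRef:
+# Using name reference transformers to manage this didn't work,
+# possibly because ClusterIssuer is a cluster-scoped resource.
+#
+# For now, this secret should be provisioned manually in the
+# cert-manager namespace:
+name: prod-aws-credentials
+key: secret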
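Review bot: Neither entry under `solvers:` carries a `selector`, so as I understand cert-manager's solver selection the first listed solver (`http01`) matches every certificate and the `dns01` route53 solver is never chosen; a wildcard certificate, which needs dns01, would then fail, and the staging issuer's hunk has the same ordering. Give the dns01 solver a selector such as `selector:` / `dnsZones:` / `- "<zone served by Z1OSEC2E6M9VER>"` (the zone name is not shown in this commit), or list dns01 first if it is meant to be the default. The two new issuers otherwise differ only in `probably` versus `possibly` inside the embedded comment; pick one wording so the files diff cleanly.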


@ -4,7 +4,8 @@ resources:
- svc-db.yaml
- svc-netflux.yaml
- cm-ingress-nginx-tcp-services.yaml
- clusterissuer.yaml
- clusterissuer-staging.yaml
configMapGenerator:
- name: prometheus-server
behavior: merge
@ -98,10 +99,6 @@ secretGenerator:
options:
labels:
app: solar-toolkit-gateway
- name: aws-credentials
files:
- key=secrets/aws-access-key-id
- secret=secrets/aws-secret-access-key
patches:
# Patch the ingress-nginx deployment to allow it to use a service with a