refactor(cert-manager): add tls ks (#3302)

buroa · Jan 13, 2025 · f3c9772 · f3c9772
1 parent 6c60861
commit f3c9772
Show file tree

Hide file tree

Showing 10 changed files with 53 additions and 77 deletions.
diff --git a/kubernetes/apps/cert-manager/cert-manager/issuers/clusterissuer.yaml b/kubernetes/apps/cert-manager/cert-manager/issuers/clusterissuer.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-production
+spec:
+  acme:
+    server: https://acme-v02.api.letsencrypt.org/directory
+    email: &email [email protected]
+    privateKeySecretRef:
+      name: letsencrypt-production
+    solvers:
+      - dns01:
+          cloudflare:
+            email: *email
+            apiTokenSecretRef:
+              name: cloudflare-issuer-secret
+              key: CLOUDFLARE_API_TOKEN
+        selector:
+          dnsZones: ["ktwo.io"]
diff --git a/kubernetes/apps/cert-manager/cert-manager/issuers/externalsecret.yaml b/kubernetes/apps/cert-manager/cert-manager/issuers/externalsecret.yaml
@@ -2,13 +2,13 @@
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
-  name: cloudflare
+  name: cloudflare-issuer
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
     name: onepassword-connect
   target:
-    name: cloudflare-secret
+    name: cloudflare-issuer-secret
     creationPolicy: Owner
     template:
       engineVersion: v2

diff --git a/kubernetes/apps/cert-manager/cert-manager/issuers/kustomization.yaml b/kubernetes/apps/cert-manager/cert-manager/issuers/kustomization.yaml
@@ -2,5 +2,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+  - ./clusterissuer.yaml
   - ./externalsecret.yaml
-  - ./letsencrypt.yaml
diff --git a/kubernetes/apps/cert-manager/cert-manager/issuers/letsencrypt.yaml b/kubernetes/apps/cert-manager/cert-manager/issuers/letsencrypt.yaml
diff --git a/kubernetes/apps/cert-manager/cert-manager/ks.yaml b/kubernetes/apps/cert-manager/cert-manager/ks.yaml
@@ -41,3 +41,25 @@ spec:
   interval: 30m
   retryInterval: 1m
   timeout: 5m
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app cert-manager-tls
+  namespace: flux-system
+spec:
+  targetNamespace: cert-manager
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  dependsOn:
+    - name: cert-manager-issuers
+  path: ./kubernetes/apps/cert-manager/cert-manager/tls
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  wait: true
+  interval: 30m
+  retryInterval: 1m
+  timeout: 5m
diff --git a/...tworking/nginx/certificates/wildcard.yaml → ...anager/cert-manager/tls/certificates.yaml b/...tworking/nginx/certificates/wildcard.yaml → ...anager/cert-manager/tls/certificates.yaml
@@ -2,13 +2,11 @@
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
-  name: wildcard
+  name: ktwo-io
 spec:
-  secretName: wildcard-tls
+  secretName: ktwo-io-tls
   issuerRef:
     name: letsencrypt-production
     kind: ClusterIssuer
   commonName: ktwo.io
-  dnsNames:
-    - ktwo.io
-    - "*.ktwo.io"
+  dnsNames: ["ktwo.io", "*.ktwo.io"]
diff --git a/...ing/nginx/certificates/kustomization.yaml → ...nager/cert-manager/tls/kustomization.yaml b/...ing/nginx/certificates/kustomization.yaml → ...nager/cert-manager/tls/kustomization.yaml
@@ -2,4 +2,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - ./wildcard.yaml
+  - ./certificates.yaml
diff --git a/kubernetes/apps/networking/nginx/external/helmrelease.yaml b/kubernetes/apps/networking/nginx/external/helmrelease.yaml
@@ -60,7 +60,7 @@ spec:
         ssl-protocols: TLSv1.3 TLSv1.2
         use-forwarded-headers: true
       extraArgs:
-        default-ssl-certificate: networking/wildcard-tls
+        default-ssl-certificate: cert-manager/ktwo-io-tls
         publish-status-address: &hostname external.ktwo.io
       ingressClass: external
       ingressClassResource:

diff --git a/kubernetes/apps/networking/nginx/internal/helmrelease.yaml b/kubernetes/apps/networking/nginx/internal/helmrelease.yaml
@@ -59,7 +59,7 @@ spec:
         ssl-early-data: true
         ssl-protocols: TLSv1.3 TLSv1.2
       extraArgs:
-        default-ssl-certificate: networking/wildcard-tls
+        default-ssl-certificate: cert-manager/ktwo-io-tls
         publish-status-address: &hostname internal.ktwo.io
       ingressClass: internal
       ingressClassResource:

diff --git a/kubernetes/apps/networking/nginx/ks.yaml b/kubernetes/apps/networking/nginx/ks.yaml
@@ -1,28 +1,6 @@
 ---
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
-metadata:
-  name: &app nginx-certificates
-  namespace: flux-system
-spec:
-  targetNamespace: networking
-  commonMetadata:
-    labels:
-      app.kubernetes.io/name: *app
-  dependsOn:
-    - name: cert-manager-issuers
-  path: ./kubernetes/apps/networking/nginx/certificates
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    name: flux-system
-  wait: true
-  interval: 30m
-  retryInterval: 1m
-  timeout: 5m
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
 metadata:
   name: &app nginx-external
   namespace: flux-system
@@ -32,7 +10,7 @@ spec:
     labels:
       app.kubernetes.io/name: *app
   dependsOn:
-    - name: nginx-certificates
+    - name: cert-manager-tls
   path: ./kubernetes/apps/networking/nginx/external
   prune: true
   sourceRef:
@@ -54,7 +32,7 @@ spec:
     labels:
       app.kubernetes.io/name: *app
   dependsOn:
-    - name: nginx-certificates
+    - name: cert-manager-tls
   path: ./kubernetes/apps/networking/nginx/internal
   prune: true
   sourceRef: