feat: add stub dns01 issuer and refactor cert-manager manifests
This commit is contained in:
@@ -0,0 +1,78 @@
|
||||
---
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: ClusterIssuer
|
||||
metadata:
|
||||
annotations:
|
||||
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
|
||||
name: letsencrypt-production
|
||||
spec:
|
||||
acme:
|
||||
server: https://acme-v02.api.letsencrypt.org/directory
|
||||
email: {{ .Values.clusterConfig.acme.email }}
|
||||
privateKeySecretRef:
|
||||
name: letsencrypt-production
|
||||
solvers:
|
||||
- http01:
|
||||
ingress:
|
||||
class: nginx
|
||||
---
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: ClusterIssuer
|
||||
metadata:
|
||||
annotations:
|
||||
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
|
||||
name: letsencrypt-staging
|
||||
spec:
|
||||
acme:
|
||||
server: https://acme-staging-v02.api.letsencrypt.org/directory
|
||||
email: {{ .Values.clusterConfig.acme.email }}
|
||||
privateKeySecretRef:
|
||||
name: letsencrypt-staging
|
||||
solvers:
|
||||
- http01:
|
||||
ingress:
|
||||
class: nginx
|
||||
---
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: ClusterIssuer
|
||||
metadata:
|
||||
annotations:
|
||||
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
|
||||
name: ca-issuer
|
||||
spec:
|
||||
ca:
|
||||
secretName: cluster-ca
|
||||
---
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: ClusterIssuer
|
||||
metadata:
|
||||
annotations:
|
||||
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
|
||||
name: selfsigning-issuer
|
||||
spec:
|
||||
selfSigned: {}
|
||||
---
|
||||
{{- if .Values.clusterConfig.acme.dns01 }}
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: ClusterIssuer
|
||||
metadata:
|
||||
name: letsencrypt-dns01-prod
|
||||
spec:
|
||||
acme:
|
||||
email: {{ .Values.clusterConfig.acme.email }}
|
||||
server: https://acme-v02.api.letsencrypt.org/directory
|
||||
privateKeySecretRef:
|
||||
name: letsencrypt-dns01-prod
|
||||
solvers:
|
||||
- dns01:
|
||||
webhook:
|
||||
groupName: acme.namecheap.com
|
||||
solverName: namecheap
|
||||
config:
|
||||
apiKeySecretRef:
|
||||
name: {{ .Values.clusterConfig.dns01 }}
|
||||
key: apiKey
|
||||
apiUserSecretRef:
|
||||
name: {{ .Values.clusterConfig.dns01 }}
|
||||
key: apiUser
|
||||
{{- end }}
|
||||
@@ -1,98 +1,4 @@
|
||||
---
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: ClusterIssuer
|
||||
metadata:
|
||||
annotations:
|
||||
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
|
||||
name: letsencrypt-production
|
||||
spec:
|
||||
acme:
|
||||
# The ACME server URL
|
||||
server: https://acme-v02.api.letsencrypt.org/directory
|
||||
# Email address used for ACME registration
|
||||
email: {{ .Values.clusterConfig.acme_email }}
|
||||
# Name of a secret used to store the ACME account private key
|
||||
privateKeySecretRef:
|
||||
name: letsencrypt-production
|
||||
solvers:
|
||||
- http01:
|
||||
ingress:
|
||||
class: nginx
|
||||
---
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: ClusterIssuer
|
||||
metadata:
|
||||
annotations:
|
||||
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
|
||||
name: letsencrypt-staging
|
||||
spec:
|
||||
acme:
|
||||
# The ACME server URL
|
||||
server: https://acme-staging-v02.api.letsencrypt.org/directory
|
||||
# Email address used for ACME registration
|
||||
email: {{ .Values.clusterConfig.acme_email }}
|
||||
# Name of a secret used to store the ACME account private key
|
||||
privateKeySecretRef:
|
||||
name: letsencrypt-staging
|
||||
solvers:
|
||||
- http01:
|
||||
ingress:
|
||||
class: nginx
|
||||
---
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: ClusterIssuer
|
||||
metadata:
|
||||
annotations:
|
||||
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
|
||||
name: ca-issuer
|
||||
spec:
|
||||
ca:
|
||||
secretName: cluster-ca
|
||||
---
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: ClusterIssuer
|
||||
metadata:
|
||||
annotations:
|
||||
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
|
||||
name: selfsigning-issuer
|
||||
spec:
|
||||
selfSigned: {}
|
||||
---
|
||||
kind: ClusterRoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: front-proxy-client
|
||||
subjects:
|
||||
- kind: User
|
||||
name: front-proxy-client
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: front-proxy-client
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: front-proxy-client
|
||||
rules:
|
||||
- apiGroups:
|
||||
- "webhook.cert-manager.io"
|
||||
resources:
|
||||
- mutations
|
||||
- validations
|
||||
verbs: [ "*" ]
|
||||
- apiGroups:
|
||||
- metrics.k8s.io
|
||||
resources:
|
||||
- pods
|
||||
- nodes
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
---
|
||||
|
||||
{{ if .Values.clusterConfig.initca }}
|
||||
# Pod to update certificates from master nodes
|
||||
# only runs on control plane nodes (etcd)
|
||||
|
||||
@@ -0,0 +1,35 @@
|
||||
---
|
||||
kind: ClusterRoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: front-proxy-client
|
||||
subjects:
|
||||
- kind: User
|
||||
name: front-proxy-client
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: front-proxy-client
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: front-proxy-client
|
||||
rules:
|
||||
- apiGroups:
|
||||
- "webhook.cert-manager.io"
|
||||
resources:
|
||||
- mutations
|
||||
- validations
|
||||
verbs: [ "*" ]
|
||||
- apiGroups:
|
||||
- metrics.k8s.io
|
||||
resources:
|
||||
- pods
|
||||
- nodes
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
---
|
||||
@@ -14,7 +14,9 @@ clusterConfig:
|
||||
ingress_nodes: ["ekman , ekman-manage" ]
|
||||
ingress_replica_count: 2
|
||||
fileserver: "10.255.241.100"
|
||||
acme_email: "acme@oceanbox.io"
|
||||
acme:
|
||||
email: "acme@oceanbox.io"
|
||||
dns01: "namecheap-apikey"
|
||||
oidc:
|
||||
- name: oceanbox
|
||||
provider: azuread
|
||||
|
||||
@@ -12,7 +12,9 @@ clusterConfig:
|
||||
ingress_nodes: ["oceanbox-controlplane-1, oceanbox-controlplane-2, oceanbox-controlplane-3" ]
|
||||
ingress_replica_count: 3
|
||||
fileserver: "10.255.241.210"
|
||||
acme_email: "acme@oceanbox.io"
|
||||
acme:
|
||||
email: "acme@oceanbox.io"
|
||||
dns01: "namecheap-apikey"
|
||||
oidc:
|
||||
- name: oceanbox
|
||||
provider: azuread
|
||||
|
||||
@@ -20,7 +20,9 @@ clusterConfig:
|
||||
ingress_hostport: false
|
||||
ingress_nodeport: false
|
||||
fileserver: "172.16.239.222"
|
||||
acme_email: "acme@oceanbox.io"
|
||||
acme:
|
||||
email: "acme@oceanbox.io"
|
||||
dns01: "namecheap-apikey"
|
||||
oidc:
|
||||
- name: oceanbox
|
||||
provider: azuread
|
||||
|
||||
+3
-1
@@ -11,7 +11,9 @@ clusterConfig:
|
||||
ingress_nodes: []
|
||||
ingress_replica_count: 3
|
||||
fileserver: ""
|
||||
acme_email: ""
|
||||
acme:
|
||||
email: "acme@oceanbox.io"
|
||||
dns01: ""
|
||||
nodenames: []
|
||||
nodes: []
|
||||
ingress_clusterissuer: "letsencrypt-production"
|
||||
|
||||
Reference in New Issue
Block a user