226 lines
5.2 KiB
YAML
226 lines
5.2 KiB
YAML
---
|
|
apiVersion: cert-manager.io/v1
|
|
kind: ClusterIssuer
|
|
metadata:
|
|
annotations:
|
|
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
|
|
name: letsencrypt-production
|
|
spec:
|
|
acme:
|
|
# The ACME server URL
|
|
server: https://acme-v02.api.letsencrypt.org/directory
|
|
# Email address used for ACME registration
|
|
email: {{ .Values.clusterConfig.acme_email }}
|
|
# Name of a secret used to store the ACME account private key
|
|
privateKeySecretRef:
|
|
name: letsencrypt-production
|
|
solvers:
|
|
- http01:
|
|
ingress:
|
|
class: nginx
|
|
---
|
|
apiVersion: cert-manager.io/v1
|
|
kind: ClusterIssuer
|
|
metadata:
|
|
annotations:
|
|
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
|
|
name: letsencrypt-staging
|
|
spec:
|
|
acme:
|
|
# The ACME server URL
|
|
server: https://acme-staging-v02.api.letsencrypt.org/directory
|
|
# Email address used for ACME registration
|
|
email: {{ .Values.clusterConfig.acme_email }}
|
|
# Name of a secret used to store the ACME account private key
|
|
privateKeySecretRef:
|
|
name: letsencrypt-staging
|
|
solvers:
|
|
- http01:
|
|
ingress:
|
|
class: nginx
|
|
---
|
|
apiVersion: cert-manager.io/v1
|
|
kind: ClusterIssuer
|
|
metadata:
|
|
annotations:
|
|
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
|
|
name: ca-issuer
|
|
spec:
|
|
ca:
|
|
secretName: cluster-ca
|
|
---
|
|
apiVersion: cert-manager.io/v1
|
|
kind: ClusterIssuer
|
|
metadata:
|
|
annotations:
|
|
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
|
|
name: selfsigning-issuer
|
|
spec:
|
|
selfSigned: {}
|
|
---
|
|
kind: ClusterRoleBinding
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
metadata:
|
|
name: front-proxy-client
|
|
subjects:
|
|
- kind: User
|
|
name: front-proxy-client
|
|
apiGroup: rbac.authorization.k8s.io
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: front-proxy-client
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
name: front-proxy-client
|
|
rules:
|
|
- apiGroups:
|
|
- "webhook.cert-manager.io"
|
|
resources:
|
|
- mutations
|
|
- validations
|
|
verbs: [ "*" ]
|
|
- apiGroups:
|
|
- metrics.k8s.io
|
|
resources:
|
|
- pods
|
|
- nodes
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
---
|
|
|
|
{{ if .Values.clusterConfig.initca }}
|
|
|
|
# Pod to update certificates from master nodes
|
|
# only runs on control plane nodes (etcd)
|
|
# Mounts cert files rotatet by nixos service.mgr and uses it to update cert-manager secret
|
|
# Always create certs on initial creation,
|
|
# Otherwise, cert creation would not happen until cronJob runs
|
|
apiVersion: batch/v1
|
|
kind: Job
|
|
metadata:
|
|
name: cert-create
|
|
namespace: cert-manager
|
|
spec:
|
|
backoffLimit: 1
|
|
template:
|
|
metadata:
|
|
labels:
|
|
block-egress: "true"
|
|
annotations:
|
|
linkerd.io/inject: disabled
|
|
spec:
|
|
restartPolicy: Never
|
|
serviceAccountName: cert-secret-updater
|
|
securityContext:
|
|
runAsUser: 12000
|
|
runAsGroup: 13000
|
|
fsGroup: 10000
|
|
affinity:
|
|
nodeAffinity:
|
|
requiredDuringSchedulingIgnoredDuringExecution:
|
|
nodeSelectorTerms:
|
|
- matchExpressions:
|
|
- key: node-role.kubernetes.io
|
|
operator: In
|
|
values:
|
|
- control-plane
|
|
tolerations:
|
|
- key: unschedulable
|
|
value: "true"
|
|
effect: NoSchedule
|
|
containers:
|
|
- image: bitnami/kubectl:1.24
|
|
name: kubectl
|
|
resources: {}
|
|
securityContext:
|
|
allowPrivilegeEscalation: false
|
|
command:
|
|
- "/bin/sh"
|
|
- -c
|
|
- /tmp/renew-certs/renew-certs.sh
|
|
volumeMounts:
|
|
- name: ca-pem
|
|
mountPath: /tmp/ca.pem
|
|
- name: ca-key-pem
|
|
mountPath: /tmp/ca-key.pem
|
|
- name: certs-script
|
|
mountPath: /tmp/renew-certs
|
|
volumes:
|
|
- name: ca-pem
|
|
hostPath:
|
|
path: {{.Values.clusterConfig.initca}}/ca.pem
|
|
type: File
|
|
- name: ca-key-pem
|
|
hostPath:
|
|
path: {{.Values.clusterConfig.initca}}/ca-key.pem
|
|
type: File
|
|
- name: certs-script
|
|
configMap:
|
|
name: renew-certs-script
|
|
defaultMode: 0755
|
|
---
|
|
apiVersion: v1
|
|
data:
|
|
renew-certs.sh: |
|
|
#! /bin/bash
|
|
kubectl create secret tls -n cert-manager cluster-ca --cert=/tmp/ca.pem --key=/tmp/ca-key.pem --dry-run=client -o yaml > /tmp/new-secret.yaml
|
|
kubectl apply -f /tmp/new-secret.yaml
|
|
kind: ConfigMap
|
|
metadata:
|
|
name: renew-certs-script
|
|
namespace: cert-manager
|
|
---
|
|
apiVersion: v1
|
|
kind: ServiceAccount
|
|
metadata:
|
|
name: cert-secret-updater
|
|
namespace: cert-manager
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: Role
|
|
metadata:
|
|
name: cert-secret-updater-role
|
|
namespace: cert-manager
|
|
rules:
|
|
- apiGroups:
|
|
- ""
|
|
resourceNames:
|
|
- cluster-ca
|
|
resources:
|
|
- secrets
|
|
verbs:
|
|
- '*'
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: RoleBinding
|
|
metadata:
|
|
name: cert-secret-updater-rbinding
|
|
namespace: cert-manager
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: Role
|
|
name: cert-secret-updater-role
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: cert-secret-updater
|
|
namespace: cert-manager
|
|
---
|
|
apiVersion: networking.k8s.io/v1
|
|
kind: NetworkPolicy
|
|
metadata:
|
|
name: default-deny-egress
|
|
namespace: cert-manager
|
|
spec:
|
|
podSelector:
|
|
matchLabels:
|
|
block-egress: "true"
|
|
policyTypes:
|
|
- Egress
|
|
---
|
|
{{ end }}
|