From 01b7e79e556e076e63e33e47ec6bc6df3b2b2c83 Mon Sep 17 00:00:00 2001
From: Paul-Henri Froidmont
Date: Sat, 17 Aug 2019 18:44:58 +0200
Subject: [PATCH] Manage letsencrypt certificates with cert-manager
---
 group_vars/k8s-cluster.yml | 1 +
 inventories/prod/group_vars/k8s-cluster.yml | 3 +-
 inventories/test/group_vars/k8s-cluster.yml | 3 +-
 roles/k8s-manifests/defaults/main.yml | 3 +-
 roles/k8s-manifests/tasks/cert-manager.yml | 27 ++++++++
 roles/k8s-manifests/tasks/main.yml | 9 ++-
 roles/k8s-manifests/tasks/searx.yml | 30 ++++++++-
 roles/k8s-manifests/tasks/traefik.yml | 69 ++++++++++++++++++++-
 8 files changed, 137 insertions(+), 8 deletions(-)
 create mode 100644 roles/k8s-manifests/tasks/cert-manager.yml
diff --git a/group_vars/k8s-cluster.yml b/group_vars/k8s-cluster.yml
index 2231738..f1f11b9 100644
--- a/group_vars/k8s-cluster.yml
+++ b/group_vars/k8s-cluster.yml
@@ -9,4 +9,5 @@ upstream_dns_servers:
 #Addons
 kube_api_anonymous_auth: true
+cert_manager_enabled: true
 metrics_server_enabled: true
diff --git a/inventories/prod/group_vars/k8s-cluster.yml b/inventories/prod/group_vars/k8s-cluster.yml
index 0138b20..4c6d0ab 100644
--- a/inventories/prod/group_vars/k8s-cluster.yml
+++ b/inventories/prod/group_vars/k8s-cluster.yml
@@ -1,2 +1,3 @@
 ---
-default_issuer: letsencrypt-production
+cert_manager_issuer: letsencrypt-production
+banditlair_domain: banditlair.com
diff --git a/inventories/test/group_vars/k8s-cluster.yml b/inventories/test/group_vars/k8s-cluster.yml
index c079edf..a6d95f8 100644
--- a/inventories/test/group_vars/k8s-cluster.yml
+++ b/inventories/test/group_vars/k8s-cluster.yml
@@ -1,2 +1,3 @@
 ---
-default_issuer: letsencrypt-staging
+cert_manager_issuer: letsencrypt-staging
+banditlair_domain: k8s.banditlair.com
\ No newline at end of file
diff --git a/roles/k8s-manifests/defaults/main.yml b/roles/k8s-manifests/defaults/main.yml
index 08d0959..db79380 100644
--- a/roles/k8s-manifests/defaults/main.yml
+++ b/roles/k8s-manifests/defaults/main.yml
@@ -1,3 +1,4 @@
 ---
 letsencrypt_email: letsencrypt.account@banditlair.com
-searx_issuer: "{{default_issuer}}"
+traefik_domain: "traefik.{{banditlair_domain}}"
+searx_domain: "searx.{{banditlair_domain}}"
\ No newline at end of file
diff --git a/roles/k8s-manifests/tasks/cert-manager.yml b/roles/k8s-manifests/tasks/cert-manager.yml
new file mode 100644
index 0000000..336ee82
--- /dev/null
+++ b/roles/k8s-manifests/tasks/cert-manager.yml
@@ -0,0 +1,27 @@
+- name: cert-manager issuers
+ k8s:
+ state: present
+ namespace: "{{item.1}}"
+ definition:
+ apiVersion: certmanager.k8s.io/v1alpha1
+ kind: Issuer
+ metadata:
+ name: "{{item.0.name}}"
+ spec:
+ acme:
+ # The ACME server URL
+ server: "{{item.0.server}}"
+ # Email address used for ACME registration
+ email: "{{letsencrypt_email}}"
+ # Name of a secret used to store the ACME account private key
+ privateKeySecretRef:
+ name: "{{item.0.name}}"
+ # Enable HTTP01 validations
+ http01: {}
+ with_nested:
+ - - name: letsencrypt-production
+ server: https://acme-v02.api.letsencrypt.org/directory
+ - name: letsencrypt-staging
+ server: https://acme-staging-v02.api.letsencrypt.org/directory
+ - - default
+ - kube-system
diff --git a/roles/k8s-manifests/tasks/main.yml b/roles/k8s-manifests/tasks/main.yml
index b291edb..ec7b459 100644
--- a/roles/k8s-manifests/tasks/main.yml
+++ b/roles/k8s-manifests/tasks/main.yml
@@ -1,9 +1,12 @@
 ---
-- include: prerequisites.yml
+- import_tasks: prerequisites.yml
 tags: prerequisites
-- include: traefik.yml
+- import_tasks: cert-manager.yml
+ tags: cert-manager
+
+- import_tasks: traefik.yml
 tags: traefik
-- include: searx.yml
+- import_tasks: searx.yml
 tags: searx
diff --git a/roles/k8s-manifests/tasks/searx.yml b/roles/k8s-manifests/tasks/searx.yml
index 094d60d..f500b05 100644
--- a/roles/k8s-manifests/tasks/searx.yml
+++ b/roles/k8s-manifests/tasks/searx.yml
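Review bot: After this hunk the role reads `cert_manager_issuer` and `banditlair_domain` (the latter through `traefik_domain` and `searx_domain`) but declares no default for either, so a host that is not in one of the two inventories fails at template time with an undefined-variable error rather than a clear message; the removed `searx_issuer: "{{default_issuer}}"` was the only place the defaults file named the issuer. A short comment documenting the contract would help, e.g. `# Required from inventory: cert_manager_issuer (letsencrypt-staging | letsencrypt-production)` and `# banditlair_domain: base DNS name; traefik_domain and searx_domain derive from it`. The file also loses its trailing newline in this change.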
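Review bot: Nothing in this task is conditioned on `cert_manager_enabled`, which the same commit adds to group_vars/k8s-cluster.yml; if that flag is what installs cert-manager and its CRDs, running the role with it off makes the `Issuer` create fail, so a guard such as `when: cert_manager_enabled | default(false)` would make the dependency explicit. Because `Issuer` is namespaced, the `with_nested` loop registers a separate ACME account, with an account private-key secret named after the issuer, in each of `default` and `kube-system`; that is workable but worth a comment, since the production issuer is also created on every cluster including the staging one and only `cert_manager_issuer` selects which is used. Quoting the two `server` URLs would also protect them from any future YAML reformatting, although as written they parse as plain strings.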
@@ -58,12 +58,40 @@
 kind: Ingress
 metadata:
 name: searx
+ annotation:
+ traefik.ingress.kubernetes.io/redirect-entry-point: https
+ traefik.ingress.kubernetes.io/redirect-permanent: "true"
+ ingress.kubernetes.io/ssl-redirect: "true"
+ ingress.kubernetes.io/ssl-temporary-redirect: "false"
 spec:
 rules:
- - host: searx.k8s.banditlair.com
+ - host: "{{searx_domain}}"
 http:
 paths:
 - path: /
 backend:
 serviceName: searx
 servicePort: 80
+ tls:
+ - secretName: searx-cert
+
+- name: Searx certificate
+ k8s:
+ namespace: default
+ state: present
+ definition:
+ apiVersion: certmanager.k8s.io/v1alpha1
+ kind: Certificate
+ metadata:
+ name: searx-cert
+ spec:
+ secretName: traefik-cert
+ issuerRef:
+ name: "{{cert_manager_issuer}}"
+ commonName: "{{searx_domain}}"
+ acme:
+ config:
+ - http01:
+ ingressClass: traefik
+ domains:
+ - "{{searx_domain}}"
\ No newline at end of file
diff --git a/roles/k8s-manifests/tasks/traefik.yml b/roles/k8s-manifests/tasks/traefik.yml
index 66898ce..fcb4dbc 100644
--- a/roles/k8s-manifests/tasks/traefik.yml
+++ b/roles/k8s-manifests/tasks/traefik.yml
@@ -53,6 +53,39 @@
 name: traefik-ingress-controller
 namespace: kube-system
+# - name: Traefik configuration
+# k8s:
+# state: present
+# definition:
+# apiVersion: v1
+# kind: ConfigMap
+# metadata:
+# name: traefik-conf
+# namespace: kube-system
+# data:
+# traefik.toml: |
+# defaultEntryPoints = ["http", "https"]
+
+# logLevel = "INFO"
+
+# [entryPoints]
+# [entryPoints.http]
+# address = ":80"
+# [entryPoints.http.redirect]
+# entryPoint = "https"
+# [entryPoints.https]
+# address = ":443"
+# [entryPoints.https.tls]
+# [entryPoints.api]
+# address = ":8080"
+
+# [api]
+# entryPoint = "api"
+# dashboard = true
+# debug = false
+
+# [kubernetes]
+
 - name: Traefik daemon set
 k8s:
 state: present
@@ -76,6 +109,9 @@
 containers:
 - image: traefik
 name: traefik-ingress-lb
+ # volumeMounts:
+ # - mountPath: /config
+ # name: traefik-config
 ports:
 - name: http
 containerPort: 80
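Review bot: The Ingress metadata key in this hunk is `annotation:` rather than `annotations:`, so the four redirect and ssl-redirect entries are not annotations at all and the API server will drop or reject the unknown field; plain-HTTP requests to searx would then not be redirected to HTTPS even though the commit intends them to be. The Searx Certificate added below it writes its key pair to `secretName: traefik-cert` while the Ingress `tls` entry references `searx-cert`, so that secret is never created in `default` and Traefik has to fall back to a default certificate for the host. Both are one-line fixes: `annotations:` and `secretName: searx-cert`. The Ingress task this hunk modifies starts before the hunk.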
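Review bot: The 33 lines added in this hunk are a commented-out ConfigMap with its TOML, and the `volumeMounts` stub in the `@@ -76,6 +109,9 @@` hunk and the `volumes` stub in the `@@ -92,6 +128,10 @@` hunk are commented out as well; checked-in dead configuration drifts from what actually runs, so either drop it or keep it behind a one-line comment such as `# Entry-point level HTTP->HTTPS redirect; not applied, per-Ingress annotations are used instead` that records why it stays. From a defender's view the difference matters: the commented `[entryPoints.http.redirect]` would have redirected every HTTP request at the entry point, whereas the per-Ingress annotations the commit uses cover only the two Ingresses that carry them, so any Ingress added later without those annotations is served over plain HTTP. The daemon-set task continues outside the hunk.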
@@ -92,6 +128,10 @@
 - --api
 - --kubernetes
 - --logLevel=INFO
+ # volumes:
+ # - name: traefik-config
+ # configMap:
+ # name: traefik-conf
 - name: Traefik service
 k8s:
@@ -154,12 +194,39 @@
 annotations:
 traefik.ingress.kubernetes.io/auth-type: "basic"
 traefik.ingress.kubernetes.io/auth-secret: "traefik-auth"
+ traefik.ingress.kubernetes.io/redirect-entry-point: https
+ traefik.ingress.kubernetes.io/redirect-permanent: "true"
+ ingress.kubernetes.io/ssl-redirect: "true"
+ ingress.kubernetes.io/ssl-temporary-redirect: "false"
 spec:
 rules:
- - host: traefik.k8s.banditlair.com
+ - host: "{{traefik_domain}}"
 http:
 paths:
 - path: /
 backend:
 serviceName: traefik-web-ui
 servicePort: web
+ tls:
+ - secretName: traefik-cert
+
+- name: Traefik UI certificate
+ k8s:
+ state: present
+ definition:
+ apiVersion: certmanager.k8s.io/v1alpha1
+ kind: Certificate
+ metadata:
+ name: traefik-cert
+ namespace: kube-system
+ spec:
+ secretName: traefik-cert
+ issuerRef:
+ name: "{{cert_manager_issuer}}"
+ commonName: "{{traefik_domain}}"
+ acme:
+ config:
+ - http01:
+ ingressClass: traefik
+ domains:
+ - "{{traefik_domain}}"
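Review bot: The `redirect-entry-point: https` annotation and the new `tls` block only take effect if the Traefik daemon set actually defines an `https` entry point on :443; the args visible in the `@@ -92,6 +128,10 @@` hunk (`--api`, `--kubernetes`, `--logLevel=INFO`) do not, and the rest of the args list and the container ports after `containerPort: 80` lie outside these hunks, so please confirm they include an https entry point with TLS enabled and a 443 container port. If they do not, the dashboard's basic-auth credentials keep travelling over plain HTTP despite the new Certificate, and a short comment on the Ingress naming that dependency (`# Requires the https entry point defined in the daemon set args`) would keep it from being lost. The Certificate itself is consistent: it lives in `kube-system`, where cert-manager.yml creates the issuer, and its `secretName: traefik-cert` matches the Ingress `tls` entry. The Ingress task starts before the hunk.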