Manage letsencrypt certificates with cert-manager

Paul-Henri Froidmont 2019-08-17 18:44:58 +02:00
parent c6f69f614c
commit 01b7e79e55
8 changed files with 137 additions and 8 deletions


@ -9,4 +9,5 @@ upstream_dns_servers:
#Addons #Addons
kube_api_anonymous_auth: true kube_api_anonymous_auth: true
cert_manager_enabled: true
metrics_server_enabled: true metrics_server_enabled: true


@ -1,2 +1,3 @@
--- ---
default_issuer: letsencrypt-production cert_manager_issuer: letsencrypt-production
banditlair_domain: banditlair.com


@ -1,2 +1,3 @@
--- ---
default_issuer: letsencrypt-staging cert_manager_issuer: letsencrypt-staging
banditlair_domain: k8s.banditlair.com


@ -1,3 +1,4 @@
--- ---
letsencrypt_email: letsencrypt.account@banditlair.com letsencrypt_email: letsencrypt.account@banditlair.com
searx_issuer: "{{default_issuer}}" traefik_domain: "traefik.{{banditlair_domain}}"
searx_domain: "searx.{{banditlair_domain}}"


@ -0,0 +1,27 @@
- name: cert-manager issuers
k8s:
state: present
namespace: "{{item.1}}"
definition:
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
name: "{{item.0.name}}"
spec:
acme:
# The ACME server URL
server: "{{item.0.server}}"
# Email address used for ACME registration
email: "{{letsencrypt_email}}"
# Name of a secret used to store the ACME account private key
privateKeySecretRef:
name: "{{item.0.name}}"
# Enable HTTP01 validations
http01: {}
with_nested:
- - name: letsencrypt-production
server: https://acme-v02.api.letsencrypt.org/directory
- name: letsencrypt-staging
server: https://acme-staging-v02.api.letsencrypt.org/directory
- - default
- kube-system
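Review bot: `kind: Issuer` is namespaced, so the `with_nested` loop registers a separate ACME account — a distinct private key stored under `privateKeySecretRef` — in both `default` and `kube-system`, even though both use the same `letsencrypt_email` and the same secret name; a single `ClusterIssuer` (which takes no `namespace`) would avoid the duplicate registrations and the second copy of the account key. If one Issuer per namespace is intentional, say so above the loop, e.g. `# One Issuer per namespace: each namespace gets its own ACME account key secret`. The new file also lacks the `---` document start that the other task files in this commit use.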


@ -1,9 +1,12 @@
--- ---
- include: prerequisites.yml - import_tasks: prerequisites.yml
tags: prerequisites tags: prerequisites
- include: traefik.yml - import_tasks: cert-manager.yml
tags: cert-manager
- import_tasks: traefik.yml
tags: traefik tags: traefik
- include: searx.yml - import_tasks: searx.yml
tags: searx tags: searx


@ -58,12 +58,40 @@
kind: Ingress kind: Ingress
metadata: metadata:
name: searx name: searx
annotation:
traefik.ingress.kubernetes.io/redirect-entry-point: https
traefik.ingress.kubernetes.io/redirect-permanent: "true"
ingress.kubernetes.io/ssl-redirect: "true"
ingress.kubernetes.io/ssl-temporary-redirect: "false"
spec: spec:
rules: rules:
- host: searx.k8s.banditlair.com - host: "{{searx_domain}}"
http: http:
paths: paths:
- path: / - path: /
backend: backend:
serviceName: searx serviceName: searx
servicePort: 80 servicePort: 80
tls:
- secretName: searx-cert
- name: Searx certificate
k8s:
namespace: default
state: present
definition:
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
name: searx-cert
spec:
secretName: traefik-cert
issuerRef:
name: "{{cert_manager_issuer}}"
commonName: "{{searx_domain}}"
acme:
config:
- http01:
ingressClass: traefik
domains:
- "{{searx_domain}}"
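Review bot: The new `Searx certificate` task stores the issued key pair under `secretName: traefik-cert`, but the Ingress `tls` entry added just above references `secretName: searx-cert` (and the Certificate itself is named `searx-cert`), so the searx Ingress never picks up the certificate it is supposed to serve; the line should read `secretName: searx-cert`. The Ingress metadata also uses `annotation:` where Kubernetes expects `annotations:`, so the four redirect/ssl-redirect annotations are most likely ignored by the API server rather than applied — the traefik.yml hunk in this same commit spells it `annotations:`. The Ingress task starts before this hunk.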


@ -53,6 +53,39 @@
name: traefik-ingress-controller name: traefik-ingress-controller
namespace: kube-system namespace: kube-system
# - name: Traefik configuration
# k8s:
# state: present
# definition:
# apiVersion: v1
# kind: ConfigMap
# metadata:
# name: traefik-conf
# namespace: kube-system
# data:
# traefik.toml: |
# defaultEntryPoints = ["http", "https"]
# logLevel = "INFO"
# [entryPoints]
# [entryPoints.http]
# address = ":80"
# [entryPoints.http.redirect]
# entryPoint = "https"
# [entryPoints.https]
# address = ":443"
# [entryPoints.https.tls]
# [entryPoints.api]
# address = ":8080"
# [api]
# entryPoint = "api"
# dashboard = true
# debug = false
# [kubernetes]
- name: Traefik daemon set - name: Traefik daemon set
k8s: k8s:
state: present state: present
@ -76,6 +109,9 @@
containers: containers:
- image: traefik - image: traefik
name: traefik-ingress-lb name: traefik-ingress-lb
# volumeMounts:
# - mountPath: /config
# name: traefik-config
ports: ports:
- name: http - name: http
containerPort: 80 containerPort: 80
@ -92,6 +128,10 @@
- --api - --api
- --kubernetes - --kubernetes
- --logLevel=INFO - --logLevel=INFO
# volumes:
# - name: traefik-config
# configMap:
# name: traefik-conf
- name: Traefik service - name: Traefik service
k8s: k8s:
@ -154,12 +194,39 @@
annotations: annotations:
traefik.ingress.kubernetes.io/auth-type: "basic" traefik.ingress.kubernetes.io/auth-type: "basic"
traefik.ingress.kubernetes.io/auth-secret: "traefik-auth" traefik.ingress.kubernetes.io/auth-secret: "traefik-auth"
traefik.ingress.kubernetes.io/redirect-entry-point: https
traefik.ingress.kubernetes.io/redirect-permanent: "true"
ingress.kubernetes.io/ssl-redirect: "true"
ingress.kubernetes.io/ssl-temporary-redirect: "false"
spec: spec:
rules: rules:
- host: traefik.k8s.banditlair.com - host: "{{traefik_domain}}"
http: http:
paths: paths:
- path: / - path: /
backend: backend:
serviceName: traefik-web-ui serviceName: traefik-web-ui
servicePort: web servicePort: web
tls:
- secretName: traefik-cert
- name: Traefik UI certificate
k8s:
state: present
definition:
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
name: traefik-cert
namespace: kube-system
spec:
secretName: traefik-cert
issuerRef:
name: "{{cert_manager_issuer}}"
commonName: "{{traefik_domain}}"
acme:
config:
- http01:
ingressClass: traefik
domains:
- "{{traefik_domain}}"
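Review bot: The first hunk leaves a 28-line commented-out `Traefik configuration` ConfigMap in place, with matching commented-out `volumeMounts` and `volumes` blocks in the next two hunks, instead of deleting the dead config. Its `[entryPoints.http.redirect]` stanza would redirect every plain-HTTP request to HTTPS, which appears incompatible with the HTTP-01 solver the last hunk's Certificate relies on — presumably why it was disabled — so the three blocks should be removed and the reason recorded once, e.g. `# HTTPS redirect is set per-Ingress via annotations, not globally, so ACME HTTP-01 challenges stay reachable on port 80`. The `Traefik daemon set` and `Traefik service` tasks continue outside their hunks.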