From 667cd48c88423a9b0ac4dc9dce96bf85fabb88a4 Mon Sep 17 00:00:00 2001
From: Paul-Henri Froidmont
Date: Wed, 10 Apr 2019 02:18:00 +0200
Subject: [PATCH] Let's encrypt certificates issuer and searx
---
group_vars/k8s-cluster.yml | 1 +
inventories/prod/group_vars/k8s-cluster.yml | 1 +
inventories/test/group_vars/k8s-cluster.yml | 1 +
k8s.yml | 1 +
manifests.yml | 4 ++
roles/k8s-manifests/defaults/main.yml | 3 ++
roles/k8s-manifests/tasks/main.yml | 37 +++++++++++++++++++
.../letsencrypt-production-issuer.yml.j2 | 18 +++++++++
.../letsencrypt-staging-issuer.yml.j2 | 18 +++++++++
.../templates/searx-deployment.yml.j2 | 29 +++++++++++++++
.../templates/searx-ingress.yml.j2 | 21 +++++++++++
.../k8s-manifests/templates/searx-svc.yml.j2 | 12 ++++++
12 files changed, 146 insertions(+)
create mode 100644 manifests.yml
create mode 100644 roles/k8s-manifests/defaults/main.yml
create mode 100644 roles/k8s-manifests/tasks/main.yml
create mode 100644 roles/k8s-manifests/templates/letsencrypt-production-issuer.yml.j2
create mode 100644 roles/k8s-manifests/templates/letsencrypt-staging-issuer.yml.j2
create mode 100644 roles/k8s-manifests/templates/searx-deployment.yml.j2
create mode 100644 roles/k8s-manifests/templates/searx-ingress.yml.j2
create mode 100644 roles/k8s-manifests/templates/searx-svc.yml.j2
diff --git a/group_vars/k8s-cluster.yml b/group_vars/k8s-cluster.yml
index ba90f39..0f502eb 100644
--- a/group_vars/k8s-cluster.yml
+++ b/group_vars/k8s-cluster.yml
@@ -2,6 +2,7 @@
 ip: "{{vpn_ip}}"
 kube_network_plugin: flannel
 bin_dir: /usr/local/bin
+kube_config_dir: "/etc/kubernetes"
 kube_api_anonymous_auth: true
 ingress_nginx_enabled: true
diff --git a/inventories/prod/group_vars/k8s-cluster.yml b/inventories/prod/group_vars/k8s-cluster.yml
index e94579e..cc3970a 100644
--- a/inventories/prod/group_vars/k8s-cluster.yml
+++ b/inventories/prod/group_vars/k8s-cluster.yml
@@ -1,3 +1,4 @@
 ---
 cluster_name: banditlair
 dns_domain: banditlair.com
+default_issuer: letsencrypt-production
diff --git a/inventories/test/group_vars/k8s-cluster.yml b/inventories/test/group_vars/k8s-cluster.yml
index 51cd684..e534b04 100644
--- a/inventories/test/group_vars/k8s-cluster.yml
+++ b/inventories/test/group_vars/k8s-cluster.yml
@@ -1,3 +1,4 @@
 ---
 cluster_name: banditlair-test
 dns_domain: test.k8s.banditlair.com
+default_issuer: letsencrypt-staging
diff --git a/k8s.yml b/k8s.yml
index 29efcc9..b01ca11 100644
--- a/k8s.yml
+++ b/k8s.yml
@@ -7,6 +7,7 @@
 - name: Include kubespray tasks
 import_playbook: kubespray.yml
+
 # - hosts: k8s_proxy:k8s_masters:k8s_workers
 # roles:
 # - role: proxy
diff --git a/manifests.yml b/manifests.yml
new file mode 100644
index 0000000..8f2c3b9
--- /dev/null
+++ b/manifests.yml
@@ -0,0 +1,4 @@
+- hosts: k8s-cluster
+ roles:
+ - role: k8s-manifests
+
diff --git a/roles/k8s-manifests/defaults/main.yml b/roles/k8s-manifests/defaults/main.yml
new file mode 100644
index 0000000..08d0959
--- /dev/null
+++ b/roles/k8s-manifests/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+letsencrypt_email: letsencrypt.account@banditlair.com
+searx_issuer: "{{default_issuer}}"
diff --git a/roles/k8s-manifests/tasks/main.yml b/roles/k8s-manifests/tasks/main.yml
new file mode 100644
index 0000000..77ef477
--- /dev/null
+++ b/roles/k8s-manifests/tasks/main.yml
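Review bot: `searx_issuer: "{{default_issuer}}"` in the role defaults has no fallback, so an inventory that does not set `default_issuer` fails at template time with an undefined-variable error instead of falling back to a safe issuer. Consider `searx_issuer: "{{ default_issuer | default('letsencrypt-staging') }}"` so the implicit choice is the staging endpoint, which is not subject to the production account's rate limits. `letsencrypt_email` is hard-coded as a role default; it is overridable, but a short comment stating that inventories are expected to override it with their own contact address would make that expectation visible.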
@@ -0,0 +1,37 @@
+---
+- name: Kubernetes manifests | Lay down letsencrypt templates
+ template:
+ src: "{{ item }}.j2"
+ dest: "{{ kube_config_dir }}/{{ item }}"
+ loop:
+ - letsencrypt-production-issuer.yml
+ - letsencrypt-staging-issuer.yml
+ register: manifests
+ when: inventory_hostname == groups['kube-master'][0]
+
+- name: Kubernetes manifests | Start letsencrypt issuers
+ kube:
+ kubectl: "{{ bin_dir }}/kubectl"
+ filename: "{{ kube_config_dir }}/{{ item.item }}"
+ state: latest
+ loop: "{{ manifests.results }}"
+ when: inventory_hostname == groups['kube-master'][0]
+
+- name: Kubernetes manifests | Lay down searx templates
+ template:
+ src: "{{ item }}.j2"
+ dest: "{{ kube_config_dir }}/{{ item }}"
+ loop:
+ - searx-deployment.yml
+ - searx-svc.yml
+ - searx-ingress.yml
+ register: manifests
+ when: inventory_hostname == groups['kube-master'][0]
+
+- name: Kubernetes manifests | Start searx
+ kube:
+ kubectl: "{{ bin_dir }}/kubectl"
+ filename: "{{ kube_config_dir }}/{{ item.item }}"
+ state: latest
+ loop: "{{ manifests.results }}"
+ when: inventory_hostname == groups['kube-master'][0]
diff --git a/roles/k8s-manifests/templates/letsencrypt-production-issuer.yml.j2 b/roles/k8s-manifests/templates/letsencrypt-production-issuer.yml.j2
new file mode 100644
index 0000000..39343f1
--- /dev/null
+++ b/roles/k8s-manifests/templates/letsencrypt-production-issuer.yml.j2
@@ -0,0 +1,18 @@
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-production
+spec:
+ acme:
+ # The ACME production api URL
+ server: https://acme-v02.api.letsencrypt.org/directory
+
+ # Email address used for ACME registration
+ email: "{{letsencrypt_email}}"
+
+ # Name of a secret used to store the ACME account private key
+ privateKeySecretRef:
+ name: letsencrypt-production
+
+ # Enable the HTTP-01 challenge provider
+ http01: {}
\ No newline at end of file
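Review bot: The first-master gate `when: inventory_hostname == groups['kube-master'][0]` is repeated on all four tasks while the play targets `k8s-cluster`, so every other host evaluates and skips each task; `run_once: true` together with `delegate_to: "{{ groups['kube-master'][0] }}"` (or a play scoped to that host) would state the intent once. Both `template` tasks `register: manifests`, so the second result silently replaces the first; a distinct name such as `searx_manifests` keeps the two stages independent and easier to debug. The rendered manifests are written into `{{ kube_config_dir }}` (`/etc/kubernetes` per the group_vars change), next to the cluster's own configuration; a dedicated subdirectory would keep operator-managed manifests separate from files the cluster tooling owns. A header comment noting that `kube` appears to be the Kubespray-provided module and what `state: latest` does there would help readers unfamiliar with it.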
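Review bot: The production and staging issuer templates are identical apart from `name` and `server`, so a single `letsencrypt-issuer.yml.j2` looped over a list of `{name, server}` pairs would remove the duplication; the same applies to the staging hunk in the next file. Because `kind: ClusterIssuer` is cluster-scoped, any namespace in the cluster can reference `letsencrypt-production` and obtain certificates against the production ACME account, which is worth stating, e.g. `# ClusterIssuer is cluster-scoped: any namespace may reference it; use a namespaced Issuer to restrict that`. The production template also lacks a trailing newline (`\ No newline at end of file`) while the staging one has it.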
diff --git a/roles/k8s-manifests/templates/letsencrypt-staging-issuer.yml.j2 b/roles/k8s-manifests/templates/letsencrypt-staging-issuer.yml.j2
new file mode 100644
index 0000000..1d457fd
--- /dev/null
+++ b/roles/k8s-manifests/templates/letsencrypt-staging-issuer.yml.j2
@@ -0,0 +1,18 @@
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-staging
+spec:
+ acme:
+ # The ACME server URL
+ server: https://acme-staging-v02.api.letsencrypt.org/directory
+
+ # Email address used for ACME registration
+ email: "{{letsencrypt_email}}"
+
+ # Name of a secret used to store the ACME account private key
+ privateKeySecretRef:
+ name: letsencrypt-staging
+
+ # Enable the HTTP-01 challenge provider
+ http01: {}
diff --git a/roles/k8s-manifests/templates/searx-deployment.yml.j2 b/roles/k8s-manifests/templates/searx-deployment.yml.j2
new file mode 100644
index 0000000..8980ee2
--- /dev/null
+++ b/roles/k8s-manifests/templates/searx-deployment.yml.j2
@@ -0,0 +1,29 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: searx
+spec:
+ replicas: 2
+ selector:
+ matchLabels:
+ app: searx
+ template:
+ metadata:
+ labels:
+ app: searx
+ spec:
+ containers:
+ - name: searx
+ image: wonderfall/searx:latest
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 8888
+ livenessProbe:
+ httpGet:
+ path: /
+ port: 8888
+ readinessProbe:
+ httpGet:
+ path: /
+ port: 8888
diff --git a/roles/k8s-manifests/templates/searx-ingress.yml.j2 b/roles/k8s-manifests/templates/searx-ingress.yml.j2
new file mode 100644
index 0000000..d49c1df
--- /dev/null
+++ b/roles/k8s-manifests/templates/searx-ingress.yml.j2
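Review bot: `image: wonderfall/searx:latest` combined with `imagePullPolicy: IfNotPresent` is a floating tag from a third-party registry account that is never re-pulled once a node has it cached, so the two replicas can end up running different builds and any upstream change to the tag is adopted silently whenever a node next pulls. Pin the image to a version tag or, preferably, a digest, and add `resources` and a `securityContext` so the pod has a bounded footprint and cannot escalate privileges; whether `runAsNonRoot` holds depends on the image's default user and should be confirmed before enabling it. The manifest also sets no `namespace`, so the Deployment (and the Service and Ingress in the following hunks) lands in `default`; a dedicated namespace would scope the issuer secret and any future network policy.

```yaml
      containers:
        - name: searx
          # <PINNED_TAG> / <IMAGE_DIGEST> are placeholders: pin to a reviewed build
          image: wonderfall/searx:<PINNED_TAG>@sha256:<IMAGE_DIGEST>
          imagePullPolicy: IfNotPresent
          securityContext:
            runAsNonRoot: true  # confirm the image's default user first
            allowPrivilegeEscalation: false
          resources:  # sizing values are illustrative; tune to observed usage
            requests:
              cpu: 100m
              memory: 128Mi
            limits:
              memory: 512Mi
          # … unchanged: ports, livenessProbe, readinessProbe …
```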
@@ -0,0 +1,21 @@
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ name: searx-ingress
+ annotations:
+ ingress.kubernetes.io/ssl-redirect: "true"
+ certmanager.k8s.io/cluster-issuer: "{{searx_issuer}}"
+ kubernetes.io/ingress.class: "nginx"
+spec:
+ tls:
+ - hosts:
+ - searx.{{dns_domain}}
+ secretName: searx-{{searx_issuer}}
+ rules:
+ - host: searx.{{dns_domain}}
+ http:
+ paths:
+ - backend:
+ serviceName: searx
+ servicePort: 80
diff --git a/roles/k8s-manifests/templates/searx-svc.yml.j2 b/roles/k8s-manifests/templates/searx-svc.yml.j2
new file mode 100644
index 0000000..41ddbae
--- /dev/null
+++ b/roles/k8s-manifests/templates/searx-svc.yml.j2
@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: searx
+spec:
+ type: ClusterIP
+ ports:
+ - port: 80
+ targetPort: 8888
+ selector:
+ app: searx
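Review bot: `ingress.kubernetes.io/ssl-redirect: "true"` uses the old unprefixed annotation; the nginx ingress controller reads `nginx.ingress.kubernetes.io/ssl-redirect`, so this line is most likely ignored. It is latent only because nginx redirects to HTTPS by default for a host listed under `tls`, so switching to the prefixed form makes the redirect an explicit policy rather than an incidental default. Deriving `secretName: searx-{{searx_issuer}}` from the issuer is a sound choice since a staging certificate can never overwrite the production one; a one-line comment such as `# one TLS secret per issuer so staging and production certificates never collide` would record the reason.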