Let's encrypt certificates issuer and searx
This commit is contained in:
parent
f34742ddea
commit
667cd48c88
12 changed files with 146 additions and 0 deletions
|
|
@ -2,6 +2,7 @@
|
|||
ip: "{{vpn_ip}}"
|
||||
kube_network_plugin: flannel
|
||||
bin_dir: /usr/local/bin
|
||||
kube_config_dir: "/etc/kubernetes"
|
||||
|
||||
kube_api_anonymous_auth: true
|
||||
ingress_nginx_enabled: true
|
||||
|
|
|
|||
|
|
@ -1,3 +1,4 @@
|
|||
---
|
||||
cluster_name: banditlair
|
||||
dns_domain: banditlair.com
|
||||
default_issuer: letsencrypt-production
|
||||
|
|
|
|||
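Review bot: `default_issuer: letsencrypt-production` (presumably the line added in this hunk, with `letsencrypt-staging` in the matching test hunk that follows) is a free-form string that has to equal the `metadata.name` of one of the ClusterIssuers the `k8s-manifests` role lays down, and a typo here surfaces only as a certificate that never issues. A comment above the key would make the coupling visible, e.g. `# Name of the ClusterIssuer searx's Ingress requests certificates from; must match a letsencrypt-*-issuer template`. The file these lines belong to is not named in this rendering.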
|
|
@ -1,3 +1,4 @@
|
|||
---
|
||||
cluster_name: banditlair-test
|
||||
dns_domain: test.k8s.banditlair.com
|
||||
default_issuer: letsencrypt-staging
|
||||
|
|
|
|||
1
k8s.yml
1
k8s.yml
|
|
@ -7,6 +7,7 @@
|
|||
- name: Include kubespray tasks
|
||||
import_playbook: kubespray.yml
|
||||
|
||||
|
||||
# - hosts: k8s_proxy:k8s_masters:k8s_workers
|
||||
# roles:
|
||||
# - role: proxy
|
||||
|
|
|
|||
4
manifests.yml
Normal file
4
manifests.yml
Normal file
|
|
@ -0,0 +1,4 @@
|
|||
- hosts: k8s-cluster
|
||||
roles:
|
||||
- role: k8s-manifests
|
||||
|
||||
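Review bot: `- hosts: k8s-cluster` schedules the play on every cluster node, yet every task in the `k8s-manifests` role (roles/k8s-manifests/tasks/main.yml in this commit) skips unless `inventory_hostname == groups['kube-master'][0]`, so the templating and kubectl work only ever runs on one host while the rest are connected to and skipped. Narrowing the play to that host, `- hosts: kube-master[0]`, states the intent once and would let the per-task guards go. The file also omits the `---` document start that the other new YAML files in this commit carry.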
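--- a/roles/k8s-manifests/defaults/main.yml
+++ b/roles/k8s-manifests/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+letsencrypt_email: letsencrypt.account@banditlair.com
+searx_issuer: "{{default_issuer}}"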
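Review bot: `letsencrypt_email: letsencrypt.account@banditlair.com` puts a site-specific address into role defaults, which is the value every future consumer of the role inherits silently; the real address belongs in group_vars next to `default_issuer`, with the default here reduced to a documented placeholder that the play fails on when unset. The ACME account address is where Let's Encrypt sends expiry and account notices, so it should be deliberately chosen per environment rather than inherited. `searx_issuer: "{{default_issuer}}"` also uses the spaceless Jinja form while tasks/main.yml in this commit writes `"{{ item }}"`; `searx_issuer: "{{ default_issuer }}"` keeps the role consistent.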
37
roles/k8s-manifests/tasks/main.yml
Normal file
37
roles/k8s-manifests/tasks/main.yml
Normal file
|
|
@ -0,0 +1,37 @@
|
|||
---
|
||||
- name: Kubernetes manifests | Lay down letsencrypt templates
|
||||
template:
|
||||
src: "{{ item }}.j2"
|
||||
dest: "{{ kube_config_dir }}/{{ item }}"
|
||||
loop:
|
||||
- letsencrypt-production-issuer.yml
|
||||
- letsencrypt-staging-issuer.yml
|
||||
register: manifests
|
||||
when: inventory_hostname == groups['kube-master'][0]
|
||||
|
||||
- name: Kubernetes manifests | Start letsencrypt issuers
|
||||
kube:
|
||||
kubectl: "{{ bin_dir }}/kubectl"
|
||||
filename: "{{ kube_config_dir }}/{{ item.item }}"
|
||||
state: latest
|
||||
loop: "{{ manifests.results }}"
|
||||
when: inventory_hostname == groups['kube-master'][0]
|
||||
|
||||
- name: Kubernetes manifests | Lay down searx templates
|
||||
template:
|
||||
src: "{{ item }}.j2"
|
||||
dest: "{{ kube_config_dir }}/{{ item }}"
|
||||
loop:
|
||||
- searx-deployment.yml
|
||||
- searx-svc.yml
|
||||
- searx-ingress.yml
|
||||
register: manifests
|
||||
when: inventory_hostname == groups['kube-master'][0]
|
||||
|
||||
- name: Kubernetes manifests | Start searx
|
||||
kube:
|
||||
kubectl: "{{ bin_dir }}/kubectl"
|
||||
filename: "{{ kube_config_dir }}/{{ item.item }}"
|
||||
state: latest
|
||||
loop: "{{ manifests.results }}"
|
||||
when: inventory_hostname == groups['kube-master'][0]
|
||||
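Review bot: Both template tasks write `register: manifests`, so the searx task silently overwrites the letsencrypt results; it works only because each `kube` task runs immediately after its own template task, and reordering or inserting a task between them would apply the wrong files. Distinct names make the dependency explicit: `register: letsencrypt_manifests` with `loop: "{{ letsencrypt_manifests.results }}"` for the issuer pair, and `searx_manifests` for the searx pair. The guard `when: inventory_hostname == groups['kube-master'][0]` is repeated on all four tasks; a single `block:` carrying that one `when:` (or narrowing the play's `hosts:` in manifests.yml) removes the repetition and the risk of a future task forgetting it.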
|
|
@ -0,0 +1,18 @@
|
|||
apiVersion: certmanager.k8s.io/v1alpha1
|
||||
kind: ClusterIssuer
|
||||
metadata:
|
||||
name: letsencrypt-production
|
||||
spec:
|
||||
acme:
|
||||
# The ACME production api URL
|
||||
server: https://acme-v02.api.letsencrypt.org/directory
|
||||
|
||||
# Email address used for ACME registration
|
||||
email: "{{letsencrypt_email}}"
|
||||
|
||||
# Name of a secret used to store the ACME account private key
|
||||
privateKeySecretRef:
|
||||
name: letsencrypt-production
|
||||
|
||||
# Enable the HTTP-01 challenge provider
|
||||
http01: {}
|
||||
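Review bot: `apiVersion: certmanager.k8s.io/v1alpha1` is the legacy cert-manager API group; depending on the cert-manager release deployed in this cluster (not visible in the commit) it is deprecated or no longer served, so the installed version should be confirmed before the role is relied on. This template and the staging one in the next hunk differ only in `metadata.name` and `server:`; one `letsencrypt-issuer.yml.j2` rendered twice with those two values as loop variables would remove the duplicated body. The comment `# The ACME production api URL` could also say why two issuers exist, e.g. `# Production endpoint: real certificates, strict rate limits — use the staging issuer for testing`. Neither issuer file starts with `---` while the searx templates do.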
|
|
@ -0,0 +1,18 @@
|
|||
apiVersion: certmanager.k8s.io/v1alpha1
|
||||
kind: ClusterIssuer
|
||||
metadata:
|
||||
name: letsencrypt-staging
|
||||
spec:
|
||||
acme:
|
||||
# The ACME server URL
|
||||
server: https://acme-staging-v02.api.letsencrypt.org/directory
|
||||
|
||||
# Email address used for ACME registration
|
||||
email: "{{letsencrypt_email}}"
|
||||
|
||||
# Name of a secret used to store the ACME account private key
|
||||
privateKeySecretRef:
|
||||
name: letsencrypt-staging
|
||||
|
||||
# Enable the HTTP-01 challenge provider
|
||||
http01: {}
|
||||
29
roles/k8s-manifests/templates/searx-deployment.yml.j2
Normal file
29
roles/k8s-manifests/templates/searx-deployment.yml.j2
Normal file
|
|
@ -0,0 +1,29 @@
|
|||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: searx
|
||||
spec:
|
||||
replicas: 2
|
||||
selector:
|
||||
matchLabels:
|
||||
app: searx
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: searx
|
||||
spec:
|
||||
containers:
|
||||
- name: searx
|
||||
image: wonderfall/searx:latest
|
||||
imagePullPolicy: IfNotPresent
|
||||
ports:
|
||||
- containerPort: 8888
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
path: /
|
||||
port: 8888
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
path: /
|
||||
port: 8888
|
||||
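Review bot: `image: wonderfall/searx:latest` together with `imagePullPolicy: IfNotPresent` means each node keeps whichever build it first pulled under that tag, so the two replicas can run different images and an upstream fix is never picked up, while `:latest` itself is a mutable third-party tag with no integrity pin. Pin the image to a version tag and digest, and add a container `securityContext` and `resources`: as written the container runs as whatever user the image sets (not visible here), with privilege escalation permitted and no CPU or memory bound, so a misbehaving searx pod can starve the node. Keep `readOnlyRootFilesystem` out until it is confirmed the image does not write to its root filesystem.
```yaml
      containers:
        - name: searx
          image: wonderfall/searx:<PINNED_TAG>@sha256:<DIGEST>   # placeholder: replace :latest with an immutable reference
          imagePullPolicy: IfNotPresent
          securityContext:
            allowPrivilegeEscalation: false
            runAsNonRoot: true   # assumes the image runs as a non-root user — confirm before enabling
          resources:
            requests:
              cpu: "<CPU_REQUEST>"      # placeholder values, size from observed usage
              memory: "<MEM_REQUEST>"
            limits:
              memory: "<MEM_LIMIT>"
          # … unchanged: ports, livenessProbe, readinessProbe …
```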
21
roles/k8s-manifests/templates/searx-ingress.yml.j2
Normal file
21
roles/k8s-manifests/templates/searx-ingress.yml.j2
Normal file
|
|
@ -0,0 +1,21 @@
|
|||
---
|
||||
apiVersion: extensions/v1beta1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: searx-ingress
|
||||
annotations:
|
||||
ingress.kubernetes.io/ssl-redirect: "true"
|
||||
certmanager.k8s.io/cluster-issuer: "{{searx_issuer}}"
|
||||
kubernetes.io/ingress.class: "nginx"
|
||||
spec:
|
||||
tls:
|
||||
- hosts:
|
||||
- searx.{{dns_domain}}
|
||||
secretName: searx-{{searx_issuer}}
|
||||
rules:
|
||||
- host: searx.{{dns_domain}}
|
||||
http:
|
||||
paths:
|
||||
- backend:
|
||||
serviceName: searx
|
||||
servicePort: 80
|
||||
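Review bot: `ingress.kubernetes.io/ssl-redirect: "true"` uses the unprefixed annotation, whereas the ingress-nginx controller this commit turns on via `ingress_nginx_enabled: true` reads `nginx.ingress.kubernetes.io/ssl-redirect`; because a `tls:` section is present the controller redirects to HTTPS by default anyway, so the misnamed annotation is currently harmless but misleading — rename it or drop it. `apiVersion: extensions/v1beta1` is the legacy Ingress group, removed in Kubernetes 1.22; the cluster version is not visible here, so confirm it is still served. The plain scalars `- searx.{{dns_domain}}` and `secretName: searx-{{searx_issuer}}` are safer quoted, `- "searx.{{ dns_domain }}"` and `secretName: "searx-{{ searx_issuer }}"`, so an unexpected expansion cannot alter the YAML structure after rendering.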
12
roles/k8s-manifests/templates/searx-svc.yml.j2
Normal file
12
roles/k8s-manifests/templates/searx-svc.yml.j2
Normal file
|
|
@ -0,0 +1,12 @@
|
|||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: searx
|
||||
spec:
|
||||
type: ClusterIP
|
||||
ports:
|
||||
- port: 80
|
||||
targetPort: 8888
|
||||
selector:
|
||||
app: searx
|
||||