feat(infra): implement TLS

.github/workflows/deploy.yml

@@ -20,6 +20,11 @@ jobs:
     steps:
       - name: Deploy
         uses: appleboy/[email protected]
+        env:
+          secrets: '{
+              "s3SecretKey": "${{ secrets.S3_SECRET_KEY }}",
+              "resendKey": "${{ secrets.RESEND_KEY }}"
+            }'
         with:
           host: ${{ secrets.HOST }}
           username: ${{ secrets.USER }}
@@ -30,7 +35,8 @@ jobs:
               --untar \
               --destination /tmp
             helm upgrade --install capydemia \
-              /tmp/capydemia/capydemia-helm/ \
+              /tmp/capydemia-helm/ \
               --values /tmp/capydemia-helm/${{ vars.VALUES_FILE }} \
               --namespace ${{ vars.NAMESPACE }} \
-              --create-namespace
+              --create-namespace \
+              --set-json 'secrets=${{ env.secrets }}'

helm/templates/cert-manager.yaml

@@ -0,0 +1,26 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: acme
+spec:
+  acme:
+    email: [email protected]
+    server: https://acme-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      name: acme
+    solvers:
+    - http01:
+        ingress:
+          class: traefik
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: capydemia-cert
+spec:
+  secretName: capydemia-cert
+  dnsNames:
+    - "{{ .Values.domain }}"
+  issuerRef:
+    name: acme
+    kind: Issuer

helm/templates/config-map.yaml

@@ -5,10 +5,10 @@ metadata:
 data:
   NODE_ENV: {{ .Values.nodeEnv }}
   DOMAIN: {{ .Values.domain }}
-  EMAIL_SENDER: {{ .Values.email.sender }}
-  RESEND_KEY: {{ .Values.email.resendKey }}
+  EMAIL_SENDER: {{ .Values.emailSender }}
+  RESEND_KEY: {{ .Values.secrets.resendKey }}
   POSTGRES_HOST: capydemia-postgres-rw
-  S3_ENDPOINT: {{ .Values.s3.endpoint }}
-  S3_ACCESS_KEY: {{ .Values.s3.accessKey }}
-  S3_SECRET_KEY: {{ .Values.s3.secretKey }}
-  S3_BUCKET: {{ .Values.s3.bucket }}
+  S3_ENDPOINT: {{ .Values.s3Endpoint }}
+  S3_BUCKET: {{ .Values.s3Bucket }}
+  S3_ACCESS_KEY: {{ .Values.s3AccessKey }}
+  S3_SECRET_KEY: {{ .Values.secrets.s3SecretKey }}

helm/templates/ingress.yaml

@@ -1,18 +1,37 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
 metadata:
   name: capydemia-ingress
-  labels:
-    app.kubernetes.io/part-of: capydemia
 spec:
-  rules:
-  - host: {{ .Values.domain }}
-    http:
-      paths:
-      - path: /
-        pathType: Prefix
-        backend:
-          service:
-            name: capydemia-web
-            port:
-              number: 3000
+  routes:
+    - kind: Rule
+      match: Host(`{{ .Values.domain }}`)
+      services:
+      - name: capydemia-web
+        port: 3000
+  tls:
+    secretName: capydemia-cert
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: capydemia-ingress-http
+spec:
+  entryPoints: [web]
+  routes:
+    - kind: Rule
+      match: Host(`{{ .Values.domain }}`)
+      middlewares:
+        - name: redirect-https
+      services:
+        - name: capydemia-web
+          port: 3000
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: redirect-https
+spec:
+  redirectScheme:
+    scheme: https
+    permanent: true

helm/values.yaml

@@ -3,12 +3,14 @@ domain: capydemia.clayenkitten.dev
 nodeEnv: production
 dockerTag: main
 
-email:
-  sender: "Capydemia <[email protected]>"
-  resendKey: example
-
-s3:
-  endpoint: s3.timeweb.cloud
-  bucket: 4f267831-capydemia
-  accessKey: EURCS9IDGC9WM9V1TPMH
-  secretKey: example
+emailSender: "Capydemia <[email protected]>"
+
+s3Endpoint: s3.timeweb.cloud
+s3Bucket: 4f267831-capydemia
+s3AccessKey: EURCS9IDGC9WM9V1TPMH
+
+# Secrets are set from deploy.yaml action and should never have non-example value there.
+# When new secret is created, update deploy.yaml file.
+secrets:
+  s3SecretKey: abcdefgh
+  resendKey: re_abcdefgh