

cert-manager tidying
szinn committed Jun 1, 2024
1 parent c4adfe3 commit 57e3646
Showing 16 changed files with 159 additions and 105 deletions.
Expand Up @@ -17,7 +17,6 @@ spec:
interval: 15m
maxHistory: 3
install:
createNamespace: false
crds: CreateReplace
remediation:
retries: 3
4 changes: 2 additions & 2 deletions kubernetes/main/apps/cert-manager/cert-manager/install.yaml
Expand Up @@ -9,7 +9,7 @@ spec:
targetNamespace: cert-manager
commonMetadata:
labels:
app.kubernetes.io/name: &app cert-manager
app.kubernetes.io/name: cert-manager
path: ./kubernetes/main/apps/cert-manager/cert-manager/app
sourceRef:
kind: GitRepository
Expand All @@ -30,7 +30,7 @@ spec:
targetNamespace: cert-manager
commonMetadata:
labels:
app.kubernetes.io/name: &app cert-manager
app.kubernetes.io/name: cert-manager
path: ./kubernetes/main/apps/cert-manager/cert-manager/issuers
sourceRef:
kind: GitRepository
Expand Up @@ -17,7 +17,6 @@ spec:
interval: 15m
maxHistory: 3
install:
createNamespace: false
crds: CreateReplace
remediation:
retries: 3
Expand Up @@ -5,4 +5,3 @@ kind: Kustomization
namespace: cert-manager
resources:
- helm-release.yaml
- prometheus-rules.yaml

This file was deleted.

16 changes: 11 additions & 5 deletions kubernetes/staging/apps/cert-manager/cert-manager/install.yaml
@@ -1,12 +1,15 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.zinn.ca/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: cert-manager
namespace: flux-system
labels:
substitution.flux.home.arpa/enabled: "true"
spec:
targetNamespace: cert-manager
commonMetadata:
labels:
app.kubernetes.io/name: cert-manager
path: ./kubernetes/staging/apps/cert-manager/cert-manager/app
sourceRef:
kind: GitRepository
Expand All @@ -17,14 +20,17 @@ spec:
retryInterval: 2m
timeout: 1m
---
# yaml-language-server: $schema=https://kubernetes-schemas.zinn.ca/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: cert-manager-issuers
namespace: flux-system
labels:
substitution.flux.home.arpa/enabled: "true"
spec:
targetNamespace: cert-manager
commonMetadata:
labels:
app.kubernetes.io/name: cert-manager
path: ./kubernetes/staging/apps/cert-manager/cert-manager/issuers
sourceRef:
kind: GitRepository
Expand All @@ -33,7 +39,7 @@ spec:
- name: cert-manager
- name: security-external-secrets-stores
prune: true
wait: true
wait: false
interval: 30m
retryInterval: 2m
timeout: 1m
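Review bot: The `wait: true` → `wait: false` flip at the end of the `cert-manager-issuers` document carries no rationale, and it changes what dependents may assume: with `wait: false` Flux reports the Kustomization ready as soon as the manifests are applied, before the ClusterIssuers themselves report Ready. The same commit adds a Certificate whose `issuerRef` names `letsencrypt-prod`, which this Kustomization delivers, so a consumer can be reconciled against an issuer that is not yet ready; cert-manager's retries presumably recover from that, but the trade-off should be written down. Suggest a comment beside the field, assuming `false` is the new side: `wait: false  # deliberately not a readiness gate for ClusterIssuers; dependents tolerate an unready issuer`. The hunk shows only the tail of this document; its `dependsOn` list starts above it.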
Expand Up @@ -5,4 +5,3 @@ kind: Kustomization
resources:
- cloudflare-secrets.yaml
- letsencrypt-prod.yaml
- letsencrypt-staging.yaml

This file was deleted.

Expand Up @@ -3,15 +3,13 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: wildcard-certificate
namespace: networking
name: ${CERT_NAME}
spec:
secretName: wildcard-tls
secretName: ${CERT_NAME}-tls
issuerRef:
name: letsencrypt-prod
kind: ClusterIssuer
commonName: "${SECRET_MAIN_DOMAIN_NAME}"
commonName: "${CERT_DOMAIN_NAME}"
dnsNames:
- "${SECRET_MAIN_DOMAIN_NAME}"
- "*.${SECRET_MAIN_DOMAIN_NAME}"
- "*.${SECRET_DOMAIN_NAME}"
- "${CERT_DOMAIN_NAME}"
- "*.${CERT_DOMAIN_NAME}"
@@ -0,0 +1,7 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- certificate.yaml
- push-secret.yaml
@@ -0,0 +1,30 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/pushsecret_v1alpha1.json
apiVersion: external-secrets.io/v1alpha1
kind: PushSecret
metadata:
name: ${CERT_NAME}-tls
spec:
refreshInterval: 1h
secretStoreRefs:
- name: onepassword-connect
kind: ClusterSecretStore
selector:
secret:
name: ${CERT_NAME}-tls
template:
engineVersion: v2
data:
tls.crt: '{{ index . "tls.crt" | b64enc }}'
tls.key: '{{ index . "tls.key" | b64enc }}'
data:
- match:
secretKey: &key tls.crt
remoteRef:
remoteKey: ${CONFIG_CLUSTER_NAME}-${CERT_NAME}-tls
property: *key
- match:
secretKey: &key tls.key
remoteRef:
remoteKey: ${CONFIG_CLUSTER_NAME}-${CERT_NAME}-tls
property: *key
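Review bot: Both `data` entries define an anchor with the same name, `&key`, so each `property: *key` resolves to whichever definition was bound most recently; YAML permits re-binding, but a reader has to check which `&key` is in force, and linters that forbid duplicated anchors reject it. Each alias is used exactly once, so the anchors save nothing — writing `property: tls.crt` and `property: tls.key` out in full is clearer and removes the trap. This file is also coupled to the import side through the encoding: the template base64-encodes both values with `b64enc`, and the `ClusterExternalSecret` in certificates/import relies on `decodingStrategy: Auto` to undo that, while both use the remote key `${CONFIG_CLUSTER_NAME}-${CERT_NAME}-tls`. A header comment stating that contract would help, e.g. `# Pushes the cert-manager-issued TLS Secret to 1Password (values base64-encoded); restored by certificates/import via decodingStrategy: Auto`.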
@@ -0,0 +1,40 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/clusterexternalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ClusterExternalSecret
metadata:
name: ${CERT_NAME}-tls
spec:
externalSecretName: ${CONFIG_CLUSTER_NAME}-${CERT_NAME}-tls
namespaceSelector:
matchExpressions:
- key: kubernetes.io/metadata.name
operator: In
values: ${CERT_TARGET_NAMESPACES}
refreshTime: 1m
externalSecretSpec:
secretStoreRef:
kind: ClusterSecretStore
name: onepassword-connect
target:
name: ${CERT_NAME}-tls
creationPolicy: Orphan
template:
engineVersion: v2
type: kubernetes.io/tls
metadata:
annotations:
cert-manager.io/alt-names: "*.${CERT_DOMAIN_NAME},${CERT_DOMAIN_NAME}"
cert-manager.io/certificate-name: ${CERT_NAME}
cert-manager.io/common-name: ${CERT_DOMAIN_NAME}
cert-manager.io/ip-sans: ""
cert-manager.io/issuer-group: ""
cert-manager.io/issuer-kind: ClusterIssuer
cert-manager.io/issuer-name: letsencrypt-prod
cert-manager.io/uri-sans: ""
labels:
controller.cert-manager.io/fao: "true"
dataFrom:
- extract:
key: ${CONFIG_CLUSTER_NAME}-${CERT_NAME}-tls
decodingStrategy: Auto
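Review bot: The template's `cert-manager.io/*` annotations and the `controller.cert-manager.io/fao: "true"` label reproduce what cert-manager stamps on a Certificate's own Secret, and `cert-manager` is among the target namespaces (`CERT_TARGET_NAMESPACES` in certificates/install.yaml), so in that namespace the restored Secret and the exported Certificate's `secretName` are the same object, `wildcard-tls`. That reads as a deliberate restore-on-bootstrap path — let cert-manager adopt the stored certificate instead of requesting a fresh one — but nothing in the file says so, and presumably the annotation values (the empty `issuer-group`, `ip-sans` and `uri-sans`) have to match what cert-manager itself writes for the adoption to hold. Suggest a header comment stating that intent and that `cert-manager` in the target list is what makes adoption possible, and a note on the namespace line that the value is re-parsed after substitution, e.g. `values: ${CERT_TARGET_NAMESPACES}  # substituted as a JSON list, see certificates/install.yaml`.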
@@ -0,0 +1,6 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- cluster-external-secret.yaml
57 changes: 57 additions & 0 deletions kubernetes/staging/apps/cert-manager/certificates/install.yaml
@@ -0,0 +1,57 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.zinn.ca/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: cert-manager-import-wildcard
namespace: flux-system
spec:
targetNamespace: cert-manager
commonMetadata:
labels:
app.kubernetes.io/name: cert-manager
path: ./kubernetes/staging/apps/cert-manager/certificates/import
sourceRef:
kind: GitRepository
name: homelab-kubernetes
dependsOn:
- name: security-external-secrets-stores
prune: true
wait: true
interval: 30m
retryInterval: 1m
timeout: 5m
postBuild:
substitute:
CERT_NAME: wildcard
CERT_TARGET_NAMESPACES: '["cert-manager","networking"]'
CERT_DOMAIN_NAME: ${SECRET_DOMAIN_NAME}
---
# yaml-language-server: $schema=https://kubernetes-schemas.zinn.ca/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: cert-manager-export-wildcard
namespace: flux-system
spec:
targetNamespace: cert-manager
commonMetadata:
labels:
app.kubernetes.io/name: cert-manager
path: ./kubernetes/staging/apps/cert-manager/certificates/export
sourceRef:
kind: GitRepository
name: homelab-kubernetes
dependsOn:
- name: cert-manager
- name: cert-manager-import-wildcard
- name: security-external-secrets-stores
prune: true
wait: true
interval: 30m
retryInterval: 1m
timeout: 5m
postBuild:
substitute:
CERT_NAME: wildcard
CERT_DOMAIN_NAME: ${SECRET_DOMAIN_NAME}
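Review bot: `cert-manager-export-wildcard` depends on `cert-manager` and `cert-manager-import-wildcard` but not on `cert-manager-issuers`, although its Certificate's `issuerRef` is the ClusterIssuer `letsencrypt-prod`, which the issuers Kustomization delivers. With `wait: true` and `timeout: 5m` the export Kustomization can time out on a fresh cluster while the Certificate waits for an issuer that has not been applied yet; adding `- name: cert-manager-issuers` to its `dependsOn` closes that gap (the issuers Kustomization now has `wait: false`, so the dependency orders the apply rather than guaranteeing issuer readiness). The two documents are also coupled through the 1Password item `${CONFIG_CLUSTER_NAME}-wildcard-tls`: import reads it and export writes it, yet export depends on import, so on a cluster where the item does not exist yet the import side has nothing to pull until export has run — presumably ESO keeps retrying until the push lands, but that ordering deserves a comment on the first document, e.g. `# import: restores a previously exported wildcard cert from 1Password; export: issues it and pushes it back`.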
1 change: 1 addition & 0 deletions kubernetes/staging/apps/cert-manager/kustomization.yaml
Expand Up @@ -5,3 +5,4 @@ kind: Kustomization
resources:
- namespace.yaml
- cert-manager/install.yaml
- certificates/install.yaml
Expand Up @@ -5,4 +5,3 @@ kind: Kustomization
namespace: networking
resources:
- helm-release.yaml
- wildcard-certificate.yaml

