From d180b8998d153af4782d1f0e4151ae22a9521b8c Mon Sep 17 00:00:00 2001
From: SphericalKat
Date: Tue, 29 Jun 2021 19:16:16 -0700
Subject: [PATCH] chore(deployment): create issuers and use them to provision TLS certs for katbin service
Signed-off-by: SphericalKat
---
 deployment/ingress.yml | 7 +++++++
 deployment/ingress_nginx_svc.yml | 31 +++++++++++++++++++++++++++++++
 deployment/prod_issuer.yml | 19 +++++++++++++++++++
 deployment/staging_issuer.yml | 19 +++++++++++++++++++
 4 files changed, 76 insertions(+)
 create mode 100644 deployment/ingress_nginx_svc.yml
 create mode 100644 deployment/prod_issuer.yml
 create mode 100644 deployment/staging_issuer.yml
diff --git a/deployment/ingress.yml b/deployment/ingress.yml
index 6f874f1..766c41f 100644
--- a/deployment/ingress.yml
+++ b/deployment/ingress.yml
@@ -2,7 +2,14 @@ apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
 name: katbin-ingress
+ annotations:
+ cert-manager.io/cluster-issuer: "letsencrypt-prod"
+
 spec:
+ tls:
+ - hosts:
+ - testapi.katb.in
+ secretName: katbin-tls
 rules:
 - host: testapi.katb.in
 http:
diff --git a/deployment/ingress_nginx_svc.yml b/deployment/ingress_nginx_svc.yml
new file mode 100644
index 0000000..c541408
--- /dev/null
+++ b/deployment/ingress_nginx_svc.yml
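Review bot: In deployment/ingress.yml the annotation `cert-manager.io/cluster-issuer: "letsencrypt-prod"` sends the first issuance for `testapi.katb.in` straight to the Let's Encrypt production endpoint, while the `letsencrypt-staging` issuer added in the same commit is referenced nowhere. Production ACME is rate-limited, so a failing HTTP-01 challenge can block issuance for the host for a while; validating once with `cert-manager.io/cluster-issuer: "letsencrypt-staging"` and then switching avoids that. The visible `metadata` also carries no `namespace:`, so the `katbin-tls` secret holding the private key is created in whatever namespace the manifest happens to be applied to; pinning it is worth one line. The remainder of `spec.rules` lies outside the hunk.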
@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: Service
+metadata:
+ annotations:
+ service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: 'true'
+ service.beta.kubernetes.io/do-loadbalancer-hostname: "workaround.katb.in"
+ labels:
+ helm.sh/chart: ingress-nginx-3.23.0
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: ingress-nginx
+ app.kubernetes.io/version: 0.44.0
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: controller
+ name: ingress-nginx-controller
+ namespace: ingress-nginx
+spec:
+ type: LoadBalancer
+ externalTrafficPolicy: Local
+ ports:
+ - name: http
+ port: 80
+ protocol: TCP
+ targetPort: http
+ - name: https
+ port: 443
+ protocol: TCP
+ targetPort: https
+ selector:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: ingress-nginx
+ app.kubernetes.io/component: controller
\ No newline at end of file
diff --git a/deployment/prod_issuer.yml b/deployment/prod_issuer.yml
new file mode 100644
index 0000000..3ac4a28
--- /dev/null
+++ b/deployment/prod_issuer.yml
@@ -0,0 +1,19 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-prod
+spec:
+ acme:
+ # You must replace this email address with your own.
+ # Let's Encrypt will use this to contact you about expiring
+ # certificates, and issues related to your account.
+ email: amolele@gmail.com
+ server: https://acme-v02.api.letsencrypt.org/directory
+ privateKeySecretRef:
+ # Secret resource that will be used to store the account's private key.
+ name: letsencrypt-prod
+ # Add a single challenge solver, HTTP01 using nginx
+ solvers:
+ - http01:
+ ingress:
+ class: nginx
\ No newline at end of file
diff --git a/deployment/staging_issuer.yml b/deployment/staging_issuer.yml
new file mode 100644
index 0000000..e8e1f40
--- /dev/null
+++ b/deployment/staging_issuer.yml
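Review bot: In deployment/ingress_nginx_svc.yml, `service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: 'true'` only switches on the load-balancer side; nothing in this commit sets the matching `use-proxy-protocol: "true"` key in the ingress-nginx controller ConfigMap, and without it requests arriving with a PROXY header are not parsed correctly (it may be configured elsewhere, which this patch does not show). Once the controller does accept PROXY protocol it trusts the client address carried in that header, so the node ports this `type: LoadBalancer` service opens should be reachable only from the load balancer, for example through a firewall rule. The manifest also copies Helm-owned labels (`app.kubernetes.io/managed-by: Helm`, `helm.sh/chart: ingress-nginx-3.23.0`), so a hand-applied copy will drift from or be overwritten by the next Helm upgrade; setting the two annotations through the chart's `controller.service.annotations` values keeps a single source of truth.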
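Review bot: In deployment/prod_issuer.yml, `kind: ClusterIssuer` makes this ACME account usable from every namespace, so any Ingress in the cluster that carries the `cert-manager.io/cluster-issuer` annotation can obtain production certificates through it; if only the katbin Ingress needs certificates, a namespaced `kind: Issuer` referenced with `cert-manager.io/issuer` is the narrower grant. The comment `# You must replace this email address with your own.` is template text left over from the cert-manager example and now sits above a personal address committed to the repository; either drop it or replace it with a comment naming who owns the ACME account. Both points apply equally to the `letsencrypt-staging` hunk in deployment/staging_issuer.yml, and both files end without a trailing newline.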
@@ -0,0 +1,19 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-staging
+spec:
+ acme:
+ # You must replace this email address with your own.
+ # Let's Encrypt will use this to contact you about expiring
+ # certificates, and issues related to your account.
+ email: amolele@gmail.com
+ server: https://acme-staging-v02.api.letsencrypt.org/directory
+ privateKeySecretRef:
+ # Secret resource that will be used to store the account's private key.
+ name: letsencrypt-staging
+ # Add a single challenge solver, HTTP01 using nginx
+ solvers:
+ - http01:
+ ingress:
+ class: nginx
\ No newline at end of file