Installer: migrate internal services to *.p.{domain}
diff --git a/charts/certificate-issuer/templates/gandi-credentials.yaml b/charts/certificate-issuer/templates/gandi-credentials.yaml
new file mode 100644
index 0000000..c14d298
--- /dev/null
+++ b/charts/certificate-issuer/templates/gandi-credentials.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+ name: gandi-credentials
+ namespace: {{ .Release.Namespace }}
+data:
+ api-token: {{ .Values.private.gandiAPIToken | b64enc }}
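Review bot: The `api-token` entry on the last line renders a syntactically valid Secret even when `private.gandiAPIToken` is left at its placeholder default (`token` in values.yaml), so a misconfigured install only fails later, when the webhook calls the Gandi API. Make the value mandatory so rendering stops early: `api-token: {{ required "private.gandiAPIToken must be set" .Values.private.gandiAPIToken | b64enc }}`. Since this is an API credential, a header comment such as `# Gandi API token read by the cert-manager gandi webhook; supply at install time (--set / --set-file), do not store it in values.yaml` would tell operators how it is expected to arrive.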
diff --git a/charts/certificate-issuer/templates/gandi-webhook-secret-reader.yaml b/charts/certificate-issuer/templates/gandi-webhook-secret-reader.yaml
new file mode 100644
index 0000000..b3d1491
--- /dev/null
+++ b/charts/certificate-issuer/templates/gandi-webhook-secret-reader.yaml
@@ -0,0 +1,26 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: cert-manager-gandi-webhook-secret-reader
+ namespace: {{ .Release.Namespace }}
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: cert-manager-gandi-webhook-secret-reader
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cert-manager-gandi-webhook-secret-reader
+subjects:
+- kind: ServiceAccount
+ name: {{ .Values.certManager.gandiWebhookSecretReader }}
+ namespace: {{ .Values.certManager.namespace }}
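Review bot: The ClusterRole grants `get` on every Secret in the cluster to the webhook ServiceAccount, while the only object it needs is `gandi-credentials` in the release namespace (the `apiKeySecretRef` in private.yaml). A namespaced Role plus RoleBinding restricted with `resourceNames` gives the webhook exactly that secret; `metadata.namespace` on a ClusterRole and ClusterRoleBinding is ignored anyway because both kinds are cluster-scoped, so the namespaced form also removes that misleading field. This assumes the webhook resolves the secret in the Issuer's namespace rather than in the cert-manager namespace — worth confirming against the webhook's documentation before narrowing.
```yaml
kind: Role   # namespaced; was ClusterRole
# … unchanged: metadata (name, namespace) …
rules:
  - apiGroups:
      - ""
    resources:
      - secrets
    resourceNames:
      - gandi-credentials
    verbs:
      - get
---
kind: RoleBinding   # was ClusterRoleBinding
# … unchanged: metadata (name, namespace) …
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cert-manager-gandi-webhook-secret-reader
# … unchanged: subjects …
```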
diff --git a/charts/certificate-issuer/templates/private.yaml b/charts/certificate-issuer/templates/private.yaml
index 1b5c06d..1ab6e90 100644
--- a/charts/certificate-issuer/templates/private.yaml
+++ b/charts/certificate-issuer/templates/private.yaml
@@ -1,33 +1,20 @@
apiVersion: cert-manager.io/v1
-kind: ClusterIssuer
-metadata:
- name: {{ .Values.private.name }}-bootstrap
- namespace: {{ .Release.Namespace }}
-spec:
- selfSigned: {}
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
- name: {{ .Values.private.name }}-ca-root
- namespace: {{ .Release.Namespace }}
-spec:
- isCA: true
- commonName: {{ .Values.private.name }}-ca-root
- secretName: {{ .Values.private.name }}-ca-root
- privateKey:
- algorithm: ECDSA
- size: 256
- issuerRef:
- name: {{ .Values.private.name }}-bootstrap
- kind: ClusterIssuer
- group: cert-manager.io
----
-apiVersion: cert-manager.io/v1
-kind: ClusterIssuer
+kind: Issuer
metadata:
name: {{ .Values.private.name }}
namespace: {{ .Release.Namespace }}
spec:
- ca:
- secretName: {{ .Values.private.name }}-ca-root
+ acme:
+ server: {{ .Values.private.server }}
+ email: {{ .Values.private.contactEmail }}
+ privateKeySecretRef:
+ name: issuer-{{ .Values.private.name }}-account-key
+ solvers:
+ - dns01:
+ webhook:
+ groupName: acme.bwolf.me
+ solverName: gandi
+ config:
+ apiKeySecretRef:
+ key: api-token
+ name: gandi-credentials
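Review bot: Switching from ClusterIssuer to a namespaced Issuer changes where `apiKeySecretRef.name: gandi-credentials` is looked up and which Certificates can reference the issuer, and the template does not record that; a comment above `kind: Issuer` such as `# Namespaced Issuer: gandi-credentials and every Certificate using it must live in the release namespace` would save the next reader a debugging round. The templated `server` and `email` scalars are unquoted, so an unset `private.contactEmail` renders `email:` as null instead of failing; `email: {{ .Values.private.contactEmail | quote }}` (and the same for `server`) is the safer form. It is also worth noting in a comment that a public ACME CA publishes issued names to Certificate Transparency logs, and that the wildcard issued by this Issuer is what keeps individual internal hostnames out of them.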
diff --git a/charts/certificate-issuer/templates/public-staging.yaml b/charts/certificate-issuer/templates/public-staging.yaml
deleted file mode 100644
index 888b350..0000000
--- a/charts/certificate-issuer/templates/public-staging.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: ClusterIssuer
-metadata:
- name: {{ .Values.public.name }}-staging
- namespace: {{ .Release.Namespace }}
-spec:
- acme:
- server: {{ .Values.public.stagingServer }}
- email: {{ .Values.public.contactEmail }}
- privateKeySecretRef:
- name: cluster-issuer-{{ .Values.public.name }}-account-key
- solvers:
- - selector: {}
- http01:
- ingress:
- class: {{ .Values.public.ingressClass }}
diff --git a/charts/certificate-issuer/templates/root-ca-server.yaml b/charts/certificate-issuer/templates/root-ca-server.yaml
deleted file mode 100644
index 06f38d8..0000000
--- a/charts/certificate-issuer/templates/root-ca-server.yaml
+++ /dev/null
@@ -1,85 +0,0 @@
-# TODO(giolekva): move to ingerss-nginx-private namespace
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: {{ .Values.private.name }}-root-ca
- namespace: {{ .Release.Namespace }}
-spec:
- selector:
- matchLabels:
- app: {{ .Values.private.name }}-root-ca
- replicas: 1
- template:
- metadata:
- labels:
- app: {{ .Values.private.name }}-root-ca
- spec:
- volumes:
- - name: root-ca-secret
- secret:
- secretName: {{ .Values.private.name }}-ca-root
- items:
- - key: ca.crt
- path: private-root-ca.crt
- containers:
- - name: file-server
- image: giolekva/static-file-server:latest
- imagePullPolicy: Always
- ports:
- - name: http
- containerPort: 80
- command: ["static-file-server"]
- args: ["-port=80", "-dir=/etc/static-file-server/data"]
- volumeMounts:
- - name: root-ca-secret
- mountPath: /etc/static-file-server/data/
- readOnly: true
- resources:
- requests:
- memory: "10Mi"
- cpu: "10m"
- limits:
- memory: "20Mi"
- cpu: "100m"
- tolerations:
- - key: "pcloud"
- operator: "Equal"
- value: "role"
- effect: "NoSchedule"
----
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ .Values.private.name }}-root-ca
- namespace: {{ .Release.Namespace }}
-spec:
- type: ClusterIP
- selector:
- app: {{ .Values.private.name }}-root-ca
- ports:
- - name: http
- port: 80
- targetPort: http
- protocol: TCP
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: {{ .Values.private.name }}-root-ca
- namespace: {{ .Release.Namespace }}
- annotations:
- nginx.ingress.kubernetes.io/ssl-redirect: "false"
-spec:
- ingressClassName: {{ .Values.private.ingressClassName }}
- rules:
- - host: root-ca.{{ .Values.private.domain }}
- http:
- paths:
- - pathType: Prefix
- path: "/"
- backend:
- service:
- name: {{ .Values.private.name }}-root-ca
- port:
- name: http
diff --git a/charts/certificate-issuer/templates/wildcard-certificate-private.yaml b/charts/certificate-issuer/templates/wildcard-certificate-private.yaml
new file mode 100644
index 0000000..f869875
--- /dev/null
+++ b/charts/certificate-issuer/templates/wildcard-certificate-private.yaml
@@ -0,0 +1,12 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: wildcard-{{ .Values.private.domain }}
+ namespace: {{ .Release.Namespace }}
+spec:
+ dnsNames:
+ - '*.{{ .Values.private.domain }}'
+ issuerRef:
+ name: {{ .Values.private.name }}
+ kind: Issuer
+ secretName: cert-wildcard.{{ .Values.private.domain }}
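Review bot: The Certificate has no `privateKey` stanza, so cert-manager's default `rotationPolicy: Never` applies and the same private key is reused at every renewal of a wildcard that covers every internal host; add `privateKey:` / `  rotationPolicy: Always` under `spec` so each renewal gets a fresh key. The Secret `cert-wildcard.{{ .Values.private.domain }}` is created only in `{{ .Release.Namespace }}`, so workloads in other namespaces (the matrix ingress touched later in this commit appears to be one) cannot reference it directly; a comment stating how the secret is expected to reach those namespaces would help. Dots in the secret name are legal for a Secret, but a header comment noting that `private.domain` must itself be a valid DNS subdomain would prevent surprises with other values.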
diff --git a/charts/certificate-issuer/values.yaml b/charts/certificate-issuer/values.yaml
index 57a0d43..904b5ac 100644
--- a/charts/certificate-issuer/values.yaml
+++ b/charts/certificate-issuer/values.yaml
@@ -1,3 +1,6 @@
+certManager:
+ namespace: cert-manager
+ gandiWebhookSecretReader: cert-manager-webhook-gandi
public:
name: letsencrypt-prod
server: https://acme-v02.api.letsencrypt.org/directory
@@ -5,5 +8,8 @@
ingressClass: ingress-nginx
private:
name: selfsigned-private
- domain: pcloud
+ server: https://acme-v02.api.letsencrypt.org/directory
+ contactEmail: admin@example.com
+ gandiAPIToken: token
+ domain: p.example.com
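Review bot: `gandiAPIToken: token` and `contactEmail: admin@example.com` are plausible-looking defaults for a credential and a registration address, so a chart installed without overrides renders a real-looking Secret and Issuer that only fail at ACME time; leave them empty (`gandiAPIToken: ""`), pair them with `required` in the templates, and comment that the token is to be supplied at install time rather than committed. `name: selfsigned-private` is now misleading — the Issuer it names is ACME-backed, not self-signed, and the identifier also ends up in the account-key Secret name — so either rename it or comment `# historical name; this issuer is now ACME-backed`. The hunk also points the internal issuer at the production Let's Encrypt directory while the deleted public-staging.yaml removed the only staging issuer; a comment pointing operators at the staging endpoint for test installs would help avoid rate-limit lockouts.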
diff --git a/charts/matrix/templates/matrix.yaml b/charts/matrix/templates/matrix.yaml
index 6770c91..49c97ac 100644
--- a/charts/matrix/templates/matrix.yaml
+++ b/charts/matrix/templates/matrix.yaml
@@ -47,9 +47,9 @@
metadata:
name: ingress
namespace: {{ .Release.Namespace }}
- annotations:
- cert-manager.io/cluster-issuer: {{ .Values.certificateIssuer }}
- acme.cert-manager.io/http01-edit-in-place: "true"
+ # annotations:
+ # cert-manager.io/cluster-issuer: {{ .Values.certificateIssuer }}
+ # acme.cert-manager.io/http01-edit-in-place: "true"
spec:
ingressClassName: {{ .Values.ingressClassName }}
tls:
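Review bot: Helm evaluates template actions before YAML parsing, so `{{ .Values.certificateIssuer }}` inside the commented-out annotation is still rendered on every install; if the value is later dropped from values.yaml it silently renders empty, and the dead text is carried into every manifest. Either delete the three commented lines or wrap them in a template comment, `{{- /* cert-manager annotations removed: TLS now comes from the wildcard certificate */ -}}`, so nothing is emitted. With the cert-manager annotations gone, the `tls:` block that continues below the hunk must name a Secret that already exists in this namespace; the Ingress definition starts and ends outside the hunk.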