Add private Nginx for internal ingress + private root CA
diff --git a/scripts/homelab/cluster-issuer.yaml b/scripts/homelab/cluster-issuer.yaml
index b408aef..9ea191b 100644
--- a/scripts/homelab/cluster-issuer.yaml
+++ b/scripts/homelab/cluster-issuer.yaml
@@ -58,6 +58,41 @@
key: api-token
name: gandi-credentials
---
+# TODO(giolekva): move to ingerss-nginx-private namespace
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: selfsigned
+ namespace: cert-manager
+spec:
+ selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: selfsigned-ca-root
+ namespace: cert-manager
+spec:
+ isCA: true
+ commonName: selfsigned-ca-root
+ secretName: selfsigned-ca-root
+ privateKey:
+ algorithm: ECDSA
+ size: 256
+ issuerRef:
+ name: selfsigned
+ kind: ClusterIssuer
+ group: cert-manager.io
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: selfsigned-ca
+ namespace: cert-manager
+spec:
+ ca:
+ secretName: selfsigned-ca-root
+---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
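Review bot: The `selfsigned-ca-root` Certificate sets no `duration` or `renewBefore`, so cert-manager's defaults apply (90-day lifetime, renewal one third before expiry) and the root certificate is reissued roughly every 60 days; anything that imported the certificate served by root-ca-server may then need to re-import it, and the `selfsigned-ca` ClusterIssuer silently starts chaining to the new root. Give the CA an explicit, deliberately long lifetime under `spec`, e.g. `duration: 87600h` and `renewBefore: 8760h`, so that rotation is a planned event rather than a default. The `namespace: cert-manager` under the two ClusterIssuer `metadata` blocks is meaningless for a cluster-scoped kind and can be dropped; a `ca` ClusterIssuer reads its secret from cert-manager's cluster resource namespace, so only the Certificate and its Secret are affected by the namespace move noted in the TODO (which also misspells `ingress`).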
diff --git a/scripts/homelab/k3s-install.sh b/scripts/homelab/k3s-install.sh
index a4f6b8a..77b88fe 100755
--- a/scripts/homelab/k3s-install.sh
+++ b/scripts/homelab/k3s-install.sh
@@ -88,6 +88,13 @@
# --set controller.extraArgs.v=2 \
# --set controller.extraArgs.default-ssl-certificate=ingress-nginx/cert-wildcard.lekva.me
+helm install --create-namespace \
+ --namespace ingress-nginx-private \
+ nginx ingress-nginx/ingress-nginx \
+ --set fullnameOverride=nginx-private \
+ --set controller.service.type=LoadBalancer \
+ --set controller.setAsDefaultIngress=false \
+ --set controller.ingressClass=nginx-private
# helm install --create-namespace \
# --namespace cert-manager \
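Review bot: A second ingress-nginx release is installed here but only `controller.ingressClass` is changed; if the chart's IngressClass resource name and `controllerValue` are left at their defaults, the new release would create an IngressClass also named `nginx` and both controllers would answer to the same `k8s.io/ingress-nginx` controller value, so the public controller may also pick up Ingresses such as `root-ca.pcloud` that are meant to stay internal. Add `--set controller.ingressClassResource.name=nginx-private` and `--set controller.ingressClassResource.controllerValue=k8s.io/ingress-nginx-private`, which also gives `ingressClassName: nginx-private` in root-ca-server.yaml a real IngressClass to resolve to. Whether `controller.setAsDefaultIngress` is read by the chart version in use is worth confirming, since Helm accepts unknown `--set` keys silently and `controller.ingressClassResource.default=false` is the documented form. The install script continues outside the hunk.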
@@ -157,17 +164,17 @@
# --set prometheus.ingress.annotations."nginx\.ingress\.kubernetes\.io/ssl-redirect"="\"false\"" \
# --set prometheus.ingress.pathType=Prefix
-# kubectl apply -f ../../apps/pihole/install.yaml
-helm upgrade --create-namespace \
- --namespace pihole \
- pihole mojo2600/pihole \
- --set ingress.enabled=true \
- --set ingress.hosts={"pihole.pcloud"} \
- --set serviceDhcp.enabled=false \
- --set serviceDns.type=LoadBalancer \
- --set serviceWeb.type=ClusterIP \
- --set serviceWeb.https.enabled=false \
- --set virtualHost="pihole.pcloud"
+# # kubectl apply -f ../../apps/pihole/install.yaml
+# helm upgrade --create-namespace \
+# --namespace pihole \
+# pihole mojo2600/pihole \
+# --set ingress.enabled=true \
+# --set ingress.hosts={"pihole.pcloud"} \
+# --set serviceDhcp.enabled=false \
+# --set serviceDns.type=LoadBalancer \
+# --set serviceWeb.type=ClusterIP \
+# --set serviceWeb.https.enabled=false \
+# --set virtualHost="pihole.pcloud"
# kubectl apply -f cert-manager-webhook-gandi/rbac.yaml
# helm upgrade --namespace cert-manager \
@@ -179,5 +186,5 @@
# kubectl apply -f cluster-issuer.yaml
-kubectl apply -f ../../apps/maddy/install.yaml
-kubectl apply -f maddy-config.yaml
+# kubectl apply -f ../../apps/maddy/install.yaml
+# kubectl apply -f maddy-config.yaml
diff --git a/scripts/homelab/root-ca-server.yaml b/scripts/homelab/root-ca-server.yaml
new file mode 100644
index 0000000..e1f1664
--- /dev/null
+++ b/scripts/homelab/root-ca-server.yaml
@@ -0,0 +1,73 @@
+# TODO(giolekva): move to ingerss-nginx-private namespace
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: selfsigned-root-ca
+ namespace: cert-manager
+spec:
+ selector:
+ matchLabels:
+ app: selfsigned-root-ca
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: selfsigned-root-ca
+ spec:
+ volumes:
+ - name: root-ca-secret
+ secret:
+ secretName: selfsigned-ca-root
+ items:
+ - key: ca.crt
+ path: selfsigned-root-ca.crt
+ containers:
+ - name: maddy
+ image: giolekva/static-file-server:latest
+ imagePullPolicy: Always
+ ports:
+ - name: http
+ containerPort: 80
+ command: ["static-file-server"]
+ args: ["-port=80", "-dir=/etc/static-file-server/data"]
+ volumeMounts:
+ - name: root-ca-secret
+ mountPath: /etc/static-file-server/data/
+ readOnly: true
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: selfsigned-root-ca
+ namespace: cert-manager
+spec:
+ type: ClusterIP
+ selector:
+ app: selfsigned-root-ca
+ ports:
+ - name: http
+ port: 80
+ targetPort: http
+ protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: selfsigned-root-ca
+ namespace: cert-manager
+ annotations:
+ nginx.ingress.kubernetes.io/ssl-redirect: "false"
+spec:
+ ingressClassName: nginx-private
+ rules:
+ - host: root-ca.pcloud
+ http:
+ paths:
+ - pathType: Prefix
+ path: "/"
+ backend:
+ service:
+ name: selfsigned-root-ca
+ port:
+ name: http
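Review bot: The pod that mounts the root-CA secret runs `giolekva/static-file-server:latest` with `imagePullPolicy: Always`, so every restart may pull different code into a pod with read access to that secret; pin the image by digest, `image: giolekva/static-file-server@sha256:<digest-placeholder>`, or at least an immutable tag. The container is named `maddy`, which reads as copy-paste from the maddy manifest; `name: static-file-server` would match the Deployment. Keep the `items` filter that projects only `ca.crt` — the same secret also holds the CA's `tls.key` (cert-manager writes it alongside `tls.crt` and `ca.crt`), and mounting the whole secret would serve the private key over the same endpoint. Because the Ingress serves the trust anchor over plain HTTP with `ssl-redirect: "false"`, clients importing it cannot authenticate the download, so publish the certificate's fingerprint out-of-band for them to compare before trusting it.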