Implement wildcard certificate

helm/cluster-issuer/chart/Chart.yaml

@@ -21,4 +21,4 @@ version: 0.1.0
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.16.0"
+appVersion: "0.1.0"

helm/cluster-issuer/chart/templates/cluster-issuer.yaml

@@ -9,6 +9,8 @@ spec:
     privateKeySecretRef:
       name: {{ .Values.privateKeySecretName }}
     solvers:
-      - http01:
-          ingress:
-            ingressClassName: {{ .Values.ingressClass }}
+      - dns01:
+          digitalocean:
+            tokenSecretRef:
+              name: {{ .Values.secretName }}
+              key: {{ .Values.secretKey }}

helm/cluster-issuer/chart/values.yaml

@@ -1,4 +1,5 @@
 name: letsencrypt
 server: https://acme-v02.api.letsencrypt.org/directory
 privateKeySecretName: letsencrypt-account-key
-ingressClass: nginx
+secretName: do-dns-secret
+secretKey: password

helm/gitlab/values.yaml

@@ -18,8 +18,7 @@ global:
     class: nginx
     tls:
       enabled: true
-    annotations:
-      cert-manager.io/cluster-issuer: letsencrypt
+      secretName: "wildcard-certificate"
 
   psql:
     host: ${postgres_host}

helm/wildcard-certificate/chart/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

helm/wildcard-certificate/chart/Chart.yaml

@@ -0,0 +1,24 @@
+apiVersion: v2
+name: wildcard-certificate
+description: Wildcard Certificate
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "0.1.0"

helm/wildcard-certificate/chart/templates/_helpers.tpl

@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "wildcard-certificate.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "wildcard-certificate.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "wildcard-certificate.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "wildcard-certificate.labels" -}}
+helm.sh/chart: {{ include "wildcard-certificate.chart" . }}
+{{ include "wildcard-certificate.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "wildcard-certificate.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "wildcard-certificate.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "wildcard-certificate.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "wildcard-certificate.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}

helm/wildcard-certificate/chart/templates/wildcard-certificate.yaml

@@ -0,0 +1,21 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ .Values.name }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  secretName: {{ .Values.secretName }}
+  issuerRef:
+    name: {{ .Values.issuer }}
+    kind: ClusterIssuer
+  commonName: {{ .Values.domain }}
+  dnsNames:
+    - {{ .Values.domain }}
+    - "*.{{ .Values.domain }}"
+  secretTemplate:
+    annotations:
+    {{- if .Values.reflectNamespaces }}
+      reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
+      reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
+      reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "{{ .Values.reflectNamespaces }}"
+    {{- end}}

helm/wildcard-certificate/chart/values.yaml

@@ -0,0 +1,3 @@
+name: wildcard-certificate
+secretName: wildcard-certificate
+issuer: letsencrypt

helm/wildcard-certificate/values.yaml

@@ -0,0 +1,2 @@
+domain: ${domain}
+reflectNamespaces: "${reflectNamespaces}"

terraform/dns.tf

@@ -1,17 +1,20 @@
 locals {
     lb_ip = try(data.kubernetes_service_v1.ingress_nginx.status[0].load_balancer[0].ingress[0].ip, null)
+    records = toset([
+        var.gitlab_host, var.registry_host
+    ])
 }
 
 resource "digitalocean_domain" "main" {
     name = var.domain_name
 }
 
-resource "digitalocean_record" "gitlab" {
-    count = 1
+resource "digitalocean_record" "main" {
+    for_each = local.records
 
     domain = digitalocean_domain.main.name
     type = "A"
-    name = var.gitlab_host
+    name = each.key
     value = local.lb_ip
     ttl = 300
 }

terraform/helm.tf

@@ -1,18 +1,26 @@
-resource "helm_release" "external_dns" {
-    name = "external-dns"
-    namespace = kubernetes_namespace_v1.external_dns.metadata[0].name
-    repository = "https://kubernetes-sigs.github.io/external-dns"
-    chart = "external-dns"
-    version = "1.20.0"
+# resource "helm_release" "external_dns" {
+#     name = "external-dns"
+#     namespace = kubernetes_namespace_v1.external_dns.metadata[0].name
+#     repository = "https://kubernetes-sigs.github.io/external-dns"
+#     chart = "external-dns"
+#     version = "1.20.0"
 
-    values = [
-        file("${path.module}/../helm/external-dns/values.yaml")
-    ]
+#     values = [
+#         file("${path.module}/../helm/external-dns/values.yaml")
+#     ]
 
-    depends_on = [
-        kubernetes_namespace_v1.external_dns, 
-        kubernetes_secret_v1.external_dns_do_secret 
-    ]
+#     depends_on = [
+#         kubernetes_namespace_v1.external_dns, 
+#         kubernetes_secret_v1.external_dns_do_secret 
+#     ]
+# }
+
+resource "helm_release" "reflector" {
+    name = "reflector"
+    namespace = "kube-system"
+    repository = "https://emberstack.github.io/helm-charts"
+    chart = "reflector"
+    version = "10.0.35"
 }
 
 resource "helm_release" "cert_manager" {
@@ -42,6 +50,22 @@ resource "helm_release" "cluster_issuer" {
     depends_on = [helm_release.cert_manager]
 }
 
+resource "helm_release" "wildcard_certificate" {
+    name = "wildcard-certificate"
+    namespace = kubernetes_namespace_v1.cert_manager.metadata[0].name
+    chart = "${path.module}/../helm/wildcard-certificate/chart"
+
+    values = [
+        templatefile("${path.module}/../helm/wildcard-certificate/values.yaml", 
+        {
+            domain = var.domain_name
+            reflectNamespaces = kubernetes_namespace_v1.gitlab.metadata[0].name
+        })
+    ]
+
+    depends_on = [helm_release.cert_manager, helm_release.cluster_issuer, helm_release.reflector]
+}
+
 resource "helm_release" "ingress_nginx" {
     name = "ingress-nginx"
     namespace = kubernetes_namespace_v1.ingress_nginx.metadata[0].name
@@ -88,9 +112,11 @@ resource "helm_release" "gitlab" {
         digitalocean_database_connection_pool.main,
         digitalocean_database_cluster.valkey,
         helm_release.cert_manager,
+        helm_release.wildcard_certificate,
+        helm_release.reflector,
         helm_release.cluster_issuer,
         helm_release.ingress_nginx,
-        digitalocean_record.gitlab,
+        digitalocean_record.main,
         kubernetes_secret_v1.gitlab_initial_root_password,
         kubernetes_secret_v1.gitlab_postgres,
         kubernetes_secret_v1.gitlab_redis,

terraform/kubernetes.tf

@@ -1,10 +1,10 @@
-resource "kubernetes_namespace_v1" "external_dns" {
-    metadata {
-      name = "external-dns"
-    }
+# resource "kubernetes_namespace_v1" "external_dns" {
+#     metadata {
+#       name = "external-dns"
+#     }
 
-    depends_on = [ digitalocean_kubernetes_cluster.main ]
-}
+#     depends_on = [ digitalocean_kubernetes_cluster.main ]
+# }
 
 resource "kubernetes_namespace_v1" "ingress_nginx" {
     metadata {
@@ -34,10 +34,10 @@ resource "random_password" "gitlab_root" {
     length = 64
 }
 
-resource "kubernetes_secret_v1" "external_dns_do_secret" {
+resource "kubernetes_secret_v1" "do_dns_secret" {
     metadata {
-        name = "external-dns-do-secret"
-        namespace = kubernetes_namespace_v1.external_dns.metadata[0].name
+        name = "do-dns-secret"
+        namespace = kubernetes_namespace_v1.cert_manager.metadata[0].name
     }
 
     data = {