
feat(cert-manager): enable certificate import and export (yoink) #2078

Merged
merged 3 commits into from
Oct 9, 2024

Conversation

rodent1
Owner

@rodent1 rodent1 commented Oct 9, 2024

No description provided.

@ro-bott ro-bott bot added area/kubernetes Changes made in the kubernetes directory cluster/main labels Oct 9, 2024
@ro-bott
Contributor

ro-bott bot commented Oct 9, 2024

--- HelmRelease: networking/nginx-external ConfigMap: networking/nginx-external-controller

+++ HelmRelease: networking/nginx-external ConfigMap: networking/nginx-external-controller

@@ -16,19 +16,20 @@

   client-body-buffer-size: 100M
   client-body-timeout: '120'
   client-header-timeout: '120'
   enable-brotli: 'true'
   enable-ocsp: 'true'
   enable-real-ip: 'true'
+  force-ssl-redirect: 'true'
   hide-headers: Server,X-Powered-By
   hsts-max-age: '3.14496e+07'
   keep-alive: '120'
   keep-alive-requests: '10000'
   log-format-escape-json: 'true'
   log-format-upstream: |
-    {"time": "$time_iso8601", "remote_addr": "$proxy_protocol_addr", "x_forwarded_for": "$proxy_add_x_forwarded_for", "request_id": "$req_id", "remote_user": "$remote_user", "bytes_sent": $bytes_sent, "request_time": $request_time, "status": $status, "vhost": "$host", "request_proto": "$server_protocol", "path": "$uri", "request_query": "$args", "request_length": $request_length, "duration": $request_time, "method": "$request_method", "http_referrer": "$http_referer", "http_user_agent": "$http_user_agent"}
+    {"time": "$time_iso8601", "remote_addr": "$proxy_protocol_addr", "x_forwarded_for": "$proxy_add_x_forwarded_for", "request_id": "$req_id", "remote_user": "$remote_user", "bytes_sent": $bytes_sent, "request_time": $request_time, "status": $status, "vhost": "$host", "request_proto": "$server_protocol", "path": "$uri", "request_query": "$args", "request_length": $request_length, "duration": $request_time, "method": "$request_method", "http_referrer": "$http_referer", "http_user_agent": "$http_user_agent", "country_code": "$geoip2_city_country_code", "country_name": "$geoip2_city_country_name"}
   proxy-body-size: '0'
   proxy-buffer-size: 16k
   ssl-protocols: TLSv1.3 TLSv1.2
   use-forwarded-headers: 'true'
-  use-geoip2: 'false'
+  use-geoip2: 'true'
 
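Review bot: The added `force-ssl-redirect: 'true'` decides whether to redirect based on the forwarded scheme when `use-forwarded-headers: 'true'` (further down the same map) is set, so, as far as I recall ingress-nginx's template, a plain-HTTP client that itself sends `X-Forwarded-Proto: https` would skip the redirect. That is only safe if the load balancer in front of this controller overwrites client-supplied `X-Forwarded-*` headers rather than passing them through; please confirm that for both the external and internal paths. A comment next to the key in the HelmRelease values would record the dependency: `# redirect decision trusts X-Forwarded-Proto because use-forwarded-headers is on; the LB must overwrite it`.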
--- HelmRelease: networking/nginx-external Deployment: networking/nginx-external-controller

+++ HelmRelease: networking/nginx-external Deployment: networking/nginx-external-controller

@@ -45,12 +45,13 @@

         - --controller-class=k8s.io/external
         - --ingress-class=nginx
         - --configmap=$(POD_NAMESPACE)/nginx-external-controller
         - --validating-webhook=:8443
         - --validating-webhook-certificate=/usr/local/certificates/cert
         - --validating-webhook-key=/usr/local/certificates/key
+        - --maxmind-license-key=..PLACEHOLDER..
         - --default-ssl-certificate=networking/rodent-cc-tls
         securityContext:
           runAsNonRoot: true
           runAsUser: 101
           allowPrivilegeEscalation: false
           seccompProfile:
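Review bot: The MaxMind license key ends up as a container argument (`--maxmind-license-key=..PLACEHOLDER..`), so in the cluster it is readable by anyone who can `get` Pods or Deployments in `networking` and is visible in process listings on the node; the placeholder is only the diff tool's masking. This line is what the chart's `controller.maxmindLicenseKey` value renders to, so the exposure follows from feeding the key through Helm values rather than mounting it. If the controller version in use accepts the key from an environment variable that can be sourced with `valueFrom.secretKeyRef`, that keeps it out of the pod spec; otherwise at least scope RBAC for pod/deployment reads in this namespace accordingly and note the exposure in a comment.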
--- HelmRelease: networking/nginx-internal ConfigMap: networking/nginx-internal-controller

+++ HelmRelease: networking/nginx-internal ConfigMap: networking/nginx-internal-controller

@@ -16,12 +16,13 @@

   client-body-buffer-size: 100M
   client-body-timeout: '120'
   client-header-timeout: '120'
   enable-brotli: 'true'
   enable-ocsp: 'true'
   enable-real-ip: 'true'
+  force-ssl-redirect: 'true'
   hide-headers: Server,X-Powered-By
   hsts-max-age: '3.14496e+07'
   keep-alive: '120'
   keep-alive-requests: '10000'
   log-format-escape-json: 'true'
   log-format-upstream: |

@ro-bott
Contributor

ro-bott bot commented Oct 9, 2024

--- kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/nginx-certificates

+++ kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/nginx-certificates

@@ -13,23 +13,22 @@

       app.kubernetes.io/name: nginx-certificates
   decryption:
     provider: sops
     secretRef:
       name: sops-age
   dependsOn:
-  - name: cert-manager-issuers
+  - name: external-secrets-stores
   interval: 30m
   path: ./kubernetes/main/apps/networking/nginx/certificates
   postBuild:
     substituteFrom:
     - kind: ConfigMap
       name: cluster-settings
     - kind: Secret
       name: cluster-secrets
   prune: false
-  retryInterval: 1m
   sourceRef:
     kind: GitRepository
     name: home-kubernetes
   targetNamespace: networking
   timeout: 5m
   wait: true
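Review bot: Dropping `retryInterval: 1m` changes failure handling, not only ordering: with `retryInterval` unset, Flux retries a failed reconciliation at `interval` (30m here, if I recall the default correctly), so when the `rodent-cc-tls` item is not yet present in 1Password — the first bootstrap of this import/export chain — `nginx-certificates` and everything that now depends on it (`nginx-external`, `nginx-internal`) sits failed for half an hour between attempts. If the removal was unintentional, restore `retryInterval: 1m`; if it was deliberate, a comment such as `# retryInterval intentionally unset: failures back off to interval (30m)` makes that clear to the next reader.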
--- kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/nginx-external

+++ kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/nginx-external

@@ -13,13 +13,13 @@

       app.kubernetes.io/name: nginx-external
   decryption:
     provider: sops
     secretRef:
       name: sops-age
   dependsOn:
-  - name: external-secrets-stores
+  - name: nginx-certificates
   interval: 30m
   path: ./kubernetes/main/apps/networking/nginx/external
   postBuild:
     substituteFrom:
     - kind: ConfigMap
       name: cluster-settings
--- kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/nginx-internal

+++ kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/nginx-internal

@@ -13,13 +13,13 @@

       app.kubernetes.io/name: nginx-internal
   decryption:
     provider: sops
     secretRef:
       name: sops-age
   dependsOn:
-  - name: external-secrets-stores
+  - name: nginx-certificates
   interval: 30m
   path: ./kubernetes/main/apps/networking/nginx/internal
   postBuild:
     substituteFrom:
     - kind: ConfigMap
       name: cluster-settings
--- kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/certificates-import

+++ kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/certificates-import

@@ -0,0 +1,35 @@

+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  labels:
+    kustomize.toolkit.fluxcd.io/name: cluster-apps
+    kustomize.toolkit.fluxcd.io/namespace: flux-system
+  name: certificates-import
+  namespace: flux-system
+spec:
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: certificates-import
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age
+  dependsOn:
+  - name: external-secrets-stores
+  interval: 30m
+  path: ./kubernetes/main/apps/cert-manager/certificates/import
+  postBuild:
+    substituteFrom:
+    - kind: ConfigMap
+      name: cluster-settings
+    - kind: Secret
+      name: cluster-secrets
+  prune: false
+  sourceRef:
+    kind: GitRepository
+    name: home-kubernetes
+  targetNamespace: cert-manager
+  timeout: 5m
+  wait: true
+
--- kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/certificates-export

+++ kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/certificates-export

@@ -0,0 +1,37 @@

+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  labels:
+    kustomize.toolkit.fluxcd.io/name: cluster-apps
+    kustomize.toolkit.fluxcd.io/namespace: flux-system
+  name: certificates-export
+  namespace: flux-system
+spec:
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: certificates-export
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age
+  dependsOn:
+  - name: certificates-import
+  - name: cert-manager-issuers
+  - name: external-secrets-stores
+  interval: 30m
+  path: ./kubernetes/main/apps/cert-manager/certificates/export
+  postBuild:
+    substituteFrom:
+    - kind: ConfigMap
+      name: cluster-settings
+    - kind: Secret
+      name: cluster-secrets
+  prune: false
+  sourceRef:
+    kind: GitRepository
+    name: home-kubernetes
+  targetNamespace: cert-manager
+  timeout: 5m
+  wait: false
+
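Review bot: `dependsOn: certificates-import` here, together with `wait: true` on the import Kustomization, means the Certificate and PushSecret in this path are only applied once the import ExternalSecret is Ready — which requires the `rodent-cc-tls` item to already exist in 1Password. On a fresh cluster or vault that item is created by this very PushSecret, so nothing would ever issue; presumably the item was seeded by hand from the old `networking/rodent-cc-tls` Secret before this merge. Please document that in the manifest so the next rebuild does not hit the deadlock: `# bootstrap: the 1Password item must exist before first reconcile; seed it from an existing rodent-cc-tls Secret or temporarily drop the dependsOn on certificates-import`.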
--- kubernetes/main/apps/networking/nginx/external Kustomization: flux-system/nginx-external HelmRelease: networking/nginx-external

+++ kubernetes/main/apps/networking/nginx/external Kustomization: flux-system/nginx-external HelmRelease: networking/nginx-external

@@ -41,24 +41,25 @@

         client-body-buffer-size: 100M
         client-body-timeout: 120
         client-header-timeout: 120
         enable-brotli: 'true'
         enable-ocsp: 'true'
         enable-real-ip: 'true'
+        force-ssl-redirect: 'true'
         hide-headers: Server,X-Powered-By
         hsts-max-age: 31449600
         keep-alive: 120
         keep-alive-requests: 10000
         log-format-escape-json: 'true'
         log-format-upstream: |
-          {"time": "$time_iso8601", "remote_addr": "$proxy_protocol_addr", "x_forwarded_for": "$proxy_add_x_forwarded_for", "request_id": "$req_id", "remote_user": "$remote_user", "bytes_sent": $bytes_sent, "request_time": $request_time, "status": $status, "vhost": "$host", "request_proto": "$server_protocol", "path": "$uri", "request_query": "$args", "request_length": $request_length, "duration": $request_time, "method": "$request_method", "http_referrer": "$http_referer", "http_user_agent": "$http_user_agent"}
+          {"time": "$time_iso8601", "remote_addr": "$proxy_protocol_addr", "x_forwarded_for": "$proxy_add_x_forwarded_for", "request_id": "$req_id", "remote_user": "$remote_user", "bytes_sent": $bytes_sent, "request_time": $request_time, "status": $status, "vhost": "$host", "request_proto": "$server_protocol", "path": "$uri", "request_query": "$args", "request_length": $request_length, "duration": $request_time, "method": "$request_method", "http_referrer": "$http_referer", "http_user_agent": "$http_user_agent", "country_code": "$geoip2_city_country_code", "country_name": "$geoip2_city_country_name"}
         proxy-body-size: 0
         proxy-buffer-size: 16k
         ssl-protocols: TLSv1.3 TLSv1.2
         use-forwarded-headers: 'true'
-        use-geoip2: false
+        use-geoip2: true
       extraArgs:
         default-ssl-certificate: networking/rodent-cc-tls
       ingressClassResource:
         controllerValue: k8s.io/external
         default: false
         name: external
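Review bot: The new `country_code`/`country_name` fields in `log-format-upstream` reference `$geoip2_city_country_code` and `$geoip2_city_country_name`, which only exist once `use-geoip2: true` has actually loaded the GeoLite2-City database; if the MaxMind download fails at startup (bad or expired license key, egress blocked), the controller, as far as I recall, silently disables geoip2 and the log template then either breaks the config reload or emits empty strings depending on version. Either way the log pipeline should treat these two fields as optional, and a comment on the log line saying so would help. Also, `use-geoip2: true` is a bare YAML boolean while the rest of this map uses the quoted `'true'` form; Helm stringifies it (the rendered ConfigMap above confirms `'true'`), but keeping the quoted form is consistent and avoids a surprise if the chart ever stops doing that.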
@@ -88,7 +89,12 @@

         maxSkew: 1
         topologyKey: kubernetes.io/hostname
         whenUnsatisfiable: DoNotSchedule
     defaultBackend:
       enabled: false
     fullnameOverride: nginx-external
+  valuesFrom:
+  - kind: Secret
+    name: nginx-external-maxmind-secret
+    targetPath: controller.maxmindLicenseKey
+    valuesKey: MAXMIND_LICENSE_KEY
 
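Review bot: `valuesFrom` merges `MAXMIND_LICENSE_KEY` into the chart values, which has two consequences beyond the pod args: Helm stores user-supplied values in its release Secret (`sh.helm.release.v1.nginx-external.*` in `networking`), so the key is now also readable by anyone who can read Secrets there, and the HelmRelease will fail to reconcile if `nginx-external-maxmind-secret` is missing — that Secret (presumably produced by an ExternalSecret) is not part of this diff. A one-line comment above the entry, `# license key is copied into the Helm release secret and pod args; keep RBAC on networking/ Secrets tight`, records the exposure for the next reader.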
--- kubernetes/main/apps/networking/nginx/certificates Kustomization: flux-system/nginx-certificates Certificate: networking/rodent-cc

+++ kubernetes/main/apps/networking/nginx/certificates Kustomization: flux-system/nginx-certificates Certificate: networking/rodent-cc

@@ -1,20 +0,0 @@

----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  labels:
-    app.kubernetes.io/name: nginx-certificates
-    kustomize.toolkit.fluxcd.io/name: nginx-certificates
-    kustomize.toolkit.fluxcd.io/namespace: flux-system
-  name: rodent-cc
-  namespace: networking
-spec:
-  commonName: rodent.cc
-  dnsNames:
-  - rodent.cc
-  - '*.rodent.cc'
-  issuerRef:
-    kind: ClusterIssuer
-    name: letsencrypt-production
-  secretName: rodent-cc-tls
-
--- kubernetes/main/apps/networking/nginx/certificates Kustomization: flux-system/nginx-certificates Certificate: networking/stianrs-dev

+++ kubernetes/main/apps/networking/nginx/certificates Kustomization: flux-system/nginx-certificates Certificate: networking/stianrs-dev

@@ -1,20 +0,0 @@

----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  labels:
-    app.kubernetes.io/name: nginx-certificates
-    kustomize.toolkit.fluxcd.io/name: nginx-certificates
-    kustomize.toolkit.fluxcd.io/namespace: flux-system
-  name: stianrs-dev
-  namespace: networking
-spec:
-  commonName: stianrs.dev
-  dnsNames:
-  - stianrs.dev
-  - '*.stianrs.dev'
-  issuerRef:
-    kind: ClusterIssuer
-    name: letsencrypt-production
-  secretName: stianrs-dev-tls
-
--- kubernetes/main/apps/networking/nginx/certificates Kustomization: flux-system/nginx-certificates ExternalSecret: networking/rodent-cc-tls

+++ kubernetes/main/apps/networking/nginx/certificates Kustomization: flux-system/nginx-certificates ExternalSecret: networking/rodent-cc-tls

@@ -0,0 +1,24 @@

+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  labels:
+    app.kubernetes.io/name: nginx-certificates
+    kustomize.toolkit.fluxcd.io/name: nginx-certificates
+    kustomize.toolkit.fluxcd.io/namespace: flux-system
+  name: rodent-cc-tls
+  namespace: networking
+spec:
+  dataFrom:
+  - extract:
+      decodingStrategy: Auto
+      key: rodent-cc-tls
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword-connect
+  target:
+    name: rodent-cc-tls
+    template:
+      engineVersion: v2
+      type: kubernetes.io/tls
+
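Review bot: This ExternalSecret targets `networking/rodent-cc-tls`, the same Secret the removed `Certificate networking/rodent-cc` owns, and because the `nginx-certificates` Kustomization has `prune: false`, Flux will not delete that Certificate from the cluster when it disappears from git. Until it is removed by hand, cert-manager and external-secrets both write the same Secret, and the `networking` copy could keep being renewed independently of the `cert-manager`-namespace copy that is pushed to 1Password. I would record the manual step in a comment here: `# the old Certificate networking/rodent-cc must be deleted manually; prune is disabled on this Kustomization`. The removed `stianrs-dev` Certificate likewise has no replacement in this diff, so anything still referencing `stianrs-dev-tls` depends on that lingering object.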
--- kubernetes/main/apps/networking/nginx/internal Kustomization: flux-system/nginx-internal HelmRelease: networking/nginx-internal

+++ kubernetes/main/apps/networking/nginx/internal Kustomization: flux-system/nginx-internal HelmRelease: networking/nginx-internal

@@ -41,12 +41,13 @@

         client-body-buffer-size: 100M
         client-body-timeout: 120
         client-header-timeout: 120
         enable-brotli: 'true'
         enable-ocsp: 'true'
         enable-real-ip: 'true'
+        force-ssl-redirect: 'true'
         hide-headers: Server,X-Powered-By
         hsts-max-age: 31449600
         keep-alive: 120
         keep-alive-requests: 10000
         log-format-escape-json: 'true'
         log-format-upstream: |
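Review bot: Now that the redirect forces HTTPS, the companion `hsts-max-age: 31449600` a few lines below deserves a look: it is an unquoted integer, and the rendered ConfigMap in the first bot comment shows it arriving as `'3.14496e+07'` (Helm's float handling of large numbers), which, if ingress-nginx copies that string straight into the `Strict-Transport-Security` header as I believe it does, gives browsers an invalid `max-age` and therefore no HSTS at all. Quoting it, `hsts-max-age: '31449600'`, keeps the digits intact; the external controller's values have the same problem. Worth confirming with `curl -sI https://<host> | grep -i strict-transport` before and after.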
--- kubernetes/main/apps/cert-manager/certificates/import Kustomization: flux-system/certificates-import ExternalSecret: cert-manager/rodent-cc-tls

+++ kubernetes/main/apps/cert-manager/certificates/import Kustomization: flux-system/certificates-import ExternalSecret: cert-manager/rodent-cc-tls

@@ -0,0 +1,38 @@

+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  labels:
+    app.kubernetes.io/name: certificates-import
+    kustomize.toolkit.fluxcd.io/name: certificates-import
+    kustomize.toolkit.fluxcd.io/namespace: flux-system
+  name: rodent-cc-tls
+  namespace: cert-manager
+spec:
+  dataFrom:
+  - extract:
+      decodingStrategy: Auto
+      key: rodent-cc-tls
+  refreshInterval: '0'
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword-connect
+  target:
+    creationPolicy: Orphan
+    name: rodent-cc-tls
+    template:
+      engineVersion: v2
+      metadata:
+        annotations:
+          cert-manager.io/alt-names: '*.rodent.cc,rodent.cc'
+          cert-manager.io/certificate-name: rodent-cc
+          cert-manager.io/common-name: rodent.cc
+          cert-manager.io/ip-sans: ''
+          cert-manager.io/issuer-group: ''
+          cert-manager.io/issuer-kind: ClusterIssuer
+          cert-manager.io/issuer-name: letsencrypt-production
+          cert-manager.io/uri-sans: ''
+        labels:
+          controller.cert-manager.io/fao: 'true'
+      type: kubernetes.io/tls
+
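Review bot: The imported Secret is stamped with cert-manager's ownership annotations (`cert-manager.io/issuer-name: letsencrypt-production` and friends) plus the `controller.cert-manager.io/fao` label, so cert-manager will treat whatever key pair sits in the 1Password item as a legitimately issued certificate; the trust boundary for the `*.rodent.cc` private key now includes every principal with write access to that vault item, and with `refreshInterval: '0'` the import happens exactly once, so a later edit to the item is neither picked up nor detected. That is a reasonable design for a one-shot migration, but it should be stated in the manifest: `# one-shot seed from 1Password (refreshInterval 0, Orphan): cert-manager owns this Secret afterwards; whoever can edit the vault item supplies the key pair`. If these annotation values ever diverge from the Certificate spec in the export path, cert-manager may reissue rather than adopt, so keep the two in sync.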
--- kubernetes/main/apps/cert-manager/certificates/export Kustomization: flux-system/certificates-export Certificate: cert-manager/rodent-cc

+++ kubernetes/main/apps/cert-manager/certificates/export Kustomization: flux-system/certificates-export Certificate: cert-manager/rodent-cc

@@ -0,0 +1,20 @@

+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  labels:
+    app.kubernetes.io/name: certificates-export
+    kustomize.toolkit.fluxcd.io/name: certificates-export
+    kustomize.toolkit.fluxcd.io/namespace: flux-system
+  name: rodent-cc
+  namespace: cert-manager
+spec:
+  commonName: rodent.cc
+  dnsNames:
+  - rodent.cc
+  - '*.rodent.cc'
+  issuerRef:
+    kind: ClusterIssuer
+    name: letsencrypt-production
+  secretName: rodent-cc-tls
+
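Review bot: The Certificate sets no `privateKey.rotationPolicy`, and cert-manager's default (`Never`, at least in releases current at the time of this PR) reuses the existing key in `rodent-cc-tls` on every renewal — so the private key imported from 1Password would be kept indefinitely and re-exported every five minutes. Since this key has now transited an external store, rotating it on the next renewal is cheap insurance: add `privateKey:` / `  rotationPolicy: Always` under `spec`. Note also that this Certificate lives in `cert-manager` while the controllers' default certificate is `networking/rodent-cc-tls`, which only updates via the 1Password round trip (push every 5m, ExternalSecret at its default refresh), so renewal-to-rollout latency is on the order of an hour; acceptable, but worth a comment.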
--- kubernetes/main/apps/cert-manager/certificates/export Kustomization: flux-system/certificates-export PushSecret: cert-manager/rodent-cc-tls

+++ kubernetes/main/apps/cert-manager/certificates/export Kustomization: flux-system/certificates-export PushSecret: cert-manager/rodent-cc-tls

@@ -0,0 +1,35 @@

+---
+apiVersion: external-secrets.io/v1alpha1
+kind: PushSecret
+metadata:
+  labels:
+    app.kubernetes.io/name: certificates-export
+    kustomize.toolkit.fluxcd.io/name: certificates-export
+    kustomize.toolkit.fluxcd.io/namespace: flux-system
+  name: rodent-cc-tls
+  namespace: cert-manager
+spec:
+  data:
+  - match:
+      remoteRef:
+        property: tls.crt
+        remoteKey: rodent-cc-tls
+      secretKey: tls.crt
+  - match:
+      remoteRef:
+        property: tls.key
+        remoteKey: rodent-cc-tls
+      secretKey: tls.key
+  refreshInterval: 5m
+  secretStoreRefs:
+  - kind: ClusterSecretStore
+    name: onepassword-connect
+  selector:
+    secret:
+      name: rodent-cc-tls
+  template:
+    data:
+      tls.crt: '{{ index . "tls.crt" | b64enc }}'
+      tls.key: '{{ index . "tls.key" | b64enc }}'
+    engineVersion: v2
+
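Review bot: This PushSecret writes `tls.key` — the wildcard private key — to 1Password through the cluster-wide `onepassword-connect` ClusterSecretStore, so the Connect credential behind that store must now carry write access to the vault; a compromise of that credential (or of the Connect server) then allows tampering with every item in the vault rather than just reading, and that write capability is shared by every namespace allowed to use the ClusterSecretStore. Consider a dedicated vault and a second SecretStore with a write-scoped credential for exports, keeping the shared store read-only. The `b64enc` in the template also means the item holds base64-encoded PEM, which is what `decodingStrategy: Auto` on the two ExternalSecrets undoes; a comment saying so (`# fields are base64-encoded; consumers must use decodingStrategy: Auto`) saves the next person a round of debugging.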

@rodent1 rodent1 merged commit d124047 into main Oct 9, 2024
10 checks passed
@rodent1 rodent1 deleted the 1pass-cert branch October 9, 2024 14:56