feat(cert-manager): enable certificate import and export (yoink)

kubernetes/main/apps/cert-manager/certificates/export/certificates.yaml

@@ -0,0 +1,15 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/cert-manager.io/certificate_v1.json
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: rodent-cc
+spec:
+  secretName: rodent-cc-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: rodent.cc
+  dnsNames:
+    - rodent.cc
+    - "*.rodent.cc"

kubernetes/main/apps/cert-manager/certificates/app/pushsecret.yaml → kubernetes/main/apps/cert-manager/certificates/export/pushsecret.yaml

@@ -5,7 +5,7 @@ kind: PushSecret
 metadata:
   name: rodent-cc-tls
 spec:
-  refreshInterval: 1m
+  refreshInterval: 5m
   secretStoreRefs:
     - name: onepassword-connect
       kind: ClusterSecretStore

kubernetes/main/apps/cert-manager/certificates/import/externalsecret.yaml

@@ -0,0 +1,33 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: rodent-cc-tls
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword-connect
+  refreshInterval: "0"
+  target:
+    name: rodent-cc-tls
+    creationPolicy: Orphan
+    template:
+      engineVersion: v2
+      type: kubernetes.io/tls
+      metadata:
+        annotations:
+          cert-manager.io/alt-names: "*.rodent.cc,rodent.cc"
+          cert-manager.io/certificate-name: rodent-cc
+          cert-manager.io/common-name: rodent.cc
+          cert-manager.io/ip-sans: ""
+          cert-manager.io/issuer-group: ""
+          cert-manager.io/issuer-kind: ClusterIssuer
+          cert-manager.io/issuer-name: letsencrypt-production
+          cert-manager.io/uri-sans: ""
+        labels:
+          controller.cert-manager.io/fao: "true"
+  dataFrom:
+    - extract:
+        key: rodent-cc-tls
+        decodingStrategy: Auto

kubernetes/main/apps/cert-manager/certificates/import/kustomization.yaml

@@ -3,4 +3,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - ./clusterexternalsecret.yaml
+  - ./externalsecret.yaml

kubernetes/main/apps/cert-manager/certificates/ks.yaml

@@ -19,14 +19,13 @@ spec:
     name: home-kubernetes
   wait: true
   interval: 30m
-  retryInterval: 1m
   timeout: 5m
 ---
 # yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
-  name: &app certificates
+  name: &app certificates-export
   namespace: flux-system
 spec:
   targetNamespace: cert-manager
@@ -37,12 +36,11 @@ spec:
     - name: certificates-import
     - name: cert-manager-issuers
     - name: external-secrets-stores
-  path: ./kubernetes/main/apps/cert-manager/certificates/app
+  path: ./kubernetes/main/apps/cert-manager/certificates/export
   prune: false
   sourceRef:
     kind: GitRepository
     name: home-kubernetes
-  wait: true
+  wait: false
   interval: 30m
-  retryInterval: 1m
   timeout: 5m

kubernetes/main/apps/cert-manager/kustomization.yaml

@@ -7,4 +7,4 @@ resources:
   - ./namespace.yaml
   # Flux-Kustomizations
   - ./cert-manager/ks.yaml
-  # - ./certificates/ks.yaml
+  - ./certificates/ks.yaml

kubernetes/main/apps/networking/nginx/certificates/externalsecret.yaml

@@ -0,0 +1,19 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: rodent-cc-tls
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword-connect
+  target:
+    name: rodent-cc-tls
+    template:
+      engineVersion: v2
+      type: kubernetes.io/tls
+  dataFrom:
+    - extract:
+        key: rodent-cc-tls
+        decodingStrategy: Auto

kubernetes/main/apps/networking/nginx/certificates/kustomization.yaml

@@ -3,4 +3,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - ./certificate.yaml
+  - ./externalsecret.yaml

kubernetes/main/apps/networking/nginx/external/helmrelease.yaml

@@ -22,11 +22,11 @@ spec:
     remediation:
       strategy: rollback
       retries: 3
-  # valuesFrom:
-  #   - targetPath: controller.maxmindLicenseKey
-  #     kind: Secret
-  #     name: nginx-external-maxmind-secret
-  #     valuesKey: MAXMIND_LICENSE_KEY
+  valuesFrom:
+    - targetPath: controller.maxmindLicenseKey
+      kind: Secret
+      name: nginx-external-maxmind-secret
+      valuesKey: MAXMIND_LICENSE_KEY
   values:
     fullnameOverride: nginx-external
     controller:
@@ -54,6 +54,7 @@ spec:
         enable-brotli: "true"
         enable-ocsp: "true"
         enable-real-ip: "true"
+        force-ssl-redirect: "true"
         hide-headers: Server,X-Powered-By
         hsts-max-age: 31449600
         keep-alive-requests: 10000
@@ -64,11 +65,11 @@ spec:
           "request_id": "$req_id", "remote_user": "$remote_user", "bytes_sent": $bytes_sent, "request_time": $request_time,
           "status": $status, "vhost": "$host", "request_proto": "$server_protocol", "path": "$uri", "request_query": "$args",
           "request_length": $request_length, "duration": $request_time, "method": "$request_method", "http_referrer": "$http_referer",
-          "http_user_agent": "$http_user_agent"}
+          "http_user_agent": "$http_user_agent", "country_code": "$geoip2_city_country_code", "country_name": "$geoip2_city_country_name"}
         proxy-body-size: 0
         proxy-buffer-size: 16k
         ssl-protocols: TLSv1.3 TLSv1.2
-        use-geoip2: false
+        use-geoip2: true
         use-forwarded-headers: "true"
       metrics:
         enabled: true

kubernetes/main/apps/networking/nginx/internal/helmrelease.yaml

@@ -49,6 +49,7 @@ spec:
         enable-brotli: "true"
         enable-ocsp: "true"
         enable-real-ip: "true"
+        force-ssl-redirect: "true"
         hide-headers: Server,X-Powered-By
         hsts-max-age: 31449600
         keep-alive-requests: 10000

kubernetes/main/apps/networking/nginx/ks.yaml

@@ -1,5 +1,5 @@
 ---
-# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
@@ -11,15 +11,14 @@ spec:
     labels:
       app.kubernetes.io/name: *app
   dependsOn:
-    - name: cert-manager-issuers
+    - name: external-secrets-stores
   path: ./kubernetes/main/apps/networking/nginx/certificates
   prune: false
   sourceRef:
     kind: GitRepository
     name: home-kubernetes
   wait: true
   interval: 30m
-  retryInterval: 1m
   timeout: 5m
 ---
 # yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
@@ -34,8 +33,7 @@ spec:
     labels:
       app.kubernetes.io/name: *app
   dependsOn:
-    # - name: nginx-certificates
-    - name: external-secrets-stores
+    - name: nginx-certificates
   path: ./kubernetes/main/apps/networking/nginx/external
   prune: false
   sourceRef:
@@ -58,8 +56,7 @@ spec:
     labels:
       app.kubernetes.io/name: *app
   dependsOn:
-    # - name: nginx-certificates
-    - name: external-secrets-stores
+    - name: nginx-certificates
   path: ./kubernetes/main/apps/networking/nginx/internal
   prune: false
   sourceRef: