diff --git a/cluster/cert-manager/_namespace.yaml b/cluster/cert-manager/_namespace.yaml
new file mode 100644
index 000000000..f56d668a9
--- /dev/null
+++ b/cluster/cert-manager/_namespace.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cert-manager
+ labels:
+ goldilocks.fairwinds.com/enabled: "true"
diff --git a/cluster/cert-manager/cert-manager-webhook-ovh.yaml b/cluster/cert-manager/cert-manager-webhook-ovh.yaml
new file mode 100644
index 000000000..4075e6f76
--- /dev/null
+++ b/cluster/cert-manager/cert-manager-webhook-ovh.yaml
@@ -0,0 +1,60 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: GitRepository
+metadata:
+ name: cert-manager-webhook-ovh
+ namespace: flux-system
+spec:
+ interval: 1440m
+ url: https://github.com/baarde/cert-manager-webhook-ovh
+ ref:
+ branch: master
+ ignore: |
+ # exclude all
+ /*
+ # include charts directory
+ !/deploy/
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: cert-manager-webhook-ovh
+ namespace: cert-manager
+spec:
+ interval: 5m
+ chart:
+ spec:
+ chart: ./deploy/cert-manager-webhook-ovh
+ version: 0.2.0
+ sourceRef:
+ kind: GitRepository
+ name: cert-manager-webhook-ovh
+ namespace: flux-system
+ interval: 1440m
+ values:
+ groupName: xpander.ovh
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: cert-manager-webhook-ovh:secret-reader
+ namespace: cert-manager
+rules:
+ - apiGroups: [""]
+ resources: ["secrets"]
+ resourceNames: ["ovh-credentials"]
+ verbs: ["get", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+ name: cert-manager-webhook-ovh:secret-reader
+ namespace: cert-manager
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: cert-manager-webhook-ovh:secret-reader
+subjects:
+ - apiGroup: ""
+ kind: ServiceAccount
+ name: cert-manager-webhook-ovh
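Review bot: The GitRepository tracks `branch: master` of a third-party repository while the HelmRelease below pins `version: 0.2.0`, so what actually ships under that version changes with every push to that branch and nothing in the cluster records which commit was deployed; replace the branch with a tag or commit reference, e.g. `ref:` followed by `  tag: <webhook release tag>` (placeholder), so the chart is reproducible and reviewable. The RoleBinding is declared as `rbac.authorization.k8s.io/v1beta1` while the Role two documents up uses `v1`; the beta RBAC API has long been deprecated in favour of `v1`, so `apiVersion: rbac.authorization.k8s.io/v1` keeps the pair consistent and avoids a break when the beta version stops being served. The Role itself is well scoped — `resourceNames: ["ovh-credentials"]` limits the webhook's service account to the one Secret it needs.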
diff --git a/cluster/cert-manager/cert-manager.yaml b/cluster/cert-manager/cert-manager.yaml
new file mode 100644
index 000000000..d092d06ea
--- /dev/null
+++ b/cluster/cert-manager/cert-manager.yaml
@@ -0,0 +1,37 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: cert-manager
+ namespace: cert-manager
+spec:
+ interval: 5m
+ chart:
+ spec:
+ # renovate: registryUrl=https://charts.jetstack.io/
+ chart: cert-manager
+ version: v1.2.0
+ sourceRef:
+ kind: HelmRepository
+ name: jetstack-charts
+ namespace: flux-system
+ interval: 5m
+ values:
+ installCRDs: true
+ webhook:
+ enabled: true
+ extraArgs:
+ - --dns01-recursive-nameservers=ns15.ovh.net:53,dns15.ovh.net:53
+ - --dns01-recursive-nameservers-only
+ cainjector:
+ replicaCount: 1
+ podDnsPolicy: "None"
+ podDnsConfig:
+ nameservers:
+ - "9.9.9.9"
+ - "149.112.112.112"
+ prometheus:
+ enabled: true
+ servicemonitor:
+ enabled: true
+ prometheusInstance: monitoring
diff --git a/cluster/cert-manager/default-cert.yaml b/cluster/cert-manager/default-cert.yaml
new file mode 100644
index 000000000..c07f14fbf
--- /dev/null
+++ b/cluster/cert-manager/default-cert.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: letsencrypt-default-cert
+ namespace: kube-system
+spec:
+ dnsNames:
+ - "*.k3s.xpander.ovh"
+ issuerRef:
+ name: letsencrypt-production
+ kind: ClusterIssuer
+ secretName: letsencrypt-default-cert
diff --git a/cluster/cert-manager/letsencrypt-production.yaml b/cluster/cert-manager/letsencrypt-production.yaml
new file mode 100644
index 000000000..d3d3eccf3
--- /dev/null
+++ b/cluster/cert-manager/letsencrypt-production.yaml
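Review bot: The two `extraArgs` entries in the cert-manager HelmRelease deserve a comment, because a reader seeing `ns15.ovh.net:53,dns15.ovh.net:53` cold cannot tell why cert-manager is told to use those servers and nothing else; proposed, above `extraArgs:`: `# Self-check DNS-01 challenges against the zone's OVH nameservers only, so caching at public resolvers does not stall issuance (assumes ns15/dns15.ovh.net are authoritative for the zone — confirm)`. The `podDnsPolicy: "None"` / Quad9 `podDnsConfig` pair is similarly unexplained, and the indentation in this hunk does not make it obvious whether it applies to `cainjector` only or to every cert-manager pod; a one-line comment naming the component it targets would settle that for the next maintainer.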
@@ -0,0 +1,23 @@
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-staging
+spec:
+ acme:
+ server: https://acme-staging-v02.api.letsencrypt.org/directory
+ email: "webmaster@xpander.ovh"
+ privateKeySecretRef:
+ name: letsencrypt-staging
+ solvers:
+ - dns01:
+ webhook:
+ groupName: "xpander.ovh"
+ solverName: ovh
+ config:
+ endpoint: ovh-eu
+ applicationKey: "uzxdE4oiGPNFytxJ"
+ applicationSecretRef:
+ key: applicationSecret
+ name: ovh-credentials
+ consumerKey: "YOCz0SF2miVVyzzCnrTbZ7ZK9rycXK3p"
diff --git a/cluster/cert-manager/letsencrypt-staging.yaml b/cluster/cert-manager/letsencrypt-staging.yaml
new file mode 100644
index 000000000..321651333
--- /dev/null
+++ b/cluster/cert-manager/letsencrypt-staging.yaml
@@ -0,0 +1,23 @@
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-production
+spec:
+ acme:
+ server: https://acme-v02.api.letsencrypt.org/directory
+ email: "webmaster@xpander.ovh"
+ privateKeySecretRef:
+ name: letsencrypt-production
+ solvers:
+ - dns01:
+ webhook:
+ groupName: "xpander.ovh"
+ solverName: ovh
+ config:
+ endpoint: ovh-eu
+ applicationKey: "uzxdE4oiGPNFytxJ"
+ applicationSecretRef:
+ key: applicationSecret
+ name: ovh-credentials
+ consumerKey: "YOCz0SF2miVVyzzCnrTbZ7ZK9rycXK3p"
diff --git a/cluster/flux-system-custom/helm-charts-repositories/jetstack-charts.yaml b/cluster/flux-system-custom/helm-charts-repositories/jetstack-charts.yaml
new file mode 100644
index 000000000..8d4c92a7c
--- /dev/null
+++ b/cluster/flux-system-custom/helm-charts-repositories/jetstack-charts.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: HelmRepository
+metadata:
+ name: jetstack-charts
+ namespace: flux-system
+spec:
+ interval: 10m
+ url: https://charts.jetstack.io/
+ timeout: 3m
diff --git a/cluster/kube-system/ingress-nginx.yaml b/cluster/kube-system/ingress-nginx.yaml
index 388e95cd8..70e0d8d39 100644
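Review bot: `applicationKey` and `consumerKey` are committed in clear text in this hunk and again in the letsencrypt-staging hunk that follows, while only `applicationSecret` goes through the SOPS-encrypted `ovh-credentials` Secret; the OVH consumer key is an authorization credential in its own right, so once it is in git history it should be treated as exposed and rotated, and the replacement kept with the application secret in the encrypted Secret if the webhook's config offers a reference for it (it takes `applicationSecretRef` here — check the webhook's documentation rather than assuming an equivalent exists for the consumer key). The file names are also swapped against their contents: `letsencrypt-production.yaml` declares `name: letsencrypt-staging` against the staging ACME directory and `letsencrypt-staging.yaml` declares `letsencrypt-production`, so while both apply fine, the next edit will land in the wrong issuer; swap the two file bodies. The two solver blocks are otherwise identical, and a comment on the staging issuer such as `# For testing only: certificates from the staging endpoint are not browser-trusted` would help a reader pick the right `issuerRef`.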
--- a/cluster/kube-system/ingress-nginx.yaml
+++ b/cluster/kube-system/ingress-nginx.yaml
@@ -28,8 +28,9 @@ spec:
 enabled: true
 config:
 ssl-protocols: "TLSv1.3 TLSv1.2"
- #custom-http-errors: 400,403,404,422,500,503
+ custom-http-errors: 404,401,403,500,503
 enable-vts-status: "false"
+ hsts-max-age: "31449600"
 metrics:
 enabled: true
 serviceMonitor:
@@ -38,7 +39,7 @@ spec:
 namespaceSelector:
 any: true
 extraArgs:
- default-ssl-certificate: "kube-system/letsencrypt-k3s-wildcard"
+ default-ssl-certificate: "kube-system/letsencrypt-default-cert"
 resources:
 requests:
 memory: 250Mi
@@ -55,16 +56,16 @@ spec:
 values:
 - ingress-nginx-external
 topologyKey: "kubernetes.io/hostname"
- #defaultBackend:
- # enabled: true
- # image:
- # repository: registry.k3s.xpander.ovh/homelab/custom-error-pages
- # tag: 1.0.1
- # resources:
- # requests:
- # memory: 50Mi
- # cpu: 25m
- # limits:
- # memory: 100Mi
- tcp:
- 8086: monitoring/influxdb:8086
+ defaultBackend:
+ enabled: true
+ image:
+ repository: billimek/custom-error-pages
+ tag: 0.4.4
+ resources:
+ requests:
+ memory: 250Mi
+ cpu: 25m
+ limits:
+ memory: 350Mi
+ #tcp:
+ # 8086: monitoring/influxdb:8086
diff --git a/secrets/cert-manager/application-secret.yaml b/secrets/cert-manager/application-secret.yaml
new file mode 100644
index 000000000..753e76fb3
--- /dev/null
+++ b/secrets/cert-manager/application-secret.yaml
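Review bot: `custom-http-errors: 404,401,403,500,503` is the only value in this `config:` map left unquoted; YAML reads it as a string here, but every neighbour (`ssl-protocols`, `enable-vts-status`, the new `hsts-max-age`) is quoted and ConfigMap data values must be strings, so `custom-http-errors: "404,401,403,500,503"` keeps the map uniform and guards against a later edit trimming it to a single bare number that would be typed as an integer. The enclosing `spec.values` block starts and ends outside this hunk.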
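Review bot: The default backend in the third hunk now pulls `billimek/custom-error-pages` by the mutable tag `0.4.4` from a public registry, replacing an image served from the cluster's own registry; since this pod renders every error response the ingress emits, pin it by digest (placeholder `<sha256 digest>`, via whichever field this chart version exposes for it) so the deployment is reproducible and a registry-side retag is noticed rather than silently rolled out. The `tcp:` exposure of `monitoring/influxdb:8086` is commented out rather than deleted; if it is intentionally retired, removing the two lines keeps the values file from accumulating dead config, and if it is meant to come back, a short comment saying why it is disabled would help. The enclosing `spec.values` block starts outside this hunk.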
@@ -0,0 +1,36 @@
+kind: Secret
+apiVersion: v1
+metadata:
+ name: ovh-credentials
+ namespace: cert-manager
+data:
+ applicationSecret: ENC[AES256_GCM,data:X4hjfpunm2ZtlRzVYHRv+Kjfsls52wYdnpnJOD4YPP6eRcGawY8ia7EsuLo=,iv:JoclyUjFFhG0+czwj+5sCyMzecPfaC9o1mhfGljVQHM=,tag:iiXFsIbpkf07BXVMXUwJSQ==,type:str]
+type: Opaque
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ lastmodified: "2021-04-07T11:49:29Z"
+ mac: ENC[AES256_GCM,data:cFRZ3m676CMTSvslEvSWxndFohaO7NhRJodkoSiTDgvPklvwp8OBFuohCgYnOZssuIJ8NXXN1Pgh1zXZxAqmEIXNzAXadsMtvs20ebr/wNdp0OAxyNlchDnhFDvCUA9mAcYUhcjQwsYuO27gr3N1D1cDMziRwWdOZnoEGjP796o=,iv:uZBoevfg1UhA5aDFpr6lZdCsqCsEwiraTB9VSz5Qh/4=,tag:VTZnfA9rAjQYgGTPihmPFw==,type:str]
+ pgp:
+ - created_at: "2021-04-07T11:49:29Z"
+ enc: |
+ -----BEGIN PGP MESSAGE-----
+
+ hQGMA/JorPHm1g9XAQv+Kp+vRs3Vyt5J5VVkeXeuKktwfP9diLkfeuNtvpA+iyA+
+ gpRjydvXWit4/CPG5Hvsv7K2OzV4yPv5uXEDrTv9R2e/0Xs4E0tAjInCAJLXIOcn
+ ngg7VNmP6wXkKaSChnpbcB7oMHL/oSNH/ADmaJn9eMtmJG0nZdalYoZ4ul3gpfq+
+ KTuVIJaAhpbTlnZK4mVbEXCSIoXoJcqGlYxfFk9lCiyfNq8VarTDCE+8kwNDcxyU
+ 7HkLEjNiT2iXpmz/k0CK/OST1Mk7lDmrThAPcOF8E2hrvN52JKBAxJELYdqGDFVm
+ tq47fWtMY4sMIeGtRXOOb0Cx/APmCg0d2jgu330PucYLDxJ2UYew/OZJi7+o7zuN
+ zptDc1QbLt9ve0I9rcXb+KixsII/1b5xaBNiYdxWfE8Nq+9ZZv5IyP+lWHDkCAoJ
+ fjuxDvVswD22kGzyBb6TMSQdDQm2x75QoPsBW/HSbvawSxFuXOiNzAaI+SMtvdYw
+ QC8CGcNor1Nt3TcskLC80lwBsVNicd/dIP07J3uv+aXM/ejUTYjT3zgTDler7TRb
+ PhAW60r9rFQYT3AgRpXOkOpdv2Ev/MdA4tWtJILID1egehlmsGIW/OxVM90EQekE
+ SghN+1kp+BcQpajO1g==
+ =4XwJ
+ -----END PGP MESSAGE-----
+ fp: C8F8A49D04A1AB639F8EA21CDBA4B1DCB1FA5BDD
+ encrypted_regex: ^(data|stringData)$
+ version: 3.6.1