add cert-manager

cluster/cert-manager/_namespace.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: cert-manager
+  labels:
+    goldilocks.fairwinds.com/enabled: "true"

cluster/cert-manager/cert-manager-webhook-ovh.yaml

@@ -0,0 +1,60 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: GitRepository
+metadata:
+  name: cert-manager-webhook-ovh
+  namespace: flux-system
+spec:
+  interval: 1440m
+  url: https://github.com/baarde/cert-manager-webhook-ovh
+  ref:
+    branch: master
+  ignore: |
+    # exclude all
+    /*
+    # include charts directory
+    !/deploy/
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: cert-manager-webhook-ovh
+  namespace: cert-manager
+spec:
+  interval: 5m
+  chart:
+    spec:
+      chart: ./deploy/cert-manager-webhook-ovh
+      version: 0.2.0
+      sourceRef:
+        kind: GitRepository
+        name: cert-manager-webhook-ovh
+        namespace: flux-system
+      interval: 1440m
+  values:
+    groupName: xpander.ovh
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: cert-manager-webhook-ovh:secret-reader
+  namespace: cert-manager
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    resourceNames: ["ovh-credentials"]
+    verbs: ["get", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+  name: cert-manager-webhook-ovh:secret-reader
+  namespace: cert-manager
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: cert-manager-webhook-ovh:secret-reader
+subjects:
+  - apiGroup: ""
+    kind: ServiceAccount
+    name: cert-manager-webhook-ovh

cluster/cert-manager/cert-manager.yaml

@@ -0,0 +1,37 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: cert-manager
+  namespace: cert-manager
+spec:
+  interval: 5m
+  chart:
+    spec:
+      # renovate: registryUrl=https://charts.jetstack.io/
+      chart: cert-manager
+      version: v1.2.0
+      sourceRef:
+        kind: HelmRepository
+        name: jetstack-charts
+        namespace: flux-system
+      interval: 5m
+  values:
+    installCRDs: true
+    webhook:
+      enabled: true
+    extraArgs:
+      - --dns01-recursive-nameservers=ns15.ovh.net:53,dns15.ovh.net:53
+      - --dns01-recursive-nameservers-only
+    cainjector:
+      replicaCount: 1
+    podDnsPolicy: "None"
+    podDnsConfig:
+      nameservers:
+        - "9.9.9.9"
+        - "149.112.112.112"
+    prometheus:
+      enabled: true
+      servicemonitor:
+        enabled: true
+        prometheusInstance: monitoring

cluster/cert-manager/default-cert.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: letsencrypt-default-cert
+  namespace: kube-system
+spec:
+  dnsNames:
+    - "*.k3s.xpander.ovh"
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  secretName: letsencrypt-default-cert

cluster/cert-manager/letsencrypt-production.yaml

@@ -0,0 +1,23 @@
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-staging
+spec:
+  acme:
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    email: "webmaster@xpander.ovh"
+    privateKeySecretRef:
+      name: letsencrypt-staging
+    solvers:
+      - dns01:
+          webhook:
+            groupName: "xpander.ovh"
+            solverName: ovh
+            config:
+              endpoint: ovh-eu
+              applicationKey: "uzxdE4oiGPNFytxJ"
+              applicationSecretRef:
+                key: applicationSecret
+                name: ovh-credentials
+              consumerKey: "YOCz0SF2miVVyzzCnrTbZ7ZK9rycXK3p"

cluster/cert-manager/letsencrypt-staging.yaml

@@ -0,0 +1,23 @@
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-production
+spec:
+  acme:
+    server: https://acme-v02.api.letsencrypt.org/directory
+    email: "webmaster@xpander.ovh"
+    privateKeySecretRef:
+      name: letsencrypt-production
+    solvers:
+      - dns01:
+          webhook:
+            groupName: "xpander.ovh"
+            solverName: ovh
+            config:
+              endpoint: ovh-eu
+              applicationKey: "uzxdE4oiGPNFytxJ"
+              applicationSecretRef:
+                key: applicationSecret
+                name: ovh-credentials
+              consumerKey: "YOCz0SF2miVVyzzCnrTbZ7ZK9rycXK3p"

cluster/flux-system-custom/helm-charts-repositories/jetstack-charts.yaml

@@ -0,0 +1,10 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: HelmRepository
+metadata:
+  name: jetstack-charts
+  namespace: flux-system
+spec:
+  interval: 10m
+  url: https://charts.jetstack.io/
+  timeout: 3m

cluster/kube-system/ingress-nginx.yaml

@@ -28,8 +28,9 @@ spec:
         enabled: true
       config:
         ssl-protocols: "TLSv1.3 TLSv1.2"
-        #custom-http-errors: 400,403,404,422,500,503
+        custom-http-errors: 404,401,403,500,503
         enable-vts-status: "false"
+        hsts-max-age: "31449600"
       metrics:
         enabled: true
         serviceMonitor:
@@ -38,7 +39,7 @@ spec:
           namespaceSelector:
             any: true
       extraArgs:
-        default-ssl-certificate: "kube-system/letsencrypt-k3s-wildcard"
+        default-ssl-certificate: "kube-system/letsencrypt-default-cert"
       resources:
         requests:
           memory: 250Mi
@@ -55,16 +56,16 @@ spec:
                     values:
                       - ingress-nginx-external
               topologyKey: "kubernetes.io/hostname"
-    #defaultBackend:
-    #  enabled: true
-    #  image:
-    #    repository: registry.k3s.xpander.ovh/homelab/custom-error-pages
-    #    tag: 1.0.1
-    #  resources:
-    #    requests:
-    #      memory: 50Mi
-    #      cpu: 25m
-    #    limits:
-    #      memory: 100Mi
-    tcp:
-      8086: monitoring/influxdb:8086
+    defaultBackend:
+      enabled: true
+      image:
+        repository: billimek/custom-error-pages
+        tag: 0.4.4
+      resources:
+        requests:
+          memory: 250Mi
+          cpu: 25m
+        limits:
+          memory: 350Mi
+    #tcp:
+    #  8086: monitoring/influxdb:8086

secrets/cert-manager/application-secret.yaml

@@ -0,0 +1,36 @@
+kind: Secret
+apiVersion: v1
+metadata:
+  name: ovh-credentials
+  namespace: cert-manager
+data:
+  applicationSecret: ENC[AES256_GCM,data:X4hjfpunm2ZtlRzVYHRv+Kjfsls52wYdnpnJOD4YPP6eRcGawY8ia7EsuLo=,iv:JoclyUjFFhG0+czwj+5sCyMzecPfaC9o1mhfGljVQHM=,tag:iiXFsIbpkf07BXVMXUwJSQ==,type:str]
+type: Opaque
+sops:
+  kms: []
+  gcp_kms: []
+  azure_kv: []
+  hc_vault: []
+  lastmodified: "2021-04-07T11:49:29Z"
+  mac: ENC[AES256_GCM,data:cFRZ3m676CMTSvslEvSWxndFohaO7NhRJodkoSiTDgvPklvwp8OBFuohCgYnOZssuIJ8NXXN1Pgh1zXZxAqmEIXNzAXadsMtvs20ebr/wNdp0OAxyNlchDnhFDvCUA9mAcYUhcjQwsYuO27gr3N1D1cDMziRwWdOZnoEGjP796o=,iv:uZBoevfg1UhA5aDFpr6lZdCsqCsEwiraTB9VSz5Qh/4=,tag:VTZnfA9rAjQYgGTPihmPFw==,type:str]
+  pgp:
+    - created_at: "2021-04-07T11:49:29Z"
+      enc: |
+        -----BEGIN PGP MESSAGE-----
+
+        hQGMA/JorPHm1g9XAQv+Kp+vRs3Vyt5J5VVkeXeuKktwfP9diLkfeuNtvpA+iyA+
+        gpRjydvXWit4/CPG5Hvsv7K2OzV4yPv5uXEDrTv9R2e/0Xs4E0tAjInCAJLXIOcn
+        ngg7VNmP6wXkKaSChnpbcB7oMHL/oSNH/ADmaJn9eMtmJG0nZdalYoZ4ul3gpfq+
+        KTuVIJaAhpbTlnZK4mVbEXCSIoXoJcqGlYxfFk9lCiyfNq8VarTDCE+8kwNDcxyU
+        7HkLEjNiT2iXpmz/k0CK/OST1Mk7lDmrThAPcOF8E2hrvN52JKBAxJELYdqGDFVm
+        tq47fWtMY4sMIeGtRXOOb0Cx/APmCg0d2jgu330PucYLDxJ2UYew/OZJi7+o7zuN
+        zptDc1QbLt9ve0I9rcXb+KixsII/1b5xaBNiYdxWfE8Nq+9ZZv5IyP+lWHDkCAoJ
+        fjuxDvVswD22kGzyBb6TMSQdDQm2x75QoPsBW/HSbvawSxFuXOiNzAaI+SMtvdYw
+        QC8CGcNor1Nt3TcskLC80lwBsVNicd/dIP07J3uv+aXM/ejUTYjT3zgTDler7TRb
+        PhAW60r9rFQYT3AgRpXOkOpdv2Ev/MdA4tWtJILID1egehlmsGIW/OxVM90EQekE
+        SghN+1kp+BcQpajO1g==
+        =4XwJ
+        -----END PGP MESSAGE-----
+      fp: C8F8A49D04A1AB639F8EA21CDBA4B1DCB1FA5BDD
+  encrypted_regex: ^(data|stringData)$
+  version: 3.6.1