🔧 use raw chart for cert-manager

cluster/apps/networking/cert-manager/certificates/helm-release.yaml

@@ -0,0 +1,42 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: cert-manager-certificates
+  namespace: default
+spec:
+  interval: 15m
+  chart:
+    spec:
+      chart: raw
+      version: v0.3.1
+      sourceRef:
+        kind: HelmRepository
+        name: dysnix-charts
+        namespace: flux-system
+  install:
+    createNamespace: true
+    remediation:
+      retries: 5
+  upgrade:
+    remediation:
+      retries: 5
+  dependsOn:
+    - name: cert-manager-issuers
+      namespace: default
+  values:
+    resources:
+      - apiVersion: cert-manager.io/v1
+        kind: Certificate
+        metadata:
+          name: "${SECRET_CLUSTER_DOMAIN/./-}"
+          namespace: default
+        spec:
+          secretName: "${SECRET_CLUSTER_DOMAIN/./-}-tls"
+          issuerRef:
+            name: letsencrypt-production
+            kind: ClusterIssuer
+          commonName: "${SECRET_CLUSTER_DOMAIN}"
+          dnsNames:
+            - "${SECRET_CLUSTER_DOMAIN}"
+            - "*.${SECRET_CLUSTER_DOMAIN}"

cluster/apps/networking/cert-manager/certificates/kustomization.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - helm-release.yaml

cluster/apps/networking/cert-manager/helm-release.yaml

@@ -3,7 +3,7 @@ apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
   name: cert-manager
-  namespace: cert-manager
+  namespace: default
 spec:
   interval: 15m
   chart:
@@ -14,7 +14,7 @@ spec:
         kind: HelmRepository
         name: jetstack-charts
         namespace: flux-system
-      interval: 5m
+      interval: 15m
   install:
     createNamespace: true
     crds: CreateReplace

cluster/apps/networking/cert-manager/issuers/helm-release.yaml

@@ -0,0 +1,74 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: cert-manager-issuers
+  namespace: cert-manager
+spec:
+  interval: 15m
+  chart:
+    spec:
+      chart: raw
+      version: v0.3.1
+      sourceRef:
+        kind: HelmRepository
+        name: dysnix-charts
+        namespace: flux-system
+  install:
+    createNamespace: true
+    remediation:
+      retries: 5
+  upgrade:
+    remediation:
+      retries: 5
+  dependsOn:
+    - name: cert-manager
+      namespace: default
+    - name: cert-manager-webhook-ovh
+      namespace: default
+  values:
+    resources:
+      - apiVersion: cert-manager.io/v1
+        kind: ClusterIssuer
+        metadata:
+          name: letsencrypt-production
+        spec:
+          acme:
+            server: https://acme-v02.api.letsencrypt.org/directory
+            email: "${SECRET_CLUSTER_DOMAIN_EMAIL}"
+            privateKeySecretRef:
+              name: letsencrypt-production
+            solvers:
+              - dns01:
+                  webhook:
+                    groupName: "${SECRET_DOMAIN}"
+                    solverName: ovh
+                    config:
+                      endpoint: ovh-eu
+                      applicationKey: "${SECRET_CLUSTER_OVH_APPLICATION_KEY}"
+                      applicationSecretRef:
+                        key: applicationSecret
+                        name: ovh-credentials
+                      consumerKey: "${SECRET_CLUSTER_OVH_CONSUMER_KEY}"
+      - apiVersion: cert-manager.io/v1
+        kind: ClusterIssuer
+        metadata:
+          name: letsencrypt-staging
+        spec:
+          acme:
+            server: https://acme-staging-v02.api.letsencrypt.org/directory
+            email: "${SECRET_CLUSTER_DOMAIN_EMAIL}"
+            privateKeySecretRef:
+              name: letsencrypt-production
+            solvers:
+              - dns01:
+                  webhook:
+                    groupName: "${SECRET_DOMAIN}"
+                    solverName: ovh
+                    config:
+                      endpoint: ovh-eu
+                      applicationKey: "${SECRET_CLUSTER_OVH_APPLICATION_KEY}"
+                      applicationSecretRef:
+                        key: applicationSecret
+                        name: ovh-credentials
+                      consumerKey: "${SECRET_CLUSTER_OVH_CONSUMER_KEY}"

cluster/apps/networking/cert-manager/issuers/kustomization.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - helm-release.yaml

cluster/apps/networking/cert-manager/kustomization.yaml

@@ -6,6 +6,4 @@ resources:
   - secret.sops.yaml
   - helm-release.yaml
   - webhook-ovh
-  - letsencrypt-production.yaml
-  - letsencrypt-staging.yaml
   - prometheus-rule.yaml

cluster/apps/networking/cert-manager/prometheus-rule.yaml

@@ -3,7 +3,7 @@ apiVersion: monitoring.coreos.com/v1
 kind: PrometheusRule
 metadata:
   name: cert-manager.rules
-  namespace: cert-manager
+  namespace: default
 spec:
   groups:
     - name: cert-manager
@@ -15,7 +15,8 @@ spec:
           labels:
             severity: critical
           annotations:
-            description: "New certificates will not be able to be minted, and existing
+            description:
+              "New certificates will not be able to be minted, and existing
               ones can't be renewed until cert-manager is back."
             runbook_url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagerabsent
             summary: "Cert Manager has dissapeared from Prometheus service discovery."
@@ -30,11 +31,13 @@ spec:
           labels:
             severity: warning
           annotations:
-            description: "The domain that this cert covers will be unavailable after
+            description:
+              "The domain that this cert covers will be unavailable after
               {{ $value | humanizeDuration }}. Clients using endpoints that this cert
               protects will start to fail in {{ $value | humanizeDuration }}."
             runbook_url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagercertexpirysoon
-            summary: "The cert {{ $labels.name }} is {{ $value | humanizeDuration }}
+            summary:
+              "The cert {{ $labels.name }} is {{ $value | humanizeDuration }}
               from expiry, it should have renewed over a week ago."
         - alert: CertManagerCertNotReady
           expr: |
@@ -44,7 +47,8 @@ spec:
           labels:
             severity: critical
           annotations:
-            description: "This certificate has not been ready to serve traffic for at least
+            description:
+              "This certificate has not been ready to serve traffic for at least
               10m. If the cert is being renewed or there is another valid cert, the ingress
               controller _may_ be able to serve that instead."
             runbook_url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagercertnotready
@@ -57,7 +61,8 @@ spec:
           labels:
             severity: critical
           annotations:
-            description: "Depending on the rate limit, cert-manager may be unable to generate
+            description:
+              "Depending on the rate limit, cert-manager may be unable to generate
               certificates for up to a week."
             runbook_url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagerhittingratelimits
             summary: "Cert manager hitting LetsEncrypt rate limits."

cluster/apps/networking/cert-manager/secret.sops.yaml

@@ -2,7 +2,7 @@ kind: Secret
 apiVersion: v1
 metadata:
     name: ovh-credentials
-    namespace: cert-manager
+    namespace: default
 stringData:
     applicationSecret: ENC[AES256_GCM,data:9vWD0QZ5mSIVhTOg5BinGUhEdJW0Tv6/CzoJor2FO5I=,iv:ymVqh3DKnvTzKi8nWW6ULDLyJLfXE/HDGLmTmLuo9WE=,tag:Aoy6ClqB1K4HVNn6d8H94w==,type:str]
 type: Opaque
@@ -14,13 +14,13 @@ sops:
     age:
         - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
           enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDcGV1NGhhY3hOa0pjSThx
-            ZGt5Y2FPNVcrN0d1SCtCS2NjMHFjM2Y0QUJ3CncvUzB2QlpDL0xxZTQ4NVFyNm51
-            bFovMHhXRDVwSmpGaDR2YnBlTUQzTEkKLS0tIGx6bjRQNHQ4enJZN1UydEtiSkxP
-            d0Vid3lIQ0NPSmxicFlBN2NCRnE5ZFUKo1l3ST2oUmaWBgbjub/BWPpRzB588ZoJ
-            NvB6P1YivKsDZf/fsRT0gf1GPx9gZgql/w3g/9mggKANW4rFrMH1Mg==
-            -----END AGE ENCRYPTED FILE-----
+              -----BEGIN AGE ENCRYPTED FILE-----
+              YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDcGV1NGhhY3hOa0pjSThx
+              ZGt5Y2FPNVcrN0d1SCtCS2NjMHFjM2Y0QUJ3CncvUzB2QlpDL0xxZTQ4NVFyNm51
+              bFovMHhXRDVwSmpGaDR2YnBlTUQzTEkKLS0tIGx6bjRQNHQ4enJZN1UydEtiSkxP
+              d0Vid3lIQ0NPSmxicFlBN2NCRnE5ZFUKo1l3ST2oUmaWBgbjub/BWPpRzB588ZoJ
+              NvB6P1YivKsDZf/fsRT0gf1GPx9gZgql/w3g/9mggKANW4rFrMH1Mg==
+              -----END AGE ENCRYPTED FILE-----
     lastmodified: "2022-07-03T14:42:43Z"
     mac: ENC[AES256_GCM,data:shI/qzyWbCozb7CH4KgwZStp21+c/CsT5y+TtdzI+O5Xbbg4WHwUIw73DEqvOD8Rrj39Ym53L8f6G7apvAToU1nv23POs/e4ew2yMOhypfsw19hq93IDLmon6jmj7C2DCSwLWukzCX3/Ot+OELm8t8svZYDD+xE1wtYidmfiZdo=,iv:tURq+EP7UqMKaKHkWD4K3E4lLKFNqBLFut1Se8sC9No=,tag:RAbjiVPIEtkOoAFWE+/l7A==,type:str]
     pgp: []

cluster/apps/networking/cert-manager/webhook-ovh/helm-release.yaml

@@ -3,7 +3,7 @@ apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
   name: cert-manager-webhook-ovh
-  namespace: cert-manager
+  namespace: default
 spec:
   interval: 15m
   chart:

cluster/apps/networking/cert-manager/webhook-ovh/rbac.yaml

@@ -3,7 +3,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: cert-manager-webhook-ovh:secret-reader
-  namespace: cert-manager
+  namespace: default
 rules:
   - apiGroups: [""]
     resources: ["secrets"]
@@ -14,7 +14,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: cert-manager-webhook-ovh:secret-reader
-  namespace: cert-manager
+  namespace: default
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
@@ -23,4 +23,4 @@ subjects:
   - apiGroup: ""
     kind: ServiceAccount
     name: cert-manager-webhook-ovh
-    namespace: cert-manager
+    namespace: default

cluster/apps/networking/ingress-nginx/certificate.yaml

@@ -1,15 +0,0 @@
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: "${SECRET_CLUSTER_DOMAIN/./-}"
-  namespace: default
-spec:
-  secretName: "${SECRET_CLUSTER_DOMAIN/./-}-tls"
-  issuerRef:
-    name: letsencrypt-production
-    kind: ClusterIssuer
-  commonName: "${SECRET_CLUSTER_DOMAIN}"
-  dnsNames:
-    - "${SECRET_CLUSTER_DOMAIN}"
-    - "*.${SECRET_CLUSTER_DOMAIN}"

cluster/apps/networking/ingress-nginx/helm-release.yaml

@@ -23,7 +23,7 @@ spec:
       retries: 5
   dependsOn:
     - name: cert-manager
-      namespace: cert-manager
+      namespace: default
   values:
     controller:
       replicaCount: 1

cluster/apps/networking/ingress-nginx/kustomization.yaml

@@ -2,5 +2,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - certificate.yaml
   - helm-release.yaml

cluster/apps/networking/kustomization.yaml

@@ -2,6 +2,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+  - cert-manager
   - external-dns
   - ingress-nginx
   - k8s-gateway

cluster/core/cert-manager/letsencrypt-production.yaml

@@ -1,23 +0,0 @@
----
-apiVersion: cert-manager.io/v1
-kind: ClusterIssuer
-metadata:
-  name: letsencrypt-production
-spec:
-  acme:
-    server: https://acme-v02.api.letsencrypt.org/directory
-    email: "${SECRET_CLUSTER_DOMAIN_EMAIL}"
-    privateKeySecretRef:
-      name: letsencrypt-production
-    solvers:
-      - dns01:
-          webhook:
-            groupName: "${SECRET_DOMAIN}"
-            solverName: ovh
-            config:
-              endpoint: ovh-eu
-              applicationKey: "${SECRET_CLUSTER_OVH_APPLICATION_KEY}"
-              applicationSecretRef:
-                key: applicationSecret
-                name: ovh-credentials
-              consumerKey: "${SECRET_CLUSTER_OVH_CONSUMER_KEY}"

cluster/core/cert-manager/letsencrypt-staging.yaml

@@ -1,23 +0,0 @@
----
-apiVersion: cert-manager.io/v1
-kind: ClusterIssuer
-metadata:
-  name: letsencrypt-staging
-spec:
-  acme:
-    server: https://acme-staging-v02.api.letsencrypt.org/directory
-    email: "${SECRET_CLUSTER_DOMAIN_EMAIL}"
-    privateKeySecretRef:
-      name: letsencrypt-staging
-    solvers:
-      - dns01:
-          webhook:
-            groupName: "${SECRET_DOMAIN}"
-            solverName: ovh
-            config:
-              endpoint: ovh-eu
-              applicationKey: "${SECRET_CLUSTER_OVH_APPLICATION_KEY}"
-              applicationSecretRef:
-                key: applicationSecret
-                name: ovh-credentials
-              consumerKey: "${SECRET_CLUSTER_OVH_CONSUMER_KEY}"

cluster/core/kustomization.yaml

@@ -1,7 +1,6 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - cert-manager
   - flux-system
   - k10
   - rook-ceph