From ce1082e9894b386a60f815ca585db92ecc6062b3 Mon Sep 17 00:00:00 2001 
From: auricom <27022259+auricom@users.noreply.github.com> Date: Thu, 20 Oct 2022 05:41:37 +0200 Subject: [PATCH] =?UTF-8?q?=F0=9F=94=A7=20use=20raw=20chart=20for=20cert-m?= =?UTF-8?q?anager?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../certificates/helm-release.yaml | 42 +++++++++++ .../certificates/kustomization.yaml | 5 ++ .../cert-manager/helm-release.yaml | 4 +- .../cert-manager/issuers/helm-release.yaml | 74 +++++++++++++++++++ .../cert-manager/issuers/kustomization.yaml | 5 ++ .../cert-manager/kustomization.yaml | 2 - .../networking}/cert-manager/namespace.yaml | 0 .../cert-manager/prometheus-rule.yaml | 17 +++-- .../networking}/cert-manager/secret.sops.yaml | 16 ++-- .../webhook-ovh/helm-release.yaml | 2 +- .../webhook-ovh/kustomization.yaml | 0 .../cert-manager/webhook-ovh/rbac.yaml | 6 +- .../networking/ingress-nginx/certificate.yaml | 15 ---- .../ingress-nginx/helm-release.yaml | 2 +- .../ingress-nginx/kustomization.yaml | 1 - cluster/apps/networking/kustomization.yaml | 1 + .../cert-manager/letsencrypt-production.yaml | 23 ------ .../cert-manager/letsencrypt-staging.yaml | 23 ------ cluster/core/kustomization.yaml | 1 - 19 files changed, 153 insertions(+), 86 deletions(-) create mode 100644 cluster/apps/networking/cert-manager/certificates/helm-release.yaml create mode 100644 cluster/apps/networking/cert-manager/certificates/kustomization.yaml rename cluster/{core => apps/networking}/cert-manager/helm-release.yaml (94%) create mode 100644 cluster/apps/networking/cert-manager/issuers/helm-release.yaml create mode 100644 cluster/apps/networking/cert-manager/issuers/kustomization.yaml rename cluster/{core => apps/networking}/cert-manager/kustomization.yaml (74%) rename cluster/{core => apps/networking}/cert-manager/namespace.yaml (100%) rename cluster/{core => apps/networking}/cert-manager/prometheus-rule.yaml (82%) rename cluster/{core => apps/networking}/cert-manager/secret.sops.yaml (62%) rename 
cluster/{core => apps/networking}/cert-manager/webhook-ovh/helm-release.yaml (93%)
 rename cluster/{core => apps/networking}/cert-manager/webhook-ovh/kustomization.yaml (100%)
 rename cluster/{core => apps/networking}/cert-manager/webhook-ovh/rbac.yaml (87%)
 delete mode 100644 cluster/apps/networking/ingress-nginx/certificate.yaml
 delete mode 100644 cluster/core/cert-manager/letsencrypt-production.yaml
 delete mode 100644 cluster/core/cert-manager/letsencrypt-staging.yaml
diff --git a/cluster/apps/networking/cert-manager/certificates/helm-release.yaml b/cluster/apps/networking/cert-manager/certificates/helm-release.yaml
new file mode 100644
index 000000000..1554bdee2
--- /dev/null
+++ b/cluster/apps/networking/cert-manager/certificates/helm-release.yaml
@@ -0,0 +1,42 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: cert-manager-certificates
+ namespace: default
+spec:
+ interval: 15m
+ chart:
+ spec:
+ chart: raw
+ version: v0.3.1
+ sourceRef:
+ kind: HelmRepository
+ name: dysnix-charts
+ namespace: flux-system
+ install:
+ createNamespace: true
+ remediation:
+ retries: 5
+ upgrade:
+ remediation:
+ retries: 5
+ dependsOn:
+ - name: cert-manager-issuers
+ namespace: default
+ values:
+ resources:
+ - apiVersion: cert-manager.io/v1
+ kind: Certificate
+ metadata:
+ name: "${SECRET_CLUSTER_DOMAIN/./-}"
+ namespace: default
+ spec:
+ secretName: "${SECRET_CLUSTER_DOMAIN/./-}-tls"
+ issuerRef:
+ name: letsencrypt-production
+ kind: ClusterIssuer
+ commonName: "${SECRET_CLUSTER_DOMAIN}"
+ dnsNames:
+ - "${SECRET_CLUSTER_DOMAIN}"
+ - "*.${SECRET_CLUSTER_DOMAIN}"
diff --git a/cluster/apps/networking/cert-manager/certificates/kustomization.yaml b/cluster/apps/networking/cert-manager/certificates/kustomization.yaml
new file mode 100644
index 000000000..2fa2de20c
--- /dev/null
+++ b/cluster/apps/networking/cert-manager/certificates/kustomization.yaml
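Review bot: `dependsOn` in the new cert-manager-certificates release names `cert-manager-issuers` in `namespace: default`, but the issuers HelmRelease added later in this patch (issuers/helm-release.yaml) declares `metadata.namespace: cert-manager`, so as written the dependency can never be resolved and Flux will hold this release indefinitely. Every other cert-manager object in the patch moves to `default`, which makes the issuers release's own namespace look like the leftover; change it to `namespace: default` there, or if `cert-manager` was intended, point this `dependsOn` entry at `namespace: cert-manager` instead. The same mismatch affects the issuers hunk below; I have not repeated it there.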
@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - helm-release.yaml
diff --git a/cluster/core/cert-manager/helm-release.yaml b/cluster/apps/networking/cert-manager/helm-release.yaml
similarity index 94%
rename from cluster/core/cert-manager/helm-release.yaml
rename to cluster/apps/networking/cert-manager/helm-release.yaml
index 62d266d25..7e5f3627a 100644
--- a/cluster/core/cert-manager/helm-release.yaml
+++ b/cluster/apps/networking/cert-manager/helm-release.yaml
@@ -3,7 +3,7 @@ apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
 name: cert-manager
- namespace: cert-manager
+ namespace: default
 spec:
 interval: 15m
 chart:
@@ -14,7 +14,7 @@ spec:
 kind: HelmRepository
 name: jetstack-charts
 namespace: flux-system
- interval: 5m
+ interval: 15m
 install:
 createNamespace: true
 crds: CreateReplace
diff --git a/cluster/apps/networking/cert-manager/issuers/helm-release.yaml b/cluster/apps/networking/cert-manager/issuers/helm-release.yaml
new file mode 100644
index 000000000..672b3ef38
--- /dev/null
+++ b/cluster/apps/networking/cert-manager/issuers/helm-release.yaml
@@ -0,0 +1,74 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: cert-manager-issuers
+ namespace: cert-manager
+spec:
+ interval: 15m
+ chart:
+ spec:
+ chart: raw
+ version: v0.3.1
+ sourceRef:
+ kind: HelmRepository
+ name: dysnix-charts
+ namespace: flux-system
+ install:
+ createNamespace: true
+ remediation:
+ retries: 5
+ upgrade:
+ remediation:
+ retries: 5
+ dependsOn:
+ - name: cert-manager
+ namespace: default
+ - name: cert-manager-webhook-ovh
+ namespace: default
+ values:
+ resources:
+ - apiVersion: cert-manager.io/v1
+ kind: ClusterIssuer
+ metadata:
+ name: letsencrypt-production
+ spec:
+ acme:
+ server: https://acme-v02.api.letsencrypt.org/directory
+ email: "${SECRET_CLUSTER_DOMAIN_EMAIL}"
+ privateKeySecretRef:
+ name: letsencrypt-production
+ solvers:
+ - dns01:
+ webhook:
+ groupName: "${SECRET_DOMAIN}"
+ solverName: ovh
+ config:
+ endpoint: ovh-eu
+ applicationKey: "${SECRET_CLUSTER_OVH_APPLICATION_KEY}"
+ applicationSecretRef:
+ key: applicationSecret
+ name: ovh-credentials
+ consumerKey: "${SECRET_CLUSTER_OVH_CONSUMER_KEY}"
+ - apiVersion: cert-manager.io/v1
+ kind: ClusterIssuer
+ metadata:
+ name: letsencrypt-staging
+ spec:
+ acme:
+ server: https://acme-staging-v02.api.letsencrypt.org/directory
+ email: "${SECRET_CLUSTER_DOMAIN_EMAIL}"
+ privateKeySecretRef:
+ name: letsencrypt-production
+ solvers:
+ - dns01:
+ webhook:
+ groupName: "${SECRET_DOMAIN}"
+ solverName: ovh
+ config:
+ endpoint: ovh-eu
+ applicationKey: "${SECRET_CLUSTER_OVH_APPLICATION_KEY}"
+ applicationSecretRef:
+ key: applicationSecret
+ name: ovh-credentials
+ consumerKey: "${SECRET_CLUSTER_OVH_CONSUMER_KEY}"
diff --git a/cluster/apps/networking/cert-manager/issuers/kustomization.yaml b/cluster/apps/networking/cert-manager/issuers/kustomization.yaml
new file mode 100644
index 000000000..2fa2de20c
--- /dev/null
+++ b/cluster/apps/networking/cert-manager/issuers/kustomization.yaml
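Review bot: The `letsencrypt-staging` ClusterIssuer in this hunk sets `privateKeySecretRef.name: letsencrypt-production`, whereas the file it replaces (cluster/core/cert-manager/letsencrypt-staging.yaml, deleted further down) used `letsencrypt-staging`; the staging and production issuers now share one ACME account key secret, which couples the two accounts for no reason and reads as a copy-paste slip. Restore `name: letsencrypt-staging` under the staging issuer's `privateKeySecretRef`. Separately, because the ClusterIssuers are now rendered from HelmRelease `values`, the substituted `applicationKey` and `consumerKey` end up not only in the cluster-scoped ClusterIssuer objects (as before) but also in this HelmRelease object and in Helm's release-storage Secret in the release namespace, so anyone with read access to HelmReleases or Secrets there can read the OVH consumer key. Keep that namespace's RBAC tight, or move the consumer key into `ovh-credentials` if the webhook's config schema accepts a secret reference for it (only `applicationSecretRef` is visible here, so that may not be available).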
@@ -0,0 +1,5 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - helm-release.yaml diff --git a/cluster/core/cert-manager/kustomization.yaml b/cluster/apps/networking/cert-manager/kustomization.yaml similarity index 74% rename from cluster/core/cert-manager/kustomization.yaml rename to cluster/apps/networking/cert-manager/kustomization.yaml index 93e836e18..eafa59a09 100644 --- a/cluster/core/cert-manager/kustomization.yaml +++ b/cluster/apps/networking/cert-manager/kustomization.yaml @@ -6,6 +6,4 @@ resources: - secret.sops.yaml - helm-release.yaml - webhook-ovh - - letsencrypt-production.yaml - - letsencrypt-staging.yaml - prometheus-rule.yaml diff --git a/cluster/core/cert-manager/namespace.yaml b/cluster/apps/networking/cert-manager/namespace.yaml similarity index 100% rename from cluster/core/cert-manager/namespace.yaml rename to cluster/apps/networking/cert-manager/namespace.yaml diff --git a/cluster/core/cert-manager/prometheus-rule.yaml b/cluster/apps/networking/cert-manager/prometheus-rule.yaml similarity index 82% rename from cluster/core/cert-manager/prometheus-rule.yaml rename to cluster/apps/networking/cert-manager/prometheus-rule.yaml index b20679262..e74f78143 100644 --- a/cluster/core/cert-manager/prometheus-rule.yaml +++ b/cluster/apps/networking/cert-manager/prometheus-rule.yaml @@ -3,7 +3,7 @@ apiVersion: monitoring.coreos.com/v1 kind: PrometheusRule metadata: name: cert-manager.rules - namespace: cert-manager + namespace: default spec: groups: - name: cert-manager @@ -15,7 +15,8 @@ spec: labels: severity: critical annotations: - description: "New certificates will not be able to be minted, and existing + description: + "New certificates will not be able to be minted, and existing ones can't be renewed until cert-manager is back." runbook_url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagerabsent summary: "Cert Manager has dissapeared from Prometheus service discovery." 
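Review bot: The cert-manager/kustomization.yaml hunk drops `letsencrypt-production.yaml` and `letsencrypt-staging.yaml` from `resources` but does not add the new `issuers` and `certificates` directories, and no other file in the patch references them (the diffstat lists only their own kustomization.yaml files). Unless a Flux Kustomization outside this diff targets those paths directly, the ClusterIssuers and the `${SECRET_CLUSTER_DOMAIN/./-}` Certificate (whose old copy in ingress-nginx is deleted below) are removed from the cluster and never recreated, and renewals stop. Add `- issuers` and `- certificates` to the `resources` list in this hunk; the `dependsOn` entries in the new HelmReleases already take care of ordering.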
@@ -30,11 +31,13 @@ spec: labels: severity: warning annotations: - description: "The domain that this cert covers will be unavailable after + description: + "The domain that this cert covers will be unavailable after {{ $value | humanizeDuration }}. Clients using endpoints that this cert protects will start to fail in {{ $value | humanizeDuration }}." runbook_url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagercertexpirysoon - summary: "The cert {{ $labels.name }} is {{ $value | humanizeDuration }} + summary: + "The cert {{ $labels.name }} is {{ $value | humanizeDuration }} from expiry, it should have renewed over a week ago." - alert: CertManagerCertNotReady expr: | @@ -44,7 +47,8 @@ spec: labels: severity: critical annotations: - description: "This certificate has not been ready to serve traffic for at least + description: + "This certificate has not been ready to serve traffic for at least 10m. If the cert is being renewed or there is another valid cert, the ingress controller _may_ be able to serve that instead." runbook_url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagercertnotready @@ -57,7 +61,8 @@ spec: labels: severity: critical annotations: - description: "Depending on the rate limit, cert-manager may be unable to generate + description: + "Depending on the rate limit, cert-manager may be unable to generate certificates for up to a week." runbook_url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagerhittingratelimits summary: "Cert manager hitting LetsEncrypt rate limits." diff --git a/cluster/core/cert-manager/secret.sops.yaml b/cluster/apps/networking/cert-manager/secret.sops.yaml similarity index 62% rename from cluster/core/cert-manager/secret.sops.yaml rename to cluster/apps/networking/cert-manager/secret.sops.yaml index c33c77c99..845d70f8e 100644 --- a/cluster/core/cert-manager/secret.sops.yaml 
+++ b/cluster/apps/networking/cert-manager/secret.sops.yaml
@@ -2,7 +2,7 @@ kind: Secret
 apiVersion: v1
 metadata:
 name: ovh-credentials
- namespace: cert-manager
+ namespace: default
 stringData:
 applicationSecret: ENC[AES256_GCM,data:9vWD0QZ5mSIVhTOg5BinGUhEdJW0Tv6/CzoJor2FO5I=,iv:ymVqh3DKnvTzKi8nWW6ULDLyJLfXE/HDGLmTmLuo9WE=,tag:Aoy6ClqB1K4HVNn6d8H94w==,type:str]
 type: Opaque
@@ -14,13 +14,13 @@ sops:
 age:
 - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
 enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDcGV1NGhhY3hOa0pjSThx
- ZGt5Y2FPNVcrN0d1SCtCS2NjMHFjM2Y0QUJ3CncvUzB2QlpDL0xxZTQ4NVFyNm51
- bFovMHhXRDVwSmpGaDR2YnBlTUQzTEkKLS0tIGx6bjRQNHQ4enJZN1UydEtiSkxP
- d0Vid3lIQ0NPSmxicFlBN2NCRnE5ZFUKo1l3ST2oUmaWBgbjub/BWPpRzB588ZoJ
- NvB6P1YivKsDZf/fsRT0gf1GPx9gZgql/w3g/9mggKANW4rFrMH1Mg==
- -----END AGE ENCRYPTED FILE-----
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDcGV1NGhhY3hOa0pjSThx
+ ZGt5Y2FPNVcrN0d1SCtCS2NjMHFjM2Y0QUJ3CncvUzB2QlpDL0xxZTQ4NVFyNm51
+ bFovMHhXRDVwSmpGaDR2YnBlTUQzTEkKLS0tIGx6bjRQNHQ4enJZN1UydEtiSkxP
+ d0Vid3lIQ0NPSmxicFlBN2NCRnE5ZFUKo1l3ST2oUmaWBgbjub/BWPpRzB588ZoJ
+ NvB6P1YivKsDZf/fsRT0gf1GPx9gZgql/w3g/9mggKANW4rFrMH1Mg==
+ -----END AGE ENCRYPTED FILE-----
 lastmodified: "2022-07-03T14:42:43Z"
 mac: ENC[AES256_GCM,data:shI/qzyWbCozb7CH4KgwZStp21+c/CsT5y+TtdzI+O5Xbbg4WHwUIw73DEqvOD8Rrj39Ym53L8f6G7apvAToU1nv23POs/e4ew2yMOhypfsw19hq93IDLmon6jmj7C2DCSwLWukzCX3/Ot+OELm8t8svZYDD+xE1wtYidmfiZdo=,iv:tURq+EP7UqMKaKHkWD4K3E4lLKFNqBLFut1Se8sC9No=,tag:RAbjiVPIEtkOoAFWE+/l7A==,type:str]
 pgp: []
diff --git a/cluster/core/cert-manager/webhook-ovh/helm-release.yaml b/cluster/apps/networking/cert-manager/webhook-ovh/helm-release.yaml
similarity index 93%
rename from cluster/core/cert-manager/webhook-ovh/helm-release.yaml
rename to cluster/apps/networking/cert-manager/webhook-ovh/helm-release.yaml
index 5d1021b94..7540b08a9 100644
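Review bot: The plaintext `namespace` value changes in the first hunk of secret.sops.yaml, yet the `lastmodified` and `mac` lines in the second hunk are unchanged context, which indicates the file was edited by hand rather than through sops. sops folds unencrypted values into its MAC unless `mac_only_encrypted: true` is set (that key is not visible in the hunk), so kustomize-controller would most likely refuse to decrypt this Secret with a MAC mismatch and the whole Kustomization would stall. Re-apply the namespace change through sops so the MAC is recomputed, and confirm the file decrypts locally before merging.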
--- a/cluster/core/cert-manager/webhook-ovh/helm-release.yaml
+++ b/cluster/apps/networking/cert-manager/webhook-ovh/helm-release.yaml
@@ -3,7 +3,7 @@ apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
 name: cert-manager-webhook-ovh
- namespace: cert-manager
+ namespace: default
 spec:
 interval: 15m
 chart:
diff --git a/cluster/core/cert-manager/webhook-ovh/kustomization.yaml b/cluster/apps/networking/cert-manager/webhook-ovh/kustomization.yaml
similarity index 100%
rename from cluster/core/cert-manager/webhook-ovh/kustomization.yaml
rename to cluster/apps/networking/cert-manager/webhook-ovh/kustomization.yaml
diff --git a/cluster/core/cert-manager/webhook-ovh/rbac.yaml b/cluster/apps/networking/cert-manager/webhook-ovh/rbac.yaml
similarity index 87%
rename from cluster/core/cert-manager/webhook-ovh/rbac.yaml
rename to cluster/apps/networking/cert-manager/webhook-ovh/rbac.yaml
index 03a05fd3a..2ae84e404 100644
--- a/cluster/core/cert-manager/webhook-ovh/rbac.yaml
+++ b/cluster/apps/networking/cert-manager/webhook-ovh/rbac.yaml
@@ -3,7 +3,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
 name: cert-manager-webhook-ovh:secret-reader
- namespace: cert-manager
+ namespace: default
 rules:
 - apiGroups: [""]
 resources: ["secrets"]
@@ -14,7 +14,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
 name: cert-manager-webhook-ovh:secret-reader
- namespace: cert-manager
+ namespace: default
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: Role
@@ -23,4 +23,4 @@ subjects:
 - apiGroup: ""
 kind: ServiceAccount
 name: cert-manager-webhook-ovh
- namespace: cert-manager
+ namespace: default
diff --git a/cluster/apps/networking/ingress-nginx/certificate.yaml b/cluster/apps/networking/ingress-nginx/certificate.yaml
deleted file mode 100644
index 4520402c2..000000000
--- a/cluster/apps/networking/ingress-nginx/certificate.yaml
+++ /dev/null
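Review bot: The `cert-manager-webhook-ovh:secret-reader` Role now lives in `default`, which this patch also makes the namespace of the issued TLS secret (`${SECRET_CLUSTER_DOMAIN/./-}-tls`) and whatever other workload secrets already sit there, whereas before it was confined to a dedicated `cert-manager` namespace; the rule visible in the first rbac.yaml hunk grants `resources: ["secrets"]` with no `resourceNames` restriction (the `verbs` line is outside the hunk). Unless the rule is already narrowed further down, add `resourceNames: ["ovh-credentials"]` to it so the webhook's ServiceAccount can read only the one secret it needs. The RoleBinding and subjects hunks in the same file need no change beyond the namespace.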
@@ -1,15 +0,0 @@
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
- name: "${SECRET_CLUSTER_DOMAIN/./-}"
- namespace: default
-spec:
- secretName: "${SECRET_CLUSTER_DOMAIN/./-}-tls"
- issuerRef:
- name: letsencrypt-production
- kind: ClusterIssuer
- commonName: "${SECRET_CLUSTER_DOMAIN}"
- dnsNames:
- - "${SECRET_CLUSTER_DOMAIN}"
- - "*.${SECRET_CLUSTER_DOMAIN}"
diff --git a/cluster/apps/networking/ingress-nginx/helm-release.yaml b/cluster/apps/networking/ingress-nginx/helm-release.yaml
index 6e886b07e..7929a26f6 100644
--- a/cluster/apps/networking/ingress-nginx/helm-release.yaml
+++ b/cluster/apps/networking/ingress-nginx/helm-release.yaml
@@ -23,7 +23,7 @@ spec:
 retries: 5
 dependsOn:
 - name: cert-manager
- namespace: cert-manager
+ namespace: default
 values:
 controller:
 replicaCount: 1
diff --git a/cluster/apps/networking/ingress-nginx/kustomization.yaml b/cluster/apps/networking/ingress-nginx/kustomization.yaml
index b2e0fefe4..2fa2de20c 100644
--- a/cluster/apps/networking/ingress-nginx/kustomization.yaml
+++ b/cluster/apps/networking/ingress-nginx/kustomization.yaml
@@ -2,5 +2,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- - certificate.yaml
 - helm-release.yaml
diff --git a/cluster/apps/networking/kustomization.yaml b/cluster/apps/networking/kustomization.yaml
index 1c7009a47..bdc186bce 100644
--- a/cluster/apps/networking/kustomization.yaml
+++ b/cluster/apps/networking/kustomization.yaml
@@ -2,6 +2,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+ - cert-manager
 - external-dns
 - ingress-nginx
 - k8s-gateway
diff --git a/cluster/core/cert-manager/letsencrypt-production.yaml b/cluster/core/cert-manager/letsencrypt-production.yaml
deleted file mode 100644
index 6ffe1cba7..000000000
--- a/cluster/core/cert-manager/letsencrypt-production.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
----
-apiVersion: cert-manager.io/v1
-kind: ClusterIssuer
-metadata:
- name: letsencrypt-production
-spec:
- acme:
- server: https://acme-v02.api.letsencrypt.org/directory
- email: "${SECRET_CLUSTER_DOMAIN_EMAIL}"
- privateKeySecretRef:
- name: letsencrypt-production
- solvers:
- - dns01:
- webhook:
- groupName: "${SECRET_DOMAIN}"
- solverName: ovh
- config:
- endpoint: ovh-eu
- applicationKey: "${SECRET_CLUSTER_OVH_APPLICATION_KEY}"
- applicationSecretRef:
- key: applicationSecret
- name: ovh-credentials
- consumerKey: "${SECRET_CLUSTER_OVH_CONSUMER_KEY}"
diff --git a/cluster/core/cert-manager/letsencrypt-staging.yaml b/cluster/core/cert-manager/letsencrypt-staging.yaml
deleted file mode 100644
index a4fc234e6..000000000
--- a/cluster/core/cert-manager/letsencrypt-staging.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
----
-apiVersion: cert-manager.io/v1
-kind: ClusterIssuer
-metadata:
- name: letsencrypt-staging
-spec:
- acme:
- server: https://acme-staging-v02.api.letsencrypt.org/directory
- email: "${SECRET_CLUSTER_DOMAIN_EMAIL}"
- privateKeySecretRef:
- name: letsencrypt-staging
- solvers:
- - dns01:
- webhook:
- groupName: "${SECRET_DOMAIN}"
- solverName: ovh
- config:
- endpoint: ovh-eu
- applicationKey: "${SECRET_CLUSTER_OVH_APPLICATION_KEY}"
- applicationSecretRef:
- key: applicationSecret
- name: ovh-credentials
- consumerKey: "${SECRET_CLUSTER_OVH_CONSUMER_KEY}"
diff --git a/cluster/core/kustomization.yaml b/cluster/core/kustomization.yaml
index 35d0ac83f..f1a01c6ae 100644
--- a/cluster/core/kustomization.yaml
+++ b/cluster/core/kustomization.yaml
@@ -1,7 +1,6 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- - cert-manager
 - flux-system
 - k10
 - rook-ceph