From 22369b4f02e13e21fe7fa5a531baf73f832badb3 Mon Sep 17 00:00:00 2001
From: holden093
Date: Sun, 29 Jun 2025 21:05:35 +0200
Subject: [PATCH] added cert manager

---
 README.md | 1 +
 helm-deploy.sh | 27 ++++++++++++++++---
 manifests/certmanager/issuer-secret.yaml | 8 ++++++
 manifests/certmanager/issuer.yaml | 16 +++++++++++
 manifests/certmanager/values.yaml | 5 ++++
 manifests/longhorn/certificate.yaml | 13 +++++++++
 .../{longhorn-ingress.yaml => ingress.yaml} | 4 +++
 7 files changed, 70 insertions(+), 4 deletions(-)
 create mode 100644 manifests/certmanager/issuer-secret.yaml
 create mode 100644 manifests/certmanager/issuer.yaml
 create mode 100644 manifests/certmanager/values.yaml
 create mode 100644 manifests/longhorn/certificate.yaml
 rename manifests/longhorn/{longhorn-ingress.yaml => ingress.yaml} (82%)

diff --git a/README.md b/README.md
index ff8192a..018fe07 100644
--- a/README.md
+++ b/README.md
@@ -19,6 +19,7 @@ This setup will create a Kubernetes cluster with the following topology and comp
 - **Calico** as the CNI (Container Network Interface)
 - **MetalLB** as the cloud load balancer for bare metal services (change the configmap to adapt it to your network)
 - **Traefik** as the ingress controller on IP 10.50.3.30 (change it in the values.yaml to adapt it to your network)
+- **Cert-Manager** to manage the internal certificates. Remember to update the API key!
 - **Longhorn** as the persistent storage provider (change the host to adapt it to your network)
 
 ## 🚀 How to Deploy
diff --git a/helm-deploy.sh b/helm-deploy.sh
index 94c372a..1930668 100755
--- a/helm-deploy.sh
+++ b/helm-deploy.sh
@@ -18,9 +18,27 @@ kubectl apply -f manifests/metallb/metallb-config.yaml
 ## Setup traefik repo
 helm repo add traefik https://traefik.github.io/charts
 helm repo update
-helm install traefik traefik/traefik -n traefik -f ./manifests/traefik/values.yaml --create-namespace
+helm install \
+ traefik traefik/traefik \
+ -n traefik \
+ -f ./manifests/traefik/values.yaml \
+ --create-namespace
 
-## Setup MetalLb repo
+## Setup certmanager repo
+helm repo add jetstack https://charts.jetstack.io
+helm repo update
+helm install \
+ cert-manager jetstack/cert-manager \
+ -n cert-manager \
+ -f ./manifests/certmanager/values.yaml \
+ --create-namespace
+
+## Set up the cloudflare API token.
+
+kubectl apply -f ./manifests/certmanager/issuer-secret.yaml
+kubectl apply -f ./manifests/certmanager/issuer.yaml
+
+## Setup longhorn repo
 helm repo add longhorn https://charts.longhorn.io
 helm repo update
 helm install longhorn longhorn/longhorn -n longhorn-system --create-namespace
@@ -32,5 +50,6 @@ kubectl wait --namespace longhorn-system \
 --all \
 --timeout=120s
 
-## Apply ingress rule
-kubectl apply -f manifests/longhorn/longhorn-ingress.yaml
\ No newline at end of file
+## Apply ingress rule and certificate
+kubectl apply -f manifests/longhorn/certificate.yaml
+kubectl apply -f manifests/longhorn/ingress.yaml
\ No newline at end of file
diff --git a/manifests/certmanager/issuer-secret.yaml b/manifests/certmanager/issuer-secret.yaml
new file mode 100644
index 0000000..3e2aaa6
--- /dev/null
+++ b/manifests/certmanager/issuer-secret.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: cloudflare-api-token-secret
+ namespace: cert-manager
+type: Opaque
+stringData:
+ api-token:
\ No newline at end of file
diff --git a/manifests/certmanager/issuer.yaml b/manifests/certmanager/issuer.yaml
new file mode 100644
index 0000000..6c54208
--- /dev/null
+++ b/manifests/certmanager/issuer.yaml
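Review bot: The new `kubectl apply -f ./manifests/certmanager/issuer-secret.yaml` step reads the Cloudflare API token from a Secret manifest that is tracked in the repository (the issuer-secret.yaml hunk below), and the README's "Remember to update the API key!" implies editing that file in place, so the live token is one `git add` away from being committed; create the Secret from the environment instead and keep the value out of the tracked file, e.g. `kubectl -n cert-manager create secret generic cloudflare-api-token-secret --from-literal=api-token="$CLOUDFLARE_API_TOKEN" --dry-run=client -o yaml | kubectl apply -f -`. As committed, `api-token:` has no value at all, which YAML reads as null rather than an empty string, so the apply is likely to be rejected or to produce an unusable Secret; if the file is kept as a template it should at least carry a quoted placeholder. Separately, `issuer.yaml` is applied right after `helm install cert-manager` without `--wait`, so the cert-manager validating webhook may not be serving yet and the ClusterIssuer apply can fail on a first run; a `kubectl wait --namespace cert-manager --for=condition=Available deployment/cert-manager-webhook --timeout=120s` before the two applies, mirroring the longhorn wait already in the script, would close that gap.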
@@ -0,0 +1,16 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: cloudflare-clusterissuer
+spec:
+ acme:
+ email: kevin@nixit.it
+ server: https://acme-v02.api.letsencrypt.org/directory
+ privateKeySecretRef:
+ name: cloudflare-clusterissuer-key
+ solvers:
+ - dns01:
+ cloudflare:
+ apiTokenSecretRef:
+ name: cloudflare-api-token-secret
+ key: api-token
\ No newline at end of file
diff --git a/manifests/certmanager/values.yaml b/manifests/certmanager/values.yaml
new file mode 100644
index 0000000..1e02ddf
--- /dev/null
+++ b/manifests/certmanager/values.yaml
@@ -0,0 +1,5 @@
+crds:
+ enabled: true
+extraArgs:
+ - --dns01-recursive-nameservers-only
+ - --dns01-recursive-nameservers=1.1.1.1:53,1.0.0.1:53
\ No newline at end of file
diff --git a/manifests/longhorn/certificate.yaml b/manifests/longhorn/certificate.yaml
new file mode 100644
index 0000000..3bec05e
--- /dev/null
+++ b/manifests/longhorn/certificate.yaml
@@ -0,0 +1,13 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: longhorn-ssl-certificate
+ namespace: longhorn-system
+spec:
+ # Secret names are always required.
+ secretName: longhorn-ssl-certificate
+ issuerRef:
+ name: cloudflare-clusterissuer
+ kind: ClusterIssuer
+ dnsNames:
+ - longhorn.nixit.it
\ No newline at end of file
diff --git a/manifests/longhorn/longhorn-ingress.yaml b/manifests/longhorn/ingress.yaml
similarity index 82%
rename from manifests/longhorn/longhorn-ingress.yaml
rename to manifests/longhorn/ingress.yaml
index 78ad79f..ce21d39 100644
--- a/manifests/longhorn/longhorn-ingress.yaml
+++ b/manifests/longhorn/ingress.yaml
@@ -6,6 +6,10 @@ metadata:
 annotations:
 traefik.ingress.kubernetes.io/router.entrypoints: websecure
 spec:
+ tls:
+ - hosts:
+ - longhorn.nixit.it
+ secretName: longhorn-ssl-certificate
 rules:
 - host: longhorn.nixit.it
 http:
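Review bot: The ClusterIssuer's `server:` is the Let's Encrypt production directory and nothing in the manifest or the script notes that it is rate-limited, so anyone rebuilding the cluster a few times while getting the Cloudflare DNS-01 solver working can re-issue `longhorn.nixit.it` until the duplicate-certificate limit is hit, after which the Longhorn Certificate just stays not-Ready with no obvious cause. A comment above `server:` such as `# Production ACME endpoint (rate-limited); point at https://acme-staging-v02.api.letsencrypt.org/directory while testing the DNS-01 setup` would make that visible, or a second staging ClusterIssuer could be committed alongside this one for first-time setups.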
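Review bot: The two `extraArgs` entries in values.yaml have no explanation, and they are the kind of setting a later maintainer is tempted to remove because nothing in this repo says why cert-manager should bypass the cluster's own resolver. A comment above `extraArgs:` along the lines of `# Run the DNS-01 self-check through public resolvers; presumably the cluster/LAN DNS does not see the public _acme-challenge TXT record — confirm` would record the intent, and should be adjusted if the actual reason is different.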