added cert manager

2025-06-29 21:05:35 +02:00
parent 268a82fea2
commit 22369b4f02
7 changed files with 70 additions and 4 deletions


@ -19,6 +19,7 @@ This setup will create a Kubernetes cluster with the following topology and comp
- **Calico** as the CNI (Container Network Interface) - **Calico** as the CNI (Container Network Interface)
- **MetalLB** as the cloud load balancer for bare metal services (change the configmap to adapt it to your network) - **MetalLB** as the cloud load balancer for bare metal services (change the configmap to adapt it to your network)
- **Traefik** as the ingress controller on IP 10.50.3.30 (change it in the values.yaml to adapt it to your network) - **Traefik** as the ingress controller on IP 10.50.3.30 (change it in the values.yaml to adapt it to your network)
- **Cert-Manager** to manage the internal certificates. Remember to update the API key!
- **Longhorn** as the persistent storage provider (change the host to adapt it to your network) - **Longhorn** as the persistent storage provider (change the host to adapt it to your network)
## 🚀 How to Deploy ## 🚀 How to Deploy


@ -18,9 +18,27 @@ kubectl apply -f manifests/metallb/metallb-config.yaml
## Setup traefik repo ## Setup traefik repo
helm repo add traefik https://traefik.github.io/charts helm repo add traefik https://traefik.github.io/charts
helm repo update helm repo update
helm install traefik traefik/traefik -n traefik -f ./manifests/traefik/values.yaml --create-namespace helm install \
traefik traefik/traefik \
-n traefik \
-f ./manifests/traefik/values.yaml \
--create-namespace
## Setup MetalLb repo ## Setup certmanager repo
helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install \
cert-manager jetstack/cert-manager \
-n cert-manager \
-f ./manifests/certmanager/values.yaml \
--create-namespace
## Set up the cloudflare API token.
kubectl apply -f ./manifests/certmanager/issuer-secret.yaml
kubectl apply -f ./manifests/certmanager/issuer.yaml
## Setup longhorn repo
helm repo add longhorn https://charts.longhorn.io helm repo add longhorn https://charts.longhorn.io
helm repo update helm repo update
helm install longhorn longhorn/longhorn -n longhorn-system --create-namespace helm install longhorn longhorn/longhorn -n longhorn-system --create-namespace
@ -32,5 +50,6 @@ kubectl wait --namespace longhorn-system \
--all \ --all \
--timeout=120s --timeout=120s
## Apply ingress rule ## Apply ingress rule and certificate
kubectl apply -f manifests/longhorn/longhorn-ingress.yaml kubectl apply -f manifests/longhorn/certificate.yaml
kubectl apply -f manifests/longhorn/ingress.yaml
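Review bot: The ClusterIssuer is applied with `kubectl apply -f ./manifests/certmanager/issuer.yaml` directly after `helm install cert-manager`, before the cert-manager webhook is serving, so on a fresh cluster that apply can fail with a connection-refused error from the validating webhook and the script does not retry. The hunk already uses the right pattern for Longhorn (`kubectl wait --namespace longhorn-system ... --timeout=120s`); I would insert `kubectl wait --namespace cert-manager --for=condition=Available deployment --all --timeout=120s` between the helm install and the two applies. The `## Set up the cloudflare API token.` step also depends on the token having been edited into the tracked manifest first, which is worth stating in that comment so the apply does not silently create a secret holding the placeholder text.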


@ -0,0 +1,8 @@
apiVersion: v1
kind: Secret
metadata:
name: cloudflare-api-token-secret
namespace: cert-manager
type: Opaque
stringData:
api-token: <API TOKEN>
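Review bot: `api-token: <API TOKEN>` is a placeholder inside a tracked manifest, so the expected workflow ("Remember to update the API key!") edits the live Cloudflare token into a file that git will pick up on the next commit. Prefer not to commit the filled file: create the Secret from the environment instead, `kubectl -n cert-manager create secret generic cloudflare-api-token-secret --from-literal=api-token="$CLOUDFLARE_API_TOKEN"`, or keep this manifest as a template and add the filled copy to .gitignore. Scope the token to DNS edit on the single zone, since a Kubernetes Secret is only base64-encoded and anyone with read access to the cert-manager namespace can recover it. If the file is kept, quote the value once filled (`api-token: "..."`) so a token is never retyped by the YAML parser.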


@ -0,0 +1,16 @@
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: cloudflare-clusterissuer
spec:
acme:
email: kevin@nixit.it
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: cloudflare-clusterissuer-key
solvers:
- dns01:
cloudflare:
apiTokenSecretRef:
name: cloudflare-api-token-secret
key: api-token
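Review bot: `server:` points straight at the Let's Encrypt production directory, so any mistake in the DNS-01 solver (wrong token scope, wrong zone) is debugged against production rate limits; the usual practice is a second ClusterIssuer using `https://acme-staging-v02.api.letsencrypt.org/directory` and switching the Certificate's `issuerRef` once that one turns Ready. Because this is a ClusterIssuer, any namespace in the cluster can request a certificate for any name the Cloudflare token can answer for; that is reasonable for a single-operator cluster but deserves a comment above `kind: ClusterIssuer`, e.g. `# Cluster-wide: every namespace may issue for zones this token can edit; use a namespaced Issuer to restrict.`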


@ -0,0 +1,5 @@
crds:
enabled: true
extraArgs:
- --dns01-recursive-nameservers-only
- --dns01-recursive-nameservers=1.1.1.1:53,1.0.0.1:53
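Review bot: `crds.enabled: true` is only honoured by newer releases of the jetstack chart (earlier releases take `installCRDs: true`), and the matching `helm install cert-manager jetstack/cert-manager` in the deploy script passes no `--version`, so with an older cached chart the CRDs would silently not be installed and the ClusterIssuer apply would fail; I cannot see the chart version from this page. Pin the chart version these values were written for and add a comment on the block, `# Requires a chart version that supports crds.enabled; older charts use installCRDs`. The two `--dns01-recursive-nameservers*` flags are a sensible pairing worth a comment too, e.g. `# Self-check via public resolvers so a cached negative answer in cluster DNS does not stall the challenge`.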


@ -0,0 +1,13 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: longhorn-ssl-certificate
namespace: longhorn-system
spec:
# Secret names are always required.
secretName: longhorn-ssl-certificate
issuerRef:
name: cloudflare-clusterissuer
kind: ClusterIssuer
dnsNames:
- longhorn.nixit.it
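Review bot: The Certificate sets no `privateKey.rotationPolicy`, and on cert-manager versions that default it to `Never` the same private key is reused on every renewal; cert-manager's own recommendation is to add `privateKey:` with `  rotationPolicy: Always` under `spec`, so that re-issuing after a suspected key compromise actually yields a new key. The copied comment `# Secret names are always required.` explains nothing about this file; replace it with one that states the coupling, e.g. `# Must match spec.tls[].secretName in the Longhorn Ingress.`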


@ -6,6 +6,10 @@ metadata:
annotations: annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure traefik.ingress.kubernetes.io/router.entrypoints: websecure
spec: spec:
tls:
- hosts:
- longhorn.nixit.it
secretName: longhorn-ssl-certificate
rules: rules:
- host: longhorn.nixit.it - host: longhorn.nixit.it
http: http: