added cert manager

README.md

@@ -19,6 +19,7 @@ This setup will create a Kubernetes cluster with the following topology and comp
 - **Calico** as the CNI (Container Network Interface)
 - **MetalLB** as the cloud load balancer for bare metal services (change the configmap to adapt it to your network)
 - **Traefik** as the ingress controller on IP 10.50.3.30 (change it in the values.yaml to adapt it to your network)
+- **Cert-Manager** to manage the internal certificates. Remember to update the API key!
 - **Longhorn** as the persistent storage provider (change the host to adapt it to your network)
 
 ## 🚀 How to Deploy

helm-deploy.sh

@@ -18,9 +18,27 @@ kubectl apply -f manifests/metallb/metallb-config.yaml
 ## Setup traefik repo
 helm repo add traefik https://traefik.github.io/charts
 helm repo update
-helm install traefik traefik/traefik -n traefik -f ./manifests/traefik/values.yaml --create-namespace
+helm install \
+  traefik traefik/traefik \
+  -n traefik \
+  -f ./manifests/traefik/values.yaml \
+  --create-namespace
 
-## Setup MetalLb repo
+## Setup certmanager repo
+helm repo add jetstack https://charts.jetstack.io
+helm repo update
+helm install \
+  cert-manager jetstack/cert-manager \
+  -n cert-manager \
+  -f ./manifests/certmanager/values.yaml \
+  --create-namespace
+
+## Set up the cloudflare API token.
+
+kubectl apply -f ./manifests/certmanager/issuer-secret.yaml
+kubectl apply -f ./manifests/certmanager/issuer.yaml
+
+## Setup longhorn repo
 helm repo add longhorn https://charts.longhorn.io
 helm repo update
 helm install longhorn longhorn/longhorn -n longhorn-system --create-namespace
@@ -32,5 +50,6 @@ kubectl wait --namespace longhorn-system \
   --all \
   --timeout=120s
 
-## Apply ingress rule
-kubectl apply -f manifests/longhorn/longhorn-ingress.yaml
+## Apply ingress rule and certificate
+kubectl apply -f manifests/longhorn/certificate.yaml
+kubectl apply -f manifests/longhorn/ingress.yaml

manifests/certmanager/issuer-secret.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cloudflare-api-token-secret
+  namespace: cert-manager
+type: Opaque
+stringData:
+  api-token: <API TOKEN>

manifests/certmanager/issuer.yaml

@@ -0,0 +1,16 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: cloudflare-clusterissuer
+spec:
+  acme:
+    email: kevin@nixit.it
+    server: https://acme-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      name: cloudflare-clusterissuer-key
+    solvers:
+    - dns01:
+        cloudflare:
+          apiTokenSecretRef:
+            name: cloudflare-api-token-secret
+            key: api-token

manifests/certmanager/values.yaml

@@ -0,0 +1,5 @@
+crds:
+  enabled: true
+extraArgs:
+  - --dns01-recursive-nameservers-only
+  - --dns01-recursive-nameservers=1.1.1.1:53,1.0.0.1:53

manifests/longhorn/certificate.yaml

@@ -0,0 +1,13 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: longhorn-ssl-certificate
+  namespace: longhorn-system
+spec:
+  # Secret names are always required.
+  secretName: longhorn-ssl-certificate
+  issuerRef:
+    name: cloudflare-clusterissuer
+    kind: ClusterIssuer
+  dnsNames:
+    - longhorn.nixit.it

manifests/longhorn/ingress.yaml

@@ -6,6 +6,10 @@ metadata:
   annotations:
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
 spec:
+  tls:
+    - hosts:
+      - longhorn.nixit.it
+      secretName: longhorn-ssl-certificate
   rules:
     - host: longhorn.nixit.it
       http: