First version of TLS configuration

2019-10-09 10:16:31 +02:00 · 2019-10-09 10:16:31 +02:00 · a026d83261
commit a026d83261
parent 39724eb627
5 changed files with 160 additions and 5 deletions
--- a/kubernetes/reverse-proxy/Certificates.yaml
+++ b/kubernetes/reverse-proxy/Certificates.yaml
@ -0,0 +1,49 @@
+# -- staging ---------------
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: Certificate
+metadata:
+  name: results-staging-tls-cert
+  namespace: cert-manager
+spec:
+  commonName: results.staging.llvm-merge-guard.org
+  secretName: results-staging-tls
+  issuerRef:
+    name: letsencrypt-staging
+
+---
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: Certificate
+metadata:
+  name: jenkins-staging-tls-cert
+  namespace: cert-manager
+spec:
+  commonName: jenkins.staging.llvm-merge-guard.org
+  secretName: jenkins-staging-tls
+  issuerRef:
+    name: letsencrypt-staging
+
+---
+# -- prod ---------------
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: Certificate
+metadata:
+  name: results-prod-tls-cert
+  namespace: cert-manager
+spec:
+  commonName: results.llvm-merge-guard.org
+  secretName: results-prod-tls
+  issuerRef:
+    name: letsencrypt-prod
+
+---
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: Certificate
+metadata:
+  name: jenkins-prod-tls-cert
+  namespace: cert-manager
+spec:
+  commonName: jenkins.llvm-merge-guard.org
+  secretName: jenkins-prod-tls
+  issuerRef:
+    name: letsencrypt-prod
+---
--- a/kubernetes/reverse-proxy/Ingress.yaml
+++ b/kubernetes/reverse-proxy/Ingress.yaml
@ -0,0 +1,54 @@
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: nginx-ingress
+  namespace: jenkins
+  annotations:
+    kubernetes.io/ingress.class: "nginx"    
+    cert-manager.io/issuer: "letsencrypt-staging"
+spec:
+  tls:
+  # -- staging ------------------  
+  - secretName: results-staging-tls
+    hosts:
+    - results.staging.llvm-merge-guard.org
+  - secretName: results-staging-tls
+    hosts:
+    - jenkins.staging.llvm-merge-guard.org
+
+  # -- prod ------------------  
+  - secretName: results-prod-tls
+    hosts:
+    - results.llvm-merge-guard.org    
+  - secretName: jenkins-prod-tls
+    hosts:
+    - jenkins.llvm-merge-guard.org    
+
+  rules:
+  # -- prod ------------------  
+  - host: results.llvm-merge-guard.org
+    http:
+      paths:
+      - backend:
+          serviceName: nginx-results
+          servicePort: 80
+  - host: jenkins.llvm-merge-guard.org
+    http:
+      paths:
+      - backend:
+          serviceName: jenkins-ui
+          servicePort: 8080
+
+  # -- staging ------------------  
+  - host: jenkins.staging.llvm-merge-guard.org
+    http:
+      paths:
+      - backend:
+          serviceName: jenkins-ui
+          servicePort: 8080
+  - host: results.staging.llvm-merge-guard.org
+    http:
+      paths:
+      - backend:
+          serviceName: nginx-results
+          servicePort: 80
--- a/kubernetes/reverse-proxy/Issuer.yaml
+++ b/kubernetes/reverse-proxy/Issuer.yaml
@ -0,0 +1,42 @@
+# based on documentation on
+# https://github.com/jetstack/cert-manager/blob/master/docs/tutorials/acme/quick-start/index.rst
+
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: Issuer
+metadata:
+  name: letsencrypt-staging
+spec:
+  acme:
+    # The ACME server URL
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    # Email address used for ACME registration
+    email: kuhnel@google.com
+    # Name of a secret used to store the ACME account private key
+    privateKeySecretRef:
+      name: letsencrypt-staging
+    # Enable the HTTP-01 challenge provider
+    solvers:
+    - http01:
+        ingress:
+          class:  nginx
+
+
+---
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: Issuer
+metadata:
+  name: letsencrypt-prod
+spec:
+  acme:
+    # The ACME server URL
+    server: https://acme-v02.api.letsencrypt.org/directory
+    # Email address used for ACME registration
+    email: kuhnel@google.com
+    # Name of a secret used to store the ACME account private key
+    privateKeySecretRef:
+      name: letsencrypt-prod
+    # Enable the HTTP-01 challenge provider
+    solvers:
+    - http01:
+        ingress:
+          class: nginx
--- a/kubernetes/reverse-proxy/basic.sh
+++ b/kubernetes/reverse-proxy/basic.sh
@ -6,9 +6,13 @@ set -eux
 kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/mandatory.yaml
 kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/cloud-generic.yaml

-# install jetstack based on
-# https://www.digitalocean.com/community/tutorials/how-to-set-up-an-nginx-ingress-with-cert-manager-on-digitalocean-kubernetes
-kubectl apply -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.8/deploy/manifests/00-crds.yaml
+# install certmanager based on
+# http://docs.cert-manager.io/en/latest/getting-started/install/kubernetes.html
+
+kubectl create namespace cert-manager
 kubectl label namespace kube-system certmanager.k8s.io/disable-validation="true"
-helm repo add jetstack https://charts.jetstack.io
-helm install --name cert-manager --namespace kube-system jetstack/cert-manager --version v0.8.0
+kubectl create clusterrolebinding cluster-admin-binding \
+  --clusterrole=cluster-admin \
+  --user=$(gcloud config get-value core/account)
+kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v0.10.1/cert-manager.yaml
+
--- a/kubernetes/reverse-proxy/kustomization.yaml
+++ b/kubernetes/reverse-proxy/kustomization.yaml
@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - Issuer.yaml
+  - Certificates.yaml
+  - Ingress.yaml