Updates to certificate issuer / load balancer

2022-09-23 10:40:52 +02:00 · 2022-09-23 10:40:52 +02:00 · ed757c3d37
commit ed757c3d37
parent 2a4f65cf9b
3 changed files with 25 additions and 7 deletions
--- a/docs/development.md
+++ b/docs/development.md
@ -102,8 +102,16 @@ HTTP authentication and forwards all requests from load balancer to
 Follow up to date docs to install [reverse
 proxy](https://kubernetes.github.io/ingress-nginx/deploy/#gce-gke).
 
-We also have [certificate manager](
-http://docs.cert-manager.io/en/latest/getting-started/install/kubernetes.html) and 
+[cert-manager] is installed with helm https://cert-manager.io/docs/installation/helm/ 
+
+helm install \
+  cert-manager jetstack/cert-manager \
+  --namespace cert-manager \
+  --create-namespace \
+  --version v1.9.1 \
+  --set installCRDs=true 
+  
+We also have [certificate manager](https://cert-manager.io/docs/) and 
 [lets-encrypt configuration](../kubernetes/cert-issuer.yaml) in place, but they are
 not used at the moment and should be removed if we decide to live with static IP.

--- a/kubernetes/cert-issuer.yaml
+++ b/kubernetes/cert-issuer.yaml
@ -15,14 +15,14 @@
 # based on documentation on
 # https://github.com/jetstack/cert-manager/blob/master/docs/tutorials/acme/quick-start/index.rst

-apiVersion: cert-manager.io/v1alpha2
+apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
 metadata:
  name: letsencrypt-staging
 spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
-    email: kuhnel@google.com
+    email: goncharov@google.com
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
@ -30,14 +30,14 @@ spec:
        ingress:
          class: nginx
 ---
-apiVersion: cert-manager.io/v1alpha2
+apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
 metadata:
  name: letsencrypt-prod
 spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
-    email: kuhnel@google.com
+    email: goncharov@google.com
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
--- a/kubernetes/phabricator-proxy/Ingress.yaml
+++ b/kubernetes/phabricator-proxy/Ingress.yaml
@ -1,5 +1,5 @@
 # This ingress matches ALL requests to nginx.
-apiVersion: extensions/v1beta1
+apiVersion: networking.k8s.io/v1beta1
 kind: Ingress
 metadata:
  name: nginx-ingress-all
@ -10,7 +10,17 @@ metadata:
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: http-auth
    nginx.ingress.kubernetes.io/auth-realm: "LLVM pre-merge checks"
+    # cert-manager
+    cert-manager.io/cluster-issuer: letsencrypt-staging
+    acme.cert-manager.io/http01-edit-in-place: "true"
+    # ^ cert-manager
 spec:
+  # cert-manager
+  tls:
+  - secretName: llvm-premerge-staging-cert
+    hosts:
+    - llvm-premerge.org
+  # ^ cert-manager
  rules:
  - http:
      paths: