From ba79286ce69e1a5b122f3adaf512c0fec9202e7c Mon Sep 17 00:00:00 2001
From: DeveloperDurp
Date: Wed, 26 Feb 2025 04:49:40 -0600
Subject: [PATCH] add cert manager to dmz
---
 dmz/cert-manager/Chart.yaml | 11 +++++++
 dmz/cert-manager/templates/issuer.yaml | 6 ++++
 dmz/cert-manager/templates/letsencrypt.yaml | 35 +++++++++++++++++++++
 dmz/cert-manager/templates/secretvault.yaml | 23 ++++++++++++++
 dmz/cert-manager/values.yaml | 26 +++++++++++++++
 infra/argocd/templates/cert-manager.yaml | 23 ++++++++++++++
 6 files changed, 124 insertions(+)
 create mode 100644 dmz/cert-manager/Chart.yaml
 create mode 100644 dmz/cert-manager/templates/issuer.yaml
 create mode 100644 dmz/cert-manager/templates/letsencrypt.yaml
 create mode 100644 dmz/cert-manager/templates/secretvault.yaml
 create mode 100644 dmz/cert-manager/values.yaml
diff --git a/dmz/cert-manager/Chart.yaml b/dmz/cert-manager/Chart.yaml
new file mode 100644
index 0000000..ecf60fa
--- /dev/null
+++ b/dmz/cert-manager/Chart.yaml
@@ -0,0 +1,11 @@
+apiVersion: v2
+name: cert-manager
+description: A Helm chart for Kubernetes
+type: application
+version: 0.0.1
+appVersion: 0.0.1
+
+dependencies:
+- name: cert-manager
+ repository: https://charts.jetstack.io
+ version: v1.16.3
diff --git a/dmz/cert-manager/templates/issuer.yaml b/dmz/cert-manager/templates/issuer.yaml
new file mode 100644
index 0000000..6b889c7
--- /dev/null
+++ b/dmz/cert-manager/templates/issuer.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: issuer
+secrets:
+ - name: issuer-token-lmzpj
\ No newline at end of file
diff --git a/dmz/cert-manager/templates/letsencrypt.yaml b/dmz/cert-manager/templates/letsencrypt.yaml
new file mode 100644
index 0000000..0203412
--- /dev/null
+++ b/dmz/cert-manager/templates/letsencrypt.yaml
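Review bot: `description: A Helm chart for Kubernetes` in Chart.yaml is the untouched `helm create` scaffold text and tells a reader nothing about what this wrapper adds on top of the jetstack dependency; a line such as `description: Wrapper chart for jetstack cert-manager on the DMZ cluster, adding the ClusterIssuers and the Cloudflare token ExternalSecret` would do. The `dependencies:` sequence is written flush (`- name:` at the column of its key) while the templates added in this commit indent their sequences; one style across the chart avoids yamllint indentation warnings.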
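Review bot: `secrets:` / `- name: issuer-token-lmzpj` in issuer.yaml hard-codes a name of the kind the control plane used to generate for legacy ServiceAccount tokens, but since Kubernetes 1.24 such Secrets are no longer created automatically, so on a fresh DMZ cluster this entry points at a Secret that does not exist and the `vault-issuer` ClusterIssuer in letsencrypt.yaml (same commit, `secretRef.name: issuer-token-lmzpj`) fails on the same missing object. With the chart pinned to cert-manager v1.16.3 the cleaner fix is to drop the `secrets:` list entirely and replace the ClusterIssuer's `secretRef:` block with `serviceAccountRef:` / `  name: issuer` under `auth.kubernetes`, so cert-manager requests short-lived bound tokens itself instead of depending on a long-lived token Secret. If the static Secret is kept on purpose it has to be created explicitly as `type: kubernetes.io/service-account-token` with the `kubernetes.io/service-account.name: issuer` annotation, and its name should not look auto-generated. The file also ends without a trailing newline.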
@@ -0,0 +1,35 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-production
+spec:
+ acme:
+ server: https://acme-v02.api.letsencrypt.org/directory
+ privateKeySecretRef:
+ name: letsencrypt-production
+ solvers:
+ - dns01:
+ cloudflare:
+ email: developerdurp@durp.info
+ apiTokenSecretRef:
+ name: cloudflare-api-token-secret
+ key: cloudflare-api-token-secret
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: vault-issuer
+spec:
+ vault:
+ server: https://vault.infra.durp.info
+ caBundle: 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
+ path: pki/sign/issue-homelab-certs
+ auth:
+ kubernetes:
+ mountPath: /v1/auth/kubernetes
+ role: issuer
+ secretRef:
+ name: issuer-token-lmzpj
+ key: token
diff --git a/dmz/cert-manager/templates/secretvault.yaml b/dmz/cert-manager/templates/secretvault.yaml
new file mode 100644
index 0000000..0a5da62
--- /dev/null
+++ b/dmz/cert-manager/templates/secretvault.yaml
@@ -0,0 +1,23 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: cloudflare-api-token-secret
+spec:
+ secretStoreRef:
+ name: vault
+ kind: ClusterSecretStore
+ target:
+ name: cloudflare-api-token-secret
+ data:
+ - secretKey: cloudflare-api-token-secret
+ remoteRef:
+ key: kv/cert-manager
+ property: cloudflare-api-token-secret
+
+---
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: vault
+
diff --git a/dmz/cert-manager/values.yaml b/dmz/cert-manager/values.yaml
new file mode 100644
index 0000000..0cec0b9
--- /dev/null
+++ b/dmz/cert-manager/values.yaml
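Review bot: `email: developerdurp@durp.info` in letsencrypt.yaml sits under `cloudflare:`, where it is the Cloudflare account email that the solver only uses together with the legacy `apiKeySecretRef` global API key — with `apiTokenSecretRef` it is ignored — while `spec.acme.email`, the ACME account contact that receives expiry and policy notices from Let's Encrypt, is not set at all. Moving the line up so it reads `acme:` / `  email: developerdurp@durp.info` / `  server: https://acme-v02.api.letsencrypt.org/directory` fixes both. The second document, the `vault-issuer` ClusterIssuer, has nothing to do with Let's Encrypt yet lives in this file; giving it its own template next to the `issuer` ServiceAccount it depends on would make the Vault PKI wiring findable. Its inline `caBundle:` also carries no hint of what it pins; a comment such as `# base64 PEM of the CA that signs vault.infra.durp.info — presumably the internal root; update when that CA rotates` above it would help.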
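Review bot: The second document in secretvault.yaml creates a bare ServiceAccount named `vault` that nothing in the chart references — the ExternalSecret's `secretStoreRef.name: vault` points at a ClusterSecretStore, a different object — so a reader cannot tell whether it is the identity some ClusterSecretStore uses for Vault Kubernetes auth or a leftover. If it is needed, a comment such as `# Identity used by the external-secrets ClusterSecretStore "vault" for Vault Kubernetes auth — referenced from outside this chart; confirm` above it would say so; if not, drop the document. Note too that neither the ExternalSecret nor its target Secret sets a namespace, so they land wherever Argo syncs the chart (`cert-manager` per the Application in this commit), whereas the ClusterIssuer's `apiTokenSecretRef` in letsencrypt.yaml is resolved in cert-manager's cluster-resource namespace, which defaults to the namespace cert-manager runs in; the two only line up as long as that stays `cert-manager`, which is worth a comment on `target.name`.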
@@ -0,0 +1,26 @@
+cert-manager:
+ crds:
+ enabled: true
+ image:
+ registry: registry.internal.durp.info
+ repository: jetstack/cert-manager-controller
+ pullPolicy: Always
+ replicaCount: 3
+ #extraArgs:
+ # - --dns01-recursive-nameservers=1.1.1.1:53,1.0.0.1:53
+ # - --dns01-recursive-nameservers-only
+ #podDnsPolicy: None
+ #podDnsConfig:
+ # nameservers:
+ # - "1.1.1.1"
+ # - "1.0.0.1"
+ webhook:
+ image:
+ registry: registry.internal.durp.info
+ repository: jetstack/cert-manager-webhook
+ pullPolicy: Always
+ cainjector:
+ image:
+ registry: registry.internal.durp.info
+ repository: jetstack/cert-manager-cainjector
+ pullPolicy: Always
diff --git a/infra/argocd/templates/cert-manager.yaml b/infra/argocd/templates/cert-manager.yaml
index 68ac622..e7ac95d 100644
--- a/infra/argocd/templates/cert-manager.yaml
+++ b/infra/argocd/templates/cert-manager.yaml
@@ -19,3 +19,26 @@ spec:
 syncOptions:
 - CreateNamespace=true
+---
+
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: cert-manager-dmz
+ namespace: argocd
+spec:
+ project: default
+ source:
+ repoURL: https://gitlab.com/developerdurp/homelab.git
+ targetRevision: main
+ path: dmz/cert-manager
+ destination:
+ namespace: cert-manager
+ name: dmz
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+
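Review bot: `replicaCount: 3` in values.yaml scales only the controller, where cert-manager uses leader election so a single replica does the work at any time, while the webhook — whose unavailability blocks admission of every Certificate and Issuer object — stays at the chart default of one replica; if the goal is availability, `webhook.replicaCount` is the value to raise. The commented-out `extraArgs`/`podDnsPolicy`/`podDnsConfig` block carries no note on why it is parked; a line such as `# Enable if DNS-01 self-checks fail because the DMZ resolver returns split-horizon answers` (or whatever the real reason is) would stop the next reader from guessing, and yamllint wants `# extraArgs:` with a space after the hash. `pullPolicy: Always` on all three images means every pod restart depends on registry.internal.durp.info being reachable from the DMZ cluster; a one-line comment recording that this is accepted would help.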
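Review bot: `project: default` on the new `cert-manager-dmz` Application puts it in the Argo CD project that permits any source repo and any destination cluster or namespace, which is a lot of latitude for an app that is fully automated (`prune: true`, `selfHeal: true`) and lands cluster-scoped ClusterIssuers plus the Cloudflare token on the DMZ cluster. A dedicated AppProject whose `destinations` allow only `name: dmz` / `namespace: cert-manager` and whose `sourceRepos` lists only `https://gitlab.com/developerdurp/homelab.git` keeps the blast radius of a repo mistake to that cluster; the existing Application above this hunk presumably has the same shape, so both could move together. `targetRevision: main` is a common homelab choice but means any push to main syncs straight into the DMZ; a comment stating that trade-off is enough. Because pruning is on and the chart also manages the CRDs (`crds.enabled: true` in values.yaml), confirm the chart's `crds.keep` stays enabled (I believe it defaults to true on the v1.16 chart) so deleting the Application cannot cascade-delete every Certificate on the cluster. The enclosing file begins above this hunk.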