-
Notifications
You must be signed in to change notification settings - Fork 374
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Use cert manager instead of lego for k8s SSL certificates (#1924)
- Loading branch information
1 parent
d945690
commit 441e5df
Showing
9 changed files
with
95 additions
and
11 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -188,16 +188,15 @@ export async function redeployTiller() { | |
| } | ||
| } | ||
|
|
||
| export async function installLegoAndNginx() { | ||
| const legoReleaseExists = await outputIncludes( | ||
| export async function installCertManagerAndNginx() { | ||
| // Cert Manager is the newer version of lego | ||
| const certManagerExists = await outputIncludes( | ||
| `helm list`, | ||
| `kube-lego-release`, | ||
| `kube-lego-release exists, skipping install` | ||
| `cert-manager-cluster-issuers`, | ||
| `cert-manager-cluster-issuers exists, skipping install` | ||
| ) | ||
| if (!legoReleaseExists) { | ||
| await execCmdWithExitOnFailure( | ||
| `helm install --name kube-lego-release stable/kube-lego --set [email protected] --set rbac.create=true --set rbac.serviceAccountName=kube-lego --set config.LEGO_URL=https://acme-v01.api.letsencrypt.org/directory` | ||
| ) | ||
| if (!certManagerExists) { | ||
| await installCertManager() | ||
| } | ||
| const nginxIngressReleaseExists = await outputIncludes( | ||
| `helm list`, | ||
|
|
@@ -209,6 +208,21 @@ export async function installLegoAndNginx() { | |
| } | ||
| } | ||
|
|
||
| export async function installCertManager() { | ||
| const clusterIssuersHelmChartPath = `../helm-charts/cert-manager-cluster-issuers` | ||
|
|
||
| console.info('Installing cert-manager CustomResourceDefinitions') | ||
| await execCmdWithExitOnFailure( | ||
| `kubectl apply --validate=false -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.11/deploy/manifests/00-crds.yaml` | ||
| ) | ||
| console.info('Updating cert-manager-cluster-issuers dependencies') | ||
| await execCmdWithExitOnFailure(`helm dependency update ${clusterIssuersHelmChartPath}`) | ||
| console.info('Installing cert-manager-cluster-issuers') | ||
| await execCmdWithExitOnFailure( | ||
| `helm install --name cert-manager-cluster-issuers ${clusterIssuersHelmChartPath}` | ||
| ) | ||
| } | ||
|
|
||
| export async function installAndEnableMetricsDeps() { | ||
| const kubeStateMetricsReleaseExists = await outputIncludes( | ||
| `helm list`, | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,7 @@ | ||
| name: cert-manager-issuers | ||
| version: 0.0.1 | ||
| description: Chart which is used to deploy let's encrypt issuers | ||
| keywords: | ||
| - "let's encrypt" | ||
| - cert-manager | ||
| appVersion: v1.7.3 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,4 @@ | ||
| # cert-manager-cluster-issuers | ||
|
|
||
| This is the newer version of kube-lego that automatically gets SSL certificates. | ||
| This specifies staging & production ClusterIssuers. |
6 changes: 6 additions & 0 deletions
6
packages/helm-charts/cert-manager-cluster-issuers/requirements.lock
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| dependencies: | ||
| - name: cert-manager | ||
| repository: https://charts.jetstack.io | ||
| version: v0.11.0 | ||
| digest: sha256:f9f50143931633a76f08ced3a20e0002606f935d71a852620b33432bd33e46ff | ||
| generated: 2019-10-18T11:07:03.460006781-07:00 |
4 changes: 4 additions & 0 deletions
4
packages/helm-charts/cert-manager-cluster-issuers/requirements.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,4 @@ | ||
| dependencies: | ||
| - name: cert-manager | ||
| version: v0.11.0 | ||
| repository: https://charts.jetstack.io |
18 changes: 18 additions & 0 deletions
18
packages/helm-charts/cert-manager-cluster-issuers/templates/prod.clusterissuer.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,18 @@ | ||
| apiVersion: cert-manager.io/v1alpha2 | ||
| kind: ClusterIssuer | ||
| metadata: | ||
| name: letsencrypt-prod | ||
| spec: | ||
| acme: | ||
| # The ACME server URL | ||
| server: https://acme-v02.api.letsencrypt.org/directory | ||
| # Email address used for ACME registration | ||
| email: [email protected] | ||
| # Name of a secret used to store the ACME account private key | ||
| privateKeySecretRef: | ||
| name: letsencrypt-prod | ||
| # Enable the HTTP-01 challenge provider | ||
| solvers: | ||
| - http01: | ||
| ingress: | ||
| class: nginx |
18 changes: 18 additions & 0 deletions
18
packages/helm-charts/cert-manager-cluster-issuers/templates/staging.clusterissuer.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,18 @@ | ||
| apiVersion: cert-manager.io/v1alpha2 | ||
| kind: ClusterIssuer | ||
| metadata: | ||
| name: letsencrypt-staging | ||
| spec: | ||
| acme: | ||
| # The ACME server URL | ||
| server: https://acme-staging-v02.api.letsencrypt.org/directory | ||
| # Email address used for ACME registration | ||
| email: [email protected] | ||
| # Name of a secret used to store the ACME account private key | ||
| privateKeySecretRef: | ||
| name: letsencrypt-staging | ||
| # Enable the HTTP-01 challenge provider | ||
| solvers: | ||
| - http01: | ||
| ingress: | ||
| class: nginx |
9 changes: 9 additions & 0 deletions
9
packages/helm-charts/cert-manager-cluster-issuers/values.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,9 @@ | ||
| imagePullPolicy: IfNotPresent | ||
|
|
||
| # Values that are used for the dependency `cert-manager` | ||
| cert-manager: | ||
| ingressShim: | ||
| defaultIssuerKind: ClusterIssuer | ||
| defaultIssuerName: letsencrypt-prod | ||
| webhook: | ||
| enabled: false |