feat: Add cert manager to dolo

2025-02-04 17:57:24 -08:00 · 2025-02-04 17:57:24 -08:00 · 9bb2d65b25
commit 9bb2d65b25
parent 87cda5fe35
12 changed files with 183 additions and 28 deletions
--- a/k8s/clusters/dolo/apps.yaml
+++ b/k8s/clusters/dolo/apps.yaml
@ -0,0 +1,52 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: infra-controllers
+  namespace: flux-system
+spec:
+  interval: 1h
+  retryInterval: 1m
+  timeout: 5m
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  path: ./k8s/infrastructure/controllers
+  prune: true
+  wait: true
+
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: infra-configs
+  namespace: flux-system
+spec:
+  dependsOn:
+    - name: infra-controllers
+  interval: 1h
+  retryInterval: 1m
+  timeout: 5m
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  path: ./k8s/infrastructure/configs
+  prune: true
+
+# ---
+# apiVersion: kustomize.toolkit.fluxcd.io/v1
+# kind: Kustomization
+# metadata:
+  # name: apps
+  # namespace: flux-system
+# spec:
+  # interval: 10m0s
+  # dependsOn:
+    # - name: infra-configs
+  # sourceRef:
+    # kind: GitRepository
+    # name: flux-system
+  # path: ./apps/production
+  # prune: true
+  # wait: true
+  # timeout: 5m0s
--- a/k8s/clusters/dolo/external-secrets/namespace.yaml
+++ b/k8s/clusters/dolo/external-secrets/namespace.yaml
@ -1,4 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: external-secrets
--- a/k8s/clusters/dolo/external-secrets/release.yaml
+++ b/k8s/clusters/dolo/external-secrets/release.yaml
@ -1,15 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: external-secrets
-  namespace: external-secrets
-spec:
-  interval: 10m
-  chart:
-    spec:
-      chart: external-secrets
-      sourceRef:
-        kind: HelmRepository
-        name: external-secrets
-        namespace: flux-system
-      interval: 10m
--- a/k8s/clusters/dolo/external-secrets/repository.yaml
+++ b/k8s/clusters/dolo/external-secrets/repository.yaml
@ -1,9 +0,0 @@
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: HelmRepository
-metadata:
-  name: external-secrets
-  namespace: flux-system
-spec:
-  interval: 1m
-  url: https://charts.external-secrets.io
-
--- a/k8s/clusters/dolo/infrastructure.yaml
+++ b/k8s/clusters/dolo/infrastructure.yaml
--- a/k8s/clusters/dolo/external-secrets/.gitignore
+++ b/k8s/clusters/dolo/external-secrets/.gitignore
--- a/k8s/infrastructure/configs/cluster-issuer.yaml
+++ b/k8s/infrastructure/configs/cluster-issuer.yaml
@ -0,0 +1,41 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: cloudflare
+  namespace: cert-manager
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: infisical
+
+  target:
+    name: cloudflare
+
+  data:
+    - secretKey: dns-api-token
+      remoteRef:
+        key: cloudflare/dns-api-token
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: le-cf-issuer
+spec:
+  acme:
+    # server: https://acme-v02.api.letsencrypt.org/directory
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    email: tonydu121@hotmail.com
+    privateKeySecretRef:
+      name: le-cf-issuer-pk
+    solvers:
+      - dns01:
+          cloudflare:
+            email: tonydu121@hotmail.com
+            apiTokenSecretRef:
+              name: cloudflare
+              key: dns-api-token
+        selector:
+          dnsZones:
+            - mnke.org
+
--- a/k8s/clusters/dolo/external-secrets/cluster-secret-store.yaml
+++ b/k8s/clusters/dolo/external-secrets/cluster-secret-store.yaml
@ -1,3 +1,6 @@
+---
+# See this guide:
+# https://external-secrets.io/latest/provider/infisical/
 apiVersion: external-secrets.io/v1beta1
 kind: ClusterSecretStore
 metadata:
@ -26,3 +29,4 @@ spec:
      # optional
      hostAPI: https://infisical.stingray.mnke.org

+
--- a/k8s/infrastructure/configs/kustomization.yaml
+++ b/k8s/infrastructure/configs/kustomization.yaml
@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - cluster-secret-store.yaml
+  - cluster-issuer.yaml
--- a/k8s/infrastructure/controllers/cert-manager.yaml
+++ b/k8s/infrastructure/controllers/cert-manager.yaml
@ -0,0 +1,44 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: cert-manager
+
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: jetstack
+  namespace: cert-manager
+spec:
+  interval: 1m
+  url: https://charts.jetstack.io
+
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: cert-manager
+  namespace: cert-manager
+spec:
+  interval: 10m
+  chart:
+    spec:
+      chart: cert-manager
+      sourceRef:
+        kind: HelmRepository
+        name: jetstack
+        namespace: cert-manager
+      interval: 10m
+  values:
+    crds:
+      enabled: true
+    replicaCount: 3
+    extraArgs:
+      - --dns01-recursive-nameservers=1.1.1.1:53,9.9.9.9:53
+      - --dns01-recursive-nameservers-only
+    podDnsPolicy: None
+    podDnsConfig:
+      nameservers:
+        - 1.1.1.1
+        - 9.9.9.9
--- a/k8s/infrastructure/controllers/external-secrets.yaml
+++ b/k8s/infrastructure/controllers/external-secrets.yaml
@ -0,0 +1,32 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: external-secrets
+
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: external-secrets
+  namespace: external-secrets
+spec:
+  interval: 1m
+  url: https://charts.external-secrets.io
+
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: external-secrets
+  namespace: external-secrets
+spec:
+  interval: 10m
+  chart:
+    spec:
+      chart: external-secrets
+      sourceRef:
+        kind: HelmRepository
+        name: external-secrets
+        namespace: external-secrets
+      interval: 10m
--- a/k8s/infrastructure/controllers/kustomization.yaml
+++ b/k8s/infrastructure/controllers/kustomization.yaml
@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - external-secrets.yaml
+  - cert-manager.yaml