From aab40b012ddd2aaf1b636638fd846dac2cf34141 Mon Sep 17 00:00:00 2001
From: rasmus
Date: Wed, 18 Jun 2025 17:41:50 +0300
Subject: [PATCH] cert-manager to argo kustomize helm

---
 .gitignore                                    |  4 ++++
 argocd/applications/cert-manager.yaml         | 21 +++++++++++++++++++
 bind/README.md                                |  7 +++----
 cert-manager/.gitignore                       |  1 -
 cert-manager/README.md                        | 21 ++++++-------------
 cert-manager/default-cluster-cert-issuer.yaml |  2 +-
 cert-manager/kustomization.yaml               |  7 ++++++-
 tigera-operator/.gitignore                    |  1 -
 woodpecker/.gitignore                         |  2 --
 9 files changed, 41 insertions(+), 25 deletions(-)
 create mode 100644 argocd/applications/cert-manager.yaml
 delete mode 100644 cert-manager/.gitignore
 delete mode 100644 tigera-operator/.gitignore
 delete mode 100644 woodpecker/.gitignore

diff --git a/.gitignore b/.gitignore
index 0faa25c..7b1d303 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,6 +5,10 @@
 *.save
 *.1
 
+# Kustomize with Helm and secrets:
+charts/
+*.env
+
 ### IntelliJ IDEA ###
 .idea
 *.iml
diff --git a/argocd/applications/cert-manager.yaml b/argocd/applications/cert-manager.yaml
new file mode 100644
index 0000000..7699f60
--- /dev/null
+++ b/argocd/applications/cert-manager.yaml
@@ -0,0 +1,21 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: cert-manager
+  namespace: argocd
+spec:
+  project: k-space.ee
+  source:
+    # also depends on git@git.k-space.ee:secretspace/kube.git
+    repoURL: git@git.k-space.ee:k-space/kube.git
+    targetRevision: HEAD
+    path: cert-manager
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: cert-manager
+  syncPolicy:
+    automated:
+      prune: true
+    syncOptions:
+      - CreateNamespace=true
diff --git a/bind/README.md b/bind/README.md
index b08cd6c..ef45731 100644
--- a/bind/README.md
+++ b/bind/README.md
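Review bot: The Application points at `cert-manager`, whose kustomization renders the chart through `helmCharts`, but nothing in this hunk makes Argo CD invoke kustomize with `--enable-helm` (the README in this same commit documents `kustomize build . --enable-helm`); unless that flag is already set cluster-wide via `kustomize.buildOptions` in `argocd-cm`, the sync will fail at render time. The kustomization also pulls `ssh://git@git.k-space.ee/secretspace/kube/cert-manager` as a resource, so the repo-server needs SSH credentials for that second repository as well — the `# also depends on` comment could name where those are registered. With `automated.prune: true` and no `selfHeal`, deleted manifests are pruned but drift is left in place; if that is intended, a one-line comment under `syncPolicy` saying so would help the next reader.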
@@ -36,7 +36,7 @@ which are internally exposed IP-s of the secondaries.
 
 To configure TSIG secrets:
 
-```
+```sh
 kubectl create secret generic -n bind bind-readonly-secret \
   --from-file=readonly.key
 kubectl create secret generic -n bind bind-readwrite-secret \
@@ -45,9 +45,8 @@ kubectl create secret generic -n bind external-dns
 kubectl -n bind delete secret tsig-secret
 kubectl -n bind create secret generic tsig-secret \
   --from-literal=TSIG_SECRET=$(cat readwrite.key | grep secret | cut -d '"' -f 2)
-kubectl -n cert-manager delete secret tsig-secret
-kubectl -n cert-manager create secret generic tsig-secret \
-  --from-literal=TSIG_SECRET=$(cat readwrite.key | grep secret | cut -d '"' -f 2)
+
+# ^ same tsig-secret is in git.k-space.ee/secretspace/kube cert-manager
 ```
 
 # Serving additional zones
diff --git a/cert-manager/.gitignore b/cert-manager/.gitignore
deleted file mode 100644
index 7e74288..0000000
--- a/cert-manager/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-cert-manager.yaml
diff --git a/cert-manager/README.md b/cert-manager/README.md
index 2eed19c..a8e843b 100644
--- a/cert-manager/README.md
+++ b/cert-manager/README.md
@@ -7,7 +7,7 @@ Refer to the [Bind primary Ansible playbook](https://git.k-space.ee/k-space/ansi
 [Bind namespace on Kubernetes cluster](https://git.k-space.ee/k-space/kube/src/branch/master/bind)
 for more details
 
-# For user
+# For developer
 
 Use `Certificate` CRD of cert-manager, refer to
 [official documentation](https://cert-manager.io/docs/usage/certificate/).
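Review bot: The comment that replaces the cert-manager `tsig-secret` commands in the second hunk says where the other copy now lives but not that it is a copy: an operator who rotates `readwrite.key` and re-runs the block above will update only the `bind` namespace and leave the cert-manager rfc2136 solver with a stale key. Suggest extending it to `# ^ same tsig-secret is in git.k-space.ee/secretspace/kube cert-manager — update it there too after rotating readwrite.key`. The fenced code block this comment sits in opens before the hunk.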
@@ -15,23 +15,14 @@ Use `Certificate` CRD of cert-manager, refer to To find usage examples in this repository use `grep -r -A10 "^kind: Certificate" .` -# For administrator +# Deployment +With ArgoCD. Render it locally: -Deployed with: - -``` -curl -L https://github.com/jetstack/cert-manager/releases/download/v1.15.1/cert-manager.yaml -O -kubectl apply -f cert-manager.yaml -``` - -To update the issuer configuration or TSIG secret: - -``` -kubectl apply -f default-issuer.yml - kubectl -n cert-manager create secret generic tsig-secret \ - --from-literal=TSIG_SECRET= +```sh +kustomize build . --enable-helm ``` +## Webhook timeout Workaround for webhook timeout issue https://github.com/jetstack/cert-manager/issues/2602 It's not very clear why this is happening, deserves further investigation - presumably Calico related somehow: diff --git a/cert-manager/default-cluster-cert-issuer.yaml b/cert-manager/default-cluster-cert-issuer.yaml index 1643fa0..9a54742 100644 --- a/cert-manager/default-cluster-cert-issuer.yaml +++ b/cert-manager/default-cluster-cert-issuer.yaml @@ -9,7 +9,7 @@ spec: email: info@k-space.ee server: https://acme-v02.api.letsencrypt.org/directory privateKeySecretRef: - name: default-cluster-cert-issuer-accountKey # auto-generated by cert-manager + name: example-issuer-account-key # auto-generated by cert-manager solvers: - dns01: rfc2136: diff --git a/cert-manager/kustomization.yaml b/cert-manager/kustomization.yaml index 24f8b92..a60ed40 100644 --- a/cert-manager/kustomization.yaml +++ b/cert-manager/kustomization.yaml @@ -9,7 +9,12 @@ helmCharts: name: &name cert-manager releaseName: *name repo: https://charts.jetstack.io - version: v1.15.1 + valuesInline: + namespace: *name + global: + leaderElection: + namespace: *name + version: v1.18.1 resources: - ssh://git@git.k-space.ee/secretspace/kube/cert-manager # secrets (.env): tsig-secret diff --git a/tigera-operator/.gitignore b/tigera-operator/.gitignore deleted file mode 100644 index 03bd412..0000000 
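Review bot: The new `privateKeySecretRef.name` in default-cluster-cert-issuer.yaml reads as pasted from the upstream example (`example-issuer-account-key`) rather than following this file's naming, and the reason for the change is not recorded. The old value `default-cluster-cert-issuer-accountKey` could never have named a Secret, since Secret names must be lowercase RFC 1123 subdomains, so a rename is needed; a lowercase form of the original name with a comment would keep it self-explanatory, e.g. `name: default-cluster-cert-issuer-account-key # auto-generated by cert-manager; must be lowercase`. Whichever name is used, if no Secret of that name exists in cert-manager's cluster-resource namespace, cert-manager generates a fresh key and registers a new ACME account on first sync, so that is worth stating next to the line.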
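Review bot: The `valuesInline` block added to the `helmCharts` entry in kustomization.yaml sets namespaces but not `crds.enabled` (or the older `installCRDs`), which the cert-manager chart leaves off by default; unless `includeCRDs: true` or a CRD value is set in the part of the entry above the hunk, the `ClusterIssuer` in this directory has nothing to apply against and the Application cannot sync. Adding `crds.enabled: true # chart does not install CRDs by default` under `valuesInline` would make the dependency explicit. The version also moves from v1.15.1 to v1.18.1 in one step; a comment next to `version:` noting that the CRDs are upgraded with the chart (or separately, if that is the intent) would help whoever runs the first automated sync. The `helmCharts` entry starts above the hunk.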
--- a/tigera-operator/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-*.env
diff --git a/woodpecker/.gitignore b/woodpecker/.gitignore
deleted file mode 100644
index 2faa846..0000000
--- a/woodpecker/.gitignore
+++ /dev/null
@@ -1,2 +0,0 @@
-charts/
-*.env