cert-manager to argo kustomize helm

2025-06-18 17:41:50 +03:00
parent 28daa56bad
commit aab40b012d
9 changed files with 41 additions and 25 deletions

.gitignore vendored
View File

@@ -5,6 +5,10 @@
*.save
*.1
# Kustomize with Helm and secrets:
charts/
*.env
### IntelliJ IDEA ###
.idea
*.iml
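Review bot: the comment `# Kustomize with Helm and secrets:` should say what the two patterns protect, since `*.env` is the file that carries the tsig-secret material (per the `# secrets (.env): tsig-secret` comment in kustomization.yaml) and `charts/` is the Helm chart cache that `kustomize build --enable-helm` pulls down; something like `# Helm chart cache pulled by kustomize; *.env holds secret values, never commit` keeps a later contributor from narrowing the pattern. Moving the patterns to the root is consistent with the per-directory ignore files removed further down in this change.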

View File

@@ -0,0 +1,21 @@
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: cert-manager
namespace: argocd
spec:
project: k-space.ee
source:
# also depends on git@git.k-space.ee:secretspace/kube.git
repoURL: git@git.k-space.ee:k-space/kube.git
targetRevision: HEAD
path: cert-manager
destination:
server: 'https://kubernetes.default.svc'
namespace: cert-manager
syncPolicy:
automated:
prune: true
syncOptions:
- CreateNamespace=true
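Review bot: `targetRevision: HEAD` combined with `automated: prune: true` applies every push to the default branch and deletes any cluster object that disappears from the rendered output, so consider pinning `targetRevision` to the branch name and adding `prune` only after the first sync has been checked. The comment on `source` notes a dependency on `git@git.k-space.ee:secretspace/kube.git`, but the Application only declares the `k-space/kube` repo; because the kustomization fetches the secretspace path over SSH during `kustomize build`, the ArgoCD repo-server needs an SSH credential for that second repository as well, otherwise the render (and therefore the sync) fails. Worth stating that in the comment rather than leaving it implicit.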

View File

@@ -36,7 +36,7 @@ which are internally exposed IP-s of the secondaries.
To configure TSIG secrets:
```
```sh
kubectl create secret generic -n bind bind-readonly-secret \
--from-file=readonly.key
kubectl create secret generic -n bind bind-readwrite-secret \
@@ -45,9 +45,8 @@ kubectl create secret generic -n bind external-dns
kubectl -n bind delete secret tsig-secret
kubectl -n bind create secret generic tsig-secret \
--from-literal=TSIG_SECRET=$(cat readwrite.key | grep secret | cut -d '"' -f 2)
kubectl -n cert-manager delete secret tsig-secret
kubectl -n cert-manager create secret generic tsig-secret \
--from-literal=TSIG_SECRET=$(cat readwrite.key | grep secret | cut -d '"' -f 2)
# ^ same tsig-secret is in git.k-space.ee/secretspace/kube cert-manager
```
# Serving additional zones
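Review bot: the new comment says the same `tsig-secret` is kept in `git.k-space.ee/secretspace/kube` under cert-manager, but the bind copy is still created by hand from `readwrite.key` in the lines above, so the README should state that rotating the TSIG key means updating both places; if only bind is rotated, cert-manager's rfc2136 solver keeps presenting a key that bind no longer accepts and DNS-01 challenges start failing. The extraction `cat readwrite.key | grep secret | cut -d '"' -f 2` is also fragile against any change in the key file layout; deriving the bind secret from the same `.env` value that the secretspace repo carries would keep both copies identical by construction.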

View File

@@ -1 +0,0 @@
cert-manager.yaml

View File

@@ -7,7 +7,7 @@ Refer to the [Bind primary Ansible playbook](https://git.k-space.ee/k-space/ansi
[Bind namespace on Kubernetes cluster](https://git.k-space.ee/k-space/kube/src/branch/master/bind)
for more details
# For user
# For developer
Use `Certificate` CRD of cert-manager, refer to
[official documentation](https://cert-manager.io/docs/usage/certificate/).
@@ -15,23 +15,14 @@ Use `Certificate` CRD of cert-manager, refer to
To find usage examples in this repository use
`grep -r -A10 "^kind: Certificate" .`
# For administrator
# Deployment
With ArgoCD. Render it locally:
Deployed with:
```
curl -L https://github.com/jetstack/cert-manager/releases/download/v1.15.1/cert-manager.yaml -O
kubectl apply -f cert-manager.yaml
```
To update the issuer configuration or TSIG secret:
```
kubectl apply -f default-issuer.yml
kubectl -n cert-manager create secret generic tsig-secret \
--from-literal=TSIG_SECRET=<secret>
```sh
kustomize build . --enable-helm
```
## Webhook timeout
Workaround for webhook timeout issue https://github.com/jetstack/cert-manager/issues/2602
It's not very clear why this is happening, deserves further investigation - presumably Calico related somehow:
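Review bot: the removed lines were the only place this README explained how `default-issuer.yml` and the `tsig-secret` reach the cluster; the replacement `kustomize build . --enable-helm` shows how to render locally but not that the secret now comes from the secretspace repo referenced in `kustomization.yaml`, nor that `default-issuer.yml` is now applied by ArgoCD rather than by hand. Add a sentence pointing at that repo and note that the local render needs SSH access to it, since `kustomize build` fetches the remote resource. `With ArgoCD. Render it locally:` also reads as a fragment; `Deployed with ArgoCD. To render the manifests locally:` would be clearer.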

View File

@@ -9,7 +9,7 @@ spec:
email: info@k-space.ee
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: default-cluster-cert-issuer-accountKey # auto-generated by cert-manager
name: example-issuer-account-key # auto-generated by cert-manager
solvers:
- dns01:
rfc2136:
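Review bot: changing `privateKeySecretRef.name` from `default-cluster-cert-issuer-accountKey` to `example-issuer-account-key` points cert-manager at a different Secret; as the comment says it is auto-generated, cert-manager will create a new key and register a new ACME account with Let's Encrypt instead of reusing the existing one, and the old Secret is left behind. The old name contains an uppercase letter, which Kubernetes does not accept in Secret names, so if the rename is what makes the issuer work, say so in the commit message; otherwise keep the old name or copy the existing Secret to the new name before syncing. Either way, `example-issuer-account-key` reads like the placeholder from the cert-manager docs rather than a name chosen for this cluster.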

View File

@@ -9,7 +9,12 @@ helmCharts:
name: &name cert-manager
releaseName: *name
repo: https://charts.jetstack.io
version: v1.15.1
valuesInline:
namespace: *name
global:
leaderElection:
namespace: *name
version: v1.18.1
resources:
- ssh://git@git.k-space.ee/secretspace/kube/cert-manager # secrets (.env): tsig-secret
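Review bot: the remote resource `ssh://git@git.k-space.ee/secretspace/kube/cert-manager` is unpinned, so every render pulls whatever is on that repo's default branch; pin it with a `?ref=` query to a tag or commit so a secret change in the other repo cannot silently alter this deployment. The chart also jumps from `v1.15.1` to `v1.18.1` in the same commit that switches the deployment method; a three-minor-version cert-manager upgrade brings CRD changes, so it is better split into its own commit that can be rolled back independently of the ArgoCD move. The `valuesInline` additions (`namespace: *name` and `global.leaderElection.namespace: *name`) are fine, but the leader-election namespace change means cert-manager now needs its lease RBAC in `cert-manager` rather than `kube-system`, which the chart renders for you only if the version you are deploying supports that value; worth confirming on the first sync.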

View File

@@ -1 +0,0 @@
*.env

View File

@@ -1,2 +0,0 @@
charts/
*.env
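Review bot: with these per-directory ignore files removed (the `*.env` one above and this `charts/` + `*.env` one), the patterns rely entirely on the root `.gitignore` change in this commit; verify that no `.env` file in these directories was already tracked, because `.gitignore` does not untrack files that were previously committed (`git ls-files '*.env'` lists any such file).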