workignn on getting cert manager up to snuff

2025-01-13 22:23:24 -07:00
parent 1458dfe23b
commit 92b2bb78c0
7 changed files with 99 additions and 24 deletions
--- a/kubernetes/Readme.md
+++ b/kubernetes/Readme.md
@@ -0,0 +1,23 @@
+# sources
+
+
+nix instructions: <https://github.com/NixOS/nixpkgs/blob/master/pkgs/applications/networking/cluster/k3s/README.md>
+
+
+
+## tailscale operator
+
+```
+helm repo add tailscale https://pkgs.tailscale.com/helmcharts
+helm repo update
+helm upgrade \
+  --install \
+  tailscale-operator \
+  tailscale/tailscale-operator \
+  --namespace=tailscale \
+  --create-namespace \
+  --set-string oauth.clientId="<OAauth client ID>" \
+  --set-string oauth.clientSecret="<OAuth client secret>" \
+  --wait
+```
+
--- a/kubernetes/cloudflare-issuer/Readme.md
+++ b/kubernetes/cloudflare-issuer/Readme.md
@@ -0,0 +1,22 @@
+## Cloudflare cert manager
+
+<https://cert-manager.io/docs/installation/helm/>
+```bash
+helm repo add jetstack https://charts.jetstack.io --force-update
+helm install \
+  cert-manager jetstack/cert-manager \
+  --namespace cert-manager \
+  --create-namespace \
+  --version v1.16.2 \
+  --set crds.enabled=true
+```
+
+
+<https://medium.com/@kevinlutzer9/managed-ssl-certs-for-a-private-kubernetes-cluster-with-cloudflare-cert-manager-and-lets-encrypt-7987ba19044f>
+
+```bash
+kubectl create secret generic cloudflare-api-key-secret --from-literal=api-key=<TOKEN>
+```
+
+
+then apply `issuer.yml`1
--- a/kubernetes/cloudflare-issuer/issuer.yml
+++ b/kubernetes/cloudflare-issuer/issuer.yml
@@ -0,0 +1,18 @@
+# issuer.yml
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: ca-issuer
+spec:
+  acme:
+    email: alexmickelson96@gmail.com
+    server: https://acme-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      name: issuer-key
+    solvers:
+    - dns01:
+        cloudflare:
+          email: alexmickelson96@gmail.com
+          apiTokenSecretRef:
+            name: cloudflare-api-key-secret
+            key: api-key
--- a/kubernetes/gitea/db.yml
+++ b/kubernetes/gitea/db.yml
@@ -2,16 +2,16 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  namespace: projects
-  name: gitea_db
+  name: gitea-db
 spec:
  replicas: 1
  selector:
    matchLabels:
-      app: gitea_db
+      app: gitea-db
  template:
    metadata:
      labels:
-        app: gitea_db
+        app: gitea-db
    spec:
      containers:
        - name: postgres
@@ -22,7 +22,7 @@ spec:
            - name: POSTGRES_USER
              value: "gitea"
            - name: POSTGRES_PASSWORD
-              value: "${POSTGRES_PASSWORD}"
+              value: wauiofnasufnweaiufbsdklfjb23456
            - name: POSTGRES_DB
              value: "gitea"
          volumeMounts:
@@ -37,15 +37,15 @@ spec:
 apiVersion: v1
 kind: Service
 metadata:
-  name: gitea_db
+  name: gitea-db-svc
  namespace: projects
  labels:
-    app: gitea_db
+    app: gitea-db
 spec:
  ports:
    - protocol: TCP
      port: 5432
      targetPort: 5432
  selector:
-    app: gitea_db
+    app: gitea-db
  type: ClusterIP
--- a/kubernetes/gitea/web.yml
+++ b/kubernetes/gitea/web.yml
@@ -1,17 +1,17 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: gitea_web
+  name: gitea-web
  namespace: projects
 spec:
  replicas: 1
  selector:
    matchLabels:
-      app: gitea_web
+      app: gitea-web
  template:
    metadata:
      labels:
-        app: gitea_web
+        app: gitea-web
    spec:
      containers:
        - name: gitea
@@ -27,16 +27,13 @@ spec:
            - name: GITEA__database__DB_TYPE
              value: "postgres"
            - name: GITEA__database__HOST
-              value: "postgres:5432"
+              value: "gitea-db-svc:5432"
            - name: GITEA__database__NAME
              value: "gitea"
            - name: GITEA__database__USER
              value: "gitea"
            - name: GITEA__database__PASSWD
-              valueFrom:
-                secretKeyRef:
-                  name: gitea-db-secret
-                  key: postgres-password
+              value: wauiofnasufnweaiufbsdklfjb23456
          volumeMounts:
            - name: gitea-data
              mountPath: /data
@@ -62,7 +59,7 @@ spec:
 apiVersion: v1
 kind: Service
 metadata:
-  name: gitea_web
+  name: gitea-web-svc
  namespace: projects
 spec:
  type: NodePort
@@ -74,4 +71,25 @@ spec:
      port: 22
      targetPort: 22
  selector:
-    app: gitea_web
+    app: gitea-web
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: gitea
+  namespace: projects
+spec:
+  ingressClassName: tailscale
+  tls:
+  - hosts: 
+    - gitea
+  rules:
+    - http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: gitea-web-svc
+                port:
+                  number: 3000
--- a/kubernetes/k3s-install.md
+++ b/kubernetes/k3s-install.md
@@ -1,7 +0,0 @@
-# sources
-
-
-nix instructions <https://github.com/NixOS/nixpkgs/blob/master/pkgs/applications/networking/cluster/k3s/README.md>
-
-
-
--- a/nix/home-manager/desktop.home.nix
+++ b/nix/home-manager/desktop.home.nix
@@ -9,6 +9,7 @@
    # nerd-fonts.droid-sans-mono
    # fira-code
    (nerdfonts.override { fonts = [ "FiraCode" "DroidSansMono" ]; })
+    kubernetes-helm
  ];
  fonts.fontconfig.enable = true;
  dconf.enable = true;