add cert manager

casa-limbosolutions-com/certificate.yaml

@@ -1,4 +1,6 @@
-# to run on icarus
+# Proxima iteração arranjar uma maneira de copiar os certificados entre namespaces, ainda foi a mão
+# ter em atenção que ao copiar é melhor apagar anotations do cert manager para o mesmo nao ser gerido por mais do que um namespcace
+
 
 apiVersion: cert-manager.io/v1
 kind: Certificate

services/cert-manager/.gitignore

@@ -0,0 +1,2 @@
+.env.d/**
+.env

services/cert-manager/README.md

@@ -0,0 +1,94 @@
+# cert-manager
+
+- [cloudflare](#cloudflare)
+- [api secrets](#api-secrets)
+- [Cluster Issuer](#cluster-issuer)
+  - [Staging](#staging)
+    - [Deploy](#deploy)
+    - [Describe](#describe)
+  - [Production](#production)
+    - [Deploy (Production)](#deploy-production)
+    - [Describe (Production)](#describe-production)
+- [helm chart](#helm-chart)
+
+## cloudflare
+
+## api secrets
+
+[cloudflare-api-token.yaml](./cloudflare-api-token.yaml).
+
+```bash
+set -a
+source ./.env
+set +a
+envsubst < ./cloudflare-api-token.yaml \
+| kubectl apply -n kube-system -f -
+```
+
+## Cluster Issuer
+
+### Staging
+
+#### Deploy
+
+[letsencrypt-clusterissuer-staging.yaml](./letsencrypt-clusterissuer-staging.yaml).
+
+```bash
+set -a
+source ./.env
+set +a
+envsubst < ./letsencrypt-clusterissuer-staging.yaml \
+| kubectl apply -n kube-system -f -
+```
+
+#### Describe
+
+```bash
+kubectl describe clusterissuer letsencrypt-staging
+```
+
+### Production
+
+#### Deploy (Production)
+
+[letsencrypt-clusterissuer-prod.yaml](./letsencrypt-clusterissuer-prod.yaml).
+
+```bash
+set -a
+source ./.env
+set +a
+envsubst < ./letsencrypt-clusterissuer-prod.yaml \
+| kubectl apply -n kube-system -f -
+```
+
+```bash
+set -a
+source ./.env
+set +a
+envsubst < ./letsencrypt-clusterissuer-staging.yaml \
+| kubectl apply -n kube-system -f -
+```
+
+#### Describe (Production)
+
+```bash
+kubectl describe clusterissuer letsencrypt-prod
+```
+
+**Force cert refresh:**
+
+``` bash
+kubectl delete certificaterequest -l cert-manager.io/certificate-name=monitoring-limbosolutions-com-tls
+kubectl delete order  -l cert-manager.io/certificate-name=monitoring-limbosolutions-com-tls
+```
+
+## helm chart
+
+``` bash
+helm repo add jetstack https://charts.jetstack.io  --force-update  
+helm upgrade --install cert-manager jetstack/cert-manager \
+--namespace kube-system \
+--version=v1.20.2 \
+--create-namespace \
+--set crds.enabled=true
+```

services/cert-manager/cloudflare-api-token.yaml

@@ -0,0 +1,15 @@
+#########################################################################
+# requires ./.env
+# ./.env example:
+# EMAIL="myemail@example.com"
+# check README.md for more information
+##########################################################################
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cloudflare-api-token
+  namespace: kube-system
+type: Opaque
+stringData:
+  api-token: ${CLOUDFLARE_API_TOKEN}

services/cert-manager/letsencrypt-clusterissuer-prod.yaml

@@ -0,0 +1,28 @@
+#########################################################################
+# requires ./.env
+# ./.env example:
+# EMAIL="myemail@example.com"
+# check README.md for more information
+##########################################################################
+
+
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-prod
+  namespace: kube-system
+spec:
+  acme:
+    email: "${EMAIL}"
+    server: https://acme-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      name: letsencrypt-prod
+    solvers:
+    - selector:
+        dnsZones:
+        - "limbosolutions.com"
+      dns01:
+        cloudflare:
+          apiTokenSecretRef:
+            name: cloudflare-api-token
+            key: api-token

services/cert-manager/letsencrypt-clusterissuer-staging.yaml

@@ -0,0 +1,29 @@
+#########################################################################
+# requires ./.env
+# ./.env example:
+# EMAIL="myemail@example.com"
+# CLOUDFLARE_API_TOKEN="clouddlare api key"
+# check README.md for more information
+##########################################################################
+
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-staging
+  namespace: kube-system
+spec:
+  acme:
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    # Replace with your domain email.
+    email: "${EMAIL}"
+    privateKeySecretRef:
+      name: letsencrypt-staging
+    solvers:
+       - dns01:
+          cloudflare:
+            email: ${EMAIL}
+            apiTokenSecretRef:
+              name: cloudflare-api-token
+              key:  api-token
+
+