add cert-manager configuration

This commit is contained in:
vfebvre 2023-08-30 16:23:34 +02:00
parent d33d3b150d
commit 785cc54cef
8 changed files with 135 additions and 24 deletions

View File

@ -9,6 +9,7 @@ metadata:
nginx.ingress.kubernetes.io/enable-cors: "true" #cf 01 nginx.ingress.kubernetes.io/enable-cors: "true" #cf 01
nginx.ingress.kubernetes.io/cors-allow-headers: "X-Forwarded-For" #cf 01 nginx.ingress.kubernetes.io/cors-allow-headers: "X-Forwarded-For" #cf 01
# nginx.ingress.kubernetes.io/client_max_body_size: "100m" # nginx.ingress.kubernetes.io/client_max_body_size: "100m"
spec: spec:
ingressClassName: nginx ingressClassName: nginx
rules: rules:

View File

@ -1,33 +1,33 @@
- op: replace #- op: replace
path: /metadata/annotations/nginx.ingress.kubernetes.io~1proxy-body-size # path: /metadata/annotations/nginx.ingress.kubernetes.io~1proxy-body-size
value: "1G" # value: "1G"
- op: replace #- op: replace
path: /metadata/annotations/nginx.ingress.kubernetes.io~1enable-cors # path: /metadata/annotations/nginx.ingress.kubernetes.io~1enable-cors
value: "true" # value: "true"
- op: replace #- op: replace
path: /metadata/annotations/nginx.ingress.kubernetes.io~1cors-allow-headers # path: /metadata/annotations/nginx.ingress.kubernetes.io~1cors-allow-headers
value: "X-Forwarded-For" # value: "X-Forwarded-For"
# En cas de besoin # En cas de besoin
#- op: add #- op: add
# path: /metadata/annotations/nginx.ingress.kubernetes.io~1client_max_body_size # path: /metadata/annotations/nginx.ingress.kubernetes.io~1client_max_body_size
# value: "100m" # value: "100m"
- op: replace #- op: replace
path: /spec/rules/0/host # path: /spec/rules/0/host
value: nxt.cadoles.fr # value: nxt.cadoles.fr
- op: replace #- op: replace
path: /spec/rules/0/http/paths/0/path # path: /spec/rules/0/http/paths/0/path
value: / # value: /
- op: replace #- op: replace
path: /spec/rules/0/http/paths/0/pathType # path: /spec/rules/0/http/paths/0/pathType
value: Prefix # value: Prefix
- op: replace #- op: replace
path: /spec/rules/0/http/paths/0/backend/service/name # path: /spec/rules/0/http/paths/0/backend/service/name
value: nextcloud # value: nextcloud
- op: replace #- op: replace
path: /spec/rules/0/http/paths/0/backend/service/port/number # path: /spec/rules/0/http/paths/0/backend/service/port/number
value: 80 # value: 80

View File

@ -0,0 +1,29 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: nextcloud
annotations:
nginx.ingress.kubernetes.io/proxy-body-size: "5m"
nginx.ingress.kubernetes.io/enable-cors: "true"
nginx.ingress.kubernetes.io/cors-allow-headers: "X-Forwarded-For"
cert-manager.io/issuer: cadoles-selfsigned-ca
spec:
ingressClassName: nginx
tls:
- hosts:
- nxt.cadoles.fr
secretName: cadoles-selfsigned-ca
rules:
- host: nxt.cadoles.fr
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: nextcloud
port:
number: 80

View File

@ -0,0 +1,7 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./resources/cluster-issuer.yaml
- ./resources/ca.yaml
- ./resources/issuer.yaml

View File

@ -0,0 +1,19 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: cadoles-selfsigned-ca
# namespace: cert-manager
# namespace: ingress-nginx
spec:
isCA: true
commonName: cadoles-selfsigned-ca
# secretName: root-secret
secretName: cadoles-selfsigned-ca
privateKey:
algorithm: ECDSA
size: 256
issuerRef:
name: cadoles-selfsigned-issuer
kind: ClusterIssuer
group: cert-manager.io

View File

@ -0,0 +1,6 @@
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: cadoles-selfsigned-issuer
spec:
selfSigned: {}

View File

@ -0,0 +1,9 @@
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: cadoles-ca-issuer
# namespace: cert-manager
# namespace: ingress-nginx
spec:
ca:
secretName: cadoles-selfsigned-ca

View File

@ -0,0 +1,40 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: nextcloud
spec:
# Secret names are always required.
#secretName: nextcloud-tls
secretName: cadoles-selfsigned-ca
duration: 2160h # 90d
renewBefore: 360h # 15d
subject:
organizations:
- cadoles
# The use of the common name field has been deprecated since 2000 and is
# discouraged from being used.
commonName: cadoles.fr
isCA: false
privateKey:
algorithm: RSA
encoding: PKCS1
size: 2048
usages:
- server auth
- client auth
# At least one of a DNS Name, URI, or IP address is required.
dnsNames:
- nextcloud
- nextcloud.cadoles.fr
- nxt.cadoles.fr
# Issuer references are always required.
issuerRef:
name: cadoles-ca-issuer
# We can reference ClusterIssuers by changing the kind here.
# The default value is Issuer (i.e. a locally namespaced Issuer)
kind: Issuer
# This is optional since cert-manager will default to this value however
# if you are using an external issuer, change this to that issuer group.
group: cert-manager.io