k8s let's encrypt issuer and cert creation

2022-08-04 20:03:42 -04:00
parent 7410984c5e
commit 8c752b2b70
10 changed files with 171 additions and 11 deletions
--- a/ansible-5/roles/prod.k3s/files/cert-manager/acme.issuer.prod.yaml
+++ b/ansible-5/roles/prod.k3s/files/cert-manager/acme.issuer.prod.yaml
@@ -0,0 +1,20 @@
+---
+#https://cert-manager.io/docs/configuration/acme/#creating-a-basic-acme-issuer
+
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-production
+spec:
+  acme:
+    email: r_morgan@sympatico.ca
+    server: https://acme-v02.api.letsencrypt.org/directory
+#    disableAccountKeyGeneration: true
+    privateKeySecretRef:
+      # Secret resource that will be used to store the account's private key.
+      name: letsencrypt-production-issuer-account-key
+    # Add a single challenge solver, HTTP01
+    solvers:
+      - http01:
+          ingress:
+            class: traefik
--- a/ansible-5/roles/prod.k3s/files/cert-manager/acme.issuer.stg.yaml
+++ b/ansible-5/roles/prod.k3s/files/cert-manager/acme.issuer.stg.yaml
@@ -0,0 +1,20 @@
+---
+#https://cert-manager.io/docs/configuration/acme/#creating-a-basic-acme-issuer
+
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-staging
+spec:
+  acme:
+    email: r_morgan@sympatico.ca
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+#    disableAccountKeyGeneration: true
+    privateKeySecretRef:
+      # Secret resource that will be used to store the account's private key.
+      name: letsencrypt-staging-issuer-account-key
+    # Add a single challenge solver, HTTP01
+    solvers:
+      - http01:
+          ingress:
+            class: traefik
--- a/ansible-5/roles/prod.k3s/files/cert-manager/certificate.xai-corp.prod.yaml
+++ b/ansible-5/roles/prod.k3s/files/cert-manager/certificate.xai-corp.prod.yaml
@@ -0,0 +1,32 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: xai-corp
+  namespace: default
+spec:
+  # Secret names are always required.
+  secretName: xai-corp-staging-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: xai-corp.net
+  dnsNames:
+    - xai-corp.net
+    - git.xai-corp.net
+    - tunedb.xai-corp.net
+    - www.xai-corp.net
+    - xaibox.xai-corp.net
+    - sql.xai-corp.net
+    - cik.xai-corp.net
+  acme:
+    config:
+      - http01:
+          ingressClass: traefik
+        domains:
+          - xai-corp.net
+#      - http01:
+#          ingress: certs-ingress
+#        domains:
+#          - hello.xai-corp.net
+#          - sql.xai-corp.net
--- a/ansible-5/roles/prod.k3s/files/cert-manager/certificate.xai-corp.stg.yaml
+++ b/ansible-5/roles/prod.k3s/files/cert-manager/certificate.xai-corp.stg.yaml
@@ -0,0 +1,28 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: xai-corp
+  namespace: default
+spec:
+  # Secret names are always required.
+  secretName: xai-corp-staging-tls
+  issuerRef:
+    name: letsencrypt-staging
+    kind: ClusterIssuer
+  commonName: xai-corp.net
+  dnsNames:
+    - xai-corp.net
+    - www.xai-corp.net
+    - sql.xai-corp.net
+  acme:
+    config:
+      - http01:
+          ingressClass: traefik
+        domains:
+          - xai-corp.net
+#      - http01:
+#          ingress: certs-ingress
+#        domains:
+#          - hello.xai-corp.net
+#          - sql.xai-corp.net