From 2c303122fb97e7d6d54669f8f57245daa674946e Mon Sep 17 00:00:00 2001 From: Nico Schottelius Date: Fri, 18 Jun 2021 22:17:57 +0200 Subject: [PATCH] ++working letsencrypt / staging setup!!! --- apps/nginx-certbot/base/deployment.yaml | 123 ++++++++++++++++++++++-- apps/nginx-certbot/base/nginx-443 | 6 +- 2 files changed, 120 insertions(+), 9 deletions(-) diff --git a/apps/nginx-certbot/base/deployment.yaml b/apps/nginx-certbot/base/deployment.yaml index 408c874..c3d7550 100644 --- a/apps/nginx-certbot/base/deployment.yaml +++ b/apps/nginx-certbot/base/deployment.yaml @@ -1,16 +1,43 @@ +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: tls1-letsencrypt-certs +spec: + accessModes: + - ReadWriteMany + resources: + requests: + storage: 50Mi + storageClassName: rook-cephfs +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: tls1-webroot +spec: + accessModes: + - ReadWriteMany + resources: + requests: + storage: 100Mi + storageClassName: rook-cephfs +--- apiVersion: apps/v1 kind: Deployment metadata: - name: tls1 + name: tls1-http spec: selector: matchLabels: - app: tls1 + app: tls1-nginx + ssl: no replicas: 1 template: metadata: labels: - app: tls1 + app: tls1-nginx + ssl: no spec: containers: - name: nginx-80 @@ -20,6 +47,39 @@ spec: volumeMounts: - name: nginx-config-80 mountPath: "/etc/nginx/conf.d/" + - name: etcletsencrypt + mountPath: "/etc/letsencrypt" + - name: webroot + mountPath: "/usr/share/nginx/html" + volumes: + - name: nginx-config-80 + configMap: + name: nginx-80-config + - name: etcletsencrypt + persistentVolumeClaim: + claimName: tls1-letsencrypt-certs + - name: webroot + persistentVolumeClaim: + claimName: tls1-webroot + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: tls1-https +spec: + selector: + matchLabels: + app: tls1-nginx + ssl: yes + replicas: 1 + template: + metadata: + labels: + app: tls1-nginx + ssl: yes + spec: + containers: - name: nginx-443 image: nginx:1.20.0-alpine ports: 
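Review bot: The new `ssl: no` and `ssl: yes` label values in both `selector.matchLabels` and `template.metadata.labels` are unquoted, so a YAML 1.1-style loader (what kubectl and kustomize use) reads them as booleans, and Kubernetes label values must be strings — I would expect the apply to be rejected with a "got boolean, expected string" validation error rather than silently work. Quote them, `ssl: "no"` / `ssl: "yes"`, or better pick values that are not YAML keywords such as `tls: disabled` / `tls: enabled`, keeping selector and template labels identical. The tls1-http Deployment's container list continues past the end of this hunk.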
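Review bot: The nginx-80 container of tls1-http now mounts tls1-letsencrypt-certs at /etc/letsencrypt read-write, although this pod only has to serve the ACME challenge files from the webroot; that places the Let's Encrypt account key and the certificate private key into a pod that never uses them. Drop the `etcletsencrypt` volumeMount and volume from this Deployment, or, if it is kept for a later redirect config, mount it `readOnly: true`. The `webroot` mount is only read by nginx (certbot writes it from the Job), so it can also carry `readOnly: true`.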
@@ -27,13 +87,21 @@ spec: volumeMounts: - name: nginx-config-443 mountPath: "/etc/nginx/conf.d/" + - name: etcletsencrypt + mountPath: "/etc/letsencrypt" + - name: webroot + mountPath: "/usr/share/nginx/html" volumes: - - name: nginx-config-80 - configMap: - name: nginx-80-config - name: nginx-config-443 configMap: name: nginx-443-config + - name: etcletsencrypt + persistentVolumeClaim: + claimName: tls1-letsencrypt-certs + - name: webroot + persistentVolumeClaim: + claimName: tls1-webroot + --- apiVersion: v1 kind: Service @@ -45,6 +113,49 @@ spec: type: ClusterIP ports: - port: 80 + name: http - port: 443 + name: https selector: app: tls1-nginx +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: tls1-getcert +spec: + template: + spec: + restartPolicy: Never + containers: + - name: certbot + image: ungleich/ungleich-certbot + command: + - certbot + - certonly + - --agree-tos + - --cert-name + - 'tls1.default.svc.c2.k8s.ooo' + - --email + - sre@ungleich.ch + - --expand + - --non-interactive + - --webroot + - --webroot-path + - /usr/share/nginx/html + - --domain + - 'tls1.default.svc.c2.k8s.ooo' + - --staging + volumeMounts: + - name: etcletsencrypt + mountPath: "/etc/letsencrypt" + - name: webroot + mountPath: "/usr/share/nginx/html" + volumes: + - name: etcletsencrypt + persistentVolumeClaim: + claimName: tls1-letsencrypt-certs + - name: webroot + persistentVolumeClaim: + claimName: tls1-webroot + backoffLimit: 3 diff --git a/apps/nginx-certbot/base/nginx-443 b/apps/nginx-certbot/base/nginx-443 index 204265f..452c3f2 100644 --- a/apps/nginx-certbot/base/nginx-443 +++ b/apps/nginx-certbot/base/nginx-443 
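Review bot: The `etcletsencrypt` and `webroot` mounts added to nginx-443 are read-write, but this container only reads fullchain.pem/privkey.pem and the webroot, so both should carry `readOnly: true` — otherwise a compromised nginx can overwrite the private key on the shared RWX volume or plant files that the certbot webroot will serve. Separately, nginx-443's config (per the nginx-443 hunk below) points at /etc/letsencrypt/live/tls1.default.svc.c2.k8s.ooo/, which does not exist on a fresh PVC until the tls1-getcert Job has succeeded, so I would expect tls1-https to crash-loop until then; an initContainer that waits for privkey.pem, or at least a comment such as `# tls1-https only starts once tls1-getcert has populated tls1-letsencrypt-certs`, would make that ordering explicit.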
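Review bot: The Service selector is still `app: tls1-nginx`, which after this commit matches both the tls1-http and tls1-https pods while the Service exposes ports 80 and 443 on each, so roughly half of port-80 requests — including the ACME HTTP-01 validation the tls1-getcert Job depends on — will be routed to the https pod, which has no listener on 80, and the Job will fail intermittently. The `ssl` label cannot fix this with a single Service, and the certificate is issued for what looks like this Service's own cluster DNS name, so both ports must stay behind one Service; the cleanest fix is to keep nginx-80 and nginx-443 in one pod as before this commit (or have every pod listen on both ports). Note also that the one-shot Job with `--staging` yields an untrusted staging certificate and no renewal path; once off staging, a CronJob running `certbot renew` and reloading nginx is still needed.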
@@ -2,10 +2,10 @@ server {
 listen 443 ssl;
 listen [::]:443 ssl;
- server_name tls1.svc.c2.k8s.ooo;
+ server_name tls1.default.svc.c2.k8s.ooo;
- ssl_certificate /etc/letsencrypt/live/tls1.svc.c2.k8s.ooo/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/tls1.svc.c2.k8s.ooo/privkey.pem;
+ ssl_certificate /etc/letsencrypt/live/tls1.default.svc.c2.k8s.ooo/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/tls1.default.svc.c2.k8s.ooo/privkey.pem;
 client_max_body_size 256m;