From 52fbf6d61f3deeed44546363f6a4d89ca3d83643 Mon Sep 17 00:00:00 2001
From: Nico Schottelius
Date: Sat, 19 Jun 2021 19:58:09 +0200
Subject: [PATCH] [helm] certbot/nginx: add almost working version

---
apps/nginx-certbot-helm/.helmignore | 24 +++++++++
apps/nginx-certbot-helm/Chart.yaml | 24 +++++++++
apps/nginx-certbot-helm/deployment.yaml | 1 +
apps/nginx-certbot-helm/nginx-443 | 15 ++++++
apps/nginx-certbot-helm/nginx/http.conf | 16 ++++++
.../templates/certbot-job.yaml | 28 ++++++++++
.../templates/configmap.yaml | 22 ++++++++
.../templates/deployment.yaml | 54 +++++++++++++++++++
apps/nginx-certbot-helm/templates/pvc.yaml | 24 +++++++++
apps/nginx-certbot-helm/values.yaml | 2 +
10 files changed, 210 insertions(+)
create mode 100644 apps/nginx-certbot-helm/.helmignore
create mode 100644 apps/nginx-certbot-helm/Chart.yaml
create mode 100644 apps/nginx-certbot-helm/deployment.yaml
create mode 100644 apps/nginx-certbot-helm/nginx-443
create mode 100644 apps/nginx-certbot-helm/nginx/http.conf
create mode 100644 apps/nginx-certbot-helm/templates/certbot-job.yaml
create mode 100644 apps/nginx-certbot-helm/templates/configmap.yaml
create mode 100644 apps/nginx-certbot-helm/templates/deployment.yaml
create mode 100644 apps/nginx-certbot-helm/templates/pvc.yaml
create mode 100644 apps/nginx-certbot-helm/values.yaml

diff --git a/apps/nginx-certbot-helm/.helmignore b/apps/nginx-certbot-helm/.helmignore
new file mode 100644
index 0000000..8ecf230
--- /dev/null
+++ b/apps/nginx-certbot-helm/.helmignore
@@ -0,0 +1,24 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+.#*
diff --git a/apps/nginx-certbot-helm/Chart.yaml b/apps/nginx-certbot-helm/Chart.yaml
new file mode 100644
index 0000000..b1431d8
--- /dev/null
+++ b/apps/nginx-certbot-helm/Chart.yaml
@@ -0,0 +1,24 @@
+apiVersion: v2
+name: ungleich-cerbot-nginx
+description: nginx enabled with TLS for Letsencrypt
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.1
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.21.1"
diff --git a/apps/nginx-certbot-helm/deployment.yaml b/apps/nginx-certbot-helm/deployment.yaml
new file mode 100644
index 0000000..8b13789
--- /dev/null
+++ b/apps/nginx-certbot-helm/deployment.yaml
@@ -0,0 +1 @@
+
diff --git a/apps/nginx-certbot-helm/nginx-443 b/apps/nginx-certbot-helm/nginx-443
new file mode 100644
index 0000000..452c3f2
--- /dev/null
+++ b/apps/nginx-certbot-helm/nginx-443
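Review bot: `name: ungleich-cerbot-nginx` misspells certbot (missing "t"); the chart name ends up in every packaged release and in release metadata, so renaming later is a breaking change and is cheapest to fix now: `name: ungleich-certbot-nginx`. `appVersion: "1.21.1"` also disagrees with the `nginx:1.21.0-alpine` image used in templates/deployment.yaml; keep the two in step so the chart metadata describes what is actually deployed.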
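Review bot: The new `apps/nginx-certbot-helm/deployment.yaml` is an empty file at the chart root, outside `templates/`, so Helm never renders it but still ships it in the packaged chart. It looks like a leftover next to `templates/deployment.yaml` and should be dropped from the commit.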
@@ -0,0 +1,15 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ server_name tls1.default.svc.c2.k8s.ooo;
+
+ ssl_certificate /etc/letsencrypt/live/tls1.default.svc.c2.k8s.ooo/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/tls1.default.svc.c2.k8s.ooo/privkey.pem;
+
+ client_max_body_size 256m;
+
+ root /usr/share/nginx/html;
+
+ autoindex on;
+}
diff --git a/apps/nginx-certbot-helm/nginx/http.conf b/apps/nginx-certbot-helm/nginx/http.conf
new file mode 100644
index 0000000..8a9e368
--- /dev/null
+++ b/apps/nginx-certbot-helm/nginx/http.conf
@@ -0,0 +1,16 @@
+server {
+ listen *:80;
+ listen [::]:80;
+
+ server_name _;
+
+ # Forward for certbot
+ location /.well-known/acme-challenge/ {
+ root /usr/share/nginx/html;
+ }
+
+ # Everything else -> ssl
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
diff --git a/apps/nginx-certbot-helm/templates/certbot-job.yaml b/apps/nginx-certbot-helm/templates/certbot-job.yaml
new file mode 100644
index 0000000..9d3ddb3
--- /dev/null
+++ b/apps/nginx-certbot-helm/templates/certbot-job.yaml
@@ -0,0 +1,28 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ .Release.Name }}-getcert
+spec:
+ template:
+ metadata:
+ labels:
+ app: {{ .Release.Name }}-tls1-nginx
+ spec:
+ restartPolicy: Never
+ containers:
+ - name: certbot
+ image: ungleich/ungleich-certbot
+ ports:
+ - containerPort: 80
+ envFrom:
+ - configMapRef:
+ name: {{ .Release.Name }}-certbot-configmap
+ volumeMounts:
+ - name: etcletsencrypt
+ mountPath: "/etc/letsencrypt"
+ volumes:
+ - name: etcletsencrypt
+ persistentVolumeClaim:
+ claimName: {{ .Release.Name }}-letsencrypt-certs
+ backoffLimit: 3
diff --git a/apps/nginx-certbot-helm/templates/configmap.yaml b/apps/nginx-certbot-helm/templates/configmap.yaml
new file mode 100644
index 0000000..b569a9d
--- /dev/null
+++ b/apps/nginx-certbot-helm/templates/configmap.yaml
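Review bot: `nginx-443` sits at the chart root with a hard-coded `tls1.default.svc.c2.k8s.ooo`, duplicating the templated `default.conf` in templates/configmap.yaml; it is neither rendered as a template nor picked up by the `nginx/*.conf` glob, so it is dead content that still ships in the package and should be dropped or moved under `nginx/`. If it is kept, `autoindex on;` publishes a directory listing of the whole webroot volume over TLS, and with no `ssl_protocols` directive nginx 1.21 uses its built-in default, which (as far as the OpenSSL build allows) still offers TLSv1 and TLSv1.1. Remove `autoindex on;` unless listings are intended and add `ssl_protocols TLSv1.2 TLSv1.3;` next to the certificate lines.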
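Review bot: `return 301 https://$host$request_uri;` reflects whatever a client puts in the Host header into the Location header, and because `server_name _;` accepts every name, any host a client names becomes the redirect target; redirect to a fixed host name rather than `$host`, or answer unknown hosts with `return 444;` and keep the redirect only for the name the certificate is issued for. The ACME location serves challenges from `/usr/share/nginx/html`, which templates/deployment.yaml backs with the shared `webroot` claim, yet the certbot Job mounts only `/etc/letsencrypt`, so challenge files written by certbot in webroot mode would not be visible to nginx; it is unclear from the chart which challenge mode the job uses, so this is worth confirming before relying on the passthrough.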
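Review bot: `envFrom` references `{{ .Release.Name }}-certbot-configmap`, but no template in this chart creates that ConfigMap (templates/configmap.yaml defines `-nginx-config`), so the Job pod will sit in CreateContainerConfigError unless the ConfigMap is created out of band; add a template for it or point the ref at an existing object. `image: ungleich/ungleich-certbot` carries no tag, so every run pulls whatever `latest` is at that moment; for a job that writes the TLS private key into a shared volume, pin a tag or, better, a digest. The pod label `app: {{ .Release.Name }}-tls1-nginx` matches neither the Deployment nor the Service selector (`-nginx`), so the declared `containerPort: 80` is not reachable through the Service; if certbot runs in standalone mode that port needs its own Service, and if it runs in webroot mode the job needs the `webroot` claim mounted — presumably part of what makes this "almost working".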
@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ .Release.Name }}-nginx-config
+data:
+{{ (.Files.Glob "nginx/*.conf").AsConfig | indent 2 }}
+ default.conf: |
+ server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ server_name {{ .Values.serviceName }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }};
+
+ ssl_certificate /etc/letsencrypt/live/{{ .Values.serviceName }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{ .Values.serviceName }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}/privkey.pem;
+
+ client_max_body_size 256m;
+
+ root /usr/share/nginx/html;
+
+ autoindex on;
+ }
diff --git a/apps/nginx-certbot-helm/templates/deployment.yaml b/apps/nginx-certbot-helm/templates/deployment.yaml
new file mode 100644
index 0000000..e16d2e8
--- /dev/null
+++ b/apps/nginx-certbot-helm/templates/deployment.yaml
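Review bot: `autoindex on;` in the rendered `default.conf` exposes a browsable listing of the entire `webroot` volume over TLS, and with no `ssl_protocols` directive nginx 1.21 falls back to its built-in default, which (as far as the OpenSSL build allows) still offers TLSv1 and TLSv1.1; unless listings are a feature, drop `autoindex on;` and add `ssl_protocols TLSv1.2 TLSv1.3;` after the `ssl_certificate_key` line. The certificate paths assume certbot issued for exactly `{{ .Values.serviceName }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}`, but nothing in the chart passes that name to the Job, so nginx will fail to start if the live directory has a different name; a comment above `default.conf:` stating that this name must match the domain given to certbot would save the next person a debugging round. The `.Files.Glob "nginx/*.conf"` line is also undocumented; `# every nginx/*.conf in the chart is mounted verbatim into /etc/nginx/conf.d/` would make the ConfigMap's contents obvious.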
@@ -0,0 +1,54 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ .Release.Name }}-https
+spec:
+ selector:
+ matchLabels:
+ app: {{ .Release.Name }}-nginx
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: {{ .Release.Name }}-nginx
+ spec:
+ containers:
+ - name: nginx
+ image: nginx:1.21.0-alpine
+ ports:
+ - containerPort: 80
+ - containerPort: 443
+ volumeMounts:
+ - name: nginx-config-443
+ mountPath: "/etc/nginx/conf.d/"
+ - name: etcletsencrypt
+ mountPath: "/etc/letsencrypt"
+ - name: webroot
+ mountPath: "/usr/share/nginx/html"
+ volumes:
+ - name: nginx-config
+ configMap:
+ name: {{ .Release.Name }}-nginx-config
+ - name: etcletsencrypt
+ persistentVolumeClaim:
+ claimName: {{ .Release.Name }}-letsencrypt-certs
+ - name: webroot
+ persistentVolumeClaim:
+ claimName: {{ .Release.Name }}-webroot
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ .Release.Name }}-tls1
+ labels:
+ app: {{ .Release.Name }}-tls1
+spec:
+ type: ClusterIP
+ ports:
+ - port: 80
+ name: http
+ - port: 443
+ name: https
+ selector:
+ app: {{ .Release.Name }}-nginx
diff --git a/apps/nginx-certbot-helm/templates/pvc.yaml b/apps/nginx-certbot-helm/templates/pvc.yaml
new file mode 100644
index 0000000..e567f84
--- /dev/null
+++ b/apps/nginx-certbot-helm/templates/pvc.yaml
@@ -0,0 +1,24 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: {{ .Release.Name }}-letsencrypt-certs
+spec:
+ accessModes:
+ - ReadWriteMany
+ resources:
+ requests:
+ storage: 50Mi
+ storageClassName: rook-cephfs
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: {{ .Release.Name }}-webroot
+spec:
+ accessModes:
+ - ReadWriteMany
+ resources:
+ requests:
+ storage: 100Mi
+ storageClassName: rook-cephfs
diff --git a/apps/nginx-certbot-helm/values.yaml b/apps/nginx-certbot-helm/values.yaml
new file mode 100644
index 0000000..3fc175f
--- /dev/null
+++ b/apps/nginx-certbot-helm/values.yaml
@@ -0,0 +1,2 @@
+serviceName: aservice
+clusterDomain: c2.k8s.ooo
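Review bot: The nginx container mounts a volume named `nginx-config-443`, but the pod's `volumes` list only defines `nginx-config`, so the API server rejects the Deployment's pod template (a volumeMount must name a declared volume); change the mount to `- name: nginx-config`. The `/etc/letsencrypt` mount, which holds the private key, is writable from the nginx container although nginx only reads it; add `readOnly: true` to that volumeMount so a compromised nginx process cannot replace or destroy the key material that the certbot Job maintains. The Service is named `{{ .Release.Name }}-tls1`, while the certificate rendered in configmap.yaml is for `{{ .Values.serviceName }}.<namespace>.svc.<clusterDomain>` (default `aservice`), so the name clients resolve and the name on the certificate only agree if `serviceName` happens to equal `<release>-tls1`; templating the Service name from `.Values.serviceName` would remove that trap.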
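Review bot: `storageClassName: rook-cephfs` is hard-coded in both claims, so the chart can only be installed on clusters that offer that exact class; make it a value, `storageClassName: {{ .Values.storageClass }}`, with `rook-cephfs` as the default in values.yaml. The `letsencrypt-certs` claim holds the TLS private key and is `ReadWriteMany`, which is what lets the Job and the Deployment share it across nodes, but it also means any pod in the namespace that can reference the claim can read the key; a comment on the claim stating that it carries key material and must not be mounted elsewhere would document the intent.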
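Review bot: Neither value is documented, and `serviceName` is not what it sounds like: it is not the name of the Service the chart creates (`<release>-tls1` in templates/deployment.yaml) but the first label of the DNS name the certificate and `server_name` are rendered for. Add a comment above each key, e.g. `# first label of the name nginx serves TLS for: <serviceName>.<namespace>.svc.<clusterDomain>; must match the name certbot issues the certificate for` and `# cluster DNS domain used to build that name`.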