[nginx/app/tls] ++update

apps/nginx-certbot/README.md

@@ -0,0 +1,5 @@
+## nginx service for getting letsencrypt certificates
+
+### Architecture
+
+* nginx/port 80 serves only the root for letsencrypt

apps/nginx-certbot/base/deployment.yaml

@@ -1,40 +1,50 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: etherpadlite
+  name: tls1
 spec:
   selector:
     matchLabels:
-      app: etherpadsooooolite
+      app: tls1
   replicas: 1
   template:
     metadata:
       labels:
-        app: etherpadsooooolite
+        app: tls1
     spec:
       containers:
-        - name: etherpad
+        - name: nginx-80
-          image: etherpad/etherpad:1.8.13
+          image: nginx:1.20.0-alpine
           ports:
-            - containerPort: 9001
+            - containerPort: 80
           volumeMounts:
-            - name: etherpadconfig
+            - name: nginx-config-80
-              mountPath: "/opt/etherpad-lite/settings.json"
+              mountPath: "/etc/nginx/conf.d/"
-              subPath: settings.json
+        - name: nginx-443
+          image: nginx:1.20.0-alpine
+          ports:
+            - containerPort: 443
+          volumeMounts:
+            - name: nginx-config-443
+              mountPath: "/etc/nginx/conf.d/"
       volumes:
-        - name: etherpadconfig
+        - name: nginx-config-80
           configMap:
-            name: etherpadliteconfig
+            name: nginx-80-config
+        - name: nginx-config-443
+          configMap:
+            name: nginx-443-config
 ---
 apiVersion: v1
 kind: Service
 metadata:
-  name: etherpad
+  name: tls1
   labels:
-    app: etherpadsooooolite
+    app: tls1
 spec:
   type: ClusterIP
   ports:
-   - port: 9001
+   - port: 80
+   - port: 443
   selector:
-   app: etherpadsooooolite
+   app: tls1-nginx

apps/nginx-certbot/base/kustomization.yaml

@@ -1,10 +1,9 @@
 configMapGenerator:
-- name:
+- name: nginx-80-config
   files:
-  - settings.json=settings.json
+  - default.conf=nginx-80
-
+- name: nginx-443-config
-commonLabels:
+  files:
-  app: etherpadlite
+  - default.conf=nginx-443
-  customer: xyz
 resources:
 - deployment.yaml

apps/nginx-certbot/base/nginx-443

@@ -0,0 +1,15 @@
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+
+    server_name tls1.svc.c2.k8s.ooo;
+
+    ssl_certificate      /etc/letsencrypt/live/tls1.svc.c2.k8s.ooo/fullchain.pem;
+    ssl_certificate_key  /etc/letsencrypt/live/tls1.svc.c2.k8s.ooo/privkey.pem;
+
+    client_max_body_size 256m;
+
+    root /usr/share/nginx/html;
+
+    autoindex on;
+}

apps/nginx-certbot/base/nginx-80

@@ -0,0 +1,16 @@
+server {
+    listen *:80;
+    listen [::]:80;
+
+    server_name _;
+
+    # Forward for certbot
+    location /.well-known/acme-challenge/ {
+        root /usr/share/nginx/html;
+    }
+
+    # Everything else -> ssl
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}

generic/nginx-deployment-url

@@ -1 +0,0 @@
-kubectl apply -f https://k8s.io/examples/application/deployment.yaml