From 659e445f041bdea27d0d2e5a57bf9beed90aa4d4 Mon Sep 17 00:00:00 2001
From: Nico Schottelius
Date: Fri, 18 Jun 2021 23:42:15 +0200
Subject: [PATCH] [nginx/certbot] finish!
---
apps/nginx-certbot/README.md | 19 +++
apps/nginx-certbot/base/deployment.yaml | 58 +-------
apps/nginx-certbot/base/kustomization.yaml | 4 +-
apps/nginx-certbot/base/nginx.conf | 20 ---
apps/nginx-certbot/v1/deployment.yaml | 161 +++++++++++++++++++++
apps/nginx-certbot/v1/kustomization.yaml | 9 ++
apps/nginx-certbot/v1/nginx-443 | 15 ++
apps/nginx-certbot/v1/nginx-80 | 16 ++
8 files changed, 229 insertions(+), 73 deletions(-)
delete mode 100644 apps/nginx-certbot/base/nginx.conf
create mode 100644 apps/nginx-certbot/v1/deployment.yaml
create mode 100644 apps/nginx-certbot/v1/kustomization.yaml
create mode 100644 apps/nginx-certbot/v1/nginx-443
create mode 100644 apps/nginx-certbot/v1/nginx-80
diff --git a/apps/nginx-certbot/README.md b/apps/nginx-certbot/README.md
index adb6691..c329ba3 100644
--- a/apps/nginx-certbot/README.md
+++ b/apps/nginx-certbot/README.md
@@ -11,3 +11,22 @@ Get real letsencrypt certificates in IPv6 based clusters. ## Missing bits * cronjob for renewal
+* Automatic restart of nginx
+* Fixing the service <-> pod mapping problem (goes to both http/https
+ pods)
+
+## Brain storming
+
+### certbot --standalone / init container
+
+* Could in theory be used as an init container
+* nginx / port 80+443 could take over afterwards
+
+Conclusion: does not work, as initcontainers are not targetted by
+services
+
+
+### certbot --standalone / job
+
+Similar pattern as before -> works, because ports of jobs are caught
+by the service!
diff --git a/apps/nginx-certbot/base/deployment.yaml b/apps/nginx-certbot/base/deployment.yaml
index 3aa308e..84c4c77 100644
--- a/apps/nginx-certbot/base/deployment.yaml
+++ b/apps/nginx-certbot/base/deployment.yaml
@@ -25,46 +25,6 @@ spec: --- apiVersion: apps/v1 kind: Deployment -metadata: - name: tls1-http -spec: - selector: - matchLabels: - app: tls1-nginx - ssl: no - replicas: 1 - template: - metadata: - labels: - app: tls1-nginx - ssl: no - spec: - containers: - - name: nginx-80 - image: nginx:1.20.0-alpine - ports: - - containerPort: 80 - volumeMounts: - - name: nginx-config-80 - mountPath: "/etc/nginx/conf.d/" - - name: etcletsencrypt - mountPath: "/etc/letsencrypt" - - name: webroot - mountPath: "/usr/share/nginx/html" - volumes: - - name: nginx-config-80 - configMap: - name: nginx-80-config - - name: etcletsencrypt - persistentVolumeClaim: - claimName: tls1-letsencrypt-certs - - name: webroot - persistentVolumeClaim: - claimName: tls1-webroot - ---- -apiVersion: apps/v1 -kind: Deployment metadata: name: tls1-https spec: @@ -81,8 +41,9 @@ spec: spec: containers: - name: nginx-443 - image: nginx:1.20.0-alpine + image: nginx:1.21.0-alpine ports: + - containerPort: 80 - containerPort: 443 volumeMounts: - name: nginx-config-443 @@ -125,11 +86,16 @@ metadata: name: tls1-getcert spec: template: + metadata: + labels: + app: tls1-nginx spec: restartPolicy: Never containers: - name: certbot image: ungleich/ungleich-certbot + ports: + - containerPort: 80 command: - certbot - certonly @@ -140,22 +106,14 @@ spec: - sre@ungleich.ch - --expand - --non-interactive - - --webroot - - --webroot-path - - /usr/share/nginx/html - --domain - 'tls1.default.svc.c2.k8s.ooo' -# - --staging + - --standalone volumeMounts: - name: etcletsencrypt mountPath: "/etc/letsencrypt" - - name: webroot - mountPath: "/usr/share/nginx/html" volumes: - name: etcletsencrypt persistentVolumeClaim: claimName: tls1-letsencrypt-certs - - name: webroot - persistentVolumeClaim: - claimName: tls1-webroot backoffLimit: 3 diff --git a/apps/nginx-certbot/base/kustomization.yaml b/apps/nginx-certbot/base/kustomization.yaml index 4f105fb..b0901a2 100644 --- a/apps/nginx-certbot/base/kustomization.yaml 
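Review bot: Giving the certbot Job's pod template the label `app: tls1-nginx` (hunk `@@ -125`) makes it a backend of every port of the `tls1` Service, not only 80: the Service shown in v1/deployment.yaml selects on `app` alone and the Job pod has no readiness probe, so while the Job runs, HTTPS clients can be balanced onto a pod that listens only on 80, and ACME validation requests can be balanced onto nginx, whose `/.well-known/acme-challenge/` location serves a webroot the Job no longer writes to now that `--standalone` replaces `--webroot` and the `webroot` mount is dropped (hunk `@@ -140`). The README in this commit records the mapping problem, but as committed, issuance succeeds through `backoffLimit: 3` retries rather than by design; a narrower setup keeps the Job on its own label (for example `role: acme`) behind a dedicated Service and lets nginx-80 forward only the challenge path to it. Separately, `image: ungleich/ungleich-certbot` (context line in `@@ -125`, and the same line in the new v1/deployment.yaml) still carries no tag or digest while nginx is pinned to `1.21.0-alpine`; pinning the certbot image keeps the renewal path reproducible and auditable.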
+++ b/apps/nginx-certbot/base/kustomization.yaml @@ -1,9 +1,7 @@ configMapGenerator: -- name: nginx-80-config - files: - - default.conf=nginx-80 - name: nginx-443-config files: - default.conf=nginx-443 + - http.conf=nginx-80 resources: - deployment.yaml diff --git a/apps/nginx-certbot/base/nginx.conf b/apps/nginx-certbot/base/nginx.conf deleted file mode 100644 index 594e1cd..0000000 --- a/apps/nginx-certbot/base/nginx.conf +++ /dev/null @@ -1,20 +0,0 @@ -server { - listen *:443 ssl http2; - listen [::]:443 ssl http2; - - server_name www.schottelius.org; - - access_log /home/services/www/nico/www.schottelius.org/logs/access.log; - - ssl_certificate /etc/letsencrypt/live/www.schottelius.org/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/www.schottelius.org/privkey.pem; - - index index.html index.htm; - - - - location / { - root /home/services/www/nico/www.schottelius.org/www; - autoindex on; - } -} diff --git a/apps/nginx-certbot/v1/deployment.yaml b/apps/nginx-certbot/v1/deployment.yaml new file mode 100644 index 0000000..3aa308e --- /dev/null +++ b/apps/nginx-certbot/v1/deployment.yaml 
@@ -0,0 +1,161 @@ +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: tls1-letsencrypt-certs +spec: + accessModes: + - ReadWriteMany + resources: + requests: + storage: 50Mi + storageClassName: rook-cephfs +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: tls1-webroot +spec: + accessModes: + - ReadWriteMany + resources: + requests: + storage: 100Mi + storageClassName: rook-cephfs +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: tls1-http +spec: + selector: + matchLabels: + app: tls1-nginx + ssl: no + replicas: 1 + template: + metadata: + labels: + app: tls1-nginx + ssl: no + spec: + containers: + - name: nginx-80 + image: nginx:1.20.0-alpine + ports: + - containerPort: 80 + volumeMounts: + - name: nginx-config-80 + mountPath: "/etc/nginx/conf.d/" + - name: etcletsencrypt + mountPath: "/etc/letsencrypt" + - name: webroot + mountPath: "/usr/share/nginx/html" + volumes: + - name: nginx-config-80 + configMap: + name: nginx-80-config + - name: etcletsencrypt + persistentVolumeClaim: + claimName: tls1-letsencrypt-certs + - name: webroot + persistentVolumeClaim: + claimName: tls1-webroot + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: tls1-https +spec: + selector: + matchLabels: + app: tls1-nginx + ssl: yes + replicas: 1 + template: + metadata: + labels: + app: tls1-nginx + ssl: yes + spec: + containers: + - name: nginx-443 + image: nginx:1.20.0-alpine + ports: + - containerPort: 443 + volumeMounts: + - name: nginx-config-443 + mountPath: "/etc/nginx/conf.d/" + - name: etcletsencrypt + mountPath: "/etc/letsencrypt" + - name: webroot + mountPath: "/usr/share/nginx/html" + volumes: + - name: nginx-config-443 + configMap: + name: nginx-443-config + - name: etcletsencrypt + persistentVolumeClaim: + claimName: tls1-letsencrypt-certs + - name: webroot + persistentVolumeClaim: + claimName: tls1-webroot + +--- +apiVersion: v1 +kind: Service +metadata: + name: tls1 + labels: + app: tls1 +spec: + type: ClusterIP + 
ports: + - port: 80 + name: http + - port: 443 + name: https + selector: + app: tls1-nginx +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: tls1-getcert +spec: + template: + spec: + restartPolicy: Never + containers: + - name: certbot + image: ungleich/ungleich-certbot + command: + - certbot + - certonly + - --agree-tos + - --cert-name + - 'tls1.default.svc.c2.k8s.ooo' + - --email + - sre@ungleich.ch + - --expand + - --non-interactive + - --webroot + - --webroot-path + - /usr/share/nginx/html + - --domain + - 'tls1.default.svc.c2.k8s.ooo' +# - --staging + volumeMounts: + - name: etcletsencrypt + mountPath: "/etc/letsencrypt" + - name: webroot + mountPath: "/usr/share/nginx/html" + volumes: + - name: etcletsencrypt + persistentVolumeClaim: + claimName: tls1-letsencrypt-certs + - name: webroot + persistentVolumeClaim: + claimName: tls1-webroot + backoffLimit: 3 diff --git a/apps/nginx-certbot/v1/kustomization.yaml b/apps/nginx-certbot/v1/kustomization.yaml new file mode 100644 index 0000000..4f105fb --- /dev/null +++ b/apps/nginx-certbot/v1/kustomization.yaml @@ -0,0 +1,9 @@ +configMapGenerator: +- name: nginx-80-config + files: + - default.conf=nginx-80 +- name: nginx-443-config + files: + - default.conf=nginx-443 +resources: +- deployment.yaml diff --git a/apps/nginx-certbot/v1/nginx-443 b/apps/nginx-certbot/v1/nginx-443 new file mode 100644 index 0000000..452c3f2 --- /dev/null +++ b/apps/nginx-certbot/v1/nginx-443 @@ -0,0 +1,15 @@ +server { + listen 443 ssl; + listen [::]:443 ssl; + + server_name tls1.default.svc.c2.k8s.ooo; + + ssl_certificate /etc/letsencrypt/live/tls1.default.svc.c2.k8s.ooo/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/tls1.default.svc.c2.k8s.ooo/privkey.pem; + + client_max_body_size 256m; + + root /usr/share/nginx/html; + + autoindex on; +} diff --git a/apps/nginx-certbot/v1/nginx-80 b/apps/nginx-certbot/v1/nginx-80 new file mode 100644 index 0000000..8a9e368 --- /dev/null +++ b/apps/nginx-certbot/v1/nginx-80 
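Review bot: The selector and label values `ssl: no` and `ssl: yes` in the two Deployments of this new file are unquoted, which YAML 1.1 parsers (as far as I recall, including the go-yaml v2 path used by kubectl) read as booleans rather than strings, and label values must be strings; quoting them, `ssl: "no"` / `ssl: "yes"`, removes the dependence on the parser's schema. Note that the `tls1` Service selects on `app: tls1-nginx` alone, so the `ssl` label only distinguishes the two Deployments and does not steer traffic. This file appears to be a frozen copy of the previous base/deployment.yaml (its blob id 3aa308e matches the old base index), so the same quoting applies to the `tls1-https` block that remains in base.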
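Review bot: The `server` block in v1/nginx-443 sets certificates but no `ssl_protocols`, so it inherits nginx's defaults, which in the 1.20/1.21 images still include TLSv1 and TLSv1.1 as far as I recall; adding `ssl_protocols TLSv1.2 TLSv1.3;` after `ssl_certificate_key` pins the accepted versions. `autoindex on;` at server level also lists the entire shared webroot `/usr/share/nginx/html`, including anything the certbot Job places there, so it is better scoped to a `location` that is meant to be browsable or removed; if the listing is intended for this test cluster, say so in a comment, `# autoindex on purpose: browsable test webroot`. The base copy of nginx-443 is not in this diff but presumably needs the same two changes.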
@@ -0,0 +1,16 @@
+server {
+ listen *:80;
+ listen [::]:80;
+
+ server_name _;
+
+ # Forward for certbot
+ location /.well-known/acme-challenge/ {
+ root /usr/share/nginx/html;
+ }
+
+ # Everything else -> ssl
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
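Review bot: `return 301 https://$host$request_uri;` under `server_name _;` copies the client's Host header into the Location header, so the redirect target follows whatever name the request carried rather than the one this deployment holds a certificate for; `return 301 https://tls1.default.svc.c2.k8s.ooo$request_uri;` (or `$server_name` together with a concrete `server_name`) pins it to the host nginx actually serves. The `/.well-known/acme-challenge/` location rooted at `/usr/share/nginx/html` matches the v1 `--webroot` Job, but in base this same config is now loaded as `http.conf` next to a `--standalone` Job that never writes to the webroot, so there the location can only answer 404 for challenges. This file is presumably identical to base/nginx-80 (the base kustomization still references a file of that name, which is not in the diff), so the redirect change applies there too.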