Merge branch 'master' of code.ungleich.ch:ungleich-public/ungleich-k8s

apps/nginx-certbot/README.md

@@ -1,5 +1,32 @@
 ## nginx service for getting letsencrypt certificates
 
+Get real letsencrypt certificates in IPv6 based clusters.
+
 ### Architecture
 
 * nginx/port 80 serves only the root for letsencrypt
+* nginx/port 443 crashes until the cert is there
+* A job (certbot) gets the cert
+
+## Missing bits
+
+* cronjob for renewal
+* Automatic restart of nginx
+* Fixing the service <-> pod mapping problem (goes to both http/https
+  pods)
+
+## Brain storming
+
+### certbot --standalone / init container
+
+* Could in theory be used as an init container
+* nginx / port 80+443 could take over afterwards
+
+Conclusion: does not work, as initcontainers are not targetted by
+services
+
+
+### certbot --standalone / job
+
+Similar pattern as before -> works, because ports of jobs are caught
+by the service!

apps/nginx-certbot/base/deployment.yaml

@@ -1,39 +1,68 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: tls1-letsencrypt-certs
+spec:
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 50Mi
+  storageClassName: rook-cephfs
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: tls1-webroot
+spec:
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 100Mi
+  storageClassName: rook-cephfs
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: tls1
+  name: tls1-https
 spec:
   selector:
     matchLabels:
-      app: tls1
+      app: tls1-nginx
+      ssl: yes
   replicas: 1
   template:
     metadata:
       labels:
-        app: tls1
+        app: tls1-nginx
+        ssl: yes
     spec:
       containers:
-        - name: nginx-80
+        - name: nginx-443
-          image: nginx:1.20.0-alpine
+          image: nginx:1.21.0-alpine
           ports:
             - containerPort: 80
-          volumeMounts:
-            - name: nginx-config-80
-              mountPath: "/etc/nginx/conf.d/"
-        - name: nginx-443
-          image: nginx:1.20.0-alpine
-          ports:
             - containerPort: 443
           volumeMounts:
             - name: nginx-config-443
               mountPath: "/etc/nginx/conf.d/"
+            - name: etcletsencrypt
+              mountPath: "/etc/letsencrypt"
+            - name: webroot
+              mountPath: "/usr/share/nginx/html"
       volumes:
-        - name: nginx-config-80
-          configMap:
-            name: nginx-80-config
         - name: nginx-config-443
           configMap:
             name: nginx-443-config
+        - name: etcletsencrypt
+          persistentVolumeClaim:
+            claimName: tls1-letsencrypt-certs
+        - name: webroot
+          persistentVolumeClaim:
+            claimName: tls1-webroot
+
 ---
 apiVersion: v1
 kind: Service
@@ -45,6 +74,46 @@ spec:
   type: ClusterIP
   ports:
    - port: 80
+     name: http
    - port: 443
+     name: https
   selector:
    app: tls1-nginx
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: tls1-getcert
+spec:
+  template:
+    metadata:
+      labels:
+        app: tls1-nginx
+    spec:
+      restartPolicy: Never
+      containers:
+      - name: certbot
+        image: ungleich/ungleich-certbot
+        ports:
+          - containerPort: 80
+        command:
+          - certbot
+          - certonly
+          - --agree-tos
+          - --cert-name
+          - 'tls1.default.svc.c2.k8s.ooo'
+          - --email
+          - sre@ungleich.ch
+          - --expand
+          - --non-interactive
+          - --domain
+          - 'tls1.default.svc.c2.k8s.ooo'
+          - --standalone
+        volumeMounts:
+          - name: etcletsencrypt
+            mountPath: "/etc/letsencrypt"
+      volumes:
+        - name: etcletsencrypt
+          persistentVolumeClaim:
+            claimName: tls1-letsencrypt-certs
+  backoffLimit: 3

apps/nginx-certbot/base/kustomization.yaml

@@ -1,9 +1,7 @@
 configMapGenerator:
-- name: nginx-80-config
-  files:
-  - default.conf=nginx-80
 - name: nginx-443-config
   files:
   - default.conf=nginx-443
+  - http.conf=nginx-80
 resources:
 - deployment.yaml

apps/nginx-certbot/base/nginx-443

@@ -2,10 +2,10 @@ server {
     listen 443 ssl;
     listen [::]:443 ssl;
 
-    server_name tls1.svc.c2.k8s.ooo;
+    server_name tls1.default.svc.c2.k8s.ooo;
 
-    ssl_certificate      /etc/letsencrypt/live/tls1.svc.c2.k8s.ooo/fullchain.pem;
+    ssl_certificate      /etc/letsencrypt/live/tls1.default.svc.c2.k8s.ooo/fullchain.pem;
-    ssl_certificate_key  /etc/letsencrypt/live/tls1.svc.c2.k8s.ooo/privkey.pem;
+    ssl_certificate_key  /etc/letsencrypt/live/tls1.default.svc.c2.k8s.ooo/privkey.pem;
 
     client_max_body_size 256m;
 

apps/nginx-certbot/base/nginx.conf

@@ -1,20 +0,0 @@
-server {
-    listen *:443 ssl http2;
-    listen [::]:443 ssl http2;
-
-    server_name www.schottelius.org;
-
-    access_log /home/services/www/nico/www.schottelius.org/logs/access.log;
-
-    ssl_certificate /etc/letsencrypt/live/www.schottelius.org/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/www.schottelius.org/privkey.pem;
-
-    index index.html index.htm;
-
-
-
-    location / {
-        root /home/services/www/nico/www.schottelius.org/www;
-        autoindex on;
-    }
-}

apps/nginx-certbot/v1/deployment.yaml

@@ -0,0 +1,161 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: tls1-letsencrypt-certs
+spec:
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 50Mi
+  storageClassName: rook-cephfs
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: tls1-webroot
+spec:
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 100Mi
+  storageClassName: rook-cephfs
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: tls1-http
+spec:
+  selector:
+    matchLabels:
+      app: tls1-nginx
+      ssl: no
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: tls1-nginx
+        ssl: no
+    spec:
+      containers:
+        - name: nginx-80
+          image: nginx:1.20.0-alpine
+          ports:
+            - containerPort: 80
+          volumeMounts:
+            - name: nginx-config-80
+              mountPath: "/etc/nginx/conf.d/"
+            - name: etcletsencrypt
+              mountPath: "/etc/letsencrypt"
+            - name: webroot
+              mountPath: "/usr/share/nginx/html"
+      volumes:
+        - name: nginx-config-80
+          configMap:
+            name: nginx-80-config
+        - name: etcletsencrypt
+          persistentVolumeClaim:
+            claimName: tls1-letsencrypt-certs
+        - name: webroot
+          persistentVolumeClaim:
+            claimName: tls1-webroot
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: tls1-https
+spec:
+  selector:
+    matchLabels:
+      app: tls1-nginx
+      ssl: yes
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: tls1-nginx
+        ssl: yes
+    spec:
+      containers:
+        - name: nginx-443
+          image: nginx:1.20.0-alpine
+          ports:
+            - containerPort: 443
+          volumeMounts:
+            - name: nginx-config-443
+              mountPath: "/etc/nginx/conf.d/"
+            - name: etcletsencrypt
+              mountPath: "/etc/letsencrypt"
+            - name: webroot
+              mountPath: "/usr/share/nginx/html"
+      volumes:
+        - name: nginx-config-443
+          configMap:
+            name: nginx-443-config
+        - name: etcletsencrypt
+          persistentVolumeClaim:
+            claimName: tls1-letsencrypt-certs
+        - name: webroot
+          persistentVolumeClaim:
+            claimName: tls1-webroot
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: tls1
+  labels:
+    app: tls1
+spec:
+  type: ClusterIP
+  ports:
+   - port: 80
+     name: http
+   - port: 443
+     name: https
+  selector:
+   app: tls1-nginx
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: tls1-getcert
+spec:
+  template:
+    spec:
+      restartPolicy: Never
+      containers:
+      - name: certbot
+        image: ungleich/ungleich-certbot
+        command:
+          - certbot
+          - certonly
+          - --agree-tos
+          - --cert-name
+          - 'tls1.default.svc.c2.k8s.ooo'
+          - --email
+          - sre@ungleich.ch
+          - --expand
+          - --non-interactive
+          - --webroot
+          - --webroot-path
+          - /usr/share/nginx/html
+          - --domain
+          - 'tls1.default.svc.c2.k8s.ooo'
+#          - --staging
+        volumeMounts:
+          - name: etcletsencrypt
+            mountPath: "/etc/letsencrypt"
+          - name: webroot
+            mountPath: "/usr/share/nginx/html"
+      volumes:
+        - name: etcletsencrypt
+          persistentVolumeClaim:
+            claimName: tls1-letsencrypt-certs
+        - name: webroot
+          persistentVolumeClaim:
+            claimName: tls1-webroot
+  backoffLimit: 3

apps/nginx-certbot/v1/kustomization.yaml

@@ -0,0 +1,9 @@
+configMapGenerator:
+- name: nginx-80-config
+  files:
+  - default.conf=nginx-80
+- name: nginx-443-config
+  files:
+  - default.conf=nginx-443
+resources:
+- deployment.yaml

apps/nginx-certbot/v1/nginx-443

@@ -0,0 +1,15 @@
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+
+    server_name tls1.default.svc.c2.k8s.ooo;
+
+    ssl_certificate      /etc/letsencrypt/live/tls1.default.svc.c2.k8s.ooo/fullchain.pem;
+    ssl_certificate_key  /etc/letsencrypt/live/tls1.default.svc.c2.k8s.ooo/privkey.pem;
+
+    client_max_body_size 256m;
+
+    root /usr/share/nginx/html;
+
+    autoindex on;
+}

apps/nginx-certbot/v1/nginx-80

@@ -0,0 +1,16 @@
+server {
+    listen *:80;
+    listen [::]:80;
+
+    server_name _;
+
+    # Forward for certbot
+    location /.well-known/acme-challenge/ {
+        root /usr/share/nginx/html;
+    }
+
+    # Everything else -> ssl
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}