Add cert-manager configurations and scripts for Porkbun and Let's Encrypt integration
Create .env.example for API credentials; update .gitignore to include the .env file; add cluster issuer configurations for the internal CA and Let's Encrypt; implement porkbun-secret.sh for creating Kubernetes secrets; define Helm values for cert-manager, Gitea, and Pihole with TLS settings.
This commit is contained in:
parent
5237c03d4b
commit
dc86a961be
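--- a/.env.example
+++ b/.env.example
@@ -0,0 +1,3 @@
+# Porkbun API credentials
+PORKBUN_API_KEY=pk1_your_key_here
+PORKBUN_SECRET_API_KEY=sk1_your_key_here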
1
.gitignore
vendored
1
.gitignore
vendored
@ -1 +1,2 @@
|
||||
.env
|
||||
old.debian-data
|
||||
33
manifests/cert-manager/cluster-issuer-internal.yaml
Normal file
33
manifests/cert-manager/cluster-issuer-internal.yaml
Normal file
@ -0,0 +1,33 @@
|
||||
# Internal CA for *.home.arpa
|
||||
# Apply: kubectl apply -f manifests/cert-manager/cluster-issuer-internal.yaml
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: ClusterIssuer
|
||||
metadata:
|
||||
name: internal-ca
|
||||
spec:
|
||||
selfSigned: {}
|
||||
---
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: Certificate
|
||||
metadata:
|
||||
name: internal-ca-cert
|
||||
namespace: cert-manager
|
||||
spec:
|
||||
isCA: true
|
||||
commonName: homelab-internal-ca
|
||||
secretName: internal-ca-cert
|
||||
privateKey:
|
||||
algorithm: ECDSA
|
||||
size: 256
|
||||
issuerRef:
|
||||
name: internal-ca
|
||||
kind: ClusterIssuer
|
||||
group: cert-manager.io
|
||||
---
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: ClusterIssuer
|
||||
metadata:
|
||||
name: internal-ca-issuer
|
||||
spec:
|
||||
ca:
|
||||
secretName: internal-ca-cert
|
||||
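Review bot: The CA Certificate `internal-ca-cert` sets no `duration` or `renewBefore`, so cert-manager issues it with its default lifetime (90 days unless the chart overrides it) and the root that clients import into their trust stores expires with it; every renewal then means redistributing the root to every browser and host on the LAN. Give the root a deliberately long life, e.g. `duration: 87600h` and `renewBefore: 8760h` under its `spec`, and say next to the `# Internal CA for *.home.arpa` comment how the root is distributed and rotated. Nothing here actually constrains the CA to `home.arpa`: `internal-ca-issuer` is a ClusterIssuer, so any namespace can request a certificate for any name, and whoever can read Secrets in `cert-manager` holds the CA private key, so RBAC on that namespace deserves a look.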
31
manifests/cert-manager/cluster-issuer-letsencrypt.yaml
Normal file
31
manifests/cert-manager/cluster-issuer-letsencrypt.yaml
Normal file
@ -0,0 +1,31 @@
|
||||
# Let's Encrypt HTTP-01 issuer for *.nik4nao.com
|
||||
# Apply: kubectl apply -f manifests/cert-manager/cluster-issuer-letsencrypt.yaml
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: ClusterIssuer
|
||||
metadata:
|
||||
name: letsencrypt-prod
|
||||
spec:
|
||||
acme:
|
||||
email: nik.afiq98@ymail.com
|
||||
server: https://acme-v02.api.letsencrypt.org/directory
|
||||
privateKeySecretRef:
|
||||
name: letsencrypt-prod-account-key
|
||||
solvers:
|
||||
- http01:
|
||||
ingress:
|
||||
ingressClassName: traefik
|
||||
---
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: ClusterIssuer
|
||||
metadata:
|
||||
name: letsencrypt-staging
|
||||
spec:
|
||||
acme:
|
||||
email: nik.afiq98@ymail.com
|
||||
server: https://acme-staging-v02.api.letsencrypt.org/directory
|
||||
privateKeySecretRef:
|
||||
name: letsencrypt-staging-account-key
|
||||
solvers:
|
||||
- http01:
|
||||
ingress:
|
||||
ingressClassName: traefik
|
||||
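Review bot: The header comment `# Let's Encrypt HTTP-01 issuer for *.nik4nao.com` cannot be honoured as written: ACME only issues wildcard names through DNS-01, and both issuers here configure an HTTP-01 solver only. Neither solver references the `porkbun-api-credentials` Secret that `manifests/cert-manager/porkbun-secret.sh` creates in this same commit, so the Porkbun half of the integration is currently unused. Either change the comment to the concrete host names that will be requested, or add a `dns01` solver that consumes that Secret (cert-manager has no built-in Porkbun provider as far as I know, so that likely means a webhook solver; confirm). Bear in mind HTTP-01 also requires port 80 of the Traefik ingress to be reachable from the public internet for every challenge, which for a homelab is a reason in itself to prefer DNS-01.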
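--- a/manifests/cert-manager/porkbun-secret.sh
+++ b/manifests/cert-manager/porkbun-secret.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+# Usage: bash manifests/cert-manager/porkbun-secret.sh
+# Requires: .env file in repo root with PORKBUN_API_KEY and PORKBUN_SECRET_API_KEY
+
+set -e
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+ENV_FILE="$SCRIPT_DIR/../../.env"
+
+if [ ! -f "$ENV_FILE" ]; then
+echo "Error: .env file not found at $ENV_FILE"
+echo "Copy .env.example to .env and fill in your values"
+exit 1
+fi
+
+source "$ENV_FILE"
+
+kubectl create secret generic porkbun-api-credentials \
+--namespace cert-manager \
+--from-literal=api-key="$PORKBUN_API_KEY" \
+--from-literal=secret-api-key="$PORKBUN_SECRET_API_KEY" \
+--dry-run=client -o yaml | kubectl apply -f -
+
+echo "Secret applied successfully"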
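Review bot: The script never checks that the two variables were actually set after `source "$ENV_FILE"`, so an incomplete `.env` silently produces a Secret whose `api-key` and `secret-api-key` entries are empty strings, and `set -e` without `pipefail` lets a failing `kubectl create` be masked by the `kubectl apply` on the right-hand side of the pipe. Change `set -e` to `set -euo pipefail` and fail fast on missing values with `: "${PORKBUN_API_KEY:?not set in $ENV_FILE}"` and `: "${PORKBUN_SECRET_API_KEY:?not set in $ENV_FILE}"` placed before the kubectl line. Sourcing also runs whatever `.env` contains as shell, so values containing spaces or `$` must be quoted in that file; a sentence on the `# Requires:` line saying so would spare a confused user. Since the file holds registrar API credentials, consider refusing to continue when it is readable by other users (a `stat` check, or a hint to `chmod 600` it in the error text).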
12
values/cert-manager.yaml
Normal file
12
values/cert-manager.yaml
Normal file
@ -0,0 +1,12 @@
|
||||
# cert-manager Helm values
|
||||
# Deploy:
|
||||
# helm repo add jetstack https://charts.jetstack.io
|
||||
# helm repo update
|
||||
# helm upgrade --install cert-manager jetstack/cert-manager \
|
||||
# --namespace cert-manager --create-namespace \
|
||||
# -f values/cert-manager.yaml
|
||||
|
||||
crds:
|
||||
enabled: true
|
||||
|
||||
replicaCount: 1
|
||||
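Review bot: The `# Deploy:` recipe runs `helm upgrade --install` without `--version`, so each run pulls whatever chart is latest and the install is not reproducible; add `--version <chart version>` to the comment and pin it wherever this gets automated. The `crds.enabled` key only exists in newer cert-manager chart releases (older ones use `installCRDs`), which is a second reason to record the chart version this file was written against.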
@ -15,11 +15,16 @@ ingress:
|
||||
annotations:
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: websecure
|
||||
traefik.ingress.kubernetes.io/router.tls: "true"
|
||||
cert-manager.io/cluster-issuer: internal-ca-issuer
|
||||
hosts:
|
||||
- host: gitea.home.arpa
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
tls:
|
||||
- secretName: gitea-tls
|
||||
hosts:
|
||||
- gitea.home.arpa
|
||||
|
||||
gitea:
|
||||
admin:
|
||||
|
||||
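Review bot: Both this hunk and the Pi-hole one below switch the ingress to a certificate from `internal-ca-issuer`, a self-signed CA, but nothing documents that browsers and clients must import the root from the `internal-ca-cert` Secret before `gitea.home.arpa` stops showing a certificate error. Add a comment above `cert-manager.io/cluster-issuer: internal-ca-issuer` such as `# self-signed internal CA: import its root into client trust stores`. The `ingress:` mapping this hunk modifies starts before the hunk, so whether `ingress.enabled` is set is not visible here. For Gitea specifically, the server `ROOT_URL` in its config must also become an https URL or generated links will keep pointing at http; confirm outside this hunk.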
@ -28,9 +28,14 @@ ingress:
|
||||
annotations:
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: websecure
|
||||
traefik.ingress.kubernetes.io/router.tls: "true"
|
||||
cert-manager.io/cluster-issuer: internal-ca-issuer
|
||||
hosts:
|
||||
- pihole.home.arpa
|
||||
path: /admin
|
||||
tls:
|
||||
- secretName: pihole-tls
|
||||
hosts:
|
||||
- pihole.home.arpa
|
||||
|
||||
adminPassword: password
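Review bot: The TLS block added here puts a certificate in front of the Pi-hole `/admin` UI, but the values file still carries `adminPassword: password` a few lines below (context, not part of this change), so the committed default password rather than transport remains the weak point of this deployment. Move the password out of the repository, into a pre-created Secret referenced from the values or an untracked override file alongside `.env`, and leave a comment such as `# adminPassword: supplied via an untracked override, never committed`. The `ingress:` mapping begins before this hunk, so `ingress.enabled` and any ingress class setting are not visible here.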
|
||||
|
||||
|
||||