diff --git a/blog/blog-ingress.yaml b/blog/blog-ingress.yaml index 1052893..b891a10 100644 --- a/blog/blog-ingress.yaml +++ b/blog/blog-ingress.yaml @@ -2,7 +2,14 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: blog-ingr + annotations: + kubernetes.io/tls-acme: "true" + cert-manager.io/cluster-issuer: letsencrypt-prod spec: + tls: + - secretName: blog-tls + hosts: + - cptrthgs.fr ingressClassName: nginx rules: - host: cptrthgs.fr diff --git a/freshrss/freshrss-ingress.yaml b/freshrss/freshrss-ingress.yaml index 98799be..02e3123 100644 --- a/freshrss/freshrss-ingress.yaml +++ b/freshrss/freshrss-ingress.yaml @@ -2,7 +2,14 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: freshrss-ingr + annotations: + kubernetes.io/tls-acme: "true" + cert-manager.io/cluster-issuer: letsencrypt-prod spec: + tls: + - secretName: freshrss-tls + hosts: + - rss.squi.fr ingressClassName: nginx rules: - host: rss.squi.fr diff --git a/gitea/gitea-ingress.yaml b/gitea/gitea-ingress.yaml index ebaab39..e4af24e 100644 --- a/gitea/gitea-ingress.yaml +++ b/gitea/gitea-ingress.yaml @@ -2,7 +2,14 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: gitea-ingr + annotations: + kubernetes.io/tls-acme: "true" + cert-manager.io/cluster-issuer: letsencrypt-prod spec: + tls: + - secretName: gitea-tls + hosts: + - gitea.squi.fr ingressClassName: nginx rules: - host: gitea.squi.fr diff --git a/mediawiki/mediawiki-ingress.yaml b/mediawiki/mediawiki-ingress.yaml index 10aac8a..718b85f 100644 --- a/mediawiki/mediawiki-ingress.yaml +++ b/mediawiki/mediawiki-ingress.yaml @@ -2,7 +2,14 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: mediawiki-ingr + annotations: + kubernetes.io/tls-acme: "true" + cert-manager.io/cluster-issuer: letsencrypt-prod spec: + tls: + - secretName: mediawiki-tls + hosts: + - wiki.squi.fr ingressClassName: nginx rules: - host: wiki.squi.fr 
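Review bot: blog-ingr now carries both `kubernetes.io/tls-acme: "true"` and `cert-manager.io/cluster-issuer: letsencrypt-prod`; the tls-acme annotation is the older ingress-shim trigger and, as far as I can tell, is not needed once an explicit cluster-issuer annotation is present, so one of the two is likely redundant. If only cert-manager is in play, keep the `cert-manager.io/cluster-issuer` line and drop tls-acme, or add a one-line comment such as `# tls-acme kept for <reason>` so the next reader does not remove the wrong one. The same pair is repeated in the freshrss, gitea and mediawiki hunks on this line. The `tls.hosts` entry matches `rules[0].host`, which is what the issuer needs for the certificate SAN.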
diff --git a/monitoring/grafpromstack/graf-ingress.yaml b/monitoring/grafpromstack/graf-ingress.yaml index ce9d96f..52291a0 100644 --- a/monitoring/grafpromstack/graf-ingress.yaml +++ b/monitoring/grafpromstack/graf-ingress.yaml @@ -3,7 +3,14 @@ kind: Ingress metadata: name: grafana-ingr namespace: monitoring + annotations: + kubernetes.io/tls-acme: "true" + cert-manager.io/cluster-issuer: letsencrypt-prod spec: + tls: + - secretName: grafana-tls + hosts: + - graf.squi.fr ingressClassName: nginx rules: - host: graf.squi.fr diff --git a/nginx-ingress/auth b/nginx-ingress/auth new file mode 100644 index 0000000..3cee27b --- /dev/null +++ b/nginx-ingress/auth @@ -0,0 +1 @@ +squip:$apr1$e0QTsUBf$rVuHisO/pKnOKTBAwcYiT0 diff --git a/nginx-ingress/secret.yaml b/nginx-ingress/secret.yaml new file mode 100644 index 0000000..2119a4f --- /dev/null +++ b/nginx-ingress/secret.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +data: + auth: c3F1aXA6JGFwcjEkZTBRVHNVQmYkclZ1SGlzTy9wS25PS1RCQXdjWWlUMAo= +kind: Secret +metadata: + name: basic-auth + namespace: default +type: Opaque diff --git a/persosite/site-ingress.yaml b/persosite/site-ingress.yaml index da0b39e..5e047b5 100644 --- a/persosite/site-ingress.yaml +++ b/persosite/site-ingress.yaml @@ -2,7 +2,14 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: site-ingr + annotations: + kubernetes.io/tls-acme: "true" + cert-manager.io/cluster-issuer: letsencrypt-staging spec: + tls: + - secretName: siteperso-tls + hosts: + - justinepelletreau.com ingressClassName: nginx rules: - host: justinepelletreau.com diff --git a/sqnotes/notes-ingress.yaml b/sqnotes/notes-ingress.yaml index 0e7982b..5550a6b 100644 --- a/sqnotes/notes-ingress.yaml +++ b/sqnotes/notes-ingress.yaml 
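Review bot: `nginx-ingress/auth` commits a live htpasswd entry for user `squip`, and the `$apr1$` prefix means an MD5-based hash that is cheap to attack offline once it sits in git history; the password should be treated as exposed and rotated, and the file kept out of the repository (`.gitignore` it and create the Secret from it out of band). If the ingress-nginx build in use supports it, regenerate with a slower scheme such as bcrypt (`htpasswd -B -c auth squip`) — worth confirming against the controller version. Even a rotated hash should not be re-committed; a README line describing how to generate the file is enough for the repo.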
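Review bot: `nginx-ingress/secret.yaml` stores the credential as base64 in `data.auth`, which decodes to the same `squip:$apr1$…` line as the `auth` file, so this commit places the hash in version control twice; base64 is encoding, not protection. Prefer creating the Secret out of band (`kubectl create secret generic basic-auth --from-file=auth -n default`) or through a sealed/external-secrets mechanism, leaving only a placeholder manifest in the repo. The Secret is created in `namespace: default`, and ingress-nginx by default resolves `auth-secret` in the referencing Ingress's own namespace, so a comment like `# must live in the same namespace as the Ingresses that reference it (notes-ingr, tasks-ingr)` would make that dependency explicit.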
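Review bot: site-ingr uses `cert-manager.io/cluster-issuer: letsencrypt-staging` while every other Ingress in this commit uses `letsencrypt-prod`; a staging certificate comes from Let's Encrypt's untrusted test CA, so browsers will reject `justinepelletreau.com` with a certificate warning. If this is a deliberate dry run to avoid production rate limits, say so next to the annotation, e.g. `# staging issuer: untrusted test CA, switch to letsencrypt-prod once the challenge is verified`; otherwise change it to `letsencrypt-prod` to match the rest. The secret name `siteperso-tls` also departs from the `<app>-tls` pattern used elsewhere, which is harmless but worth aligning.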
@@ -3,8 +3,17 @@ kind: Ingress metadata: name: notes-ingr annotations: + nginx.ingress.kubernetes.io/auth-type: basic + nginx.ingress.kubernetes.io/auth-secret: basic-auth + nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - you fool' kubernetes.io/ingress.class: "nginx" + kubernetes.io/tls-acme: "true" + cert-manager.io/cluster-issuer: letsencrypt-prod spec: + tls: + - secretName: notes-tls + hosts: + - notes.squi.fr rules: - host: notes.squi.fr http: diff --git a/sqtasks/tasks-ingress.yaml b/sqtasks/tasks-ingress.yaml index 511a2d8..9fa71e7 100644 --- a/sqtasks/tasks-ingress.yaml +++ b/sqtasks/tasks-ingress.yaml @@ -2,7 +2,17 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: tasks-ingr + annotations: + kubernetes.io/tls-acme: "true" + nginx.ingress.kubernetes.io/auth-type: basic + nginx.ingress.kubernetes.io/auth-secret: basic-auth + nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - you fool' + cert-manager.io/cluster-issuer: letsencrypt-prod spec: + tls: + - secretName: todo-tls + hosts: + - todo.squi.fr ingressClassName: nginx rules: - host: todo.squi.fr diff --git a/testpod/testpod-depl.yaml b/testpod/testpod-depl.yaml deleted file mode 100644 index a57ae6d..0000000 --- a/testpod/testpod-depl.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: dnsutils - namespace: default -spec: - nodeName: swarm2 - containers: - - name: dnsutils - image: k8s.gcr.io/e2e-test-images/jessie-dnsutils:1.3 - command: - - sleep - - "3600" - imagePullPolicy: IfNotPresent - restartPolicy: Always diff --git a/upgrade-plans/system-upgrade-controller.yaml b/upgrade-plans/system-upgrade-controller.yaml deleted file mode 100644 index 5bac30e..0000000 --- a/upgrade-plans/system-upgrade-controller.yaml +++ /dev/null 
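Review bot: notes-ingr gains basic auth via `auth-secret: basic-auth` but still selects its controller with the deprecated `kubernetes.io/ingress.class: "nginx"` annotation instead of the `spec.ingressClassName: nginx` used by every other Ingress in this commit; mixing the two forms makes it easy to end up with an Ingress that no controller, or an unintended one, serves, and if a non-nginx controller picks it up the `nginx.ingress.kubernetes.io/auth-*` annotations are silently ignored. I would move this file to `ingressClassName: nginx` under `spec:` for consistency. Basic auth is only as safe as the transport, so either confirm the controller's `ssl-redirect` default remains enabled for this host or make it explicit with `nginx.ingress.kubernetes.io/force-ssl-redirect: "true"` beside the auth annotations. The `http:` block continues past the end of the hunk.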
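Review bot: tasks-ingr adds basic auth and TLS together, which is the right pairing, but nothing in the hunk forces HTTPS: a client hitting `http://todo.squi.fr` would send the `Authorization` header in the clear unless the controller's default `ssl-redirect` is still on. Make the intent explicit with `nginx.ingress.kubernetes.io/force-ssl-redirect: "true"` next to the `auth-type`/`auth-secret` lines. The `auth-secret: basic-auth` reference is resolved in this Ingress's namespace (the commit creates the Secret in `default`, and tasks-ingr shows no namespace), so if the Ingress is ever moved the auth will break; a one-line comment noting that dependency would help.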
@@ -1,117 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: system-upgrade ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: system-upgrade - namespace: system-upgrade ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: system-upgrade -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cluster-admin -subjects: -- kind: ServiceAccount - name: system-upgrade - namespace: system-upgrade ---- -apiVersion: v1 -data: - SYSTEM_UPGRADE_CONTROLLER_DEBUG: "false" - SYSTEM_UPGRADE_CONTROLLER_THREADS: "2" - SYSTEM_UPGRADE_JOB_ACTIVE_DEADLINE_SECONDS: "900" - SYSTEM_UPGRADE_JOB_BACKOFF_LIMIT: "99" - SYSTEM_UPGRADE_JOB_IMAGE_PULL_POLICY: Always - SYSTEM_UPGRADE_JOB_KUBECTL_IMAGE: rancher/kubectl:v1.21.9 - SYSTEM_UPGRADE_JOB_PRIVILEGED: "true" - SYSTEM_UPGRADE_JOB_TTL_SECONDS_AFTER_FINISH: "900" - SYSTEM_UPGRADE_PLAN_POLLING_INTERVAL: 15m -kind: ConfigMap -metadata: - name: default-controller-env - namespace: system-upgrade ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: system-upgrade-controller - namespace: system-upgrade -spec: - selector: - matchLabels: - upgrade.cattle.io/controller: system-upgrade-controller - template: - metadata: - labels: - upgrade.cattle.io/controller: system-upgrade-controller - spec: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: node-role.kubernetes.io/master - operator: Exists - containers: - - env: - - name: SYSTEM_UPGRADE_CONTROLLER_NAME - valueFrom: - fieldRef: - fieldPath: metadata.labels['upgrade.cattle.io/controller'] - - name: SYSTEM_UPGRADE_CONTROLLER_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - envFrom: - - configMapRef: - name: default-controller-env - image: rancher/system-upgrade-controller:v0.9.1 - imagePullPolicy: IfNotPresent - name: system-upgrade-controller - volumeMounts: - - mountPath: /etc/ssl - name: etc-ssl - - mountPath: 
/etc/pki - name: etc-pki - - mountPath: /etc/ca-certificates - name: etc-ca-certificates - - mountPath: /tmp - name: tmp - serviceAccountName: system-upgrade - tolerations: - - key: CriticalAddonsOnly - operator: Exists - - effect: NoSchedule - key: node-role.kubernetes.io/master - operator: Exists - - effect: NoSchedule - key: node-role.kubernetes.io/controlplane - operator: Exists - - effect: NoSchedule - key: node-role.kubernetes.io/control-plane - operator: Exists - - effect: NoExecute - key: node-role.kubernetes.io/etcd - operator: Exists - volumes: - - hostPath: - path: /etc/ssl - type: Directory - name: etc-ssl - - hostPath: - path: /etc/pki - type: DirectoryOrCreate - name: etc-pki - - hostPath: - path: /etc/ca-certificates - type: DirectoryOrCreate - name: etc-ca-certificates - - emptyDir: {} - name: tmp diff --git a/upgrade-plans/upgrade-agent.yaml b/upgrade-plans/upgrade-agent.yaml deleted file mode 100644 index b0b686c..0000000 --- a/upgrade-plans/upgrade-agent.yaml +++ /dev/null @@ -1,24 +0,0 @@ ---- -# Agent plan -apiVersion: upgrade.cattle.io/v1 -kind: Plan -metadata: - name: agent-plan - namespace: system-upgrade -spec: - concurrency: 1 - cordon: true - nodeSelector: - matchExpressions: - - key: node-role.kubernetes.io/master - operator: DoesNotExist - prepare: - args: - - prepare - - server-plan - image: rancher/k3s-upgrade - serviceAccountName: system-upgrade - upgrade: - image: rancher/k3s-upgrade - version: stable - diff --git a/upgrade-plans/upgrade-master.yaml b/upgrade-plans/upgrade-master.yaml deleted file mode 100644 index f3c0404..0000000 --- a/upgrade-plans/upgrade-master.yaml +++ /dev/null 
@@ -1,19 +0,0 @@ -# Server plan -apiVersion: upgrade.cattle.io/v1 -kind: Plan -metadata: - name: server-plan - namespace: system-upgrade -spec: - concurrency: 1 - cordon: true - nodeSelector: - matchExpressions: - - key: node-role.kubernetes.io/master - operator: In - values: - - "true" - serviceAccountName: system-upgrade - upgrade: - image: rancher/k3s-upgrade - channel: stable