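---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: bootstrap-ingress
  namespace: kube-system
  # The deprecated kubernetes.io/ingress.class annotation is superseded by
  # spec.ingressClassName below; do not set both.
  #
  # No cert-manager.io/cluster-issuer annotation on purpose: with it,
  # cert-manager's ingress-shim would create a second Certificate (named after
  # the tls secretName) competing with the explicitly declared bootstrap-cert
  # for the same Secret. The Secret is managed by that Certificate alone.
  #
  # Optional Traefik router tuning, if needed:
  # annotations:
  #   traefik.ingress.kubernetes.io/router.entrypoints: websecure
  #   traefik.ingress.kubernetes.io/router.tls: "true"
spec:
  ingressClassName: traefik
  tls:
    - hosts:
        - "bootstrap.example.com"
      # Must match spec.secretName of the Certificate in this namespace;
      # an Ingress can only reference Secrets in its own namespace.
      secretName: bootstrap-wildcard-tls-secret
  rules:
    - host: bootstrap.example.com
      # Ensure there is a DNS override for *.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: bootstrap-service
                port:
                  number: 80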
---
apiVersion: v1
kind: Service
metadata:
  name: bootstrap-service
  namespace: kube-system
spec:
  # Cluster-internal only; external traffic arrives via the Traefik Ingress.
  type: ClusterIP
  selector:
    app: bootstrap
  ports:
    - name: web
      protocol: TCP
      port: 80
      # nginx listens on 80 inside the pod (see containerPort in the Deployment).
      targetPort: 80
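---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: bootstrap-deployment
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app: bootstrap
  template:
    metadata:
      labels:
        app: bootstrap
    spec:
      nodeSelector:
        node.longhorn.io/type: agent # match label
      containers:
        - name: nginx
          # A bare "nginx" resolves to the mutable :latest tag, so every pull
          # may silently change what runs in kube-system. A named tag narrows
          # that; pin to a digest (nginx:stable@sha256:<DIGEST>) for fully
          # reproducible deploys.
          image: nginx:stable
          ports:
            - containerPort: 80
          # Starting-point sizing for serving one static page; adjust to
          # observed usage so the pod cannot starve other kube-system workloads.
          resources:
            requests:
              cpu: 10m
              memory: 16Mi
            limits:
              memory: 64Mi
          volumeMounts:
            - name: bootstrap-volume
              mountPath: /usr/share/nginx/html
              # ConfigMap volumes are read-only anyway; stated explicitly.
              readOnly: true
      volumes:
        - name: bootstrap-volume
          configMap:
            name: bootstrap-configmap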
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: bootstrap-configmap
  namespace: kube-system
data:
  # Served by nginx from /usr/share/nginx/html (mounted in the Deployment).
  index.html: |
    <html>
    <head>
    <title>Hello World via HTTPS bootstrap!</title>
    </head>
    <body>Hello World via HTTPS bootstrap!</body>
    </html>
# The wildcard certificate's Secret lives in a shared namespace (kube-system).
# Note that tls.secretName on an Ingress is namespace-local, so an Ingress in
# another namespace cannot reference this Secret directly; a Certificate would
# have to be issued into that namespace as well.
# Debugging issuance:
#   kubectl describe certificaterequest -A
#   kubectl get certificaterequests -A
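---
apiVersion: traefik.io/v1alpha1
kind: TLSStore
metadata:
  # Traefik only honours the TLSStore named "default"; under any other name
  # the store is ignored and the default certificate is never served.
  name: default
  namespace: kube-system # namespace where Traefik is installed (kube-system under k3s)
spec:
  defaultCertificate:
    # Wildcard certificate issued by the bootstrap-cert Certificate in this
    # namespace; served for hosts that have no explicit tls entry.
    secretName: bootstrap-wildcard-tls-secret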
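---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: bootstrap-cert
  namespace: kube-system
spec:
  # Secret names are always required. This Secret is consumed by the Ingress
  # tls entry and by the Traefik TLSStore in this namespace.
  secretName: bootstrap-wildcard-tls-secret
  # secretTemplate is optional. If set, these annotations and labels will be
  # copied to the Secret named above. These labels and annotations will be
  # re-reconciled if the Certificate's secretTemplate changes. secretTemplate
  # is also enforced, so relevant label and annotation changes on the Secret by
  # a third party will be overwritten by cert-manager to match the secretTemplate.
  # secretTemplate:
  #   annotations:
  #     my-secret-annotation-1: "foo"
  #     my-secret-annotation-2: "bar"
  #   labels:
  #     my-secret-label: foo
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 2048
    # Generate a fresh private key on every renewal instead of reusing the
    # existing one; limits the blast radius of a leaked key to one lifetime.
    rotationPolicy: Always
  # keystores allows adding additional output formats. This is an example for reference only.
  # keystores:
  #   pkcs12:
  #     create: true
  #     passwordSecretRef:
  #       name: example-com-tls-keystore
  #       key: password
  #     profile: Modern2023
  duration: 2160h # 90d
  renewBefore: 360h # 15d
  isCA: false
  usages:
    - server auth
    # client auth is only needed if this cert is presented as a client
    # certificate (mTLS); harmless otherwise but can be dropped.
    - client auth
  subject:
    organizations:
      - cert-manager
  # commonName is deliberately not set. For end-entity (leaf) certificates use
  # dnsNames exclusively; commonName is usually only used to give CA
  # certificates a human-readable name. (The wildcard below covers the
  # bootstrap host.)
  #
  # The literalSubject field is exclusive with subject and commonName. It allows
  # specifying the subject directly as a string. This is useful for when the order
  # of the subject fields is important or when the subject contains special types
  # which can be specified by their OID.
  #
  # literalSubject: "O=jetstack, CN=example.com, 2.5.4.42=John, 2.5.4.4=Doe"
  #
  # At least one of commonName (possibly through literalSubject), dnsNames,
  # uris, emailAddresses, ipAddresses or otherNames is required.
  dnsNames:
    - "*.example.com"
    # - example.com
    # - www.example.com
  # uris:
  #   - spiffe://cluster.local/ns/sandbox/sa/example
  # emailAddresses:
  # ipAddresses:
  #   - 192.168.0.5
  # # Needs cert-manager 1.14+ and "OtherNames" feature flag
  # otherNames:
  #   # Should only supply oid of utf8 valued types
  #   - oid: 1.3.6.1.4.1.311.20.2.3 # User Principal Name "OID"
  #     utf8Value: "<UPN_EMAIL>"
  # Issuer references are always required.
  issuerRef:
    name: cloudflare-issuer
    # We can reference ClusterIssuers by changing the kind here.
    # The default value is Issuer (i.e. a locally namespaced Issuer).
    kind: ClusterIssuer
    # This is optional since cert-manager will default to this value; however
    # if you are using an external issuer, change this to that issuer group.
    group: cert-manager.io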
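---
# The ClusterIssuer itself is cluster-scoped; it is this Secret that must live
# in cert-manager's cluster resource namespace (cert-manager by default) so the
# issuer can read it.
apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-api-token-secret
  namespace: cert-manager
type: Opaque
stringData:
  # A bare empty value here parses as null rather than as an empty string.
  # Populate out of band (kubectl create secret, or a secrets operator) rather
  # than committing the real token alongside these manifests. Scope the
  # Cloudflare token to Zone:DNS:Edit (plus Zone:Zone:Read) for the one zone.
  api-token: "<CLOUDFLARE_API_TOKEN>"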
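---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer # cluster-scoped, so Certificates in any namespace (e.g. kube-system) can reference it
metadata:
  name: cloudflare-issuer
  # No namespace: ClusterIssuer is cluster-scoped and the API server silently
  # drops metadata.namespace on cluster-scoped objects.
spec:
  acme:
    # The ACME account contact; "xx" is not a valid address and registration
    # would fail.
    email: "<ACME_ACCOUNT_EMAIL>"
    # Use the staging endpoint while testing to stay clear of production
    # rate limits:
    # server: https://acme-staging-v02.api.letsencrypt.org/directory
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # Stores the ACME *account* private key (not a CA key pair, despite the
      # name); cert-manager creates it in the cert-manager namespace.
      name: ca-key-pair
    solvers:
      - dns01:
          cloudflare:
            apiTokenSecretRef:
              name: cloudflare-api-token-secret # CF API token from the Secret above
              key: api-token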