Setup cert-manager, radicale, etc.
Anirudh Oppiliappan x@icyphox.sh
Tue, 15 Jun 2021 22:29:09 +0530
9 files changed,
89 insertions(+),
15 deletions(-)
M
apps/radicale/Dockerfile
→
apps/radicale/Dockerfile
@@ -11,4 +11,4 @@ USER radicale
WORKDIR /home/radicale EXPOSE 5232 -CMD ["python3", "-m", "radicale", "--storage-filesystem-folder=./collections"] +CMD ["python3", "-m", "radicale", "--server-hosts", "0.0.0.0:5232", "--storage-filesystem-folder=./collections"]
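Review bot: The new CMD still starts radicale without an `--auth-type`, and Radicale 3's default auth type is `none`, which accepts any username/password, so once the pod is published through the ingress any caller can read and write the collections of whatever user name they choose. Unless a config with `[auth] type = htpasswd` is copied into the image earlier in the Dockerfile (outside this hunk) or mounted at `/etc/radicale/config`, pass it explicitly, e.g. `CMD ["python3", "-m", "radicale", "--server-hosts", "0.0.0.0:5232", "--auth-type", "htpasswd", "--auth-htpasswd-filename", "/home/radicale/users", "--storage-filesystem-folder=./collections"]`, and have the Deployment mount that htpasswd file from a Secret. Binding `0.0.0.0` itself is fine here: the pod's network namespace is only reachable through the Service.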
A
apps/radicale/ing.yaml
@@ -0,0 +1,28 @@
+apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: + nginx.ingress.kubernetes.io/configuration-snippet: | + proxy_set_header X-Script-Name /; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Host $http_host; + proxy_pass_header Authorization; + kubernetes.io/tls-acme: 'true' + cert-manager.io/issuer: "letsencrypt-prod" + name: radicale-ingress +spec: + tls: + - hosts: + - dav.icyphox.sh + secretName: radicale-certs + rules: + - host: dav.icyphox.sh + http: + paths: + - backend: + service: + name: radicale + port: + number: 5232 + path: / + pathType: Prefix
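Review bot: The `X-Forwarded-For $proxy_add_x_forwarded_for` line in the snippet will record the stream proxy's address rather than the real client, because the front nginx in nginx/ingress.conf forwards raw TCP without PROXY protocol, so radicale's logs and any IP-based controls see every request as coming from jade. Either drop the two `proxy_set_header` lines (ingress-nginx already sets `X-Forwarded-For` and `Host` on proxied requests) or enable PROXY protocol end to end. `proxy_pass_header Authorization;` also looks like a no-op: `proxy_pass_header` only un-hides upstream response headers, and the request's `Authorization` header is forwarded by default; if the intent was to keep credentials from being stripped, say so in a comment, otherwise remove it. Note that `configuration-snippet` only works when the controller's `allow-snippet-annotations` is on, which lets any Ingress author inject raw nginx config — acceptable on a single-tenant cluster, but worth a comment next to the annotation.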
M
apps/radicale/radicale.yaml
→
apps/radicale/radicale.yaml
@@ -13,6 +13,8 @@ metadata:
labels: app: radicale spec: + securityContext: + fsGroup: 101 imagePullSecrets: - name: registry-creds nodeSelector:@@ -20,12 +22,13 @@ arch: "amd64"
containers: - name: radicale image: reg.icyphox.sh/radicale + imagePullPolicy: Always volumeMounts: - name: collections mountPath: "/home/radicale/collections" ports: - name: http - containerPort: 5000 + containerPort: 5232 volumes: - name: collections persistentVolumeClaim:
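Review bot: `imagePullPolicy: Always` on an untagged `reg.icyphox.sh/radicale` means every pod restart pulls whatever `:latest` currently is, so the running version silently changes with each push to the registry; pin a tag or, better, a digest (`image: reg.icyphox.sh/radicale@sha256:...`) so rollouts are deliberate and reproducible. The new pod `securityContext` only sets `fsGroup: 101`; since the image already drops to `USER radicale`, add `runAsNonRoot: true` so the cluster enforces it rather than trusting the Dockerfile, and document the number, e.g. `fsGroup: 101  # gid of the radicale user in the image, so the PVC is writable` — assuming 101 really is that gid, which this manifest does not show. The container and volume definitions continue past the hunk.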
M
apps/registry/registry.yaml
→
apps/registry/registry.yaml
@@ -24,9 +24,6 @@ mountPath: "/var/lib/registry"
- name: auth mountPath: "/auth" readOnly: true - # - name: certs - # mountPath: "/certs" - # readOnly: true env: - name: REGISTRY_AUTH value: "htpasswd"@@ -34,10 +31,6 @@ - name: REGISTRY_AUTH_HTPASSWD_REALM
value: "Registry Realm" - name: REGISTRY_AUTH_HTPASSWD_PATH value: "/auth/htpasswd" - # - name: REGISTRY_HTTP_TLS_CERTIFICATE - # value: "/certs/tls.crt" - # - name: REGISTRY_HTTP_TLS_KEY - # value: "/certs/tls.key" ports: - name: http containerPort: 5000@@ -45,9 +38,6 @@ volumes:
- name: repo persistentVolumeClaim: claimName: registry-repo - # - name: certs - # secret: - # secretName: registry-certs - name: auth secret: secretName: registry-auth@@ -57,11 +47,9 @@ kind: Service
metadata: name: registry spec: - # type: NodePort selector: app: registry ports: - name: http port: 5000 targetPort: 5000 - # nodePort: 30019
A
cert-manager/issuer-prod.yaml
@@ -0,0 +1,14 @@
+apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: letsencrypt-prod +spec: + acme: + server: https://acme-v02.api.letsencrypt.org/directory + email: x@icyphox.sh + privateKeySecretRef: + name: letsencrypt-prod + solvers: + - http01: + ingress: + class: nginx
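Review bot: `kind: Issuer` is namespaced, so this only serves Ingresses in the namespace it is applied to; both `apps/radicale/ing.yaml` and `apps/registry/ing.yaml` reference `cert-manager.io/issuer: letsencrypt-prod` and none of these manifests set `metadata.namespace`, so it works only as long as everything is applied into the same namespace. If the apps are, or later get, split across namespaces, switch to `kind: ClusterIssuer` with the `cert-manager.io/cluster-issuer` annotation. The ACME account key is stored in the `letsencrypt-prod` Secret named by `privateKeySecretRef` and should be treated as a credential; a comment such as `# ACME account key; anyone who can read this Secret can act as this account` would make that explicit.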
A
cert-manager/issuer-staging.yaml
@@ -0,0 +1,14 @@
+apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: letsencrypt-staging +spec: + acme: + server: https://acme-staging-v02.api.letsencrypt.org/directory + email: x@icyphox.sh + privateKeySecretRef: + name: letsencrypt-staging + solvers: + - http01: + ingress: + class: nginx
M
ingress/ing.yaml
→
apps/registry/ing.yaml
@@ -6,7 +6,8 @@ nginx.ingress.kubernetes.io/proxy-body-size: "0"
nginx.ingress.kubernetes.io/proxy-read-timeout: "600" nginx.ingress.kubernetes.io/proxy-send-timeout: "600" kubernetes.io/tls-acme: 'true' - name: fern-ingress + cert-manager.io/issuer: "letsencrypt-prod" + name: registry-ingress spec: tls: - hosts:
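Review bot: Renaming the object from `fern-ingress` to `registry-ingress` creates a second Ingress on `kubectl apply` unless the old one is deleted, and both would then claim the same host and TLS secret; ingress-nginx will pick one and cert-manager's ingress-shim will see two owners of the same certificate Secret. Delete the old object (`kubectl delete ingress fern-ingress`) as part of the rollout, or apply with pruning, and mention the file move in the commit message. Since the registry itself serves plain HTTP (its TLS env vars stay unset), TLS terminates at the ingress and the htpasswd Basic credentials travel unencrypted between the ingress controller and the registry pod; presumably acceptable on a small home cluster, but it deserves a comment on this Ingress. The `tls` hosts/secretName and the rules lie outside this hunk.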
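--- /dev/null
+++ b/nginx/ingress.conf
@@ -0,0 +1,19 @@
+stream {
+    upstream ingress443 {
+        server 192.168.4.150:443;
+    }
+
+    upstream ingress80 {
+        server 192.168.4.150:80;
+    }
+    server {
+        listen 443;
+        proxy_pass ingress443;
+        proxy_next_upstream on;
+    }
+    server {
+        listen 80;
+        proxy_pass ingress80;
+        proxy_next_upstream on;
+    }
+}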
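Review bot: Forwarding raw TCP with plain `proxy_pass` discards the client's source address, so ingress-nginx — and everything behind it, including the `X-Forwarded-For` snippet in apps/radicale/ing.yaml — sees every connection as coming from jade, which defeats IP-based logging, rate limiting or allowlists on the cluster side. If client IPs matter, add `proxy_protocol on;` to both `server` blocks and set `use-proxy-protocol: "true"` in the ingress-nginx ConfigMap; the two must be switched together or the TLS handshake will fail. `proxy_next_upstream on;` is a no-op with a single upstream server and could be dropped, or kept with a comment marking it as the place to add a second ingress node. The stream defaults (`proxy_connect_timeout 60s`, `proxy_timeout 10m`) apply silently here and are worth stating in a comment as well.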
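--- /dev/null
+++ b/nginx/readme
@@ -0,0 +1,7 @@
+nginx
+-----
+
+Non-terminating SSL passthrough back to our K8s ingress, plus port 80
+proxying for cert-manager solvers.
+
+Runs on jade.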