progress

Makefile

@@ -8,15 +8,19 @@ namespaces:
 secrets:
 	dotenvx run -f .env.$(ENV) -- ./scripts/k8s-secrets.sh
 
-
 flux:
 	./scripts/flux-bootstrap.sh
 
 dev: kind namespaces secrets chisel velero
 
-prod: export ENV=production namespaces secrets velero chisel flux
+prod: echoenv namespaces secrets velero chisel flux
 
-staging: export ENV=staging namespaces secrets velero chisel flux
+staging: echoenv namespaces secrets velero flux
+
+echoenv:
+	echo "[echoenv] Using ${ENV} environment. If this is not what you want, export ENV=development|staging|production"
+
+scrap: namespaces secrets velero chisel flux
 
 velero:
 	./scripts/velero-create.sh
@@ -25,6 +29,9 @@ tilt:
 	kind get kubeconfig > ~/.kube/kind.yaml
 	KUBECONFIG=~/.kube/kind.yaml tilt up -f ./t.wip.tiltfile
 
+exoscale:
+	kubectl apply -f https://raw.githubusercontent.com/exoscale/cert-manager-webhook-exoscale/master/deploy/exoscale-webhook-kustomize/deploy.yaml
+
 kind:
 	./scripts/kind-with-local-registry.sh
 
@@ -36,7 +43,7 @@ clean:
 	dotenvx run -f .env.$(ENV) -- node ./packages/infra/vultr-delete-orphaned-resources.js
 
 deps:
-	echo "Some of the install methods for these dependencies are not cross-platform compatible. Some of the install methods are not well-tested. Expect this to fail. Please consult the Makefile for URLs to project sources."
+	echo "Some of the install methods for these dependencies are not cross-platform compatible. Some of the install methods are not tested. Expect this to fail. Please consult the Makefile for URLs to project sources."
 	sudo pamac install make entr nvm kubectl docker helm expect
 	curl -fsSL https://raw.githubusercontent.com/tilt-dev/tilt/master/scripts/install.sh | bash
 	curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.7/install.sh | bash
@@ -48,7 +55,9 @@ deps:
 	newgrp docker
 	curl -OL 'https://github.com/vmware-tanzu/velero/releases/download/v1.13.2/velero-v1.13.2-linux-amd64.tar.gz'
 	npm install -g @dotenvx/dotenvx
-
+	OS=$(go env GOOS); ARCH=$(go env GOARCH); curl -fsSL -o cmctl https://github.com/cert-manager/cmctl/releases/latest/download/cmctl_${OS}_${ARCH}
+	chmod +x cmctl
+	sudo mv cmctl /usr/local/bin
 
 # A gitea act runner which runs locally
 # https://docs.gitea.com/next/usage/actions/overview

apps/base/fp/release.yaml

@@ -21,7 +21,6 @@ spec:
       imageName: gitea.futureporn.net/futureporn/link2cid:latest
     next:
       imageName: gitea.futureporn.net/futureporn/next:latest
-      certIssuer: letsencrypt-staging
       hostname: next.futureporn.svc.cluster.local
       ingressClassName: traefik
     capture:
@@ -33,7 +32,6 @@ spec:
         imageName: gitea.futureporn.net/futureporn/scout-worker:latest
         replicas: 1
       pubsubServerUrl: https://realtime.futureporn.svc.cluster.local/faye
-      certIssuer: letsencrypt-staging
       hostname: next.futureporn.svc.cluster.local
       cdnBucketUrl: https://fp-dev.b-cdn.net
       s3BucketName: fp-dev
@@ -41,7 +39,6 @@ spec:
       imageName: gitea.futureporn.net/futureporn/strapi:latest
       port: 1339
       url: https://strapi.piko.sbtp.xyz
-      certIssuer: letsencrypt-staging
       hostname: strapi.futureporn.svc.cluster.local
       ingressClassName: traefik
     realtime:
@@ -49,3 +46,5 @@ spec:
     adminEmail: cj@futureporn.net
     chisel:
       exitNodeIp: "155.138.254.201"
+    certManager:
+      issuer: letsencrypt-staging

apps/base/podinfo/release.yaml

@@ -33,7 +33,7 @@ spec:
         traefik.ingress.kubernetes.io/router.tls.domains.0.main: podinfo.sbtp.xyz
         traefik.ingress.kubernetes.io/router.entrypoints: http
         traefik.ingress.kubernetes.io/service.nativelb: podinfo
-        cert-manager.io/cluster-issuer: "letsencrypt"
+        cert-manager.io/cluster-issuer: "letsencrypt-staging"
         # ingress.kubernetes.io/ssl-redirect: "true"
       hosts:
         - host: podinfo.sbtp.xyz

apps/production/fp-values.yaml

@@ -9,9 +9,10 @@ spec:
       certIssuer: letsencrypt-prod
       hostname: next.futureporn.net
     scout:
-      certIssuer: letsencrypt-prod
       cdnBucketUrl: https://futureporn-b2.b-cdn.net
       s3BucketName: futureporn-b2
     strapi:
       url: https://portal.futureporn.net
-      hostname: portal.futureporn.net
+      hostname: portal.futureporn.net
+    certManager:
+      issuer: letsencrypt-production

apps/staging/fp-values.yaml

@@ -6,13 +6,13 @@ metadata:
 spec:
   values:
     next:
-      certIssuer: letsencrypt-staging
       hostname: next.sbtp.xyz
     scout:
-      certIssuer: letsencrypt-staging
       cdnBucketUrl: https://fp-dev.b-cdn.net
       s3BucketName: fp-dev
     strapi:
       url: https://strapi.sbtp.xyz
       hostname: strapi.sbtp.xyz
-    managedBy: Helm
+    managedBy: Helm
+    certManager:
+      issuer: letsencrypt-staging

charts/fp/templates/cert-manager.yaml

@@ -0,0 +1,127 @@
+## roles to deal with the following error
+##   exoscale.acme.exoscale.com is forbidden: User "system:serviceaccount:cert-manager:cert-manager" cannot create resource "exoscale"
+##   cannot create resource "exoscale" in API group "acme.exoscale.com" at the cluster scope
+
+# I don't think I need the following commented yaml. I think the problem I was seeing was actually caused by the lack of cert-manager-webhook-exoscale
+
+# ---
+# apiVersion: rbac.authorization.k8s.io/v1
+# kind: ClusterRole
+# metadata:
+#   name: cert-manager-webhook-exoscale
+#   namespace: cert-manager
+#   labels:
+#     app: webhook
+# rules:
+#   - apiGroups:
+#       - acme.exoscale.com
+#     resources:
+#       - '*'
+#     verbs:
+#       - 'create'
+
+# ---
+# apiVersion: rbac.authorization.k8s.io/v1
+# kind: ClusterRoleBinding
+# metadata:
+#   name: cert-manager-webhook-exoscale
+#   namespace: cert-manager
+#   labels:
+#     app: webhook
+# roleRef:
+#   apiGroup: rbac.authorization.k8s.io
+#   kind: ClusterRole
+#   name: cert-manager-webhook-exoscale
+# subjects:
+# - apiGroup: ""
+#   kind: ServiceAccount
+#   name: cert-manager
+#   namespace: cert-manager
+
+
+## Role & RoleBinding to give cert-manager access to the exoscale secret
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: cert-manager-webhook-exoscale:secret-reader
+  namespace: cert-manager
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  resourceNames: ["exoscale"]
+  verbs: ["get", "watch"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: cert-manager-webhook-exoscale:secret-reader
+  namespace: cert-manager
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: cert-manager-webhook-exoscale:secret-reader
+subjects:
+  - apiGroup: ""
+    kind: ServiceAccount
+    name: cert-manager-webhook-exoscale
+
+---
+{{ if ne .Values.environment "production" }} 
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-staging
+spec:
+  acme:
+    # You must replace this email address with your own.
+    # Let's Encrypt will use this to contact you about expiring
+    # certificates, and issues related to your account.
+    email: {{ .Values.adminEmail }}
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      # Secret resource that will be used to store the account's private key.
+      name: letsencrypt-staging
+    solvers:
+    - dns01:
+        webhook:
+          groupName: acme.exoscale.com
+          solverName: exoscale
+          config:
+            apiKeyRef:
+              name: exoscale
+              key: apiKey
+            apiSecretRef:
+              name: exoscale
+              key: apiSecret
+         
+{{ end }}
+
+{{ if eq .Values.environment "production" }} 
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-prod
+spec:
+  acme:
+    # server: https://acme-staging-v02.api.letsencrypt.org/directory
+    server: https://acme-v02.api.letsencrypt.org/directory
+    email: {{ .Values.adminEmail }}
+    privateKeySecretRef:
+      name: letsencrypt-prod
+    solvers:
+    - dns01:
+        webhook:
+          groupName: acme.exoscale.com
+          solverName: exoscale
+          config:
+            apiKeyRef:
+              name: exoscale
+              key: apiKey
+            apiSecretRef:
+              name: exoscale
+              key: apiSecret
+{{ end }}

charts/fp/templates/echo.yaml

@@ -28,7 +28,7 @@ metadata:
   namespace: futureporn
   annotations:
     external-dns.alpha.kubernetes.io/hostname: "{{ .Values.echo.hostname }}"
-    # chisel-operator.io/exit-node-name: "echo-exit-node"
+    chisel-operator.io/exit-node-name: "echo-exit-node"
 spec:
   selector:
     app: echo
@@ -59,7 +59,7 @@ metadata:
   annotations:
     traefik.ingress.kubernetes.io/router.entrypoints: web
     traefik.ingress.kubernetes.io/router.tls: "false"
-    traefik.ingress.kubernetes.io/router.tls.certresolver: le
+    # cert-manager.io/cluster-issuer: "{{ .Values.certManager.issuer }}"
 spec:
   rules:
     - host: "{{ .Values.echo.hostname }}"
@@ -72,17 +72,5 @@ spec:
                 name: echo
                 port:
                   number: 8001
-
+  tls:
-# ---
+    - secretName: echo-cert
-# apiVersion: traefik.io/v1alpha1
-# kind: IngressRoute
-# metadata:
-#   name: echo
-#   namespace: futureporn
-# spec:
-#   routes:
-#     - match: Host(`echo.sbtp.xyz`)
-#       kind: Rule
-#       services:
-#       - name: echo
-#         port: 8001

charts/fp/templates/exoscale-webhook.yaml

@@ -0,0 +1,321 @@
+## copied from https://github.com/exoscale/cert-manager-webhook-exoscale
+
+---
+# Source: exoscale-webhook/templates/rbac.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cert-manager-webhook-exoscale
+  namespace: "cert-manager"
+  labels:
+    app: exoscale-webhook
+    chart: exoscale-webhook-0.3.0
+    release: exoscale-webhook
+    heritage: Helm
+---
+# Source: exoscale-webhook/templates/rbac.yaml
+# Grant cert-manager permission to validate using our apiserver
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: cert-manager-webhook-exoscale:domain-solver
+  labels:
+    app: exoscale-webhook
+    chart: exoscale-webhook-0.3.0
+    release: exoscale-webhook
+    heritage: Helm
+rules:
+  - apiGroups:
+      - acme.exoscale.com
+    resources:
+      - '*'
+    verbs:
+      - 'create'
+---
+# Source: exoscale-webhook/templates/rbac.yaml
+# apiserver gets the auth-delegator role to delegate auth decisions to
+# the core apiserver
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cert-manager-webhook-exoscale:auth-delegator
+  labels:
+    app: exoscale-webhook
+    chart: exoscale-webhook-0.3.0
+    release: exoscale-webhook
+    heritage: Helm
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:auth-delegator
+subjects:
+  - apiGroup: ""
+    kind: ServiceAccount
+    name: cert-manager-webhook-exoscale
+    namespace: cert-manager
+---
+# Source: exoscale-webhook/templates/rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cert-manager-webhook-exoscale:domain-solver
+  labels:
+    app: exoscale-webhook
+    chart: exoscale-webhook-0.3.0
+    release: exoscale-webhook
+    heritage: Helm
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cert-manager-webhook-exoscale:domain-solver
+subjects:
+  - apiGroup: ""
+    kind: ServiceAccount
+    name: cert-manager
+    namespace: cert-manager
+---
+# Source: exoscale-webhook/templates/rbac.yaml
+# Grant the webhook permission to read the secrets containing the credentials
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: cert-manager-webhook-exoscale:secrets-reader
+  namespace: cert-manager
+  labels:
+    app: exoscale-webhook
+    chart: exoscale-webhook-0.3.0
+    release: exoscale-webhook
+    heritage: Helm
+rules:
+  - apiGroups:
+    - ''
+    resources:
+    - 'secrets'
+    verbs:
+    - 'get'
+---
+# Source: exoscale-webhook/templates/rbac.yaml
+# Grant the webhook permission to read the ConfigMap containing the Kubernetes
+# apiserver's requestheader-ca-certificate.
+# This ConfigMap is automatically created by the Kubernetes apiserver.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: cert-manager-webhook-exoscale:webhook-authentication-reader
+  namespace: kube-system
+  labels:
+    app: exoscale-webhook
+    chart: exoscale-webhook-0.3.0
+    release: exoscale-webhook
+    heritage: Helm
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: extension-apiserver-authentication-reader
+subjects:
+  - apiGroup: ""
+    kind: ServiceAccount
+    name: cert-manager-webhook-exoscale
+    namespace: cert-manager
+---
+# Source: exoscale-webhook/templates/rbac.yaml
+# Grant the webhook permission to read the secrets containing the credentials
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: cert-manager-webhook-exoscale:secrets-reader
+  namespace: cert-manager
+  labels:
+    app: exoscale-webhook
+    chart: exoscale-webhook-0.3.0
+    release: exoscale-webhook
+    heritage: Helm
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: cert-manager-webhook-exoscale:secrets-reader
+subjects:
+  - apiGroup: ""
+    kind: ServiceAccount
+    name: cert-manager-webhook-exoscale
+    namespace: cert-manager
+---
+# Source: exoscale-webhook/templates/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: cert-manager-webhook-exoscale
+  namespace: "cert-manager"
+  labels:
+    app: exoscale-webhook
+    chart: exoscale-webhook-0.3.0
+    release: exoscale-webhook
+    heritage: Helm
+spec:
+  type: ClusterIP
+  ports:
+    - port: 443
+      targetPort: https
+      protocol: TCP
+      name: https
+  selector:
+    app: exoscale-webhook
+    release: exoscale-webhook
+---
+# Source: exoscale-webhook/templates/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: cert-manager-webhook-exoscale
+  namespace: "cert-manager"
+  labels:
+    app: exoscale-webhook
+    chart: exoscale-webhook-0.3.0
+    release: exoscale-webhook
+    heritage: Helm
+spec:
+  replicas: 
+  selector:
+    matchLabels:
+      app: exoscale-webhook
+      release: exoscale-webhook
+  template:
+    metadata:
+      labels:
+        app: exoscale-webhook
+        release: exoscale-webhook
+    spec:
+      serviceAccountName: cert-manager-webhook-exoscale
+      containers:
+        - name: exoscale-webhook
+          image: "exoscale/cert-manager-webhook-exoscale:latest"
+          imagePullPolicy: IfNotPresent
+          args:
+            - --tls-cert-file=/tls/tls.crt
+            - --tls-private-key-file=/tls/tls.key
+          env:
+            - name: GROUP_NAME
+              value: "acme.exoscale.com"
+            - name: EXOSCALE_DEBUG
+              value: ""
+            - name: EXOSCALE_API_TRACE
+              value: ""
+          ports:
+            - name: https
+              containerPort: 443
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              scheme: HTTPS
+              path: /healthz
+              port: https
+          readinessProbe:
+            httpGet:
+              scheme: HTTPS
+              path: /healthz
+              port: https
+          volumeMounts:
+            - name: certs
+              mountPath: /tls
+              readOnly: true
+          resources:
+            {}
+      volumes:
+        - name: certs
+          secret:
+            secretName: cert-manager-webhook-exoscale-webhook-tls
+---
+# Source: exoscale-webhook/templates/apiservice.yaml
+apiVersion: apiregistration.k8s.io/v1
+kind: APIService
+metadata:
+  name: v1alpha1.acme.exoscale.com
+  labels:
+    app: exoscale-webhook
+    chart: exoscale-webhook-0.3.0
+    release: exoscale-webhook
+    heritage: Helm
+  annotations:
+    cert-manager.io/inject-ca-from: "cert-manager/cert-manager-webhook-exoscale-webhook-tls"
+spec:
+  group: acme.exoscale.com
+  groupPriorityMinimum: 1000
+  versionPriority: 15
+  service:
+    name: cert-manager-webhook-exoscale
+    namespace: cert-manager
+  version: v1alpha1
+---
+# Source: exoscale-webhook/templates/pki.yaml
+# Generate a CA Certificate used to sign certificates for the webhook
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: cert-manager-webhook-exoscale-ca
+  namespace: "cert-manager"
+  labels:
+    app: exoscale-webhook
+    chart: exoscale-webhook-0.3.0
+    release: exoscale-webhook
+    heritage: Helm
+spec:
+  secretName: cert-manager-webhook-exoscale-ca
+  duration: 43800h # 5y
+  issuerRef:
+    name: cert-manager-webhook-exoscale-selfsign
+  commonName: "ca.exoscale-webhook.cert-manager"
+  isCA: true
+---
+# Source: exoscale-webhook/templates/pki.yaml
+# Finally, generate a serving certificate for the webhook to use
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: cert-manager-webhook-exoscale-webhook-tls
+  namespace: "cert-manager"
+  labels:
+    app: exoscale-webhook
+    chart: exoscale-webhook-0.3.0
+    release: exoscale-webhook
+    heritage: Helm
+spec:
+  secretName: cert-manager-webhook-exoscale-webhook-tls
+  duration: 8760h # 1y
+  issuerRef:
+    name: cert-manager-webhook-exoscale-ca
+  dnsNames:
+  - cert-manager-webhook-exoscale
+  - cert-manager-webhook-exoscale.cert-manager
+  - cert-manager-webhook-exoscale.cert-manager.svc
+---
+# Source: exoscale-webhook/templates/pki.yaml
+# Create a selfsigned Issuer, in order to create a root CA certificate for
+# signing webhook serving certificates
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: cert-manager-webhook-exoscale-selfsign
+  namespace: "cert-manager"
+  labels:
+    app: exoscale-webhook
+    chart: exoscale-webhook-0.3.0
+    release: exoscale-webhook
+    heritage: Helm
+spec:
+  selfSigned: {}
+---
+# Source: exoscale-webhook/templates/pki.yaml
+# Create an Issuer that uses the above generated CA certificate to issue certs
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: cert-manager-webhook-exoscale-ca
+  namespace: "cert-manager"
+  labels:
+    app: exoscale-webhook
+    chart: exoscale-webhook-0.3.0
+    release: exoscale-webhook
+    heritage: Helm
+spec:
+  ca:
+    secretName: cert-manager-webhook-exoscale-ca

charts/fp/templates/letsencrypt.yaml

@@ -1,49 +0,0 @@
-{{ if ne .Values.environment "production" }} 
-apiVersion: cert-manager.io/v1
-kind: ClusterIssuer
-metadata:
-  name: letsencrypt-staging
-spec:
-  acme:
-    # You must replace this email address with your own.
-    # Let's Encrypt will use this to contact you about expiring
-    # certificates, and issues related to your account.
-    email: {{ .Values.adminEmail }}
-    server: https://acme-staging-v02.api.letsencrypt.org/directory
-    privateKeySecretRef:
-      # Secret resource that will be used to store the account's private key.
-      name: letsencrypt-staging
-    solvers:
-    - dns01:
-        webhook:
-          groupName: acme.vultr.com
-          solverName: vultr
-          config:
-            apiKeySecretRef:
-              key: apiKey
-              name: vultr
-{{ end }}
-
-{{ if eq .Values.environment "production" }} 
----
-apiVersion: cert-manager.io/v1
-kind: ClusterIssuer
-metadata:
-  name: letsencrypt-prod
-spec:
-  acme:
-    # server: https://acme-staging-v02.api.letsencrypt.org/directory
-    server: https://acme-v02.api.letsencrypt.org/directory
-    email: {{ .Values.adminEmail }}
-    privateKeySecretRef:
-      name: letsencrypt-prod
-    solvers:
-    - dns01:
-        webhook:
-          groupName: acme.vultr.com
-          solverName: vultr
-          config:
-            apiKeySecretRef:
-              key: apiKey
-              name: vultr
-{{ end }}

charts/fp/templates/next.yaml

@@ -51,7 +51,7 @@ metadata:
   annotations:
     traefik.ingress.kubernetes.io/router.entrypoints: http
     traefik.ingress.kubernetes.io/router.tls: "true"
-    traefik.ingress.kubernetes.io/tls.certresolver: le
+    cert-manager.io/cluster-issuer: "{{ .Values.certManager.issuer }}"
     kubernetes.io/ingress.class: traefik
     external-dns.alpha.kubernetes.io/hostname: "{{ .Values.next.hostname }}"
 spec:
@@ -98,8 +98,8 @@ metadata:
   namespace: futureporn
   annotations:
     traefik.ingress.kubernetes.io/router.entrypoints: web
-    traefik.ingress.kubernetes.io/router.tls: "false"
+    traefik.ingress.kubernetes.io/router.tls: "true"
-    traefik.ingress.kubernetes.io/router.tls.certresolver: le
+    cert-manager.io/cluster-issuer: "{{ .Values.certManager.issuer }}"
 spec:
   rules:
     - host: next.fp.sbtp.xyz
@@ -112,3 +112,7 @@ spec:
                 name: next
                 port:
                   number: 3000
+  tls:
+  - hosts:
+    - "{{ .Values.next.hostname }}"
+    secretName: next-cert

charts/fp/templates/strapi.yaml

@@ -162,18 +162,14 @@ metadata:
   namespace: futureporn
   annotations:
     kubernetes.io/ingress.class: traefik
-    traefik.ingress.kubernetes.io/router.entrypoints: web
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure,web
     traefik.ingress.kubernetes.io/router.tls: "false"
-    traefik.ingress.kubernetes.io/router.tls.certresolver: le
+    cert-manager.io/cluster-issuer: "{{ .Values.certManager.issuer }}"
 spec:
-  ingressClassName: "{{ .Values.strapi.ingressClassName }}"
+  tls:
-  backend:
+    - hosts:
-    serviceName: strapi
+      - "{{ .Values.strapi.hostname }}"
-    servicePort: 1339
+      secretName: strapi-cert
-  # tls:
-  #   - secretName: strapi-tls
-  #     hosts:
-  #       - "{{ .Values.strapi.hostname }}"
   rules:
     - host: "{{ .Values.strapi.hostname }}"
       http:
@@ -198,18 +194,3 @@ spec:
   port: 9090
   auth: chisel
 {{ end }}
-
-#   annotations:
-
-# spec:
-#   rules:
-#     - host: echo.sbtp.xyz
-#       http:
-#         paths:
-#           - path: /
-#             pathType: Prefix
-#             backend:
-#               service:
-#                 name: echo
-#                 port:
-#                   number: 8001

charts/fp/templates/traefik.yaml

@@ -37,4 +37,6 @@ spec:
   port: 9090
   auth: chisel
 
-{{ end }}
+{{ end }}
+
+

charts/fp/values-dev.yaml

@@ -5,7 +5,6 @@ link2cid:
   imageName: fp/link2cid
 next:
   imageName: fp/next
-  certIssuer: letsencrypt-staging
   hostname: next.fp.sbtp.xyz
   ingressClassName: traefik
 capture:
@@ -17,7 +16,6 @@ scout:
     imageName: fp/scout-worker
     replicas: 1
   pubsubServerUrl: https://realtime.futureporn.svc.cluster.local/faye
-  certIssuer: letsencrypt-staging
   hostname: next.futureporn.svc.cluster.local
   cdnBucketUrl: https://fp-dev.b-cdn.net
   s3BucketName: fp-dev
@@ -25,7 +23,6 @@ strapi:
   imageName: fp/strapi
   port: 1339
   url: https://strapi.fp.sbtp.xyz
-  certIssuer: letsencrypt-staging
   hostname: strapi.fp.sbtp.xyz
   ingressClassName: traefik
 ngrok:
@@ -36,4 +33,6 @@ adminEmail: cj@futureporn.net
 chisel:
   exitNodeIp: "155.138.254.201"
 echo:
-  hostname: echo.fp.sbtp.xyz
+  hostname: echo.fp.sbtp.xyz
+certManager:
+  issuer: letsencrypt-staging

charts/fp/values-prod.yaml

@@ -13,7 +13,6 @@ scout:
   s3BucketName: futureporn
 next:
   imageName: gitea.futureporn.net/futureporn/next:latest
-  certIssuer: letsencrypt-staging
   hostname: next.sbtp.xyz
 capture:
   imageName: gitea.futureporn.net/futureporn/capture:latest
@@ -21,11 +20,12 @@ strapi:
   imageName: sjc.vultrcr.com/fpcontainers/strapi
   port: 1339
   url: https://portal.futureporn.net
-  certIssuer: letsencrypt-prod
   hostname: strapi.sbtp.xyz
   ingressClassName: traefik
 managedBy: Helm
 adminEmail: cj@futureporn.net
 extraArgs: 
   - --dns01-recursive-nameservers-only
-  - --dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53
+  - --dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53
+certManager:
+  issuer: letsencrypt-production

infrastructure/controllers/cert-manager-webhook-exoscale.yaml

@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - github.com/exoscale.cert-manager-webhook-exoscale/deploy/exoscale-webhook-kustomize

infrastructure/controllers/cert-manager.yaml

@@ -1,5 +1,3 @@
-## DEPRECATED. We are using traefik to get certs
-
 ---
 apiVersion: v1
 kind: Namespace
@@ -35,3 +33,4 @@ spec:
       interval: 12h
   values:
     installCRDs: true
+

infrastructure/controllers/kustomization.yaml

@@ -2,7 +2,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - external-dns.yaml
-  # - cert-manager.yaml
+  - cert-manager.yaml
+  - cert-manager-webhook-exoscale.yaml
   - ingress-traefik.yaml
   - grafana-k8s-dashboards.yaml
   - kube-prometheus-stack.yaml

scripts/flux-bootstrap.sh

@@ -1,10 +1,9 @@
 #!/bin/bash
 
-if [ -z "$(ENV)" ]; then \
+if [ -z "${ENV}" ]; then \
 		echo "Error: ENV variable is not defined. Please set to one of development|staging|production"; exit 1; \
 fi
 
-## this way is annoying because deployment asks for git password
 # flux bootstrap git \
 #   --kubeconfig /home/cj/.kube/vke.yaml \
 #   --url=https://gitea.futureporn.net/futureporn/fp.git \
@@ -13,9 +12,9 @@ fi
 #   --token-auth=true \
 #   --path=clusters/production
 
-## this way is more automatic although it does ask for yes/no confirmation that the ssh key has repo access
+## --silent avoids the [Yes|no] prompt
 flux bootstrap git \
-  --yes \
+  --silent \
   --url="ssh://git@gitea.futureporn.net:2222/futureporn/fp" \
   --branch=main \
   --path="clusters/$ENV" \

scripts/k8s-secrets.sh

@@ -25,8 +25,8 @@ EOF
 # --from-literal=username=${TRAEFIK_USERNAME} \
 # --from-literal=password=${TRAEFIK_PASSWORD}
 
-kubectl --namespace futureporn delete secret exoscale --ignore-not-found
+kubectl --namespace cert-manager delete secret exoscale --ignore-not-found
-kubectl --namespace futureporn create secret generic exoscale \
+kubectl --namespace cert-manager create secret generic exoscale \
 --from-literal=apiKey=${EXOSCALE_API_KEY} \
 --from-literal=apiSecret=${EXOSCALE_API_SECRET}
 

t.wip.tiltfile

@@ -1,11 +1,12 @@
 # Tiltfile for working with Next and Strapi locally
 
 ## cert-manager slows down Tilt updates so I prefer to keep it commented unless I specifically need to test certs
-# load('ext://cert_manager', 'deploy_cert_manager')
+load('ext://cert_manager', 'deploy_cert_manager')
-# deploy_cert_manager(
+deploy_cert_manager(
-#     load_to_kind=True,
+    load_to_kind=True,
-#     # registry='localhost:5001'
+    version='v1.15.1',
-# )
+)
+
 
 default_registry('localhost:5001')
 load('ext://helm_remote', 'helm_remote')
@@ -44,6 +45,21 @@ load('ext://helm_remote', 'helm_remote')
 #     ]
 # )
 
+
+## this method results in the following error. Build Failed: Internal error occurred: failed calling webhook "webhook.cert-manager.io": failed to call webhook: Post "https://cert-manager-webhook.cert-manager.svc:443/validate?timeout=30s": service "cert-manager-webhook" not found
+# helm_remote(
+#     'cert-manager',
+#     repo_url='https://charts.jetstack.io',
+#     repo_name='cert-manager',
+#     namespace='cert-manager',
+#     version='1.15.1',
+#     set=[
+#         'crds.enabled=true'
+#     ]
+# )
+
+
+
 helm_remote(
     'traefik',
     repo_name='traefik',
@@ -52,12 +68,9 @@ helm_remote(
     version='28.3.0',
     set=[
         'globalArguments[0]=--global.sendanonymoususage=false',
-        'globalArguments[1]=--certificatesresolvers.le.acme.email=cj@futureporn.net',
-        'globalArguments[2]=--certificatesresolvers.le.acme.storage=/data/acme.json',
-        'globalArguments[3]=--certificatesresolvers.le.acme.tlschallenge=true',
-        'globalArguments[4]=--certificatesresolvers.le.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory',
         'service.enabled=false',
-        'logs.access.enabled=true'
+        'logs.access.enabled=true',
+        'logs.general.level=DEBUG'
     ]
 )
 
@@ -402,3 +415,20 @@ k8s_resource(
 #         'postgres', 
 #         'strapi'
 #     ])
+
+# k8s_resource(
+#     workload='cert-manager',
+#     labels='cert-manager'
+# )
+# k8s_resource(
+#     workload='cert-manager-webhook',
+#     labels='cert-manager'
+# )
+# k8s_resource(
+#     workload='cert-manager-cainjector',
+#     labels='cert-manager'
+# )
+# k8s_resource(
+#     workload='cert-manager-startupapicheck',
+#     labels='cert-manager'
+# )