add letsencrypt ClusterIssuers + Hetzner webhook + reflector + auto wildcard cert generation
1 parent
5583100
commit 4058a6d
Showing
7 changed files
with
198 additions
and
5 deletions.
@@ -12,6 +12,11 @@ module "kube-hetzner" { | |
hcloud = hcloud | ||
} | ||
hcloud_token = var.hcloud_token != "" ? var.hcloud_token : local.hcloud_token | ||
# This is only for Hetzner delegated DNS Zones and it is a requirement for those who want to obtain a LetsEncrypt TLS wildcard certificate | ||
# using the Hetzner webhook to solve a DNS Challenge. See through https://docs.hetzner.com/dns-console/dns for more info on how to delegate | ||
# your DNS Zone and check templates/cluster_issuers.yaml.tpl for webhook installation. Once you've delegated your DNS Zone, go to your Hetzner | ||
# Control Panel, select DNS, go to API Tokens on the User Menu and create a token to use here. | ||
# hetzner_dns_api_key = var.hetzner_dns_api_key != "" ? var.hetzner_dns_api_key : local.hetzner_dns_api_key | ||
|
||
# Then fill or edit the below values. Only the first values starting with a * are obligatory; the rest can remain with their default values, or you | ||
# could adapt them to your needs. | ||
|
@@ -714,6 +719,14 @@ module "kube-hetzner" { | |
# You can enable cert-manager (installed by Helm behind the scenes) with the following flag, the default is "true". | ||
# enable_cert_manager = false | ||
|
||
# You can enable LetsEncrypt ClusterIssuers (installed by Helm behind the scenes) to obtain FQDN domains or wildcard domains (requires Hetzner DNS API Token for wildcards read carefully above) with the following flag, the default is "false". | ||
# enable_cluster_issuers = true | ||
# LetsEncrypt email for cert-manager certs renewal updates | ||
# cert_manager_email = "[email protected]" | ||
# Reflector copies Secrets or ConfigMaps so they are available for all Namespaces. Default is "false". | ||
# enable_reflector = true | ||
# reflector_values = "" | ||
|
||
# IP Addresses to use for the DNS Servers, the defaults are the ones provided by Hetzner https://docs.hetzner.com/dns-console/dns/general/recursive-name-servers/. | ||
# The number of different DNS servers is limited to 3 by Kubernetes itself. | ||
# It's always a good idea to have at least 1 IPv4 and 1 IPv6 DNS server for robustness. | ||
|
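Review bot: The comment on the new `enable_cluster_issuers` line is the only place a user of this example learns what the Hetzner token enables, and it omits a consequence visible elsewhere in this commit: with `enable_reflector = true` the wildcard certificate's TLS Secret, private key included, is reflected into every namespace of the cluster. Suggest adding after `# enable_reflector = true` the line `# Note: the generated wildcard TLS Secret (private key included) is copied by Reflector into all namespaces; only enable this on clusters where every namespace is trusted.` The long sentence on the `enable_cluster_issuers` comment also reads better split: `# You can enable LetsEncrypt ClusterIssuers (installed by Helm behind the scenes) with the following flag, the default is "false".` followed by `# Wildcard domains require a Hetzner DNS API Token, see hetzner_dns_api_key above.` The enclosing `module "kube-hetzner"` block starts and ends outside both hunks.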
@@ -0,0 +1,73 @@ | ||
|
||
%{if hetzner_dns_api_key != ""~} | ||
apiVersion: v1 | ||
kind: Secret | ||
metadata: | ||
name: hetzner-dns-secret | ||
namespace: cert-manager | ||
type: Opaque | ||
data: | ||
api-key: ${hetzner_dns_api_key} | ||
--- | ||
%{endif~} | ||
apiVersion: helm.cattle.io/v1 | ||
kind: HelmChart | ||
metadata: | ||
name: cert-manager-webhook-hetzner | ||
namespace: cert-manager | ||
spec: | ||
chart: cert-manager-webhook-hetzner | ||
version: 1.3.1 | ||
repo: https://vadimkim.github.io/cert-manager-webhook-hetzner | ||
valuesContent: |- | ||
groupName: ${base_domain} | ||
secretName: | ||
- hetzner-dns-secret | ||
--- | ||
apiVersion: cert-manager.io/v1 | ||
kind: ClusterIssuer | ||
metadata: | ||
name: letsencrypt-staging | ||
namespace: cert-manager | ||
spec: | ||
acme: | ||
email: ${cert_manager_email} | ||
server: https://acme-staging-v02.api.letsencrypt.org/directory | ||
privateKeySecretRef: | ||
name: letsencrypt-staging | ||
solvers: | ||
- http01: | ||
ingress: | ||
ingressClassName: ${ingress_controller} | ||
- dns01: | ||
webhook: | ||
groupName: ${base_domain} | ||
solverName: hetzner | ||
config: | ||
secretName: hetzner-dns-secret | ||
zoneName: ${common_name} | ||
apiUrl: https://dns.hetzner.com/api/v1 | ||
--- | ||
apiVersion: cert-manager.io/v1 | ||
kind: ClusterIssuer | ||
metadata: | ||
name: letsencrypt-prod | ||
namespace: cert-manager | ||
spec: | ||
acme: | ||
email: ${cert_manager_email} | ||
server: https://acme-v02.api.letsencrypt.org/directory | ||
privateKeySecretRef: | ||
name: letsencrypt-prod | ||
solvers: | ||
- http01: | ||
ingress: | ||
ingressClassName: ${ingress_controller} | ||
- dns01: | ||
webhook: | ||
groupName: ${base_domain} | ||
solverName: hetzner | ||
config: | ||
secretName: hetzner-dns-secret | ||
zoneName: ${common_name} | ||
apiUrl: https://dns.hetzner.com/api/v1 |
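Review bot: The Secret at the top of the template places `${hetzner_dns_api_key}` under `data:`, which the Kubernetes API requires to be base64-encoded; unless the caller already passes a `base64encode()`d value (not visible here), the manifest is rejected or stores a mangled key. Using `stringData:` with the raw value, i.e. `stringData:` and `  api-key: ${hetzner_dns_api_key}`, lets the API server do the encoding and makes the template self-contained. Separately, `namespace: cert-manager` on both ClusterIssuer objects is ignored because ClusterIssuer is cluster-scoped; dropping those two lines avoids suggesting the issuers are namespace-bound.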
@@ -0,0 +1,10 @@ | ||
apiVersion: helm.cattle.io/v1 | ||
kind: HelmChart | ||
metadata: | ||
name: emberstack | ||
namespace: kube-system | ||
spec: | ||
chart: reflector | ||
repo: https://emberstack.github.io/helm-charts | ||
valuesContent: |- | ||
${values} |
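Review bot: The reflector HelmChart carries no `version:` field, so every reconcile resolves whatever the emberstack repo currently publishes as latest, unlike the webhook chart in this commit which is pinned to `version: 1.3.1`. Reflector is the component that copies Secrets between namespaces, so an unpinned upgrade can change security-relevant behaviour with no Terraform change to review. Pin it, e.g. `version: <chart version>` (placeholder), and expose the pin through a variable if operators need to override it.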
@@ -0,0 +1,23 @@ | ||
%{if hetzner_dns_api_key != ""~} | ||
apiVersion: cert-manager.io/v1 | ||
kind: Certificate | ||
metadata: | ||
name: wildcard-domain | ||
namespace: cert-manager | ||
spec: | ||
commonName: "*.${common_name}" | ||
dnsNames: | ||
- "*.${common_name}" | ||
issuerRef: | ||
name: letsencrypt-prod | ||
kind: ClusterIssuer | ||
secretName: wildcard-domain-secret | ||
%{if reflector_enabled} | ||
secretTemplate: | ||
annotations: | ||
reflector.v1.k8s.emberstack.com/reflection-allowed: "true" | ||
reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "" | ||
reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true" | ||
reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "" | ||
%{endif} | ||
%{endif~} |
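Review bot: The reflection annotations set both `reflection-allowed-namespaces` and `reflection-auto-namespaces` to `""`, which Reflector treats as "all namespaces" as far as its documentation goes (worth confirming), so `wildcard-domain-secret`, wildcard private key included, is auto-created in every namespace. Anything able to read Secrets in any single namespace can then serve a valid certificate for every host under `*.${common_name}`. Consider making the list a template input rather than a literal, e.g. `reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "${reflector_namespaces}"` and the matching `reflection-auto-namespaces` line, and document that an empty value means cluster-wide. The inner `%{if reflector_enabled}` / `%{endif}` also lack the `~` trim marker the outer directives use, which leaves stray blank lines in the rendered YAML.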
@@ -3,6 +3,12 @@ variable "hcloud_token" { | |
type = string | ||
sensitive = true | ||
} | ||
variable "hetzner_dns_api_key" { | ||
description = "Hetzner DNS Zone API Key." | ||
type = string | ||
sensitive = true | ||
default = "" | ||
} | ||
|
||
variable "k3s_token" { | ||
description = "k3s master token (must match when restoring a cluster)." | ||
|
@@ -718,12 +724,36 @@ variable "enable_cert_manager" { | |
description = "Enable cert manager." | ||
} | ||
|
||
variable "cert_manager_email" { | ||
type = string | ||
default = "[email protected]" | ||
description = "Cert Manager Letsencrypt email" | ||
} | ||
|
||
variable "cert_manager_values" { | ||
type = string | ||
default = "" | ||
description = "Additional helm values file to pass to Cert-Manager as 'valuesContent' at the HelmChart." | ||
} | ||
|
||
variable "enable_cluster_issuers" { | ||
type = bool | ||
default = false | ||
description = "Enable LetsEncrypt ClusterIssuers." | ||
} | ||
|
||
variable "enable_reflector" { | ||
type = bool | ||
default = false | ||
description = "Enable Reflector." | ||
} | ||
|
||
variable "reflector_values" { | ||
type = string | ||
default = "" | ||
description = "Additional helm values file to pass to Reflector as 'valuesContent' at the HelmChart." | ||
} | ||
|
||
variable "enable_rancher" { | ||
type = bool | ||
default = false | ||
|
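Review bot: `cert_manager_email` ships with a non-empty placeholder default, so a user who sets `enable_cluster_issuers = true` without overriding it registers the ACME account under that address and never receives Let's Encrypt expiry or revocation notices; the placeholder may also be rejected by the ACME server at registration. Prefer `default = ""` and state in the description that the value is required when `enable_cluster_issuers` is true, or add a `validation` block that checks the value looks like an address. In the first hunk, the `hetzner_dns_api_key` description could also say what an empty value does, since the templates gate the DNS01 solver and wildcard certificate on it: `description = "Hetzner DNS Zone API Key. Leave empty to skip the DNS01 solver and wildcard certificate."` The `enable_cert_manager` variable is cut at the top of the second hunk and `enable_rancher` continues past its end.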