From 8c43c992f0c7d1a33fd49e8654e9b1c43516d206 Mon Sep 17 00:00:00 2001
From: Mayne0213
Date: Wed, 17 Dec 2025 15:04:56 +0900
Subject: [PATCH] INIT(repo): cluster infrastructure setup
---
 cert-manager/argocd/cert-manager-issuers.yaml | 38 +++++++++++++++
 cert-manager/argocd/cert-manager.yaml | 48 +++++++++++++++++++
 cert-manager/cluster-issuer-prod.yaml | 24 ++++++++++
 cert-manager/cluster-issuer-staging.yaml | 22 +++++++++
 cert-manager/helm-values/cert-manager.yaml | 33 +++++++++++++
 cert-manager/kustomization.yaml | 9 ++++
 6 files changed, 174 insertions(+)
 create mode 100644 cert-manager/argocd/cert-manager-issuers.yaml
 create mode 100644 cert-manager/argocd/cert-manager.yaml
 create mode 100644 cert-manager/cluster-issuer-prod.yaml
 create mode 100644 cert-manager/cluster-issuer-staging.yaml
 create mode 100644 cert-manager/helm-values/cert-manager.yaml
 create mode 100644 cert-manager/kustomization.yaml
diff --git a/cert-manager/argocd/cert-manager-issuers.yaml b/cert-manager/argocd/cert-manager-issuers.yaml
new file mode 100644
index 0000000..cfbe1ba
--- /dev/null
+++ b/cert-manager/argocd/cert-manager-issuers.yaml
@@ -0,0 +1,38 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: cert-manager-issuers
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default
+
+ source:
+ repoURL: https://gitea0213.kro.kr/bluemayne/infrastructure.git
+ targetRevision: main
+ path: cert-manager
+
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: cert-manager
+
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ allowEmpty: false
+
+ syncOptions:
+ - CreateNamespace=false
+ - PrunePropagationPolicy=foreground
+
+ retry:
+ limit: 5
+ backoff:
+ duration: 5s
+ factor: 2
+ maxDuration: 3m
+
+ revisionHistoryLimit: 10
+
diff --git a/cert-manager/argocd/cert-manager.yaml b/cert-manager/argocd/cert-manager.yaml
new file mode 100644
index 0000000..d6780d4
--- /dev/null
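Review bot: `project: default` is the unrestricted Argo CD project (any source repo, any destination, any cluster-scoped kind), yet this Application only needs to create cluster-scoped ClusterIssuers from one repository into one namespace; a dedicated AppProject that pins `sourceRepos` to the infrastructure repo, `destinations` to the in-cluster `cert-manager` namespace and `clusterResourceWhitelist` to `cert-manager.io/ClusterIssuer` would be the least-privilege form. The same `project: default` appears in the cert-manager Application in the next hunk. The ClusterIssuers also depend on the CRDs that the cert-manager Application installs, and nothing orders the two; the `retry` block (`limit: 5`, `maxDuration: 3m`) only absorbs the gap if the chart finishes inside that window. If both Applications are reconciled by an app-of-apps, as the kustomization comment in the last hunk suggests, an `argocd.argoproj.io/sync-wave` annotation on each Application would make the ordering explicit — worth confirming how they are actually applied.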
+++ b/cert-manager/argocd/cert-manager.yaml
@@ -0,0 +1,48 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: cert-manager
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default
+
+ sources:
+ # Helm chart from Jetstack repository
+ - repoURL: https://charts.jetstack.io
+ chart: cert-manager
+ targetRevision: v1.16.2
+ helm:
+ valueFiles:
+ - $values/cert-manager/helm-values/cert-manager.yaml
+ # Values file from Git repository
+ - repoURL: https://gitea0213.kro.kr/bluemayne/infrastructure.git
+ targetRevision: main
+ ref: values
+
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: cert-manager
+
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ allowEmpty: false
+
+ syncOptions:
+ - CreateNamespace=true
+ - PrunePropagationPolicy=foreground
+ - PruneLast=true
+ - ServerSideApply=true
+
+ retry:
+ limit: 5
+ backoff:
+ duration: 5s
+ factor: 2
+ maxDuration: 3m
+
+ revisionHistoryLimit: 10
+
diff --git a/cert-manager/cluster-issuer-prod.yaml b/cert-manager/cluster-issuer-prod.yaml
new file mode 100644
index 0000000..e6c4886
--- /dev/null
+++ b/cert-manager/cluster-issuer-prod.yaml
@@ -0,0 +1,24 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-prod
+spec:
+ acme:
+ # Let's Encrypt Production 서버
+ # 실제 운영 환경에서 사용
+ # Rate limit: 50 certificates per registered domain per week
+ server: https://acme-v02.api.letsencrypt.org/directory
+
+ # 인증서 만료 알림을 받을 이메일 주소
+ email: bluemayne0213@icloud.com
+
+ # ACME 계정의 private key를 저장할 Secret 이름
+ privateKeySecretRef:
+ name: letsencrypt-prod
+
+ # HTTP-01 challenge를 사용하여 도메인 소유권 검증
+ # Nginx Ingress를 통해 /.well-known/acme-challenge/ 경로로 검증
+ solvers:
+ - http01:
+ ingress:
+ class: nginx
diff --git a/cert-manager/cluster-issuer-staging.yaml b/cert-manager/cluster-issuer-staging.yaml
new file mode 100644
index 0000000..f49a0a3
--- /dev/null
+++ b/cert-manager/cluster-issuer-staging.yaml
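Review bot: `automated.prune: true` on the Application that also owns the cert-manager CRDs (the referenced values file sets `installCRDs: true`) means that any revision which drops the CRDs from the rendered chart — or deletion of this Application, which the `resources-finalizer.argocd.argoproj.io` finalizer makes cascading — removes every Certificate, Issuer and ClusterIssuer object in the cluster; `PruneLast=true` only changes the order in which that happens, not the outcome. The chart's `crds.keep` option, which annotates the CRDs with `helm.sh/resource-policy: keep`, is the usual guard; recent Argo CD releases treat that annotation like `Prune=false`, which should be confirmed against the Argo CD version actually deployed. As a fallback, `ignoreDifferences` does not help here, so the protection has to come from the chart values or a `Prune=false` sync-option annotation on the CRDs.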
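Review bot: `ingress.class: nginx` in the HTTP-01 solver makes cert-manager set the legacy `kubernetes.io/ingress.class` annotation on the challenge Ingress; the cert-manager API documents `ingressClassName` as the recommended field, and it maps to the first-class `spec.ingressClassName`, so `ingressClassName: nginx` is the forward-compatible form. The staging issuer in the next hunk uses the same solver block. Because a ClusterIssuer is cluster-scoped, any namespace may request a certificate through it for any hostname that routes to the ingress controller; if the cluster only serves known zones, a solver selector such as `selector: {dnsZones: ["<your-zone>"]}` (placeholder) bounds what this issuer will attempt to validate and keeps unrelated names from consuming the 50-per-week production quota the comment mentions.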
@@ -0,0 +1,22 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-staging
+spec:
+ acme:
+ # Let's Encrypt Staging 서버 (테스트용)
+ # Rate limit이 없어서 테스트할 때 사용
+ server: https://acme-staging-v02.api.letsencrypt.org/directory
+
+ # 인증서 만료 알림을 받을 이메일 주소
+ email: bluemayne0213@icloud.com
+
+ # ACME 계정의 private key를 저장할 Secret 이름
+ privateKeySecretRef:
+ name: letsencrypt-staging
+
+ # HTTP-01 challenge를 사용하여 도메인 소유권 검증
+ solvers:
+ - http01:
+ ingress:
+ class: nginx
diff --git a/cert-manager/helm-values/cert-manager.yaml b/cert-manager/helm-values/cert-manager.yaml
new file mode 100644
index 0000000..25642da
--- /dev/null
+++ b/cert-manager/helm-values/cert-manager.yaml
@@ -0,0 +1,33 @@
+# Cert-Manager Helm Values
+# Chart: https://github.com/cert-manager/cert-manager/tree/master/deploy/charts/cert-manager
+
+# Install CRDs with Helm
+installCRDs: true
+
+replicaCount: 1
+
+resources:
+ requests:
+ cpu: 3m # Reduced to 30% of original (10m -> 3m)
+ memory: 32Mi
+
+webhook:
+ replicaCount: 1
+ resources:
+ requests:
+ cpu: 3m # Reduced to 30% of original (10m -> 3m)
+ memory: 32Mi
+
+cainjector:
+ replicaCount: 1
+ resources:
+ requests:
+ cpu: 3m # Reduced to 30% of original (10m -> 3m)
+ memory: 32Mi
+
+# Prometheus metrics
+prometheus:
+ enabled: true
+ servicemonitor:
+ enabled: false
+
diff --git a/cert-manager/kustomization.yaml b/cert-manager/kustomization.yaml
new file mode 100644
index 0000000..c492df9
--- /dev/null
+++ b/cert-manager/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ # ArgoCD Application 리소스는 infrastructure/kustomization.yaml에서 관리
+ # - argocd/cert-manager.yaml
+ # - argocd/cert-manager-issuers.yaml
+ - cluster-issuer-prod.yaml
+ - cluster-issuer-staging.yaml
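Review bot: The comment `# Rate limit이 없어서 테스트할 때 사용` says the staging endpoint has no rate limit; it has rate limits that are much higher than production's, not none, so a tight test loop can still be throttled and the comment will mislead whoever debugs that. Suggested wording: `# Staging has much higher rate limits than production, so use it for testing`. The `ingress.class` versus `ingressClassName` remark on the production issuer applies to this solver block as well.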
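Review bot: `installCRDs: true` is the chart's legacy switch; the chart tag the Application pins (v1.16.2) accepts `crds.enabled` together with `crds.keep`, and `keep` additionally annotates the CRDs with `helm.sh/resource-policy: keep` so that an uninstall or prune of the chart does not take every Certificate and Issuer in the cluster with it — confirm both keys against that tag's values.yaml before switching. The replacement would be the three lines `crds:` / `  enabled: true` / `  keep: true` in place of `installCRDs: true`. Separately, every component sets only `requests` (`cpu: 3m`, `memory: 32Mi`) and no `limits`, so a misbehaving controller or webhook can grow without bound on its node; if limits are meant to come from elsewhere (a namespace LimitRange, for instance), a comment saying so next to `resources:` would spare the next reader the question.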