diff --git a/cert-manager/argocd.yaml b/cert-manager/argocd.yaml
new file mode 100644
index 0000000..497a12e
--- /dev/null
+++ b/cert-manager/argocd.yaml
@@ -0,0 +1,44 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: cert-manager
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default
+ sources:
+ - repoURL: https://charts.jetstack.io
+ chart: cert-manager
+ targetRevision: v1.16.2
+ helm:
+ valueFiles:
+ - $values/cert-manager/helm-values.yaml
+ - repoURL: https://github.com/K3S-HOME/security.git
+ targetRevision: main
+ ref: values
+ - repoURL: https://github.com/K3S-HOME/security.git
+ targetRevision: main
+ path: cert-manager
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: cert-manager
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ allowEmpty: false
+ syncOptions:
+ - CreateNamespace=true
+ - PrunePropagationPolicy=foreground
+ - PruneLast=true
+ retry:
+ limit: 5
+ backoff:
+ duration: 5s
+ factor: 2
+ maxDuration: 3m
+ managedNamespaceMetadata:
+ labels:
+ goldilocks.fairwinds.com/enabled: 'true'
+revisionHistoryLimit: 10
diff --git a/cert-manager/helm-values.yaml b/cert-manager/helm-values.yaml
new file mode 100644
index 0000000..cf98a70
--- /dev/null
+++ b/cert-manager/helm-values.yaml
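Review bot: `project: default` leaves this Application in Argo CD's built-in project, which unless restricted elsewhere permits any source repository and any destination cluster and namespace, so anything pushed to the `main` branch of the values repo (both Git sources track `main`, not a tag or commit) is applied with prune and selfHeal enabled. A dedicated AppProject with `sourceRepos` limited to `https://charts.jetstack.io` and `https://github.com/K3S-HOME/security.git`, `destinations` limited to the `cert-manager` namespace on the in-cluster server, and an explicit `clusterResourceWhitelist` covering only the CRD and ClusterIssuer kinds bounds what a compromised branch can deploy; whether the default project was already tightened is not visible in this diff. Separately, `revisionHistoryLimit: 10` appears at column 0 in the hunk while every other spec field is indented; if that is not an artefact of this diff's flattening, the key is a sibling of `spec` rather than `spec.revisionHistoryLimit` and is silently ignored.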
@@ -0,0 +1,70 @@
+# Cert-Manager Helm Values
+# Chart: https://github.com/cert-manager/cert-manager/tree/master/deploy/charts/cert-manager
+
+# Install CRDs with Helm
+installCRDs: true
+
+replicaCount: 1
+
+resources:
+ requests:
+ cpu: 23m
+ memory: 115Mi
+ limits:
+ memory: 115Mi
+
+webhook:
+ replicaCount: 1
+ resources:
+ requests:
+ cpu: 23m
+ memory: 115Mi
+ limits:
+ memory: 115Mi
+ # Affinity - Soft Anti-Affinity to spread pods across nodes
+ affinity:
+ podAntiAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 100
+ podAffinityTerm:
+ labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: cert-manager-webhook
+ topologyKey: kubernetes.io/hostname
+
+cainjector:
+ replicaCount: 1
+ resources:
+ requests:
+ cpu: 23m
+ memory: 230Mi
+ limits:
+ memory: 230Mi
+ # Affinity - Soft Anti-Affinity to spread pods across nodes
+ affinity:
+ podAntiAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 100
+ podAffinityTerm:
+ labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: cert-manager-cainjector
+ topologyKey: kubernetes.io/hostname
+
+# Affinity - Soft Anti-Affinity to spread pods across nodes
+affinity:
+ podAntiAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 100
+ podAffinityTerm:
+ labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: cert-manager
+ topologyKey: kubernetes.io/hostname
+
+# Prometheus metrics
+prometheus:
+ enabled: true
+ servicemonitor:
+ enabled: false
+
diff --git a/cert-manager/kustomization.yaml b/cert-manager/kustomization.yaml
new file mode 100644
index 0000000..f9347af
--- /dev/null
+++ b/cert-manager/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- manifests/cluster-issuer.yaml
diff --git a/cert-manager/manifests/cluster-issuer.yaml b/cert-manager/manifests/cluster-issuer.yaml
new file mode 100644
index 0000000..c2ab14c
--- /dev/null
+++ b/cert-manager/manifests/cluster-issuer.yaml
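Review bot: `installCRDs: true` together with the Application's `prune: true` and cascading `resources-finalizer` makes the cert-manager CRDs ordinary pruned resources: deleting the Application or dropping the chart source removes them, and the API server then garbage-collects every Certificate, Issuer and ClusterIssuer object in the cluster, including the two ClusterIssuers added in this commit. The chart version pinned in argocd.yaml (v1.16.2) deprecates `installCRDs` in favour of `crds.enabled` and `crds.keep`; replacing the line with `crds:` / `  enabled: true` / `  keep: true` installs the CRDs with a keep resource policy. How Argo CD treats the Helm `resource-policy` annotation differs across versions, so an `argocd.argoproj.io/sync-options: Prune=false` annotation on the CRDs, or a separate CRD-only Application, is the more reliable guard. The three anti-affinity rules are no-ops while every `replicaCount` is 1, which is harmless but worth noting in the existing `# Affinity` comments.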
@@ -0,0 +1,41 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-prod
+spec:
+ acme:
+ # Let's Encrypt Production 서버
+ # 실제 운영 환경에서 사용
+ # Rate limit: 50 certificates per registered domain per week
+ server: https://acme-v02.api.letsencrypt.org/directory
+
+ # 인증서 만료 알림을 받을 이메일 주소
+ email: bluemayne0213@icloud.com
+
+ # ACME 계정의 private key를 저장할 Secret 이름
+ privateKeySecretRef:
+ name: letsencrypt-prod
+
+ # HTTP-01 challenge를 사용하여 도메인 소유권 검증
+ # Traefik Ingress를 통해 /.well-known/acme-challenge/ 경로로 검증
+ solvers:
+ - http01:
+ ingress:
+ class: traefik
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-staging
+spec:
+ acme:
+ # Let's Encrypt Staging 서버
+ # 테스트용 - 브라우저에서 신뢰하지 않지만 rate limit 없음
+ server: https://acme-staging-v02.api.letsencrypt.org/directory
+ email: bluemayne0213@icloud.com
+ privateKeySecretRef:
+ name: letsencrypt-staging
+ solvers:
+ - http01:
+ ingress:
+ class: traefik
diff --git a/kustomization.yaml b/kustomization.yaml
index d6148dd..f195596 100644
--- a/kustomization.yaml
+++ b/kustomization.yaml
@@ -5,6 +5,7 @@ resources: # Self-reference for App of Apps pattern - application.yaml + - cert-manager/argocd.yaml - authelia/argocd.yaml - vault/argocd.yaml - external-secrets/argocd.yaml
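Review bot: Both solvers select the ingress controller with `class: traefik`, which cert-manager implements by setting the deprecated `kubernetes.io/ingress.class` annotation on the challenge Ingress; `ingressClassName: traefik` is the form cert-manager recommends since v1.12 and sets `spec.ingressClassName` instead, so it keeps working once the annotation is dropped by Traefik (which still honours it today, so this is a deprecation point rather than a breakage). The staging issuer's comment claims there is no rate limit (`rate limit 없음`); Let's Encrypt staging limits are much higher than production but not absent, so a comment along the lines of `# 테스트용 - 브라우저에서 신뢰하지 않지만 rate limit이 훨씬 높음` (or its English equivalent) would be accurate and stop someone from looping certificate requests against it. The comments here are in Korean while the sibling helm-values.yaml uses English; one language per repository makes the ClusterIssuer's HTTP-01 exposure (port 80 reachable from the internet for every challenge) easier for every maintainer to read.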