feat(cert-manager): migrate

ref: #14 clusters/.profile#11
2025-08-02 04:22:42 +00:00 · 2025-07-07 01:54:31 +09:30
parent e83286ae70
commit 0e963810df
14 changed files with 1703 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,6 @@
 # Build Directories
 manifests/*/base/charts/
 manifests/*/overlays/*/charts/
 # Temp Files
 *.tmp.*
--- a/manifests/cert-manager/base/kustomization.yaml
+++ b/manifests/cert-manager/base/kustomization.yaml
@ -0,0 +1,17 @@
 ---
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: certs
 helmCharts:
  - name: cert-manager
    repo: https://charts.jetstack.io
    releaseName: cert-manager
    namespace: certs
    version: 'v1.16.2'
    additionalValuesFiles:
      - values-custom.yaml
    valuesFile: values-default.yaml
--- a/manifests/cert-manager/base/values-custom.yaml
+++ b/manifests/cert-manager/base/values-custom.yaml
@ -0,0 +1,15 @@
 ---
 crds:
  enabled: true
 affinity:
  nodeAffinity: {}
  podAntiAffinity:
    preferredDuringSchedulingIgnoredDuringExecution:
      - weight: 100
        podAffinityTerm:
          labelSelector:
            matchExpressions:
              - key: kubernetes.io/hostname
                operator: Exists
          topologyKey: kubernetes.io/hostname
--- a/manifests/cert-manager/base/values-default.yaml
+++ b/manifests/cert-manager/base/values-default.yaml
--- a/manifests/cert-manager/components/clusterissuer-cluster/Certificate-cluster-ca.yaml
+++ b/manifests/cert-manager/components/clusterissuer-cluster/Certificate-cluster-ca.yaml
@ -0,0 +1,16 @@
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: cluster-ca
 spec:
  isCA: true
  commonName: cluster.local
  secretName: cluster-ca-cert
  privateKey:
    algorithm: ECDSA
    size: 256
  issuerRef:
    name: selfsigned
    kind: Issuer
    group: cert-manager.io
--- a/manifests/cert-manager/components/clusterissuer-cluster/ClusterIssuer-cluster.yaml
+++ b/manifests/cert-manager/components/clusterissuer-cluster/ClusterIssuer-cluster.yaml
@ -0,0 +1,8 @@
 ---
 apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
 metadata:
  name: cluster
 spec:
  ca:
    secretName: cluster-ca-cert
--- a/manifests/cert-manager/components/clusterissuer-cluster/ClusterIssuer-selfsigned.yaml
+++ b/manifests/cert-manager/components/clusterissuer-cluster/ClusterIssuer-selfsigned.yaml
@ -0,0 +1,7 @@
 ---
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
  name: selfsigned
 spec:
  selfSigned: {}
--- a/manifests/cert-manager/components/clusterissuer-cluster/kustomization.yaml
+++ b/manifests/cert-manager/components/clusterissuer-cluster/kustomization.yaml
@ -0,0 +1,25 @@
 ---
 apiVersion: kustomize.config.k8s.io/v1alpha1
 kind: Component
 resources:
  - Certificate-cluster-ca.yaml
  - ClusterIssuer-cluster.yaml
  - ClusterIssuer-selfsigned.yaml
 # patches:
 #   #
 #   # Set in Overlay kustomization.yaml
 #   #
 #   - target:
 #       kind: ClusterIssuer
 #       name: letsencrypt-prod
 #     # yamllint disable rule:indentation
 #     patch: |-
 #       - op: replace
 #         path: /spec/commonName
 #         value: -kubernetes domain name-
 #     # yamllint enable rule:indentation
--- a/manifests/cert-manager/components/clusterissuer-letsencrypt-prod/ClusterIssuer-letsencrypt.yaml
+++ b/manifests/cert-manager/components/clusterissuer-letsencrypt-prod/ClusterIssuer-letsencrypt.yaml
@ -0,0 +1,15 @@
 ---
 apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
 metadata:
  name: letsencrypt-prod
 spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: -set within kustomize using patch.replace-
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
      - http01:
          ingress:
            ingressClassName: nginx
--- a/manifests/cert-manager/components/clusterissuer-letsencrypt-prod/kustomization.yaml
+++ b/manifests/cert-manager/components/clusterissuer-letsencrypt-prod/kustomization.yaml
@ -0,0 +1,22 @@
 ---
 apiVersion: kustomize.config.k8s.io/v1alpha1
 kind: Component
 resources:
  - ClusterIssuer-letsencrypt.yaml
 # patches:
 #   #
 #   # Set in Overlay kustomization.yaml
 #   #
 #   - target:
 #       kind: ClusterIssuer
 #       name: letsencrypt-prod
 #     # yamllint disable rule:indentation
 #     patch: |-
 #       - op: replace
 #         path: /spec/acme/email
 #         value: -My email-
 #     # yamllint enable rule:indentation
--- a/manifests/cert-manager/components/clusterissuer-letsencrypt-staging/ClusterIssuer-letsencrypt.yaml
+++ b/manifests/cert-manager/components/clusterissuer-letsencrypt-staging/ClusterIssuer-letsencrypt.yaml
@ -0,0 +1,15 @@
 ---
 apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
 metadata:
  name: letsencrypt-staging
 spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: -set within kustomize using patch.replace-
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
      - http01:
          ingress:
            ingressClassName: nginx
--- a/manifests/cert-manager/components/clusterissuer-letsencrypt-staging/kustomization.yaml
+++ b/manifests/cert-manager/components/clusterissuer-letsencrypt-staging/kustomization.yaml
@ -0,0 +1,22 @@
 ---
 apiVersion: kustomize.config.k8s.io/v1alpha1
 kind: Component
 resources:
  - ClusterIssuer-letsencrypt.yaml
 # patches:
 #   #
 #   # Set in Overlay kustomization.yaml
 #   #
 #   - target:
 #       kind: ClusterIssuer
 #       name: letsencrypt-prod
 #     # yamllint disable rule:indentation
 #     patch: |-
 #       - op: replace
 #         path: /spec/acme/email
 #         value: -My email-
 #     # yamllint enable rule:indentation
--- a/manifests/cert-manager/overlays/production/kustomization.yaml
+++ b/manifests/cert-manager/overlays/production/kustomization.yaml
@ -0,0 +1,66 @@
 ---
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: certs
 patches:
  - target:
      kind: ClusterIssuer
      name: letsencrypt-prod
    # yamllint disable rule:indentation
    patch: |-
      - op: replace
        path: /spec/commonName
        value: -kubernetes domain name-
    # yamllint enable rule:indentation
  - target:
      kind: ClusterIssuer
      name: letsencrypt-prod
    # yamllint disable rule:indentation
    patch: |-
      - op: replace
        path: /spec/acme/email
        value: -My email-
    # yamllint enable rule:indentation
  - target:
      kind: ClusterIssuer
      name: letsencrypt-prod
    # yamllint disable rule:indentation
    patch: |-
      - op: replace
        path: /spec/acme/email
        value: -My email-
    # yamllint enable rule:indentation
  - target:
      kind: CustomResourceDefinition
    # yamllint disable rule:indentation
    patch: |-
      - op: replace
        path: /metadata/annotations/argocd.argoproj.io~1sync-options
        value: ServerSideApply=true
    # yamllint enable rule:indentation
 helmCharts:
  - name: cert-manager
    repo: https://charts.jetstack.io
    releaseName: cert-manager
    namespace: certs
    version: 'v1.16.2'
    additionalValuesFiles:
      - ../../base/values-custom.yaml
      - values-production.yaml
    valuesFile: ../../base/values-default.yaml
 components:
  - ../../components/clusterissuer-cluster
  - ../../components/clusterissuer-letsencrypt-prod
  - ../../components/clusterissuer-letsencrypt-staging
--- a/manifests/cert-manager/overlays/production/values-production.yaml
+++ b/manifests/cert-manager/overlays/production/values-production.yaml
@ -0,0 +1,11 @@
 ---
 global:
  leaderElection:
    namespace: certs
 prometheus:
  enabled: true
  servicemonitor:
    enabled: true
 webhook:
  replicaCount: 1