feat(cert-manager): migrate

ref: #14 clusters/.profile#11
2025-08-02 04:22:42 +00:00 · 2025-07-07 01:54:31 +09:30
parent e83286ae70
commit 0e963810df
14 changed files with 1703 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,6 @@
+# Build Directories
+manifests/*/base/charts/
+manifests/*/overlays/*/charts/
+
 # Temp Files
 *.tmp.*
--- a/manifests/cert-manager/base/kustomization.yaml
+++ b/manifests/cert-manager/base/kustomization.yaml
@ -0,0 +1,17 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+
+namespace: certs
+
+
+helmCharts:
+  - name: cert-manager
+    repo: https://charts.jetstack.io
+    releaseName: cert-manager
+    namespace: certs
+    version: 'v1.16.2'
+    additionalValuesFiles:
+      - values-custom.yaml
+    valuesFile: values-default.yaml
--- a/manifests/cert-manager/base/values-custom.yaml
+++ b/manifests/cert-manager/base/values-custom.yaml
@ -0,0 +1,15 @@
+---
+
+crds:
+  enabled: true
+affinity:
+  nodeAffinity: {}
+  podAntiAffinity:
+    preferredDuringSchedulingIgnoredDuringExecution:
+      - weight: 100
+        podAffinityTerm:
+          labelSelector:
+            matchExpressions:
+              - key: kubernetes.io/hostname
+                operator: Exists
+          topologyKey: kubernetes.io/hostname
--- a/manifests/cert-manager/base/values-default.yaml
+++ b/manifests/cert-manager/base/values-default.yaml
--- a/manifests/cert-manager/components/clusterissuer-cluster/Certificate-cluster-ca.yaml
+++ b/manifests/cert-manager/components/clusterissuer-cluster/Certificate-cluster-ca.yaml
@ -0,0 +1,16 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: cluster-ca
+spec:
+  isCA: true
+  commonName: cluster.local
+  secretName: cluster-ca-cert
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  issuerRef:
+    name: selfsigned
+    kind: Issuer
+    group: cert-manager.io
--- a/manifests/cert-manager/components/clusterissuer-cluster/ClusterIssuer-cluster.yaml
+++ b/manifests/cert-manager/components/clusterissuer-cluster/ClusterIssuer-cluster.yaml
@ -0,0 +1,8 @@
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: cluster
+spec:
+  ca:
+    secretName: cluster-ca-cert
--- a/manifests/cert-manager/components/clusterissuer-cluster/ClusterIssuer-selfsigned.yaml
+++ b/manifests/cert-manager/components/clusterissuer-cluster/ClusterIssuer-selfsigned.yaml
@ -0,0 +1,7 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: selfsigned
+spec:
+  selfSigned: {}
--- a/manifests/cert-manager/components/clusterissuer-cluster/kustomization.yaml
+++ b/manifests/cert-manager/components/clusterissuer-cluster/kustomization.yaml
@ -0,0 +1,25 @@
+---
+
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+
+resources:
+  - Certificate-cluster-ca.yaml
+  - ClusterIssuer-cluster.yaml
+  - ClusterIssuer-selfsigned.yaml
+
+
+# patches:
+#   #
+#   # Set in Overlay kustomization.yaml
+#   #
+#   - target:
+#       kind: ClusterIssuer
+#       name: letsencrypt-prod
+#     # yamllint disable rule:indentation
+#     patch: |-
+#       - op: replace
+#         path: /spec/commonName
+#         value: -kubernetes domain name-
+#     # yamllint enable rule:indentation
--- a/manifests/cert-manager/components/clusterissuer-letsencrypt-prod/ClusterIssuer-letsencrypt.yaml
+++ b/manifests/cert-manager/components/clusterissuer-letsencrypt-prod/ClusterIssuer-letsencrypt.yaml
@ -0,0 +1,15 @@
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-prod
+spec:
+  acme:
+    server: https://acme-v02.api.letsencrypt.org/directory
+    email: -set within kustomize using patch.replace-
+    privateKeySecretRef:
+      name: letsencrypt-prod
+    solvers:
+      - http01:
+          ingress:
+            ingressClassName: nginx
--- a/manifests/cert-manager/components/clusterissuer-letsencrypt-prod/kustomization.yaml
+++ b/manifests/cert-manager/components/clusterissuer-letsencrypt-prod/kustomization.yaml
@ -0,0 +1,22 @@
+---
+
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+resources:
+  - ClusterIssuer-letsencrypt.yaml
+
+
+# patches:
+#   #
+#   # Set in Overlay kustomization.yaml
+#   #
+#   - target:
+#       kind: ClusterIssuer
+#       name: letsencrypt-prod
+#     # yamllint disable rule:indentation
+#     patch: |-
+#       - op: replace
+#         path: /spec/acme/email
+#         value: -My email-
+#     # yamllint enable rule:indentation
--- a/manifests/cert-manager/components/clusterissuer-letsencrypt-staging/ClusterIssuer-letsencrypt.yaml
+++ b/manifests/cert-manager/components/clusterissuer-letsencrypt-staging/ClusterIssuer-letsencrypt.yaml
@ -0,0 +1,15 @@
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-staging
+spec:
+  acme:
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    email: -set within kustomize using patch.replace-
+    privateKeySecretRef:
+      name: letsencrypt-staging
+    solvers:
+      - http01:
+          ingress:
+            ingressClassName: nginx
--- a/manifests/cert-manager/components/clusterissuer-letsencrypt-staging/kustomization.yaml
+++ b/manifests/cert-manager/components/clusterissuer-letsencrypt-staging/kustomization.yaml
@ -0,0 +1,22 @@
+---
+
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+resources:
+  - ClusterIssuer-letsencrypt.yaml
+
+
+# patches:
+#   #
+#   # Set in Overlay kustomization.yaml
+#   #
+#   - target:
+#       kind: ClusterIssuer
+#       name: letsencrypt-prod
+#     # yamllint disable rule:indentation
+#     patch: |-
+#       - op: replace
+#         path: /spec/acme/email
+#         value: -My email-
+#     # yamllint enable rule:indentation
--- a/manifests/cert-manager/overlays/production/kustomization.yaml
+++ b/manifests/cert-manager/overlays/production/kustomization.yaml
@ -0,0 +1,66 @@
+---
+
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+
+namespace: certs
+
+
+patches:
+  - target:
+      kind: ClusterIssuer
+      name: letsencrypt-prod
+    # yamllint disable rule:indentation
+    patch: |-
+      - op: replace
+        path: /spec/commonName
+        value: -kubernetes domain name-
+    # yamllint enable rule:indentation
+
+  - target:
+      kind: ClusterIssuer
+      name: letsencrypt-prod
+    # yamllint disable rule:indentation
+    patch: |-
+      - op: replace
+        path: /spec/acme/email
+        value: -My email-
+    # yamllint enable rule:indentation
+
+  - target:
+      kind: ClusterIssuer
+      name: letsencrypt-prod
+    # yamllint disable rule:indentation
+    patch: |-
+      - op: replace
+        path: /spec/acme/email
+        value: -My email-
+    # yamllint enable rule:indentation
+ 
+  - target:
+      kind: CustomResourceDefinition
+    # yamllint disable rule:indentation
+    patch: |-
+      - op: replace
+        path: /metadata/annotations/argocd.argoproj.io~1sync-options
+        value: ServerSideApply=true
+    # yamllint enable rule:indentation
+
+
+helmCharts:
+  - name: cert-manager
+    repo: https://charts.jetstack.io
+    releaseName: cert-manager
+    namespace: certs
+    version: 'v1.16.2'
+    additionalValuesFiles:
+      - ../../base/values-custom.yaml
+      - values-production.yaml
+    valuesFile: ../../base/values-default.yaml
+
+
+components:
+  - ../../components/clusterissuer-cluster
+  - ../../components/clusterissuer-letsencrypt-prod
+  - ../../components/clusterissuer-letsencrypt-staging
--- a/manifests/cert-manager/overlays/production/values-production.yaml
+++ b/manifests/cert-manager/overlays/production/values-production.yaml
@ -0,0 +1,11 @@
+---
+
+global:
+  leaderElection:
+    namespace: certs
+prometheus:
+  enabled: true
+  servicemonitor:
+    enabled: true
+webhook:
+  replicaCount: 1