diff --git a/clusters/pink/kubeconfig b/clusters/pink/kubeconfig
index c7d6cca..3871014 100755
--- a/clusters/pink/kubeconfig
+++ b/clusters/pink/kubeconfig
@@ -4,7 +4,7 @@ clusters:
 - name: pink
 cluster:
 server: https://api.pink.k8s.tjo.cloud:6443
- certificate-authority-data: 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
+ certificate-authority-data: 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
 contexts:
 - name: oidc@pink
 context:
diff --git a/clusters/pink/kubernetes.tf b/clusters/pink/kubernetes.tf
index cfe9df3..0205132 100644
--- a/clusters/pink/kubernetes.tf
+++ b/clusters/pink/kubernetes.tf
@@ -78,18 +78,107 @@ resource "kubernetes_manifest" "hetzner-nodes-as-loadbalancers" {
 }
 }
-# TODO: Certmanager, externaldns...
+resource "kubernetes_namespace" "tjo-cloud" {
+ metadata {
+ name = "tjo-cloud"
+ }
+}
+
+resource "kubernetes_secret" "digitalocean-token" {
+ metadata {
+ name = "digitalocean-token"
+ namespace = kubernetes_namespace.tjo-cloud.metadata[0].name
+ }
+ data = {
+ token = var.digitalocean_token
+ }
+}
+
+resource "helm_release" "external-dns" {
+ name = "external-dns"
+ chart = "external-dns"
+ repository = "https://kubernetes-sigs.github.io/external-dns/"
+ version = "v1.14.5"
+ namespace = kubernetes_namespace.tjo-cloud.metadata[0].name
+
+ set {
+ name = "namespaced"
+ value = "true"
+ }
+
+ set {
+ name = "provider"
+ value = "digitalocean"
+ }
+
+ set {
+ name = "env[0].name"
+ value = "DO_TOKEN"
+ }
+ set {
+ name = "env[0].valueFrom.secretKeyRef.name"
+ value = kubernetes_secret.digitalocean-token.metadata[0].name
+ }
+ set {
+ name = "env[0].valueFrom.secretKeyRef.key"
+ value = "token"
+ }
+
+ set_list {
+ name = "sources"
+ value = ["gateway-httproute", "gateway-tlsroute", "gateway-tcproute", "gateway-udproute", "ingress", "service"]
+ }
+}
+
 resource "helm_release" "cert-manager" {
 name = "cert-manager"
 chart = "cert-manager"
 repository = "https://charts.jetstack.io"
 version = "v1.15.1"
- namespace = "kube-system"
+ namespace = kubernetes_namespace.tjo-cloud.metadata[0].name
 set {
 name = "crds.enabled"
 value = true
 }
+
+ set_list {
+ name = "extraArgs"
+ value = ["--enable-gateway-api"]
+ }
+}
+
+
+resource "kubernetes_manifest" "tjo-cloud-issuer" {
+ manifest = {
+ apiVersion = "cert-manager.io/v1"
+ kind = "Issuer"
+ metadata = {
+ name = "tjo-cloud"
+ namespace = kubernetes_namespace.tjo-cloud.metadata[0].name
+ }
+ spec = {
+ acme = {
+ email = "tine@tjo.space"
+ server = "https://acme-staging-v02.api.letsencrypt.org/directory"
+ privateKeySecretRef = {
+ name = "tjo-cloud-acme-account"
+ }
+ solvers = [
+ {
+ dns01 = {
+ digitalocean = {
+ tokenSecretRef = {
+ name = kubernetes_secret.digitalocean-token.metadata[0].name
+ key = "token"
+ }
+ }
+ }
+ }
+ ]
+ }
+ }
+ }
 }
 resource "kubernetes_manifest" "gateway" {
@@ -98,13 +187,33 @@ resource "kubernetes_manifest" "gateway" {
 kind = "Gateway"
 metadata = {
 name = "gateway"
- namespace = "kube-system"
+ namespace = kubernetes_namespace.tjo-cloud.metadata[0].name
+ annotations = {
+ "cert-manager.io/issuer" : "tjo-cloud"
+ }
 }
 spec = {
 gatewayClassName = "cilium"
 listeners = [
- { name : "http", protocol : "HTTP", port : 80 },
- { name : "https", protocol : "HTTPS", port : 443 },
+ {
+ name : "http"
+ hostname : "*.${module.cluster.name}.${module.cluster.domain}"
+ protocol : "HTTPS"
+ port : 443
+ allowedRoutes : {
+ namespaces : {
+ from : "Same"
+ }
+ }
+ tls : {
+ mode : "Terminate"
+ certificateRefs : [
+ {
+ name : "tjo-cloud-tls"
+ }
+ ]
+ }
+ }
 ]
 }
 }
@@ -115,7 +224,7 @@ resource "helm_release" "dashboard" {
 repository = "https://kubernetes.github.io/dashboard"
 chart = "kubernetes-dashboard"
 version = "7.5.0"
- namespace = "kube-system"
+ namespace = kubernetes_namespace.tjo-cloud.metadata[0].name
 }
 resource "kubernetes_manifest" "dashoard-http-route" {
@@ -128,11 +237,13 @@ resource "kubernetes_manifest" "dashoard-http-route" {
 kind = "HTTPRoute"
 metadata = {
 name = "dashboard"
- namespace = "kube-system"
+ namespace = kubernetes_namespace.tjo-cloud.metadata[0].name
 }
 spec = {
 parentRefs = [
- { name : "gateway" }
+ {
+ name : "gateway"
+ }
 ]
 hostnames = [
 "dashboard.${module.cluster.name}.${module.cluster.domain}"
@@ -149,8 +260,8 @@ resource "kubernetes_manifest" "dashoard-http-route" {
 ]
 backendRefs = [
 {
- name : "kubernetes-dashboard-kong-proxy"
- port : 443
+ name : "kubernetes-dashboard-web"
+ port : 8000
 }
 ]
 }
diff --git a/clusters/pink/variables.tf b/clusters/pink/variables.tf
index 9f71d9e..65c8e3c 100644
--- a/clusters/pink/variables.tf
+++ b/clusters/pink/variables.tf
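Review bot: The `tjo-cloud` Issuer sets `server` to `https://acme-staging-v02.api.letsencrypt.org/directory`, so the `tjo-cloud-tls` certificate that the Gateway in the later hunk references will be signed by the Let's Encrypt staging CA and rejected by clients; if that is deliberate for bring-up, a comment such as `# staging ACME endpoint: issues untrusted certificates, switch to the production directory before exposing the Gateway` above the `server` line keeps it from shipping unnoticed. `kubernetes_manifest.tjo-cloud-issuer` also carries no `depends_on = [helm_release.cert-manager]`, so Terraform may attempt to create the Issuer before the cert-manager CRDs exist; since this provider needs the CRD present at plan time, an ordering hint alone may still not suffice on a first apply. `kubernetes_secret.digitalocean-token` writes `var.digitalocean_token` into Terraform state in plaintext regardless of the variable's `sensitive = true`, so the state backend needs the same protection as the token itself. The same token is handed to both external-dns and the Issuer's `dns01` solver; if the DigitalOcean account supports scoped tokens, a DNS-only token limits what either workload can do with it.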
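Review bot: The rewritten listener keeps `name : "http"` while its `protocol` is now `"HTTPS"` on port 443, which misleads anyone reading listener status or attaching routes by `sectionName`; `name : "https"` matches the listener naming the removed line used. Dropping the port-80 listener also removes any HTTP-to-HTTPS redirect path, so a client typing the bare hostname gets a connection failure rather than a redirect; if that is intended it is fine, otherwise a second listener with a redirect route is needed. `allowedRoutes.namespaces.from : "Same"` limits attachment to the `tjo-cloud` namespace, which is where the dashboard HTTPRoute in the later hunks now lives.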
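Review bot: The backend now skips `kubernetes-dashboard-kong-proxy` and targets `kubernetes-dashboard-web` on port 8000, which in the 7.x chart appears to serve only the static frontend while `/api` requests go to a separate api service that Kong used to route to; unless another HTTPRoute rule covers that path, the dashboard will load but its API calls will fail. The change also moves the Gateway-to-backend hop from Kong's TLS port to plain HTTP inside the cluster, which is acceptable only if that traffic is otherwise protected, for example by a mesh or network policy. The rules list and the rest of `dashoard-http-route` sit outside this hunk, so the matching path rules cannot be checked here.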
@@ -19,3 +19,8 @@ variable "oidc_client_id" {
 variable "oidc_issuer_url" {
 type = string
 }
+
+variable "digitalocean_token" {
+ type = string
+ sensitive = true
+}
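Review bot: The new `digitalocean_token` variable has no `description`, unlike a credential that is reused by two workloads should; `description = "DigitalOcean API token used by external-dns and the cert-manager DNS01 solver"` tells the operator what scope the token needs and where it ends up. `sensitive = true` hides the value from plan output but not from Terraform state, so the description is also a good place to say that the state backend must be protected accordingly.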