Port rest of manifests to DigitalOcean

2023-04-22 12:44:44 -07:00 · 2023-04-22 12:44:44 -07:00 · 2d95bb12c3
parent aad6e34df9
commit 2d95bb12c3
35 changed files with 5343 additions and 259 deletions
--- a/env.yaml.bash
+++ b/env.yaml.bash
@ -10,30 +10,20 @@ proxy_password="$(pwgen -s 20 1)"
 cat <<EOF
 networking:
  domain: riju.example.com  # FIXME
-  ip: x.y.z.w  # FIXME

-s3:
-  accessKeyId: fixme
-  accessKeySecret: fixme
-  bucket: fixme
-  region: fixme
-  endpoint: fixme.digitaloceanspaces.com
-
-contact:
-  letsEncryptEmail: ops@example.com  # FIXME
-  letsEncryptProductionEnabled: false
-
-metallb:
-  secretkey: "$(pwgen -s 256 1)"
+letsEncrypt:
+  contactEmail: ops@example.com  # FIXME

 registry:
  password: "${registry_password}"
  htpasswd: "$(htpasswd -nbB admin "${registry_password}")"
  httpSecret: "$(pwgen -s 16 1)"
-
-minio:
-  accessKey: "$(head -c16 /dev/urandom | xxd -p)"
-  secretKey: "$(head -c16 /dev/urandom | xxd -p)"
+  s3:
+    accessKeyId: fixme
+    accessKeySecret: fixme
+    bucket: fixme
+    region: fixme
+    endpoint: fixme.digitaloceanspaces.com

 proxy:
  password: "${proxy_password}"
--- a/k8s/00-namespaces/00-namespaces.yaml
+++ b/k8s/00-namespaces/00-namespaces.yaml
@ -2,22 +2,34 @@
 kind: Namespace
 apiVersion: v1
 metadata:
-  name: traefik
+  name: ingress-nginx

 ---
 kind: Namespace
 apiVersion: v1
 metadata:
-  name: metallb
+  name: cert-manager

 ---
 kind: Namespace
 apiVersion: v1
 metadata:
-  name: riju
+  name: docker-registry

 ---
 kind: Namespace
 apiVersion: v1
 metadata:
-  name: riju-user
+  name: riju-proxy
+
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+  name: riju-server
+
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+  name: user
--- a/k8s/01-secrets/00-s3.in.yaml
+++ b/k8s/01-secrets/00-s3.in.yaml
@ -1,20 +0,0 @@
---
-kind: Secret
-apiVersion: v1
-metadata:
-  namespace: riju
-  name: s3-auth
-stringData:
-  access-key: "{{ .s3.accessKey }}"
-  secret-key: "{{ .s3.secretKey }}"
-
---
-kind: ConfigMap
-apiVersion: v1
-metadata:
-  namespace: riju
-  name: s3-config
-data:
-  bucket: "{{ .s3.bucket }}"
-  region: "{{ .s3.region }}"
-  endpoint: "{{ .s3.endpoint }}"
--- a/k8s/01-secrets/01-docker-registry.in.yaml
+++ b/k8s/01-secrets/01-docker-registry.in.yaml
@ -2,8 +2,29 @@
 kind: Secret
 apiVersion: v1
 metadata:
-  namespace: riju
-  name: registry-http-secret
+  namespace: docker-registry
+  name: docker-registry-s3-auth
+stringData:
+  access-key: "{{ .registry.s3.accessKey }}"
+  secret-key: "{{ .registry.s3.secretKey }}"
+
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  namespace: docker-registry
+  name: docker-registry-s3-config
+data:
+  bucket: "{{ .registry.s3.bucket }}"
+  region: "{{ .registry.s3.region }}"
+  endpoint: "{{ .registry.s3.endpoint }}"
+
+---
+kind: Secret
+apiVersion: v1
+metadata:
+  namespace: docker-registry
+  name: docker-registry-http-secret
 stringData:
  http-secret: "{{ .registry.httpSecret }}"

@ -11,8 +32,8 @@ stringData:
 kind: Secret
 apiVersion: v1
 metadata:
-  namespace: riju
-  name: registry-auth
+  namespace: docker-registry
+  name: docker-registry-htpasswd
 data:
  htpasswd: "{{ .registry.htpasswd | println | b64enc }}"

@ -20,8 +41,8 @@ data:
 kind: Secret
 apiVersion: v1
 metadata:
-  namespace: riju
-  name: registry-login
+  namespace: riju-server
+  name: docker-registry-auth
 type: kubernetes.io/dockerconfigjson
 stringData:
  .dockerconfigjson: |
@ -39,8 +60,8 @@ stringData:
 kind: Secret
 apiVersion: v1
 metadata:
-  namespace: riju-user
-  name: registry-user-login
+  namespace: user
+  name: docker-registry-auth
 type: kubernetes.io/dockerconfigjson
 stringData:
  .dockerconfigjson: |
--- a/k8s/01-secrets/02-riju-proxy.in.yaml
+++ b/k8s/01-secrets/02-riju-proxy.in.yaml
@ -2,7 +2,7 @@
 kind: Secret
 apiVersion: v1
 metadata:
-  namespace: riju
+  namespace: riju-proxy
  name: riju-proxy-auth
 data:
  htpasswd: "{{ .proxy.htpasswd | println | b64enc }}"
--- a/k8s/02-ingress/00-serviceaccount.yaml
+++ b/k8s/02-ingress/00-serviceaccount.yaml
@ -0,0 +1,7 @@
+---
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  namespace: ingress-nginx
+  name: ingress-nginx
+automountServiceAccountToken: true
--- a/k8s/02-ingress/01-role-cluster.yaml
+++ b/k8s/02-ingress/01-role-cluster.yaml
@ -0,0 +1,90 @@
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: ingress-nginx
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+      - endpoints
+      - nodes
+      - pods
+      - secrets
+      - namespaces
+    verbs:
+      - list
+      - watch
+  - apiGroups:
+      - coordination.k8s.io
+    resources:
+      - leases
+    verbs:
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - nodes
+    verbs:
+      - get
+  - apiGroups:
+      - ""
+    resources:
+      - services
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - networking.k8s.io
+    resources:
+      - ingresses
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - events
+    verbs:
+      - create
+      - patch
+  - apiGroups:
+      - networking.k8s.io
+    resources:
+      - ingresses/status
+    verbs:
+      - update
+  - apiGroups:
+      - networking.k8s.io
+    resources:
+      - ingressclasses
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - discovery.k8s.io
+    resources:
+      - endpointslices
+    verbs:
+      - list
+      - watch
+      - get
+
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: ingress-nginx
+roleRef:
+  kind: ClusterRole
+  apiGroup: rbac.authorization.k8s.io
+  name: ingress-nginx
+subjects:
+  - kind: ServiceAccount
+    namespace: ingress-nginx
+    name: ingress-nginx
--- a/k8s/02-ingress/01-role-namespace.yaml
+++ b/k8s/02-ingress/01-role-namespace.yaml
@ -0,0 +1,99 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  namespace: ingress-nginx
+  name: ingress-nginx
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - namespaces
+    verbs:
+      - get
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+      - pods
+      - secrets
+      - endpoints
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - services
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - networking.k8s.io
+    resources:
+      - ingresses
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - networking.k8s.io
+    resources:
+      - ingresses/status
+    verbs:
+      - update
+  - apiGroups:
+      - networking.k8s.io
+    resources:
+      - ingressclasses
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - coordination.k8s.io
+    resources:
+      - leases
+    resourceNames:
+      - ingress-leader
+    verbs:
+      - get
+      - update
+  - apiGroups:
+      - coordination.k8s.io
+    resources:
+      - leases
+    verbs:
+      - create
+  - apiGroups:
+      - ""
+    resources:
+      - events
+    verbs:
+      - create
+      - patch
+  - apiGroups:
+      - discovery.k8s.io
+    resources:
+      - endpointslices
+    verbs:
+      - list
+      - watch
+      - get
+
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  namespace: ingress-nginx
+  name: ingress-nginx
+roleRef:
+  kind: Role
+  apiGroup: rbac.authorization.k8s.io
+  name: ingress-nginx
+subjects:
+  - kind: ServiceAccount
+    namespace: ingress-nginx
+    name: ingress-nginx
--- a/k8s/02-ingress/02-deployment.yaml
+++ b/k8s/02-ingress/02-deployment.yaml
@ -0,0 +1,80 @@
+---
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+  namespace: ingress-nginx
+  name: ingress-nginx
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: ingress-nginx
+  template:
+    metadata:
+      labels:
+        app: ingress-nginx
+    spec:
+      dnsPolicy: ClusterFirst
+      containers:
+        - name: controller
+          image: "registry.k8s.io/ingress-nginx/controller:v1.7.0"
+          lifecycle:
+            preStop:
+              exec:
+                command:
+                - /wait-shutdown
+          args:
+            - /nginx-ingress-controller
+            - --controller-class=k8s.io/ingress-nginx
+            - --election-id=ingress-leader
+            - --publish-service=ingress-nginx/ingress-nginx
+          securityContext:
+            capabilities:
+              drop:
+              - ALL
+              add:
+              - NET_BIND_SERVICE
+            runAsUser: 101
+            allowPrivilegeEscalation: true
+          env:
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+          livenessProbe:
+            failureThreshold: 5
+            httpGet:
+              path: /healthz
+              port: 10254
+              scheme: HTTP
+            initialDelaySeconds: 10
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 1
+          readinessProbe:
+            failureThreshold: 3
+            httpGet:
+              path: /healthz
+              port: 10254
+              scheme: HTTP
+            initialDelaySeconds: 10
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 1
+          ports:
+            - name: http
+              containerPort: 80
+              protocol: TCP
+            - name: https
+              containerPort: 443
+              protocol: TCP
+          resources:
+            requests:
+              cpu: 100m
+              memory: 90Mi
+      serviceAccountName: ingress-nginx
+      terminationGracePeriodSeconds: 300
--- a/k8s/02-ingress/03-service.yaml
+++ b/k8s/02-ingress/03-service.yaml
@ -0,0 +1,21 @@
+---
+kind: Service
+apiVersion: v1
+metadata:
+  namespace: ingress-nginx
+  name: ingress-nginx
+spec:
+  type: LoadBalancer
+  ports:
+    - name: http
+      port: 80
+      protocol: TCP
+      targetPort: http
+      appProtocol: http
+    - name: https
+      port: 443
+      protocol: TCP
+      targetPort: https
+      appProtocol: https
+  selector:
+    app: ingress-nginx
--- a/k8s/02-ingress/04-ingressclass.yaml
+++ b/k8s/02-ingress/04-ingressclass.yaml
@ -0,0 +1,7 @@
+---
+kind: IngressClass
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: nginx
+spec:
+  controller: k8s.io/ingress-nginx
--- a/k8s/03-certs/00-crds.yaml
+++ b/k8s/03-certs/00-crds.yaml
--- a/k8s/03-certs/01-serviceaccount.yaml
+++ b/k8s/03-certs/01-serviceaccount.yaml
@ -0,0 +1,7 @@
+---
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  namespace: cert-manager
+  name: cert-manager
+automountServiceAccountToken: true
--- a/k8s/03-certs/02-role-approve.yaml
+++ b/k8s/03-certs/02-role-approve.yaml
@ -0,0 +1,25 @@
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: cert-manager-approve
+rules:
+  - apiGroups: ["cert-manager.io"]
+    resources: ["signers"]
+    verbs: ["approve"]
+    resourceNames:
+      ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"]
+
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: cert-manager-approve
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cert-manager-approve
+subjects:
+  - kind: ServiceAccount
+    namespace: cert-manager
+    name: cert-manager
--- a/k8s/03-certs/02-role-certificates.yaml
+++ b/k8s/03-certs/02-role-certificates.yaml
@ -0,0 +1,45 @@
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: cert-manager-certificates
+rules:
+  - apiGroups: ["cert-manager.io"]
+    resources:
+      [
+        "certificates",
+        "certificates/status",
+        "certificaterequests",
+        "certificaterequests/status",
+      ]
+    verbs: ["update", "patch"]
+  - apiGroups: ["cert-manager.io"]
+    resources:
+      ["certificates", "certificaterequests", "clusterissuers", "issuers"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["cert-manager.io"]
+    resources: ["certificates/finalizers", "certificaterequests/finalizers"]
+    verbs: ["update"]
+  - apiGroups: ["acme.cert-manager.io"]
+    resources: ["orders"]
+    verbs: ["create", "delete", "get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "list", "watch", "create", "update", "delete", "patch"]
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["create", "patch"]
+
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: cert-manager-certificates
+roleRef:
+  kind: ClusterRole
+  apiGroup: rbac.authorization.k8s.io
+  name: cert-manager-certificates
+subjects:
+  - kind: ServiceAccount
+    namespace: cert-manager
+    name: cert-manager
--- a/k8s/03-certs/02-role-certificatesigningrequests.yaml
+++ b/k8s/03-certs/02-role-certificatesigningrequests.yaml
@ -0,0 +1,34 @@
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: cert-manager-certificatesigningrequests
+rules:
+  - apiGroups: ["certificates.k8s.io"]
+    resources: ["certificatesigningrequests"]
+    verbs: ["get", "list", "watch", "update"]
+  - apiGroups: ["certificates.k8s.io"]
+    resources: ["certificatesigningrequests/status"]
+    verbs: ["update", "patch"]
+  - apiGroups: ["certificates.k8s.io"]
+    resources: ["signers"]
+    resourceNames:
+      ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"]
+    verbs: ["sign"]
+  - apiGroups: ["authorization.k8s.io"]
+    resources: ["subjectaccessreviews"]
+    verbs: ["create"]
+
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: cert-manager-certificatesigningrequests
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cert-manager-controller-certificatesigningrequests
+subjects:
+  - kind: ServiceAccount
+    namespace: cert-manager
+    name: cert-manager
--- a/k8s/03-certs/02-role-challenges.yaml
+++ b/k8s/03-certs/02-role-challenges.yaml
@ -0,0 +1,50 @@
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: cert-manager-challenges
+rules:
+  - apiGroups: ["acme.cert-manager.io"]
+    resources: ["challenges", "challenges/status"]
+    verbs: ["update", "patch"]
+  - apiGroups: ["acme.cert-manager.io"]
+    resources: ["challenges"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["cert-manager.io"]
+    resources: ["issuers", "clusterissuers"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["create", "patch"]
+  - apiGroups: [""]
+    resources: ["pods", "services"]
+    verbs: ["get", "list", "watch", "create", "delete"]
+  - apiGroups: ["networking.k8s.io"]
+    resources: ["ingresses"]
+    verbs: ["get", "list", "watch", "create", "delete", "update"]
+  - apiGroups: ["gateway.networking.k8s.io"]
+    resources: ["httproutes"]
+    verbs: ["get", "list", "watch", "create", "delete", "update"]
+  - apiGroups: ["route.openshift.io"]
+    resources: ["routes/custom-host"]
+    verbs: ["create"]
+  - apiGroups: ["acme.cert-manager.io"]
+    resources: ["challenges/finalizers"]
+    verbs: ["update"]
+
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: cert-manager-challenges
+roleRef:
+  kind: ClusterRole
+  apiGroup: rbac.authorization.k8s.io
+  name: cert-manager-challenges
+subjects:
+  - kind: ServiceAccount
+    namespace: cert-manager
+    name: cert-manager
--- a/k8s/03-certs/02-role-clusterissuers.yaml
+++ b/k8s/03-certs/02-role-clusterissuers.yaml
@ -0,0 +1,32 @@
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: cert-manager-clusterissuers
+rules:
+  - apiGroups: ["cert-manager.io"]
+    resources: ["clusterissuers", "clusterissuers/status"]
+    verbs: ["update", "patch"]
+  - apiGroups: ["cert-manager.io"]
+    resources: ["clusterissuers"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "list", "watch", "create", "update", "delete"]
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["create", "patch"]
+
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: cert-manager-clusterissuers
+roleRef:
+  kind: ClusterRole
+  apiGroup: rbac.authorization.k8s.io
+  name: cert-manager-clusterissuers
+subjects:
+  - kind: ServiceAccount
+    namespace: cert-manager
+    name: cert-manager
--- a/k8s/03-certs/02-role-ingress-shim.yaml
+++ b/k8s/03-certs/02-role-ingress-shim.yaml
@ -0,0 +1,42 @@
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: cert-manager-ingress-shim
+rules:
+  - apiGroups: ["cert-manager.io"]
+    resources: ["certificates", "certificaterequests"]
+    verbs: ["create", "update", "delete"]
+  - apiGroups: ["cert-manager.io"]
+    resources:
+      ["certificates", "certificaterequests", "issuers", "clusterissuers"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["networking.k8s.io"]
+    resources: ["ingresses"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["networking.k8s.io"]
+    resources: ["ingresses/finalizers"]
+    verbs: ["update"]
+  - apiGroups: ["gateway.networking.k8s.io"]
+    resources: ["gateways", "httproutes"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["gateway.networking.k8s.io"]
+    resources: ["gateways/finalizers", "httproutes/finalizers"]
+    verbs: ["update"]
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["create", "patch"]
+
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: cert-manager-ingress-shim
+roleRef:
+  kind: ClusterRole
+  apiGroup: rbac.authorization.k8s.io
+  name: cert-manager-ingress-shim
+subjects:
+  - namespace: cert-manager
+    name: cert-manager
+    kind: ServiceAccount
--- a/k8s/03-certs/02-role-issuers.yaml
+++ b/k8s/03-certs/02-role-issuers.yaml
@ -0,0 +1,34 @@
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: cert-manager-issuers
+  labels:
+    app: cert-manager
+rules:
+  - apiGroups: ["cert-manager.io"]
+    resources: ["issuers", "issuers/status"]
+    verbs: ["update", "patch"]
+  - apiGroups: ["cert-manager.io"]
+    resources: ["issuers"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "list", "watch", "create", "update", "delete"]
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["create", "patch"]
+
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: cert-manager-issuers
+roleRef:
+  kind: ClusterRole
+  apiGroup: rbac.authorization.k8s.io
+  name: cert-manager-issuers
+subjects:
+  - kind: ServiceAccount
+    namespace: cert-manager
+    name: cert-manager
--- a/k8s/03-certs/02-role-leaderelection.yaml
+++ b/k8s/03-certs/02-role-leaderelection.yaml
@ -0,0 +1,30 @@
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: cert-manager-leaderelection
+  namespace: cert-manager
+rules:
+  - apiGroups: ["coordination.k8s.io"]
+    resources: ["leases"]
+    resourceNames: ["cert-manager-controller"]
+    verbs: ["get", "update", "patch"]
+  - apiGroups: ["coordination.k8s.io"]
+    resources: ["leases"]
+    verbs: ["create"]
+
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  namespace: cert-manager
+  name: cert-manager-leaderelection
+roleRef:
+  kind: Role
+  apiGroup: rbac.authorization.k8s.io
+  name: cert-manager-leaderelection
+subjects:
+  - kind: ServiceAccount
+    namespace: cert-manager
+    name: cert-manager
+    apiGroup: ""
--- a/k8s/03-certs/02-role-orders.yaml
+++ b/k8s/03-certs/02-role-orders.yaml
@ -0,0 +1,41 @@
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: cert-manager-orders
+rules:
+  - apiGroups: ["acme.cert-manager.io"]
+    resources: ["orders", "orders/status"]
+    verbs: ["update", "patch"]
+  - apiGroups: ["acme.cert-manager.io"]
+    resources: ["orders", "challenges"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["cert-manager.io"]
+    resources: ["clusterissuers", "issuers"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["acme.cert-manager.io"]
+    resources: ["challenges"]
+    verbs: ["create", "delete"]
+  - apiGroups: ["acme.cert-manager.io"]
+    resources: ["orders/finalizers"]
+    verbs: ["update"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["create", "patch"]
+
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: cert-manager-orders
+roleRef:
+  kind: ClusterRole
+  apiGroup: rbac.authorization.k8s.io
+  name: cert-manager-orders
+subjects:
+  - kind: ServiceAccount
+    namespace: cert-manager
+    name: cert-manager
--- a/k8s/03-certs/03-clusterissuer.in.yaml
+++ b/k8s/03-certs/03-clusterissuer.in.yaml
@ -0,0 +1,31 @@
+---
+kind: ClusterIssuer
+apiVersion: cert-manager.io/v1
+metadata:
+  name: letsencrypt-staging
+spec:
+  acme:
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    email: "{{ .letsEncrypt.contactEmail }}"
+    privateKeySecretRef:
+      name: letsencrypt-staging-private-key
+    solvers:
+    - http01:
+        ingress:
+          class: nginx
+
+---
+kind: ClusterIssuer
+apiVersion: cert-manager.io/v1
+metadata:
+  name: letsencrypt-prod
+spec:
+  acme:
+    server: https://acme-v02.api.letsencrypt.org/directory
+    email: "{{ .letsEncrypt.contactEmail }}"
+    privateKeySecretRef:
+      name: letsencrypt-prod-private-key
+    solvers:
+    - http01:
+        ingress:
+          class: nginx
--- a/k8s/03-certs/04-deployment.yaml
+++ b/k8s/03-certs/04-deployment.yaml
@ -0,0 +1,33 @@
+---
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+  namespace: cert-manager
+  name: cert-manager
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: cert-manager
+  template:
+    metadata:
+      labels:
+        app: cert-manager
+    spec:
+      serviceAccountName: cert-manager
+      securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
+      containers:
+        - name: cert-manager-controller
+          image: "quay.io/jetstack/cert-manager-controller:v1.10.1"
+          args:
+            - --v=2
+            - --cluster-resource-namespace=cert-manager
+            - --leader-election-namespace=cert-manager
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
--- a/k8s/04-docker-registry/00-docker-registry.yaml
+++ b/k8s/04-docker-registry/00-docker-registry.yaml
@ -2,7 +2,7 @@
 kind: Deployment
 apiVersion: apps/v1
 metadata:
-  namespace: riju
+  namespace: docker-registry
  name: docker-registry
 spec:
  replicas: 1
@ -15,9 +15,9 @@ spec:
        app: docker-registry
    spec:
      volumes:
-        - name: auth
+        - name: htpasswd
          secret:
-            secretName: registry-auth
+            secretName: docker-registry-htpasswd
      containers:
        - name: registry
          image: "registry:2"
@ -48,38 +48,38 @@ spec:
            - name: REGISTRY_AUTH_HTPASSWD_REALM
              value: "Registry Realm"
            - name: REGISTRY_AUTH_HTPASSWD_PATH
-              value: /var/run/registry/auth/htpasswd
+              value: /var/run/registry/htpasswd/htpasswd
            - name: REGISTRY_HTTP_SECRET
              valueFrom:
                secretKeyRef:
-                  name: registry-http-secret
+                  name: docker-registry-http-secret
                  key: http-secret
            - name: REGISTRY_STORAGE
              value: s3
            - name: REGISTRY_STORAGE_S3_REGIONENDPOINT
              valueFrom:
                configMapKeyRef:
-                  name: s3-config
+                  name: docker-registry-s3-config
                  key: endpoint
            - name: REGISTRY_STORAGE_S3_REGION
              valueFrom:
                configMapKeyRef:
-                  name: s3-config
+                  name: docker-registry-s3-config
                  key: region
            - name: REGISTRY_STORAGE_S3_BUCKET
              valueFrom:
                configMapKeyRef:
-                  name: s3-config
+                  name: docker-registry-s3-config
                  key: bucket
            - name: REGISTRY_STORAGE_S3_ACCESSKEY
              valueFrom:
                secretKeyRef:
-                  name: s3-auth
+                  name: docker-registry-s3-auth
                  key: access-key
            - name: REGISTRY_STORAGE_S3_SECRETKEY
              valueFrom:
                secretKeyRef:
-                  name: s3-auth
+                  name: docker-registry-s3-auth
                  key: secret-key
            - name: REGISTRY_STORAGE_S3_SECURE
              value: "true"
@ -87,38 +87,5 @@ spec:
            - name: api
              containerPort: 5000
          volumeMounts:
-            - name: auth
-              mountPath: /var/run/registry/auth
-
---
-kind: Service
-apiVersion: v1
-metadata:
-  namespace: riju
-  name: docker-registry
-spec:
-  selector:
-    app: docker-registry
-  type: NodePort
-  ports:
-    - name: api
-      port: 80
-      nodePort: 30999
-      targetPort: 5000
-
---
-kind: IngressRoute
-apiVersion: traefik.containo.us/v1alpha1
-metadata:
-  namespace: riju
-  name: docker-registry
-spec:
-  entryPoints:
-    - docker
-  routes:
-    - kind: Rule
-      match: "PathPrefix(`/`)"
-      services:
-        - namespace: riju
-          name: docker-registry
-          port: 80
+            - name: htpasswd
+              mountPath: /var/run/registry/htpasswd
--- a/k8s/04-registry/01-service.yaml
+++ b/k8s/04-registry/01-service.yaml
@ -0,0 +1,15 @@
+---
+kind: Service
+apiVersion: v1
+metadata:
+  namespace: docker-registry
+  name: docker-registry
+spec:
+  selector:
+    app: docker-registry
+  type: NodePort
+  ports:
+    - name: api
+      port: 80
+      nodePort: 30999
+      targetPort: 5000
--- a/k8s/04-registry/02-ingress.in.yaml
+++ b/k8s/04-registry/02-ingress.in.yaml
@ -0,0 +1,26 @@
+---
+kind: Ingress
+apiVersion: networking.k8s.io/v1
+metadata:
+  namespace: docker-registry
+  name: docker-registry
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+    nginx.ingress.kubernetes.io/proxy-body-size: "30720m"
+spec:
+  ingressClassName: nginx
+  rules:
+    - host: "docker.{{ .networking.domain }}"
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: docker-registry
+                port:
+                  number: 5000
+  tls:
+    - hosts:
+      - "docker.{{ .networking.domain }}"
+      secretName: docker-registry-tls
--- a/k8s/05-riju-proxy/00-configmap.yaml
+++ b/k8s/05-riju-proxy/00-configmap.yaml
@ -0,0 +1,33 @@
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  namespace: riju-proxy
+  name: riju-proxy-config
+data:
+  default.conf: |
+    underscores_in_headers on;
+
+    server {
+      resolver kube-dns.kube-system.svc.cluster.local;
+      listen 1869 default_server;
+
+      auth_basic "Riju administrative proxy";
+      auth_basic_user_file /etc/nginx/passwd;
+
+      location ~ /(10\.[0-9]+\.[0-9]+\.[0-9]+)/health {
+        proxy_pass http://$1:869/health;
+      }
+
+      location ~ /(10\.[0-9]+\.[0-9]+\.[0-9]+)/exec {
+        proxy_pass http://$1:869/exec$is_args$args;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "Upgrade";
+        proxy_set_header Host $host;
+      }
+
+      location / {
+        return 404;
+      }
+    }
--- a/k8s/05-riju-proxy/00-riju-proxy.yaml
+++ b/k8s/05-riju-proxy/00-riju-proxy.yaml
@ -1,117 +0,0 @@
---
-kind: ConfigMap
-apiVersion: v1
-metadata:
-  namespace: riju
-  name: riju-proxy-config
-data:
-  default.conf: |
-    underscores_in_headers on;
-
-    server {
-      resolver kube-dns.kube-system.svc.cluster.local;
-      listen 1869 default_server;
-
-      auth_basic "Riju administrative proxy";
-      auth_basic_user_file /etc/nginx/passwd;
-
-      location ~ /(10\.[0-9]+\.[0-9]+\.[0-9]+)/health {
-        proxy_pass http://$1:869/health;
-      }
-
-      location ~ /(10\.[0-9]+\.[0-9]+\.[0-9]+)/exec {
-        proxy_pass http://$1:869/exec$is_args$args;
-        proxy_http_version 1.1;
-        proxy_set_header Upgrade $http_upgrade;
-        proxy_set_header Connection "Upgrade";
-        proxy_set_header Host $host;
-      }
-
-      location / {
-        return 404;
-      }
-    }
-
---
-kind: Deployment
-apiVersion: apps/v1
-metadata:
-  namespace: riju
-  name: riju-proxy
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: riju-proxy
-  template:
-    metadata:
-      labels:
-        app: riju-proxy
-    spec:
-      volumes:
-        - name: config
-          configMap:
-            name: riju-proxy-config
-        - name: auth
-          secret:
-            secretName: riju-proxy-auth
-      containers:
-        - name: nginx
-          image: "nginx:1.23"
-          resources: {}
-          readinessProbe:
-            tcpSocket:
-              port: 1869
-            failureThreshold: 1
-            initialDelaySeconds: 2
-            periodSeconds: 10
-            successThreshold: 1
-            timeoutSeconds: 2
-          livenessProbe:
-            tcpSocket:
-              port: 1869
-            failureThreshold: 3
-            initialDelaySeconds: 2
-            periodSeconds: 10
-            successThreshold: 1
-            timeoutSeconds: 2
-          ports:
-            - name: http
-              containerPort: 1869
-          volumeMounts:
-            - name: config
-              mountPath: /etc/nginx/conf.d
-            - name: auth
-              mountPath: /etc/nginx/passwd
-              subPath: htpasswd
-
---
-kind: Service
-apiVersion: v1
-metadata:
-  namespace: riju
-  name: riju-proxy
-spec:
-  selector:
-    app: riju-proxy
-  ports:
-    - name: http
-      port: 1869
-      targetPort: 1869
-
---
-kind: IngressRoute
-apiVersion: traefik.containo.us/v1alpha1
-metadata:
-  namespace: riju
-  name: riju-proxy
-spec:
-  entryPoints:
-    - proxy
-  routes:
-    - kind: Rule
-      match: "PathPrefix(`/`)"
-      services:
-        - namespace: riju
-          name: riju-proxy
-          port: 1869
--- a/k8s/05-riju-proxy/01-deployment.yaml
+++ b/k8s/05-riju-proxy/01-deployment.yaml
@ -0,0 +1,52 @@
+---
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+  namespace: riju-proxy
+  name: riju-proxy
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: riju-proxy
+  template:
+    metadata:
+      labels:
+        app: riju-proxy
+    spec:
+      volumes:
+        - name: config
+          configMap:
+            name: riju-proxy-config
+        - name: auth
+          secret:
+            secretName: riju-proxy-auth
+      containers:
+        - name: nginx
+          image: "nginx:1.23"
+          resources: {}
+          readinessProbe:
+            tcpSocket:
+              port: 1869
+            failureThreshold: 1
+            initialDelaySeconds: 2
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 2
+          livenessProbe:
+            tcpSocket:
+              port: 1869
+            failureThreshold: 3
+            initialDelaySeconds: 2
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 2
+          ports:
+            - name: http
+              containerPort: 1869
+          volumeMounts:
+            - name: config
+              mountPath: /etc/nginx/conf.d
+            - name: auth
+              mountPath: /etc/nginx/passwd
+              subPath: htpasswd
--- a/k8s/05-riju-proxy/02-service.yaml
+++ b/k8s/05-riju-proxy/02-service.yaml
@ -0,0 +1,14 @@
+
+---
+kind: Service
+apiVersion: v1
+metadata:
+  namespace: riju-proxy
+  name: riju-proxy
+spec:
+  selector:
+    app: riju-proxy
+  ports:
+    - name: http
+      port: 1869
+      targetPort: 1869
--- a/k8s/05-riju-proxy/03-ingress.in.yaml
+++ b/k8s/05-riju-proxy/03-ingress.in.yaml
@ -0,0 +1,25 @@
+---
+kind: Ingress
+apiVersion: networking.k8s.io/v1
+metadata:
+  namespace: riju-proxy
+  name: riju-proxy
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+spec:
+  ingressClassName: nginx
+  rules:
+    - host: "proxy.{{ .networking.domain }}"
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: riju-proxy
+                port:
+                  number: 1869
+  tls:
+    - hosts:
+      - "proxy.{{ .networking.domain }}"
+      secretName: riju-proxy-tls
--- a/k8s/06-riju-server/00-riju-server.yaml
+++ b/k8s/06-riju-server/00-riju-server.yaml
@ -2,7 +2,7 @@
 kind: Deployment
 apiVersion: apps/v1
 metadata:
-  namespace: riju
+  namespace: riju-server
  name: riju-server
 spec:
  replicas: 1
@ -14,15 +14,8 @@ spec:
      labels:
        app: riju-server
    spec:
-      volumes:
-        - name: cache
-          hostPath:
-            path: /var/cache/riju
-        - name: docker
-          hostPath:
-            path: /var/run/docker.sock
      imagePullSecrets:
-        - name: registry-login
+        - name: docker-registry-login
      containers:
        - name: server
          image: "localhost:30999/riju:app"
@ -50,40 +43,3 @@ spec:
          ports:
            - name: http
              containerPort: 6119
-          volumeMounts:
-            - name: cache
-              mountPath: /var/cache/riju
-            - name: docker
-              mountPath: /var/run/docker.sock
-              readOnly: true
-
---
-kind: Service
-apiVersion: v1
-metadata:
-  namespace: riju
-  name: riju-server
-spec:
-  selector:
-    app: riju-server
-  ports:
-    - name: http
-      port: 80
-      targetPort: 6119
-
---
-kind: IngressRoute
-apiVersion: traefik.containo.us/v1alpha1
-metadata:
-  namespace: riju
-  name: riju-server
-spec:
-  entryPoints:
-    - https
-  routes:
-    - kind: Rule
-      match: "PathPrefix(`/`)"
-      services:
-        - namespace: riju
-          name: riju-server
-          port: 80
--- a/k8s/06-riju-server/01-service.yaml
+++ b/k8s/06-riju-server/01-service.yaml
@ -0,0 +1,13 @@
+---
+kind: Service
+apiVersion: v1
+metadata:
+  namespace: riju-server
+  name: riju-server
+spec:
+  selector:
+    app: riju-server
+  ports:
+    - name: http
+      port: 80
+      targetPort: 6119
--- a/k8s/06-riju-server/02-ingress.yaml
+++ b/k8s/06-riju-server/02-ingress.yaml
@ -0,0 +1,25 @@
+---
+kind: Ingress
+apiVersion: networking.k8s.io/v1
+metadata:
+  namespace: riju-proxy
+  name: riju-proxy
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+spec:
+  ingressClassName: nginx
+  rules:
+    - host: "{{ .networking.domain }}"
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: riju-server
+                port:
+                  number: 80
+  tls:
+    - hosts:
+      - "{{ .networking.domain }}"
+      secretName: riju-proxy-tls