setting up tls
This commit is contained in:
parent
1f01ea0b7f
commit
66542d819d
78
helm/uptime-karma/templates/certificate.yaml
Normal file
78
helm/uptime-karma/templates/certificate.yaml
Normal file
@ -0,0 +1,78 @@
|
|||||||
|
{{- /* ================================================================== */ -}}
|
||||||
|
{{- /* Cert-Manager Certificate Configuration */ -}}
|
||||||
|
{{- /* ================================================================== */ -}}
|
||||||
|
{{- /*
|
||||||
|
Creates a Certificate resource for cert-manager.
|
||||||
|
Prerequisites:
|
||||||
|
- cert-manager must be installed in the cluster.
|
||||||
|
- An Issuer or ClusterIssuer (referenced in values.yaml) must exist.
|
||||||
|
- ingress.enabled must be true.
|
||||||
|
- certManager.enabled must be true.
|
||||||
|
- At least one entry must exist in ingress.tls.
|
||||||
|
*/}}
|
||||||
|
{{- if and .Values.ingress.enabled .Values.certManager.enabled .Values.ingress.tls }}
|
||||||
|
{{- $namespace := include "uptime-kuma.namespace" . -}}
|
||||||
|
{{- $issuerName := .Values.certManager.issuer.name -}}
|
||||||
|
{{- $issuerKind := .Values.certManager.issuer.kind -}}
|
||||||
|
{{- if not $issuerName }}
|
||||||
|
{{- fail "ERROR: certManager.enabled is true but certManager.issuer.name is not set!" }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if not $issuerKind }}
|
||||||
|
{{- fail "ERROR: certManager.enabled is true but certManager.issuer.kind is not set!" }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- /* Loop through each TLS entry defined in ingress.tls */}}
|
||||||
|
{{- range .Values.ingress.tls }}
|
||||||
|
{{- $secretName := .secretName }}
|
||||||
|
{{- $hosts := .hosts }}
|
||||||
|
{{- if not $secretName }}
|
||||||
|
{{- fail "ERROR: certManager.enabled is true but ingress.tls contains an entry without a 'secretName'." }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if not $hosts }}
|
||||||
|
{{- fail (printf "ERROR: certManager.enabled is true but ingress.tls entry for secret '%s' contains no 'hosts'." $secretName) }}
|
||||||
|
{{- end }}
|
||||||
|
---
|
||||||
|
apiVersion: cert-manager.io/v1
|
||||||
|
kind: Certificate
|
||||||
|
metadata:
|
||||||
|
# The name of the Certificate resource itself. Often matches the secretName for clarity.
|
||||||
|
name: {{ $secretName }}
|
||||||
|
namespace: istio-system # Change to the namespace where the Istio Gateway is deployed
|
||||||
|
labels:
|
||||||
|
{{- include "uptime-kuma.labels" $ | nindent 4 }}
|
||||||
|
{{- with $.Values.certManager.certificate.extraLabels }}
|
||||||
|
{{- toYaml . | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with $.Values.certManager.certificate.annotations }}
|
||||||
|
annotations:
|
||||||
|
{{- toYaml . | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
spec:
|
||||||
|
# secretName: The name of the Kubernetes Secret resource where the certificate
|
||||||
|
# and key will be stored by cert-manager. This MUST match the
|
||||||
|
# secretName used by the Istio Gateway's credentialName.
|
||||||
|
secretName: {{ $secretName }}
|
||||||
|
|
||||||
|
# issuerRef: Reference to the Issuer or ClusterIssuer that will sign the certificate.
|
||||||
|
issuerRef:
|
||||||
|
name: {{ $issuerName }}
|
||||||
|
kind: {{ $issuerKind }}
|
||||||
|
# group: cert-manager.io # group is usually implicit for core issuers
|
||||||
|
|
||||||
|
# List of DNS names the certificate will be valid for.
|
||||||
|
dnsNames:
|
||||||
|
{{- range $hosts }}
|
||||||
|
- {{ . | quote }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
# Optional: Define Common Name (CN). Often derived from the first DNS name.
|
||||||
|
{{- $firstHost := first $hosts -}}
|
||||||
|
{{- if $firstHost }}
|
||||||
|
commonName: {{ $firstHost | quote }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
# Optional: Add other cert-manager spec fields like duration, renewBefore, privateKey, usages etc.
|
||||||
|
# duration: 2160h # 90d
|
||||||
|
# renewBefore: 360h # 15d
|
||||||
|
{{- end }} {{/* end range .Values.ingress.tls */}}
|
||||||
|
{{- end }} {{/* end if certManager.enabled */}}
|
||||||
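Review bot: `namespace: istio-system` on the Certificate's metadata is hard-coded while `$namespace` (computed from `uptime-kuma.namespace` a few lines earlier) is never used, so the Certificate and the Secret holding its private key always land in istio-system no matter where the release is installed. The resource is gated on `ingress.enabled` and `ingress.tls`, and an Ingress in the release namespace cannot read a TLS Secret from istio-system, so unless the chart's Ingress template (outside this view) is never used together with this Certificate, the key ends up where the Ingress cannot see it. Consider `namespace: {{ $.Values.certManager.namespace | default $namespace }}` so the Istio Gateway case stays possible without breaking the default, and drop the inline comment asking users to edit the template. Since the issued key is reused across renewals by older cert-manager releases (`rotationPolicy` defaults to `Never` there), also consider adding `privateKey:` / `  rotationPolicy: Always` to the spec so each renewal gets a fresh key.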
@ -84,7 +84,9 @@ ingress:
|
|||||||
pathType: ImplementationSpecific
|
pathType: ImplementationSpecific
|
||||||
|
|
||||||
tls:
|
tls:
|
||||||
[]
|
- secretName: uptime-kuma-tls
|
||||||
|
hosts:
|
||||||
|
- uptime.james-mellors.com
|
||||||
# - secretName: chart-example-tls
|
# - secretName: chart-example-tls
|
||||||
# hosts:
|
# hosts:
|
||||||
# - chart-example.local
|
# - chart-example.local
|
||||||
@ -258,3 +260,22 @@ istio:
|
|||||||
# -- Add extra annotations to the Istio VirtualService resource
|
# -- Add extra annotations to the Istio VirtualService resource
|
||||||
annotations: {}
|
annotations: {}
|
||||||
# some-istio-annotation: value
|
# some-istio-annotation: value
|
||||||
|
certManager:
|
||||||
|
# -- Enable automatic Certificate creation via cert-manager
|
||||||
|
enabled: true # Set to true to create Certificate resource
|
||||||
|
|
||||||
|
# -- Reference to the cert-manager Issuer or ClusterIssuer to use
|
||||||
|
issuer:
|
||||||
|
# -- Name of the Issuer or ClusterIssuer
|
||||||
|
name: "letsencrypt-cloudflare" # REQUIRED if certManager.enabled is true (e.g., "letsencrypt-prod")
|
||||||
|
# -- Kind of the issuer (Issuer or ClusterIssuer)
|
||||||
|
kind: ClusterIssuer # Or "Issuer" if using a namespaced Issuer
|
||||||
|
|
||||||
|
# -- Optional: Add extra labels to the Certificate resource
|
||||||
|
certificate:
|
||||||
|
extraLabels: {}
|
||||||
|
# my-cert-label: value
|
||||||
|
|
||||||
|
# -- Optional: Add extra annotations to the Certificate resource
|
||||||
|
annotations: {}
|
||||||
|
# cert-manager.io/issue-temporary-certificate: "true"
|
||||||
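Review bot: The chart defaults now ship `certManager.enabled: true`, `issuer.name: "letsencrypt-cloudflare"` and an `ingress.tls` entry for `uptime.james-mellors.com`, so anyone installing with stock values will ask a ClusterIssuer they likely do not have to issue a certificate for a domain they do not control, and the `REQUIRED if certManager.enabled is true` comment on `name` reads as if that value were meant to be user-supplied. If the chart is meant to be reusable, keep the defaults inert — `enabled: false`, `name: ""`, `tls: []` — and put the site-specific issuer and hostname in an environment values file; the `fail` guards in certificate.yaml then only fire when someone actually turns the feature on. The hunk headers place these lines inside `ingress:` and `istio:`, whose definitions start outside the hunks, and the file header for this section is not visible on the page.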