Coffea casa Kubernetes dependencies

Oksana Shadura edited this page Jul 27, 2021 · 8 revisions

Kubeseal (for secrets)

We use kubeseal to encrypt the secrets (tokens and others) needed while deploying the coffea-casa AF in K8s.

Sealed Secrets consists of two components:

  • Client-side CLI tool to encrypt secrets and create sealed secrets
  • Server-side controller used to decrypt sealed secrets and create secrets

For the client side (installing the CLI tool), check the latest tag at https://github.com/bitnami-labs/sealed-secrets/tags and then run:

wget https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.16.0/kubeseal-linux-amd64 -O kubeseal
sudo install -m 755 kubeseal /usr/local/bin/kubeseal

For installing the Sealed Secrets Helm chart (server side), see https://github.com/bitnami-labs/sealed-secrets#helm-chart.

Alternatively, the SealedSecret CRD and the server-side controller can be installed into the kube-system namespace with:

$ kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.16.0/controller.yaml

Cert-manager

We deployed cert-manager directly into the cert-manager namespace via Flux. The settings are below:

  • cert-manager.yaml
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: cert-manager
  namespace: cert-manager
spec:
  chart:
    spec:
      chart: cert-manager
      version: v1.3.0
      sourceRef:
        kind: HelmRepository
        name: jetstack
        namespace: cert-manager
  interval: 5m0s
  values:
    installCRDs: false
    ingressShim:
      defaultIssuerName: letsencrypt-prod
      defaultIssuerKind: ClusterIssuer
      defaultIssuerGroup: cert-manager.io
  • helm.yaml
---
apiVersion: source.toolkit.fluxcd.io/v1beta1
kind: HelmRepository
metadata:
  name: jetstack
  namespace: cert-manager
spec:
  interval: 10m
  url: https://charts.jetstack.io
  • cluster-issues.yaml
# Lets Encrypt certificate issuers
---
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: [email protected]
    privateKeySecretRef:
      name: letsencrypt-staging-secret
    solvers:
    - http01:
        ingress:
          class: nginx
---
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: [email protected]
    privateKeySecretRef:
      name: letsencrypt-prod-secret
    solvers:
    - http01:
        ingress:
          class: nginx

Rook and storageClass

Traefik