diff --git a/charts/vkpr/CRDs.md b/charts/vkpr/CRDs.md
new file mode 100644
index 00000000..fe94bfa2
--- /dev/null
+++ b/charts/vkpr/CRDs.md
@@ -0,0 +1,8 @@
+# CRDs de subcharts
+
+Estes CRDs precisam ser instalados previamente *ou* automaticamente via pasta "crds".
+Em produção recomendamos *não* instalar automaticamente (usar "--skip-crds").
+
+## cert-manager
+
+* https://github.com/jetstack/cert-manager/releases/download/v1.0.3/cert-manager.crds.yaml
diff --git a/charts/vkpr/acme.yaml b/charts/vkpr/acme.yaml
new file mode 100644
index 00000000..9dbfb663
--- /dev/null
+++ b/charts/vkpr/acme.yaml
@@ -0,0 +1,39 @@
+{{- if index .Values "cert-manager" "enabled" -}}
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-staging
+spec:
+ acme:
+ # You must replace this email address with your own.
+ # Let's Encrypt will use this to contact you about expiring
+ # certificates, and issues related to your account.
+ email: {{ .Values.acme.email }}
+ server: https://acme-staging-v02.api.letsencrypt.org/directory
+ privateKeySecretRef:
+ # Secret resource used to store the account's private key.
+ name: acme-staging-issuer-account-key
+ {{- with .Values.acme.solvers }}
+ solvers:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-production
+spec:
+ acme:
+ # You must replace this email address with your own.
+ # Let's Encrypt will use this to contact you about expiring
+ # certificates, and issues related to your account.
+ email: {{ .Values.acme.email }}
+ server: https://acme-v02.api.letsencrypt.org/directory
+ privateKeySecretRef:
+ # Secret resource used to store the account's private key.
+ name: acme-production-issuer-account-key
+ {{- with .Values.acme.solvers }}
+ solvers:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end -}}
diff --git a/examples/local/acme.yaml b/examples/local/acme.yaml
new file mode 100644
index 00000000..a1820c82
--- /dev/null
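Review bot: Both `email: {{ .Values.acme.email }}` lines in charts/vkpr/acme.yaml render the value unquoted and with no presence check, so an unset value gives a ClusterIssuer with an empty contact address, or a render error if `acme` is absent from the chart defaults (not visible in this diff). I would write `email: {{ required "acme.email must be set" .Values.acme.email | quote }}` in both issuers. The `with .Values.acme.solvers` block likewise drops `solvers:` silently when nothing is configured, which would install `letsencrypt-staging` and `letsencrypt-production` without any way to complete a challenge; failing the render is safer. Helm only renders files under `templates/`, and this file is added at the chart root, so please confirm the location is intended.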
+++ b/examples/local/acme.yaml
@@ -0,0 +1,41 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-staging
+spec:
+ acme:
+ # You must replace this email address with your own.
+ # Let's Encrypt will use this to contact you about expiring
+ # certificates, and issues related to your account.
+ email: 577b76370d-dc8645@inbox.mailtrap.io
+ server: https://acme-staging-v02.api.letsencrypt.org/directory
+ privateKeySecretRef:
+ # Secret resource used to store the account's private key.
+ name: acme-staging-issuer-account-key
+ solvers:
+ - dns01:
+ digitalocean:
+ tokenSecretRef:
+ name: digitalocean-dns
+ key: access-token
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-production
+spec:
+ acme:
+ # You must replace this email address with your own.
+ # Let's Encrypt will use this to contact you about expiring
+ # certificates, and issues related to your account.
+ email: 577b76370d-dc8645@inbox.mailtrap.io
+ server: https://acme-v02.api.letsencrypt.org/directory
+ privateKeySecretRef:
+ # Secret resource used to store the account's private key.
+ name: acme-production-issuer-account-key
+ solvers:
+ - dns01:
+ digitalocean:
+ tokenSecretRef:
+ name: digitalocean-dns
+ key: access-token
diff --git a/examples/local/values-local-certs-dns.yaml b/examples/local/values-local-certs-dns.yaml
new file mode 100644
index 00000000..93632259
--- /dev/null
+++ b/examples/local/values-local-certs-dns.yaml
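Review bot: Both issuers in examples/local/acme.yaml hard-code `email: 577b76370d-dc8645@inbox.mailtrap.io` directly under the comment saying the address must be replaced, so anyone applying the example unchanged registers a Let's Encrypt account, including on the production endpoint, whose expiry and account notices go to an inbox they do not control. I would use an obvious placeholder such as `email: "changeme@example.com"` (constructed value). A comment above `tokenSecretRef` would also help, for example `# ClusterIssuer: this Secret must exist in cert-manager's cluster resource namespace`, because the `kubectl create secret` line in values-local-certs-dns.yaml creates `digitalocean-dns` in whatever namespace is current.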
@@ -0,0 +1,94 @@
+#
+# Valores para testes locais com o k3d, mas com Cert-manager e External-DNS operando
+# via DigitalOcean.
+#
+# O que executa:
+# - Ingress controller (ingress-nginx)
+# - Aplicação "whoami" com nome DNS real
+# - Cert-Manager
+# - External-DNS
+#
+# kubectl create secret generic digitalocean-dns --from-literal=access-token=
+# helm upgrade -i vkpr --skip-crds -f examples/local/values-local-certs-dns.yaml ./charts/vkpr \
+# --set external-dns.digitalocean.apiToken=
+# kubectl apply -f examples/local/acme.yaml
+#
+# Testar com:
+#
+# curl -k -H "Host: whoami.vkpr-dev.vertigo.com.br" https://
+# curl -k https://whoami.vkpr-dev.vertigo.com.br
+#
+
+#
+# INGRESS STACK
+#
+ingress-nginx:
+ enabled: true
+
+external-dns:
+ enabled: true
+ rbac:
+ create: true
+ sources:
+ - ingress
+ provider: digitalocean
+ # provide no value here, use --set in command line
+ # digitalocean:
+ # apiToken:
+ interval: "1m"
+ logLevel: debug
+
+cert-manager:
+ enabled: true
+ installCRDs: true # ok for testing
+ ingressShim:
+ defaultIssuerName: letsencrypt-staging
+ defaultIssuerKind: ClusterIssuer
+ defaultIssuerGroup: cert-manager.io
+ prometheus:
+ enabled: false
+
+# dados para o CRD do ACME
+# acme:
+# email: andre@vertigo.com.br
+# solvers:
+# - dns01:
+# digitalocean:
+# tokenSecretRef:
+# name: digitalocean-dns
+# key: access-token
+
+# chart values
+ingress:
+ enabled: true
+ annotations:
+ kubernetes.io/ingress.class: nginx
+ kubernetes.io/tls-acme: "true"
+ hosts:
+ - host: whoami.vkpr-dev.vertigo.com.br
+ paths: ["/"]
+ tls:
+ - hosts:
+ - whoami.vkpr-dev.vertigo.com.br
+ secretName: whoami-cert
+
+#
+# LOGGING STACK:
+#
+
+loki-stack:
+ enabled: false
+
+#
+# MONITORING STACK
+#
+kube-prometheus-stack:
+ enabled: false
+
+#
+# SECURITY STACK
+#
+vault:
+ enabled: false
+keycloak:
+ enabled: false
diff --git a/examples/local/values-local-minimal.yaml b/examples/local/values-local-minimal.yaml
new file mode 100644
index 00000000..c2f03fdc
--- /dev/null
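Review bot: The header comment of values-local-certs-dns.yaml tells users to pass the DigitalOcean token as `--from-literal=access-token=` and `--set external-dns.digitalocean.apiToken=`, which leaves the credential in shell history and the process list, and the `--set` value is also kept in the Helm release record. I would change the first command to `kubectl create secret generic digitalocean-dns --from-file=access-token=./do-token` and, if the external-dns subchart version in use can reference an existing Secret, point it at `digitalocean-dns` rather than using `--set`. Separately, `cert-manager.enabled: true` is set while the `acme:` block is commented out, so the chart's acme.yaml template would see no email or solvers with these values. The commented `email:` is a personal address and would be better as a placeholder.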
+++ b/examples/local/values-local-minimal.yaml
@@ -0,0 +1,61 @@
+#
+# Valores para testes locais com o k3d.
+#
+# O que executa:
+# - Ingress controller (ingress-nginx)
+# - Aplicação "whoami"
+#
+# helm upgrade -i vkpr -f examples/local/values-local-minimal.yaml ./charts/vkpr
+#
+# Coloque as seguintes entradas no /etc/hosts :
+# 127.0.0.1 whoami.localdomain
+#
+# Testar com:
+#
+# curl whoami.localdomain:8080
+#
+
+#
+# INGRESS STACK
+#
+ingress-nginx:
+ enabled: true
+ # service:
+ # type: NodePort
+ # nodePorts:
+ # http: 32080
+
+external-dns:
+ enabled: false
+cert-manager:
+ enabled: false
+
+# chart values
+ingress:
+ enabled: true
+ annotations:
+ ingress.kubernetes.io/ssl-redirect: "false"
+ hosts:
+ - host: whoami.localdomain
+ paths: ["/"]
+
+#
+# LOGGING STACK:
+#
+
+loki-stack:
+ enabled: false
+
+#
+# MONITORING STACK
+#
+kube-prometheus-stack:
+ enabled: false
+
+#
+# SECURITY STACK
+#
+vault:
+ enabled: false
+keycloak:
+ enabled: false
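Review bot: The annotation `ingress.kubernetes.io/ssl-redirect: "false"` in values-local-minimal.yaml uses a prefix that ingress-nginx does not read by default; its annotations live under `nginx.ingress.kubernetes.io/`, so this line is probably a no-op with the controller this file enables. If the intent is to keep plain HTTP for the local `curl whoami.localdomain:8080` test, write `nginx.ingress.kubernetes.io/ssl-redirect: "false"`. I would also add a comment such as `# local testing only: plain HTTP, no TLS` above it so the setting is not copied into a real environment.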