From 3ea29bde5b8ec8e8bea8bdf1d2ca325641447feb Mon Sep 17 00:00:00 2001 
From: Luke Repko Date: Fri, 19 Apr 2024 19:41:10 -0500 Subject: [PATCH] Add optional kustomize letsencrypt overlay When using letsencrypt, you must annotate the named ingress with the letsencrypt cluster-issuer as well as any other desired acme.cert-manager.io annotations [1]. As most services have multiple ingresses (external vs internal), we must only annotate the ingress that will be accessed externally, else the ACME solver will not work correctly. Using this optional overlay will help ensure the expected ingress is annotated, so that the challenge URL is accessible externally. 1. https://cert-manager.io/docs/usage/ingress/#supported-annotations --- .../cinder/letsencrypt/kustomization.yaml | 13 ++++++++ .../glance/letsencrypt/kustomization.yaml | 13 ++++++++ kustomize/heat/letsencrypt/kustomization.yaml | 22 +++++++++++++ .../horizon/letsencrypt/kustomization.yaml | 13 ++++++++ .../keystone/letsencrypt/kustomization.yaml | 13 ++++++++ .../neutron/letsencrypt/kustomization.yaml | 13 ++++++++ kustomize/nova/letsencrypt/kustomization.yaml | 31 ++++++++++++++++++ .../octavia/letsencrypt/kustomization.yaml | 13 ++++++++ .../placement/letsencrypt/kustomization.yaml | 13 ++++++++ .../skyline/letsencrypt/kustomization.yaml | 32 +++++++++++++++++++ 10 files changed, 176 insertions(+) create mode 100644 kustomize/cinder/letsencrypt/kustomization.yaml create mode 100644 kustomize/glance/letsencrypt/kustomization.yaml create mode 100644 kustomize/heat/letsencrypt/kustomization.yaml create mode 100644 kustomize/horizon/letsencrypt/kustomization.yaml create mode 100644 kustomize/keystone/letsencrypt/kustomization.yaml create mode 100644 kustomize/neutron/letsencrypt/kustomization.yaml create mode 100644 kustomize/nova/letsencrypt/kustomization.yaml create mode 100644 kustomize/octavia/letsencrypt/kustomization.yaml create mode 100644 kustomize/placement/letsencrypt/kustomization.yaml create mode 100644 kustomize/skyline/letsencrypt/kustomization.yaml
diff --git a/kustomize/cinder/letsencrypt/kustomization.yaml b/kustomize/cinder/letsencrypt/kustomization.yaml
new file mode 100644
index 00000000..600c2979
--- /dev/null
+++ b/kustomize/cinder/letsencrypt/kustomization.yaml
@@ -0,0 +1,13 @@
+bases:
+ - ../base
+
+patches:
+ - target:
+ kind: Ingress
+ name: cinder-namespace-fqdn
+ patch: |-
+ - op: add
+ path: /metadata/annotations
+ value:
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+ acme.cert-manager.io/http01-edit-in-place: "true"
diff --git a/kustomize/glance/letsencrypt/kustomization.yaml b/kustomize/glance/letsencrypt/kustomization.yaml
new file mode 100644
index 00000000..36dd9501
--- /dev/null
+++ b/kustomize/glance/letsencrypt/kustomization.yaml
@@ -0,0 +1,13 @@
+bases:
+ - ../base
+
+patches:
+ - target:
+ kind: Ingress
+ name: glance-namespace-fqdn
+ patch: |-
+ - op: add
+ path: /metadata/annotations
+ value:
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+ acme.cert-manager.io/http01-edit-in-place: "true"
diff --git a/kustomize/heat/letsencrypt/kustomization.yaml b/kustomize/heat/letsencrypt/kustomization.yaml
new file mode 100644
index 00000000..72dcb904
--- /dev/null
+++ b/kustomize/heat/letsencrypt/kustomization.yaml
@@ -0,0 +1,22 @@
+bases:
+ - ../base
+
+patches:
+ - target:
+ kind: Ingress
+ name: heat-namespace-fqdn
+ patch: |-
+ - op: add
+ path: /metadata/annotations
+ value:
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+ acme.cert-manager.io/http01-edit-in-place: "true"
+ - target:
+ kind: Ingress
+ name: cloudformation-namespace-fqdn
+ patch: |-
+ - op: add
+ path: /metadata/annotations
+ value:
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+ acme.cert-manager.io/http01-edit-in-place: "true"
diff --git a/kustomize/horizon/letsencrypt/kustomization.yaml b/kustomize/horizon/letsencrypt/kustomization.yaml
new file mode 100644
index 00000000..77ac7bd9
--- /dev/null
+++ b/kustomize/horizon/letsencrypt/kustomization.yaml
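Review bot: `op: add` with `path: /metadata/annotations` replaces the entire annotations map when the base Ingress already has one (a JSON Patch add on an existing object member overwrites its value), so any annotations the base sets on cinder-namespace-fqdn would be dropped by this overlay; the same pattern is used in every other overlay in this commit (glance, heat, horizon, keystone, neutron, nova, octavia, placement, skyline). Whether the base ingresses carry annotations is not visible here, but a strategic-merge patch merges the two keys into whatever is already present and needs no `~1` escaping of the annotation names. Separately, `bases:` is deprecated in kustomize in favour of `resources:` and produces a warning on every build, again in all ten files. A cinder entry written that way is below; the other overlays would change the same way.
```yaml
resources:
  - ../base

patches:
  - target:
      kind: Ingress
      name: cinder-namespace-fqdn
    patch: |-
      apiVersion: networking.k8s.io/v1
      kind: Ingress
      metadata:
        name: cinder-namespace-fqdn
        annotations:
          cert-manager.io/cluster-issuer: letsencrypt-prod
          acme.cert-manager.io/http01-edit-in-place: "true"
```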
@@ -0,0 +1,13 @@
+bases:
+ - ../base
+
+patches:
+ - target:
+ kind: Ingress
+ name: horizon-namespace-fqdn
+ patch: |-
+ - op: add
+ path: /metadata/annotations
+ value:
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+ acme.cert-manager.io/http01-edit-in-place: "true"
diff --git a/kustomize/keystone/letsencrypt/kustomization.yaml b/kustomize/keystone/letsencrypt/kustomization.yaml
new file mode 100644
index 00000000..394f3d8e
--- /dev/null
+++ b/kustomize/keystone/letsencrypt/kustomization.yaml
@@ -0,0 +1,13 @@
+bases:
+ - ../base
+
+patches:
+ - target:
+ kind: Ingress
+ name: keystone-namespace-fqdn
+ patch: |-
+ - op: add
+ path: /metadata/annotations
+ value:
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+ acme.cert-manager.io/http01-edit-in-place: "true"
diff --git a/kustomize/neutron/letsencrypt/kustomization.yaml b/kustomize/neutron/letsencrypt/kustomization.yaml
new file mode 100644
index 00000000..1e6b4270
--- /dev/null
+++ b/kustomize/neutron/letsencrypt/kustomization.yaml
@@ -0,0 +1,13 @@
+bases:
+ - ../base
+
+patches:
+ - target:
+ kind: Ingress
+ name: neutron-namespace-fqdn
+ patch: |-
+ - op: add
+ path: /metadata/annotations
+ value:
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+ acme.cert-manager.io/http01-edit-in-place: "true"
diff --git a/kustomize/nova/letsencrypt/kustomization.yaml b/kustomize/nova/letsencrypt/kustomization.yaml
new file mode 100644
index 00000000..57a890ec
--- /dev/null
+++ b/kustomize/nova/letsencrypt/kustomization.yaml
@@ -0,0 +1,31 @@
+bases:
+ - ../base
+
+patches:
+ - target:
+ kind: Ingress
+ name: nova-namespace-fqdn
+ patch: |-
+ - op: add
+ path: /metadata/annotations
+ value:
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+ acme.cert-manager.io/http01-edit-in-place: "true"
+ - target:
+ kind: Ingress
+ name: metadata-namespace-fqdn
+ patch: |-
+ - op: add
+ path: /metadata/annotations
+ value:
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+ acme.cert-manager.io/http01-edit-in-place: "true"
+ - target:
+ kind: Ingress
+ name: novncproxy-namespace-fqdn
+ patch: |-
+ - op: add
+ path: /metadata/annotations
+ value:
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+ acme.cert-manager.io/http01-edit-in-place: "true"
diff --git a/kustomize/octavia/letsencrypt/kustomization.yaml b/kustomize/octavia/letsencrypt/kustomization.yaml
new file mode 100644
index 00000000..c6b2199f
--- /dev/null
+++ b/kustomize/octavia/letsencrypt/kustomization.yaml
@@ -0,0 +1,13 @@
+bases:
+ - ../base
+
+patches:
+ - target:
+ kind: Ingress
+ name: octavia-namespace-fqdn
+ patch: |-
+ - op: add
+ path: /metadata/annotations
+ value:
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+ acme.cert-manager.io/http01-edit-in-place: "true"
diff --git a/kustomize/placement/letsencrypt/kustomization.yaml b/kustomize/placement/letsencrypt/kustomization.yaml
new file mode 100644
index 00000000..0c6295f8
--- /dev/null
+++ b/kustomize/placement/letsencrypt/kustomization.yaml
@@ -0,0 +1,13 @@
+bases:
+ - ../base
+
+patches:
+ - target:
+ kind: Ingress
+ name: placement-namespace-fqdn
+ patch: |-
+ - op: add
+ path: /metadata/annotations
+ value:
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+ acme.cert-manager.io/http01-edit-in-place: "true"
diff --git a/kustomize/skyline/letsencrypt/kustomization.yaml b/kustomize/skyline/letsencrypt/kustomization.yaml
new file mode 100644
index 00000000..6427ce88
--- /dev/null
+++ b/kustomize/skyline/letsencrypt/kustomization.yaml
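Review bot: The nova overlay annotates `metadata-namespace-fqdn` with the letsencrypt cluster-issuer next to the public API and novncproxy ingresses, while the commit message says only the ingress reached externally should be annotated, because the ACME solver otherwise fails. If the metadata endpoint is not reachable from the internet, the HTTP-01 challenge for it can never complete and cert-manager will leave that Order pending and retrying indefinitely; I cannot see the base to tell whether that ingress is intended to be public. If it is internal-only, drop that target entry; if it is deliberately public, a comment above the target such as `# metadata ingress is published externally; HTTP-01 must be able to reach it` would record the decision for the next reader.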
@@ -0,0 +1,32 @@
+bases:
+ - ../base
+
+patches:
+ - target:
+ kind: Ingress
+ name: skyline
+ patch: |-
+ - op: add
+ path: /spec/rules
+ value:
+ - host: skyline.dfw-ospcv2-staging.ohthree.com
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: skyline-apiserver
+ port:
+ name: "s-apiserver"
+ - op: add
+ path: /spec/tls
+ value:
+ - hosts:
+ - skyline.dfw-ospcv2-staging.ohthree.com
+ secretName: skyline-tls-public
+ - op: add
+ path: /metadata/annotations
+ value:
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+ acme.cert-manager.io/http01-edit-in-place: "true"
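Review bot: The skyline overlay hard-codes the host `skyline.dfw-ospcv2-staging.ohthree.com` in both the `/spec/rules` and `/spec/tls` ops, so unlike the other nine overlays in this commit it is bound to one staging environment and cannot be reused without editing the file. The `op: add` ops on `/spec/rules` and `/spec/tls` also replace whatever rules and TLS entries the base `skyline` Ingress already defines rather than adding to them, which silently discards any host the base serves. If this overlay is only meant to add the cert-manager annotations like its siblings, the rules and tls ops belong in an environment-specific overlay or in the base; if a rule genuinely has to be added here, `path: /spec/rules/-` and `path: /spec/tls/-` append to the existing lists instead of overwriting them.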