Merge branch 'feat/ingress-tls-configuration-staging' into 'main'

feat(ingress): add TLS configuration for staging hosts

See merge request unboundsoftware/local-k8s!191

certs/README.md

@@ -28,7 +28,7 @@ kubectl create secret generic ca-key-pair2 \
   --from-literal=tls.key="$(cat local-ca.key)"
 ```
 
-The [certificates.yaml](../kind/certificates.yaml) contains the secrets already and wil be used by cert-manager
+The [certificates.yaml](../k8s/app/certificates.yaml) contains the secrets already and wil be used by cert-manager
 to sign certificates.
 
 ## Install and trust the CA

k8s/app/certificates.yaml

@@ -30,6 +30,7 @@ spec:
   - shiny
   - auth0
   - staging-shiny.unbound.se
+  - staging-shiny-api.unbound.se
   secretName: self-signed-cert-tls
   issuerRef:
     name: self-signed

k8s/app/kustomization.yaml

@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- certificates.yaml
+- secrets-store.yaml
+- local-proxy.yaml

k8s/app/local-proxy.yaml

@@ -27,6 +27,10 @@ metadata:
     nginx.ingress.kubernetes.io/upstream-vhost: "localhost:3300"
 spec:
   ingressClassName: nginx
+  tls:
+    - hosts:
+        - staging-shiny.unbound.se
+      secretName: self-signed-cert-tls
   rules:
     - host: staging-shiny.unbound.se
       http:
@@ -58,6 +62,10 @@ metadata:
     nginx.ingress.kubernetes.io/upstream-vhost: "localhost:4444"
 spec:
   ingressClassName: nginx
+  tls:
+    - hosts:
+        - staging-shiny-api.unbound.se
+      secretName: self-signed-cert-tls
   rules:
     - host: staging-shiny-api.unbound.se
       http:

k8s/infra/kustomization.yaml

@@ -4,9 +4,6 @@ resources:
 - postgres.yaml
 - rabbitmq.yaml
 - namespaces.yaml
-- certificates.yaml
-- secrets-store.yaml
-- local-proxy.yaml
 helmCharts:
 - name: external-secrets
   namespace: external-secrets
@@ -23,10 +20,3 @@ helmCharts:
   valuesInline:
     crds:
       enabled: true
-- name: ingress-nginx
-  namespace: ingress-nginx
-  includeCRDs: true
-  releaseName: ingress-nginx
-  repo: https://kubernetes.github.io/ingress-nginx
-  version: 4.14.1
-  valuesFile: https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/hack/manifest-templates/provider/kind/values.yaml

k8s/infra/namespaces.yaml

@@ -7,8 +7,3 @@ apiVersion: v1
 kind: Namespace
 metadata:
   name: cert-manager
----
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: ingress-nginx

k8s/nginx/kustomization.yaml

@@ -0,0 +1,12 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- namespaces.yaml
+helmCharts:
+- name: ingress-nginx
+  namespace: ingress-nginx
+  includeCRDs: true
+  releaseName: ingress-nginx
+  repo: https://kubernetes.github.io/ingress-nginx
+  version: 4.14.1
+  valuesFile: https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/hack/manifest-templates/provider/kind/values.yaml

k8s/nginx/namespaces.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: ingress-nginx

setup

@@ -12,14 +12,42 @@ kubectl create secret docker-registry gitlab \
 
 kubectl patch serviceaccount default -p '{"imagePullSecrets": [{"name": "gitlab"}]}'
 
-kustomized="$(mktemp --suffix .unboundkind.yaml --tmpdir=/tmp/)"
+kustomized="$(mktemp -t unboundnginx.yaml.XXXXXX)"
 
-kubectl kustomize --enable-helm ./kind > "${kustomized}"
+kubectl kustomize --enable-helm "k8s/nginx" >> "${kustomized}"
 kubectl apply -f "${kustomized}" --server-side || true
-kubectl wait --for=condition=Ready pods -n cert-manager -l app=cert-manager --timeout 5m
-kubectl wait --for=condition=Ready pods -n cert-manager -l app=cainjector --timeout 5m
-kubectl wait --for=condition=Ready pods -n cert-manager -l app=webhook --timeout 5m
-kubectl wait --for=condition=Ready pods --all -n external-secrets --timeout=5m
-kubectl apply -f "${kustomized}" --server-side
 
-kubectl wait --for=condition=Ready pods --all --timeout=5m
+printf "\nWait for pod app.kubernetes.io/component=controller to be created."
+while :; do
+  sleep 2
+  [ -n "$(kubectl -n ingress-nginx get pod --selector=app.kubernetes.io/component=controller 2>/dev/null)" ] && printf "\n\n" && break
+  printf "."
+done
+
+echo "Wait for nginx to be available."
+until [[ $(kubectl -n ingress-nginx get endpointslices -l 'kubernetes.io/service-name=ingress-nginx-controller' -o=jsonpath='{.items[*].endpoints[*].addresses[*]}') ]]; do sleep 5; done
+
+kustomized="$(mktemp -t unboundinfra.yaml.XXXXXX)"
+
+kubectl kustomize --enable-helm "k8s/infra" >> "${kustomized}"
+kubectl apply -f "${kustomized}" --server-side || true
+
+printf "\nWait for pod app.kubernetes.io/instance=cert-manager to be created."
+while :; do
+  sleep 2
+  [ -n "$(kubectl -n cert-manager get pod --selector=app.kubernetes.io/instance=cert-manager 2>/dev/null)" ] && printf "\n\n" && break
+  printf "."
+done
+kubectl wait --for=condition=Ready pods -n cert-manager -l app=cert-manager --timeout 4m
+kubectl wait --for=condition=Ready pods -n cert-manager -l app=cainjector --timeout 4m
+kubectl wait --for=condition=Ready pods -n cert-manager -l app=webhook --timeout 4m
+kubectl wait --for=condition=Ready pods --all -n external-secrets --timeout=5m
+# Apply again to get any CRD's that wasn't applied earlier since the definitions wasn't available
+kubectl apply -f "${kustomized}" --server-side || true
+kubectl apply -k k8s/app --server-side
+
+kubectl wait --for=condition=Ready pods -n cert-manager -l app=cert-manager --timeout 4m
+kubectl wait --for=condition=Ready pods -n cert-manager -l app=cainjector --timeout 4m
+kubectl wait --for=condition=Ready pods -n cert-manager -l app=webhook --timeout 4m
+kubectl wait --for=condition=Ready pods --all -n external-secrets --timeout=5m
+kubectl wait --for=condition=Ready pods --all -n default --timeout 3m