From 22e9f69e5028918c9d43eb008bc5cadd00cbdbfa Mon Sep 17 00:00:00 2001
From: tuna
Date: Thu, 5 Sep 2024 15:04:33 +0200
Subject: [PATCH] cert-manager

---
 manifests/argocd/cert-manager.yaml | 22 +++++++++++++++++++
 manifests/blog-app/blog-app.yaml | 2 +-
 .../istio-gateway-virtualService.yaml | 7 ++++++
 terraform/app.tf | 15 +++++++++++++
 4 files changed, 45 insertions(+), 1 deletion(-)
 create mode 100644 manifests/argocd/cert-manager.yaml

diff --git a/manifests/argocd/cert-manager.yaml b/manifests/argocd/cert-manager.yaml
new file mode 100644
index 0000000..fc99818
--- /dev/null
+++ b/manifests/argocd/cert-manager.yaml
@@ -0,0 +1,22 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: cert-manager
+ namespace: argocd
+spec:
+ destination:
+ namespace: cert-manager
+ server: https://kubernetes.default.svc
+ project: infrastructure
+ source:
+ chart: cert-manager
+ helm:
+ parameters:
+ - name: installCRDs
+ value: "true"
+ repoURL: https://charts.jetstack.io
+ targetRevision: v1.15.3
+ syncPolicy:
+ automated: {}
+ syncOptions:
+ - CreateNamespace=true
\ No newline at end of file
diff --git a/manifests/blog-app/blog-app.yaml b/manifests/blog-app/blog-app.yaml
index 2b9d124..2f6612c 100644
--- a/manifests/blog-app/blog-app.yaml
+++ b/manifests/blog-app/blog-app.yaml
@@ -269,7 +269,7 @@ metadata:
 spec:
 selector:
 app: frontend
- # We'll use istio-ingress, that's wh4y front-end's service should become clusterIP type
+ # We'll use istio-ingress, that's why using LoadBalancer type of service would be redundant for frontend service
 type: ClusterIP
 ports:
 - protocol: TCP
diff --git a/manifests/blog-app/istio-gateway-virtualService.yaml b/manifests/blog-app/istio-gateway-virtualService.yaml
index 75fb803..03ca27e 100644
--- a/manifests/blog-app/istio-gateway-virtualService.yaml
+++ b/manifests/blog-app/istio-gateway-virtualService.yaml
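Review bot: `installCRDs` under `helm.parameters` is the legacy CRD switch for this chart; at `targetRevision: v1.15.3` the chart also exposes `crds.enabled` and `crds.keep`, and `crds.keep=true` marks the CRDs to be kept so that pruning or deleting this Application does not cascade into deleting every Certificate and Issuer object in the cluster. I would replace the parameter with `- name: crds.enabled` / `value: "true"` and add a second entry `- name: crds.keep` / `value: "true"`. cert-manager's CRDs are large enough that client-side apply can exceed the last-applied-configuration annotation limit; if the sync fails on that, add `- ServerSideApply=true` next to `- CreateNamespace=true` under `syncOptions`. `automated: {}` turns on automated sync without prune or selfHeal, so drift in the cert-manager namespace is detected but not corrected — a one-line comment stating whether that is intended would help the next reader. The file also ends without a trailing newline.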
@@ -1,3 +1,4 @@
+# Gateway is a CustomResourceDefinition that helps to define how the external-traffic should be handled
 apiVersion: networking.istio.io/v1
 kind: Gateway
 metadata:
@@ -5,12 +6,15 @@ metadata:
 namespace: blog-app
 spec:
 selector:
+ # istio-ingress service (which was deployed to namespace istio-ingress) has the following label
 istio: ingress
 servers:
 - port:
 number: 80
 name: http
 protocol: HTTP
+ # Accepts traffic from any hostname. It’s like saying, “I don’t care who’s knocking, let everyone in.”
+ # hosts: ["myblog.com"]: Accepts traffic only for myblog.com
 hosts:
 - "*"
 ---
@@ -23,6 +27,7 @@ spec:
 hosts:
 - "*"
 gateways:
+ # This resource applies to this gateway.
 - blog-app-gateway
 http:
 - match:
@@ -42,6 +47,8 @@ spec:
 exact: /updateprofile
 route:
 - destination:
+ # Since this resource is already deployed to same namespace that frontend service in, it can access that service just by its name.
+ # However, if they were in different namespaces, we should've written something like: frontend.blog-app.svc.cluster.local
 host: frontend
 port:
 number: 80
\ No newline at end of file
diff --git a/terraform/app.tf b/terraform/app.tf
index 6fcefd9..8ae7548 100644
--- a/terraform/app.tf
+++ b/terraform/app.tf
@@ -16,6 +16,7 @@ resource "kubectl_manifest" "apps" {
 override_namespace = "argocd"
 }
 
+# istio.yaml file contains charts for 'istio-base', 'istiod' and 'istio-ingress'
 data "kubectl_file_documents" "istio" {
 content = file("../manifests/argocd/istio.yaml")
 }
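Review bot: The `hosts: - "*"` line that the new comment describes belongs to a Gateway that declares only a port-80 HTTP server, so even with cert-manager arriving in this commit nothing here terminates TLS and requests to the blog still travel in clear text; the Gateway definition begins before this hunk. Once cert-manager has issued a certificate into the istio-ingress namespace, the server list needs an HTTPS entry with `tls.mode: SIMPLE` and a `credentialName` naming that Secret, and the port-80 server can carry `tls.httpsRedirect: true` so plain HTTP exists only to bounce clients to HTTPS. Narrowing `hosts` to the blog's real DNS name, as the comment's own `hosts: ["myblog.com"]` alternative already suggests, also stops the listener from answering for arbitrary Host headers. The curly quotes in the added comment are valid UTF-8 but plain ASCII quotes would keep the file grep-friendly.
```yaml
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    tls:
      httpsRedirect: true   # port 80 is kept only to redirect clients to HTTPS
    hosts:
    - "<BLOG_HOSTNAME>"     # placeholder: the blog's DNS name
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: "<TLS_SECRET_NAME>"   # placeholder: Secret written by cert-manager in the istio-ingress namespace
    hosts:
    - "<BLOG_HOSTNAME>"
```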
@@ -29,6 +30,20 @@ resource "kubectl_manifest" "istio" {
 override_namespace = "argocd"
 }
 
+# Cert-manager chart for the digital certificate creation
+data "kubectl_file_documents" "cert-manager" {
+ content = file("../manifests/argocd/cert-manager.yaml")
+}
+
+resource "kubectl_manifest" "cert-manager" {
+ depends_on = [
+ kubectl_manifest.argocd,
+ ]
+ for_each = data.kubectl_file_documents.cert-manager.manifests
+ yaml_body = each.value
+ override_namespace = "argocd"
+}
+
 # I am done with externalSecrets, a lot of problems
 # Managing Secrets using ExternalSecrets Operator
 # # External-Secrets operator for the retrieval of secrets
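Review bot: `depends_on = [kubectl_manifest.argocd]` in the new `kubectl_manifest.cert-manager` resource only guarantees that the Argo CD CRDs exist, while the Application it applies references `project: infrastructure`; if that AppProject is created by another resource in this file (`kubectl_manifest.apps`, named in the earlier hunk header, looks like a candidate), it should be listed in `depends_on` too, otherwise a first apply can race and leave the Application in an error state until it is retried. Terraform convention is underscores in resource and data-source names, so `"cert_manager"` and `data.kubectl_file_documents.cert_manager.manifests` would match the `apps` and `istio` naming already in the file; hyphens are legal in HCL identifiers but read like subtraction at a glance. `override_namespace = "argocd"` repeats the `namespace: argocd` already set in the manifest's metadata, which is harmless but deserves a short comment such as `# override_namespace mirrors metadata.namespace; keep both so the manifest is valid on its own` so nobody drops one believing the other is redundant.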