
feat: setup HTTPS for Gateway

+39 -4
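--- a/platform/staging/cert-manager.yaml
+++ b/platform/staging/cert-manager.yaml
@@ -27,7 +27,37 @@
   createNamespace: true
   values:
     config:
+      enableGatewayAPI: true
       featureGates:
         ACMEHTTP01IngressPathTypeExact: false
     crds:
       enabled: true
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cloudflare-api-token
+  namespace: cert-manager
+  annotations:
+    # TODO dedicated SA for cert-manager
+    vault.security.banzaicloud.io/vault-addr: http://vault.vault.svc.cluster.local:8200
+    vault.security.banzaicloud.io/vault-role: default
+    vault.security.banzaicloud.io/vault-path: kubernetes
+stringData:
+  api-token: vault:secret/data/platform/cloudflare#API_TOKEN
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt
+spec:
+  acme:
+    server: https://acme-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      name: letsencrypt-account-key
+    solvers:
+      - dns01:
+          cloudflare:
+            apiTokenSecretRef:
+              name: cloudflare-api-token
+              key: api-token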
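Review bot: The `letsencrypt` ClusterIssuer's only solver has no `selector`, so any namespace that can create a Certificate (or annotate a Gateway or Ingress) can use the Cloudflare token to obtain certificates for every name that token can write DNS records for. Only the `istio-system` Gateway needs it in this commit, so consider a namespaced `Issuer`, or at least pin the solver with `selector: {dnsZones: ["staging.khuedoan.com"]}` and add a comment stating that the token is expected to be scoped to DNS edit on that one zone. The Secret's annotations also point the Vault webhook at `http://vault.vault.svc.cluster.local:8200` with `vault-role: default`; unless the mesh already encrypts that hop, the Vault login and the API token travel in cleartext inside the cluster. The existing TODO about a dedicated service account is worth resolving together with a dedicated Vault role, so that only cert-manager's identity can read `secret/data/platform/cloudflare`.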
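--- a/platform/staging/istio.yaml
+++ b/platform/staging/istio.yaml
@@ -95,13 +95,18 @@
 metadata:
   name: gateway
   namespace: istio-system # TODO dedicated namespace?
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
 spec:
   gatewayClassName: istio
   listeners:
-    - name: default
-      hostname: "*.staging.khuedoan.com" # TODO make this var/configurable
-      port: 80 # TODO HTTPS by default, only use HTTP for ACME HTTP-01
-      protocol: HTTP
+    - name: https
+      hostname: "*.staging.khuedoan.com"
+      port: 443
+      protocol: HTTPS
+      tls:
+        certificateRefs:
+          - name: wildcard-tls
       allowedRoutes:
         namespaces:
           from: All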
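Review bot: The new `https` listener keeps `allowedRoutes.namespaces.from: All` together with the wildcard hostname, so any namespace can attach an HTTPRoute for any `*.staging.khuedoan.com` name and have it served under the `wildcard-tls` certificate. Restricting attachment, for example `from: Selector` with a `selector.matchLabels` on an opt-in namespace label, keeps hostname claims to namespaces that were granted them. The listener also relies on the default TLS mode; writing `mode: Terminate` under `tls:` makes the intent explicit. The port 80 listener is removed without a replacement, so plain-HTTP clients get no redirect to HTTPS; if that is intended, a short comment on the listener would say so. The Gateway resource starts above the hunk.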