Refactor cert-manager and ExternalDNS configurations

- Updated the namespace for the internal wildcard certificate from 'internal' to 'cert-manager'. - Adjusted the DNS zone selectors in Let's Encrypt configurations to use CLOUDFLARE_DOMAIN consistently. - Changed the namespace for the wildcard certificate from 'default' to 'cert-manager'. - Modified ExternalDNS configuration to use OWNER_ID instead of CLUSTER_ID for TXT owner ID. - Cleaned up setup-cert-manager.sh by removing unnecessary internal namespace creation and secret duplication. - Updated certificate wait commands to reflect the new namespace structure. - Simplified the copying of certificates to the example-admin namespace. - Removed test service deployment from setup-externaldns.sh for a cleaner setup process.
2025-05-03 13:51:52 -07:00
parent 84376fb3d5
commit 21d89c2b79
10 changed files with 5683 additions and 44 deletions
--- a/infrastructure_setup/cert-manager/cert-manager.yaml
+++ b/infrastructure_setup/cert-manager/cert-manager.yaml
--- a/infrastructure_setup/cert-manager/internal-wildcard-certificate.yaml
+++ b/infrastructure_setup/cert-manager/internal-wildcard-certificate.yaml
@@ -3,7 +3,7 @@ apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: wildcard-internal-sovereign-cloud
-  namespace: internal
+  namespace: cert-manager
 spec:
  secretName: wildcard-internal-sovereign-cloud-tls
  dnsNames:
--- a/infrastructure_setup/cert-manager/letsencrypt-prod-dns01.yaml
+++ b/infrastructure_setup/cert-manager/letsencrypt-prod-dns01.yaml
@@ -19,7 +19,7 @@ spec:
            key: api-token
      selector:
        dnsZones:
-        - "${CLOUDFLARE_DOMAIN}" # This will cover all subdomains
+        - "${CLOUDFLARE_DOMAIN}"
    # Keep the HTTP-01 solver for non-wildcard certificates
    - http01:
        ingress:
--- a/infrastructure_setup/cert-manager/letsencrypt-staging-dns01.yaml
+++ b/infrastructure_setup/cert-manager/letsencrypt-staging-dns01.yaml
@@ -19,7 +19,7 @@ spec:
            key: api-token
      selector:
        dnsZones:
-        - "${DOMAIN}" # This will cover all subdomains
+        - "${CLOUDFLARE_DOMAIN}"
    # Keep the HTTP-01 solver for non-wildcard certificates
    - http01:
        ingress:
--- a/infrastructure_setup/cert-manager/wildcard-certificate.yaml
+++ b/infrastructure_setup/cert-manager/wildcard-certificate.yaml
@@ -3,7 +3,7 @@ apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: wildcard-sovereign-cloud
-  namespace: default
+  namespace: cert-manager
 spec:
  secretName: wildcard-sovereign-cloud-tls
  dnsNames:
--- a/infrastructure_setup/externaldns/externaldns.yaml
+++ b/infrastructure_setup/externaldns/externaldns.yaml
@@ -57,9 +57,9 @@ spec:
            - --source=service
            - --source=ingress
            - --provider=cloudflare
-            - --txt-owner-id=${CLUSTER_ID}
+            - --txt-owner-id=${OWNER_ID}
            - --log-level=debug
-            - --publish-internal-services # Also publish internal services
+            - --publish-internal-services
            - --no-cloudflare-proxied
          env:
            - name: CF_API_TOKEN
--- a/infrastructure_setup/setup-cert-manager.sh
+++ b/infrastructure_setup/setup-cert-manager.sh
@@ -39,23 +39,11 @@ if [[ -n "${CLOUDFLARE_API_TOKEN}" ]]; then
  kubectl create secret generic cloudflare-api-token \
    --namespace cert-manager \
    --from-literal=api-token="${CLOUDFLARE_API_TOKEN}" \
-    --dry-run=client -o yaml | kubectl apply -f -
-  
-  # Create internal namespace if it doesn't exist
-  echo "Creating internal namespace if it doesn't exist..."
-  kubectl create namespace internal --dry-run=client -o yaml | kubectl apply -f -
-  
-  # Create the same secret in the internal namespace
-  echo "Creating Cloudflare API token secret in internal namespace..."
-  kubectl create secret generic cloudflare-api-token \
-    --namespace internal \
-    --from-literal=api-token="${CLOUDFLARE_API_TOKEN}" \
-    --dry-run=client -o yaml | kubectl apply -f -
+    --dry-run=client -o yaml | kubectl apply -f -  
 else
  echo "Warning: CLOUDFLARE_API_TOKEN not set. DNS01 challenges will not work."
 fi

-# Apply Let's Encrypt issuers
 echo "Creating Let's Encrypt issuers..."
 cat ${SCRIPT_DIR}/cert-manager/letsencrypt-staging-dns01.yaml | envsubst | kubectl apply -f -
 cat ${SCRIPT_DIR}/cert-manager/letsencrypt-prod-dns01.yaml | envsubst | kubectl apply -f -
@@ -72,26 +60,22 @@ echo "Wildcard certificate creation initiated. This may take some time to comple

 # Wait for the certificates to be issued (with a timeout)
 echo "Waiting for wildcard certificates to be ready (this may take several minutes)..."
-kubectl wait --for=condition=Ready certificate wildcard-soverign-cloud -n default --timeout=300s || true
-kubectl wait --for=condition=Ready certificate wildcard-internal-sovereign-cloud -n internal --timeout=300s || true
+kubectl wait --for=condition=Ready certificate wildcard-internal-sovereign-cloud -n cert-manager --timeout=300s || true
+kubectl wait --for=condition=Ready certificate wildcard-sovereign-cloud -n cert-manager --timeout=300s || true

-# Copy the internal wildcard certificate to example-admin namespace
-echo "Copying internal wildcard certificate to example-admin namespace..."
+# Copy the certificates to necessary namespaces
+echo "Copying certificates to necessary namespaces..."
 if kubectl get namespace example-admin &>/dev/null; then
  # Create example-admin namespace if it doesn't exist
  kubectl create namespace example-admin --dry-run=client -o yaml | kubectl apply -f -
  
  # Get the internal wildcard certificate secret and copy it to example-admin namespace
-  if kubectl get secret wildcard-internal-sovereign-cloud-tls -n internal &>/dev/null; then
-    kubectl get secret wildcard-internal-sovereign-cloud-tls -n internal -o yaml | \
-      sed 's/namespace: internal/namespace: example-admin/' | \
-      kubectl apply -f -
-    echo "Certificate copied to example-admin namespace"
+  if kubectl get secret wildcard-internal-sovereign-cloud-tls -n cert-manager &>/dev/null; then
+    copy-secret cert-manager:wildcard-internal-sovereign-cloud-tls example-admin
+    echo "Internal certificate copied to example-admin namespace"
  else
    echo "Internal wildcard certificate not ready yet. Please manually copy it later with:"
-    echo "  kubectl get secret wildcard-internal-sovereign-cloud-tls -n internal -o yaml | \\"
-    echo "    sed 's/namespace: internal/namespace: example-admin/' | \\"
-    echo "    kubectl apply -f -"
+    echo "  copy-secret cert-manager:wildcard-internal-sovereign-cloud-tls example-admin"
  fi
 fi

--- a/infrastructure_setup/setup-externaldns.sh
+++ b/infrastructure_setup/setup-externaldns.sh
@@ -36,20 +36,8 @@ cat ${SCRIPT_DIR}/externaldns/externaldns.yaml | envsubst | kubectl apply -f -
 echo "Waiting for ExternalDNS to be ready..."
 kubectl rollout status deployment/external-dns -n externaldns --timeout=60s

-# Deploy test services if --test flag is provided
-if [[ "$1" == "--test" ]]; then
-  echo "Deploying test services to verify ExternalDNS..."
-  cat ${SCRIPT_DIR}/externaldns/test-service.yaml | envsubst | kubectl apply -f -
-  cat ${SCRIPT_DIR}/externaldns/test-cname-service.yaml | envsubst | kubectl apply -f -
-  
-  echo "Test services deployed at:"
-  echo "- test.${DOMAIN}"
-  echo "- test-cname.${DOMAIN} (CNAME record)"
-  echo "DNS records should be automatically created in Cloudflare within a few minutes."
-fi
-
 echo "ExternalDNS setup complete!"
 echo ""
 echo "To verify the installation:"
 echo "  kubectl get pods -n externaldns"
-echo "  kubectl logs -n externaldns -l app=external-dns -f"
+echo "  kubectl logs -n externaldns -l app=external-dns -f"