Refactor cert-manager and ExternalDNS configurations

- Updated the namespace for the internal wildcard certificate from 'internal' to 'cert-manager'. - Adjusted the DNS zone selectors in Let's Encrypt configurations to use CLOUDFLARE_DOMAIN consistently. - Changed the namespace for the wildcard certificate from 'default' to 'cert-manager'. - Modified ExternalDNS configuration to use OWNER_ID instead of CLUSTER_ID for TXT owner ID. - Cleaned up setup-cert-manager.sh by removing unnecessary internal namespace creation and secret duplication. - Updated certificate wait commands to reflect the new namespace structure. - Simplified the copying of certificates to the example-admin namespace. - Removed test service deployment from setup-externaldns.sh for a cleaner setup process.
2025-05-03 13:51:52 -07:00
parent 84376fb3d5
commit 21d89c2b79
10 changed files with 5683 additions and 44 deletions
--- a/bin/copy-secret
+++ b/bin/copy-secret
@@ -0,0 +1,41 @@
 #!/bin/bash
 # Check if at least secret and namespaces are provided
 if [ $# -lt 1 ]; then
  echo "Usage: $0 <source-namespace:secret-name> [namespace1 namespace2 ...]"
  exit 1
 fi
 # Parse secret and namespace
 SOURCE_INPUT="$1"
 shift
 # Split source input into namespace and secret name
 IFS=":" read -r SOURCE_NAMESPACE SECRET_NAME <<< "$SOURCE_INPUT"
 if [ -z "$SOURCE_NAMESPACE" ] || [ -z "$SECRET_NAME" ]; then
  echo "Error: Source must be in format namespace:secret-name"
  exit 1
 fi
 # Collect target namespaces
 if [ $# -gt 0 ]; then
  NAMESPACES=("$@")
 else
  echo "Enter target namespaces (space-separated), then press Ctrl+D:"
  read -a NAMESPACES
 fi
 for ns in "${NAMESPACES[@]}"; do
  echo "Copying secret '$SECRET_NAME' from namespace '$SOURCE_NAMESPACE' to namespace: '$ns'"
  # Delete the existing secret if it exists
  kubectl delete secret "$SECRET_NAME" -n "$ns" --ignore-not-found
  # Get the secret YAML, change the namespace, and apply it
  kubectl get secret "$SECRET_NAME" -n "$SOURCE_NAMESPACE" -o yaml \
    | sed "s/namespace: $SOURCE_NAMESPACE/namespace: $ns/" \
    | kubectl apply -n "$ns" -f -
 done
 echo "✅ Secret '$SECRET_NAME' copied successfully."
--- a/bin/deploy-service
+++ b/bin/deploy-service
@@ -127,6 +127,9 @@ if [[ -n "$NAMESPACE" ]]; then
  # Create the namespace if it doesn't exist (using kubectl create which is idempotent with --dry-run=client)
  echo "Creating namespace $NAMESPACE if it doesn't exist..."
  kubectl create namespace "$NAMESPACE" --dry-run=client | kubectl create -f - 2>/dev/null || true
  # Copy certificates to the namespace
  copy-secret cert-manager:wildcard-internal-sovereign-cloud-tls $NAMESPACE
  copy-secret cert-manager:wildcard-sovereign-cloud-tls $NAMESPACE
 fi
 # Apply the service
--- a/infrastructure_setup/cert-manager/cert-manager.yaml
+++ b/infrastructure_setup/cert-manager/cert-manager.yaml
--- a/infrastructure_setup/cert-manager/internal-wildcard-certificate.yaml
+++ b/infrastructure_setup/cert-manager/internal-wildcard-certificate.yaml
@@ -3,7 +3,7 @@ apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: wildcard-internal-sovereign-cloud
-  namespace: internal
+  namespace: cert-manager
 spec:
  secretName: wildcard-internal-sovereign-cloud-tls
  dnsNames:
--- a/infrastructure_setup/cert-manager/letsencrypt-prod-dns01.yaml
+++ b/infrastructure_setup/cert-manager/letsencrypt-prod-dns01.yaml
@@ -19,7 +19,7 @@ spec:
            key: api-token
      selector:
        dnsZones:
-        - "${CLOUDFLARE_DOMAIN}" # This will cover all subdomains
+        - "${CLOUDFLARE_DOMAIN}"
    # Keep the HTTP-01 solver for non-wildcard certificates
    - http01:
        ingress:
--- a/infrastructure_setup/cert-manager/letsencrypt-staging-dns01.yaml
+++ b/infrastructure_setup/cert-manager/letsencrypt-staging-dns01.yaml
@@ -19,7 +19,7 @@ spec:
            key: api-token
      selector:
        dnsZones:
-        - "${DOMAIN}" # This will cover all subdomains
+        - "${CLOUDFLARE_DOMAIN}"
    # Keep the HTTP-01 solver for non-wildcard certificates
    - http01:
        ingress:
--- a/infrastructure_setup/cert-manager/wildcard-certificate.yaml
+++ b/infrastructure_setup/cert-manager/wildcard-certificate.yaml
@@ -3,7 +3,7 @@ apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: wildcard-sovereign-cloud
-  namespace: default
+  namespace: cert-manager
 spec:
  secretName: wildcard-sovereign-cloud-tls
  dnsNames:
--- a/infrastructure_setup/externaldns/externaldns.yaml
+++ b/infrastructure_setup/externaldns/externaldns.yaml
@@ -57,9 +57,9 @@ spec:
            - --source=service
            - --source=ingress
            - --provider=cloudflare
-            - --txt-owner-id=${CLUSTER_ID}
+            - --txt-owner-id=${OWNER_ID}
            - --log-level=debug
-            - --publish-internal-services # Also publish internal services
+            - --publish-internal-services
            - --no-cloudflare-proxied
          env:
            - name: CF_API_TOKEN
--- a/infrastructure_setup/setup-cert-manager.sh
+++ b/infrastructure_setup/setup-cert-manager.sh
@@ -39,23 +39,11 @@ if [[ -n "${CLOUDFLARE_API_TOKEN}" ]]; then
  kubectl create secret generic cloudflare-api-token \
    --namespace cert-manager \
    --from-literal=api-token="${CLOUDFLARE_API_TOKEN}" \
-    --dry-run=client -o yaml | kubectl apply -f -
+    --dry-run=client -o yaml | kubectl apply -f -  
  # Create internal namespace if it doesn't exist
  echo "Creating internal namespace if it doesn't exist..."
  kubectl create namespace internal --dry-run=client -o yaml | kubectl apply -f -
  # Create the same secret in the internal namespace
  echo "Creating Cloudflare API token secret in internal namespace..."
  kubectl create secret generic cloudflare-api-token \
    --namespace internal \
    --from-literal=api-token="${CLOUDFLARE_API_TOKEN}" \
    --dry-run=client -o yaml | kubectl apply -f -
 else
  echo "Warning: CLOUDFLARE_API_TOKEN not set. DNS01 challenges will not work."
 fi
 # Apply Let's Encrypt issuers
 echo "Creating Let's Encrypt issuers..."
 cat ${SCRIPT_DIR}/cert-manager/letsencrypt-staging-dns01.yaml | envsubst | kubectl apply -f -
 cat ${SCRIPT_DIR}/cert-manager/letsencrypt-prod-dns01.yaml | envsubst | kubectl apply -f -
@@ -72,26 +60,22 @@ echo "Wildcard certificate creation initiated. This may take some time to comple
 # Wait for the certificates to be issued (with a timeout)
 echo "Waiting for wildcard certificates to be ready (this may take several minutes)..."
-kubectl wait --for=condition=Ready certificate wildcard-soverign-cloud -n default --timeout=300s || true
+kubectl wait --for=condition=Ready certificate wildcard-internal-sovereign-cloud -n cert-manager --timeout=300s || true
-kubectl wait --for=condition=Ready certificate wildcard-internal-sovereign-cloud -n internal --timeout=300s || true
+kubectl wait --for=condition=Ready certificate wildcard-sovereign-cloud -n cert-manager --timeout=300s || true
-# Copy the internal wildcard certificate to example-admin namespace
+# Copy the certificates to necessary namespaces
-echo "Copying internal wildcard certificate to example-admin namespace..."
+echo "Copying certificates to necessary namespaces..."
 if kubectl get namespace example-admin &>/dev/null; then
  # Create example-admin namespace if it doesn't exist
  kubectl create namespace example-admin --dry-run=client -o yaml | kubectl apply -f -
  # Get the internal wildcard certificate secret and copy it to example-admin namespace
-  if kubectl get secret wildcard-internal-sovereign-cloud-tls -n internal &>/dev/null; then
+  if kubectl get secret wildcard-internal-sovereign-cloud-tls -n cert-manager &>/dev/null; then
-    kubectl get secret wildcard-internal-sovereign-cloud-tls -n internal -o yaml | \
+    copy-secret cert-manager:wildcard-internal-sovereign-cloud-tls example-admin
-      sed 's/namespace: internal/namespace: example-admin/' | \
+    echo "Internal certificate copied to example-admin namespace"
      kubectl apply -f -
    echo "Certificate copied to example-admin namespace"
  else
    echo "Internal wildcard certificate not ready yet. Please manually copy it later with:"
-    echo "  kubectl get secret wildcard-internal-sovereign-cloud-tls -n internal -o yaml | \\"
+    echo "  copy-secret cert-manager:wildcard-internal-sovereign-cloud-tls example-admin"
    echo "    sed 's/namespace: internal/namespace: example-admin/' | \\"
    echo "    kubectl apply -f -"
  fi
 fi
--- a/infrastructure_setup/setup-externaldns.sh
+++ b/infrastructure_setup/setup-externaldns.sh
@@ -36,20 +36,8 @@ cat ${SCRIPT_DIR}/externaldns/externaldns.yaml | envsubst | kubectl apply -f -
 echo "Waiting for ExternalDNS to be ready..."
 kubectl rollout status deployment/external-dns -n externaldns --timeout=60s
 # Deploy test services if --test flag is provided
 if [[ "$1" == "--test" ]]; then
  echo "Deploying test services to verify ExternalDNS..."
  cat ${SCRIPT_DIR}/externaldns/test-service.yaml | envsubst | kubectl apply -f -
  cat ${SCRIPT_DIR}/externaldns/test-cname-service.yaml | envsubst | kubectl apply -f -
  echo "Test services deployed at:"
  echo "- test.${DOMAIN}"
  echo "- test-cname.${DOMAIN} (CNAME record)"
  echo "DNS records should be automatically created in Cloudflare within a few minutes."
 fi
 echo "ExternalDNS setup complete!"
 echo ""
 echo "To verify the installation:"
 echo "  kubectl get pods -n externaldns"
-echo "  kubectl logs -n externaldns -l app=external-dns -f"
+echo "  kubectl logs -n externaldns -l app=external-dns -f"