marcelo-ochoa / whoami-tls.yaml
Created June 22, 2021 13:56
whoami TLS / Let's Encrypt certificate generation test (Traefik IngressRoute)
# whoami-tls.yaml
# IngressRoute exposing the whoami test app on Traefik's TLS entry point only.
# NOTE(review): traefik.containo.us/v1alpha1 is the legacy Traefik v2 CRD group;
# newer Traefik releases serve these kinds under traefik.io/v1alpha1 — confirm
# against the CRDs installed in the cluster.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: app-tls
spec:
  # Only the HTTPS entry point: no plaintext route is created for this app.
  entryPoints:
    - websecure
  # NOTE(review): to obtain a Let's Encrypt certificate the route also needs a
  # `tls.certResolver` naming the resolver configured in traefik-values.yaml
  # (`le`); otherwise Traefik serves its default self-signed certificate. Whether
  # it is set is not visible here — this preview is cut off at the first rule.
  routes:
    - kind: Rule
marcelo-ochoa / whoami.yml
Created June 22, 2021 13:49
whoami Traefik test app (Deployment)
# whoami.yaml
# Single-replica Deployment of the whoami test app used for the TLS tests.
kind: Deployment
apiVersion: apps/v1
metadata:
  name: app-v1
spec:
  # One pod only: adequate for a certificate-issuance test, no redundancy beyond that.
  replicas: 1
  selector:
    matchLabels:
      app: app-v1
  # NOTE(review): the pod template (image, ports, securityContext) is beyond this
  # preview; even for a throwaway app prefer a pinned image tag and
  # runAsNonRoot / readOnlyRootFilesystem.
marcelo-ochoa / traefik-values.yaml
Created June 22, 2021 13:39
Traefik+LetsEncrypt configuration for Oracle OCI Kubernetes deployment
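# Helm values for the Traefik chart: Let's Encrypt via a certificate resolver
# named `le` using the TLS-ALPN-01 challenge, with ACME state on a persistent volume.
additionalArguments:
  # Contact address registered with the ACME account (expiry / incident notices).
  - --certificatesresolvers.le.acme.email=marcelo.ochoa@gmail.com
  # acme.json holds the ACME account key AND the private key of every issued
  # certificate; it lives on the persistent volume below and must stay mode 0600.
  - --certificatesresolvers.le.acme.storage=/data/acme.json
  # TLS-ALPN-01: validation happens on the TLS entry point (:443), so no HTTP
  # entry point has to be exposed for the challenge.
  - --certificatesresolvers.le.acme.tlschallenge=true
  # Removed: `--certificatesresolvers.le.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53`.
  # Custom resolvers only apply to the DNS-01 challenge, which is not enabled here
  # (no `dnschallenge.provider` and no provider credentials), so the flag had no
  # effect and only suggested a DNS-01 setup that does not exist.
  # NOTE(review): no `acme.caserver` is set, so this talks to production Let's
  # Encrypt; use the staging directory while testing to avoid its rate limits.
persistence:
  enabled: true
  path: /data
podSecurityContext:
  # Makes the mounted /data writable by the non-root Traefik process — presumably
  # the chart image's uid/gid; confirm it matches the running container.
  fsGroup: 65532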
# Test Ingress for the NGINX ingress controller with a cert-manager managed certificate.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-test
  annotations:
    # NOTE(review): with networking.k8s.io/v1 the controller is normally selected via
    # `spec.ingressClassName: nginx`; this annotation is the deprecated legacy form
    # and some controller versions no longer honour it — check which one the cluster uses.
    kubernetes.io/ingress.class: nginx
    # Staging issuer: certificates come from Let's Encrypt's staging CA, which is
    # not publicly trusted, so browsers will warn. Switch to the production
    # ClusterIssuer once issuance works.
    cert-manager.io/cluster-issuer: "letsencrypt-staging"
spec:
  rules:
    # NOTE(review): the `spec.tls` section (hosts + secretName) that cert-manager
    # needs in order to issue anything is beyond this preview.
    - host: www.example.com
marcelo-ochoa / letsencrypt-http01.yaml
Last active May 19, 2021 20:31
Sample production Let's Encrypt ClusterIssuer (HTTP-01)
# Production Let's Encrypt ClusterIssuer (cluster-scoped: any namespace may reference it).
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt
spec:
  acme:
    # Production directory: publicly trusted certificates, but strict rate limits —
    # iterate against the staging issuer first.
    server: https://acme-v02.api.letsencrypt.org/directory
    # Placeholder — replace with a monitored mailbox; Let's Encrypt sends expiry
    # and incident notices to it.
    email: user@example.com
    # The ACME account private key is stored in this Secret (in cert-manager's
    # namespace); anyone who can read it can act as the account, so scope RBAC
    # on that namespace accordingly.
    privateKeySecretRef:
      name: letsencrypt
    # NOTE(review): the `solvers:` list (http01 per the gist name) is beyond this preview.
marcelo-ochoa / letsencrypt-staging-http01.yaml
Last active May 19, 2021 20:31
Sample Let's Encrypt staging ClusterIssuer (HTTP-01)
# Staging Let's Encrypt ClusterIssuer: for testing issuance without consuming
# production rate limits. Certificates it issues are NOT browser-trusted.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # NOTE(review): the `server:` line is not in this preview. For this issuer it
    # must point at the staging directory
    # (https://acme-staging-v02.api.letsencrypt.org/directory); otherwise this is
    # just a second production issuer under a misleading name.
    # You must replace this email address with your own.
    # Let's Encrypt will use this to contact you about expiring
    # certificates, and issues related to your account.
    email: user@example.com
# Docker Compose service running a private Docker registry on the load-balancer network.
version: '3.6'
services:
  registry:
    # NOTE(review): `registry:2` is a floating major tag — pin a patch version or
    # a digest so upgrades are deliberate and reviewable.
    image: registry:2
    hostname: registry.mydomain.com
    # NOTE(review): nothing here enables authentication (REGISTRY_AUTH) or TLS on
    # the registry itself, so it relies entirely on whatever terminates TLS and
    # gates access on lb_network; anything that can reach the container directly
    # can pull and push images.
    networks:
      - lb_network
    # Image manifests and layers persist here.
    volumes:
      - data:/var/lib/registry
    # NOTE(review): the `lb_network` network and `data` volume are not declared in
    # this preview (presumably defined further down or marked `external: true`).
# Docker Compose file for the certbot-oci image. Shared service options live in an
# extension field with a YAML anchor so the services (beyond this preview) can
# merge them with `<<: *default-opts`.
version: '3.6'
x-default-opts:
  &default-opts
  # Locally built image (see the Dockerfile below); the tag tracks the certbot base version.
  image: certbot-oci:v1.10.1
  # /etc/letsencrypt holds the ACME account key and every issued private key —
  # keep this volume private and backed up.
  volumes:
    - certs-repo:/etc/letsencrypt
  environment:
    # Target OCI load balancer; placeholder — replace with the real OCID.
    OCID: ocid1.loadbalancer.oc1.iad.nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn
    # Single domain whose renewed certificate is pushed to the load balancer. The
    # deploy script builds /etc/letsencrypt/live/$RENEWED_DOMAINS/... from it, so
    # exactly one name must be given here.
    RENEWED_DOMAINS: dev-oci.mydomain.com
  deploy:
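#!/bin/sh
# Deploy hook: upload the freshly renewed Let's Encrypt certificate for
# $RENEWED_DOMAINS to the OCI load balancer $OCID and switch its HTTPS listener
# to the new certificate.
#
# Environment (both required; set in the compose file):
#   OCID             OCID of the target load balancer
#   RENEWED_DOMAINS  ONE domain name. It is used both in the certificate name and
#                    in the /etc/letsencrypt/live/<domain>/ path, so a
#                    space-separated list (what certbot exports for multi-domain
#                    lineages) would break the paths.
#
# Why this differs from the naive version: abort on the first failing command or
# unset variable instead of pointing the listener at a certificate that was never
# created; quote every expansion; pick the lineage counter with a glob instead of
# parsing `ls`; wait for the OCI work requests instead of a fixed 30 s sleep.
set -eu

: "${OCID:?OCID (load balancer OCID) must be set}"
: "${RENEWED_DOMAINS:?RENEWED_DOMAINS (a single domain) must be set}"

cd /etc/letsencrypt

live_dir="/etc/letsencrypt/live/$RENEWED_DOMAINS"
# Fail early if the lineage is not where we expect it (wrong domain / never issued).
if [ ! -r "$live_dir/fullchain.pem" ] || [ ! -r "$live_dir/privkey.pem" ]; then
  echo "certificate files not found under $live_dir" >&2
  exit 1
fi

# certbot stores one CSR per issuance under csr/ as <counter>_<name> (e.g.
# 0007_csr-certbot.pem). The highest counter identifies the newest issuance and
# keeps the load-balancer certificate name unique per renewal (names must be
# unique within a load balancer). Zero-padded counters sort correctly as strings,
# which is the same order `ls | tail -1` relied on.
cert_number=
for csr_file in csr/*; do
  [ -e "$csr_file" ] || continue
  cert_number=${csr_file#csr/}
done
cert_number=${cert_number%%_*}
if [ -z "$cert_number" ]; then
  echo "no CSR found under /etc/letsencrypt/csr" >&2
  exit 1
fi

cert_name="$RENEWED_DOMAINS-$cert_number"
echo "$cert_name"

# Upload the chain and private key under the new name. The create call is
# asynchronous; wait for its work request instead of sleeping.
oci lb certificate create \
  --load-balancer-id "$OCID" \
  --certificate-name "$cert_name" \
  --public-certificate-file "$live_dir/fullchain.pem" \
  --private-key-file "$live_dir/privkey.pem" \
  --wait-for-state SUCCEEDED

# Point the HTTPS listener at the new certificate. --force skips the interactive
# confirmation; the other listener settings are restated, presumably because the
# update replaces the whole listener definition.
# TODO(review): certificates from previous renewals are never deleted from the
# load balancer; prune them separately once the listener has moved on.
oci lb listener update --force \
  --listener-name lb_ssl \
  --default-backend-set-name bs_default \
  --port 443 \
  --protocol HTTP \
  --load-balancer-id "$OCID" \
  --ssl-certificate-name "$cert_name" \
  --wait-for-state SUCCEEDED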
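# certbot image extended with the OCI CLI (via requirements.txt) so the deploy
# hook can push renewed certificates to an OCI load balancer.
ARG VERSION=v1.10.1
FROM certbot/certbot:$VERSION

COPY requirements.txt ./
# Runtime libraries stay; the compiler and -dev headers are installed as a
# virtual package and removed once pip is done, so they are not part of the
# final image. --no-cache also avoids leaving the apk index in the layer
# (the previous `--update` did the opposite).
RUN apk add --no-cache libffi openssl \
    && apk add --no-cache --virtual .build-deps alpine-sdk libffi-dev openssl-dev \
    && pip install --no-cache-dir -r requirements.txt \
    && apk del .build-deps

# SECURITY: this bakes the OCI CLI config and the API signing private key into an
# image layer. Anyone who can pull the image (or read the build context / layer
# cache) obtains credentials for the tenancy. Prefer mounting ~/.oci at run time
# (compose volume or Docker secret) and keep oci/ out of version control. Left in
# place only so the existing compose setup keeps working.
COPY oci/* /root/.oci/
COPY *.sh /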