Set up ingress, issuer and patch with TLS
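// Reserve a static global IP so the GCE ingress / HTTPS load balancer keeps a stable
// address across re-creations; the ingress picks it up by name through the
// "kubernetes.io/ingress.global-static-ip-name" annotation.
const globalIP = new gcp.compute.GlobalAddress(`api-global-${projectEnv}`, {
  addressType: "EXTERNAL",
  // Fixed: the original template literal used `{gcp.config.project}` without the `$`,
  // so the literal braces ended up in the address description instead of the project id.
  description: `Use for Ingress/Load balancer for backend-API, project ${gcp.config.project}`,
});
// Exported stack output so the reserved address can be read back (e.g. to point the
// DNS record for domainHost at it).
export const ingressGlobalIP = globalIP.address;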
// cert-manager gets its own namespace on the target cluster.
const certManagerNamespace = `cert-manager-${projectEnv}`;
const certNS = new k8s.core.v1.Namespace(
  certManagerNamespace,
  { metadata: { name: certManagerNamespace } },
  { provider: clusterProvider },
);
// Install cert-manager through its Helm chart, including its CRDs (Issuer, Certificate, ...).
// skipAwait: true means Pulumi does not wait for the chart's workloads to become ready.
// NOTE(review): resources depending on certManager (the Issuer below) may therefore be
// submitted before the cert-manager webhook is serving — confirm this is tolerated on a
// first deploy.
const certManager = new certmanager.CertManager(
  "cert-manager",
  {
    installCRDs: true,
    helmOptions: {
      namespace: certNS.metadata.name,
      skipAwait: true,
    },
  },
  { provider: clusterProvider, dependsOn: certNS },
);
export const certManagerStatus = certManager.status;
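// Expose the API service through a GCE (Google Cloud) HTTP(S) load balancer bound to the
// static IP reserved above.
const ingress = new k8s.networking.v1.Ingress(`api-ingress-${projectEnv}`, {
  metadata: {
    namespace: appNs.metadata.name,
    annotations: {
      "kubernetes.io/ingress.class": "gce",
      // Plain HTTP stays enabled: the ACME http01 challenge used by the Issuer below is
      // answered over port 80, including on renewals.
      // NOTE(review): this also leaves the API reachable over plain HTTP after the
      // certificate is issued; add an HTTP->HTTPS redirect (e.g. a GKE FrontendConfig)
      // if that is not intended.
      "kubernetes.io/ingress.allow-http": "true",
      "kubernetes.io/ingress.global-static-ip-name": globalIP.name,
    },
    name: `api-ingress-${projectEnv}`,
  },
  spec: {
    rules: [
      {
        host: domainHost,
        http: {
          paths: [
            {
              // GCE ingress path matching; "/*" forwards everything under the host.
              path: "/*",
              pathType: "ImplementationSpecific",
              backend: {
                service: {
                  name: api_serviceService.metadata.name,
                  port: { number: 80 },
                },
              },
            },
          ],
        },
      },
    ],
  },
}, {
  // Fixed: every other cluster resource in this file targets clusterProvider; without it
  // this Ingress would be created through the default Kubernetes provider instead.
  provider: clusterProvider,
  dependsOn: [appNs, globalIP],
});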
// Pre-create the TLS Secret that cert-manager fills with the issued certificate and key;
// the ingress TLS block refers to it by name.
const tlsSecretName = `letsencrypt-cert-${projectEnv}`;
const issuerSecret = new k8s.core.v1.Secret(
  tlsSecretName,
  {
    metadata: {
      name: tlsSecretName,
      namespace: appNs.metadata.name,
    },
    // The kubernetes.io/tls type requires the tls.crt and tls.key entries to exist;
    // they are created empty and populated by cert-manager.
    type: "kubernetes.io/tls",
    stringData: {
      "tls.key": "",
      "tls.crt": "",
    },
    // NOTE(review): cert-manager writes the certificate into this Secret outside of
    // Pulumi, so the live object and Pulumi's recorded inputs diverge — check how
    // `pulumi refresh` / `pulumi up` treat that drift before relying on this pattern.
  },
  { provider: clusterProvider, dependsOn: [appNs] },
);
// Namespaced ACME Issuer for Let's Encrypt; cert-manager answers the http01 challenge
// through the ingress created above.
const acmeDirectory = "https://acme-v02.api.letsencrypt.org/directory";
const issuer = new k8s.apiextensions.CustomResource(
  `letsencrypt-issuer-${projectEnv}`,
  {
    apiVersion: "cert-manager.io/v1",
    kind: "Issuer",
    metadata: {
      namespace: appNs.metadata.name,
      name: `letsencrypt-issuer-${projectEnv}`,
    },
    spec: {
      acme: {
        // Production endpoint: issued certificates are publicly trusted, but Let's Encrypt
        // rate limits apply — prefer the staging directory while iterating on this setup.
        server: acmeDirectory,
        // Left blank in the gist; set it to receive expiry and incident notices.
        email: "",
        // Secret in which cert-manager stores the ACME account private key.
        privateKeySecretRef: {
          name: `letsencrypt-issuer-secret-${projectEnv}`,
        },
        solvers: [
          {
            // http01 needs domainHost to be reachable on port 80 via this ingress.
            http01: {
              ingress: { name: ingress.metadata.name },
            },
          },
        ],
      },
    },
  },
  { provider: clusterProvider, dependsOn: [certManager, ingress] },
);
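// Patch the ingress so the load balancer terminates TLS with the cert-manager-issued
// certificate. The "cert-manager.io/issuer" annotation makes cert-manager request a
// certificate for spec.tls[].hosts into spec.tls[].secretName using the Issuer above.
const patchIngress = new k8s.networking.v1.IngressPatch(`api-ingress-${projectEnv}`, {
  metadata: {
    annotations: {
      "cert-manager.io/issuer": issuer.metadata.name,
    },
    name: ingress.metadata.name,
    // Fixed: the Ingress lives in appNs; without an explicit namespace the patch targets
    // the provider's default namespace, where no such Ingress exists.
    namespace: appNs.metadata.name,
  },
  spec: {
    tls: [
      {
        hosts: [domainHost],
        secretName: issuerSecret.metadata.name,
      },
    ],
    // The rules are restated here because, per the author's observation, the patch is not
    // accepted without them; keep this copy in sync with the Ingress definition above.
    rules: [
      {
        host: domainHost,
        http: {
          paths: [
            {
              path: "/*",
              pathType: "ImplementationSpecific",
              backend: {
                service: {
                  name: api_serviceService.metadata.name,
                  port: { number: 80 },
                },
              },
            },
          ],
        },
      },
    ],
  },
}, {
  // Fixed: apply the patch through the same provider as the Ingress it targets, matching
  // the other cluster resources in this file.
  // NOTE(review): Pulumi *Patch resources rely on server-side apply — confirm it is
  // enabled on clusterProvider.
  provider: clusterProvider,
  dependsOn: [ingress],
});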