setup ingress, issuer and patch with tls
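// Reserve a static global IP so the GCE ingress (and the DNS record for
// domainHost) keep a stable address across ingress re-creations.
const globalIP = new gcp.compute.GlobalAddress(`api-global-${projectEnv}`, {
  addressType: "EXTERNAL",
  // `${...}` was missing here, so the description used to contain the literal
  // text "{gcp.config.project}" instead of the project id.
  description: `Use for Ingress/Load balancer for backend-API, project ${gcp.config.project}`,
});
export const ingressGlobalIP = globalIP.address;

// cert-manager gets its own namespace on the target cluster. installCRDs is
// required so the Issuer custom resource below is a kind the API server knows.
const certNS = new k8s.core.v1.Namespace(
  `cert-manager-${projectEnv}`,
  { metadata: { name: `cert-manager-${projectEnv}` } },
  { provider: clusterProvider },
);
const certManager = new certmanager.CertManager("cert-manager", {
  installCRDs: true,
  helmOptions: {
    namespace: certNS.metadata.name,
    // skipAwait: the chart's readiness is not awaited. The Issuer below only
    // has a creation-order dependency on `certManager`, so a first `up` can
    // race the CRD install; drop skipAwait if that bites.
    skipAwait: true,
  },
}, { provider: clusterProvider, dependsOn: certNS });
export const certManagerStatus = certManager.status;

// Routing rule for the API service. Built by a function (rather than a shared
// literal) because both the Ingress and the IngressPatch below need it and
// each should get its own object.
const apiHttpRule = () => ({
  host: domainHost,
  http: {
    paths: [
      {
        path: "/*",
        pathType: "ImplementationSpecific",
        backend: {
          service: {
            name: api_serviceService.metadata.name,
            port: { number: 80 },
          },
        },
      },
    ],
  },
});

// Ingress for the app. `provider: clusterProvider` is passed explicitly, as
// for every other Kubernetes resource here; the original omitted it on the
// Ingress and the IngressPatch, which would send them to the default provider.
const ingress = new k8s.networking.v1.Ingress(`api-ingress-${projectEnv}`, {
  metadata: {
    namespace: appNs.metadata.name,
    name: `api-ingress-${projectEnv}`,
    annotations: {
      "kubernetes.io/ingress.class": "gce",
      // HTTP must stay open so the ACME HTTP-01 solver can serve the
      // challenge through this ingress. It also means the API remains
      // reachable over cleartext after the certificate is issued; no HTTPS
      // redirect is configured in this file.
      "kubernetes.io/ingress.allow-http": "true",
      "kubernetes.io/ingress.global-static-ip-name": globalIP.name,
    },
  },
  spec: {
    rules: [apiHttpRule()],
  },
}, { provider: clusterProvider, dependsOn: [appNs, globalIP] });

// Placeholder TLS secret; cert-manager writes the issued key and certificate
// into it. ignoreChanges is intended to stop a later `pulumi up` from
// resetting the populated secret back to the empty values declared here —
// verify on the first refresh after issuance.
const issuerSecret = new k8s.core.v1.Secret(`letsencrypt-cert-${projectEnv}`, {
  metadata: {
    name: `letsencrypt-cert-${projectEnv}`,
    namespace: appNs.metadata.name,
  },
  type: "kubernetes.io/tls",
  stringData: {
    "tls.key": "",
    "tls.crt": "",
  },
}, {
  provider: clusterProvider,
  dependsOn: [appNs],
  ignoreChanges: ["stringData", "data"],
});

// ACME issuer (namespaced) using the HTTP-01 solver routed through the
// ingress created above.
const issuer = new k8s.apiextensions.CustomResource(`letsencrypt-issuer-${projectEnv}`, {
  apiVersion: "cert-manager.io/v1",
  kind: "Issuer",
  metadata: {
    namespace: appNs.metadata.name,
    name: `letsencrypt-issuer-${projectEnv}`,
  },
  spec: {
    acme: {
      // Production Let's Encrypt endpoint; it is rate-limited, so use the
      // staging directory while iterating on this setup.
      server: "https://acme-v02.api.letsencrypt.org/directory",
      // Left empty in the gist. Set a monitored contact address so expiry and
      // revocation notices from the CA reach someone.
      email: "",
      privateKeySecretRef: {
        name: `letsencrypt-issuer-secret-${projectEnv}`,
      },
      solvers: [
        {
          http01: {
            ingress: {
              name: ingress.metadata.name,
            },
          },
        },
      ],
    },
  },
}, { provider: clusterProvider, dependsOn: [certManager, ingress] });

// Patch the ingress with the TLS block and the issuer annotation so
// cert-manager's ingress-shim requests the certificate.
const patchIngress = new k8s.networking.v1.IngressPatch(`api-ingress-${projectEnv}`, {
  metadata: {
    // The patch must address the same namespace as the Ingress; the original
    // omitted it, which targets the "default" namespace instead.
    namespace: appNs.metadata.name,
    name: ingress.metadata.name,
    annotations: {
      "cert-manager.io/issuer": issuer.metadata.name,
    },
  },
  spec: {
    tls: [
      {
        hosts: [domainHost],
        secretName: issuerSecret.metadata.name,
      },
    ],
    // The API server rejects the patch without rules, so the rule is
    // repeated here.
    rules: [apiHttpRule()],
  },
}, { provider: clusterProvider, dependsOn: [ingress] });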