@wallyqs
Created June 25, 2020 20:56
NATS Helm Charts + Cert Manager
helm repo add jetstack https://charts.jetstack.io
# nats/nats chart repo (added here; the gist assumes it is already registered)
helm repo add nats https://nats-io.github.io/k8s/helm/charts/

kubectl create namespace cert-manager
helm install \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --version v0.15.1 \
  --set installCRDs=true

kubectl apply -f cert-manager.yaml
helm install nats -f nats.yaml nats/nats
# cert-manager.yaml
---
# Self-signed issuer, used only to bootstrap the internal CA below.
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: selfsigning
spec:
  selfSigned: {}
---
# The CA certificate; its Secret (nats-ca) backs the Issuer that signs the leaf certs.
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: nats-ca
spec:
  secretName: nats-ca
  duration: 8736h # 1 year
  renewBefore: 240h # 10 days
  issuerRef:
    name: selfsigning
    kind: ClusterIssuer
  commonName: nats-ca
  usages:
    - cert sign
  organization:
    - Your organization
  isCA: true
---
apiVersion: cert-manager.io/v1alpha2
kind: Issuer
metadata:
  name: nats-ca
spec:
  ca:
    secretName: nats-ca
---
# Server certificate presented to clients; SANs must match the name clients connect to.
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: nats-server-tls
spec:
  secretName: nats-server-tls
  duration: 2160h # 90 days
  renewBefore: 240h # 10 days
  issuerRef:
    name: nats-ca
    kind: Issuer
  usages:
    - signing
    - key encipherment
    - server auth
  organization:
    - Your organization
  commonName: nats.default.svc.cluster.local
  dnsNames:
    - nats.default.svc
---
# Route certificate; carries client auth as well because each server both dials
# and accepts route connections, and the wildcard covers every pod in the StatefulSet.
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: nats-routes-tls
spec:
  secretName: nats-routes-tls
  duration: 2160h # 90 days
  renewBefore: 240h # 10 days
  issuerRef:
    name: nats-ca
    kind: Issuer
  usages:
    - signing
    - key encipherment
    - server auth
    - client auth
  organization:
    - Your organization
  commonName: "*.nats.default.svc.cluster.local"
  dnsNames:
    - "*.nats.default.svc"
# nats.yaml
nats:
  logging:
    # trace prints the raw protocol, message payloads included; keep both off outside debugging
    debug: true
    trace: true
  tls:
    # keys inside the cert-manager-issued Secret; clients outside the cluster must trust this ca.crt
    secret:
      name: nats-server-tls
    ca: "ca.crt"
    cert: "tls.crt"
    key: "tls.key"
cluster:
  enabled: true
  tls:
    secret:
      name: nats-routes-tls
    ca: "ca.crt"
    cert: "tls.crt"
    key: "tls.key"
# Add system credentials to the nats-box instance for example
natsbox:
  enabled: true
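As an added example (not part of the gist, the NATS charts, or cert-manager), the POSIX shell script below rebuilds the same layout that cert-manager.yaml declares, a self-signed CA named nats-ca and two leaf certificates with the manifests' commonName, dnsNames and usages, using only openssl in a temporary directory, and then runs the checks that the nats.yaml TLS blocks depend on: each leaf chains to ca.crt, the DNS SANs match the service names, and only the routes certificate carries client auth. The helper names, file stems and the assumption of openssl 1.1.1 or newer on PATH are the example's own.

```shell
#!/bin/sh
# Added example, not from the gist: reproduce the self-signed root -> nats-ca ->
# leaf layout from cert-manager.yaml with plain openssl, then verify the
# properties the NATS TLS config relies on. No cluster access is needed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
ORG="Your organization"   # same placeholder as the manifests

# Self-signed CA, the equivalent of the nats-ca Certificate (isCA, cert sign).
make_ca() {
  cat > "$WORK/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = nats-ca
O = $ORG
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Leaf cert signed by the CA.  $1 = file stem, $2 = CN, $3 = subjectAltName list,
# $4 = extendedKeyUsage list (the usages: block of a Certificate).
issue_cert() {
  cat > "$WORK/$1.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $2
O = $ORG
EOF
  cat > "$WORK/$1.ext" <<EOF
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = $4
subjectAltName = $3
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/$1.cnf" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 90 -in "$WORK/$1.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# --- checks, usable on any PEM file, e.g. one pulled out of a Secret ---
verify_chain() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }   # $1 = CA, $2 = leaf
is_ca()        { openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; }
has_san() {    # exact match on one DNS SAN entry, so nats.default.svc != nats.default
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -A1 'Subject Alternative Name' \
    | tr ',' '\n' | tr -d ' ' | grep -Fxq "DNS:$2"
}
has_eku() {    # $2 as openssl prints it, e.g. "TLS Web Client Authentication"
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -A1 'Extended Key Usage' | grep -Fq "$2"
}

make_ca
issue_cert nats-server-tls "nats.default.svc.cluster.local" \
  "DNS:nats.default.svc.cluster.local,DNS:nats.default.svc" "serverAuth"
issue_cert nats-routes-tls "*.nats.default.svc.cluster.local" \
  "DNS:*.nats.default.svc.cluster.local,DNS:*.nats.default.svc" "serverAuth,clientAuth"

for stem in nats-server-tls nats-routes-tls; do
  verify_chain "$WORK/ca.crt" "$WORK/$stem.crt" && echo "$stem: chains to nats-ca" \
    || echo "$stem: does NOT chain to nats-ca"
  has_eku "$WORK/$stem.crt" "TLS Web Client Authentication" \
    && echo "$stem: client auth present" || echo "$stem: client auth absent"
done
```

To run the same checks on what cert-manager actually issued, pull the PEMs out of the Secrets the manifests name, for example `kubectl get secret nats-server-tls -o jsonpath='{.data.tls\.crt}' | base64 -d > tls.crt` and likewise for the `ca.crt` key, then call `verify_chain ca.crt tls.crt` and `has_san tls.crt nats.default.svc`. A leaf that does not chain to the `ca.crt` in its own Secret, or that lacks the name clients actually connect to, is issued without complaint by cert-manager and only shows up later as TLS handshake failures between clients and servers.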
jseiser commented Jun 6, 2024

@wallyqs

Any chance you could extend this to show TLS w/ leaf nodes and nats box? I'm just unsure about the commonName/dnsNames for these, especially if something like the leafnode will be exposed via a NLB in AWS.

  commonName: "*.nats.default.svc.cluster.local"
  dnsNames:
  - "*.nats.default.svc"
