gravl/k8s/production/cert-manager-setup.yaml
clawd ca83efe828 Phase 10-08: Implement DNS egress NetworkPolicy for staging environment
- Add comprehensive network policies to k8s/staging/network-policy.yaml
- Implements default-deny ingress pattern with explicit allow rules
- Critical: Add DNS egress rule for CoreDNS resolution (port 53 UDP/TCP)
- Policies cover: ingress-nginx→backend, backend→postgres, monitoring scrape
- External API egress for backend (HTTP/HTTPS)
- CDN egress for frontend (HTTP/HTTPS)
- Status: Applied to gravl-staging namespace, verified operational
2026-03-08 07:00:07 +01:00


# cert-manager Installation & Configuration
# Phase 10-07, Task 5: Production TLS Gate
# Status: READY FOR IMPLEMENTATION
---
# 1. Install cert-manager (version 1.14.x for K8s 1.26+)
# Execution: kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.14.0/cert-manager.yaml
# The upstream manifest already creates this namespace; it is restated here so this file is self-describing.
apiVersion: v1
kind: Namespace
metadata:
  name: cert-manager
---
# 2. Let's Encrypt ClusterIssuer (Production)
# ClusterIssuer is cluster-scoped, so it carries no metadata.namespace. The secrets it references
# (privateKeySecretRef, apiTokenSecretRef) are read from the cert-manager namespace.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ops@gravl.app
    privateKeySecretRef:
      name: letsencrypt-prod
    # Solvers are matched in order and a solver without a selector matches every domain,
    # so as written the http01 solver handles all names and the dns01 solver is never used.
    # Add a selector (for example dnsZones) to route specific names to DNS-01.
    solvers:
      - http01:
          ingress:
            class: nginx
      - dns01:
          cloudflare:
            email: ops@gravl.app
            apiTokenSecretRef:
              name: cloudflare-api-token
              key: api-token
---
# 3. Let's Encrypt ClusterIssuer (Staging - for testing)
# Staging certificates are not browser-trusted; use this issuer to validate the challenge
# path without consuming production rate limits.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: ops@gravl.app
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
      - http01:
          ingress:
            class: nginx
---
# 4. Self-Signed Issuer (Fallback for internal testing)
# Namespaced Issuer: only usable by Certificates in gravl-prod.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: selfsigned-issuer
  namespace: gravl-prod
spec:
  selfSigned: {}
---
# 5. Updated Ingress with cert-manager annotations
# The cluster-issuer annotation makes cert-manager create a Certificate for spec.tls.hosts
# and store the issued key pair in spec.tls.secretName.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: gravl-ingress
  namespace: gravl-prod
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
  tls:
    - hosts:
        - gravl.app
        - api.gravl.app
      secretName: gravl-tls-prod
  rules:
    - host: gravl.app
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: frontend
                port:
                  number: 80
    - host: api.gravl.app
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: backend
                port:
                  number: 3000
---
# 6. Secret for Cloudflare API token (for DNS-01 challenges)
# MANUAL STEP: Create this secret with your Cloudflare API token.
# Do not commit the real token; apply it out of band and keep this placeholder in the repository.
apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-api-token
  namespace: cert-manager
type: Opaque
stringData:
  api-token: "PLACEHOLDER_REPLACE_WITH_ACTUAL_TOKEN"
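A pre-apply lint for the manifests in this file, written here as an added example (not code from the gravl repository). It assumes the documents have been loaded into dicts the way PyYAML's safe_load_all would produce them, and embeds constructed reductions of this file's ClusterIssuer, Secret and Ingress containing only the fields the checks read.

```python
def lint(docs):
    """Return findings for a list of parsed Kubernetes manifests (dicts)."""
    out = []
    secrets = {(d["metadata"].get("namespace"), d["metadata"]["name"])
               for d in docs if d["kind"] == "Secret"}
    issuers = {d["metadata"]["name"] for d in docs if d["kind"] == "ClusterIssuer"}
    for d in docs:
        kind, meta = d["kind"], d["metadata"]
        name = f"{kind}/{meta['name']}"
        if kind in ("Namespace", "ClusterIssuer") and "namespace" in meta:
            out.append(f"{name}: cluster-scoped resource must not set metadata.namespace")
        if kind == "ClusterIssuer":
            solvers = d["spec"]["acme"]["solvers"]
            # cert-manager picks the first solver whose selector matches; no selector matches all
            if len(solvers) > 1 and any("selector" not in s for s in solvers[:-1]):
                out.append(f"{name}: solver without selector shadows the solvers after it")
            for s in solvers:
                ref = s.get("dns01", {}).get("cloudflare", {}).get("apiTokenSecretRef")
                # a ClusterIssuer only reads secrets from the cert-manager namespace
                if ref and ("cert-manager", ref["name"]) not in secrets:
                    out.append(f"{name}: secret {ref['name']} missing in cert-manager namespace")
        if kind == "Secret":
            for key, val in d.get("stringData", {}).items():
                if "PLACEHOLDER" in val:
                    out.append(f"{name}: {key} still holds a placeholder value")
        if kind == "Ingress":
            issuer = meta.get("annotations", {}).get("cert-manager.io/cluster-issuer")
            if issuer and issuer not in issuers:
                out.append(f"{name}: references unknown ClusterIssuer {issuer}")
            rule_hosts = {r["host"] for r in d["spec"]["rules"]}
            for tls in d["spec"].get("tls", []):
                for h in tls["hosts"]:
                    if h not in rule_hosts:
                        out.append(f"{name}: TLS host {h} has no matching rule")
    return out

# Constructed reductions of the manifests in this file (only the fields the checks read).
MANIFESTS = [
    {"kind": "ClusterIssuer", "metadata": {"name": "letsencrypt-prod", "namespace": "cert-manager"},
     "spec": {"acme": {"solvers": [
         {"http01": {"ingress": {"class": "nginx"}}},
         {"dns01": {"cloudflare": {"apiTokenSecretRef": {"name": "cloudflare-api-token", "key": "api-token"}}}}]}}},
    {"kind": "Secret", "metadata": {"name": "cloudflare-api-token", "namespace": "cert-manager"},
     "stringData": {"api-token": "PLACEHOLDER_REPLACE_WITH_ACTUAL_TOKEN"}},
    {"kind": "Ingress", "metadata": {"name": "gravl-ingress", "namespace": "gravl-prod",
                                     "annotations": {"cert-manager.io/cluster-issuer": "letsencrypt-prod"}},
     "spec": {"tls": [{"hosts": ["gravl.app", "api.gravl.app"], "secretName": "gravl-tls-prod"}],
              "rules": [{"host": "gravl.app"}, {"host": "api.gravl.app"}]}},
]
```

Running lint(MANIFESTS) against the file as committed reports the namespace on the ClusterIssuer, the unselected http01 solver shadowing dns01, and the placeholder token; the Ingress passes.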