# HG changeset patch
# User drewp@bigasterisk.com
# Date 2022-09-14 05:32:50
# Node ID 9d3a9e524ad3e5c2832418d6d92b174b1a6d2ec5
# Parent 6bf6438293305c2269ac995ca728ea42a942f4fd
fuss with ns and stuff to get it working. forward all (over http) to nginx at first
diff --git a/ingress-default.yaml b/ingress-default.yaml
new file mode 100644
--- /dev/null
+++ b/ingress-default.yaml
@@ -0,0 +1,19 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: default
+ annotations:
+ cert-manager.io/issuer: letsencrypt-prod
+ ingress.pomerium.io/allow_public_unauthenticated_access: "true"
+ ingress.pomerium.io/pass_identity_headers: "true"
+ ingress.pomerium.io/preserve_host_header: "true"
+spec:
+ ingressClassName: pomerium
+ rules:
+ - host: "bigasterisk.com"
+ http:
+ paths:
+ - { pathType: Prefix, path: /, backend: { service: { name: nginx, port: { number: 11444 } } } }
+ tls:
+ - hosts: [bigasterisk.com]
+ secretName: bigasterisk.com-tls
diff --git a/kube/10-pomerium.yaml b/kube/10-pomerium.yaml
--- a/kube/10-pomerium.yaml
+++ b/kube/10-pomerium.yaml
@@ -12,5 +12,6 @@ spec:
refreshDirectory:
interval: "10h"
timeout: "10s"
- certificates:
- - pomerium/pomerium-proxy-tls
+ # Note pom won't start up if this cert doesn't exist, so you have to run once
+ # with it commented out, then after cert success, run again with it enabled.
+ certificates: [pomerium/pomerium-proxy-tls]
diff --git a/kube/51-pomerium-production-issuer.yaml b/kube/51-pomerium-production-issuer.yaml
--- a/kube/51-pomerium-production-issuer.yaml
+++ b/kube/51-pomerium-production-issuer.yaml
@@ -2,7 +2,7 @@ apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: letsencrypt-prod
- namespace: pomerium
+ namespace: default
spec:
acme:
# The ACME server URL
@@ -14,6 +14,6 @@ spec:
name: letsencrypt-prod
# Enable the HTTP-01 challenge provider
solvers:
- - http01:
- ingress:
- class: pomerium
+ - http01:
+ ingress:
+ class: pomerium
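Review bot: The new Ingress in `ingress-default.yaml` has no `metadata.namespace`, yet its `cert-manager.io/issuer: letsencrypt-prod` annotation names an `Issuer`, which cert-manager resolves only within the Ingress's own namespace; this same commit moves that Issuer to `default`, so unless the Ingress is pinned with `namespace: default` under `metadata` (or always applied in that context) the `bigasterisk.com-tls` secret is likely never issued. The one-line flow mapping for the `paths` entry hides the backend structure and diffs poorly; block style reads better. `allow_public_unauthenticated_access: "true"` on a `/` prefix for the whole host is the transitional catch-all the commit message describes, so a comment above it such as `# TEMPORARY: whole host forwarded to nginx unauthenticated during migration; remove once per-route policy exists` would keep it from outliving the migration. Quoting is also inconsistent between `host: "bigasterisk.com"` and `hosts: [bigasterisk.com]`.
```yaml
metadata:
  name: default
  namespace: default
  # … unchanged: annotations …
spec:
  # … unchanged: ingressClassName, rules/host/http …
        paths:
          - pathType: Prefix
            path: /
            backend:
              service:
                name: nginx
                port:
                  number: 11444
  # … unchanged: tls …
```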
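Review bot: The comment added in `kube/10-pomerium.yaml` says "this cert" without naming the resource, and the two-pass procedure it describes is not reflected in `switch_to_pomerium.sh`, which this commit makes apply `kube/10-pomerium.yaml` unconditionally. Naming the Secret and where it comes from lets a reader act on it: `# Pomerium will not start while Secret pomerium/pomerium-proxy-tls (issued via kube/60-auth-cert.yaml) is missing:` / `# apply once with the next line commented out, then re-enable it after the Certificate is Ready.` The switch to the single-element flow list `[pomerium/pomerium-proxy-tls]` is fine for a leaf value; the enclosing `spec` mapping starts above the hunk.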
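Review bot: Moving `letsencrypt-prod` from `namespace: pomerium` to `namespace: default` in `kube/51-pomerium-production-issuer.yaml` leaves nothing visible in this diff for `kube/60-auth-cert.yaml` to reference: that Certificate lives in `namespace: pomerium` with `issuerRef: kind: Issuer, name: letsencrypt-prod`, and a cert-manager `Issuer` is namespace-scoped, so the reference can only resolve if another Issuer of that name exists in `pomerium` outside this diff. Either keep an Issuer in `pomerium` (the first hunk of `kube/51-pomerium-staging-issuer.yaml` makes the identical move) or use a cluster-wide one — `kind: ClusterIssuer` with no `namespace` here, `issuerRef.kind: ClusterIssuer` in the Certificate, and `cert-manager.io/cluster-issuer` on the new Ingress. The second hunk in this file only re-indents the `solvers` list and needs no change.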
diff --git a/kube/51-pomerium-staging-issuer.yaml b/kube/51-pomerium-staging-issuer.yaml
--- a/kube/51-pomerium-staging-issuer.yaml
+++ b/kube/51-pomerium-staging-issuer.yaml
@@ -2,7 +2,7 @@ apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: letsencrypt-staging
- namespace: pomerium
+ namespace: default
spec:
acme:
# The ACME server URL
@@ -16,4 +16,4 @@ spec:
solvers:
- http01:
ingress:
- class: pomerium
\ No newline at end of file
+ class: pomerium
diff --git a/kube/60-auth-cert.yaml b/kube/60-auth-cert.yaml
new file mode 100644
--- /dev/null
+++ b/kube/60-auth-cert.yaml
@@ -0,0 +1,12 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: pomerium-proxy-tls
+ namespace: pomerium
+spec:
+ dnsNames:
+ - 'authenticate.bigasterisk.com'
+ issuerRef:
+ kind: Issuer
+ name: letsencrypt-prod
+ secretName: pomerium-proxy-tls
\ No newline at end of file
diff --git a/switch_to_nginx.sh b/switch_to_nginx.sh
--- a/switch_to_nginx.sh
+++ b/switch_to_nginx.sh
@@ -1,7 +1,11 @@
#!/bin/zsh
cd /my/serv/pomerium
-kubectl delete -f kube
+
+# not all this, since it includes Certs and also the ns and CRD for the Certs
+kubectl delete -f kube/10-pomerium.yaml
+kubectl delete -f kube/20-deployment.yaml
+kubectl delete -f kube/03-volumes.yaml
cd /my/serv/nginx
/my/proj/release/env/bin/invoke run
diff --git a/switch_to_pomerium.sh b/switch_to_pomerium.sh
--- a/switch_to_pomerium.sh
+++ b/switch_to_pomerium.sh
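Review bot: In `switch_to_nginx.sh` neither `set -e` nor a check on `cd /my/serv/pomerium` precedes the three new `kubectl delete -f kube/...` lines, so if the `cd` fails the relative paths resolve in the caller's directory and the script still goes on to `cd /my/serv/nginx` and `invoke run`; the hunk in `switch_to_pomerium.sh` in this commit has the same shape. `set -e` after the shebang, or `cd /my/serv/pomerium || exit 1`, stops the script at the first failure. The comment `# not all this, since it includes Certs and also the ns and CRD for the Certs` is clearer as `# deliberately not 'kubectl delete -f kube': that directory also holds the Certs plus the ns and CRD they need`.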
@@ -1,9 +1,10 @@
#!/bin/zsh
-cd /my/serv/nginx
-skaffold delete -f wrapped_skaffold.yaml
+#cd /my/serv/nginx
+#skaffold delete -f wrapped_skaffold.yaml
+
cd /my/serv/pomerium
-kubectl apply -f kube/
-#kubectl create secret tls megasecond-club-tls --namespace=pomerium --cert=./megasecond.club.pem --key=./megasecond.club-key.pem
-#kubectl create secret tls photo-bigasterisk-com-tls --namespace=pomerium --cert=./photo.bigasterisk.com.pem --key=./photo.bigasterisk.com-key.pem
+kubectl apply -f kube/03-volumes.yaml
+kubectl apply -f kube/10-pomerium.yaml
+kubectl apply -f kube/20-deployment.yaml
\ No newline at end of file
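Review bot: `switch_to_pomerium.sh` now applies only `kube/03-volumes.yaml`, `kube/10-pomerium.yaml` and `kube/20-deployment.yaml`, so the issuers (`kube/51-*`) and `kube/60-auth-cert.yaml` that this commit adds or changes are never applied by it, and `10-pomerium.yaml` is applied with `certificates` enabled on every run, which contradicts the two-pass note that file gains in the same commit. A comment making the manual steps explicit, e.g. `# kube/51-* issuers and kube/60-auth-cert.yaml are applied by hand; see the certificates note in kube/10-pomerium.yaml`, would record that. The commented-out `#cd /my/serv/nginx` / `#skaffold delete` lines could be dropped rather than kept, and the last `kubectl apply` line now has no trailing newline.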