From ba893ad46d58d402a4faa9399c0531323e5ec085 Mon Sep 17 00:00:00 2001
From: Golda Velez
Date: Thu, 3 Oct 2024 14:50:33 -0700
Subject: [PATCH 1/9] feat: use cert manager not static files
---
 k8s/base/composedb/daemon-config.json | 9 ++-
 k8s/cert-ingress/README.md | 76 ++++++++++++-------
 k8s/cert-ingress/ingress.yaml | 17 +----
 k8s/cert-ingress/kustomization.yaml | 6 +-
 k8s/cert-ingress/static-files-deployment.yaml | 27 -------
 k8s/cert-ingress/static-files-service.yaml | 13 ----
 6 files changed, 62 insertions(+), 86 deletions(-)
 delete mode 100644 k8s/cert-ingress/static-files-deployment.yaml
 delete mode 100644 k8s/cert-ingress/static-files-service.yaml
diff --git a/k8s/base/composedb/daemon-config.json b/k8s/base/composedb/daemon-config.json
index 36f811b..301fa7f 100644
--- a/k8s/base/composedb/daemon-config.json
+++ b/k8s/base/composedb/daemon-config.json
@@ -17,12 +17,15 @@
 "log-to-files": false
 },
 "metrics": {
- "metrics-exporter-enabled": false
+ "metrics-exporter-enabled": false,
+ "metrics-publisher-enabled": true
 },
 "network": {
 "name": "${CERAMIC_NETWORK}"
 },
- "node": {},
+ "node": {
+ "privateSeedUrl": "inplace:ed25519#fe7728465b2dec4878912851013e17ca7ea903bdb630ea08518fc8b801167e57"
+ },
 "state-store": {
 "mode": "fs",
 "local-directory": "${CERAMIC_STATE_STORE_PATH}"
@@ -31,4 +34,4 @@
 "db": "postgres://${CERAMIC_INDEXING_DB_USERNAME}:${CERAMIC_INDEXING_DB_PASSWORD}@postgres/ceramic",
 "allow-queries-before-historical-sync": true
 }
-}
\ No newline at end of file
+}
diff --git a/k8s/cert-ingress/README.md b/k8s/cert-ingress/README.md
index 39526b1..4a7152e 100644
--- a/k8s/cert-ingress/README.md
+++ b/k8s/cert-ingress/README.md
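Review bot: The new `node.privateSeedUrl` in the daemon-config.json hunk inlines a literal ed25519 seed (`inplace:ed25519#fe77…`) into a base manifest, so every node deployed from this repository shares one identity key and that key is now public in git history. The same file already takes deployment-specific values from the environment (`${CERAMIC_NETWORK}`, `${CERAMIC_STATE_STORE_PATH}`, the indexing DB credentials), so the seed should be supplied the same way from a Kubernetes Secret, e.g. `"privateSeedUrl": "${CERAMIC_PRIVATE_SEED_URL}"` (variable name chosen here, not taken from the repo). Any node that has already started with the committed seed should be given a freshly generated one; removing the value in a later commit does not help because the patch series has already been distributed with it. A one-line comment is not possible in JSON, so the README for this directory should state that the seed must be generated per node and never committed.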
@@ -1,43 +1,61 @@ -## Configuring domain name and SSL cert for your composedb node +# Configuring Domain Name and Automatic SSL Cert for Your ComposeDB Node -### Remove the default load balancer +## Prerequisites +- A Kubernetes cluster (e.g., on DigitalOcean) +- `kubectl` configured to interact with your cluster +- A domain name pointed to your cluster's IP address -We are going to replace the load balancer that was installed with an ingress controller and related services +## Setup Steps -`kubectl delete -f k8s/base/composedb/do-lb.yaml` +### 1. Remove the default load balancer +Replace the existing load balancer with an ingress controller: +(this step assumes a digital ocean load balancer, adjust for your configuration) -### Install an ingress controller - -If you have not already done so, install the ingress controller to your cluster - -`kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.0/deploy/static/provider/do/deploy.yaml` - -### Apply the ingress and related services - -The resources in this deployment may be deployed from the repository root like so - -``` -kubectl apply -k k8s/cert-ingress/ +```bash +kubectl delete -f k8s/base/composedb/do-lb.yaml ``` -This will spin up the ingress and the static file server. You may remove the static file server if it is not needed for your configuration. +### 2. Install the NGINX Ingress Controller +If not already installed, add the NGINX ingress controller to your cluster: -### If you need to get a cert +```bash +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.2/deploy/static/provider/do/deploy.yaml +``` -You may need to return a challenge file. In this case you will use the static server -that is included in this deployment, and configure its files like so +### 3. 
Install cert-manager +cert-manager will automatically manage and renew SSL certificates: +```bash +kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.12.0/cert-manager.yaml ``` -mkdir -p .well-known/acme-challenge -# place the challenge file in this directory, then -kubectl create configmap acme-challenge --from-file=.well-known/acme-challenge/ --namespace=ceramic -``` -Follow the instructions from your cert provider to get your TLS certificate and private key. -Place them in files such as `fullchain.pem` and `privkey.pem` +### 4. Update Configuration Files +1. Edit `ingress.yaml`: + - Replace `your-domain.com` with your actual domain name. +2. Edit `letsencrypt-issuer.yaml`: + - Replace `your-email@example.com` with your actual email address. -Then run +### 5. Apply the Ingress and Related Services +From the repository root, run: +```bash +kubectl apply -k k8s/cert-ingress/ ``` -kubectl create secret tls ceramic-tls-secret --cert=fullchain.pem --key=privkey.pem -``` + +This will set up the ingress, ClusterIP service, and cert-manager configurations. + +### 6. Verify the Setup +1. Check that the ingress has been created: + ```bash + kubectl get ingress -n ceramic + ``` +2. Verify that cert-manager has issued a certificate: + ```bash + kubectl get certificates -n ceramic + ``` +3. Once the certificate is ready, you should be able to access your ComposeDB node securely via HTTPS at your domain. + +## Notes +- SSL certificates will be automatically obtained and renewed by cert-manager. +- If you need to make changes, modify the relevant files in the `k8s/cert-ingress/` directory and reapply using `kubectl apply -k k8s/cert-ingress/`. +- Ensure your domain's DNS is properly configured to point to your cluster's IP address. diff --git a/k8s/cert-ingress/ingress.yaml b/k8s/cert-ingress/ingress.yaml index 0a18b62..aec1b2d 100644 --- a/k8s/cert-ingress/ingress.yaml +++ b/k8s/cert-ingress/ingress.yaml 
@@ -4,25 +4,17 @@ metadata: name: composedb-ingress namespace: ceramic annotations: - cert-manager.io/cluster-issuer: "letsencrypt-prod" # if you're using cert-manager for SSL + kubernetes.io/ingress.class: nginx + cert-manager.io/cluster-issuer: "letsencrypt-prod" spec: - ingressClassName: nginx tls: - hosts: - - "example.com" - # this is where the SSL certificate should be stored + - "your-domain.com" # Replace with your actual domain secretName: ceramic-tls-secret rules: - - host: "example.com" + - host: "your-domain.com" # Replace with your actual domain http: paths: - - path: /.well-known/acme-challenge - pathType: Prefix - backend: - service: - name: static-files-service # Your service name for static files - port: - number: 80 - path: / pathType: Prefix backend: @@ -30,4 +22,3 @@ spec: name: composedb port: number: 7007 - diff --git a/k8s/cert-ingress/kustomization.yaml b/k8s/cert-ingress/kustomization.yaml index e86f73f..2f98361 100644 --- a/k8s/cert-ingress/kustomization.yaml +++ b/k8s/cert-ingress/kustomization.yaml @@ -1,3 +1,7 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization resources: + - cluster-ip.yaml - ingress.yaml - - static-file-service.yaml + - letsencrypt-issuer.yaml +namespace: ceramic diff --git a/k8s/cert-ingress/static-files-deployment.yaml b/k8s/cert-ingress/static-files-deployment.yaml deleted file mode 100644 index 4d31430..0000000 --- a/k8s/cert-ingress/static-files-deployment.yaml +++ /dev/null @@ -1,27 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: static-files - namespace: ceramic -spec: - replicas: 1 - selector: - matchLabels: - app: static-files - template: - metadata: - labels: - app: static-files - spec: - containers: - - name: nginx - image: nginx:alpine - volumeMounts: - - name: acme-challenge - mountPath: /usr/share/nginx/html/.well-known/acme-challenge - readOnly: true - volumes: - - name: acme-challenge - configMap: - name: acme-challenge - 
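Review bot: The ingress.yaml hunk removes `spec.ingressClassName: nginx` and replaces it with the `kubernetes.io/ingress.class: nginx` annotation, which is the deprecated form of the same selection (deprecated since Kubernetes 1.18); ingress-nginx 1.8 still honors the annotation, but `ingressClassName: nginx` under `spec:` is the supported field and matches the `IngressClass` named `nginx` that the controller manifest creates, so I would keep the original line and add only the `cert-manager.io/cluster-issuer` annotation. Dropping the explicit `/.well-known/acme-challenge` path and the static-files backend is consistent with the move to cert-manager, whose HTTP-01 solver provisions its own temporary challenge ingress, so nothing else in the hunk needs the static server. The enclosing Ingress object starts before this hunk (its `metadata:` block is only partially shown).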
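Review bot: The kustomization.yaml hunk lists `cluster-ip.yaml` and `letsencrypt-issuer.yaml` as resources, but this patch creates neither — `letsencrypt-issuer.yaml` first appears as a new file in patch 3/9 — so `kubectl apply -k k8s/cert-ingress/`, which the README in this same patch tells users to run, fails with a missing-resource error at this commit. `cluster-ip.yaml` is modified in patch 3 against an existing blob, so it presumably already exists and is not affected. Either move the issuer file into this commit or add the `- letsencrypt-issuer.yaml` entry in the commit that creates it, so each commit in the series applies on its own.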
diff --git a/k8s/cert-ingress/static-files-service.yaml b/k8s/cert-ingress/static-files-service.yaml deleted file mode 100644 index 1c6d310..0000000 --- a/k8s/cert-ingress/static-files-service.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: static-files-service - namespace: ceramic -spec: - type: ClusterIP - selector: - app: static-files - ports: - - port: 80 - targetPort: 80 - From fffc8e6a9deacd4e0b41b76d3c42e44503cc05d3 Mon Sep 17 00:00:00 2001 From: Golda Velez Date: Mon, 7 Oct 2024 13:55:07 -0700 Subject: [PATCH 2/9] fix: remove hardcoded version from naming --- k8s/base/ceramic-one/README.md | 2 +- k8s/base/ceramic-one/kustomization.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/k8s/base/ceramic-one/README.md b/k8s/base/ceramic-one/README.md index c88b008..341b484 100644 --- a/k8s/base/ceramic-one/README.md +++ b/k8s/base/ceramic-one/README.md @@ -9,7 +9,7 @@ Comands assume this directory as the current working directory. ### Create a namespace for the nodes. ``` -export CERAMIC_NAMESPACE=ceramic-one-0-17-0 +export CERAMIC_NAMESPACE=ceramic-one kubectl create namespace ${CERAMIC_NAMESPACE} ``` diff --git a/k8s/base/ceramic-one/kustomization.yaml b/k8s/base/ceramic-one/kustomization.yaml index b8c775b..f34f64c 100644 --- a/k8s/base/ceramic-one/kustomization.yaml +++ b/k8s/base/ceramic-one/kustomization.yaml @@ -1,4 +1,4 @@ -namespace: ceramic-one-0-17-0 +namespace: ceramic-one images: - name: ceramicnetwork/composedb-cli From 70280599eda177cb558a92513655c89f38965d1c Mon Sep 17 00:00:00 2001 From: Golda Velez Date: Mon, 7 Oct 2024 13:58:17 -0700 Subject: [PATCH 3/9] fix: namespace is now 'ceramic-one' --- k8s/cert-ingress/cluster-ip.yaml | 2 +- k8s/cert-ingress/ingress.yaml | 2 +- k8s/cert-ingress/kustomization.yaml | 2 +- k8s/cert-ingress/letsencrypt-issuer.yaml | 14 ++++++++++++++ 4 files changed, 17 insertions(+), 3 deletions(-) create mode 100644 k8s/cert-ingress/letsencrypt-issuer.yaml 
diff --git a/k8s/cert-ingress/cluster-ip.yaml b/k8s/cert-ingress/cluster-ip.yaml
index 1e5ce8f..d6e144b 100644
--- a/k8s/cert-ingress/cluster-ip.yaml
+++ b/k8s/cert-ingress/cluster-ip.yaml
@@ -2,7 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
 name: composedb
- namespace: ceramic
+ namespace: ceramic-one
 labels:
 app: composedb
 spec:
diff --git a/k8s/cert-ingress/ingress.yaml b/k8s/cert-ingress/ingress.yaml
index aec1b2d..6f5c201 100644
--- a/k8s/cert-ingress/ingress.yaml
+++ b/k8s/cert-ingress/ingress.yaml
@@ -2,7 +2,7 @@ apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
 name: composedb-ingress
- namespace: ceramic
+ namespace: ceramic-one
 annotations:
 kubernetes.io/ingress.class: nginx
 cert-manager.io/cluster-issuer: "letsencrypt-prod"
diff --git a/k8s/cert-ingress/kustomization.yaml b/k8s/cert-ingress/kustomization.yaml
index 2f98361..bcf6ec9 100644
--- a/k8s/cert-ingress/kustomization.yaml
+++ b/k8s/cert-ingress/kustomization.yaml
@@ -4,4 +4,4 @@ resources:
 - cluster-ip.yaml
 - ingress.yaml
 - letsencrypt-issuer.yaml
-namespace: ceramic
+namespace: ceramic-one
diff --git a/k8s/cert-ingress/letsencrypt-issuer.yaml b/k8s/cert-ingress/letsencrypt-issuer.yaml
new file mode 100644
index 0000000..ee7f333
--- /dev/null
+++ b/k8s/cert-ingress/letsencrypt-issuer.yaml
@@ -0,0 +1,14 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-prod
+spec:
+ acme:
+ server: https://acme-v02.api.letsencrypt.org/directory
+ email: your@email.com # Replace with your email
+ privateKeySecretRef:
+ name: letsencrypt-prod
+ solvers:
+ - http01:
+ ingress:
+ class: nginx
From 721dcd0de990f7f1e4e2d6701c977aac27c974c0 Mon Sep 17 00:00:00 2001
From: Golda Velez
Date: Mon, 7 Oct 2024 14:03:25 -0700
Subject: [PATCH 4/9] update path to load balancer yaml
---
 k8s/cert-ingress/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/k8s/cert-ingress/README.md b/k8s/cert-ingress/README.md
index 4a7152e..90f6fac 100644
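Review bot: The placeholder in the new ClusterIssuer is `your@email.com`, but the README added in patch 1 tells users to replace `your-email@example.com` in `letsencrypt-issuer.yaml`; a reader following the README verbatim searches for a string that is not in the file, so one of the two should be changed to match. The issuer also points straight at the production ACME endpoint with no staging counterpart; a second issuer against `https://acme-staging-v02.api.letsencrypt.org/directory` for first-time setup avoids burning Let's Encrypt's production rate limits while the solver is being debugged, which is a real risk given the proxy-protocol problem recorded later in this series. The solver selects the controller with `class: nginx`; cert-manager 1.12, which the README installs, should also accept `ingressClassName: nginx` here (worth confirming against its docs), which targets the `IngressClass` resource rather than the deprecated annotation.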
--- a/k8s/cert-ingress/README.md +++ b/k8s/cert-ingress/README.md @@ -12,7 +12,7 @@ Replace the existing load balancer with an ingress controller: (this step assumes a digital ocean load balancer, adjust for your configuration) ```bash -kubectl delete -f k8s/base/composedb/do-lb.yaml +kubectl delete -f ./k8s/base/ceramic-one/manifests/js-ceramic-lb.yaml ``` ### 2. Install the NGINX Ingress Controller From 075b9129724b70930eee4e2a5a4ee2729aad2402 Mon Sep 17 00:00:00 2001 From: Golda Velez Date: Mon, 7 Oct 2024 14:21:29 -0700 Subject: [PATCH 5/9] fix: had to disable proxy protocol for the cert challenge --- k8s/cert-ingress/ingress-nginx-do-deploy.yaml | 649 ++++++++++++++++++ 1 file changed, 649 insertions(+) create mode 100644 k8s/cert-ingress/ingress-nginx-do-deploy.yaml diff --git a/k8s/cert-ingress/ingress-nginx-do-deploy.yaml b/k8s/cert-ingress/ingress-nginx-do-deploy.yaml new file mode 100644 index 0000000..0cdfde6 --- /dev/null +++ b/k8s/cert-ingress/ingress-nginx-do-deploy.yaml 
@@ -0,0 +1,649 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + name: ingress-nginx +--- +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.8.1 + name: ingress-nginx + namespace: ingress-nginx +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.8.1 + name: ingress-nginx-admission + namespace: ingress-nginx +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.8.1 + name: ingress-nginx + namespace: ingress-nginx +rules: +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get +- apiGroups: + - "" + resources: + - configmaps + - pods + - secrets + - endpoints + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - coordination.k8s.io + resourceNames: + - ingress-nginx-leader + resources: + - leases + verbs: + - get + - update +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create +- apiGroups: + - 
"" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - list + - watch + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.8.1 + name: ingress-nginx-admission + namespace: ingress-nginx +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.8.1 + name: ingress-nginx +rules: +- apiGroups: + - "" + resources: + - configmaps + - endpoints + - nodes + - pods + - secrets + - namespaces + verbs: + - list + - watch +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - list + - watch +- apiGroups: + - "" + resources: + - nodes + verbs: + - get +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - list + - watch + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + 
app.kubernetes.io/version: 1.8.1 + name: ingress-nginx-admission +rules: +- apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + verbs: + - get + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.8.1 + name: ingress-nginx + namespace: ingress-nginx +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ingress-nginx +subjects: +- kind: ServiceAccount + name: ingress-nginx + namespace: ingress-nginx +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.8.1 + name: ingress-nginx-admission + namespace: ingress-nginx +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ingress-nginx-admission +subjects: +- kind: ServiceAccount + name: ingress-nginx-admission + namespace: ingress-nginx +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.8.1 + name: ingress-nginx +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: ingress-nginx +subjects: +- kind: ServiceAccount + name: ingress-nginx + namespace: ingress-nginx +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 
1.8.1 + name: ingress-nginx-admission +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: ingress-nginx-admission +subjects: +- kind: ServiceAccount + name: ingress-nginx-admission + namespace: ingress-nginx +--- +apiVersion: v1 +data: + allow-snippet-annotations: "true" + use-proxy-protocol: "false" +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.8.1 + name: ingress-nginx-controller + namespace: ingress-nginx +--- +apiVersion: v1 +kind: Service +metadata: + annotations: + service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "false" + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.8.1 + name: ingress-nginx-controller + namespace: ingress-nginx +spec: + externalTrafficPolicy: Local + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - appProtocol: http + name: http + port: 80 + protocol: TCP + targetPort: http + - appProtocol: https + name: https + port: 443 + protocol: TCP + targetPort: https + selector: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + type: LoadBalancer +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.8.1 + name: ingress-nginx-controller-admission + namespace: ingress-nginx +spec: + ports: + - appProtocol: https + name: https-webhook + port: 443 + targetPort: webhook + selector: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + 
app.kubernetes.io/name: ingress-nginx + type: ClusterIP +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.8.1 + name: ingress-nginx-controller + namespace: ingress-nginx +spec: + minReadySeconds: 0 + revisionHistoryLimit: 10 + selector: + matchLabels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + template: + metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.8.1 + spec: + containers: + - args: + - /nginx-ingress-controller + - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller + - --election-id=ingress-nginx-leader + - --controller-class=k8s.io/ingress-nginx + - --ingress-class=nginx + - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller + - --validating-webhook=:8443 + - --validating-webhook-certificate=/usr/local/certificates/cert + - --validating-webhook-key=/usr/local/certificates/key + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LD_PRELOAD + value: /usr/local/lib/libmimalloc.so + image: registry.k8s.io/ingress-nginx/controller:v1.8.1@sha256:e5c4824e7375fcf2a393e1c03c293b69759af37a9ca6abdb91b13d78a93da8bd + imagePullPolicy: IfNotPresent + lifecycle: + preStop: + exec: + command: + - /wait-shutdown + livenessProbe: + failureThreshold: 5 + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: controller + ports: + - containerPort: 80 + name: http + protocol: TCP + - 
containerPort: 443 + name: https + protocol: TCP + - containerPort: 8443 + name: webhook + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: + requests: + cpu: 100m + memory: 90Mi + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + runAsUser: 101 + volumeMounts: + - mountPath: /usr/local/certificates/ + name: webhook-cert + readOnly: true + dnsPolicy: ClusterFirst + nodeSelector: + kubernetes.io/os: linux + serviceAccountName: ingress-nginx + terminationGracePeriodSeconds: 300 + volumes: + - name: webhook-cert + secret: + secretName: ingress-nginx-admission +--- +apiVersion: batch/v1 +kind: Job +metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.8.1 + name: ingress-nginx-admission-create + namespace: ingress-nginx +spec: + template: + metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.8.1 + name: ingress-nginx-admission-create + spec: + containers: + - args: + - create + - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc + - --namespace=$(POD_NAMESPACE) + - --secret-name=ingress-nginx-admission + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230407@sha256:543c40fd093964bc9ab509d3e791f9989963021f1e9e4c9c7b6700b02bfb227b + imagePullPolicy: IfNotPresent + name: create + securityContext: + allowPrivilegeEscalation: false + nodeSelector: + 
kubernetes.io/os: linux + restartPolicy: OnFailure + securityContext: + fsGroup: 2000 + runAsNonRoot: true + runAsUser: 2000 + serviceAccountName: ingress-nginx-admission +--- +apiVersion: batch/v1 +kind: Job +metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.8.1 + name: ingress-nginx-admission-patch + namespace: ingress-nginx +spec: + template: + metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.8.1 + name: ingress-nginx-admission-patch + spec: + containers: + - args: + - patch + - --webhook-name=ingress-nginx-admission + - --namespace=$(POD_NAMESPACE) + - --patch-mutating=false + - --secret-name=ingress-nginx-admission + - --patch-failure-policy=Fail + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230407@sha256:543c40fd093964bc9ab509d3e791f9989963021f1e9e4c9c7b6700b02bfb227b + imagePullPolicy: IfNotPresent + name: patch + securityContext: + allowPrivilegeEscalation: false + nodeSelector: + kubernetes.io/os: linux + restartPolicy: OnFailure + securityContext: + fsGroup: 2000 + runAsNonRoot: true + runAsUser: 2000 + serviceAccountName: ingress-nginx-admission +--- +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.8.1 + name: nginx +spec: + controller: k8s.io/ingress-nginx +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + labels: + 
app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.8.1 + name: ingress-nginx-admission +webhooks: +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: ingress-nginx-controller-admission + namespace: ingress-nginx + path: /networking/v1/ingresses + failurePolicy: Fail + matchPolicy: Equivalent + name: validate.nginx.ingress.kubernetes.io + rules: + - apiGroups: + - networking.k8s.io + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - ingresses + sideEffects: None + timeoutSeconds: 29 From 6e7e0c8d16612fa5272ec32059ba4e89fd110fe0 Mon Sep 17 00:00:00 2001 From: Golda Velez Date: Mon, 7 Oct 2024 14:24:09 -0700 Subject: [PATCH 6/9] fix: note that we had to modify the default DigitalOcean nginx ingress config --- k8s/cert-ingress/README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/k8s/cert-ingress/README.md b/k8s/cert-ingress/README.md index 90f6fac..7bbea88 100644 --- a/k8s/cert-ingress/README.md +++ b/k8s/cert-ingress/README.md @@ -16,10 +16,10 @@ kubectl delete -f ./k8s/base/ceramic-one/manifests/js-ceramic-lb.yaml ``` ### 2. Install the NGINX Ingress Controller -If not already installed, add the NGINX ingress controller to your cluster: +If not already installed, add the NGINX ingress controller to your cluster. If using Digital Ocean, use the included version that disables the proxy so that the cert-manager command will work correctly. -```bash -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.2/deploy/static/provider/do/deploy.yaml + ```bash +kubectl apply -f ingress-nginx-do-deploy.yaml ``` ### 3. Install cert-manager From d8808dc47d7a21ac8688e96ac72e14997965cf93 Mon Sep 17 00:00:00 2001 
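Review bot: The two local modifications to this copy of the upstream DigitalOcean manifest — `use-proxy-protocol: "false"` in the controller ConfigMap and `service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "false"` on the LoadBalancer Service — are not marked anywhere in the file, so the next person refreshing it from upstream will silently lose them; a leading comment naming both deltas and the reason (the HTTP-01 challenge) would prevent that. Disabling PROXY protocol presumably also means the controller no longer sees the original client address in its access logs and `X-Forwarded-For`, which matters for any IP-based allow list or incident investigation, so that trade-off belongs in the same comment. The copy is pinned to controller 1.8.1 while the README installs 1.8.2 from upstream, and it keeps upstream's `allow-snippet-annotations: "true"`, which lets anyone able to create Ingress objects inject raw nginx configuration; on a single-tenant cluster that is tolerable, but setting it to `"false"` is safer unless a snippet annotation is actually used.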
From: Golda Velez Date: Mon, 7 Oct 2024 14:36:32 -0700 Subject: [PATCH 7/9] Update README.md --- k8s/cert-ingress/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/k8s/cert-ingress/README.md b/k8s/cert-ingress/README.md index 7bbea88..a546404 100644 --- a/k8s/cert-ingress/README.md +++ b/k8s/cert-ingress/README.md @@ -16,10 +16,10 @@ kubectl delete -f ./k8s/base/ceramic-one/manifests/js-ceramic-lb.yaml ``` ### 2. Install the NGINX Ingress Controller -If not already installed, add the NGINX ingress controller to your cluster. If using Digital Ocean, use the included version that disables the proxy so that the cert-manager command will work correctly. +If not already installed, add the NGINX ingress controller to your cluster. This example uses the digital ocean manifests ```bash -kubectl apply -f ingress-nginx-do-deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.2/deploy/static/provider/do/deploy.yaml ``` ### 3. Install cert-manager From 7e43378fd5c8e597631b27df47615c0e6217002e Mon Sep 17 00:00:00 2001 From: Golda Velez Date: Mon, 7 Oct 2024 14:55:51 -0700 Subject: [PATCH 8/9] Update README.md --- k8s/cert-ingress/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/k8s/cert-ingress/README.md b/k8s/cert-ingress/README.md index a546404..e29d005 100644 --- a/k8s/cert-ingress/README.md +++ b/k8s/cert-ingress/README.md @@ -47,11 +47,11 @@ This will set up the ingress, ClusterIP service, and cert-manager configurations ### 6. Verify the Setup 1. Check that the ingress has been created: ```bash - kubectl get ingress -n ceramic + kubectl get ingress -n ceramic-one ``` 2. Verify that cert-manager has issued a certificate: ```bash - kubectl get certificates -n ceramic + kubectl get certificates -n ceramic-one ``` 3. Once the certificate is ready, you should be able to access your ComposeDB node securely via HTTPS at your domain. 
From dc353ac4319ae8ad5470cca5e3e8d34932b8b6f1 Mon Sep 17 00:00:00 2001 From: Golda Velez Date: Tue, 8 Oct 2024 15:43:40 -0700 Subject: [PATCH 9/9] Update README.md --- k8s/cert-ingress/README.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/k8s/cert-ingress/README.md b/k8s/cert-ingress/README.md index e29d005..38184ca 100644 --- a/k8s/cert-ingress/README.md +++ b/k8s/cert-ingress/README.md @@ -8,12 +8,12 @@ ## Setup Steps ### 1. Remove the default load balancer -Replace the existing load balancer with an ingress controller: -(this step assumes a digital ocean load balancer, adjust for your configuration) -```bash -kubectl delete -f ./k8s/base/ceramic-one/manifests/js-ceramic-lb.yaml -``` + +We are going to replace the load balancer that was installed with an ingress controller and related services +This is assuming a starting point from the `ceramic-one` manifests applied. + +`kubectl delete -f k8s/base/ceramic-one/manifests/js-ceramic-lb.yaml` ### 2. Install the NGINX Ingress Controller If not already installed, add the NGINX ingress controller to your cluster. This example uses the digital ocean manifests