├── .gitignore ├── README.md ├── bases ├── cert-manager │ ├── .gitignore │ └── kustomization.yaml ├── helloweb │ ├── deployment.yaml │ ├── ingress.yaml │ ├── kustomization.yaml │ ├── namespace.yaml │ └── service.yaml └── ingress-nginx │ ├── .gitignore │ └── kustomization.yaml ├── environments ├── dev │ └── kustomization.yaml └── prod │ └── kustomization.yaml └── overlays ├── helloweb-cert-letsencrypt ├── .gitignore ├── issuer.yaml └── kustomization.yaml ├── helloweb-cert-self-signed ├── .gitignore ├── example-secrets │ ├── tls.crt │ └── tls.key ├── issuer.yaml └── kustomization.yaml └── helloweb-cert ├── .gitignore ├── cert-manager-configuration.yaml ├── ingress.yaml └── kustomization.yaml /.gitignore: -------------------------------------------------------------------------------- 1 | .idea 2 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Kustomize cert-manager demo 2 | 3 | Demo of using Kustomize to deploy [cert-manager](https://github.com/jetstack/cert-manager) and an example workload. 
4 | 5 | Follow the blog post to learn more: https://blog.jetstack.io/blog/kustomize-cert-manager/ 6 | -------------------------------------------------------------------------------- /bases/cert-manager/.gitignore: -------------------------------------------------------------------------------- 1 | cert-manager.yaml 2 | -------------------------------------------------------------------------------- /bases/cert-manager/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | 4 | commonLabels: 5 | demo: kustomize-cert-manager 6 | 7 | resources: 8 | - cert-manager.yaml # git-ignored, so it has to be fetched into this directory before building (presumably the cert-manager release manifest); review and pin the version you fetch 9 | -------------------------------------------------------------------------------- /bases/helloweb/deployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: helloweb-deployment 5 | spec: 6 | selector: 7 | matchLabels: 8 | app: helloweb 9 | template: 10 | metadata: 11 | labels: 12 | app: helloweb 13 | spec: 14 | containers: 15 | - name: hello-app # NOTE(review): no securityContext or resource limits are set on this container 16 | image: gcr.io/google-samples/hello-app:1.0 # referenced by tag, not by digest; a tag can be re-pointed, so pin an @sha256 digest where a fixed image matters 17 | ports: 18 | - containerPort: 8080 19 | -------------------------------------------------------------------------------- /bases/helloweb/ingress.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: Ingress 3 | metadata: 4 | name: helloweb-ingress 5 | spec: 6 | ingressClassName: nginx 7 | rules: 8 | - http: # the base rule has no host and no tls section; overlays/helloweb-cert patches TLS onto this Ingress 9 | paths: 10 | - path: / 11 | pathType: Prefix 12 | backend: 13 | service: 14 | name: helloweb-service 15 | port: 16 | number: 8080 17 | -------------------------------------------------------------------------------- /bases/helloweb/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: 
Kustomization 3 | 4 | commonLabels: 5 | app: helloweb 6 | demo: kustomize-cert-manager 7 | 8 | namespace: helloweb 9 | 10 | resources: 11 | - namespace.yaml 12 | - deployment.yaml 13 | - service.yaml 14 | - ingress.yaml 15 | -------------------------------------------------------------------------------- /bases/helloweb/namespace.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: helloweb -------------------------------------------------------------------------------- /bases/helloweb/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: helloweb-service 5 | spec: 6 | type: NodePort # NodePort also opens the app on a port of every node, outside the TLS-terminating ingress; ClusterIP is enough if all traffic arrives through ingress-nginx (TODO confirm nothing relies on the node port) 7 | selector: 8 | app: helloweb 9 | ports: 10 | - protocol: TCP 11 | port: 8080 12 | targetPort: 8080 13 | -------------------------------------------------------------------------------- /bases/ingress-nginx/.gitignore: -------------------------------------------------------------------------------- 1 | ingress-nginx.yaml 2 | -------------------------------------------------------------------------------- /bases/ingress-nginx/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | 4 | resources: 5 | - https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.1/deploy/static/provider/cloud/deploy.yaml # fetched over the network at build time from a tag ref, which can be moved upstream; vendor a reviewed copy or reference a commit SHA for a fixed input 6 | -------------------------------------------------------------------------------- /environments/dev/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | 4 | bases: 5 | - ../../bases/ingress-nginx 6 | - ../../bases/cert-manager 7 | - ../../overlays/helloweb-cert-self-signed 8 | 
-------------------------------------------------------------------------------- /environments/prod/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | 4 | bases: 5 | - ../../bases/ingress-nginx 6 | - ../../bases/cert-manager 7 | - ../../overlays/helloweb-cert-letsencrypt 8 | -------------------------------------------------------------------------------- /overlays/helloweb-cert-letsencrypt/.gitignore: -------------------------------------------------------------------------------- 1 | issuer_patch.json 2 | -------------------------------------------------------------------------------- /overlays/helloweb-cert-letsencrypt/issuer.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: cert-manager.io/v1 2 | kind: Issuer 3 | metadata: 4 | name: helloweb-issuer 5 | spec: 6 | acme: 7 | server: "https://acme-v02.api.letsencrypt.org/directory" # Let's Encrypt production directory (rate-limited); the staging directory is the usual choice while testing 8 | privateKeySecretRef: 9 | name: issuer-letsencrypt-account-key # Secret that stores the ACME account private key; restrict read access to it 10 | solvers: 11 | - http01: 12 | ingress: 13 | name: helloweb-ingress 14 | -------------------------------------------------------------------------------- /overlays/helloweb-cert-letsencrypt/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | 4 | bases: 5 | - ../helloweb-cert 6 | 7 | namespace: helloweb 8 | 9 | commonLabels: 10 | app: helloweb 11 | demo: kustomize-cert-manager 12 | 13 | resources: 14 | - issuer.yaml 15 | 16 | # Create this patch to set the Issuer email 17 | patchesJSON6902: 18 | - path: issuer_patch.json 19 | target: 20 | group: cert-manager.io 21 | version: v1 22 | kind: Issuer 23 | name: helloweb-issuer -------------------------------------------------------------------------------- /overlays/helloweb-cert-self-signed/.gitignore: 
-------------------------------------------------------------------------------- 1 | secrets/ 2 | -------------------------------------------------------------------------------- /overlays/helloweb-cert-self-signed/example-secrets/tls.crt: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIFLTCCAxWgAwIBAgIURk2mF2zcPVs+Nqss6Q2pYdNsynQwDQYJKoZIhvcNAQEL 3 | BQAwJjEkMCIGA1UECgwbS3VzdG9taXplIGNlcnQtbWFuYWdlciBEZW1vMB4XDTIy 4 | MDIxNTEyMDc0NFoXDTIzMDIxNTEyMDc0NFowJjEkMCIGA1UECgwbS3VzdG9taXpl 5 | IGNlcnQtbWFuYWdlciBEZW1vMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKC 6 | AgEAxU+HXt2TvhC4vXdnxk4+cUYh/5RGrGHqi7Go66BDS15LhZguEFK4dW/SAio3 7 | 5wlZEoaj8FkPNirumxLVsCRmAebV3Eyv0nYTE2aBPLoTV0OiOHYF2uRvHrJ7hJvc 8 | MuEDIegwGRHwAEmvjSwbVYbII8ks5jH0kpNtolazaiPRGj+LlF+dU+5rdlLyEWli 9 | cQ7pao0JpaFx4tquSsvdOl8NdrpBqh7FLCDD+6j8wWL/Y4wKslNB3z3JQqz/VCe2 10 | PQfcF8fAXTK57pYMIAmITCAtfETTdDWfQwczhS12U92tGBczM7dIqrcnkwBK4p82 11 | JAXocm2ITyVZlDQhNtzkaTV+hOokWgootYUefWECZ7kGrAdsvn6I51OlRXdk5i/i 12 | Wc+nJbnuQxt4ZWUKnkKY0UgDtk24Nypf6TVoQN7F3MdayItrUe1Lf35Fz6/7BLLC 13 | PHfUhwdbwqGwooQHufVdgUiIY5gdGavvMx3zmb+PErRbEsUg91C7QT4kwowfn7wn 14 | 2ETLCEN1FVxKUaXtVgHPwDg0f9aQwXf6e6IqglEOj3yp2Lzi8jmL0vVaruEX4TmY 15 | 06obUNlVxtR/H41HoJVqIsRSh73VRwUExOv+CrFX6wqWXw8EjwH23/KIPYS9SCb4 16 | vLLZ+cowEsyOrHf0/66gLd5ttsXxNOcsff00LlUN+8K7E2UCAwEAAaNTMFEwHQYD 17 | VR0OBBYEFLrVvfesL98gESQYMR+JN0hExzssMB8GA1UdIwQYMBaAFLrVvfesL98g 18 | ESQYMR+JN0hExzssMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIB 19 | AD9ohY7OE7DfeltNtS6FHtFULpUtOhYcNKy+JCGT+7eJ/qulzeKnQdD9bxFBFQtm 20 | 7n4TqTzS3sVNlUljONI7m5LXWVfoHvvbfltHiH4Nppa/VQEwsSfbJBJVgR3ZbcSg 21 | wIjrXWQAZ4srbY0jUVRHfe7m6F8VCB3T3azmOEs/g794DM7mGCPyeg3k9wlG6MhZ 22 | 0lNsGRFkDjLwATT0YLjqUku8Wsg7wZUJA9+FPRShIBZTh1Yw54XUs6XFfiJO10Hy 23 | 3xqAK3nWUmYCLdI3eanA2uGhXeNVPCmoT2vXYs2TDDtXi1LJIpTQi5e/AS8OjsA+ 24 | TYJwK8YbLWHAjs6F2zFFcayNEAetXBYoHVy+DmM39rrTpRhD8Zbr8g0lkUGQbKvt 25 | 
V/LvhchtIvIklkkzWtBMFlQFrGygT3KqAcuMqXdQFmkHRAt+hkAm1wEAkcoA9drH 26 | JtFB7nCbut3KAXKWyMm1UaHschNjmGZsM/mUMTlHfk8U7lIvvMkY6ej9+t+RfnFI 27 | O++iHJjb83NuBAFcCPAbhj9DEq5hQMQ8hc+G8bdGjOf9JvtDeujWXDcbCnZrweMC 28 | XNALBBhDpAC2Q/XpnGPg0+FiGwnbZtJWh9ZBLrEI4Cg9aEh/qEocP6VAipAxaLGk 29 | +ShnmCI9eDaXsOAr+vzxXvyJi+bMWrLjfxRGjZHOU41c 30 | -----END CERTIFICATE----- 31 | -------------------------------------------------------------------------------- /overlays/helloweb-cert-self-signed/example-secrets/tls.key: -------------------------------------------------------------------------------- 1 | -----BEGIN PRIVATE KEY----- 2 | MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQDFT4de3ZO+ELi9 3 | d2fGTj5xRiH/lEasYeqLsajroENLXkuFmC4QUrh1b9ICKjfnCVkShqPwWQ82Ku6b 4 | EtWwJGYB5tXcTK/SdhMTZoE8uhNXQ6I4dgXa5G8esnuEm9wy4QMh6DAZEfAASa+N 5 | LBtVhsgjySzmMfSSk22iVrNqI9EaP4uUX51T7mt2UvIRaWJxDulqjQmloXHi2q5K 6 | y906Xw12ukGqHsUsIMP7qPzBYv9jjAqyU0HfPclCrP9UJ7Y9B9wXx8BdMrnulgwg 7 | CYhMIC18RNN0NZ9DBzOFLXZT3a0YFzMzt0iqtyeTAErinzYkBehybYhPJVmUNCE2 8 | 3ORpNX6E6iRaCii1hR59YQJnuQasB2y+fojnU6VFd2TmL+JZz6clue5DG3hlZQqe 9 | QpjRSAO2Tbg3Kl/pNWhA3sXcx1rIi2tR7Ut/fkXPr/sEssI8d9SHB1vCobCihAe5 10 | 9V2BSIhjmB0Zq+8zHfOZv48StFsSxSD3ULtBPiTCjB+fvCfYRMsIQ3UVXEpRpe1W 11 | Ac/AODR/1pDBd/p7oiqCUQ6PfKnYvOLyOYvS9Vqu4RfhOZjTqhtQ2VXG1H8fjUeg 12 | lWoixFKHvdVHBQTE6/4KsVfrCpZfDwSPAfbf8og9hL1IJvi8stn5yjASzI6sd/T/ 13 | rqAt3m22xfE05yx9/TQuVQ37wrsTZQIDAQABAoICADCJLe5Y2KtILz2SJhGqtSMF 14 | or7dQV5NrtXCs+AUWgFr9m1sQCaNRqlCwrj8HCjFzKapPqIUslB7kprMcQrFhV9B 15 | 4okwxw5hM7ORw0hGKJROg5TaeXm9OBVnx8kY0vukDLJ2TICaQDy944R5XVb2Uvy0 16 | k8ojbztwLyegJr29Bkar64Cp3YhkLYSbhkbgstHHXoUyoPUgp+RrMTUefXLKp4P1 17 | cMoxjASdIcCh8tz6ZoLdE9OGdf19lCjF6AASTbqpGIuz/B6g6Apn2B84YRIC11WK 18 | k65yM1VYa+S+iG08akQzDsoRs7sk10QKriEdk4Kcfm/JgF6hvC2f/iyh/UDhIxgN 19 | 17nK2NlRzvywVevBsCOsgWB5d6M2zYt0E1rwWv5W9s75wQJqdPpILmvcH9ohduOb 20 | VctBrEWAH/7YGe8RBGA2kRgzZGPErxOLPGciwHjd83AozYsGL7Nc4prs+x+rUy0C 21 | 
ouo860ZvtoSzcgSO3tqjHQYiBxrKyeTXuBMvrvc4/U05DQwg1EEVtlnDuzXO7+FD 22 | bomaFgzyv2+4NC7e072bOhbUO64U4PJLfvb82s+bziVN1t9HOPgNSfauOz59yjb9 23 | Ktc+x/x1j5baQCu7P/OutKMIo4xkgg4lj7imaxbJ/3IWvPbdtULcBJZXCxCBs0bm 24 | 5QsPU9DHNj0SnevzkAUJAoIBAQDq5oauFcj6s/Mws5PXyI1iWDfMiGYIFs5eoafZ 25 | 4E/0lVX309+SghAYuAxCufcPUSMNakaCoGLrVOdZvjn3WKOn3UO7yJiCa07qx9bm 26 | E5J6YUNKNBja2pW/LREbKg3peHVsowE269Gldkh+q+j3PVSnbszSzoJ7E4mn3uWQ 27 | sUHPkJAwMm07tFneHaQSIHCXHBayp6abd8T+a1SS9PWKGlYhGqokDEQXz/0T+f4f 28 | 7hmCLmc0HD+PyGotYHZSpC1btjDIeFBpQ+uCOgPoSCuesMAjQyNoOR7DTu5hjc2Q 29 | zZLytXsP6C/tv5AMVU0dF+QThoFJ5PqGLVXQp2uaXf5umI3NAoIBAQDXCKJx9zwy 30 | 0a+p3nQp2Jtw2OHpG0mF0qP2ekCdhel6T/xAhXRpYhzT2Sdc5OkSZkOstWL8Ql7H 31 | R2JEjtY0MKr4P8jImtmo22J6lxV4LUxoj8lk6I9mojGuDCfQFrzkGbwUlmxBtrhS 32 | GOFBOazmCRZIzHqIUnsn8Jt3f5GKobDKhIZCE8f2yNLplZuNdijWPt01LMeQCSNg 33 | +oaFApxDBWTXtYbc8lnizS0LUTXfNIUBQB3MZaTqC3tPfbmADtzSiWQMk/O2YDi/ 34 | +sfsoKt3Sabdvp8nSYnwL7gl1eLr9GYWgiDJ4bkGUtPo0OIRAwiE3Yldu/8scuwF 35 | fFEUr38HrsP5AoIBAF+5b7rzj8JyoLEBDUeLJ+qizqJgF0xGlvTDZdaI7axbSvxC 36 | cEKRFCQupHhwtjictO8blv5Wg9ko8VqGBbNBgPfAWIDm3xeOyUsuAuohobiTeEt9 37 | 7X8KQqn0oJr0SVUSTK/nwW/zK60FBcfxIG/Yo23T3k4t78heDuPFFsIfKhV+8PNj 38 | KVaCSXkVlS354EgEH0/QuDl01mdjr8RvZLxRvTWiWyFzijA2BwkkACZc7jI53L7E 39 | oDZk0rgJLk7BLubH2RtoxEQRdKDOKZd4CaaSmsoD6yLm3B11RfmlQtc2nyKfSDYU 40 | RavaO8Z64IDxonU+g+NsF5ekU+tCvrvaf/vr2SUCggEBAKRbaS6KtmxxcT75VPiX 41 | I1hBrYqq3Kt4sPI3xyOfszFV6Yy3dJ8H6tjR5hBOtwblO1zK13nQkPjoSufz9S22 42 | 9TcCKcmK8krqRH9G85YDqZ9SJ7EFQHZGCorpp5SZjI8cTHG/98bSjlfRxHpCRzEc 43 | SPgjspR31sJUWcAgtXGs3KAuYyAmVnT+UpdPTrH1WolHS3TVYUNqeKwrUJ5hvGZN 44 | vSJTEV3Xr3R3NrKrw+1zCyZFh4EvP7nURNAhXKPQuGADu4ERpPoE2duDJ0RqGiT3 45 | Gp/qj2NMBi6birkAno2TJGSX2c/0w6Nds7MD1YcDNoO3gMMwan3i6RvYRXD2IrYQ 46 | kqECggEBANcPEr9DTQIxi3ufq+4AqofxF4HzzYIFjtyiBGqgPND0AXFd1b+NCiYF 47 | ZtXnLrt3CDDsGK9L7OqhhhB2CIcsfmtMGEE03a2mHQ9tu8B1IqxLAyavFirTkV9+ 48 | ZbKmolMc6NHgtBmpUlGlDf4PTesaBPtr15Yj0a1vMN9y1cIFdVTFurEAfCPEgLrY 49 | 
l38gGcHd8J+js+c4opiEoP1Y84PLEPodT6crnXASR9xIbu2LbF9eKDU4sO/1wDPe 50 | bzQYUkMjTqOZWUVVrSiW64u5ITajzYu7pfFzQuyJGuBJkf77sFtkLWZVXpwLGZt9 51 | Zy/GkrwsX6tNEHuwFC2BG+viR4ZxQB4= 52 | -----END PRIVATE KEY----- 53 | -------------------------------------------------------------------------------- /overlays/helloweb-cert-self-signed/issuer.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: cert-manager.io/v1 2 | kind: Issuer 3 | metadata: 4 | name: helloweb-issuer 5 | spec: 6 | ca: 7 | secretName: helloweb-ca 8 | -------------------------------------------------------------------------------- /overlays/helloweb-cert-self-signed/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | 4 | bases: 5 | - ../helloweb-cert 6 | 7 | namespace: helloweb 8 | 9 | commonLabels: 10 | app: helloweb 11 | demo: kustomize-cert-manager 12 | 13 | # Create secrets/tls.crt and secrets/tls.key (the secrets/ directory is git-ignored) from a CA key pair you generate yourself. Do not reuse the pair under example-secrets/: its private key is published in this repository, so anyone can sign certificates that chain to that CA. 14 | secretGenerator: 15 | - name: helloweb-ca 16 | files: 17 | - secrets/tls.crt 18 | - secrets/tls.key 19 | type: "kubernetes.io/tls" 20 | 21 | generatorOptions: 22 | disableNameSuffixHash: true 23 | labels: 24 | kustomize.generated.resource: somevalue 25 | 26 | resources: 27 | - issuer.yaml 28 | -------------------------------------------------------------------------------- /overlays/helloweb-cert/.gitignore: -------------------------------------------------------------------------------- 1 | ingress_patch.json 2 | -------------------------------------------------------------------------------- /overlays/helloweb-cert/cert-manager-configuration.yaml: -------------------------------------------------------------------------------- 1 | nameReference: 2 | - kind: Issuer 3 | fieldSpecs: 4 | - path: spec/issuerRef/name 5 | kind: Certificate 6 | - kind: Secret 7 | fieldSpecs: 8 | - path: spec/ca/secretName 9 | kind: 
Issuer 10 | - kind: Ingress 11 | fieldSpecs: 12 | - path: spec/acme/config/http01/ingress 13 | kind: Certificate -------------------------------------------------------------------------------- /overlays/helloweb-cert/ingress.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: Ingress 3 | metadata: 4 | name: helloweb-ingress 5 | annotations: 6 | cert-manager.io/issuer: helloweb-issuer # refers to a namespaced Issuer (not a ClusterIssuer), so it must exist in the Ingress's own namespace 7 | spec: 8 | tls: 9 | - hosts: [] # hosts will be added in another patch 10 | secretName: helloweb-cert # Secret that cert-manager fills with the issued certificate and its private key 11 | -------------------------------------------------------------------------------- /overlays/helloweb-cert/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | 4 | bases: 5 | - ../../bases/helloweb 6 | 7 | namespace: helloweb 8 | 9 | patchesStrategicMerge: 10 | - ingress.yaml 11 | 12 | # Create this patch to set the Ingress domain 13 | patchesJSON6902: 14 | - path: ingress_patch.json 15 | target: 16 | group: networking.k8s.io 17 | version: v1 18 | kind: Ingress 19 | name: helloweb-ingress 20 | 21 | configurations: 22 | - cert-manager-configuration.yaml 23 | --------------------------------------------------------------------------------