feat(ingress): add TLS configuration for staging hosts

Add TLS configuration for staging-shiny and staging-shiny-api hosts in the ingress resources. Create a new namespace for ingress-nginx to better organize resources. Update kustomization files to include new certificates and secrets. Streamline setup process with improved wait commands for pod readiness.
2025-12-10 08:16:27 +01:00
parent 7dd42187fe
commit 58b04fe47e
12 changed files with 68 additions and 24 deletions
@@ -28,7 +28,7 @@ kubectl create secret generic ca-key-pair2 \
  --from-literal=tls.key="$(cat local-ca.key)"
 ```

-The [certificates.yaml](../kind/certificates.yaml) contains the secrets already and wil be used by cert-manager
+The [certificates.yaml](../k8s/app/certificates.yaml) contains the secrets already and wil be used by cert-manager
 to sign certificates.

 ## Install and trust the CA
@@ -30,6 +30,7 @@ spec:
  - shiny
  - auth0
  - staging-shiny.unbound.se
+  - staging-shiny-api.unbound.se
  secretName: self-signed-cert-tls
  issuerRef:
    name: self-signed
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- certificates.yaml
+- secrets-store.yaml
+- local-proxy.yaml
@@ -27,6 +27,10 @@ metadata:
    nginx.ingress.kubernetes.io/upstream-vhost: "localhost:3300"
 spec:
  ingressClassName: nginx
+  tls:
+    - hosts:
+        - staging-shiny.unbound.se
+      secretName: self-signed-cert-tls
  rules:
    - host: staging-shiny.unbound.se
      http:
@@ -58,6 +62,10 @@ metadata:
    nginx.ingress.kubernetes.io/upstream-vhost: "localhost:4444"
 spec:
  ingressClassName: nginx
+  tls:
+    - hosts:
+        - staging-shiny-api.unbound.se
+      secretName: self-signed-cert-tls
  rules:
    - host: staging-shiny-api.unbound.se
      http:
@@ -4,9 +4,6 @@ resources:
 - postgres.yaml
 - rabbitmq.yaml
 - namespaces.yaml
- certificates.yaml
- secrets-store.yaml
- local-proxy.yaml
 helmCharts:
 - name: external-secrets
  namespace: external-secrets
@@ -23,10 +20,3 @@ helmCharts:
  valuesInline:
    crds:
      enabled: true
- name: ingress-nginx
-  namespace: ingress-nginx
-  includeCRDs: true
-  releaseName: ingress-nginx
-  repo: https://kubernetes.github.io/ingress-nginx
-  version: 4.14.1
-  valuesFile: https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/hack/manifest-templates/provider/kind/values.yaml
@@ -7,8 +7,3 @@ apiVersion: v1
 kind: Namespace
 metadata:
  name: cert-manager
---
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: ingress-nginx
@@ -0,0 +1,12 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- namespaces.yaml
+helmCharts:
+- name: ingress-nginx
+  namespace: ingress-nginx
+  includeCRDs: true
+  releaseName: ingress-nginx
+  repo: https://kubernetes.github.io/ingress-nginx
+  version: 4.14.1
+  valuesFile: https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/hack/manifest-templates/provider/kind/values.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: ingress-nginx
@@ -12,14 +12,42 @@ kubectl create secret docker-registry gitlab \

 kubectl patch serviceaccount default -p '{"imagePullSecrets": [{"name": "gitlab"}]}'

-kustomized="$(mktemp --suffix .unboundkind.yaml --tmpdir=/tmp/)"
+kustomized="$(mktemp -t unboundnginx.yaml.XXXXXX)"

-kubectl kustomize --enable-helm ./kind > "${kustomized}"
+kubectl kustomize --enable-helm "k8s/nginx" >> "${kustomized}"
 kubectl apply -f "${kustomized}" --server-side || true
-kubectl wait --for=condition=Ready pods -n cert-manager -l app=cert-manager --timeout 5m
-kubectl wait --for=condition=Ready pods -n cert-manager -l app=cainjector --timeout 5m
-kubectl wait --for=condition=Ready pods -n cert-manager -l app=webhook --timeout 5m
-kubectl wait --for=condition=Ready pods --all -n external-secrets --timeout=5m
-kubectl apply -f "${kustomized}" --server-side

-kubectl wait --for=condition=Ready pods --all --timeout=5m
+printf "\nWait for pod app.kubernetes.io/component=controller to be created."
+while :; do
+  sleep 2
+  [ -n "$(kubectl -n ingress-nginx get pod --selector=app.kubernetes.io/component=controller 2>/dev/null)" ] && printf "\n\n" && break
+  printf "."
+done
+
+echo "Wait for nginx to be available."
+until [[ $(kubectl -n ingress-nginx get endpointslices -l 'kubernetes.io/service-name=ingress-nginx-controller' -o=jsonpath='{.items[*].endpoints[*].addresses[*]}') ]]; do sleep 5; done
+
+kustomized="$(mktemp -t unboundinfra.yaml.XXXXXX)"
+
+kubectl kustomize --enable-helm "k8s/infra" >> "${kustomized}"
+kubectl apply -f "${kustomized}" --server-side || true
+
+printf "\nWait for pod app.kubernetes.io/instance=cert-manager to be created."
+while :; do
+  sleep 2
+  [ -n "$(kubectl -n cert-manager get pod --selector=app.kubernetes.io/instance=cert-manager 2>/dev/null)" ] && printf "\n\n" && break
+  printf "."
+done
+kubectl wait --for=condition=Ready pods -n cert-manager -l app=cert-manager --timeout 4m
+kubectl wait --for=condition=Ready pods -n cert-manager -l app=cainjector --timeout 4m
+kubectl wait --for=condition=Ready pods -n cert-manager -l app=webhook --timeout 4m
+kubectl wait --for=condition=Ready pods --all -n external-secrets --timeout=5m
+# Apply again to get any CRD's that wasn't applied earlier since the definitions wasn't available
+kubectl apply -f "${kustomized}" --server-side || true
+kubectl apply -k k8s/app --server-side
+
+kubectl wait --for=condition=Ready pods -n cert-manager -l app=cert-manager --timeout 4m
+kubectl wait --for=condition=Ready pods -n cert-manager -l app=cainjector --timeout 4m
+kubectl wait --for=condition=Ready pods -n cert-manager -l app=webhook --timeout 4m
+kubectl wait --for=condition=Ready pods --all -n external-secrets --timeout=5m
+kubectl wait --for=condition=Ready pods --all -n default --timeout 3m