From 58b04fe47e8aaf63f2bf01ecea434f1410ec2efc Mon Sep 17 00:00:00 2001
From: Joakim Olsson
Date: Wed, 10 Dec 2025 08:16:27 +0100
Subject: [PATCH] feat(ingress): add TLS configuration for staging hosts

Add TLS configuration for staging-shiny and staging-shiny-api hosts in the ingress resources. Create a new namespace for ingress-nginx to better organize resources. Update kustomization files to include new certificates and secrets. Streamline setup process with improved wait commands for pod readiness.

---
 certs/README.md | 2 +-
 {kind => k8s/app}/certificates.yaml | 1 +
 k8s/app/kustomization.yaml | 6 ++++
 {kind => k8s/app}/local-proxy.yaml | 8 +++++
 {kind => k8s/app}/secrets-store.yaml | 0
 {kind => k8s/infra}/kustomization.yaml | 10 ------
 {kind => k8s/infra}/namespaces.yaml | 5 ---
 {kind => k8s/infra}/postgres.yaml | 0
 {kind => k8s/infra}/rabbitmq.yaml | 0
 k8s/nginx/kustomization.yaml | 12 +++++++
 k8s/nginx/namespaces.yaml | 4 +++
 setup | 44 +++++++++++++++++++++-----
 12 files changed, 68 insertions(+), 24 deletions(-)
 rename {kind => k8s/app}/certificates.yaml (99%)
 create mode 100644 k8s/app/kustomization.yaml
 rename {kind => k8s/app}/local-proxy.yaml (89%)
 rename {kind => k8s/app}/secrets-store.yaml (100%)
 rename {kind => k8s/infra}/kustomization.yaml (58%)
 rename {kind => k8s/infra}/namespaces.yaml (66%)
 rename {kind => k8s/infra}/postgres.yaml (100%)
 rename {kind => k8s/infra}/rabbitmq.yaml (100%)
 create mode 100644 k8s/nginx/kustomization.yaml
 create mode 100644 k8s/nginx/namespaces.yaml

diff --git a/certs/README.md b/certs/README.md
index 75469bb..8c61c51 100644
--- a/certs/README.md
+++ b/certs/README.md
@@ -28,7 +28,7 @@ kubectl create secret generic ca-key-pair2 \
 --from-literal=tls.key="$(cat local-ca.key)"
 ```
-The [certificates.yaml](../kind/certificates.yaml) contains the secrets already and wil be used by cert-manager
+The [certificates.yaml](../k8s/app/certificates.yaml) contains the secrets already and wil be used by cert-manager
 to sign certificates.
 ## Install and trust the CA
diff --git a/kind/certificates.yaml b/k8s/app/certificates.yaml
similarity index 99%
rename from kind/certificates.yaml
rename to k8s/app/certificates.yaml
index dc9b858..a3625e5 100644
--- a/kind/certificates.yaml
+++ b/k8s/app/certificates.yaml
@@ -30,6 +30,7 @@ spec:
 - shiny
 - auth0
 - staging-shiny.unbound.se
+ - staging-shiny-api.unbound.se
 secretName: self-signed-cert-tls
 issuerRef:
 name: self-signed
diff --git a/k8s/app/kustomization.yaml b/k8s/app/kustomization.yaml
new file mode 100644
index 0000000..c4e917a
--- /dev/null
+++ b/k8s/app/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- certificates.yaml
+- secrets-store.yaml
+- local-proxy.yaml
diff --git a/kind/local-proxy.yaml b/k8s/app/local-proxy.yaml
similarity index 89%
rename from kind/local-proxy.yaml
rename to k8s/app/local-proxy.yaml
index 1c48861..21abe25 100644
--- a/kind/local-proxy.yaml
+++ b/k8s/app/local-proxy.yaml
@@ -27,6 +27,10 @@ metadata:
 nginx.ingress.kubernetes.io/upstream-vhost: "localhost:3300"
 spec:
 ingressClassName: nginx
+ tls:
+ - hosts:
+ - staging-shiny.unbound.se
+ secretName: self-signed-cert-tls
 rules:
 - host: staging-shiny.unbound.se
 http:
@@ -58,6 +62,10 @@ metadata:
 nginx.ingress.kubernetes.io/upstream-vhost: "localhost:4444"
 spec:
 ingressClassName: nginx
+ tls:
+ - hosts:
+ - staging-shiny-api.unbound.se
+ secretName: self-signed-cert-tls
 rules:
 - host: staging-shiny-api.unbound.se
 http:
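Review bot: Both added `tls` stanzas name `secretName: self-signed-cert-tls` without a namespace, and an Ingress can only read a TLS secret from its own namespace, so the `Certificate` in `certificates.yaml` that writes that secret has to live where these two Ingresses do; the Certificate's metadata is not in view, and `setup` applies `k8s/app` without `-n`, so presumably all of them land in `default` — worth confirming, because ingress-nginx silently serves its built-in default certificate when the referenced secret is absent. A comment on each stanza would make that coupling visible, e.g. `# issued by the Certificate in certificates.yaml; its dnsNames must list this host`. The enclosing Ingress objects begin above the hunk, and the second hunk (the `staging-shiny-api.unbound.se` Ingress) has the same shape and the same dependency.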
diff --git a/kind/secrets-store.yaml b/k8s/app/secrets-store.yaml
similarity index 100%
rename from kind/secrets-store.yaml
rename to k8s/app/secrets-store.yaml
diff --git a/kind/kustomization.yaml b/k8s/infra/kustomization.yaml
similarity index 58%
rename from kind/kustomization.yaml
rename to k8s/infra/kustomization.yaml
index 34909ea..2279581 100644
--- a/kind/kustomization.yaml
+++ b/k8s/infra/kustomization.yaml
@@ -4,9 +4,6 @@ resources:
 - postgres.yaml
 - rabbitmq.yaml
 - namespaces.yaml
-- certificates.yaml
-- secrets-store.yaml
-- local-proxy.yaml
 helmCharts:
 - name: external-secrets
 namespace: external-secrets
@@ -23,10 +20,3 @@ helmCharts:
 valuesInline:
 crds:
 enabled: true
-- name: ingress-nginx
- namespace: ingress-nginx
- includeCRDs: true
- releaseName: ingress-nginx
- repo: https://kubernetes.github.io/ingress-nginx
- version: 4.14.1
- valuesFile: https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/hack/manifest-templates/provider/kind/values.yaml
diff --git a/kind/namespaces.yaml b/k8s/infra/namespaces.yaml
similarity index 66%
rename from kind/namespaces.yaml
rename to k8s/infra/namespaces.yaml
index 9dd166a..6748b77 100644
--- a/kind/namespaces.yaml
+++ b/k8s/infra/namespaces.yaml
@@ -7,8 +7,3 @@ apiVersion: v1
 kind: Namespace
 metadata:
 name: cert-manager
----
-apiVersion: v1
-kind: Namespace
-metadata:
- name: ingress-nginx
diff --git a/kind/postgres.yaml b/k8s/infra/postgres.yaml
similarity index 100%
rename from kind/postgres.yaml
rename to k8s/infra/postgres.yaml
diff --git a/kind/rabbitmq.yaml b/k8s/infra/rabbitmq.yaml
similarity index 100%
rename from kind/rabbitmq.yaml
rename to k8s/infra/rabbitmq.yaml
diff --git a/k8s/nginx/kustomization.yaml b/k8s/nginx/kustomization.yaml
new file mode 100644
index 0000000..4140878
--- /dev/null
+++ b/k8s/nginx/kustomization.yaml
@@ -0,0 +1,12 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- namespaces.yaml
+helmCharts:
+- name: ingress-nginx
+ namespace: ingress-nginx
+ includeCRDs: true
+ releaseName: ingress-nginx
+ repo: https://kubernetes.github.io/ingress-nginx
+ version: 4.14.1
+ valuesFile: https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/hack/manifest-templates/provider/kind/values.yaml
diff --git a/k8s/nginx/namespaces.yaml b/k8s/nginx/namespaces.yaml
new file mode 100644
index 0000000..6878f0b
--- /dev/null
+++ b/k8s/nginx/namespaces.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: ingress-nginx
diff --git a/setup b/setup
index 80b29d3..e957c20 100755
--- a/setup
+++ b/setup
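Review bot: `valuesFile` points at `https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/hack/manifest-templates/provider/kind/values.yaml`, which is fetched from the mutable `main` branch on every `kubectl kustomize --enable-helm` run, while the chart itself is pinned to `version: 4.14.1`; the rendered controller therefore depends on an unpinned upstream file that can drift from or break with the pinned chart, and the render is neither reproducible nor possible offline. Pin the URL to the release tag that matches the chart version, or better, copy the file into `k8s/nginx/` and reference it as `valuesFile: values-kind.yaml` so a change to it shows up in review like any other file. The same reference existed in the removed `kind/kustomization.yaml` block, so this is carried over rather than introduced, but the new file is the place to fix it.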
@@ -12,14 +12,42 @@ kubectl create secret docker-registry gitlab \
 kubectl patch serviceaccount default -p '{"imagePullSecrets": [{"name": "gitlab"}]}'
-kustomized="$(mktemp --suffix .unboundkind.yaml --tmpdir=/tmp/)"
+kustomized="$(mktemp -t unboundnginx.yaml.XXXXXX)"
-kubectl kustomize --enable-helm ./kind > "${kustomized}"
+kubectl kustomize --enable-helm "k8s/nginx" >> "${kustomized}"
 kubectl apply -f "${kustomized}" --server-side || true
-kubectl wait --for=condition=Ready pods -n cert-manager -l app=cert-manager --timeout 5m
-kubectl wait --for=condition=Ready pods -n cert-manager -l app=cainjector --timeout 5m
-kubectl wait --for=condition=Ready pods -n cert-manager -l app=webhook --timeout 5m
-kubectl wait --for=condition=Ready pods --all -n external-secrets --timeout=5m
-kubectl apply -f "${kustomized}" --server-side
-kubectl wait --for=condition=Ready pods --all --timeout=5m
+printf "\nWait for pod app.kubernetes.io/component=controller to be created."
+while :; do
+ sleep 2
+ [ -n "$(kubectl -n ingress-nginx get pod --selector=app.kubernetes.io/component=controller 2>/dev/null)" ] && printf "\n\n" && break
+ printf "."
+done
+echo "Wait for nginx to be available."
+until [[ $(kubectl -n ingress-nginx get endpointslices -l 'kubernetes.io/service-name=ingress-nginx-controller' -o=jsonpath='{.items[*].endpoints[*].addresses[*]}') ]]; do sleep 5; done
+kustomized="$(mktemp -t unboundinfra.yaml.XXXXXX)"
+kubectl kustomize --enable-helm "k8s/infra" >> "${kustomized}"
+kubectl apply -f "${kustomized}" --server-side || true
+printf "\nWait for pod app.kubernetes.io/instance=cert-manager to be created."
+while :; do
+ sleep 2
+ [ -n "$(kubectl -n cert-manager get pod --selector=app.kubernetes.io/instance=cert-manager 2>/dev/null)" ] && printf "\n\n" && break
+ printf "."
+done
+kubectl wait --for=condition=Ready pods -n cert-manager -l app=cert-manager --timeout 4m
+kubectl wait --for=condition=Ready pods -n cert-manager -l app=cainjector --timeout 4m
+kubectl wait --for=condition=Ready pods -n cert-manager -l app=webhook --timeout 4m
+kubectl wait --for=condition=Ready pods --all -n external-secrets --timeout=5m
+# Apply again to get any CRD's that wasn't applied earlier since the definitions wasn't available
+kubectl apply -f "${kustomized}" --server-side || true
+kubectl apply -k k8s/app --server-side
+kubectl wait --for=condition=Ready pods -n cert-manager -l app=cert-manager --timeout 4m
+kubectl wait --for=condition=Ready pods -n cert-manager -l app=cainjector --timeout 4m
+kubectl wait --for=condition=Ready pods -n cert-manager -l app=webhook --timeout 4m
+kubectl wait --for=condition=Ready pods --all -n external-secrets --timeout=5m
+kubectl wait --for=condition=Ready pods --all -n default --timeout 3m
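Review bot: The two `while :; do … done` polling loops and the `until [[ $(kubectl -n ingress-nginx get endpointslices …) ]]; do sleep 5; done` loop have no upper bound, so a rollout that never produces a pod or an endpoint leaves `setup` printing dots forever, whereas the `kubectl wait … --timeout 5m` lines they replace gave up after five minutes; each loop needs a deadline, sketched below for the two pod-creation loops (the `until` loop wants the same treatment). The re-apply after the `# Apply again …` comment is now `kubectl apply -f "${kustomized}" --server-side || true`, which unlike the removed `kubectl apply -f "${kustomized}" --server-side` swallows a genuine failure of the second pass, so that `|| true` should be dropped there and kept only on the first, pre-CRD attempt. The `>>` on both `kubectl kustomize --enable-helm … >> "${kustomized}"` lines appends to a file `mktemp` has just created empty, so `>` states the intent more plainly. Nothing in the hunk removes either rendered manifest afterwards, and because `kustomized` is reused a single `trap 'rm -f -- "${kustomized}"' EXIT` would only catch the second file, so two variables (or removing the first file when the second is created) are needed; the script head, including any `set -e`, lies outside the hunk.
```shell
# Poll until a pod matching selector $2 exists in namespace $1; fail after $3 seconds (default 300).
wait_for_pod_created() {
  local ns=$1 selector=$2 deadline=$(( SECONDS + ${3:-300} ))
  printf '\nWait for pod %s to be created.' "$selector"
  while [ -z "$(kubectl -n "$ns" get pod --selector="$selector" 2>/dev/null)" ]; do
    if (( SECONDS >= deadline )); then
      printf '\ntimed out waiting for %s in namespace %s\n' "$selector" "$ns" >&2
      return 1
    fi
    printf '.'
    sleep 2
  done
  printf '\n\n'
}

wait_for_pod_created ingress-nginx app.kubernetes.io/component=controller
# … unchanged: nginx endpoint wait, infra render and first apply …
wait_for_pod_created cert-manager app.kubernetes.io/instance=cert-manager
```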