commit ef0d1af353615e5c365035ad18375fa4ebf8fccf Author: argocd Date: Wed Feb 4 05:13:41 2026 +0800 Add HTTPS configuration with cert-manager - cert-manager namespace - ClusterIssuer for Let's Encrypt (prod and staging) - HTTPS Ingress for ArgoCD, Gitea, and test-app - Automatic certificate management Co-Authored-By: Claude Sonnet 4.5
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..5122a70
--- /dev/null
+++ b/README.md
@@ -0,0 +1,24 @@
+# HTTPS配置 - GitOps方式
+
+## 方案说明
+
+使用ArgoCD管理cert-manager,实现完全GitOps化的HTTPS配置。
+
+## 架构
+
+Git仓库 -> ArgoCD监控 -> 自动部署cert-manager -> 自动申请证书 -> HTTPS启用
+
+## 特点
+
+- 完全GitOps化
+- 支持幂等性
+- 配置存储在Git
+- 自动续期证书
+- 修改Git自动更新
+
+## 部署步骤
+
+1. 推送到Gitea
+2. 创建ArgoCD应用
+3. ArgoCD自动部署
+4. 自动申请证书
diff --git a/manifests/01-namespace.yaml b/manifests/01-namespace.yaml
new file mode 100644
index 0000000..c90416f
--- /dev/null
+++ b/manifests/01-namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cert-manager
diff --git a/manifests/02-cert-manager.yaml b/manifests/02-cert-manager.yaml
new file mode 100644
index 0000000..5528af0
--- /dev/null
+++ b/manifests/02-cert-manager.yaml
@@ -0,0 +1,35 @@
+# cert-manager installation
+# This will be applied by ArgoCD
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: cert-manager
+ namespace: cert-manager
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: cert-manager
+rules:
+ - apiGroups: ["cert-manager.io"]
+ resources: ["*"]
+ verbs: ["*"]
+ - apiGroups: [""]
+ resources: ["secrets", "events", "configmaps"]
+ verbs: ["*"]
+ - apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: cert-manager
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cert-manager
+subjects:
+ - kind: ServiceAccount
+ name: cert-manager
+ namespace: cert-manager
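Review bot: manifests/02-cert-manager.yaml contains only a ServiceAccount, a ClusterRole and a ClusterRoleBinding — no Deployment, no CRDs, no webhook — so nothing in this commit actually runs cert-manager, and the `cert-manager.io/v1` ClusterIssuer objects added alongside it will fail to apply unless the CRDs were installed some other way outside this repository. The header comment `# cert-manager installation` is therefore misleading; either point ArgoCD at the upstream cert-manager manifests or Helm chart, or reword it to `# RBAC only; cert-manager itself (CRDs, controller, webhook) is installed separately`. Separately, the ClusterRole grants `verbs: ["*"]` on `secrets` and `configmaps` in every namespace to a ServiceAccount that no workload in this commit binds to, which is standing cluster-wide secret write access with no consumer; as far as I recall, upstream cert-manager enumerates the verbs it needs and keeps its leader-election ConfigMap access in a namespaced Role. I would replace the wildcards with the explicit verb list the controller needs and move `configmaps` to a Role scoped to the cert-manager namespace.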
diff --git a/manifests/03-clusterissuer.yaml b/manifests/03-clusterissuer.yaml
new file mode 100644
index 0000000..e5e3d2a
--- /dev/null
+++ b/manifests/03-clusterissuer.yaml
@@ -0,0 +1,34 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-prod
+spec:
+ acme:
+ # Let's Encrypt production server
+ server: https://acme-v02.api.letsencrypt.org/directory
+ # Email for certificate expiration notifications
+ email: admin@jpc.net3w.com
+ # Secret to store ACME account private key
+ privateKeySecretRef:
+ name: letsencrypt-prod
+ # HTTP-01 challenge
+ solvers:
+ - http01:
+ ingress:
+ class: traefik
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-staging
+spec:
+ acme:
+ # Let's Encrypt staging server (for testing)
+ server: https://acme-staging-v02.api.letsencrypt.org/directory
+ email: admin@jpc.net3w.com
+ privateKeySecretRef:
+ name: letsencrypt-staging
+ solvers:
+ - http01:
+ ingress:
+ class: traefik
diff --git a/manifests/04-ingress-argocd-tls.yaml b/manifests/04-ingress-argocd-tls.yaml
new file mode 100644
index 0000000..677ce86
--- /dev/null
+++ b/manifests/04-ingress-argocd-tls.yaml
@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: argocd-server-tls
+ namespace: argocd
+ annotations:
+ traefik.ingress.kubernetes.io/router.entrypoints: websecure
+ traefik.ingress.kubernetes.io/router.tls: "true"
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+spec:
+ tls:
+ - hosts:
+ - argocd.jpc.net3w.com
+ secretName: argocd-tls-cert
+ rules:
+ - host: argocd.jpc.net3w.com
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: argocd-server
+ port:
+ number: 80
diff --git a/manifests/05-ingress-gitea-tls.yaml b/manifests/05-ingress-gitea-tls.yaml
new file mode 100644
index 0000000..daba215
--- /dev/null
+++ b/manifests/05-ingress-gitea-tls.yaml
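Review bot: The `letsencrypt-staging` ClusterIssuer is defined but nothing in this commit references it — all three Ingresses use `letsencrypt-prod` directly, so a broken solver (wrong ingress class, DNS not yet pointed at the cluster) would retry against Let's Encrypt production and consume the shared duplicate-certificate and per-registered-domain rate limits for every host. I would add `# Verify new hosts with letsencrypt-staging first; switch the cluster-issuer annotation to letsencrypt-prod only once the challenge succeeds` above the staging document. Both issuers are also cluster-scoped, so any Ingress in any namespace can request issuance for whatever hostname it declares; that is fine for a single-tenant cluster but deserves a comment if other teams are given namespace access. The email and `privateKeySecretRef` secret names are otherwise consistent between the two documents.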
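Review bot: The Ingress terminates TLS at Traefik and forwards plain HTTP to `argocd-server` on port 80, but argocd-server by default serves TLS itself and redirects HTTP to HTTPS, which yields a redirect loop unless it runs with `server.insecure: "true"` (or the ingress uses TLS passthrough); the argocd-server configuration is not in this commit, so please confirm which mode it runs in. Only the `websecure` entrypoint is attached and there is no HTTP-to-HTTPS redirect, so `http://argocd.jpc.net3w.com` is either served by a pre-existing plain-HTTP Ingress or returns nothing, and a stale HTTP Ingress would keep exposing the login page without TLS. I would record the dependency inline as `# TLS terminates at Traefik; argocd-server must run with --insecure (server.insecure: "true")` above the backend block and either add a Traefik redirect middleware or note that the old HTTP Ingress is removed.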
@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: gitea-tls
+ namespace: gitea
+ annotations:
+ traefik.ingress.kubernetes.io/router.entrypoints: websecure
+ traefik.ingress.kubernetes.io/router.tls: "true"
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+spec:
+ tls:
+ - hosts:
+ - git.jpc.net3w.com
+ secretName: gitea-tls-cert
+ rules:
+ - host: git.jpc.net3w.com
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: gitea-http
+ port:
+ number: 3000
diff --git a/manifests/06-ingress-test-app-tls.yaml b/manifests/06-ingress-test-app-tls.yaml
new file mode 100644
index 0000000..ebc4ae2
--- /dev/null
+++ b/manifests/06-ingress-test-app-tls.yaml
@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: test-app-tls
+ namespace: default
+ annotations:
+ traefik.ingress.kubernetes.io/router.entrypoints: websecure
+ traefik.ingress.kubernetes.io/router.tls: "true"
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+spec:
+ tls:
+ - hosts:
+ - test.jpc.net3w.com
+ secretName: test-app-tls-cert
+ rules:
+ - host: test.jpc.net3w.com
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: test-app
+ port:
+ number: 80
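Review bot: With TLS terminated at Traefik and plain HTTP sent to `gitea-http:3000`, Gitea will still build clone URLs, redirects and its origin checks from its configured ROOT_URL, so unless that setting is `https://git.jpc.net3w.com` users get http:// links and possibly rejected form posts; the Gitea configuration is outside this commit, so please confirm it was updated. The Ingress is attached only to the `websecure` entrypoint with no HTTP-to-HTTPS redirect, so `http://git.jpc.net3w.com` either hits an older HTTP Ingress (still exposing credentials in clear text) or gets no route. I would add `# Gitea ROOT_URL must be https://git.jpc.net3w.com; TLS terminates at Traefik` above `spec:` and either remove the old HTTP Ingress or attach a redirect middleware.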
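Review bot: The test app in the `default` namespace is wired to `letsencrypt-prod`, even though this commit defines a `letsencrypt-staging` issuer for exactly this purpose; Let's Encrypt production rate limits are shared across the registered domain, so repeated failed challenges on a throwaway host would block renewals for the ArgoCD and Gitea certificates. Change `cert-manager.io/cluster-issuer: letsencrypt-prod` to `cert-manager.io/cluster-issuer: letsencrypt-staging` here, or keep the test Ingress out of the production manifest set altogether. Running it in `default` alongside a cluster-scoped issuer also means anyone who can create Ingresses there can request certificates for any name pointed at the cluster, which is worth a comment if that namespace is shared.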