Add HTTPS configuration with cert-manager

- cert-manager namespace
- ClusterIssuer for Let's Encrypt (prod and staging)
- HTTPS Ingress for ArgoCD, Gitea, and test-app
- Automatic certificate management

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-04 05:13:41 +08:00
commit ef0d1af353
7 changed files with 172 additions and 0 deletions

README.md Normal file

@@ -0,0 +1,24 @@
# HTTPS配置 - GitOps方式
## 方案说明
使用ArgoCD管理cert-manager实现完全GitOps化的HTTPS配置。
## 架构
Git仓库 -> ArgoCD监控 -> 自动部署cert-manager -> 自动申请证书 -> HTTPS启用
## 特点
- 完全GitOps化
- 支持幂等性
- 配置存储在Git
- 自动续期证书
- 修改Git自动更新
## 部署步骤
1. 推送到Gitea
2. 创建ArgoCD应用
3. ArgoCD自动部署
4. 自动申请证书
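Review bot: step 2 ("create the ArgoCD application") refers to an ArgoCD Application manifest that is not among the 7 files in this commit, so the procedure cannot be reproduced from the repository alone; add the Application (repo URL, path, sync policy) or document the exact `argocd app create` command. The architecture line also implies an ordering (deploy cert-manager, then request certificates) that ArgoCD will not enforce by itself: the `ClusterIssuer` and the annotated Ingresses must be synced only after the cert-manager CRDs and controller are healthy, so either split them into two Applications or annotate the issuer and Ingresses with `argocd.argoproj.io/sync-wave` so they land in a later wave.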


@@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: cert-manager


@@ -0,0 +1,35 @@
# cert-manager installation
# This will be applied by ArgoCD
apiVersion: v1
kind: ServiceAccount
metadata:
name: cert-manager
namespace: cert-manager
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cert-manager
rules:
- apiGroups: ["cert-manager.io"]
resources: ["*"]
verbs: ["*"]
- apiGroups: [""]
resources: ["secrets", "events", "configmaps"]
verbs: ["*"]
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cert-manager
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cert-manager
subjects:
- kind: ServiceAccount
name: cert-manager
namespace: cert-manager
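Review bot: the header comment says "cert-manager installation", but the hunk contains only a ServiceAccount, a ClusterRole and a ClusterRoleBinding; there is no Deployment for the controller, webhook or cainjector and no CRDs, so the `ClusterIssuer` objects later in this commit will be rejected by the API server (no kind `ClusterIssuer` in `cert-manager.io/v1`) and nothing would reconcile them even if they were accepted. Install a pinned upstream release (Helm chart or the static `cert-manager.yaml` manifest) as the ArgoCD-managed source and drop this hand-written RBAC. If it is kept anyway, it is both too broad and too narrow: `verbs: ["*"]` on every Secret and ConfigMap cluster-wide is more than upstream grants (upstream splits permissions across several roles and lists the verbs it needs), while the rule set lacks what the HTTP-01 solver in this commit actually uses: `acme.cert-manager.io` (orders, challenges), `networking.k8s.io` ingresses and core `services` to create the solver endpoint, and `coordination.k8s.io` leases for leader election.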


@@ -0,0 +1,34 @@
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-prod
spec:
acme:
# Let's Encrypt production server
server: https://acme-v02.api.letsencrypt.org/directory
# Email for certificate expiration notifications
email: admin@jpc.net3w.com
# Secret to store ACME account private key
privateKeySecretRef:
name: letsencrypt-prod
# HTTP-01 challenge
solvers:
- http01:
ingress:
class: traefik
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-staging
spec:
acme:
# Let's Encrypt staging server (for testing)
server: https://acme-staging-v02.api.letsencrypt.org/directory
email: admin@jpc.net3w.com
privateKeySecretRef:
name: letsencrypt-staging
solvers:
- http01:
ingress:
class: traefik
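Review bot: `solvers[].http01.ingress.class: traefik` makes cert-manager stamp the deprecated `kubernetes.io/ingress.class` annotation on the temporary solver Ingress; if Traefik in this cluster is selected through an `IngressClass` object, use the `ingressClassName` field instead so the solver Ingress is actually picked up. The solver Ingress is served on plain HTTP (port 80, Traefik's `web` entrypoint), whereas every Ingress in this commit is pinned to `websecure`, so confirm `web` is exposed and reachable from the internet for `argocd.`, `git.` and `test.jpc.net3w.com`; otherwise the challenge never validates. Note also that for a `ClusterIssuer` the ACME account keys named in `privateKeySecretRef` (`letsencrypt-prod`, `letsencrypt-staging`) are stored in the controller's own namespace (`cert-manager`), not in the application namespaces, which matters for backup and access control of those Secrets.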


@@ -0,0 +1,25 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: argocd-server-tls
namespace: argocd
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
tls:
- hosts:
- argocd.jpc.net3w.com
secretName: argocd-tls-cert
rules:
- host: argocd.jpc.net3w.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: argocd-server
port:
number: 80
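Review bot: the backend is `argocd-server` port 80 with TLS terminated at Traefik, but by default argocd-server serves TLS itself and redirects plain-HTTP requests to HTTPS, which produces a redirect loop behind this Ingress. Run the server with `server.insecure: "true"` in the `argocd-cmd-params-cm` ConfigMap and include that change in the same commit, since this Ingress depends on it. The `traefik.ingress.kubernetes.io/router.tls: "true"` annotation duplicates what `spec.tls` already triggers; harmless, but it is repeated in all three Ingresses and can be dropped.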


@@ -0,0 +1,25 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: gitea-tls
namespace: gitea
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
tls:
- hosts:
- git.jpc.net3w.com
secretName: gitea-tls-cert
rules:
- host: git.jpc.net3w.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: gitea-http
port:
number: 3000
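Review bot: routing `git.jpc.net3w.com` through Traefik with TLS terminated at the edge only works cleanly if Gitea's `ROOT_URL` is set to `https://git.jpc.net3w.com/`; otherwise it generates HTTP clone URLs, OAuth callbacks and redirects for the proxied host. That setting lives in Gitea's app.ini or Helm values, not in this hunk, so add the values change alongside or record the dependency in the README. Git-over-SSH is not covered by this Ingress (it routes HTTP only), so if SSH clone is expected on `git.jpc.net3w.com` it still needs a separate TCP route or NodePort.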


@@ -0,0 +1,25 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: test-app-tls
namespace: default
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
tls:
- hosts:
- test.jpc.net3w.com
secretName: test-app-tls-cert
rules:
- host: test.jpc.net3w.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: test-app
port:
number: 80
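Review bot: `test-app-tls` is the obvious candidate for the `letsencrypt-staging` issuer defined earlier in this commit, yet it uses `letsencrypt-prod` like the other two Ingresses; point the test app (and, on a first rollout, the others) at `letsencrypt-staging` first so a misconfigured solver or DNS entry does not consume Let's Encrypt production rate limits, and switch to prod once a certificate is issued. The app also lives in `default`; a dedicated namespace would keep the issued `test-app-tls-cert` Secret away from anything else deployed there.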