gsdavidp/home-server
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Refactor noble cluster configurations by removing deprecated Argo CD application management files and transitioning to a streamlined Ansible-driven installation approach. Update kustomization.yaml files to reflect the new structure, ensuring clarity on resource management. Introduce new namespaces and configurations for cert-manager, external-secrets, and logging components, enhancing the overall deployment process. Add detailed README.md documentation for each component to guide users through the setup and management of the noble lab environment.

Browse Source
This commit is contained in:
Nikholas Pcenicni
2026-03-28 17:02:50 -04:00
parent 41841abc84
commit 90fd8fb8a6
59 changed files with 28 additions and 38 deletions
Download Patch File Download Diff File Expand all files Collapse all files

53
clusters/noble/bootstrap/cert-manager/README.md Normal file
View File

@@ -0,0 +1,53 @@
# cert-manager — noble
**Prerequisites:** **Traefik** (ingress class **`traefik`**), DNS for **`*.apps.noble.lab.pcenicni.dev`** → Traefik LB for app traffic.
**ACME (Lets Encrypt)** uses **DNS-01** via **Cloudflare** for zone **`pcenicni.dev`**. Create an API token with **Zone → DNS → Edit** and **Zone → Zone → Read** (or use the “Edit zone DNS” template), then:
**Option A — Ansible:** copy **`.env.sample`** to **`.env`** in the repo root, set **`CLOUDFLARE_DNS_API_TOKEN`**, run **`ansible/playbooks/noble.yml`** (or **`deploy.yml`**). The **cert-manager** role creates **cloudflare-dns-api-token** from `.env` after the chart installs.
**Option B — kubectl:**
```bash
kubectl -n cert-manager create secret generic cloudflare-dns-api-token \
--from-literal=api-token='YOUR_CLOUDFLARE_API_TOKEN' \
--dry-run=client -o yaml | kubectl apply -f -
```
Without this Secret, **`ClusterIssuer`** will not complete certificate orders.
1. Create the namespace:
```bash
kubectl apply -f clusters/noble/apps/cert-manager/namespace.yaml
```
2. Install the chart (CRDs included via `values.yaml`):
```bash
helm repo add jetstack https://charts.jetstack.io
helm repo update
helm upgrade --install cert-manager jetstack/cert-manager \
--namespace cert-manager \
--version v1.20.0 \
-f clusters/noble/apps/cert-manager/values.yaml \
--wait
```
3. Optionally edit **`spec.acme.email`** in both ClusterIssuer manifests (default **`certificates@noble.lab.pcenicni.dev`**) — Lets Encrypt uses this for expiry and account notices. Do **not** use **`example.com`** (ACME rejects it).
4. Apply ClusterIssuers (staging then prod, or both):
```bash
kubectl apply -k clusters/noble/apps/cert-manager
```
5. Confirm:
```bash
kubectl get clusterissuer
```
Use **`cert-manager.io/cluster-issuer: letsencrypt-staging`** on Ingresses while testing; switch to **`letsencrypt-prod`** when ready.
**HTTP-01** is not configured: if the hostname is **proxied** (orange cloud) in Cloudflare, Lets Encrypt may hit Cloudflares edge and get **404** for `/.well-known/acme-challenge/`. DNS-01 avoids that.