
Commit cb5d4f2

Upgrade ingress-nginx and configure DNS-based certificate validation (#378)
1 parent 5f45884 commit cb5d4f2

1 file changed

+29
-1
lines changed


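--- a/deploy/group_vars/all.yml
+++ b/deploy/group_vars/all.yml
@@ -86,9 +86,37 @@ k8s_iam_users: [copelco]
 # Pin ingress-nginx and cert-manager to current versions so future upgrades of this
 # role will not upgrade these charts without your intervention:
 # https://github.com/kubernetes/ingress-nginx/releases
-k8s_ingress_nginx_chart_version: "4.13.0"
+k8s_ingress_nginx_chart_version: "4.14.1"
 # https://github.com/jetstack/cert-manager/releases
 k8s_cert_manager_chart_version: "v1.18"
+k8s_cert_manager_solvers:
+- selector:
+# Use *dnsZones* (not dnsNames) to match on any subdomain. Note that individual
+# _acme-challenge CNAME records will still need to be created for each subdomain, e.g.:
+#
+# Production:
+# _acme-challenge.nccopwatch.org CNAME _acme-challenge.acme.nccopwatch.org
+# _acme-challenge.www.nccopwatch.org CNAME _acme-challenge.www.acme.nccopwatch.org
+#
+# Staging:
+# _acme-challenge.staging.nccopwatch.org CNAME _acme-challenge.acme.nccopwatch.org
+#
+# https://cert-manager.io/docs/reference/api-docs/#acme.cert-manager.io/v1.CertificateDNSNameSelector
+# (Unlike the documentation, we prefer different values for each CNAME to avoid the
+# potential for conflicts when attempting to solve multiple challenges simultaneously.)
+dnsZones:
+- nccopwatch.org
+dns01:
+# Follow CNAMEs (use delegation) so we can provide access only to a less privileged DNS zone:
+# https://cert-manager.io/docs/configuration/acme/dns01/#delegated-domains-for-dns01
+cnameStrategy: Follow
+route53:
+region: us-east-2 # What is this used for? Zones are global...
+# acme.nccopwatch.org access granted by container instance role
+hostedZoneID: Z0716299GIIMBNJ5C3G8
+# Keep HTTP-01 solver as a fallback in case of DNS issues.
+# https://cert-manager.io/docs/configuration/acme/#adding-multiple-solver-types
+- "{{ k8s_cert_manager_http01_solver }}"
 # AWS only:
 # Use the newer load balancer type (NLB). DO NOT edit k8s_aws_load_balancer_type after
 # creating your Service.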
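Review bot: The new `region:` line under `route53:` is committed with an unresolved question in its comment (`# What is this used for? Zones are global...`); settle it before merging rather than leaving the doubt in the file. As far as I know the value only configures the AWS SDK client that cert-manager builds for its Route53 calls, so `region: us-east-2  # Region for the AWS SDK client; Route53 itself is global` would document it — confirm against the cert-manager route53 docs for v1.18. The `# acme.nccopwatch.org access granted by container instance role` comment implies the credentials come from the node's instance profile, which any pod on that node can reach through the instance metadata service unless it is restricted, so a pod-scoped identity for the cert-manager service account would keep write access to the delegated zone limited to the one workload that needs it (the delegated zone already bounds the blast radius, which is good). Worth noting next to that comment as well: cert-manager only uses ambient credentials for a ClusterIssuer by default, and an Issuer needs the controller's `--issuer-ambient-credentials` flag — the hunk does not show which kind this role creates. The whole `k8s_cert_manager_solvers` value is within the hunk.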
