feat(sftpgo): add TLS support and internal certificate management

This commit is contained in:
2025-05-08 22:36:47 +02:00
parent 4d4f085c3e
commit 9de7d52192
12 changed files with 285 additions and 116 deletions
+88 -7
View File
@@ -22,7 +22,6 @@ resource "kubernetes_service_account" "website_service_account" {
automount_service_account_token = false
}
resource "kubernetes_service" "website" {
for_each = local.websites
metadata {
@@ -31,9 +30,18 @@ resource "kubernetes_service" "website" {
}
spec {
port {
name = "http"
port = 80
target_port = "http"
}
dynamic "port" {
for_each = each.value.tls ? [443] : []
content {
name = "https"
port = 443
target_port = "https"
}
}
selector = {
app = format("website-%s", replace(each.key, ".", "-"))
}
@@ -41,6 +49,29 @@ resource "kubernetes_service" "website" {
}
}
resource "kubernetes_manifest" "internal_cert" {
for_each = {
for k, v in local.websites : k => v if v.tls == true
}
manifest = {
apiVersion = "cert-manager.io/v1"
kind = "Certificate"
metadata = {
name = format("website-%s-tls-internal", replace(each.key, ".", "-"))
namespace = kubernetes_namespace.website.metadata[0].name
}
spec = {
secretName = format("website-%s-tls-internal", replace(each.key, ".", "-"))
issuerRef = {
name = each.value.issuer
kind = "ClusterIssuer"
}
commonName = each.value.domain_name
dnsNames = each.value.fqdn
}
}
}
resource "kubernetes_config_map" "nginx_config" {
metadata {
name = "nginx-config"
@@ -60,7 +91,11 @@ resource "kubernetes_config_map" "nginx_default_config" {
}
data = {
"default.conf" = each.value.config
"default.conf" = coalesce(each.value.config, templatefile("${path.module}/resources/conf.d/default.conf.tpl", {
tls = each.value.tls
fqdn = each.value.domain_name
custom_snippet = each.value.custom_snippet
}))
}
}
@@ -70,10 +105,17 @@ resource "kubernetes_ingress_v1" "website_ingress" {
name = "website-ingress"
namespace = kubernetes_namespace.website.metadata[0].name
annotations = {
annotations = merge({
"kubernetes.io/ingress.class" = "public"
"cert-manager.io/cluster-issuer" = "letsencrypt-prod"
}
},
each.value.tls ? {
"nginx.org/ssl-services" = format("website-%s", replace(each.key, ".", "-"))
"nginx.org/ssl-redirect" = "true"
"nginx.org/redirect-to-https" = "true"
"nginx.ingress.kubernetes.io/backend-protocol" = "HTTPS"
} : {}
)
}
spec {
tls {
@@ -90,7 +132,7 @@ resource "kubernetes_ingress_v1" "website_ingress" {
service {
name = format("website-%s", replace(each.key, ".", "-"))
port {
number = 80
name = each.value.tls ? "https" : "http"
}
}
}
@@ -123,8 +165,13 @@ resource "kubernetes_deployment" "website" {
app = format("website-%s", replace(each.key, ".", "-"))
}
annotations = {
"checksum/nginx" = local.nginx_config_checksum
"checksum/default" = sha256(each.value.config)
"checksum/nginx" = local.nginx_config_checksum
"checksum/default" = sha256(coalesce(each.value.config, templatefile("${path.module}/resources/conf.d/default.conf.tpl", {
tls = each.value.tls
fqdn = each.value.domain_name
custom_snippet = each.value.custom_snippet
}))
)
}
}
spec {
@@ -175,6 +222,14 @@ resource "kubernetes_deployment" "website" {
container_port = 8080
name = "http"
}
dynamic "port" {
for_each = each.value.tls ? [443] : []
content {
container_port = 8443
name = "https"
}
}
volume_mount {
name = "nginx"
mount_path = "/etc/nginx/nginx.conf"
@@ -192,6 +247,14 @@ resource "kubernetes_deployment" "website" {
mount_path = "/tmp/site"
read_only = true
}
dynamic "volume_mount" {
for_each = each.value.tls ? [443] : []
content {
name = "tls"
mount_path = "/etc/ssl/certs/private"
read_only = true
}
}
}
volume {
name = "nginx"
@@ -211,9 +274,27 @@ resource "kubernetes_deployment" "website" {
path = format("%s/%s", local.websites_path, each.key)
}
}
dynamic "volume" {
for_each = each.value.tls ? [443] : []
content {
name = "tls"
secret {
secret_name = kubernetes_manifest.internal_cert[each.key].manifest["metadata"]["name"]
items {
key = "tls.crt"
path = "tls.crt"
}
items {
key = "tls.key"
path = "tls.key"
}
}
}
}
}
}
}
lifecycle {
ignore_changes = [spec[0].template[0].metadata[0].annotations["kubectl.kubernetes.io/restartedAt"]]
}
@@ -1,7 +1,12 @@
server {
listen 8080;
server_name localhost;
%{ if tls ~}
listen 8443 ssl;
ssl_certificate /etc/ssl/certs/private/tls.crt;
ssl_certificate_key /etc/ssl/certs/private/tls.key;
ssl_protocols TLSv1.2 TLSv1.3;
%{ endif ~}
server_name ${fqdn};
gzip on;
gzip_comp_level 9;
gzip_types
@@ -16,18 +21,17 @@ server {
application/xml
application/rss+xml
image/svg+xml;
root /tmp/site;
%{ if custom_snippet != "" ~}
${custom_snippet}
%{ endif ~}
location / {
index index.html index.htm;
}
location ~* ^/([^/]+) {
index index.html index.htm;
error_page 404 = @error;
}
error_page 404 /404.html;
location @error {
try_files /$1/404.html /404.html =404;
+7 -3
View File
@@ -12,8 +12,12 @@ variable "tag" {
variable "websites" {
description = "A list of websites to be deployed"
type = map(object({
domain_name = string
fqdn = list(string)
config = optional(string, "")
domain_name = string
fqdn = list(string)
config = optional(string, "")
tls = optional(bool, false)
issuer = optional(string, "internal-ca")
custom_snippet = optional(string, "")
}))
}