Upgrade cert-manager to the latest version

The older version we used had a too old version of the ACME client, which has been blocked
due to excessive calls.

services/10-cluster/cert-manager/README.md

@@ -0,0 +1,78 @@
+# Certificate manager
+
+I'm using [cert-manager](https://github.com/jetstack/cert-manager) to automatically get SSL certificates for our ingresses. I configure the certificate manager to use Lets Encrypt as certificate issuer.
+
+
+## Installation
+
+We use Helm 3 to install cert-manager:
+
+```
+$ kubectl apply --validate=false -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.12/deploy/manifests/00-crds.yaml
+$ kubectl create namespace cert-manager
+$ helm repo add jetstack https://charts.jetstack.io
+$ helm install cert-manager jetstack/cert-manager --namespace cert-manager --version v0.12.0 --values helm-values.yaml
+$ kubectl apply -f issuers.yaml
+```
+
+For any future upgrades, this command can be used:
+
+```
+$ helm upgrade cert-manager jetstack/cert-manager --namespace cert-manager --version v0.12.0 --values helm-values.yaml
+```
+
+Note: I've disabled the `webhook` component, because I didn't get it to work properly. It's not recommended, but it's viable option. Read more [here](https://cert-manager.io/docs/installation/compatibility/#disabling-webhook).
+
+
+## Using it
+
+To use dynamic SSL certificates, you create `Certificate` resources. These resources will in turn generate `Secret` resources that you can use in your tls-configuration. Here is an example:
+
+```yaml
+---
+kind: Certificate
+apiVersion: cert-manager.io/v1alpha2
+metadata:
+  name: some-service
+  namespace: test
+spec:
+  secretName: some-service-certificate
+  dnsNames:
+    - some-external-domain.com
+  issuerRef:
+    name: letsencrypt
+    kind: ClusterIssuer
+    group: cert-manager.io
+
+---
+kind: Ingress
+apiVersion: networking.k8s.io/v1beta1
+metadata:
+  name: some-service
+  namespace: test
+  labels:
+    app.kubernetes.io/name: some-service
+  annotations:
+    kubernetes.io/ingress.class: external
+spec:
+  rules:
+    - host: some-external-domain.com
+      http:
+        paths:
+          - path: /
+            backend:
+              serviceName: some-service
+              servicePort: 8080
+  tls:
+    - secretName: some-service-certificate
+      hosts:
+        - some-external-domain.com
+```
+
+
+### Issuers
+
+I have the following cluster issuers:
+
+* `letsencrypt`
+* `letsencrypt-staging` (useful only for testing cert-manager upgrades and similar)

services/10-cluster/cert-manager/helm-values.yaml

@@ -0,0 +1,3 @@
+webhook:
+  enabled: false
+

services/10-cluster/cert-manager/issuers.yaml

@@ -0,0 +1,31 @@
+---
+kind: ClusterIssuer
+apiVersion: cert-manager.io/v1alpha2
+metadata:
+  name: letsencrypt-staging
+spec:
+  acme:
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    email: hello@anton-johansson.com
+    privateKeySecretRef:
+      name: letsencrypt-staging
+    solvers:
+      - http01:
+          ingress:
+            class: external
+
+---
+kind: ClusterIssuer
+apiVersion: cert-manager.io/v1alpha2
+metadata:
+  name: letsencrypt
+spec:
+  acme:
+    server: https://acme-v02.api.letsencrypt.org/directory
+    email: hello@anton-johansson.com
+    privateKeySecretRef:
+      name: letsencrypt
+    solvers:
+      - http01:
+          ingress:
+            class: external

services/20-core/home-assistant/40-certificate.yaml

@@ -0,0 +1,16 @@
+---
+kind: Certificate
+apiVersion: cert-manager.io/v1alpha2
+metadata:
+  name: home-assistant
+  namespace: home-assistant
+  labels:
+    app.kubernetes.io/name: home-assistant
+spec:
+  secretName: home-assistant-certificate
+  dnsNames:
+    - home.anton-johansson.com
+  issuerRef:
+    name: letsencrypt
+    kind: ClusterIssuer
+    group: cert-manager.io

services/20-core/home-assistant/40-ingress.yaml → services/20-core/home-assistant/50-ingress.yaml

@@ -8,7 +8,6 @@ metadata:
     app.kubernetes.io/name: home-assistant
   annotations:
     kubernetes.io/ingress.class: external
-    certmanager.k8s.io/cluster-issuer: letsencrypt
 spec:
   rules:
     - host: home.anton-johansson.com
@@ -19,6 +18,6 @@ spec:
               serviceName: home-assistant
               servicePort: 8123
   tls:
-    - secretName: home-assistant-cert
+    - secretName: home-assistant-certificate
       hosts:
         - home.anton-johansson.com

services/30-metrics/grafana/50-certificate.yaml

@@ -0,0 +1,16 @@
+---
+kind: Certificate
+apiVersion: cert-manager.io/v1alpha2
+metadata:
+  name: grafana
+  namespace: grafana
+  labels:
+    app.kubernetes.io/name: grafana
+spec:
+  secretName: grafana-certificate
+  dnsNames:
+    - grafana.anton-johansson.com
+  issuerRef:
+    name: letsencrypt
+    kind: ClusterIssuer
+    group: cert-manager.io

services/30-metrics/grafana/50-ingress.yaml → services/30-metrics/grafana/60-ingress.yaml

@@ -8,7 +8,6 @@ metadata:
     app.kubernetes.io/name: grafana
   annotations:
     kubernetes.io/ingress.class: external
-    certmanager.k8s.io/cluster-issuer: letsencrypt
 spec:
   rules:
     - host: grafana.anton-johansson.com
@@ -19,6 +18,6 @@ spec:
               serviceName: grafana
               servicePort: 3000
   tls:
-    - secretName: grafana-cert
+    - secretName: grafana-certificate
       hosts:
         - grafana.anton-johansson.com