Add cert-manager

services/2-essential/2-certificate-manager/1-namespace.yaml

@@ -0,0 +1,5 @@
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+  name: cert-manager

services/2-essential/2-certificate-manager/2-custom-resource-definitions.yaml

@@ -0,0 +1,77 @@
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+  name: certificates.certmanager.k8s.io
+  labels:
+    app.kubernetes.io/name: cert-manager
+spec:
+  group: certmanager.k8s.io
+  version: v1alpha1
+  scope: Namespaced
+  names:
+    kind: Certificate
+    plural: certificates
+    shortNames:
+      - cert
+      - certs
+
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+  name: issuers.certmanager.k8s.io
+  labels:
+    app.kubernetes.io/name: cert-manager
+spec:
+  group: certmanager.k8s.io
+  version: v1alpha1
+  scope: Namespaced
+  names:
+    kind: Issuer
+    plural: issuers
+
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+  name: clusterissuers.certmanager.k8s.io
+  labels:
+    app.kubernetes.io/name: cert-manager
+spec:
+  group: certmanager.k8s.io
+  version: v1alpha1
+  scope: Cluster
+  names:
+    kind: ClusterIssuer
+    plural: clusterissuers
+
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+  name: orders.certmanager.k8s.io
+  labels:
+    app.kubernetes.io/name: cert-manager
+spec:
+  group: certmanager.k8s.io
+  version: v1alpha1
+  scope: Namespaced
+  names:
+    kind: Order
+    plural: orders
+
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+  name: challenges.certmanager.k8s.io
+  labels:
+    app.kubernetes.io/name: cert-manager
+spec:
+  group: certmanager.k8s.io
+  version: v1alpha1
+  scope: Namespaced
+  names:
+    kind: Challenge
+    plural: challenges

services/2-essential/2-certificate-manager/3-rbac.yaml

@@ -0,0 +1,43 @@
+---
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  name: cert-manager
+  namespace: cert-manager
+  labels:
+    app.kubernetes.io/name: cert-manager
+
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: cert-manager
+  labels:
+    app.kubernetes.io/name: cert-manager
+rules:
+  - apiGroups: ['certmanager.k8s.io']
+    resources: [certificates, issuers, clusterissuers, orders, challenges]
+    verbs: ['*']
+  - apiGroups: ['']
+    resources: [configmaps, secrets, events, services, pods]
+    verbs: ['*']
+  - apiGroups: [extensions, networking.k8s.io]
+    resources: [ingresses]
+    verbs: ['*']
+
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: cert-manager
+  labels:
+    app.kubernetes.io/name: cert-manager
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cert-manager
+subjects:
+  - name: cert-manager
+    namespace: cert-manager
+    kind: ServiceAccount
+

services/2-essential/2-certificate-manager/4-deployment.yaml

@@ -0,0 +1,36 @@
+---
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+  name: cert-manager
+  namespace: cert-manager
+  labels:
+    app.kubernetes.io/name: cert-manager
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: cert-manager
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: cert-manager
+    spec:
+      serviceAccountName: cert-manager
+      nodeSelector:
+        kubernetes.io/role: worker
+      containers:
+        - name: cert-manager
+          image: 'quay.io/jetstack/cert-manager-controller:v0.6.0-alpha.0'
+          args:
+            - '--cluster-resource-namespace=$(POD_NAMESPACE)'
+            - '--leader-election-namespace=$(POD_NAMESPACE)'
+          env:
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+          resources:
+            requests:
+              cpu: 10m
+              memory: 32Mi

services/2-essential/2-certificate-manager/README.md

@@ -1 +1,41 @@
 # Certificate manager
+
+Our `Ingress` controller has support for supplying the `Ingress` resources with server certificates. However, it would be nice if we could automatically have certificates generated for us by Let's Encrypt for `Ingress` resources of our choosing. Not-so-surprisingly, there is a service for just that! It's called [cert-manager](https://github.com/jetstack/cert-manager).
+
+
+## Install
+
+```yaml
+$ kubectl apply -f .
+```
+
+
+## Usage
+
+The manager will look for `Ingress` resources that are annotated with `certmanager.k8s.io/cluster-issuer` and use its value as the issuer. Here is an example:
+
+```yaml
+kind: Ingress
+apiVersion: networking.k8s.io/v1beta1
+metadata:
+  name: my-application
+  namespace: my-namespace
+  annotations:
+    kubernetes.io/ingress.class: external
+    certmanager.k8s.io/cluster-issuer: letsencrypt
+spec:
+  rules:
+    - host: example.com
+      http:
+        paths:
+          - path: /
+            backend:
+              serviceName: my-application
+              servicePort: 8080
+  tls:
+    - secretName: my-application-cert
+      hosts:
+        - example.com
+```
+
+The manager will create a secret with the same name as the `Ingress` resource but with the `-cert` suffix. When first creating the `Ingress` resource, your `Ingress` controller might complain that the secret is missing. This will shortly be fixed if the certificate generation process succeeds.

services/2-essential/README.md

@@ -1,6 +1,6 @@
 # Essential services
 
-???
+Essential services aren't required to have a working cluster, but without them you won't be able to do much of the things that you probably want to do.
 
 
 ## Services

services/README.md

@@ -18,7 +18,7 @@ Mandatory services are required to actually run anything properly in the cluster
 Essential services aren't required to have a working cluster, but without them you won't be able to do much of the things that you probably want to do.
 
 * Authentication
-* Certificate manager
+* [Certificate manager](./2-essential/2-certificate-manager)
 * Dynamic storage provider
 * Descheduler