with manifests

manifests/hub-cacrt.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: hub-ca-crt
+data:
+  ca.crt: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZWRENDQkR5Z0F3SUJBZ0lSQU8xZFc4bHQrOTlOUHMxcVNZM1JzOGN3RFFZSktvWklodmNOQVFFTEJRQXcKY1RFTE1Ba0dBMVVFQmhNQ1ZWTXhNekF4QmdOVkJBb1RLaWhUVkVGSFNVNUhLU0JKYm5SbGNtNWxkQ0JUWldOMQpjbWwwZVNCU1pYTmxZWEpqYUNCSGNtOTFjREV0TUNzR0ExVUVBeE1rS0ZOVVFVZEpUa2NwSUVSdlkzUnZjbVZrCklFUjFjbWxoYmlCU2IyOTBJRU5CSUZnek1CNFhEVEl4TURFeU1ERTVNVFF3TTFvWERUSTBNRGt6TURFNE1UUXcKTTFvd1pqRUxNQWtHQTFVRUJoTUNWVk14TXpBeEJnTlZCQW9US2loVFZFRkhTVTVIS1NCSmJuUmxjbTVsZENCVApaV04xY21sMGVTQlNaWE5sWVhKamFDQkhjbTkxY0RFaU1DQUdBMVVFQXhNWktGTlVRVWRKVGtjcElGQnlaWFJsCmJtUWdVR1ZoY2lCWU1UQ0NBaUl3RFFZSktvWklodmNOQVFFQkJRQURnZ0lQQURDQ0Fnb0NnZ0lCQUxiYWdFZEQKVGExUWdHQldTWWt5TWhzY1pYRU5PQmFWUlRNWDFoY2VKRU5nc0wwTWE0OUQzTWlsSTRLUzM4bXRrbWRGNmNQVwpuTCsrZmdlaFQwRmJSSFpnak9FcjhVQU40akg2b21qcmJURCsrVlpuZVRzTVZhR2FtUW1EZEZsNWcxZ1lhaWdrCmtteDhPaUNPNjhhNFFYZzR3U3luNmlEaXBLUDh1dHNFK3gxRTI4U0E3NUhPWXFwZHJrNEhHeHVVTHZscjAzd1oKR1RJZi9vUnQyL2MrZFltRG9hSmhnZStHT3JMQUVRQnlPNys4K3Z6T3dwTkFQRXg2TFcrY3JFRVo3ZUJYaWg2VgpQMTlzVEd5M3lmcUs1dFB0VGRYWENPUU1LQXArZ0NqL1ZCeWhtSXIrMGlOREM1NDBndHZWMzAzV3BjYndua2tMCllDMEZ0MmNZVXlIdGtzdE9mUmNSTytLMmNab3pvU3dWUHlCOC9KOVJwY1JLM2pnblg5bHVqZndBL3BBYlAwSjIKVVBRRnhtV0ZSUW5GamFxNnJrcWJORUJnTHkra0ZMMU5Fc1JidkZiS3JSaTViWXkybE5tczJOSlBadmROUWJULwoyZEJaS21KcXhIa3hDdU9RRmpoSlFOZU8rTmptMVoxaUFUUy8zcnRzMnlabHFYS3N4UVV6TjZ2TmJEOEtuWFJNCkVlT1hVWXZiVjRscWZDZjhtUzE0V0ViU2lNeTg3R0I1Uzl1Y1NWMVhVcmxURzVVR2NNU1pPQmNFVXBpc1JQRW0KUVdVT1RXSW9EUTVGT2lhL0dJK0tpNTIzcjJydUVtYm1HMzdFQlNCWGR4SWRuZHFyankrUVZBbUNlYnlEeDllVgpFR09JcG4yNmJXNUxLZXJ1bUp4YS9DRkJhS2k0YlJ2bWRKUkxBZ01CQUFHamdmRXdnZTR3RGdZRFZSMFBBUUgvCkJBUURBZ0VHTUE4R0ExVWRFd0VCL3dRRk1BTUJBZjh3SFFZRFZSME9CQllFRkxYelpmTCtzQXFTSC9zOGZmTkUKb0t4akpjTVVNQjhHQTFVZEl3UVlNQmFBRkFoWDJvbkhvbE41REUvZDRKQ1BkTHJpSjNORU1EZ0dDQ3NHQVFVRgpCd0VCQkN3d0tqQW9CZ2dyQmdFRkJRY3dBb1ljYUhSMGNEb3ZMM04wWnkxa2MzUXpMbWt1YkdWdVkzSXViM0puCkx6QXRCZ05WSFI4RUpqQWtNQ0tnSUtBZWhoeG9kSFJ3T2k4dmMzUm5MV1J6ZERNdVl5NXNaVzVqY2k1dmNtY3YKTUNJR0ExVWRJQVFiTUJrd0NBWUdaNEVNQVFJQk1BMEdDeXNHQVFRQmd0OFRBUUVCTUEwR0NTcUdTSWIzRFFFQgpDd1VBQTRJQkFRQjd0UjhCMGVJUVNTNk1oUDVrdXZHdGgrZE4wMkRzSWhyMHlKdGsyZWhJY1BJcVN4UlJtSEdsCjR1MmMzUWx2RXBlUkRwMnc3ZVFkUlRsSS9Xbk5oWTRKT29mcE1mMnp3QUJnQld0QXUwVm9vUWNaWlRwUXJ1aWcKRi96NnhZa0JrM1VIa2plcXh6TU4zZDFFcUd1c3hKb3FnZFRvdVo1WDVRVFRJZWU5blEzTEVoV25SU1hEeDdZMAp0dFIxQkdmY2RxSG9wTzRJQnFBaGJrS1JqRjV6ajdPRDhjRzM1b215d1ViWnRPSm5mdGlJMG5GY1JheGJYbzB2Cm9EZkxEMFM2K0FDMlIzdEtwcWprTlg2LzkxaHJSRmdsVWFreU1jWlUveGxlcWJ2NitMcjNZRDhQc0JUdWI2bEkKb1oybFMzOGZMMThBb240NThmYmMwQlBIdGVuZmhLajUKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo="

manifests/hub-cert.yaml

@@ -0,0 +1,34 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: hub-dev-fixergrid-net-stg
+  namespace: hub
+spec:
+  # Secret names are always required.
+  secretName: hub-dev-stg-cert-tls
+
+  duration: 2160h # 90d
+  renewBefore: 360h # 15d
+  subject:
+    organizations:
+      - Equinix Metal
+  # The use of the common name field has been deprecated since 2000 and is
+  # discouraged from being used.
+  commonName: hub.dev.fixergrid.net
+  isCA: false
+  privateKey:
+    algorithm: RSA
+    encoding: PKCS1
+    size: 2048
+  usages:
+    - server auth
+    - client auth
+  # At least one of a DNS Name, URI, or IP address is required.
+  dnsNames:
+    - hub.dev.fixergrid.net
+  # Issuer references are always required.
+  issuerRef:
+    name: letsencrypt-staging
+    # We can reference ClusterIssuers by changing the kind here.
+    # The default value is Issuer (i.e. a locally namespaced Issuer)
+    kind: ClusterIssuer

manifests/hub.yaml

@@ -0,0 +1,71 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: hub
+  name: hub
+  namespace: hub
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: hub
+  template:
+    metadata:
+      labels:
+        app: hub
+    spec:
+      volumes:
+        - name: server-certs
+          projected:
+            sources:
+              - secret:
+                  name: hub-dev-stg-cert-tls
+              - secret:
+                  name: hub-ca-crt
+      containers:
+      - image: amohd/servicedemon:v2
+        name: servicedemon
+        command: ["/hub"]
+        env:
+          - name: HUB_CA_CERT_FILE
+            value: /etc/hub/certs/ca.crt
+          - name: HUB_SERVER_CERT_FILE
+            value: /etc/hub/certs/tls.crt
+          - name: HUB_SERVER_KEY_FILE
+            value: /etc/hub/certs/tls.key
+        volumeMounts:
+          - name: server-certs
+            mountPath: /etc/hub/certs/
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: hub-svc
+  namespace: hub
+spec:
+  type: ClusterIP
+  selector:
+    app: hub
+  ports:
+    - port: 443
+      targetPort: 3001
+      protocol: "TCP"
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRouteTCP
+metadata:
+  namespace: hub
+  name: hub-dev-fixergrid-net
+spec:
+  entryPoints:
+    - websecure
+  tls:
+    passthrough: true
+  routes:
+  - match: HostSNI(`hub.dev.fixergrid.net`)
+    priority: 1
+    services:
+      - name: hub-svc
+        port: 443
+        weight: 1

manifests/issuer.yaml

@@ -0,0 +1,19 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-staging
+spec:
+  acme:
+    # You must replace this email address with your own.
+    # Let's Encrypt will use this to contact you about expiring
+    # certificates, and issues related to your account.
+    email: adam@fixergrid.net
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      # Secret resource that will be used to store the account's private key.
+      name: dev-fixergrid-net-issuer-account-key
+    # Add a single challenge solver, HTTP01 using nginx
+    solvers:
+    - http01:
+        ingress:
+          ingressClassName: traefik

manifests/my-app-crt.yaml

@@ -0,0 +1,34 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: app-dev-fixergrid-net-stg
+  namespace: app1
+spec:
+  # Secret names are always required.
+  secretName: app1-dev-stg-cert-tls
+
+  duration: 2160h # 90d
+  renewBefore: 360h # 15d
+  subject:
+    organizations:
+      - Equinix Metal
+  # The use of the common name field has been deprecated since 2000 and is
+  # discouraged from being used.
+  commonName: app1.dev.fixergrid.net
+  isCA: false
+  privateKey:
+    algorithm: RSA
+    encoding: PKCS1
+    size: 2048
+  usages:
+    - server auth
+    - client auth
+  # At least one of a DNS Name, URI, or IP address is required.
+  dnsNames:
+    - app1.dev.fixergrid.net
+  # Issuer references are always required.
+  issuerRef:
+    name: letsencrypt-staging
+    # We can reference ClusterIssuers by changing the kind here.
+    # The default value is Issuer (i.e. a locally namespaced Issuer)
+    kind: ClusterIssuer

manifests/my-app.yaml

@@ -0,0 +1,42 @@
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: app1
+  name: app1
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: app1
+  template:
+    metadata:
+      labels:
+        app: app1
+    spec:
+      volumes:
+        - name: server-certs
+          projected:
+            sources:
+              - secret:
+                  name: app1-dev-stg-cert-tls
+              - secret:
+                  name: hub-ca-crt
+      containers:
+      - image: amohd/servicedemon:v2
+        name: servicedemon
+        command: ["/spoke-agent"]
+        env:
+          - name: SPOKE_AGENT_CA_CERT_FILE
+            value: /etc/spoke-agent/certs/ca.crt
+          - name: SPOKE_AGENT_CERT_FILE
+            value: /etc/spoke-agent/certs/tls.crt
+          - name: SPOKE_AGENT_KEY_FILE
+            value: /etc/spoke-agent/certs/tls.key
+          - name: HUB_SERVER_URL
+            value: https://hub.dev.fixergrid.net
+        volumeMounts:
+          - name: server-certs
+            mountPath: /etc/spoke-agent/certs/