support manual cert

4 years ago · 65bcc568c7
parent 60ee8e0de8
commit 65bcc568c7
8 changed files with 79 additions and 38 deletions
--- a/argocd/ingressroute-server.yaml.sh
+++ b/argocd/ingressroute-server.yaml.sh
@ -1,3 +1,11 @@
+if [ -n "${FQDN}" ]; then
+  HOST_RULE="Host(\`${FQDN}\`)"
+  TLS_CERT_RESOLVER="certResolver: ${CERT_RESOLVER}"
+else
+  HOST_RULE="Host(\`${PUBLIC_IP}\`)"
+  TLS_MAP="{}"
+fi
+
 cat <<EOF
 apiVersion: traefik.containo.us/v1alpha1
 kind: IngressRoute
@ -9,16 +17,16 @@ spec:
    - websecure
  routes:
    - kind: Rule
-      match: Host(\`${FQDN}\`) && PathPrefix(\`/argocd\`)
+      match: ${HOST_RULE} && PathPrefix(\`/argocd\`)
      services:
        - name: argocd-server
          port: 80
    - kind: Rule
-      match: Host(\`${FQDN}\`) && PathPrefix(\`/argocd\`) && Headers(\`Content-Type\`, \`application/grpc\`)
+      match: ${HOST_RULE} && PathPrefix(\`/argocd\`) && Headers(\`Content-Type\`, \`application/grpc\`)
      services:
        - name: argocd-server
          port: 80
          scheme: h2c
-  tls:
-    certResolver: ${CERT_RESOLVER}
+  tls: ${TLS_MAP}
+    ${TLS_CERT_RESOLVER}
 EOF
--- a/deploy_jitsi.sh
+++ b/deploy_jitsi.sh
@ -21,12 +21,23 @@ apt update && apt -y install grep bind9-dnsutils iproute2 curl wget git
 # parameters
 export FQDN=$1
 export ACME_EMAIL=$2
-export PUBLIC_IP=$(nslookup ${FQDN} | grep -A1 Name: | grep Address: | cut -d' ' -f2)
+
+if [[ "${FQDN}" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+  export PUBLIC_IP=${FQDN}
+  export FQDN=""
+  if [ -z "${TLS_CERT}" ] || [ -z "${TLS_KEY}" ];
+    err "both of 'TLS_CERT' and 'TLS_KEY' envvars should be specified when deploying without domain name"
+  fi
+else
+  export PUBLIC_IP=$(nslookup ${FQDN} | grep -A1 Name: | grep Address: | cut -d' ' -f2)
+fi
+
 if [ -z "${PUBLIC_IP}" ]; then
-  err "can't resolve hostname: ${FQDN}"
+  err "can't resolve hostname: ${1}"
 else
-  echo "resolved hostname '${FQDN}' to ip address ${PUBLIC_IP}"
+  echo "resolved hostname '${1}' to ip address ${PUBLIC_IP}"
 fi
+
 if ! (curl -s https://ipinfo.io/ip | grep -q ${PUBLIC_IP}); then
  err "the host doesn't have such public ip: ${PUBLIC_IP}"
 fi
@ -116,6 +127,14 @@ function do_traefik {
  done
  echo "ready."
  kubectl -n kube-system get job -o wide
+
+  if [ -n "${TLS_CERT}" ] && [ -n "${TLS_KEY}" ]; then
+    if kubectl -n default get secret | grep -q tls-secret; then
+      kubectl -n default delete secret tls-secret
+    fi
+    kubectl -n default create secret tls tls-secret --cert ${TLS_CERT} --key ${TLS_KEY}
+    kubectl apply -f tlsstore.yaml
+  fi
 }

 function do_argocd {
@ -154,8 +173,8 @@ function do_chart {
    -f values.yaml \
    $EXCLUDE_JVB_VALUES_FILE \
    --set certResolver=${CERT_RESOLVER} \
-    --set fqdn=${FQDN} \
-    --set jitsi-meet.publicURL=https://${FQDN} \
+    --set fqdn="${FQDN}" \
+    --set jitsi-meet.publicURL=https://${FQDN:-${PUBLIC_IP}} \
    --set jitsi-meet.jvb.publicIP=${PUBLIC_IP} \
    --set jitsi-meet.jvb.UDPPort=${JVB_PORT}
 }
@ -192,8 +211,8 @@ function do_app {
    --values values.yaml \
    ${EXCLUDE_JVB_VALUES_FILE} \
    --helm-set certResolver=${CERT_RESOLVER} \
-    --helm-set fqdn=${FQDN} \
-    --helm-set jitsi-meet.publicURL=https://${FQDN} \
+    --helm-set fqdn="${FQDN}" \
+    --helm-set jitsi-meet.publicURL=https://${FQDN:-${PUBLIC_IP}} \
    --helm-set jitsi-meet.jvb.publicIP=${PUBLIC_IP} \
    --helm-set jitsi-meet.jvb.UDPPort=${JVB_PORT}

--- a/jitsi/Chart.yaml
+++ b/jitsi/Chart.yaml
@ -1,7 +1,7 @@
 ---
 apiVersion: v2
 name: jitsi-deploy
-version: 0.1.4
+version: 0.1.5
 dependencies:
  - name: jitsi-meet
    version: "1.2.2+etherpad.1"
--- a/jitsi/templates/ingressroute-redir.yaml
+++ b/jitsi/templates/ingressroute-redir.yaml
@ -1,15 +0,0 @@
-apiVersion: traefik.containo.us/v1alpha1
-kind: IngressRoute
-metadata:
-  name: redir
-spec:
-  entryPoints:
-    - web
-  routes:
-    - kind: Rule
-      match: PathPrefix(`/`)
-      middlewares:
-      - name: any-redirectregex
-      services:
-        - name: {{ .Release.Name }}-jitsi-meet-web
-          port: 80
--- a/jitsi/templates/ingressroute-web.yaml
+++ b/jitsi/templates/ingressroute-web.yaml
@ -1,16 +1,38 @@
+{{- $hostname := default (index .Values "jitsi-meet" "jvb" "publicIP") .Values.fqdn }}
+---
 apiVersion: traefik.containo.us/v1alpha1
 kind: IngressRoute
 metadata:
-  name: jitsi-web
-  namespace: {{ .Release.Namespace }}
+  name: jitsi-websecure
 spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
-      match: Host(`{{ .Values.fqdn }}`)
+      match: Host(`{{ $hostname }}`) && PathPrefix(`/`)
      services:
        - name: {{ .Release.Name }}-jitsi-meet-web
          port: 80
+  {{- if .Values.fqdn }}
  tls:
    certResolver: {{ .Values.certResolver }}
+  {{- else }}
+  tls: {}
+  {{- end }}
+
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: jitsi-web
+spec:
+  entryPoints:
+    - web
+  routes:
+    - kind: Rule
+      match: Host(`{{ $hostname }}`) && PathPrefix(`/`)
+      middlewares:
+        - name: jitsi-web-redirectscheme
+      services:
+        - name: {{ .Release.Name }}-jitsi-meet-web
+          port: 80
--- a/jitsi/templates/middleware-redirect.yaml
+++ b/jitsi/templates/middleware-redirect.yaml
@ -0,0 +1,7 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: jitsi-web-redirectscheme
+spec:
+  redirectScheme:
+    scheme: https
--- a/jitsi/templates/middleware-redirectregex-any.yaml
+++ b/jitsi/templates/middleware-redirectregex-any.yaml
@ -1,8 +0,0 @@
-apiVersion: traefik.containo.us/v1alpha1
-kind: Middleware
-metadata:
-  name: any-redirectregex
-spec:
-  redirectRegex:
-    regex: ^http://[^/]+/(.*)
-    replacement: https://{{ .Values.fqdn }}/${1}
--- a/tlsstore.yaml
+++ b/tlsstore.yaml
@ -0,0 +1,8 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: TLSStore
+metadata:
+  name: default
+  namespace: default
+spec:
+  defaultCertificate:
+    secretName: tls-secret