apiVersion: v1
kind: Namespace
metadata:
  name: yelb
  labels:
    # Matched by the VirtualGateway's namespaceSelector further down in this file.
    gateway: yelb-gw
    # Mesh membership label; the Mesh resource that consumes it is not part of this file.
    mesh: yelb
    # Opts the whole namespace into the App Mesh sidecar injector (every pod created
    # here is mutated by the webhook, including the gateway Envoy pod below).
    appmesh.k8s.aws/sidecarInjectorWebhook: enabled
---
apiVersion: appmesh.k8s.aws/v1beta2
kind: VirtualGateway
metadata:
  name: yelb-gw
  namespace: yelb
spec:
  # Gateway pods = namespace labelled gateway=yelb-gw + pods labelled app=yelb-gw
  # (the yelb-gw Deployment in this file).
  namespaceSelector:
    matchLabels:
      gateway: yelb-gw
  podSelector:
    matchLabels:
      app: yelb-gw
  listeners:
    # Inbound side (traffic from the NLB). STRICT = TLS only, no plaintext fallback.
    # The paths are inside the envoy container; they are satisfied by the
    # yelb-tls-gw Secret mounted at /etc/keys/yelb in the yelb-gw Deployment.
    - portMapping:
        port: 8443
        protocol: http
      tls:
        mode: STRICT
        certificate:
          file:
            certificateChain: /etc/keys/yelb/tls.crt
            privateKey: /etc/keys/yelb/tls.key
  # Outbound side (gateway -> backends): each backend must present a chain that
  # verifies against ca.crt from the same Secret.
  # NOTE(review): only chain validation is configured. Without a
  # subjectAlternativeNames match (validation.subjectAlternativeNames.match.exact,
  # if your controller version supports it) any leaf issued by that CA is accepted
  # for any backend, so a compromised peer cert from the same CA could impersonate
  # yelb-ui. Consider pinning the expected backend SANs.
  backendDefaults:
    clientPolicy:
      tls:
        validation:
          trust:
            file:
              certificateChain: /etc/keys/yelb/ca.crt
---
apiVersion: appmesh.k8s.aws/v1beta2
kind: GatewayRoute
metadata:
  name: gateway-route
  namespace: yelb
spec:
  # Catch-all route: every path that reaches the gateway is forwarded to the
  # yelb-ui VirtualService (defined outside this file). There is no path-level
  # restriction at the edge, so anything yelb-ui serves is reachable through the NLB.
  httpRoute:
    match:
      prefix: '/'
    action:
      target:
        virtualService:
          virtualServiceRef:
            name: yelb-ui
---
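apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: yelb-cert-gw
  namespace: yelb
spec:
  # Leaf certificate for the gateway Envoy listener (VirtualGateway yelb-gw).
  # No duration/renewBefore are set, so cert-manager's defaults apply.
  dnsNames:
    - yelb-gw.yelb.svc.cluster.local
  # cert-manager writes tls.crt and tls.key into this Secret; the yelb-gw
  # Deployment mounts it at /etc/keys/yelb. ca.crt is only written when the
  # issuer can supply a CA bundle (e.g. a CA issuer) — the VirtualGateway's trust
  # path /etc/keys/yelb/ca.crt depends on it, so confirm this for your issuer type.
  secretName: yelb-tls-gw
  issuerRef:
    name: ca-issuer
    # cert-manager defaults to a namespaced Issuer when kind is omitted; stated
    # explicitly so nobody assumes a ClusterIssuer. Change if ca-issuer is
    # cluster-scoped.
    kind: Issuer
  privateKey:
    # cert-manager's default (Never) re-uses the same private key on every
    # renewal; rotate the key together with the certificate so a leaked key does
    # not outlive the certificate it was issued with.
    rotationPolicy: Always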
---
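apiVersion: apps/v1
kind: Deployment
metadata:
  name: yelb-gw
  namespace: yelb
spec:
  replicas: 1
  selector:
    matchLabels:
      app: yelb-gw
  template:
    metadata:
      labels:
        # Matched by the VirtualGateway's podSelector.
        app: yelb-gw
    spec:
      containers:
        - name: envoy
          # Placeholder substituted before apply. Quoted so a YAML parser never
          # reads the bare `{{...}}` as a flow mapping if the file is parsed
          # before substitution.
          image: "{{ENVOY_IMAGE}}"
          ports:
            - containerPort: 8443
          # Read-only mount of the cert-manager Secret; the file names inside it
          # (tls.crt, tls.key, ca.crt) are what the VirtualGateway references.
          volumeMounts:
            - name: yelb-tls-gw
              mountPath: /etc/keys/yelb
              readOnly: true
      # NOTE(review): no securityContext and no resource limits are set, and the
      # private key is exposed with the Secret-volume default file mode (0644),
      # i.e. readable by any uid inside the container. The App Mesh injector also
      # mutates this pod (namespace label), so inspect the rendered pod and the uid
      # Envoy runs as before tightening defaultMode / runAsUser.
      volumes:
        - name: yelb-tls-gw
          secret:
            secretName: yelb-tls-gw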
---
apiVersion: appmesh.k8s.aws/v1beta2
kind: VirtualNode
metadata:
  name: yelb-ui
  namespace: yelb
spec:
  awsName: yelb-ui-virtual-node
  podSelector:
    matchLabels:
      app: yelb-ui
  serviceDiscovery:
    dns:
      hostname: yelb-ui.yelb.svc.cluster.local
  # Inbound (gateway -> yelb-ui): TLS required on the app port. The cert/key are
  # expected at these paths inside the yelb-ui pod; the Deployment and Certificate
  # that provide them are not in this file — confirm the mounted Secret's leaf
  # covers yelb-ui.yelb.svc.cluster.local and is readable by the sidecar.
  listeners:
    - portMapping:
        port: 80
        protocol: http
      tls:
        mode: STRICT
        certificate:
          file:
            certificateChain: /etc/keys/yelb/tls.crt
            privateKey: /etc/keys/yelb/tls.key
  # Outbound (yelb-ui -> yelb-appserver): chain validation against ca.crt only.
  # NOTE(review): as with the gateway, no subjectAlternativeNames match is set, so
  # any leaf issued by that CA is accepted for the appserver backend.
  backendDefaults:
    clientPolicy:
      tls:
        validation:
          trust:
            file:
              certificateChain: /etc/keys/yelb/ca.crt
  backends:
    - virtualService:
        virtualServiceRef:
          name: yelb-appserver
---
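apiVersion: v1
kind: Service
metadata:
  name: yelb-gw
  namespace: yelb
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
    # TLS terminates at the NLB with this ACM certificate (placeholder substituted
    # before apply; quoted so the bare `{{...}}` is never parsed as a flow
    # mapping) and is re-established to the gateway Envoy on 8443
    # (backend-protocol: ssl).
    # NOTE(review): an NLB does not validate the certificate presented by a TLS
    # target, so the cert-manager certificate on the gateway does not authenticate
    # the gateway to the NLB on this hop; it only encrypts it.
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "{{LB_CERT_ARN}}"
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "ssl"
    # NOTE(review): no aws-load-balancer-internal annotation, so the NLB is
    # internet-facing by default, and no aws-load-balancer-ssl-negotiation-policy,
    # so the provider's default TLS policy applies. Add
    # `service.beta.kubernetes.io/aws-load-balancer-internal: "true"` and/or
    # spec.loadBalancerSourceRanges if this must not be publicly reachable, and pin
    # a TLS policy that meets your minimum protocol version.
spec:
  type: LoadBalancer
  selector:
    app: yelb-gw
  ports:
    - name: https
      port: 443
      targetPort: 8443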
---