prod and staging for tls in loadbalancer

Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>
rewrite
Tuan-Dat Tran 2024-10-04 00:00:02 +02:00
parent c0e81ee277
commit ed980f816f
2 changed files with 23 additions and 8 deletions


@ -2,8 +2,8 @@ include /etc/nginx/modules-enabled/*.conf;
events {} events {}
# TCP Load Balancing for the K3s API
stream { stream {
# TCP Load Balancing for the K3s API
upstream k3s_servers { upstream k3s_servers {
{% for ip in k3s_server_ips %} {% for ip in k3s_server_ips %}
server {{ ip }}:{{k3s.loadbalancer.default_port}}; server {{ ip }}:{{k3s.loadbalancer.default_port}};
@ -14,6 +14,17 @@ stream {
listen {{k3s.loadbalancer.default_port}}; listen {{k3s.loadbalancer.default_port}};
proxy_pass k3s_servers; proxy_pass k3s_servers;
} }
upstream dns_servers {
{% for ip in k3s_server_ips %}
server {{ ip }}:53;
{% endfor %}
}
server {
listen 53 udp;
proxy_pass dns_servers;
}
} }
http { http {
@ -43,9 +54,9 @@ http {
} }
server { server {
listen 443; listen 443 ssl;
server_name staging.k3s.seyshiro.de *.staging.k3s.seyshiro.de server_name staging.k3s.seyshiro.de *.staging.k3s.seyshiro.de;
ssl_certificate /etc/nginx/ssl/staging_tls.crt; ssl_certificate /etc/nginx/ssl/staging_tls.crt;
ssl_certificate_key /etc/nginx/ssl/staging_tls.key; ssl_certificate_key /etc/nginx/ssl/staging_tls.key;
@ -59,9 +70,9 @@ http {
} }
server { server {
listen 443; listen 443 ssl;
server_name production.k3s.seyshiro.de *.production.k3s.seyshiro.de server_name k3s.seyshiro.de *.k3s.seyshiro.de;
ssl_certificate /etc/nginx/ssl/production_tls.crt; ssl_certificate /etc/nginx/ssl/production_tls.crt;
ssl_certificate_key /etc/nginx/ssl/production_tls.key; ssl_certificate_key /etc/nginx/ssl/production_tls.key;
@ -74,3 +85,5 @@ http {
} }
} }
} }
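Review bot: The new `listen 53 udp;` server in the stream block forwards DNS queries from every interface the load balancer has to port 53 on all k3s servers with no source restriction, so if this host is reachable from outside the cluster network the node resolvers become an open resolver. Bind the listener to the internal address, `listen <internal-ip>:53 udp;` (placeholder), or add `allow`/`deny` rules from the stream access module inside that server block, and add `proxy_responses 1;` so nginx does not keep a UDP session open waiting for further replies to a single query. Whether port 53 on the k3s nodes is actually the cluster DNS cannot be told from this hunk. The `listen 443 ssl;` fix on the staging and production server blocks is correct and the missing semicolon on the staging server_name is fixed; whether `ssl_protocols` and `ssl_ciphers` are set for these blocks lies outside the shown hunks.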


@ -1,13 +1,15 @@
#!/bin/bash #!/bin/bash
kubectl -n staging get secret k3s-seyshiro-de-staging-tls -o jsonpath='{.data.tls\.crt}' | base64 -d >staging_tls.crt kubectl -n staging get secret k3s-seyshiro-de-tls -o jsonpath='{.data.tls\.crt}' | base64 -d >staging_tls.crt
kubectl -n staging get secret k3s-seyshiro-de-staging-tls -o jsonpath='{.data.tls\.key}' | base64 -d >staging_tls.key kubectl -n staging get secret k3s-seyshiro-de-tls -o jsonpath='{.data.tls\.key}' | base64 -d >staging_tls.key
kubectl -n production get secret k3s-seyshiro-de-tls -o jsonpath='{.data.tls\.crt}' | base64 -d >production_tls.crt kubectl -n production get secret k3s-seyshiro-de-tls -o jsonpath='{.data.tls\.crt}' | base64 -d >production_tls.crt
kubectl -n production get secret k3s-seyshiro-de-tls -o jsonpath='{.data.tls\.key}' | base64 -d >production_tls.key kubectl -n production get secret k3s-seyshiro-de-tls -o jsonpath='{.data.tls\.key}' | base64 -d >production_tls.key
scp ./{production,staging}_tls.{crt,key} k3s-loadbalancer:~ scp ./{production,staging}_tls.{crt,key} k3s-loadbalancer:~
rm ./{production,staging}_tls.{crt,key}
# onsite # on k3s-loadbalancer
# chmod 600 ./{production,staging}_tls.{crt,key} # chmod 600 ./{production,staging}_tls.{crt,key}
# sudo chown root:root ./{production,staging}_tls.{crt,key}
# sudo mv ./{production,staging}_tls.{crt,key} /etc/nginx/ssl/ # sudo mv ./{production,staging}_tls.{crt,key} /etc/nginx/ssl/
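Review bot: The script has no failure handling, so if a `kubectl get secret` call fails (wrong namespace, renamed secret, expired kubeconfig) the pipeline's exit status is base64's, an empty `.crt` or `.key` file is written, and the following `scp` still ships it to the load balancer before the new `rm` line deletes the local copy. Add `set -euo pipefail` after the shebang so the script stops at the first failed extraction. The private keys are also created with the default umask and stay world-readable until the `rm`, so add `umask 077` before the first redirect; the `chmod 600` on the remote side, which is only a comment here, does not protect the local copies.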