Simplification of TLS config

This commit is contained in:
sttlab
2026-05-03 12:48:42 +00:00
parent 5a48150820
commit 4f1c251ff8
4 changed files with 97 additions and 75 deletions
+43 -26
@@ -1,9 +1,9 @@
#!/usr/bin/env bash
# Deploy Gravitee APIM OSS on a single-node k3s cluster
# Deploy Gravitee APIM OSS on a single-node k3s cluster.
# - Domain: *.gravitee.sttlab.pc
# - Ingress: nginx
# - TLS: cert-manager with namespace-scoped self-signed CA Issuer
# - Secrets: pre-created (run create-secrets.sh first)
# - Secrets: pre-created by secrets-create.sh
set -euo pipefail
@@ -12,7 +12,8 @@ SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
echo "==> Checking prerequisites"
command -v kubectl >/dev/null || { echo "kubectl not found"; exit 1; }
command -v helm >/dev/null || { echo "helm not found"; exit 1; }
command -v helm >/dev/null || { echo "helm not found"; exit 1; }
command -v htpasswd >/dev/null || { echo "htpasswd not found (required for admin BCrypt hash)"; exit 1; }
echo "==> Verifying cluster reachable"
kubectl cluster-info
@@ -28,14 +29,14 @@ kubectl get ingressclass nginx >/dev/null 2>&1 || {
echo "WARNING: 'nginx' IngressClass not found. Ensure nginx-ingress is installed."
}
echo "==> Step 1/5 : Create namespace"
echo "==> Step 1/6 : Create namespace"
kubectl create namespace "${NAMESPACE}" --dry-run=client -o yaml | kubectl apply -f -
echo "==> Step 2/5 : Create credential secrets (idempotent)"
"${SCRIPT_DIR}/create-secrets.sh"
echo "==> Step 2/6 : Create credential secrets (idempotent)"
"${SCRIPT_DIR}/secrets-create.sh"
echo "==> Step 3/5 : Apply cert-manager Issuer + Certificates"
kubectl apply -f "${SCRIPT_DIR}/manifests/cert-manager.yaml"
echo "==> Step 3/6 : Apply cert-manager Issuers + Certificates"
kubectl apply -f "${SCRIPT_DIR}/certificates.yml"
echo "==> Waiting for CA Issuer to be Ready"
kubectl -n "${NAMESPACE}" wait --for=condition=Ready issuer/gravitee-ca-issuer --timeout=120s
@@ -47,28 +48,41 @@ for cert in gravitee-ca console-tls portal-tls api-tls gateway-tls \
kubectl -n "${NAMESPACE}" wait --for=condition=Ready "certificate/${cert}" --timeout=180s
done
echo "==> Step 4/5 : Add Helm repos"
helm repo add bitnami https://charts.bitnami.com/bitnami
helm repo add elastic https://helm.elastic.co
helm repo add graviteeio https://helm.gravitee.io
echo "==> Creating gravitee-ca-trust secret (CA only, for nginx proxy-ssl-secret)"
kubectl -n "${NAMESPACE}" get secret gravitee-ca-tls -o jsonpath='{.data.ca\.crt}' | base64 -d | \
kubectl -n "${NAMESPACE}" create secret generic gravitee-ca-trust \
--from-file=ca.crt=/dev/stdin \
--dry-run=client -o yaml | kubectl apply -f -
echo "==> Step 4/6 : Configure nginx ingress controller (enable snippets)"
kubectl patch configmap ingress-nginx-controller -n ingress-nginx \
--type merge \
-p '{"data":{"allow-snippet-annotations":"true","annotations-risk-level":"Critical"}}'
kubectl rollout restart deployment/ingress-nginx-controller -n ingress-nginx
kubectl rollout status deployment/ingress-nginx-controller -n ingress-nginx --timeout=60s
echo "==> Step 5/6 : Add Helm repos"
helm repo add bitnami https://charts.bitnami.com/bitnami 2>/dev/null || true
helm repo add elastic https://helm.elastic.co 2>/dev/null || true
helm repo add graviteeio https://helm.gravitee.io 2>/dev/null || true
helm repo update
echo "==> Installing MongoDB"
helm upgrade --install mongodb bitnami/mongodb \
--namespace "${NAMESPACE}" \
--values "${SCRIPT_DIR}/values-mongodb.yaml" \
--values "${SCRIPT_DIR}/mongo-values.yml" \
--wait --timeout 10m
echo "==> Installing Elasticsearch"
helm upgrade --install elasticsearch elastic/elasticsearch \
--namespace "${NAMESPACE}" \
--values "${SCRIPT_DIR}/values-elasticsearch.yaml" \
--values "${SCRIPT_DIR}/elastic-values.yml" \
--wait --timeout 10m
echo "==> Step 5/5 : Installing Gravitee APIM"
echo "==> Step 6/6 : Installing Gravitee APIM"
helm upgrade --install graviteeio-apim graviteeio/apim \
--namespace "${NAMESPACE}" \
--values "${SCRIPT_DIR}/values-apim.yaml" \
--values "${SCRIPT_DIR}/apim-values.yml" \
--wait --timeout 15m
echo ""
@@ -76,15 +90,18 @@ echo "==> Deployment complete"
echo ""
kubectl get pods -n "${NAMESPACE}"
echo ""
echo "Add to /etc/hosts (replace <NODE_IP>):"
echo " <NODE_IP> gateway.gravitee.sttlab.pc console.gravitee.sttlab.pc portal.gravitee.sttlab.pc api.gravitee.sttlab.pc"
echo "Add to /etc/hosts (replace <NODE_IP> with your node IP):"
echo " <NODE_IP> console.gravitee.sttlab.pc portal.gravitee.sttlab.pc api.gravitee.sttlab.pc gateway.gravitee.sttlab.pc"
echo ""
echo "URLs (HTTPS, self-signed CA - trust gravitee-ca-tls/ca.crt in your browser):"
echo " - Console : https://console.gravitee.sttlab.pc"
echo " - Portal : https://portal.gravitee.sttlab.pc"
echo " - API : https://api.gravitee.sttlab.pc/management"
echo " - Gateway : https://gateway.gravitee.sttlab.pc"
echo ""
echo "To export the CA cert for your trust store:"
echo "Import the CA into your browser:"
echo " kubectl -n ${NAMESPACE} get secret gravitee-ca-tls -o jsonpath='{.data.ca\\.crt}' | base64 -d > gravitee-ca.crt"
echo ""
echo "Admin credentials:"
echo " Username: admin"
echo " Password: $(kubectl -n ${NAMESPACE} get secret gravitee-admin -o jsonpath='{.data.admin-password-plain}' | base64 -d)"
echo ""
echo "URLs:"
echo " Console : https://console.gravitee.sttlab.pc"
echo " Portal : https://portal.gravitee.sttlab.pc"
echo " API : https://api.gravitee.sttlab.pc/management"
echo " Gateway : https://gateway.gravitee.sttlab.pc"
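Review bot: Patching the shared `ingress-nginx-controller` ConfigMap to `allow-snippet-annotations: true` with `annotations-risk-level: Critical` in the Step 4/6 hunk is a cluster-wide security change made silently by a single-application deploy script and never reverted: snippet annotations let any principal able to create an Ingress in any namespace inject raw nginx configuration into the controller, which is why they are off by default. At minimum document which setting needs it, e.g. `# Cluster-wide: enables nginx snippet annotations for EVERY Ingress (off by default for a reason); required by <ANNOTATION> in apim-values.yml`, and confirm that the annotations actually used need the Critical level rather than a lower one. In the last hunk, `echo " Password: $(kubectl ... | base64 -d)"` writes the admin password to stdout, where it lands in terminal scrollback and any CI log; print the retrieval command instead, as the CA line above it does, `echo " Password: kubectl -n ${NAMESPACE} get secret gravitee-admin -o jsonpath='{.data.admin-password-plain}' | base64 -d"`, and quote `"${NAMESPACE}"` inside the substitution if it stays. In Step 5/6, `helm repo add ... 2>/dev/null || true` hides real failures (DNS, TLS, proxy) until the later install fails with a less useful error; `helm repo add --force-update graviteeio https://helm.gravitee.io` is idempotent without masking them.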