- localization-svc: defaultLocale ru, resolveLocale only by geo - web-svc: DEFAULT_LOCALE ru, layout lang=ru, embeddedTranslations fallback ru - countryToLocale: default ru when no country or unknown country Co-authored-by: Cursor <cursoragent@cursor.com>
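#!/usr/bin/env bash
# Kubernetes TLS setup for gooseek.ru
# Run from the repository root: ./deploy/k3s/ssl/setup-kubernetes.sh
#
# Option A: cert-manager (automatic Let's Encrypt certificates)
# Option B: manual certificates (certbot on the server → apply-secret.sh)

# Strict mode: -e aborts on an unhandled failure, -u turns a misspelled or
# unset variable into an error instead of an empty path handed to kubectl,
# and pipefail makes a pipeline fail when any of its stages fails.
set -euo pipefail

# Directory that holds this script; the issuer manifest, backup/ and
# apply-secret.sh are resolved against it rather than the caller's cwd.
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
# Repository root: three levels above the script directory.
REPO_ROOT="$(cd "$SCRIPT_DIR/../../.." && pwd)"
# cert-manager release whose manifest apply_cert_manager installs.
# Pinning the tag fixes the URL, not the bytes served from it.
# NOTE(review): confirm this release is still supported upstream.
CERT_MANAGER_VERSION="v1.13.0"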
#######################################
# Print the command-line help text.
# Globals:   none
# Arguments: none
# Outputs:   help text on stdout; $0 is shown as the program name
#######################################
usage() {
  local -a help_lines=(
    "Использование: $0 [cert-manager|manual]"
    ""
    " cert-manager — установить cert-manager и настроить автоматические сертификаты (рекомендуется)"
    " manual — применить ingress с ручным Secret (нужны fullchain.pem, privkey.pem в backup/)"
    ""
    "Без аргумента — cert-manager"
  )
  # One printf call emits every entry on its own line, blank entries included.
  printf '%s\n' "${help_lines[@]}"
}
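#######################################
# Install cert-manager from its release manifest, then apply the Let's
# Encrypt ClusterIssuer and the production Ingress.
# Globals:   CERT_MANAGER_VERSION, SCRIPT_DIR, REPO_ROOT (read)
# Arguments: none
# Outputs:   progress on stdout; a warning on stderr for every deployment
#            whose readiness wait fails
# Returns:   a failing kubectl apply aborts the script, because the file
#            enables errexit (set -e)
#######################################
apply_cert_manager() {
  local manifest_url="https://github.com/cert-manager/cert-manager/releases/download/${CERT_MANAGER_VERSION}/cert-manager.yaml"
  local deployment

  echo "=== 1. Установка cert-manager ==="
  # NOTE(review): the manifest is fetched at run time and applied without an
  # integrity check. Its contents are not visible from this file; a
  # cert-manager release manifest normally includes cluster-scoped objects
  # (CRDs, RBAC, admission webhooks) — confirm. Vendoring a reviewed copy in
  # the repository, or checking a pinned SHA-256 before applying, removes the
  # dependency on whatever the URL serves on the day of the deploy.
  kubectl apply -f "$manifest_url"

  echo "Ожидание готовности cert-manager (до 2 мин)..."
  # The wait stays best-effort (the script continues either way), but a
  # failure is no longer hidden: kubectl's own stderr is shown and a warning
  # names the deployment, so a later error from the issuer step is traceable.
  for deployment in cert-manager cert-manager-webhook cert-manager-cainjector; do
    if ! kubectl wait --for=condition=Available "deployment/${deployment}" \
      -n cert-manager --timeout=120s; then
      echo "Внимание: deployment/${deployment} не перешёл в состояние Available; продолжаем" >&2
    fi
  done

  echo ""
  echo "=== 2. ClusterIssuer Let's Encrypt ==="
  kubectl apply -f "$SCRIPT_DIR/cert-manager-issuer.yaml"

  echo ""
  echo "=== 3. Production Ingress (cert-manager создаст Secret gooseek-tls) ==="
  kubectl apply -f "$REPO_ROOT/deploy/k3s/ingress-production.yaml"

  echo ""
  echo "=== Готово ==="
  echo "Сертификат будет получен в течение 1–2 минут."
  echo "Проверка: kubectl get certificate -n gooseek"
  echo "Проверка: kubectl get secret gooseek-tls -n gooseek"
}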
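#######################################
# Apply the manually managed TLS Secret and the Ingress that uses it.
# Globals:   SCRIPT_DIR, REPO_ROOT (read)
# Arguments: none
# Outputs:   progress on stdout; error diagnostics on stderr
# Returns:   exits the script with status 1 when fullchain.pem or
#            privkey.pem is missing from $SCRIPT_DIR/backup/
#######################################
apply_manual() {
  local backup_dir="$SCRIPT_DIR/backup"
  local pem
  local missing=""

  # Collect every absent file so the operator sees all of them at once.
  for pem in fullchain.pem privkey.pem; do
    [[ -f "$backup_dir/$pem" ]] || missing+=" $pem"
  done

  if [[ -n "$missing" ]]; then
    # Diagnostics go to stderr so they are not lost when stdout is piped.
    {
      echo "Ошибка: нужны fullchain.pem и privkey.pem в $SCRIPT_DIR/backup/"
      echo "Не найдено:${missing}"
      echo "См. deploy/k3s/ssl/README.md — получите сертификат через certbot на сервере"
    } >&2
    exit 1
  fi

  # NOTE(review): privkey.pem is a TLS private key stored under the script's
  # own directory, which the header comment places inside the repository.
  # Verify that backup/ is git-ignored and that the key is readable only by
  # the operator; neither can be checked from this file.
  echo "=== 1. Secret gooseek-tls из backup ==="
  # apply-secret.sh is not shown here; per the message above it creates the
  # gooseek-tls Secret from the files in backup/.
  "$SCRIPT_DIR/apply-secret.sh"

  echo ""
  echo "=== 2. Production Ingress (ручной Secret) ==="
  kubectl apply -f "$REPO_ROOT/deploy/k3s/ingress-production-manual.yaml"

  echo ""
  echo "=== Готово ==="
}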
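# Mode selection. The argument is parsed and validated before any kubectl
# call, so --help or a mistyped mode can no longer create the namespace or
# trigger the interactive prompt before the script exits.
MODE="${1:-cert-manager}"
case "$MODE" in
  cert-manager | manual) ;;
  -h | --help)
    usage
    exit 0
    ;;
  *)
    {
      echo "Неизвестный режим: $MODE"
      usage
    } >&2
    exit 1
    ;;
esac

# Namespace check: create gooseek from the repository manifest when the
# lookup fails.
# NOTE(review): the lookup's output is discarded, so any kubectl failure
# (unreachable cluster, wrong kubeconfig) takes this branch as well.
if ! kubectl get namespace gooseek >/dev/null 2>&1; then
  echo "Создание namespace gooseek..."
  kubectl apply -f "$REPO_ROOT/deploy/k3s/namespace.yaml"
fi

# ingress-nginx check: warn and ask for confirmation when the controller
# deployment is not found.
# NOTE(review): the printed hint pins controller-v1.8.2 and is another remote
# manifest applied without verification; check the ingress-nginx project's
# current releases and security advisories before following it.
if ! kubectl get deployment -n ingress-nginx ingress-nginx-controller >/dev/null 2>&1; then
  echo "Внимание: ingress-nginx не найден. Установите:"
  echo " kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.2/deploy/static/provider/cloud/deploy.yaml"
  echo ""
  # Reads a single key; a read failure (no stdin) aborts under set -e, and
  # anything other than y/Y stops the script.
  read -p "Продолжить? (y/n) " -n 1 -r
  echo
  [[ $REPLY =~ ^[Yy]$ ]] || exit 1
fi

# Dispatch; MODE was validated above, so only the two real modes remain.
case "$MODE" in
  cert-manager) apply_cert_manager ;;
  manual) apply_manual ;;
esac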