Switch to wildcard *.k-space.ee certificate

argocd/values.yaml

@@ -16,7 +16,6 @@ server:
   ingress:
     enabled: true
     annotations:
-      cert-manager.io/cluster-issuer: default
       external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
       traefik.ingress.kubernetes.io/router.entrypoints: websecure
       traefik.ingress.kubernetes.io/router.tls: "true"
@@ -24,8 +23,7 @@ server:
     - argocd.k-space.ee
     tls:
      - hosts:
-       - argocd.k-space.ee
-       secretName: argocd-server-tls
+       - "*.k-space.ee"
   configEnabled: true
   config:
     admin.enabled: "false"

authelia/application.yml

@@ -295,7 +295,6 @@ metadata:
   labels:
     app.kubernetes.io/name: authelia
   annotations:
-    cert-manager.io/cluster-issuer: default
     external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
     kubernetes.io/tls-acme: "true"
     traefik.ingress.kubernetes.io/router.entryPoints: websecure
@@ -315,8 +314,7 @@ spec:
                   number: 80
   tls:
     - hosts:
-        - auth.k-space.ee
-      secretName: authelia-tls
+        - "*.k-space.ee"
 ---
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware

camtiler/application.yml

@@ -182,12 +182,6 @@ metadata:
   annotations:
     kubernetes.io/ingress.class: traefik
 
-    # Following specifies the certificate issuer defined in
-    # ../cert-manager/issuer.yml
-    # This is where the HTTPS certificates for the
-    # `tls:` section below are obtained from
-    cert-manager.io/cluster-issuer: default
-
     # This tells Traefik this Ingress object is associated with the
     # https:// entrypoint
     # Global http:// to https:// redirect is enabled in
@@ -234,8 +228,7 @@ spec:
                   number: 3003
   tls:
     - hosts:
-        - cams.k-space.ee
-      secretName: camtiler-tls
+        - "*.k-space.ee"
 ---
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
@@ -371,7 +364,6 @@ metadata:
   name: minio
   annotations:
     kubernetes.io/ingress.class: traefik
-    cert-manager.io/cluster-issuer: default
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
     traefik.ingress.kubernetes.io/router.tls: "true"
     external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
@@ -389,8 +381,7 @@ spec:
                   number: 80
   tls:
     - hosts:
-        - cams-s3.k-space.ee
-      secretName: cams-s3-tls
+        - "*.k-space.ee"
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition

drone/application.yml

@@ -83,7 +83,6 @@ kind: Ingress
 metadata:
   name: drone
   annotations:
-    cert-manager.io/cluster-issuer: default
     external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
     kubernetes.io/ingress.class: traefik
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
@@ -91,8 +90,7 @@ metadata:
 spec:
   tls:
     - hosts:
-        - "drone.k-space.ee"
-      secretName: drone-tls
+        - "*.k-space.ee"
   rules:
     - host: "drone.k-space.ee"
       http:

elastic-system/application.yml

@@ -283,7 +283,6 @@ metadata:
   name: kibana
   annotations:
     kubernetes.io/ingress.class: traefik
-    cert-manager.io/cluster-issuer: default
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
     traefik.ingress.kubernetes.io/router.middlewares: traefik-sso@kubernetescrd
     traefik.ingress.kubernetes.io/router.tls: "true"
@@ -302,8 +301,7 @@ spec:
               number: 5601
   tls:
   - hosts:
-    - kibana.k-space.ee
-    secretName: kibana-tls
+    - "*.k-space.ee"
 ---
 apiVersion: monitoring.coreos.com/v1
 kind: PodMonitor

etherpad/application.yml

@@ -79,7 +79,6 @@ metadata:
   namespace: etherpad
   annotations:
     kubernetes.io/ingress.class: traefik
-    cert-manager.io/cluster-issuer: default
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
     traefik.ingress.kubernetes.io/router.tls: "true"
     external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
@@ -97,8 +96,7 @@ spec:
               number: 9001
   tls:
   - hosts:
-    - pad.k-space.ee
-    secretName: pad-tls
+    - "*.k-space.ee"
 ---
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy

harbor/application.yml

@@ -1001,7 +1001,6 @@ metadata:
   labels:
     app: harbor
   annotations:
-    cert-manager.io/cluster-issuer: default
     external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
     ingress.kubernetes.io/proxy-body-size: "0"
     ingress.kubernetes.io/ssl-redirect: "true"
@@ -1012,9 +1011,8 @@ metadata:
     traefik.ingress.kubernetes.io/router.tls: "true"
 spec:
   tls:
-  - secretName: harbor-tls
-    hosts:
-    - harbor.k-space.ee
+  - hosts:
+    - "*.k-space.ee"
   rules:
   - http:
       paths:

kubernetes-dashboard/application.yml

@@ -269,7 +269,6 @@ metadata:
     certManager: "true"
     rewriteTarget: "true"
   annotations:
-    cert-manager.io/cluster-issuer: default
     external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
     kubernetes.io/ingress.class: traefik
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
@@ -289,5 +288,4 @@ spec:
                   number: 80
   tls:
     - hosts:
-      - dashboard.k-space.ee
-      secretName: dashboard-tls
+      - "*.k-space.ee"

longhorn-system/application-extras.yml

@@ -5,7 +5,6 @@ metadata:
   namespace: longhorn-system
   annotations:
     kubernetes.io/ingress.class: traefik
-    cert-manager.io/cluster-issuer: default
     external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
     traefik.ingress.kubernetes.io/router.middlewares: traefik-sso@kubernetescrd
@@ -24,9 +23,7 @@ spec:
               number: 80
   tls:
   - hosts:
-    - longhorn.k-space.ee
-    secretName: longhorn-tls
-
+    - "*.k-space.ee"
 ---
 apiVersion: monitoring.coreos.com/v1
 kind: PodMonitor

phpmyadmin/application.yml

@@ -40,7 +40,6 @@ metadata:
   name: phpmyadmin
   annotations:
     kubernetes.io/ingress.class: traefik
-    cert-manager.io/cluster-issuer: default
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
     traefik.ingress.kubernetes.io/router.middlewares: traefik-sso@kubernetescrd
     traefik.ingress.kubernetes.io/router.tls: "true"
@@ -59,8 +58,7 @@ spec:
               number: 80
   tls:
   - hosts:
-    - phpmyadmin.k-space.ee
-    secretName: phpmyadmin-tls
+    - "*.k-space.ee"
 ---
 apiVersion: v1
 kind: Service

prometheus-operator/application.yml

@@ -399,7 +399,6 @@ kind: Ingress
 metadata:
   name: prometheus
   annotations:
-    cert-manager.io/cluster-issuer: default
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
     traefik.ingress.kubernetes.io/router.tls: "true"
     external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
@@ -418,15 +417,13 @@ spec:
               number: 9090
   tls:
   - hosts:
-    - prom.k-space.ee
-    secretName: prom-tls
+    - "*.k-space.ee"
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: alertmanager
   annotations:
-    cert-manager.io/cluster-issuer: default
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
     traefik.ingress.kubernetes.io/router.tls: "true"
     external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
@@ -445,8 +442,7 @@ spec:
               number: 9093
   tls:
   - hosts:
-    - am.k-space.ee
-    secretName: alertmanager-tls
+    - "*.k-space.ee"
 ---
 apiVersion: monitoring.coreos.com/v1
 kind: PodMonitor

traefik/application-extras.yml

@@ -64,8 +64,16 @@ spec:
               number: 9000
   tls:
   - hosts:
-    - traefik.k-space.ee
-    secretName: traefik-tls
+    - "*.k-space.ee"
+    secretName: wildcard-tls
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: TLSStore
+metadata:
+  name: default
+spec:
+  defaultCertificate:
+    secretName: wildcard-tls
 ---
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware

traefik/proxmox.yml

@@ -104,7 +104,6 @@ metadata:
   name: pve
   annotations:
     kubernetes.io/ingress.class: traefik
-    cert-manager.io/cluster-issuer: default
     external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
     traefik.ingress.kubernetes.io/router.middlewares: traefik-sso@kubernetescrd,traefik-proxmox-redirect@kubernetescrd
@@ -147,9 +146,7 @@ spec:
               number: 8006
   tls:
   - hosts:
-    - pve.k-space.ee
-    - proxmox.k-space.ee
-    secretName: pve-tls
+    - "*.k-space.ee"
 ---
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware

traefik/voron.yml

@@ -17,7 +17,6 @@ metadata:
   name: voron
   annotations:
     kubernetes.io/ingress.class: traefik
-    cert-manager.io/cluster-issuer: default
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
     traefik.ingress.kubernetes.io/router.middlewares: traefik-sso@kubernetescrd
     traefik.ingress.kubernetes.io/router.tls: "true"
@@ -36,5 +35,4 @@ spec:
               name: http
   tls:
   - hosts:
-    - voron.k-space.ee
-    secretName: voron-tls
+    - "*.k-space.ee"

traefik/whoami.yml

@@ -41,7 +41,6 @@ kind: Ingress
 metadata:
   name: whoami
   annotations:
-    cert-manager.io/cluster-issuer: default
     external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
     kubernetes.io/ingress.class: traefik
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
@@ -50,8 +49,7 @@ metadata:
 spec:
   tls:
   - hosts:
-    - "whoami.k-space.ee"
-    secretName: whoami-tls
+    - "*.k-space.ee"
   rules:
   - host: "whoami.k-space.ee"
     http:

wildduck/application.yml

@@ -104,7 +104,6 @@ metadata:
   namespace: wildduck
   annotations:
     kubernetes.io/ingress.class: traefik
-    cert-manager.io/cluster-issuer: default
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
     traefik.ingress.kubernetes.io/router.middlewares: traefik-sso@kubernetescrd
     traefik.ingress.kubernetes.io/router.tls: "true"
@@ -123,8 +122,7 @@ spec:
               number: 80
   tls:
   - hosts:
-    - webmail.k-space.ee
-    secretName: webmail-tls
+    - "*.k-space.ee"
 ---
 apiVersion: codemowers.io/v1alpha1
 kind: KeyDBCluster