From 4686108f421ee4e6c18c9f5f02e9a140c5bba969 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lauri=20V=C3=B5sandi?=
Date: Fri, 14 Oct 2022 14:26:03 +0300
Subject: [PATCH] Switch to wildcard *.k-space.ee certificate
---
 argocd/values.yaml | 4 +---
 authelia/application.yml | 4 +---
 camtiler/application.yml | 13 ++----------
 drone/application.yml | 4 +---
 elastic-system/application.yml | 4 +---
 etherpad/application.yml | 4 +---
 harbor/application.yml | 6 ++----
 kubernetes-dashboard/application.yml | 4 +---
 longhorn-system/application-extras.yml | 5 +----
 phpmyadmin/application.yml | 4 +---
 prometheus-operator/application.yml | 8 ++------
 traefik/application-extras.yml | 12 ++++++++++--
 traefik/proxmox.yml | 5 +----
 traefik/voron.yml | 4 +---
 traefik/whoami.yml | 4 +---
 wildduck/application.yml | 4 +---
 16 files changed, 28 insertions(+), 61 deletions(-)
diff --git a/argocd/values.yaml b/argocd/values.yaml
index a99491e..2bbed09 100644
--- a/argocd/values.yaml
+++ b/argocd/values.yaml
@@ -16,7 +16,6 @@ server:
 ingress:
 enabled: true
 annotations:
- cert-manager.io/cluster-issuer: default
 external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
 traefik.ingress.kubernetes.io/router.entrypoints: websecure
 traefik.ingress.kubernetes.io/router.tls: "true"
@@ -24,8 +23,7 @@ server:
 - argocd.k-space.ee
 tls:
 - hosts:
- - argocd.k-space.ee
- secretName: argocd-server-tls
+ - "*.k-space.ee"
 configEnabled: true
 config:
 admin.enabled: "false"
diff --git a/authelia/application.yml b/authelia/application.yml
index e1c2019..81230d5 100644
--- a/authelia/application.yml
+++ b/authelia/application.yml
@@ -295,7 +295,6 @@ metadata:
 labels:
 app.kubernetes.io/name: authelia
 annotations:
- cert-manager.io/cluster-issuer: default
 external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
 kubernetes.io/tls-acme: "true"
 traefik.ingress.kubernetes.io/router.entryPoints: websecure
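Review bot: Dropping `secretName` from the Ingress `tls` entry (the `+ - "*.k-space.ee"` line in the second argocd hunk) makes this Ingress depend on Traefik's default certificate, which is only defined by the TLSStore added in traefik/application-extras.yml, and nothing in argocd/values.yaml records that dependency, so a reader of this file alone cannot tell where its certificate now comes from. The same applies to every other Ingress in this patch (authelia, camtiler, drone, elastic-system, etherpad, harbor, kubernetes-dashboard, longhorn-system, phpmyadmin, prometheus-operator, proxmox, voron, whoami, wildduck). I would put a comment above each `tls:` such as `# no secretName: Traefik serves the wildcard *.k-space.ee certificate from its default TLSStore (traefik/application-extras.yml)`. It is also worth confirming whether Traefik's Ingress provider reads `tls.hosts` at all; if it does not, as I believe, the wildcard `hosts` entry is documentation only and the comment is the thing that actually carries the intent.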
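Review bot: `kubernetes.io/tls-acme: "true"` survives in the authelia Ingress annotations although the `cert-manager.io/cluster-issuer` annotation directly above it is removed. If cert-manager's ingress-shim runs with a default issuer configured it will still treat this Ingress as one to issue for, and the new `tls` entry (`*.k-space.ee`, no `secretName`) is not something it can fulfil, so at best the annotation is stale and at worst it produces repeated failing issuance attempts in cert-manager's logs. Removing `kubernetes.io/tls-acme: "true"` in the same commit keeps the intent unambiguous; the Ingress this belongs to starts outside the hunk.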
@@ -315,8 +314,7 @@ spec:
 number: 80
 tls:
 - hosts:
- - auth.k-space.ee
- secretName: authelia-tls
+ - "*.k-space.ee"
 ---
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
diff --git a/camtiler/application.yml b/camtiler/application.yml
index 7f2a1ae..c506cd0 100644
--- a/camtiler/application.yml
+++ b/camtiler/application.yml
@@ -182,12 +182,6 @@ metadata:
 annotations:
 kubernetes.io/ingress.class: traefik
- # Following specifies the certificate issuer defined in
- # ../cert-manager/issuer.yml
- # This is where the HTTPS certificates for the
- # `tls:` section below are obtained from
- cert-manager.io/cluster-issuer: default
-
 # This tells Traefik this Ingress object is associated with the
 # https:// entrypoint
 # Global http:// to https:// redirect is enabled in
@@ -234,8 +228,7 @@ spec:
 number: 3003
 tls:
 - hosts:
- - cams.k-space.ee
- secretName: camtiler-tls
+ - "*.k-space.ee"
 ---
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
@@ -371,7 +364,6 @@ metadata:
 name: minio
 annotations:
 kubernetes.io/ingress.class: traefik
- cert-manager.io/cluster-issuer: default
 traefik.ingress.kubernetes.io/router.entrypoints: websecure
 traefik.ingress.kubernetes.io/router.tls: "true"
 external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
@@ -389,8 +381,7 @@ spec:
 number: 80
 tls:
 - hosts:
- - cams-s3.k-space.ee
- secretName: cams-s3-tls
+ - "*.k-space.ee"
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
diff --git a/drone/application.yml b/drone/application.yml
index 1816f9e..eefc8ee 100644
--- a/drone/application.yml
+++ b/drone/application.yml
@@ -83,7 +83,6 @@ kind: Ingress
 metadata:
 name: drone
 annotations:
- cert-manager.io/cluster-issuer: default
 external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
 kubernetes.io/ingress.class: traefik
 traefik.ingress.kubernetes.io/router.entrypoints: websecure
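Review bot: The removed comment block in the first camtiler hunk (`# Following specifies the certificate issuer defined in ...`) was the only in-repo explanation of where this Ingress's certificate comes from, and nothing replaces it, while the surviving comment about the `https://` entrypoint still refers to a `tls:` section that now carries no `secretName`. Since this file was evidently the annotated "reference" Ingress, I would keep a short note in the same place, e.g. `# TLS: no per-Ingress certificate is requested any more; Traefik presents the wildcard *.k-space.ee certificate from its default TLSStore (see traefik/application-extras.yml)`. The Ingress these annotations belong to starts and ends outside the hunk.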
@@ -91,8 +90,7 @@ metadata:
 spec:
 tls:
 - hosts:
- - "drone.k-space.ee"
- secretName: drone-tls
+ - "*.k-space.ee"
 rules:
 - host: "drone.k-space.ee"
 http:
diff --git a/elastic-system/application.yml b/elastic-system/application.yml
index 053fa30..725060e 100644
--- a/elastic-system/application.yml
+++ b/elastic-system/application.yml
@@ -283,7 +283,6 @@ metadata:
 name: kibana
 annotations:
 kubernetes.io/ingress.class: traefik
- cert-manager.io/cluster-issuer: default
 traefik.ingress.kubernetes.io/router.entrypoints: websecure
 traefik.ingress.kubernetes.io/router.middlewares: traefik-sso@kubernetescrd
 traefik.ingress.kubernetes.io/router.tls: "true"
@@ -302,8 +301,7 @@ spec:
 number: 5601
 tls:
 - hosts:
- - kibana.k-space.ee
- secretName: kibana-tls
+ - "*.k-space.ee"
 ---
 apiVersion: monitoring.coreos.com/v1
 kind: PodMonitor
diff --git a/etherpad/application.yml b/etherpad/application.yml
index 6748e36..1104f88 100644
--- a/etherpad/application.yml
+++ b/etherpad/application.yml
@@ -79,7 +79,6 @@ metadata:
 namespace: etherpad
 annotations:
 kubernetes.io/ingress.class: traefik
- cert-manager.io/cluster-issuer: default
 traefik.ingress.kubernetes.io/router.entrypoints: websecure
 traefik.ingress.kubernetes.io/router.tls: "true"
 external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
@@ -97,8 +96,7 @@ spec:
 number: 9001
 tls:
 - hosts:
- - pad.k-space.ee
- secretName: pad-tls
+ - "*.k-space.ee"
 ---
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
diff --git a/harbor/application.yml b/harbor/application.yml
index c2bbdbf..b713744 100644
--- a/harbor/application.yml
+++ b/harbor/application.yml
@@ -1001,7 +1001,6 @@ metadata:
 labels:
 app: harbor
 annotations:
- cert-manager.io/cluster-issuer: default
 external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
 ingress.kubernetes.io/proxy-body-size: "0"
 ingress.kubernetes.io/ssl-redirect: "true"
@@ -1012,9 +1011,8 @@ metadata:
 traefik.ingress.kubernetes.io/router.tls: "true"
 spec:
 tls:
- - secretName: harbor-tls
- hosts:
- - harbor.k-space.ee
+ - hosts:
+ - "*.k-space.ee"
 rules:
 - http:
 paths:
diff --git a/kubernetes-dashboard/application.yml b/kubernetes-dashboard/application.yml
index b7dcb84..8021881 100644
--- a/kubernetes-dashboard/application.yml
+++ b/kubernetes-dashboard/application.yml
@@ -269,7 +269,6 @@ metadata:
 certManager: "true"
 rewriteTarget: "true"
 annotations:
- cert-manager.io/cluster-issuer: default
 external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
 kubernetes.io/ingress.class: traefik
 traefik.ingress.kubernetes.io/router.entrypoints: websecure
@@ -289,5 +288,4 @@ spec:
 number: 80
 tls:
 - hosts:
- - dashboard.k-space.ee
- secretName: dashboard-tls
+ - "*.k-space.ee"
diff --git a/longhorn-system/application-extras.yml b/longhorn-system/application-extras.yml
index 5bd6c53..4fb6f0d 100644
--- a/longhorn-system/application-extras.yml
+++ b/longhorn-system/application-extras.yml
@@ -5,7 +5,6 @@ metadata:
 namespace: longhorn-system
 annotations:
 kubernetes.io/ingress.class: traefik
- cert-manager.io/cluster-issuer: default
 external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
 traefik.ingress.kubernetes.io/router.entrypoints: websecure
 traefik.ingress.kubernetes.io/router.middlewares: traefik-sso@kubernetescrd
@@ -24,9 +23,7 @@ spec:
 number: 80
 tls:
 - hosts:
- - longhorn.k-space.ee
- secretName: longhorn-tls
-
+ - "*.k-space.ee"
 ---
 apiVersion: monitoring.coreos.com/v1
 kind: PodMonitor
diff --git a/phpmyadmin/application.yml b/phpmyadmin/application.yml
index 7b44e03..3efb2c9 100644
--- a/phpmyadmin/application.yml
+++ b/phpmyadmin/application.yml
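Review bot: `certManager: "true"` is kept as leading context two lines above the removed `cert-manager.io/cluster-issuer` annotation in the kubernetes-dashboard hunk; it sits under `metadata:` and looks like a label or chart-derived marker signalling that cert-manager handles this Ingress, which is no longer true once the issuer annotation is gone. If nothing else consumes it, drop the `certManager: "true"` line in the same commit; if something does, a comment naming what still reads it would stop the next reader from assuming a per-Ingress certificate is still being issued. I cannot see the resource header from the hunk, so treat this as something to confirm rather than a certain defect.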
@@ -40,7 +40,6 @@ metadata:
 name: phpmyadmin
 annotations:
 kubernetes.io/ingress.class: traefik
- cert-manager.io/cluster-issuer: default
 traefik.ingress.kubernetes.io/router.entrypoints: websecure
 traefik.ingress.kubernetes.io/router.middlewares: traefik-sso@kubernetescrd
 traefik.ingress.kubernetes.io/router.tls: "true"
@@ -59,8 +58,7 @@ spec:
 number: 80
 tls:
 - hosts:
- - phpmyadmin.k-space.ee
- secretName: phpmyadmin-tls
+ - "*.k-space.ee"
 ---
 apiVersion: v1
 kind: Service
diff --git a/prometheus-operator/application.yml b/prometheus-operator/application.yml
index d884ec3..c54feee 100644
--- a/prometheus-operator/application.yml
+++ b/prometheus-operator/application.yml
@@ -399,7 +399,6 @@ kind: Ingress
 metadata:
 name: prometheus
 annotations:
- cert-manager.io/cluster-issuer: default
 traefik.ingress.kubernetes.io/router.entrypoints: websecure
 traefik.ingress.kubernetes.io/router.tls: "true"
 external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
@@ -418,15 +417,13 @@ spec:
 number: 9090
 tls:
 - hosts:
- - prom.k-space.ee
- secretName: prom-tls
+ - "*.k-space.ee"
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
 name: alertmanager
 annotations:
- cert-manager.io/cluster-issuer: default
 traefik.ingress.kubernetes.io/router.entrypoints: websecure
 traefik.ingress.kubernetes.io/router.tls: "true"
 external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
@@ -445,8 +442,7 @@ spec:
 number: 9093
 tls:
 - hosts:
- - am.k-space.ee
- secretName: alertmanager-tls
+ - "*.k-space.ee"
 ---
 apiVersion: monitoring.coreos.com/v1
 kind: PodMonitor
diff --git a/traefik/application-extras.yml b/traefik/application-extras.yml
index 029a890..dfa2422 100644
--- a/traefik/application-extras.yml
+++ b/traefik/application-extras.yml
@@ -64,8 +64,16 @@ spec:
 number: 9000
 tls:
 - hosts:
- - traefik.k-space.ee
- secretName: traefik-tls
+ - "*.k-space.ee"
+ secretName: wildcard-tls
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: TLSStore
+metadata:
+ name: default
+spec:
+ defaultCertificate:
+ secretName: wildcard-tls
 ---
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
diff --git a/traefik/proxmox.yml b/traefik/proxmox.yml
index af7a9db..28a6ba2 100644
--- a/traefik/proxmox.yml
+++ b/traefik/proxmox.yml
@@ -104,7 +104,6 @@ metadata:
 name: pve
 annotations:
 kubernetes.io/ingress.class: traefik
- cert-manager.io/cluster-issuer: default
 external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
 traefik.ingress.kubernetes.io/router.entrypoints: websecure
 traefik.ingress.kubernetes.io/router.middlewares: traefik-sso@kubernetescrd,traefik-proxmox-redirect@kubernetescrd
@@ -147,9 +146,7 @@ spec:
 number: 8006
 tls:
 - hosts:
- - pve.k-space.ee
- - proxmox.k-space.ee
- secretName: pve-tls
+ - "*.k-space.ee"
 ---
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
diff --git a/traefik/voron.yml b/traefik/voron.yml
index d19a37f..1c73275 100644
--- a/traefik/voron.yml
+++ b/traefik/voron.yml
@@ -17,7 +17,6 @@ metadata:
 name: voron
 annotations:
 kubernetes.io/ingress.class: traefik
- cert-manager.io/cluster-issuer: default
 traefik.ingress.kubernetes.io/router.entrypoints: websecure
 traefik.ingress.kubernetes.io/router.middlewares: traefik-sso@kubernetescrd
 traefik.ingress.kubernetes.io/router.tls: "true"
@@ -36,5 +35,4 @@ spec:
 name: http
 tls:
 - hosts:
- - voron.k-space.ee
- secretName: voron-tls
+ - "*.k-space.ee"
diff --git a/traefik/whoami.yml b/traefik/whoami.yml
index ef4ec0f..31bc552 100644
--- a/traefik/whoami.yml
+++ b/traefik/whoami.yml
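Review bot: The new `TLSStore` named `default` makes `wildcard-tls` the certificate Traefik presents for every TLS connection without a more specific match, including SNI names that have no Ingress at all, yet the patch shows neither how that Secret is created nor how it is renewed: every `cert-manager.io/cluster-issuer` annotation is removed and no Certificate resource or equivalent is added. That needs to be recorded on the resource itself, something like `# wildcard-tls must be kept current by <how it is issued — TODO record>; every Ingress in the cluster now relies on it through this default store` above `kind: TLSStore`. Because one key now protects all *.k-space.ee hosts, expiry or compromise of this Secret affects every service at once, so an expiry alert on it (prometheus-operator is already part of the repo) belongs with this change. The Ingress in the same hunk also keeps an explicit `secretName: wildcard-tls` next to the store's `defaultCertificate`, which is redundant but harmless; a one-line comment marking it intentional would stop a later cleanup from dropping it for the wrong reason.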
@@ -41,7 +41,6 @@ kind: Ingress
 metadata:
 name: whoami
 annotations:
- cert-manager.io/cluster-issuer: default
 external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
 kubernetes.io/ingress.class: traefik
 traefik.ingress.kubernetes.io/router.entrypoints: websecure
@@ -50,8 +49,7 @@ metadata:
 spec:
 tls:
 - hosts:
- - "whoami.k-space.ee"
- secretName: whoami-tls
+ - "*.k-space.ee"
 rules:
 - host: "whoami.k-space.ee"
 http:
diff --git a/wildduck/application.yml b/wildduck/application.yml
index 14ea52f..8e7a3e2 100644
--- a/wildduck/application.yml
+++ b/wildduck/application.yml
@@ -104,7 +104,6 @@ metadata:
 namespace: wildduck
 annotations:
 kubernetes.io/ingress.class: traefik
- cert-manager.io/cluster-issuer: default
 traefik.ingress.kubernetes.io/router.entrypoints: websecure
 traefik.ingress.kubernetes.io/router.middlewares: traefik-sso@kubernetescrd
 traefik.ingress.kubernetes.io/router.tls: "true"
@@ -123,8 +122,7 @@ spec:
 number: 80
 tls:
 - hosts:
- - webmail.k-space.ee
- secretName: webmail-tls
+ - "*.k-space.ee"
 ---
 apiVersion: codemowers.io/v1alpha1
 kind: KeyDBCluster