From 11ade14ac91b55c19dc98486e38164daa201145a Mon Sep 17 00:00:00 2001
From: SeanOMik
Date: Fri, 25 Aug 2023 00:11:57 -0400
Subject: [PATCH] fix: most services had invalid certificates

---
 .../apps/monitoring/zfs-exporter/alerts.yaml | 1 +
 cluster/core/cert-manager/helm-release.yaml | 22 +++----
 .../core/networking/traefik/helm-release.yaml | 62 ++++---------
 3 files changed, 23 insertions(+), 62 deletions(-)

diff --git a/cluster/apps/monitoring/zfs-exporter/alerts.yaml b/cluster/apps/monitoring/zfs-exporter/alerts.yaml
index a873f28..69de454 100644
--- a/cluster/apps/monitoring/zfs-exporter/alerts.yaml
+++ b/cluster/apps/monitoring/zfs-exporter/alerts.yaml
@@ -2,6 +2,7 @@ apiVersion: monitoring.coreos.com/v1
 kind: PrometheusRule
 metadata:
 name: zfs-exporter-rules
+ namespace: monitoring
 labels:
 release: kube-prometheus-stack
 spec:
diff --git a/cluster/core/cert-manager/helm-release.yaml b/cluster/core/cert-manager/helm-release.yaml
index e5a02ba..8b238f2 100644
--- a/cluster/core/cert-manager/helm-release.yaml
+++ b/cluster/core/cert-manager/helm-release.yaml
@@ -15,14 +15,14 @@ spec:
 namespace: flux-system
 values:
 installCRDs: false
-# webhook:
-# enabled: true
-# extraArgs:
-# - --dns01-recursive-nameservers=1.1.1.1:53,9.9.9.9:53
-# - --dns01-recursive-nameservers-only
-# replicaCount: 1
-# podDnsPolicy: "None"
-# podDnsConfig:
-# nameservers:
-# - "1.1.1.1"
-# - "9.9.9.9"
\ No newline at end of file
+ webhook:
+ enabled: true
+ extraArgs:
+ - --dns01-recursive-nameservers=1.1.1.1:53,9.9.9.9:53
+ - --dns01-recursive-nameservers-only
+ replicaCount: 1
+ podDnsPolicy: "None"
+ podDnsConfig:
+ nameservers:
+ - "1.1.1.1"
+ - "9.9.9.9"
\ No newline at end of file
diff --git a/cluster/core/networking/traefik/helm-release.yaml b/cluster/core/networking/traefik/helm-release.yaml
index dc9800c..0b85406 100644
--- a/cluster/core/networking/traefik/helm-release.yaml
+++ b/cluster/core/networking/traefik/helm-release.yaml
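Review bot: The `namespace: monitoring` added to the zfs-exporter PrometheusRule metadata is unrelated to the certificate fix in the subject line and is not mentioned in the commit message. If the rule was previously landing in a different namespace, pinning it here creates a new object and the old one stays behind unless the reconciler prunes; either split this into its own commit or add a line to the message stating why the namespace is now explicit.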
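Review bot: The re-enabled `webhook` block carries no comment explaining why the DNS-01 self-check is pinned to `1.1.1.1:53,9.9.9.9:53` with `--dns01-recursive-nameservers-only`, and the file still ends without a trailing newline (`\ No newline at end of file` appears on the new side as well). Add something like `# DNS-01 self-check must use public resolvers, not cluster DNS, so propagation is judged as the ACME server sees it` above `extraArgs:`, and terminate the file. `podDnsPolicy: "None"` means the webhook pod resolves only through the listed nameservers and loses in-cluster name resolution entirely, which looks intended here but is worth recording in the same comment. `replicaCount: 1` also leaves the webhook, which cert-manager's own resource operations presumably depend on, as a single replica; fine for a small cluster, but state that it is deliberate.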
@@ -29,83 +29,38 @@ spec:
 allowCrossNamespace: false
 allowExternalNameServices: false
 allowEmptyServices: false
- # ingressClass: traefik-internal
- # labelSelector: environment=production,method=traefik
 namespaces: []
- # - "default"
 kubernetesIngress:
 enabled: true
 allowExternalNameServices: false
 allowEmptyServices: false
- # ingressClass: traefik-internal
- # labelSelector: environment=production,method=traefik
 namespaces: []
- # - "default"
- # IP used for Kubernetes Ingress endpoints
 publishedService:
 enabled: false
- # Published Kubernetes Service to copy status from. Format: namespace/servicename
- # By default this Traefik service
- # pathOverride: ""
-
- service:
- annotations:
- metallb.universe.tf/allow-shared-ip: "main-ip-192.168.87.10"
- spec:
- loadBalancerIP: "192.168.87.10"
-
-# ports:
-# traefik:
-# port: 9000
-# expose: true
-# exposedPort: 9000
-# # The port protocol (TCP/UDP)
-# protocol: TCP
-# web:
-# port: 8000
-# expose: true
-# exposedPort: 80
-# redirectTo: websecure
-# protocol: TCP
-# websecure:
-# port: 8443
-# expose: true
-# exposedPort: 443
-# protocol: TCP
-# tls:
-# enabled: true
-# #certResolver: cloudflare
-# metrics:
-# port: 9100
-# expose: true
-# exposedPort: 9100
-# protocol: TCP
 ports:
 traefik:
 port: 9000
- expose: true
+ expose: false
 exposedPort: 9000
- hostIP: 192.168.87.10
- # The port protocol (TCP/UDP)
 protocol: TCP
+
 web:
 port: 8000
+ nodePort: 30080
 expose: true
- exposedPort: 80
 redirectTo: websecure
- hostIP: 192.168.87.10
 protocol: TCP
+
 websecure:
 port: 8443
+ nodePort: 30443
 expose: true
- exposedPort: 443
- hostIP: 192.168.87.10
 protocol: TCP
 tls:
 enabled: true
- #certResolver: cloudflare
+
 metrics:
 port: 9100
 expose: false
@@ -121,6 +76,11 @@ spec:
 enabled: true
 isDefaultClass: true
+ tlsStore:
+ default:
+ defaultCertificate:
+ secretName: wildcard-main-tls
+
 metrics:
 prometheus:
 entryPoint: metrics
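Review bot: Removing the whole `service:` block (the MetalLB `allow-shared-ip` annotation and `loadBalancerIP: "192.168.87.10"`) while adding `nodePort: 30080` / `nodePort: 30443` leaves the Service type to the chart default, which this hunk does not show; if the chart still renders a LoadBalancer, the address is now taken from MetalLB's pool instead of being pinned, and if the intent is NodePort, nothing documents that clients must reach the nodes on 30080/30443. Make the choice explicit, e.g. `service:` / `  type: NodePort` (or restore the pinned IP), with a comment naming what consumes those two node ports. Dropping `exposedPort: 80` and `exposedPort: 443` also hands the Service port numbers back to the chart defaults (presumably 80/443) — a one-line comment would keep that intent visible. `expose: false` on the `traefik` entrypoint is a sound hardening step, since the dashboard/API port 9000 is no longer published through the Service.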
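Review bot: `tlsStore.default.defaultCertificate.secretName: wildcard-main-tls` is the actual certificate fix, but nothing in this patch creates or references that Secret; if it is absent from Traefik's namespace, Traefik logs the error and serves its own generated default certificate, so the "invalid certificates" symptom would come back without a reconcile failure to point at it. Add a comment such as `# must exist in the traefik namespace; produced by the wildcard Certificate in <NAMESPACE-PLACEHOLDER>` above `tlsStore:`, and consider a HelmRelease `dependsOn` on whatever resource issues it so ordering is enforced rather than assumed. The enclosing `values:` mapping starts and ends outside this hunk.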