feat: cert-manager ca for internal certs, enable tls for postgres

also fix: incorrect namespace for wildcard cert

kubernetes/common/apps/cert-manager/certs/files/ca/ca-cert.yaml

@@ -0,0 +1,16 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: ca-cert
+  namespace: cert-manager
+spec:
+  isCA: true
+  commonName: cluster-ca
+  secretName: ca-cert-secret
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  issuerRef:
+    name: self-signed-issuer
+    kind: ClusterIssuer
+    group: cert-manager.io

kubernetes/common/apps/cert-manager/certs/files/ca/ca-issuer.yaml

@@ -0,0 +1,7 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: ca-issuer
+spec:
+  ca:
+    secretName: ca-cert-secret

kubernetes/common/apps/cert-manager/certs/files/ca/kustomization.yaml

@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./self-signed-issuer.yaml
+- ./ca-cert.yaml
+- ./ca-issuer.yaml

kubernetes/common/apps/cert-manager/certs/files/ca/self-signed-issuer.yaml

@@ -0,0 +1,6 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: self-signed-issuer
+spec:
+  selfSigned: {}

kubernetes/common/apps/cert-manager/certs/files/kustomization.yaml

@@ -4,4 +4,4 @@ resources:
 - ./cloudflare-cred.sops.yaml
 - ./letsencrypt-prod.yaml
 - ./letsencrypt-stage.yaml
-- ./wildcard-cert.yaml
+- ./ca

kubernetes/common/apps/traefik/app/ks.yaml

@@ -1,25 +0,0 @@
-# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: traefik
-  namespace: flux-system
-spec:
-  timeout: 5m
-  interval: 10m
-  path: ./kubernetes/common/apps/traefik/app/files
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    name: home-cluster
-  decryption:
-    provider: sops
-    secretRef:
-      name: sops-gpg
-  postBuild:
-    substitute: {}
-    substituteFrom:
-      - kind: ConfigMap
-        name: cluster-settings
-      - kind: Secret
-        name: cluster-secrets

kubernetes/common/apps/traefik/extra/ks.yaml

@@ -1,30 +0,0 @@
-
----
-# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: traefik-default-tls
-  namespace: flux-system
-spec:
-  timeout: 5m
-  interval: 10m
-  path: ./kubernetes/common/apps/traefik/extra/files
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    name: home-cluster
-  decryption:
-    provider: sops
-    secretRef:
-      name: sops-gpg
-  dependsOn:
-  - name: traefik
-    namespace: flux-system
-  postBuild:
-    substitute: {}
-    substituteFrom:
-      - kind: ConfigMap
-        name: cluster-settings
-      - kind: Secret
-        name: cluster-secrets

kubernetes/main/apps/database/postgresql/cert.yaml

@@ -0,0 +1,17 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: postgres-cert
+  namespace: database
+spec:
+  secretName: postgres-cert
+
+  duration: 2160h # 90d
+  renewBefore: 360h # 15d
+
+  issuerRef:
+    name: cluster-ca-issuer
+    kind: ClusterIssuer
+
+  dnsNames:
+  - postgresql.database

kubernetes/main/apps/database/postgresql/helm-release.yaml

@@ -20,6 +20,12 @@ spec:
         adminPasswordKey: "adminPassword"
         replicationPasswordKey: "replicationPassword"
 
+    tls:
+      enabled: true
+      certificatesSecret: postgres-cert
+      certFilename: "tls.crt"
+      certKeyFilename: "tls.key"
+
     serviceMonitor:
       enabled: true
       labels:
@@ -39,4 +45,5 @@ spec:
     readReplicas:
       containerSecurityContext:
         enabled: true
-        runAsUser: 10000
+        runAsUser: 10000
+    

kubernetes/main/apps/database/postgresql/kustomization.yaml

@@ -3,5 +3,6 @@ kind: Kustomization
 resources:
 - ./pgsql-pv.yaml
 - ./pgsql.sops.yaml
+- ./cert.yaml
 - ./helm-release.yaml
 #- ./pgadmin4

kubernetes/main/core/kustomization.yaml

@@ -5,7 +5,7 @@ resources:
 - ./helm-repositories.yaml
 - ../../common/apps/cert-manager
 - ../../common/apps/metallb
-- ../../common/apps/traefik
+- ./traefik/ks.yaml
 # storage
 - ./longhorn
 - ./openebs

kubernetes/main/core/traefik/app/wildcard-cert.yaml

@@ -0,0 +1,19 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: wildcard-main-cert
+  namespace: traefik
+spec:
+  secretName: wildcard-main-tls
+
+  duration: 2160h # 90d
+  renewBefore: 360h # 15d
+
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+
+  dnsNames:
+    - "${SECRET_NEW_DOMAIN}"
+    - "*.${SECRET_NEW_DOMAIN}"
+    - "*.internal.${SECRET_NEW_DOMAIN}"

kubernetes/main/core/traefik/ks.yaml

@@ -0,0 +1,56 @@
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: traefik
+  namespace: flux-system
+spec:
+  timeout: 5m
+  interval: 10m
+  path: ./kubernetes/main/core/traefik/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-cluster
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-gpg
+  dependsOn:
+    - name: cert-manager-certificates
+  postBuild:
+    substitute: {}
+    substituteFrom:
+      - kind: ConfigMap
+        name: cluster-settings
+      - kind: Secret
+        name: cluster-secrets
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: traefik-extra
+  namespace: flux-system
+spec:
+  timeout: 5m
+  interval: 10m
+  path: ./kubernetes/main/core/traefik/extra
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-cluster
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-gpg
+  dependsOn:
+  - name: traefik
+    namespace: flux-system
+  postBuild:
+    substitute: {}
+    substituteFrom:
+      - kind: ConfigMap
+        name: cluster-settings
+      - kind: Secret
+        name: cluster-secrets

kubernetes/thin/apps/nginx/ks.yaml

@@ -1,6 +1,35 @@
 # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
+metadata:
+  name: nginx-wildcard-cert
+  namespace: flux-system
+spec:
+  targetNamespace: nginx
+  timeout: 5m
+  interval: 10m
+  path: ./kubernetes/thin/apps/nginx/wildcard-cert
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-cluster
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-gpg
+  dependsOn:
+    - name: cert-manager-certificates
+  postBuild:
+    substitute: {}
+    substituteFrom:
+      - kind: ConfigMap
+        name: cluster-settings
+      - kind: Secret
+        name: cluster-secrets
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
 metadata:
   name: nginx-external
   namespace: flux-system
@@ -17,6 +46,8 @@ spec:
     provider: sops
     secretRef:
       name: sops-gpg
+  dependsOn:
+    - name: nginx-wildcard-cert
   postBuild:
     substitute: {}
     substituteFrom:
@@ -44,6 +75,8 @@ spec:
     provider: sops
     secretRef:
       name: sops-gpg
+  dependsOn:
+    - name: nginx-wildcard-cert
   postBuild:
     substitute: {}
     substituteFrom:

kubernetes/thin/apps/nginx/wildcard-cert/kustomization.yaml

@@ -1,5 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- ./app/ks.yaml
-- ./extra/ks.yaml
+- ./wildcard-cert.yaml