From fc5e97e7ae5d21416346c4e1f8e29223bcecaa6c Mon Sep 17 00:00:00 2001
From: SeanOMik
Date: Thu, 13 Apr 2023 01:21:06 -0400
Subject: [PATCH] Use wildcard cert everywhere!
---
cluster/apps/authentik/helm-release.yaml | 8 ++++++--
cluster/apps/management/guacamole/helm-release.yaml | 7 +++++--
cluster/apps/media/audiobookshelf/helm-release.yaml | 7 +++++--
cluster/apps/media/jellyfin/helm-release.yaml | 7 +++++--
cluster/apps/media/jellyseerr/helm-release.yaml | 7 +++++--
cluster/apps/media/kavita/helm-release.yaml | 7 +++++--
cluster/apps/media/komga/helm-release.yaml | 7 +++++--
cluster/apps/media/plex/helm-release.yaml | 9 ++++++---
cluster/apps/tools/hastebin/helm-release.yaml | 6 +++++-
cluster/apps/tools/transfersh/helm-release.yaml | 6 +++++-
cluster/apps/tools/vaultwarden/helm-release.yaml | 6 +++++-
cluster/core/cert-manager/wildcard-cert.yaml | 4 ++--
12 files changed, 59 insertions(+), 22 deletions(-)
diff --git a/cluster/apps/authentik/helm-release.yaml b/cluster/apps/authentik/helm-release.yaml
index 2fa42a3..4ce79da 100644
--- a/cluster/apps/authentik/helm-release.yaml
+++ b/cluster/apps/authentik/helm-release.yaml
@@ -58,10 +58,14 @@ spec:
cert-manager.io/cluster-issuer: "letsencrypt-production"
traefik.ingress.kubernetes.io/router.entrypoints: websecure
hosts:
- - host: auth.${SECRET_NEW_DOMAIN}
+ - host: &host "auth.${SECRET_NEW_DOMAIN}"
paths:
- - path: "/"
+ - path: /
pathType: Prefix
+ tls:
+ - hosts:
+ - *host
+ secretName: wildcard-main-tls
monitoring:
enabled: false # temporarily disable monitoring
\ No newline at end of file
diff --git a/cluster/apps/management/guacamole/helm-release.yaml b/cluster/apps/management/guacamole/helm-release.yaml
index fcfe346..4061d9c 100644
--- a/cluster/apps/management/guacamole/helm-release.yaml
+++ b/cluster/apps/management/guacamole/helm-release.yaml
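Review bot: The `cert-manager.io/cluster-issuer: "letsencrypt-production"` annotation is kept while the new `tls` block points at `secretName: wildcard-main-tls`, so cert-manager's ingress-shim will create a per-host Certificate for `auth.${SECRET_NEW_DOMAIN}` that writes into the same Secret the replicator is mirroring the wildcard into; the two controllers then keep overwriting each other and every re-issue counts against Let's Encrypt rate limits. The guacamole and media hunks in this commit drop that annotation, and this one should too: delete the `cert-manager.io/cluster-issuer: "letsencrypt-production"` line. The `&host`/`*host` anchor sits inside HelmRelease values that also go through Flux `${...}` substitution; I'm not certain every version of the kustomize/Flux pipeline expands YAML anchors, so confirm the rendered Ingress carries the expanded host in `tls.hosts`. The enclosing `ingress.main` mapping starts before this hunk.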
@@ -44,13 +44,16 @@ spec:
main:
enabled: true
annotations:
- cert-manager.io/cluster-issuer: "letsencrypt-production"
traefik.ingress.kubernetes.io/router.entrypoints: websecure
hosts:
- - host: "remote.${SECRET_NEW_DOMAIN}"
+ - host: &host "remote.${SECRET_NEW_DOMAIN}"
paths:
- path: /
pathType: Prefix
+ tls:
+ - hosts:
+ - *host
+ secretName: wildcard-main-tls
persistence:
config:
diff --git a/cluster/apps/media/audiobookshelf/helm-release.yaml b/cluster/apps/media/audiobookshelf/helm-release.yaml
index a22cc99..ac31bf5 100644
--- a/cluster/apps/media/audiobookshelf/helm-release.yaml
+++ b/cluster/apps/media/audiobookshelf/helm-release.yaml
@@ -33,13 +33,16 @@ spec:
main:
enabled: true
annotations:
- cert-manager.io/cluster-issuer: "letsencrypt-production"
traefik.ingress.kubernetes.io/router.entrypoints: websecure
hosts:
- - host: "audiobooks.${SECRET_NEW_DOMAIN}"
+ - host: &host "audiobooks.${SECRET_NEW_DOMAIN}"
paths:
- path: /
pathType: Prefix
+ tls:
+ - hosts:
+ - *host
+ secretName: wildcard-main-tls
persistence:
config:
diff --git a/cluster/apps/media/jellyfin/helm-release.yaml b/cluster/apps/media/jellyfin/helm-release.yaml
index 8a5deb5..c271689 100644
--- a/cluster/apps/media/jellyfin/helm-release.yaml
+++ b/cluster/apps/media/jellyfin/helm-release.yaml
@@ -36,13 +36,16 @@ spec:
main:
enabled: true
annotations:
- cert-manager.io/cluster-issuer: "letsencrypt-production"
traefik.ingress.kubernetes.io/router.entrypoints: websecure
hosts:
- - host: "watch.${SECRET_NEW_DOMAIN}"
+ - host: &host "watch.${SECRET_NEW_DOMAIN}"
paths:
- path: /
pathType: Prefix
+ tls:
+ - hosts:
+ - *host
+ secretName: wildcard-main-tls
persistence:
config:
diff --git a/cluster/apps/media/jellyseerr/helm-release.yaml b/cluster/apps/media/jellyseerr/helm-release.yaml
index 253c307..cc43e8b 100644
--- a/cluster/apps/media/jellyseerr/helm-release.yaml
+++ b/cluster/apps/media/jellyseerr/helm-release.yaml
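Review bot: Referencing `secretName: wildcard-main-tls` from an Ingress in the `management` namespace means the wildcard private key has to be copied into that namespace (this commit's `replicate-to` list does exactly that), so anyone with `get secrets` there holds the key for every host under the domain, including the auth and vaultwarden endpoints. Since all of these Ingresses terminate at Traefik, the key could stay in the `traefik` namespace instead: register the wildcard Secret as Traefik's default `TLSStore` (CRD provider) and leave the per-app `tls:` blocks out, so `websecure` serves the wildcard by SNI with no per-namespace copies. If the replication design is kept, a comment above the `tls:` block would save the next reader from re-adding a cluster-issuer annotation, e.g. `# wildcard-main-tls is mirrored here by kubernetes-replicator; never issue it per app`. Until the replicator has populated the Secret in `management`, Traefik will serve its default certificate for this host.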
@@ -39,13 +39,16 @@ spec:
main:
enabled: true
annotations:
- cert-manager.io/cluster-issuer: "letsencrypt-production"
traefik.ingress.kubernetes.io/router.entrypoints: websecure
hosts:
- - host: "request.${SECRET_NEW_DOMAIN}"
+ - host: &host "request.${SECRET_NEW_DOMAIN}"
paths:
- path: /
pathType: Prefix
+ tls:
+ - hosts:
+ - *host
+ secretName: wildcard-main-tls
persistence:
config:
diff --git a/cluster/apps/media/kavita/helm-release.yaml b/cluster/apps/media/kavita/helm-release.yaml
index 0701f31..d11b573 100644
--- a/cluster/apps/media/kavita/helm-release.yaml
+++ b/cluster/apps/media/kavita/helm-release.yaml
@@ -30,13 +30,16 @@ spec:
main:
enabled: true
annotations:
- cert-manager.io/cluster-issuer: "letsencrypt-production"
traefik.ingress.kubernetes.io/router.entrypoints: websecure
hosts:
- - host: "books.${SECRET_NEW_DOMAIN}"
+ - host: &host "books.${SECRET_NEW_DOMAIN}"
paths:
- path: /
pathType: Prefix
+ tls:
+ - hosts:
+ - *host
+ secretName: wildcard-main-tls
persistence:
config:
enabled: true
diff --git a/cluster/apps/media/komga/helm-release.yaml b/cluster/apps/media/komga/helm-release.yaml
index 8f2f2ca..f25f958 100644
--- a/cluster/apps/media/komga/helm-release.yaml
+++ b/cluster/apps/media/komga/helm-release.yaml
@@ -32,13 +32,16 @@ spec:
main:
enabled: true
annotations:
- cert-manager.io/cluster-issuer: "letsencrypt-production"
traefik.ingress.kubernetes.io/router.entrypoints: websecure
hosts:
- - host: "comics.${SECRET_NEW_DOMAIN}"
+ - host: &host "comics.${SECRET_NEW_DOMAIN}"
paths:
- path: /
pathType: Prefix
+ tls:
+ - hosts:
+ - *host
+ secretName: wildcard-main-tls
persistence:
config:
enabled: true
diff --git a/cluster/apps/media/plex/helm-release.yaml b/cluster/apps/media/plex/helm-release.yaml
index 239ec04..f7848e1 100644
--- a/cluster/apps/media/plex/helm-release.yaml
+++ b/cluster/apps/media/plex/helm-release.yaml
@@ -47,13 +47,16 @@ spec:
main:
enabled: true
annotations:
- cert-manager.io/cluster-issuer: "letsencrypt-production"
- traefik.ingress.kubernetes.io/router.entrypoints: websecure #,plex
+ traefik.ingress.kubernetes.io/router.entrypoints: websecure
hosts:
- - host: "plex.${SECRET_NEW_DOMAIN}"
+ - host: &host "plex.${SECRET_NEW_DOMAIN}"
paths:
- path: /
pathType: Prefix
+ tls:
+ - hosts:
+ - *host
+ secretName: wildcard-main-tls
persistence:
config:
diff --git a/cluster/apps/tools/hastebin/helm-release.yaml b/cluster/apps/tools/hastebin/helm-release.yaml
index 788d127..f0a410f 100644
--- a/cluster/apps/tools/hastebin/helm-release.yaml
+++ b/cluster/apps/tools/hastebin/helm-release.yaml
@@ -53,10 +53,14 @@ spec:
cert-manager.io/cluster-issuer: "letsencrypt-production"
traefik.ingress.kubernetes.io/router.entrypoints: websecure
hosts:
- - host: "paste.${SECRET_NEW_DOMAIN}"
+ - host: &host "paste.${SECRET_NEW_DOMAIN}"
paths:
- path: /
pathType: Prefix
+ tls:
+ - hosts:
+ - *host
+ secretName: wildcard-main-tls
resources:
requests:
diff --git a/cluster/apps/tools/transfersh/helm-release.yaml b/cluster/apps/tools/transfersh/helm-release.yaml
index 186d62f..739b057 100644
--- a/cluster/apps/tools/transfersh/helm-release.yaml
+++ b/cluster/apps/tools/transfersh/helm-release.yaml
@@ -49,10 +49,14 @@ spec:
cert-manager.io/cluster-issuer: "letsencrypt-production"
traefik.ingress.kubernetes.io/router.entrypoints: websecure
hosts:
- - host: "upload.${SECRET_NEW_DOMAIN}"
+ - host: &host "upload.${SECRET_NEW_DOMAIN}"
paths:
- path: /
pathType: Prefix
+ tls:
+ - hosts:
+ - *host
+ secretName: wildcard-main-tls
persistence:
storage:
diff --git a/cluster/apps/tools/vaultwarden/helm-release.yaml b/cluster/apps/tools/vaultwarden/helm-release.yaml
index 36456bb..538f6ae 100644
--- a/cluster/apps/tools/vaultwarden/helm-release.yaml
+++ b/cluster/apps/tools/vaultwarden/helm-release.yaml
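Review bot: The hastebin hunk keeps `cert-manager.io/cluster-issuer: "letsencrypt-production"` on the Ingress while adding `secretName: wildcard-main-tls`, which asks cert-manager's ingress-shim to issue a certificate for `paste.${SECRET_NEW_DOMAIN}` into the very Secret the replicator mirrors the wildcard into. Unlike the guacamole and media files in this commit, the annotation was not removed here, so the `tools` namespace will see the Secret flip between a per-host certificate and the wildcard as the two controllers reconcile; drop the `cert-manager.io/cluster-issuer: "letsencrypt-production"` line. The enclosing `ingress.main` mapping starts before this hunk.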
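Review bot: Same problem in the transfersh hunk: `cert-manager.io/cluster-issuer: "letsencrypt-production"` is retained above the new `secretName: wildcard-main-tls`, so ingress-shim will try to manage `wildcard-main-tls` in `tools` for `upload.${SECRET_NEW_DOMAIN}` and fight the replicated wildcard; each round trip is a fresh Let's Encrypt order against the rate limits. Remove the annotation line, as the other hunks that moved to the wildcard do. If hastebin and transfersh are meant to keep per-host certificates on purpose, they need a distinct `secretName` rather than the replicator's target name.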
@@ -36,10 +36,14 @@ spec:
cert-manager.io/cluster-issuer: "letsencrypt-production"
traefik.ingress.kubernetes.io/router.entrypoints: websecure
hosts:
- - host: "bitwarden.${SECRET_NEW_DOMAIN}"
+ - host: &host "bitwarden.${SECRET_NEW_DOMAIN}"
paths:
- path: /
pathType: Prefix
+ tls:
+ - hosts:
+ - *host
+ secretName: wildcard-main-tls
persistence:
data:
diff --git a/cluster/core/cert-manager/wildcard-cert.yaml b/cluster/core/cert-manager/wildcard-cert.yaml
index 9065224..82167c1 100644
--- a/cluster/core/cert-manager/wildcard-cert.yaml
+++ b/cluster/core/cert-manager/wildcard-cert.yaml
@@ -8,13 +8,13 @@ spec:
secretTemplate:
annotations:
- replicator.v1.mittwald.de/replicate-to: "traefik,download"
+ replicator.v1.mittwald.de/replicate-to: "traefik,download,media,tools,management,authentik"
duration: 2160h # 90d
renewBefore: 360h # 15d
issuerRef:
- name: letsencrypt-staging
+ name: letsencrypt-prod
kind: ClusterIssuer
dnsNames:
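Review bot: The vaultwarden hunk retains `cert-manager.io/cluster-issuer: "letsencrypt-production"` next to the new `secretName: wildcard-main-tls`, so ingress-shim and the replicator compete for the same Secret in this namespace; on the password-manager host that means the served certificate can change between a per-host cert and the wildcard from one reconcile to the next, and renewal churn on the most sensitive endpoint here. Remove the annotation line as the guacamole and media files in this commit do. If the annotation is intentionally kept, note that it names the ClusterIssuer `letsencrypt-production` while the wildcard Certificate in this same commit is switched to `letsencrypt-prod`; I can't see the ClusterIssuer definitions here, so confirm both names exist rather than one being a typo.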