Use wildcard cert everywhere!

2023-04-13 01:21:06 -04:00 · 2023-04-13 01:21:06 -04:00 · fc5e97e7ae
parent f2252bd6c8
commit fc5e97e7ae
12 changed files with 59 additions and 22 deletions
--- a/cluster/apps/authentik/helm-release.yaml
+++ b/cluster/apps/authentik/helm-release.yaml
@ -58,10 +58,14 @@ spec:
        cert-manager.io/cluster-issuer: "letsencrypt-production"
        traefik.ingress.kubernetes.io/router.entrypoints: websecure
      hosts:
-        - host: auth.${SECRET_NEW_DOMAIN}
+        - host: &host "auth.${SECRET_NEW_DOMAIN}"
          paths:
-            - path: "/"
+            - path: /
              pathType: Prefix
      tls:
        - hosts:
            - *host
          secretName: wildcard-main-tls
    monitoring:
      enabled: false # temporarily disable monitoring
--- a/cluster/apps/management/guacamole/helm-release.yaml
+++ b/cluster/apps/management/guacamole/helm-release.yaml
@ -44,13 +44,16 @@ spec:
      main:
        enabled: true
        annotations:
          cert-manager.io/cluster-issuer: "letsencrypt-production"
          traefik.ingress.kubernetes.io/router.entrypoints: websecure
        hosts:
-          - host: "remote.${SECRET_NEW_DOMAIN}"
+          - host: &host "remote.${SECRET_NEW_DOMAIN}"
            paths:
              - path: /
                pathType: Prefix
        tls:
          - hosts:
              - *host
            secretName: wildcard-main-tls
    persistence:
      config:
--- a/cluster/apps/media/audiobookshelf/helm-release.yaml
+++ b/cluster/apps/media/audiobookshelf/helm-release.yaml
@ -33,13 +33,16 @@ spec:
      main:
        enabled: true
        annotations:
          cert-manager.io/cluster-issuer: "letsencrypt-production"
          traefik.ingress.kubernetes.io/router.entrypoints: websecure
        hosts:
-          - host: "audiobooks.${SECRET_NEW_DOMAIN}"
+          - host: &host "audiobooks.${SECRET_NEW_DOMAIN}"
            paths:
              - path: /
                pathType: Prefix
        tls:
          - hosts:
              - *host
            secretName: wildcard-main-tls
    persistence:
      config:
--- a/cluster/apps/media/jellyfin/helm-release.yaml
+++ b/cluster/apps/media/jellyfin/helm-release.yaml
@ -36,13 +36,16 @@ spec:
      main:
        enabled: true
        annotations:
          cert-manager.io/cluster-issuer: "letsencrypt-production"
          traefik.ingress.kubernetes.io/router.entrypoints: websecure
        hosts:
-          - host: "watch.${SECRET_NEW_DOMAIN}"
+          - host: &host "watch.${SECRET_NEW_DOMAIN}"
            paths:
              - path: /
                pathType: Prefix
        tls:
          - hosts:
              - *host
            secretName: wildcard-main-tls
    persistence:
      config:
--- a/cluster/apps/media/jellyseerr/helm-release.yaml
+++ b/cluster/apps/media/jellyseerr/helm-release.yaml
@ -39,13 +39,16 @@ spec:
      main:
        enabled: true
        annotations:
          cert-manager.io/cluster-issuer: "letsencrypt-production"
          traefik.ingress.kubernetes.io/router.entrypoints: websecure
        hosts:
-          - host: "request.${SECRET_NEW_DOMAIN}"
+          - host: &host "request.${SECRET_NEW_DOMAIN}"
            paths:
              - path: /
                pathType: Prefix
        tls:
          - hosts:
              - *host
            secretName: wildcard-main-tls
    persistence:
      config:
--- a/cluster/apps/media/kavita/helm-release.yaml
+++ b/cluster/apps/media/kavita/helm-release.yaml
@ -30,13 +30,16 @@ spec:
      main:
        enabled: true
        annotations:
          cert-manager.io/cluster-issuer: "letsencrypt-production"
          traefik.ingress.kubernetes.io/router.entrypoints: websecure
        hosts:
-          - host: "books.${SECRET_NEW_DOMAIN}"
+          - host: &host "books.${SECRET_NEW_DOMAIN}"
            paths:
              - path: /
                pathType: Prefix
        tls:
          - hosts:
              - *host
            secretName: wildcard-main-tls
    persistence:
      config:
        enabled: true
--- a/cluster/apps/media/komga/helm-release.yaml
+++ b/cluster/apps/media/komga/helm-release.yaml
@ -32,13 +32,16 @@ spec:
      main:
        enabled: true
        annotations:
          cert-manager.io/cluster-issuer: "letsencrypt-production"
          traefik.ingress.kubernetes.io/router.entrypoints: websecure
        hosts:
-          - host: "comics.${SECRET_NEW_DOMAIN}"
+          - host: &host "comics.${SECRET_NEW_DOMAIN}"
            paths:
              - path: /
                pathType: Prefix
        tls:
          - hosts:
              - *host
            secretName: wildcard-main-tls
    persistence:
      config:
        enabled: true
--- a/cluster/apps/media/plex/helm-release.yaml
+++ b/cluster/apps/media/plex/helm-release.yaml
@ -47,13 +47,16 @@ spec:
      main:
        enabled: true
        annotations:
-          cert-manager.io/cluster-issuer: "letsencrypt-production"
+          traefik.ingress.kubernetes.io/router.entrypoints: websecure
          traefik.ingress.kubernetes.io/router.entrypoints: websecure #,plex
        hosts:
-          - host: "plex.${SECRET_NEW_DOMAIN}"
+          - host: &host "plex.${SECRET_NEW_DOMAIN}"
            paths:
              - path: /
                pathType: Prefix
        tls:
          - hosts:
              - *host
            secretName: wildcard-main-tls
    persistence:
      config:
--- a/cluster/apps/tools/hastebin/helm-release.yaml
+++ b/cluster/apps/tools/hastebin/helm-release.yaml
@ -53,10 +53,14 @@ spec:
          cert-manager.io/cluster-issuer: "letsencrypt-production"
          traefik.ingress.kubernetes.io/router.entrypoints: websecure
        hosts:
-          - host: "paste.${SECRET_NEW_DOMAIN}"
+          - host: &host "paste.${SECRET_NEW_DOMAIN}"
            paths:
              - path: /
                pathType: Prefix
        tls:
          - hosts:
              - *host
            secretName: wildcard-main-tls
    resources:
      requests:
--- a/cluster/apps/tools/transfersh/helm-release.yaml
+++ b/cluster/apps/tools/transfersh/helm-release.yaml
@ -49,10 +49,14 @@ spec:
          cert-manager.io/cluster-issuer: "letsencrypt-production"
          traefik.ingress.kubernetes.io/router.entrypoints: websecure
        hosts:
-          - host: "upload.${SECRET_NEW_DOMAIN}"
+          - host: &host "upload.${SECRET_NEW_DOMAIN}"
            paths:
              - path: /
                pathType: Prefix
        tls:
          - hosts:
              - *host
            secretName: wildcard-main-tls
    persistence:
      storage:
--- a/cluster/apps/tools/vaultwarden/helm-release.yaml
+++ b/cluster/apps/tools/vaultwarden/helm-release.yaml
@ -36,10 +36,14 @@ spec:
          cert-manager.io/cluster-issuer: "letsencrypt-production"
          traefik.ingress.kubernetes.io/router.entrypoints: websecure
        hosts:
-          - host: "bitwarden.${SECRET_NEW_DOMAIN}"
+          - host: &host "bitwarden.${SECRET_NEW_DOMAIN}"
            paths:
              - path: /
                pathType: Prefix
        tls:
          - hosts:
              - *host
            secretName: wildcard-main-tls
    persistence:
      data:
--- a/cluster/core/cert-manager/wildcard-cert.yaml
+++ b/cluster/core/cert-manager/wildcard-cert.yaml
@ -8,13 +8,13 @@ spec:
  secretTemplate:
    annotations:
-      replicator.v1.mittwald.de/replicate-to: "traefik,download"
+      replicator.v1.mittwald.de/replicate-to: "traefik,download,media,tools,management,authentik"
  duration: 2160h # 90d
  renewBefore: 360h # 15d
  issuerRef:
-    name: letsencrypt-staging
+    name: letsencrypt-prod
    kind: ClusterIssuer
  dnsNames: