diff --git a/infrastructure/prod/authelia/forward-auth-middleware.yaml b/infrastructure/prod/authelia/forward-auth-middleware.yaml
index 64a5796..b710533 100644
--- a/infrastructure/prod/authelia/forward-auth-middleware.yaml
+++ b/infrastructure/prod/authelia/forward-auth-middleware.yaml
@@ -5,7 +5,7 @@ metadata:
   namespace: auth
 spec:
   forwardAuth:
-    address: 'http://authelia.auth.svc.cluster.local/api/verify?rd=https://auth.namesny.com'
+    address: 'http://authelia.auth.svc.cluster.local/api/verify?rd=https://auth.example.com'
     trustForwardHeader: true
     authResponseHeaders:
       - "Remote-User"
diff --git a/infrastructure/prod/authelia/ingress.yaml b/infrastructure/prod/authelia/ingress.yaml
index fe87728..60ceb70 100644
--- a/infrastructure/prod/authelia/ingress.yaml
+++ b/infrastructure/prod/authelia/ingress.yaml
@@ -7,7 +7,7 @@ spec:
   entryPoints:
     - websecure
   routes:
-    - match: Host(`auth.namesny.com`)
+    - match: Host(`auth.example.com`)
       kind: Rule
       services:
         - name: authelia
diff --git a/infrastructure/prod/authelia/values.yaml b/infrastructure/prod/authelia/values.yaml
index 47ca455..4ff16b7 100644
--- a/infrastructure/prod/authelia/values.yaml
+++ b/infrastructure/prod/authelia/values.yaml
@@ -1,4 +1,4 @@
-domain: 'namesny.com'
+domain: 'example.com'
 configMap:
   authentication_backend:
     file:
@@ -13,7 +13,7 @@ configMap:
     enabled: false
   access_control:
     rules:
-      - domain: '*.namesny.com'
+      - domain: '*.example.com'
         policy: one_factor
   session:
     redis:
diff --git a/infrastructure/prod/cert-manager/issuer.yaml b/infrastructure/prod/cert-manager/issuer.yaml
index 6dcfeed..a63cd5e 100644
--- a/infrastructure/prod/cert-manager/issuer.yaml
+++ b/infrastructure/prod/cert-manager/issuer.yaml
@@ -1,7 +1,7 @@
 apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
 metadata:
-  name: letsencrypt-prod
+  name: cloudflare-prod
 spec:
   acme:
     email: admin@example.com
diff --git a/infrastructure/prod/cert-manager/kustomization.yaml b/infrastructure/prod/cert-manager/kustomization.yaml
index 79a86a0..d12f9e0 100644
--- a/infrastructure/prod/cert-manager/kustomization.yaml
+++ b/infrastructure/prod/cert-manager/kustomization.yaml
@@ -2,3 +2,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - ../../base/cert-manager
+  - secret.enc.yaml
+  - issuer.yaml
diff --git a/infrastructure/prod/cert-manager/secret.enc.yaml b/infrastructure/prod/cert-manager/secret.enc.yaml
new file mode 100644
index 0000000..d63551a
--- /dev/null
+++ b/infrastructure/prod/cert-manager/secret.enc.yaml
@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cloudflare-api-token-secret
+  namespace: cert-manager
+type: Opaque
+stringData:
+  api-token: ENC[AES256_GCM,data:Urnj7HrYPocHC+h2k75e/H9WDxmh8iF9mReyeWyuB+oOlGKn534SdA==,iv:TTKtIJa4ixQhq9Mh3KeB1VcqoTHFceQJzkSm1gqg3So=,tag:RnckzpR2BRcp8U/J+qX5Lg==,type:str]
+sops:
+  kms: []
+  gcp_kms: []
+  azure_kv: []
+  hc_vault: []
+  age:
+    - recipient: age1jk99rtxq3ep2xj2w886cchddf7jypqpwkr3dszg5dzq93gn8cy9qyc786m
+      enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEZWprTlZDbUhFdU12bkc3
+        RVlFVjk0dHNyc21ZVHRzaTZlSTlENDB4MVJjCkFWV1RKcXU2Nk1jeSt4eG9nV0or
+        UVJmcHNMdnNGd2Jxc2h4M0FoY0RyTmMKLS0tIE9SZ2R3OFZOTVBncVAyUDFyS2Jz
+        THljamdxWFVpaVdtZFpiQXV0SjdicE0KgvRRtxMKub4V0xQTDU7De+7Es7vLbHn+
+        BkIKFMqJRnFk32vcPdoXqMlKIncZ3SV0/DSo0L0A/8gKYDN5uQlKVA==
+        -----END AGE ENCRYPTED FILE-----
+  lastmodified: "2024-09-23T19:59:37Z"
+  mac: ENC[AES256_GCM,data:6gM7IN2Ktv/ckSLXdexX19GgbnRnQHAreRzcTdwgW0ptuW05zjW6sZXT3OBg6RyQ1Ua8d33XgNcIgz9w/mB80UsB2oudCdOTOcvxclS/oIts+4Bs0cCsEPpP57LjG68RCyRZAEetnSr7q/0urbTqWxIX8kK5nV4NaumZrfAqqN8=,iv:Swsc8oEgw/4GFBeRmbELq+VIJBxqiE1TPAvi3F+Dpng=,tag:lRKnB0v4atLreLlCg5QX0Q==,type:str]
+  pgp: []
+  unencrypted_regex: ^(apiVersion|metadata|kind|type)$
+  version: 3.9.0
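Review bot: Adding `secret.enc.yaml` as a plain kustomize resource only works if the component that applies this kustomization decrypts SOPS files first; a bare `kubectl apply -k` or `kustomize build` would create the Secret with the literal `ENC[AES256_GCM,...]` string as `api-token`, and the issuer that consumes it would then fail against the Cloudflare API with an opaque auth error rather than at apply time. If this path is reconciled by Flux, confirm the Flux Kustomization covering it sets `decryption.provider: sops` with a `secretRef` to the age private key; nothing in this hunk or the new file shows that wiring. I would add a comment above the new entry: `# SOPS/age-encrypted; decrypted by the reconciler, not by kustomize itself`.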
diff --git a/infrastructure/prod/cert-manager/secret.yaml b/infrastructure/prod/cert-manager/secret.yaml
deleted file mode 100644
index efe8777..0000000
--- a/infrastructure/prod/cert-manager/secret.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: cloudflare-api-token-secret
-  namespace: cert-manager
-type: Opaque
-stringData:
-  api-token: your-cloudflare-api-token
\ No newline at end of file
diff --git a/infrastructure/prod/traefik/certificate.yaml b/infrastructure/prod/traefik/certificate.yaml
new file mode 100644
index 0000000..fb89140
--- /dev/null
+++ b/infrastructure/prod/traefik/certificate.yaml
@@ -0,0 +1,13 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: wildcard-nmsny-dev
+  namespace: traefik
+spec:
+  secretName: wildcard-nmsny-dev-tls
+  dnsNames:
+    - "example.com"
+    - "*.example.com"
+  issuerRef:
+    name: cloudflare-prod
+    kind: Issuer
\ No newline at end of file
diff --git a/infrastructure/prod/traefik/values.yaml b/infrastructure/prod/traefik/values.yaml
index 83ee781..b89310e 100644
--- a/infrastructure/prod/traefik/values.yaml
+++ b/infrastructure/prod/traefik/values.yaml
@@ -13,7 +13,7 @@ logs:
 ingressRoute:
   dashboard:
     enabled: true
-    matchRule: Host(`traefik.namesny.com`)
+    matchRule: Host(`traefik.example.com`)
     entryPoints: ["websecure"]
     middlewares:
       - name: "auth-authelia@kubernetescrd"
@@ -33,3 +33,7 @@ ports:
 service:
   spec:
     externalTrafficPolicy: Local
+tlsStore:
+  default:
+    defaultCertificate:
+      secretName: wildcard-nmsny-dev-tls
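Review bot: `kind: Issuer` on the last line of the new certificate.yaml does not match the issuer this commit defines: infrastructure/prod/cert-manager/issuer.yaml declares a `ClusterIssuer` named `cloudflare-prod`, so cert-manager will look for a namespaced Issuer of that name in the `traefik` namespace, find none, and the Certificate will never become Ready. The `wildcard-nmsny-dev-tls` secret that the new `tlsStore` block in traefik/values.yaml points at would then never be created, and Traefik would most likely keep serving its self-signed default certificate instead. Change the last line to `kind: ClusterIssuer`. Separately, the resource name `wildcard-nmsny-dev` and the `-tls` secret name still carry the old identifier while `dnsNames` moved to example.com; renaming both together with the tlsStore reference would keep the three files consistent, and the file should end with a trailing newline.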