Set up cert-manager wildcard certs

infrastructure/prod/authelia/forward-auth-middleware.yaml

@@ -5,7 +5,7 @@ metadata:
   namespace: auth
 spec:
   forwardAuth:
-    address: 'http://authelia.auth.svc.cluster.local/api/verify?rd=https://auth.namesny.com'
+    address: 'http://authelia.auth.svc.cluster.local/api/verify?rd=https://auth.example.com'
     trustForwardHeader: true
     authResponseHeaders:
     - "Remote-User"

infrastructure/prod/authelia/ingress.yaml

@@ -7,7 +7,7 @@ spec:
   entryPoints:
     - websecure
   routes:
-  - match: Host(`auth.namesny.com`)
+  - match: Host(`auth.example.com`)
     kind: Rule
     services:
     - name: authelia

infrastructure/prod/authelia/values.yaml

@@ -1,4 +1,4 @@
-domain: 'namesny.com'
+domain: 'example.com'
 configMap:
   authentication_backend:
     file:
@@ -13,7 +13,7 @@ configMap:
       enabled: false
   access_control:
     rules:
-      - domain: '*.namesny.com'
+      - domain: '*.example.com'
         policy: one_factor
   session:
     redis:

infrastructure/prod/cert-manager/issuer.yaml

@@ -1,7 +1,7 @@
 apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
 metadata:
-  name: letsencrypt-prod
+  name: cloudflare-prod
 spec:
   acme:
     email: admin@example.com

infrastructure/prod/cert-manager/kustomization.yaml

@@ -2,3 +2,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - ../../base/cert-manager
+  - secret.enc.yaml
+  - issuer.yaml

infrastructure/prod/cert-manager/secret.enc.yaml

@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: cloudflare-api-token-secret
+    namespace: cert-manager
+type: Opaque
+stringData:
+    api-token: ENC[AES256_GCM,data:Urnj7HrYPocHC+h2k75e/H9WDxmh8iF9mReyeWyuB+oOlGKn534SdA==,iv:TTKtIJa4ixQhq9Mh3KeB1VcqoTHFceQJzkSm1gqg3So=,tag:RnckzpR2BRcp8U/J+qX5Lg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1jk99rtxq3ep2xj2w886cchddf7jypqpwkr3dszg5dzq93gn8cy9qyc786m
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEZWprTlZDbUhFdU12bkc3
+            RVlFVjk0dHNyc21ZVHRzaTZlSTlENDB4MVJjCkFWV1RKcXU2Nk1jeSt4eG9nV0or
+            UVJmcHNMdnNGd2Jxc2h4M0FoY0RyTmMKLS0tIE9SZ2R3OFZOTVBncVAyUDFyS2Jz
+            THljamdxWFVpaVdtZFpiQXV0SjdicE0KgvRRtxMKub4V0xQTDU7De+7Es7vLbHn+
+            BkIKFMqJRnFk32vcPdoXqMlKIncZ3SV0/DSo0L0A/8gKYDN5uQlKVA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-09-23T19:59:37Z"
+    mac: ENC[AES256_GCM,data:6gM7IN2Ktv/ckSLXdexX19GgbnRnQHAreRzcTdwgW0ptuW05zjW6sZXT3OBg6RyQ1Ua8d33XgNcIgz9w/mB80UsB2oudCdOTOcvxclS/oIts+4Bs0cCsEPpP57LjG68RCyRZAEetnSr7q/0urbTqWxIX8kK5nV4NaumZrfAqqN8=,iv:Swsc8oEgw/4GFBeRmbELq+VIJBxqiE1TPAvi3F+Dpng=,tag:lRKnB0v4atLreLlCg5QX0Q==,type:str]
+    pgp: []
+    unencrypted_regex: ^(apiVersion|metadata|kind|type)$
+    version: 3.9.0

infrastructure/prod/cert-manager/secret.yaml

@@ -1,8 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: cloudflare-api-token-secret
-  namespace: cert-manager
-type: Opaque
-stringData:
-  api-token: your-cloudflare-api-token

infrastructure/prod/traefik/certificate.yaml

@@ -0,0 +1,13 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: wildcard-nmsny-dev
+  namespace: traefik
+spec:
+  secretName: wildcard-nmsny-dev-tls
+  dnsNames:
+    - "example.com"
+    - "*.example.com"
+  issuerRef:
+    name: cloudflare-prod
+    kind: Issuer

infrastructure/prod/traefik/values.yaml

@@ -13,7 +13,7 @@ logs:
 ingressRoute:
   dashboard:
     enabled: true
-    matchRule: Host(`traefik.namesny.com`)
+    matchRule: Host(`traefik.example.com`)
     entryPoints: ["websecure"]
     middlewares:
       - name: "auth-authelia@kubernetescrd"
@@ -33,3 +33,7 @@ ports:
 service:
   spec:
     externalTrafficPolicy: Local
+tlsStore:
+  default:
+    defaultCertificate:
+      secretName: wildcard-nmsny-dev-tls