move issuer to configs

2026-02-04 04:59:54 +00:00 · 2025-12-18 06:12:31 -05:00
parent 8f4c2dc1b3
commit f1d0cbeedd
5 changed files with 28 additions and 17 deletions
--- a/infrastructure/configs/cert-manager/certificate-wildcard-cert-letsencrypt-prod.yaml
+++ b/infrastructure/configs/cert-manager/certificate-wildcard-cert-letsencrypt-prod.yaml
@@ -0,0 +1,20 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: letsencrypt-wildcard-cert-michaelthomson.dev
+  namespace: letsencrypt-wildcard-cert
+spec:
+  # secretName doesn't have to match the certificate name, but it may as well, for simplicity!
+  secretName: letsencrypt-wildcard-cert-michaelthomson.dev
+  secretTemplate:
+    annotations:
+      reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
+      reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: ""
+      reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
+      reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: ""
+  issuerRef:
+    name: letsencrypt-prod
+    kind: ClusterIssuer
+  dnsNames:
+    - "michaelthomson.dev"
+    - "*.michaelthomson.dev"
--- a/infrastructure/configs/cert-manager/cluster-issuer-letsencrypt-prod.yaml
+++ b/infrastructure/configs/cert-manager/cluster-issuer-letsencrypt-prod.yaml
@@ -0,0 +1,20 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-prod
+spec:
+  acme:
+    email: michael@michaelthomson.dev
+    server: https://acme-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      name: letsencrypt-prod
+    solvers:
+    - selector:
+        dnsZones:
+          - "michaelthomson.dev"
+      dns01:
+        cloudflare:
+          email: michael@michaelthomson.dev
+          apiKeySecretRef:
+            name: secret
+            key: cloudflare_api_key
--- a/infrastructure/configs/longhorn/ingress.yaml
+++ b/infrastructure/configs/longhorn/ingress.yaml
@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: longhorn
+  namespace: longhorn-system
+  annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.tls: "true"
+spec:
+  rules:
+  - host: longhorn.michaelthomson.dev
+    http:
+      paths:
+      - backend:
+          service:
+            name: longhorn-frontend
+            port:
+              number: 80
+        path: /
+        pathType: ImplementationSpecific
+  tls:
+  - hosts:
+    - longhorn.michaelthomson.dev
+    secretName: longhorn-tls