chore: cert-manager TLS, cleanup

2026-01-27 10:18:27 +00:00 · 2024-02-08 20:53:17 +08:00
parent 1181399b36
commit dadb807453
15 changed files with 75 additions and 18 deletions
--- a/.rtx.toml
+++ b/.rtx.toml
@@ -9,7 +9,7 @@ KUBECTL_COMMAND_HEADERS = "true"
 # kubectx = [""]
 # kustomize = [""]
 # kubecolor = [""]
-flux2 = ["2.1.2"]
+flux2 = ["2.2.3"]
 talosctl = ["1.5.4", "1.3.6"]
 talhelper = ["1.16.2"]
 cilium-cli= ["0.15.14"]
--- a/archive/kube/deploy/apps/livestream/deps/tls.yaml
+++ b/archive/kube/deploy/apps/livestream/deps/tls.yaml
@@ -1,4 +1,5 @@
 ---
+# yaml-language-server: $schema=https://crds.jank.ing/cert-manager.io/certificate_v1.json
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
--- a/kube/deploy/apps/authentik/app/tls.yaml
+++ b/kube/deploy/apps/authentik/app/tls.yaml
@@ -1,4 +1,5 @@
 ---
+# yaml-language-server: $schema=https://crds.jank.ing/cert-manager.io/certificate_v1.json
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
@@ -15,5 +16,5 @@ spec:
  commonName: ${DNS_MAIN}
  dnsNames:
    - ${DNS_MAIN}
-    - '*.${DNS_MAIN}'
-    - '*.tinfoil.${DNS_MAIN}'
+    - "*.${DNS_MAIN}"
+    - "*.tinfoil.${DNS_MAIN}"
--- a/kube/deploy/apps/default/deps/tls.yaml
+++ b/kube/deploy/apps/default/deps/tls.yaml
@@ -1,4 +1,5 @@
 ---
+# yaml-language-server: $schema=https://crds.jank.ing/cert-manager.io/certificate_v1.json
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
@@ -15,5 +16,5 @@ spec:
  commonName: ${DNS_MAIN}
  dnsNames:
    - ${DNS_MAIN}
-    - '*.${DNS_MAIN}'
-    - '*.default.${DNS_MAIN}'
+    - "*.${DNS_MAIN}"
+    - "*.default.${DNS_MAIN}"
--- a/kube/deploy/apps/gotosocial/app/tls.yaml
+++ b/kube/deploy/apps/gotosocial/app/tls.yaml
@@ -1,4 +1,5 @@
 ---
+# yaml-language-server: $schema=https://crds.jank.ing/cert-manager.io/certificate_v1.json
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
--- a/kube/deploy/apps/headscale/app/tls.yaml
+++ b/kube/deploy/apps/headscale/app/tls.yaml
@@ -1,4 +1,5 @@
 ---
+# yaml-language-server: $schema=https://crds.jank.ing/cert-manager.io/certificate_v1.json
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
--- a/kube/deploy/apps/kah/deps/tls.yaml
+++ b/kube/deploy/apps/kah/deps/tls.yaml
@@ -1,4 +1,5 @@
 ---
+# yaml-language-server: $schema=https://crds.jank.ing/cert-manager.io/certificate_v1.json
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
@@ -14,4 +15,4 @@ spec:
    name: letsencrypt-production
    kind: ClusterIssuer
  dnsNames:
-    - '*.${DNS_KAH}'
+    - "*.${DNS_KAH}"
--- a/kube/deploy/apps/kanidm/deps/tls.yaml
+++ b/kube/deploy/apps/kanidm/deps/tls.yaml
@@ -1,4 +1,5 @@
 ---
+# yaml-language-server: $schema=https://crds.jank.ing/cert-manager.io/certificate_v1.json
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
@@ -15,5 +16,5 @@ spec:
  commonName: ${DNS_SHORT}
  dnsNames:
    - ${DNS_SHORT}
-    - '*.${DNS_SHORT}'
-    - '*.damn.${DNS_SHORT}'
+    - "*.${DNS_SHORT}"
+    - "*.damn.${DNS_SHORT}"
--- a/kube/deploy/core/ingress/_deps/certs.yaml
+++ b/kube/deploy/core/ingress/_deps/certs.yaml
@@ -1,4 +1,5 @@
 ---
+# yaml-language-server: $schema=https://crds.jank.ing/cert-manager.io/certificate_v1.json
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
@@ -6,6 +7,10 @@ metadata:
  namespace: ingress
 spec:
  secretName: "short-domain-tls"
+  secretTemplate:
+    annotations:
+      reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
+      reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
  additionalOutputFormats:
    - type: CombinedPEM
    - type: DER
@@ -21,6 +26,7 @@ spec:
    - "${DNS_SHORT}"
    - "*.${DNS_SHORT}"
 ---
+# yaml-language-server: $schema=https://crds.jank.ing/cert-manager.io/certificate_v1.json
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
@@ -28,6 +34,10 @@ metadata:
  namespace: ingress
 spec:
  secretName: "long-domain-tls"
+  secretTemplate:
+    annotations:
+      reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
+      reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
  additionalOutputFormats:
    - type: CombinedPEM
    - type: DER
@@ -43,6 +53,7 @@ spec:
    - "${DNS_MAIN}"
    - "*.${DNS_MAIN}"
 ---
+# yaml-language-server: $schema=https://crds.jank.ing/cert-manager.io/certificate_v1.json
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
@@ -50,6 +61,10 @@ metadata:
  namespace: ingress
 spec:
  secretName: "vpn-tls"
+  secretTemplate:
+    annotations:
+      reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
+      reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
  additionalOutputFormats:
    - type: CombinedPEM
    - type: DER
@@ -64,6 +79,7 @@ spec:
    - "${DNS_VPN}"
    - "*.${DNS_VPN}"
 ---
+# yaml-language-server: $schema=https://crds.jank.ing/cert-manager.io/certificate_v1.json
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
@@ -71,6 +87,10 @@ metadata:
  namespace: ingress
 spec:
  secretName: "stream-tls"
+  secretTemplate:
+    annotations:
+      reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
+      reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
  additionalOutputFormats:
    - type: CombinedPEM
    - type: DER
@@ -85,6 +105,7 @@ spec:
    - "${DNS_STREAM}"
    - "*.${DNS_STREAM}"
 ---
+# yaml-language-server: $schema=https://crds.jank.ing/cert-manager.io/certificate_v1.json
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
@@ -92,6 +113,10 @@ metadata:
  namespace: ingress
 spec:
  secretName: "me-tls"
+  secretTemplate:
+    annotations:
+      reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
+      reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
  additionalOutputFormats:
    - type: CombinedPEM
    - type: DER
@@ -106,6 +131,7 @@ spec:
    - "${DNS_ME}"
    - "*.${DNS_ME}"
 ---
+# yaml-language-server: $schema=https://crds.jank.ing/cert-manager.io/certificate_v1.json
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
@@ -113,6 +139,10 @@ metadata:
  namespace: ingress
 spec:
  secretName: "home-tls"
+  secretTemplate:
+    annotations:
+      reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
+      reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
  additionalOutputFormats:
    - type: CombinedPEM
    - type: DER
@@ -125,4 +155,4 @@ spec:
    rotationPolicy: Always
  dnsNames:
    - "${DNS_HOME}"
-    - "*.${DNS_HOME}"
+    - "*.${DNS_HOME}"
--- a/kube/deploy/core/secrets/onepassword-connect/app/tls.yaml
+++ b/kube/deploy/core/secrets/onepassword-connect/app/tls.yaml
@@ -1,4 +1,5 @@
 ---
+# yaml-language-server: $schema=https://crds.jank.ing/cert-manager.io/certificate_v1.json
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
--- a/kube/repos/flux/helm/app-template/helmrepo.yaml
+++ b/kube/repos/flux/helm/app-template/helmrepo.yaml
--- a/kube/repos/flux/helm/emberstack.yaml
+++ b/kube/repos/flux/helm/emberstack.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: emberstack-charts
+  namespace: flux-system
+spec:
+  interval: 1h
+  timeout: 3m0s
+  url: https://emberstack.github.io/helm-charts/
--- a/kube/repos/flux/helm/stakater/helmrepo.yaml
+++ b/kube/repos/flux/helm/stakater/helmrepo.yaml
--- a/kube/templates/test/app/es.yaml
+++ b/kube/templates/test/app/es.yaml
@@ -0,0 +1,18 @@
+---
+# yaml-language-server: $schema=https://crds.jank.ing/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: &name ${APPNAME}-secrets
+  namespace: ${APPNAME}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: 1p
+  dataFrom:
+    - extract:
+        key: "${APPNAME} (${CLUSTER_NAME})"
+  target:
+    creationPolicy: Owner
+    deletionPolicy: Retain
+    name: *name
--- a/kube/templates/test/app/secrets.yaml
+++ b/kube/templates/test/app/secrets.yaml
@@ -1,9 +0,0 @@
---
-apiVersion: v1
-kind: Secret
-metadata:
-  name: "${APPNAME}-secrets"
-  namespace: "${APPNAME}"
-type: Opaque
-stringData:
-