update TLS config on ingresses

2025-09-21 08:53:07 -04:00
parent 373b3fad7d
commit 3060d7fbb5
10 changed files with 29 additions and 10 deletions
--- a/ansible-5/roles/prod.k3s/defaults/main.yml
+++ b/ansible-5/roles/prod.k3s/defaults/main.yml
@@ -45,7 +45,7 @@ apps:
    enabled: true

  stash:
-    enabled: true
+    enabled: false
    state: present
    namespace: stashapp

@@ -93,7 +93,7 @@ apps:
    state: absent

  funkwhale:
-    enabled: false
+    enabled: true
    namespace: funkwhale
    state: present

--- a/ansible-5/roles/prod.k3s/files/cert-manager/certificate.xai-corp.stg.yaml
+++ b/ansible-5/roles/prod.k3s/files/cert-manager/certificate.xai-corp.stg.yaml
@@ -14,10 +14,11 @@ spec:
  dnsNames:
    - xai-corp.net
    - www.xai-corp.net
-    - sql.xai-corp.net
+
  acme:
    config:
      - http01:
          ingressClass: traefik
        domains:
          - xai-corp.net
+          - www.xai-corp.net
--- a/ansible-5/roles/prod.k3s/files/funkwhale/values.yaml
+++ b/ansible-5/roles/prod.k3s/files/funkwhale/values.yaml
@@ -14,6 +14,8 @@ ingress:
  #  protocol: https
  tls: # < placing a host in the TLS config will determine what ends up in the cert's subjectAltNames
    - secretName: xai-corp-production-tls
+      hosts:
+        - funkwhale.xai-corp.net

 replicaCount: 1

--- a/ansible-5/roles/prod.k3s/files/gitea/values.yaml
+++ b/ansible-5/roles/prod.k3s/files/gitea/values.yaml
@@ -13,19 +13,23 @@ image:
  registry: ""
  repository: gitea/gitea
  # Overrides the image tag whose default is the chart appVersion.
-#  tag: "1.22.0"
+  tag: "1.24"
  pullPolicy: Always
  rootless: true # only possible when running 1.14 or later

 ingress:
  enabled: true
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-production
  hosts:
    - host: git.xai-corp.net
      paths:
        - path: /
          pathType: Prefix
  tls: # < placing a host in the TLS config will determine what ends up in the cert's subjectAltNames
-    - secretName: xai-corp-production-tls
+    - secretName: xai-corp-production-tls-funkwhale
+      hosts:
+        - git.xai-corp.net

 persistence:
  enabled: true
--- a/ansible-5/roles/prod.k3s/files/nextcloud/values.yaml
+++ b/ansible-5/roles/prod.k3s/files/nextcloud/values.yaml
@@ -3,7 +3,7 @@

 image:
  repository: nextcloud
-  tag: "29.0.6" #https://hub.docker.com/_/nextcloud/tags?page=1&name=28.
+  tag: "30.0.15" #https://hub.docker.com/_/nextcloud/tags?page=1&name=28.
  flavor: apache
 #  pullSecrets: regcred

@@ -14,9 +14,12 @@ ingress:
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
    traefik.ingress.kubernetes.io/custom-response-headers: "Access-Control-Allow-Origin:*||Access-Control-Allow-Methods:GET,POST,OPTIONS||Access-Control-Allow-Headers:DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range||Access-Control-Expose-Headers:Content-Length,Content-Range"
+    cert-manager.io/cluster-issuer: letsencrypt-production

  tls: # < placing a host in the TLS config will determine what ends up in the cert's subjectAltNames
-    - secretName: xai-corp-production-tls
+    - secretName: xai-corp-production-tls-xaibox
+      hosts:
+        - xaibox.xai-corp.net

 nextcloud:
 #  image: xaicorp/nextcloud
--- a/ansible-5/roles/prod.k3s/files/stash/proxy-values.yaml
+++ b/ansible-5/roles/prod.k3s/files/stash/proxy-values.yaml
@@ -33,6 +33,8 @@ ingress:
  # Warning! The configuration is dependant on your current k8s API version capabilities (networking.k8s.io/v1)
  tls: # < placing a host in the TLS config will determine what ends up in the cert's subjectAltNames
    - secretName: xai-corp-production-tls
+      hosts:
+        - stash.xai-corp.net
  annotations:
    ingress.kubernetes.io/force-hsts: "true"
    ingress.kubernetes.io/hsts-max-age: "315360000"
--- a/ansible-5/roles/prod.k3s/files/stash/values.yaml
+++ b/ansible-5/roles/prod.k3s/files/stash/values.yaml
@@ -9,10 +9,13 @@ image:

 ingress:
  main:
-    enabled: false
+    enabled: true
    hosts:
      - host: stash.xai-corp.net
        paths:
          - path: /
    tls: # < placing a host in the TLS config will determine what ends up in the cert's subjectAltNames
      - secretName: xai-corp-production-tls
+        hosts:
+          - stash.xai-corp.net
+
--- a/ansible-5/roles/prod.k3s/tasks/deployments/cert_manager.yml
+++ b/ansible-5/roles/prod.k3s/tasks/deployments/cert_manager.yml
@@ -5,7 +5,8 @@
    kubeconfig_path: "/etc/rancher/k3s/k3s.yaml"
    atomic: true
    name: cert-manager
-    chart_ref: jetstack/cert-manager
+    chart_ref: oci://quay.io/jetstack/charts/cert-manager
+    chart_version: "v1.18.2"
    release_namespace: cert-manager
    create_namespace: true
    release_values:
--- a/ansible-5/roles/prod.k3s/tasks/main.yml
+++ b/ansible-5/roles/prod.k3s/tasks/main.yml
@@ -12,7 +12,7 @@
  when: apps.hello_world.enabled

 - name: deploy cert_manager
-  include_tasks: cert_manager.yml
+  include_tasks: deployments/cert_manager.yml
  when: apps.cert_manager.enabled

 - name: deploy stash