Sienna Meridian Satterwhite
cdddc334ff
Ingress: - Deploy custom sunbeam-proxy (Pingora/Rust) replacing nginx placeholder - HTTPS termination with mkcert (local) / rustls-acme (production) - Host-prefix routing with path-based sub-routing for auth virtual host: /oauth2 + /.well-known + /userinfo → Hydra, /kratos → Kratos (prefix stripped), default → login-ui - HTTP→HTTPS redirect, WebSocket passthrough, JSON audit logging, OTEL stub - cert-manager HTTP-01 ACME challenge routing via Ingress watcher - RBAC for Ingress watcher (pingora-watcher ClusterRole) - local overlay: hostPorts 80/443, LiveKit TURN demoted to ClusterIP to avoid klipper conflict Infrastructure: - socket_vmnet shared network for host↔VM reachability (192.168.105.2) - local-up.sh: cert-manager installation, eth1-based LIMA_IP detection, correct DOMAIN_SUFFIX sed substitution - Postfix MTA in lasuite namespace: outbound relay via Scaleway TEM, accepts SMTP from cluster pods - Kratos SMTP courier pointed at postfix.lasuite.svc.cluster.local:25 - Production overlay: cert-manager ClusterIssuer, ACME-enabled Pingora values
59 lines
2.1 KiB
YAML
59 lines
2.1 KiB
YAML
# cert-manager resources for production TLS.
|
|
#
|
|
# Prerequisites:
|
|
# cert-manager must be installed in the cluster before applying this overlay:
|
|
# kubectl apply -f https://github.com/cert-manager/cert-manager/releases/latest/download/cert-manager.yaml
|
|
#
|
|
# DOMAIN_SUFFIX and ACME_EMAIL are substituted by sed at deploy time.
|
|
# See overlays/production/kustomization.yaml for the deploy command.
|
|
---
|
|
# ClusterIssuer: Let's Encrypt production via HTTP-01 challenge.
|
|
#
|
|
# cert-manager creates one Ingress per challenged domain. The pingora proxy
|
|
# watches these Ingresses and routes /.well-known/acme-challenge/<token>
|
|
# requests to the per-domain solver Service, so multi-SAN certificates are
|
|
# issued correctly even when all domain challenges run in parallel.
|
|
apiVersion: cert-manager.io/v1
|
|
kind: ClusterIssuer
|
|
metadata:
|
|
name: letsencrypt-production
|
|
spec:
|
|
acme:
|
|
server: https://acme-v02.api.letsencrypt.org/directory
|
|
email: ACME_EMAIL
|
|
privateKeySecretRef:
|
|
name: letsencrypt-production-account-key
|
|
solvers:
|
|
- http01:
|
|
ingress:
|
|
# ingressClassName is intentionally blank: cert-manager still creates
|
|
# the Ingress object (which the proxy watches), but no ingress
|
|
# controller needs to act on it — the proxy handles routing itself.
|
|
ingressClassName: ""
|
|
---
|
|
# Certificate: single multi-SAN cert covering all proxy subdomains.
|
|
# cert-manager issues it via HTTP-01, stores it in pingora-tls Secret, and
|
|
# renews it automatically ~30 days before expiry. The watcher in sunbeam-proxy
|
|
# detects the Secret update and triggers a graceful upgrade so the new cert is
|
|
# loaded without dropping any connections.
|
|
apiVersion: cert-manager.io/v1
|
|
kind: Certificate
|
|
metadata:
|
|
name: pingora-tls
|
|
namespace: ingress
|
|
spec:
|
|
secretName: pingora-tls
|
|
issuerRef:
|
|
name: letsencrypt-production
|
|
kind: ClusterIssuer
|
|
dnsNames:
|
|
- docs.DOMAIN_SUFFIX
|
|
- meet.DOMAIN_SUFFIX
|
|
- drive.DOMAIN_SUFFIX
|
|
- mail.DOMAIN_SUFFIX
|
|
- chat.DOMAIN_SUFFIX
|
|
- people.DOMAIN_SUFFIX
|
|
- src.DOMAIN_SUFFIX
|
|
- auth.DOMAIN_SUFFIX
|
|
- s3.DOMAIN_SUFFIX
|