studio/sbbb
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
efe574f48eadd86344c2ea24c637b233ca85ca09
sbbb/overlays/production/cert-manager.yaml
Sienna Meridian Satterwhite fcb80f1f37 feat(devtools): deploy Penpot + MCP server, wildcard TLS via DNS-01 
Penpot (designer.sunbeam.pt):
- Frontend/backend/exporter deployments with OIDC-only auth via Hydra
- VSO-managed DB, S3, and app secrets from OpenBao
- PostgreSQL user/db in CNPG postInitSQL
- Hydra Maester enabledNamespaces extended to devtools

Penpot MCP server (mcp-designer.sunbeam.pt):
- Pre-built Node.js image pushed to Gitea registry
- Auth-gated via Pingora auth_request → Hydra /userinfo
- WebSocket path for browser plugin connection

Wildcard TLS:
- Switched cert-manager from HTTP-01 (per-SAN) to DNS-01 via Scaleway webhook
- Certificate collapsed to *.sunbeam.pt + sunbeam.pt
- Added scaleway-certmanager-webhook Helm chart
- VSO secret for Scaleway DNS API credentials in cert-manager namespace
- Added cert-manager to OpenBao VSO auth role
2026-04-04 12:53:27 +01:00

70 lines
1.9 KiB
YAML
Raw Blame History

# cert-manager issuers and wildcard certificate for production TLS.
#
# Uses DNS-01 via Scaleway DNS webhook for wildcard support.
# No more per-subdomain SANs — *.DOMAIN_SUFFIX covers everything.
#
# ACME_EMAIL is substituted by sunbeam apply.
---
# Let's Encrypt staging — untrusted cert but no rate limits. Use for initial setup.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-staging
spec:
acme:
server: https://acme-staging-v02.api.letsencrypt.org/directory
email: ACME_EMAIL
privateKeySecretRef:
name: letsencrypt-staging-account-key
solvers:
- dns01:
webhook:
groupName: acme.scaleway.com
solverName: scaleway
config:
accessKeySecretRef:
key: SCW_ACCESS_KEY
name: scaleway-secret
secretKeySecretRef:
key: SCW_SECRET_KEY
name: scaleway-secret
---
# Let's Encrypt production — trusted cert, strict rate limits.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-production
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: ACME_EMAIL
privateKeySecretRef:
name: letsencrypt-production-account-key
solvers:
- dns01:
webhook:
groupName: acme.scaleway.com
solverName: scaleway
config:
accessKeySecretRef:
key: SCW_ACCESS_KEY
name: scaleway-secret
secretKeySecretRef:
key: SCW_SECRET_KEY
name: scaleway-secret
---
# Wildcard certificate covering all subdomains.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: pingora-tls
namespace: ingress
spec:
secretName: pingora-tls
issuerRef:
name: letsencrypt-production
kind: ClusterIssuer
dnsNames:
- DOMAIN_SUFFIX
- "*.DOMAIN_SUFFIX"
Reference in New Issue View Git Blame Copy Permalink