diff --git a/infra/overlays/upc-dev/kustomization.yaml b/infra/overlays/upc-dev/kustomization.yaml
index fac7510..92234ff 100644
--- a/infra/overlays/upc-dev/kustomization.yaml
+++ b/infra/overlays/upc-dev/kustomization.yaml
@@ -4,6 +4,7 @@ resources:
 - ../../base
 - vaultwarden-postgresql
 - vaultwarden
+- wildcard-tls-certificate.yaml
 # No patches needed — base already has "upc-dev" paths
 # upc-dev is the default/base cluster
diff --git a/infra/overlays/upc-dev/wildcard-tls-certificate.yaml b/infra/overlays/upc-dev/wildcard-tls-certificate.yaml
new file mode 100644
index 0000000..42d172a
--- /dev/null
+++ b/infra/overlays/upc-dev/wildcard-tls-certificate.yaml
@@ -0,0 +1,38 @@
+---
+# Wildcard Certificate for *.forteapps.net
+# This creates a certificate that covers ALL subdomains of forteapps.net
+# Once created, you can use it for any app like:
+# - myapp.forteapps.net
+# - api.forteapps.net
+# - git.forteapps.net
+# - vaultwarden.forteapps.net
+# - etc.
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: wildcard-forteapps-net
+ namespace: cert-manager # Can be in any namespace, cert-manager namespace is common
+spec:
+ # The secret where the TLS certificate will be stored
+ # This secret can be referenced by IngressRoutes in any namespace
+ secretName: wildcard-forteapps-net-tls
+
+ # Use the production issuer (use letsencrypt-staging for testing)
+ issuerRef:
+ name: letsencrypt-prod
+ kind: ClusterIssuer
+
+ # DNS names this certificate will cover
+ # Both wildcard AND apex domain are recommended
+ dnsNames:
+ - '*.forteapps.net' # Covers: myapp.forteapps.net, api.forteapps.net, etc.
+ - 'forteapps.net' # Also include apex domain explicitly
+ # Optional: Configure certificate duration and renewal
+ duration: 2160h0m0s # 90 days (Let's Encrypt default)
+ renewBefore: 720h0m0s # Renew 30 days before expiry
+
+ # Optional: Private key settings
+ privateKey:
+ algorithm: RSA
+ encoding: PKCS1
+ size: 4096
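Review bot: The comment `# This secret can be referenced by IngressRoutes in any namespace` on the new Certificate is wrong and hides a real problem: the Secret `wildcard-forteapps-net-tls` is created only in the Certificate's own namespace (`namespace: cert-manager`), a Kubernetes Secret is namespaced, and an Ingress/IngressRoute can only reference a Secret in its own namespace, so the databunker values hunk in this same commit, which points at that name from what appears to be a different namespace (not visible here), will find no such Secret unless the Certificate is also created there or the Secret is copied. Prefer issuing a Certificate in each consuming namespace, or, if the intent is one default certificate for the ingress controller, issue it into the controller's namespace and configure it as the default there; copying the wildcard private key into many namespaces means any secret-read access in any of them can impersonate every `*.forteapps.net` host, so keep the key in as few namespaces as possible and tighten RBAC on those. The wildcard entry in `dnsNames` can only be validated by DNS-01, so `letsencrypt-prod` (not shown) must carry a DNS-01 solver or issuance will fail. Consider adding `rotationPolicy: Always` under `privateKey` so the RSA key is regenerated at each renewal rather than reused for the lifetime of the Secret, if the installed cert-manager still defaults to `Never`.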
diff --git a/infra/values/base/databunker-values.yaml b/infra/values/base/databunker-values.yaml
index c79a2f7..3591d53 100644
--- a/infra/values/base/databunker-values.yaml
+++ b/infra/values/base/databunker-values.yaml
@@ -22,7 +22,8 @@ ingress:
 # TLS configuration
 tls:
 enabled: true # Set to true to enable TLS
- secretName: "databunker-tls" # Name of the secret containing TLS certificate
+ # secretName: "databunker-tls" # Name of the secret containing TLS certificate
+ secretName: "wildcard-forteapps-net-tls" # Name of the secret containing TLS certificate
 # Pin PostgreSQL password — chart uses randAlphaNum without lookup,
 # so each ArgoCD sync would regenerate the password while PVC keeps the old one.
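Review bot: The previous value is kept as a commented-out line, `# secretName: "databunker-tls" # Name of the secret containing TLS certificate`, directly above its replacement; the file is under version control, so the old value is already in history and the dead line should be dropped, leaving only the active `secretName`. The trailing comment on the new line repeats what the key already says; a more useful one records where the Secret comes from, e.g. `secretName: "wildcard-forteapps-net-tls"  # issued by the wildcard-forteapps-net Certificate in infra/overlays/upc-dev`, so the next reader knows which object must exist in this namespace before TLS works.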