new tls wildcard

2026-05-29 21:58:34 +02:00
parent 6d874111da
commit a7106bc8f4
3 changed files with 41 additions and 1 deletions
--- a/infra/overlays/upc-dev/kustomization.yaml
+++ b/infra/overlays/upc-dev/kustomization.yaml
@@ -4,6 +4,7 @@ resources:
 - ../../base
 - vaultwarden-postgresql
 - vaultwarden
+- wildcard-tls-certificate.yaml

 # No patches needed — base already has "upc-dev" paths
 # upc-dev is the default/base cluster
--- a/infra/overlays/upc-dev/wildcard-tls-certificate.yaml
+++ b/infra/overlays/upc-dev/wildcard-tls-certificate.yaml
@@ -0,0 +1,38 @@
+---
+# Wildcard Certificate for *.forteapps.net
+# This creates a certificate that covers ALL subdomains of forteapps.net
+# Once created, you can use it for any app like:
+#   - myapp.forteapps.net
+#   - api.forteapps.net
+#   - git.forteapps.net
+#   - vaultwarden.forteapps.net
+#   - etc.
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: wildcard-forteapps-net
+  namespace: cert-manager # Can be in any namespace, cert-manager namespace is common
+spec:
+  # The secret where the TLS certificate will be stored
+  # This secret can be referenced by IngressRoutes in any namespace
+  secretName: wildcard-forteapps-net-tls
+
+  # Use the production issuer (use letsencrypt-staging for testing)
+  issuerRef:
+    name: letsencrypt-prod
+    kind: ClusterIssuer
+
+  # DNS names this certificate will cover
+  # Both wildcard AND apex domain are recommended
+  dnsNames:
+  - '*.forteapps.net' # Covers: myapp.forteapps.net, api.forteapps.net, etc.
+  - 'forteapps.net' # Also include apex domain explicitly
+  # Optional: Configure certificate duration and renewal
+  duration: 2160h0m0s # 90 days (Let's Encrypt default)
+  renewBefore: 720h0m0s # Renew 30 days before expiry
+
+  # Optional: Private key settings
+  privateKey:
+    algorithm: RSA
+    encoding: PKCS1
+    size: 4096
--- a/infra/values/base/databunker-values.yaml
+++ b/infra/values/base/databunker-values.yaml
@@ -22,7 +22,8 @@ ingress:
  # TLS configuration
  tls:
    enabled: true # Set to true to enable TLS
-    secretName: "databunker-tls" # Name of the secret containing TLS certificate
+    #    secretName: "databunker-tls" # Name of the secret containing TLS certificate
+    secretName: "wildcard-forteapps-net-tls" # Name of the secret containing TLS certificate

 # Pin PostgreSQL password — chart uses randAlphaNum without lookup,
 # so each ArgoCD sync would regenerate the password while PVC keeps the old one.