From 3116815125407b08546d37c63479b5851bdfee5b Mon Sep 17 00:00:00 2001
From: pgijsbertsen <117165507+pgijsbertsen@users.noreply.github.com>
Date: Mon, 10 Nov 2025 15:33:29 +0100
Subject: [PATCH] feat(k8s-peterg): Enable HTTPS/TLS
---
 k8s-peterg/argocd/httproute.yaml | 4 +--
 k8s-peterg/argocd/patches/configmap.yaml | 1 +
 k8s-peterg/cilium/gateways.yaml | 4 +--
 k8s-peterg/cilium/httproute.yaml | 36 +++++++++----------
 .../clustersecrets.yaml | 28 +++++++++++++++
 5 files changed, 51 insertions(+), 22 deletions(-)
 create mode 100644 k8s-peterg/external-secrets-operator/clustersecrets.yaml
diff --git a/k8s-peterg/argocd/httproute.yaml b/k8s-peterg/argocd/httproute.yaml
index 6609743..98a6820 100644
--- a/k8s-peterg/argocd/httproute.yaml
+++ b/k8s-peterg/argocd/httproute.yaml
@@ -8,9 +8,9 @@ spec:
 parentRefs:
 - name: internal
 namespace: kube-system
- sectionName: http
+ sectionName: https
 hostnames:
- - "argocd.k8s.peterg.nl"
+ - "argocd.peterg.nl"
 rules:
 - backendRefs:
 - name: argocd-server
diff --git a/k8s-peterg/argocd/patches/configmap.yaml b/k8s-peterg/argocd/patches/configmap.yaml
index c2a345a..61ead9d 100644
--- a/k8s-peterg/argocd/patches/configmap.yaml
+++ b/k8s-peterg/argocd/patches/configmap.yaml
@@ -16,6 +16,7 @@ data:
 issuer: $argocd-authentik-provider:dex.authentik.issuer
 clientID: $argocd-authentik-app:dex.authentik.clientID
 clientSecret: $argocd-authentik-app:dex.authentik.clientSecret
+ isecureEnableGroups: true
 scopes:
 - openid
 - profile
diff --git a/k8s-peterg/cilium/gateways.yaml b/k8s-peterg/cilium/gateways.yaml
index 61eb002..72e55a8 100644
--- a/k8s-peterg/cilium/gateways.yaml
+++ b/k8s-peterg/cilium/gateways.yaml
@@ -25,7 +25,7 @@ spec:
 tls:
 certificateRefs:
 - kind: Secret
- name: selfsigned-cert-tls
+ name: tls-wildcard-peterg-nl
 ---
 apiVersion: gateway.networking.k8s.io/v1
 kind: Gateway
@@ -52,4 +52,4 @@ spec:
 tls:
 certificateRefs:
 - kind: Secret
- name: selfsigned-cert-tls
+ name: tls-wildcard-peterg-nl
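Review bot: The hostname on the `+    - "argocd.peterg.nl"` line replaces argocd.k8s.peterg.nl, but nothing in this patch updates the places that embed the old host, which for Argo CD would at least be the `url:` entry in argocd-cm and the redirect URI registered on the Authentik provider that the dex connector in patches/configmap.yaml points at. If either still carries the old name, the OIDC login flow will bounce users to a host this route no longer serves. Worth confirming both were changed outside this commit, or adding the argocd-cm `url` change alongside this hunk. The HTTPRoute's `metadata` and the start of `spec` lie outside the hunk.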
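Review bot: The added `isecureEnableGroups: true` in the dex connector config appears to be a misspelling of Dex's OIDC connector option `insecureEnableGroups`; as far as I know Dex ignores unrecognised connector keys rather than rejecting them, so the setting would silently do nothing and no groups claim would reach Argo CD's RBAC. Change the line to `insecureEnableGroups: true`. Since the "insecure" prefix is easy to misread, a short comment stating why it is acceptable here would help, e.g. `# groups are taken from the ID token and only refreshed with it; stale membership accepted`, if I recall the Dex documentation of that option correctly. The enclosing dex.config block starts before the hunk.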
diff --git a/k8s-peterg/cilium/httproute.yaml b/k8s-peterg/cilium/httproute.yaml
index d93c08e..6795784 100644
--- a/k8s-peterg/cilium/httproute.yaml
+++ b/k8s-peterg/cilium/httproute.yaml
@@ -1,19 +1,19 @@
-# ---
-# apiVersion: gateway.networking.k8s.io/v1
-# kind: HTTPRoute
-# metadata:
-# name: http-filter-redirect
-# spec:
-# parentRefs:
-# - name: shared
-# sectionName: http
-# - name: internal
-# sectionName: http
-# rules:
-# - filters:
-# - type: RequestRedirect
-# requestRedirect:
-# scheme: https
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: http-filter-redirect
+spec:
+ parentRefs:
+ - name: public
+ sectionName: http
+ - name: internal
+ sectionName: http
+ rules:
+ - filters:
+ - type: RequestRedirect
+ requestRedirect:
+ scheme: https
 ---
 apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute
@@ -24,9 +24,9 @@ spec:
 parentRefs:
 - name: internal
 namespace: kube-system
- sectionName: http
+ sectionName: https
 hostnames:
- - "hubble.k8s.peterg.nl"
+ - "hubble.peterg.nl"
 rules:
 - backendRefs:
 - name: hubble-ui
diff --git a/k8s-peterg/external-secrets-operator/clustersecrets.yaml b/k8s-peterg/external-secrets-operator/clustersecrets.yaml
new file mode 100644
index 0000000..31537ae
--- /dev/null
+++ b/k8s-peterg/external-secrets-operator/clustersecrets.yaml
@@ -0,0 +1,28 @@
+---
+apiVersion: external-secrets.io/v1
+kind: ClusterExternalSecret
+metadata:
+ name: tls-wildcard-peterg-nl
+spec:
+ externalSecretName: tls-wildcard-peterg-nl
+ externalSecretSpec:
+ secretStoreRef:
+ name: 1password-wheatley
+ kind: ClusterSecretStore
+ target:
+ name: tls-wildcard-peterg-nl
+ creationPolicy: Owner
+ template:
+ type: kubernetes.io/tls
+ data:
+ tls.crt: "{{ .crt }}"
+ tls.key: "{{ .key }}"
+ data:
+ - secretKey: key
+ remoteRef:
+ key: tls-wildcard-peterg-nl
+ property: key
+ - secretKey: crt
+ remoteRef:
+ key: tls-wildcard-peterg-nl
+ property: crt
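Review bot: The parentRefs of the new http-filter-redirect route (`- name: public` and `- name: internal`) carry no `namespace:`, whereas the hubble route in the second hunk of this file attaches to the same `internal` gateway with `namespace: kube-system`. Unless this file is applied into kube-system, the redirect route will not attach and plain-HTTP requests stay unredirected while the hostname-specific routes only listen on https; adding `namespace: kube-system` to both parentRefs (with a ReferenceGrant if the route lives in another namespace) makes the attachment explicit. The first parentRef was also renamed from the commented-out `shared` to `public`, so the Gateway of that name must exist in gateways.yaml, which this patch does not show. Finally, `requestRedirect` sets no `statusCode`, so the Gateway API default 302 applies; a permanent scheme upgrade is usually published as `statusCode: 301` so clients cache it.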
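Review bot: The ClusterExternalSecret names no target namespaces (no `namespaceSelector`, `namespaceSelectors` or `namespaces`), so where the wildcard private key lands is left to external-secrets' defaulting, which across releases has meant either no namespace at all (the Secret is never created and the listeners referencing `tls-wildcard-peterg-nl` in gateways.yaml stay unready) or every namespace (the `tls.key` for the wildcard domain is copied cluster-wide, readable by anything with Secret access in any namespace). The Gateways that consume it appear to live in kube-system, judging by the `namespace: kube-system` parentRefs elsewhere in this patch, so scope it explicitly, e.g. `namespaces: [kube-system]`, so the key exists only where the listener needs it. A short comment on the `template:` block saying that `crt`/`key` are the two properties of the 1Password item would also help the next reader, since the property names are the only contract with the store.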