feat(k8s-peterg): Enable HTTPS/TLS

2025-11-10 15:33:29 +01:00 · 2025-11-10 15:33:29 +01:00 · 3116815125
commit 3116815125
parent 0a45af4610
5 changed files with 51 additions and 22 deletions
--- a/k8s-peterg/argocd/httproute.yaml
+++ b/k8s-peterg/argocd/httproute.yaml
@ -8,9 +8,9 @@ spec:
  parentRefs:
    - name: internal
      namespace: kube-system
-      sectionName: http
+      sectionName: https
  hostnames:
-    - "argocd.k8s.peterg.nl"
+    - "argocd.peterg.nl"
  rules:
    - backendRefs:
        - name: argocd-server
--- a/k8s-peterg/argocd/patches/configmap.yaml
+++ b/k8s-peterg/argocd/patches/configmap.yaml
@ -16,6 +16,7 @@ data:
        issuer: $argocd-authentik-provider:dex.authentik.issuer
        clientID: $argocd-authentik-app:dex.authentik.clientID
        clientSecret: $argocd-authentik-app:dex.authentik.clientSecret
        isecureEnableGroups: true
        scopes:
          - openid
          - profile
--- a/k8s-peterg/cilium/gateways.yaml
+++ b/k8s-peterg/cilium/gateways.yaml
@ -25,7 +25,7 @@ spec:
      tls:
        certificateRefs:
          - kind: Secret
-            name: selfsigned-cert-tls
+            name: tls-wildcard-peterg-nl
 ---
 apiVersion: gateway.networking.k8s.io/v1
 kind: Gateway
@ -52,4 +52,4 @@ spec:
      tls:
        certificateRefs:
          - kind: Secret
-            name: selfsigned-cert-tls
+            name: tls-wildcard-peterg-nl
--- a/k8s-peterg/cilium/httproute.yaml
+++ b/k8s-peterg/cilium/httproute.yaml
@ -1,19 +1,19 @@
-# ---
+---
-# apiVersion: gateway.networking.k8s.io/v1
+apiVersion: gateway.networking.k8s.io/v1
-# kind: HTTPRoute
+kind: HTTPRoute
-# metadata:
+metadata:
-#   name: http-filter-redirect
+  name: http-filter-redirect
-# spec:
+spec:
-#   parentRefs:
+  parentRefs:
-#   - name: shared
+    - name: public
-#     sectionName: http
+      sectionName: http
-#   - name: internal
+    - name: internal
-#     sectionName: http
+      sectionName: http
-#   rules:
+  rules:
-#   - filters:
+    - filters:
-#     - type: RequestRedirect
+        - type: RequestRedirect
-#       requestRedirect:
+          requestRedirect:
-#         scheme: https
+            scheme: https
 ---
 apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute
@ -24,9 +24,9 @@ spec:
  parentRefs:
    - name: internal
      namespace: kube-system
-      sectionName: http
+      sectionName: https
  hostnames:
-    - "hubble.k8s.peterg.nl"
+    - "hubble.peterg.nl"
  rules:
    - backendRefs:
        - name: hubble-ui
--- a/k8s-peterg/external-secrets-operator/clustersecrets.yaml
+++ b/k8s-peterg/external-secrets-operator/clustersecrets.yaml
@ -0,0 +1,28 @@
 ---
 apiVersion: external-secrets.io/v1
 kind: ClusterExternalSecret
 metadata:
  name: tls-wildcard-peterg-nl
 spec:
  externalSecretName: tls-wildcard-peterg-nl
  externalSecretSpec:
    secretStoreRef:
      name: 1password-wheatley 
      kind: ClusterSecretStore
    target:
      name: tls-wildcard-peterg-nl
      creationPolicy: Owner
      template:
        type: kubernetes.io/tls
        data:
          tls.crt: "{{ .crt }}"
          tls.key: "{{ .key }}"
    data:
      - secretKey: key
        remoteRef:
          key: tls-wildcard-peterg-nl
          property: key
      - secretKey: crt
        remoteRef:
          key: tls-wildcard-peterg-nl 
          property: crt