feat(gitops): switch postgresql tls to acme issuers
parent
e37a029c67
commit
dffcda8063
@ -9,6 +9,6 @@ spec:
dnsNames:
- postgresql-prod.svc.plus
issuerRef:
name: svc-plus-selfsigned
name: svc-plus-acme-http01
kind: ClusterIssuer
group: cert-manager.io
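Review bot: the issuerRef swap from `svc-plus-selfsigned` to `svc-plus-acme-http01` changes who signs `postgresql-prod.svc.plus`, so any client or `stunnel` configuration that trusted the old self-signed certificate (a pinned `CAfile` or `verify` setting) must move to the public Let's Encrypt chain in the same rollout, or connections will fail verification once cert-manager replaces the Secret. Before merging, also confirm that port 80 on the `caddy` ingress for `postgresql-prod.svc.plus` is reachable from the internet; if it is not, the HTTP-01 order stays pending and the Certificate is never issued or renewed.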
@ -24,5 +24,9 @@ expected Vault keys from local environment variables or existing K8s Secrets.
The ingress domain is `postgresql-prod.svc.plus` for this prod cluster. TLS for
`postgresql-tls` is now owned directly by cert-manager in both the `platform`
and `database` namespaces, so `stunnel-server` can mount the database-local
Secret without any cross-namespace sync job. Do not commit the secret values to
Git.
Secret without any cross-namespace sync job.
Default certificate issuance uses ACME HTTP-01 through the `caddy` ingress
class. A DNS-01 Cloudflare issuer is predeclared for future wildcard and
additional subdomain certificates, and `selfSigned` remains available for
internal temporary or fallback use.
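Review bot: the README hunk carries the sentence fragment `Secret without any cross-namespace sync job.` on its own line right after `Git.`, duplicating the clause that already closes the preceding sentence; if that line is a leftover from the old paragraph rather than a removed line whose marker the rendering lost, drop it so the paragraph reads once. The text should also spell out two operational consequences of having `postgresql-tls` owned by cert-manager in both the `platform` and `database` namespaces: each Certificate places its own ACME order for the same name, and identical-name issuances count against Let's Encrypt's duplicate-certificate rate limit (5 per week); and the `cloudflare-api-token` Secret for the DNS-01 issuer has to be created out of band, which the "Do not commit the secret values to Git" sentence implies but does not say.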
@ -4,3 +4,35 @@ metadata:
name: svc-plus-selfsigned
spec:
selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: svc-plus-acme-http01
spec:
acme:
email: manbuzhe2009@qq.com
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: svc-plus-acme-http01-account-key
solvers:
- http01:
ingress:
ingressClassName: caddy
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: svc-plus-acme-dns01-cloudflare
spec:
acme:
email: manbuzhe2009@qq.com
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: svc-plus-acme-dns01-cloudflare-account-key
solvers:
- dns01:
cloudflare:
apiTokenSecretRef:
name: cloudflare-api-token
key: api-token
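Review bot: the `svc-plus-acme-dns01-cloudflare` issuer points `apiTokenSecretRef` at `cloudflare-api-token`, but nothing in the hunk says where that Secret must live; because these are ClusterIssuers, cert-manager resolves the reference in its own namespace (the cluster resource namespace, `cert-manager` by default), so add a comment above the issuer or a README line stating that, and scope the Cloudflare token to DNS edit on the single zone rather than an account-wide token. Two smaller points: neither ACME issuer has a Let's Encrypt staging counterpart, so solver changes can only be tested against the production endpoint and its rate limits, and the ACME account email `manbuzhe2009@qq.com` is a personal mailbox repeated in both issuers; a role address keeps expiry notices reaching someone after staff changes.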
@ -9,6 +9,6 @@ spec:
dnsNames:
- postgresql-prod.svc.plus
issuerRef:
name: svc-plus-selfsigned
name: svc-plus-acme-http01
kind: ClusterIssuer
group: cert-manager.io
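Review bot: this is the second Certificate for the same dnsName `postgresql-prod.svc.plus` moved to `svc-plus-acme-http01` (the first hunk shows the other one), and each of the two will create its own HTTP-01 challenge Ingress for that host in its own namespace; check that the `caddy` ingress class serves the `/.well-known/acme-challenge/` path for the host correctly when two namespaces claim it, since a challenge routed to the wrong namespace's solver pod fails validation for that order. Both issuances also count against the same duplicate-certificate limit, which is worth a line in the README alongside the "no cross-namespace sync job" statement.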