ai-workspace-infra/gitops
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(gitops): switch postgresql tls to acme issuers

Browse Source
This commit is contained in:
Haitao Pan 2026-04-04 10:38:10 +08:00
parent e37a029c67
commit dffcda8063
4 changed files with 40 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
services/database/postgresql-tls/certificate.yaml
View File

@ -9,6 +9,6 @@ spec:
dnsNames: dnsNames:
- postgresql-prod.svc.plus - postgresql-prod.svc.plus
issuerRef: issuerRef:
name: svc-plus-selfsigned name: svc-plus-acme-http01
kind: ClusterIssuer kind: ClusterIssuer
group: cert-manager.io group: cert-manager.io

8
services/database/postgresql/README.md
View File

@ -24,5 +24,9 @@ expected Vault keys from local environment variables or existing K8s Secrets.
The ingress domain is `postgresql-prod.svc.plus` for this prod cluster. TLS for The ingress domain is `postgresql-prod.svc.plus` for this prod cluster. TLS for
`postgresql-tls` is now owned directly by cert-manager in both the `platform` `postgresql-tls` is now owned directly by cert-manager in both the `platform`
and `database` namespaces, so `stunnel-server` can mount the database-local and `database` namespaces, so `stunnel-server` can mount the database-local
Secret without any cross-namespace sync job. Do not commit the secret values to Secret without any cross-namespace sync job.
Git.
Default certificate issuance uses ACME HTTP-01 through the `caddy` ingress
class. A DNS-01 Cloudflare issuer is predeclared for future wildcard and
additional subdomain certificates, and `selfSigned` remains available for
internal temporary or fallback use.

32
services/platform/cert-manager/clusterissuer.yaml
View File

@ -4,3 +4,35 @@ metadata:
name: svc-plus-selfsigned name: svc-plus-selfsigned
spec: spec:
selfSigned: {} selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: svc-plus-acme-http01
spec:
acme:
email: manbuzhe2009@qq.com
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: svc-plus-acme-http01-account-key
solvers:
- http01:
ingress:
ingressClassName: caddy
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: svc-plus-acme-dns01-cloudflare
spec:
acme:
email: manbuzhe2009@qq.com
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: svc-plus-acme-dns01-cloudflare-account-key
solvers:
- dns01:
cloudflare:
apiTokenSecretRef:
name: cloudflare-api-token
key: api-token

2
services/platform/postgresql-tls/certificate.yaml
View File

@ -9,6 +9,6 @@ spec:
dnsNames: dnsNames:
- postgresql-prod.svc.plus - postgresql-prod.svc.plus
issuerRef: issuerRef:
name: svc-plus-selfsigned name: svc-plus-acme-http01
kind: ClusterIssuer kind: ClusterIssuer
group: cert-manager.io group: cert-manager.io