From 8f59322329893b18f47e3dd7fbc83cab7316dbed Mon Sep 17 00:00:00 2001
From: Andrew Stoltz
Date: Wed, 8 Apr 2026 18:20:23 -0500
Subject: [PATCH] Add step-ca TLS certs for mysql, php, desktop, signage, fc-landing

RKE2 Traefik has no ACME certResolver configured, so IngressRoutes using certResolver: step-ca silently fall back to the Traefik default self-signed cert. Fix by using cert-manager Certificate resources with the step-ca-acme ClusterIssuer and tls.secretName in IngressRoutes.

- fc-landing: Add Certificate, change tls: {} to tls.secretName
- fc-mysql: New app (Certificate + IngressRoute only)
- fc-php: New app (Certificate + IngressRoute only)
- fc-desktop: New app (Certificate + IngressRoute only)
- fc-signage: New app (Certificate + IngressRoute, plus HTTP route for players)

Deployments/Services for mysql/php/desktop/signage are managed by deploy scripts, not ArgoCD. These apps only manage TLS + ingress.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
apps/fc-desktop/fc-desktop.yaml | 32 ++++++++++++++++++++++
apps/fc-landing/fc-landing.yaml | 17 +++++++++++-
apps/fc-mysql/fc-mysql.yaml | 32 ++++++++++++++++++++++
apps/fc-php/fc-php.yaml | 32 ++++++++++++++++++++++
apps/fc-signage/fc-signage.yaml | 48 +++++++++++++++++++++++++++++++++
5 files changed, 160 insertions(+), 1 deletion(-)
create mode 100644 apps/fc-desktop/fc-desktop.yaml
create mode 100644 apps/fc-mysql/fc-mysql.yaml
create mode 100644 apps/fc-php/fc-php.yaml
create mode 100644 apps/fc-signage/fc-signage.yaml
diff --git a/apps/fc-desktop/fc-desktop.yaml b/apps/fc-desktop/fc-desktop.yaml
new file mode 100644
index 0000000..dc49ae5
--- /dev/null
+++ b/apps/fc-desktop/fc-desktop.yaml
@@ -0,0 +1,32 @@
+# FlowerCore Remote Desktop — TLS + Ingress
+# Deployment and Service managed by deploy script (not ArgoCD)
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: remotedesktop-web-tls
+ namespace: fc-desktop
+spec:
+ secretName: remotedesktop-web-tls
+ issuerRef:
+ name: step-ca-acme
+ kind: ClusterIssuer
+ dnsNames:
+ - desktop.iamworkin.lan
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+ name: remotedesktop-web
+ namespace: fc-desktop
+spec:
+ entryPoints:
+ - websecure
+ routes:
+ - match: Host(`desktop.iamworkin.lan`)
+ kind: Rule
+ services:
+ - name: remotedesktop-web
+ port: 8080
+ tls:
+ secretName: remotedesktop-web-tls
diff --git a/apps/fc-landing/fc-landing.yaml b/apps/fc-landing/fc-landing.yaml
index ad6b4bc..f6d2c34 100644
--- a/apps/fc-landing/fc-landing.yaml
+++ b/apps/fc-landing/fc-landing.yaml
@@ -256,6 +256,20 @@ spec:
 targetPort: 80
 name: http
 ---
+# TLS Certificate for internal LAN access
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: fc-landing-tls
+ namespace: fc-system
+spec:
+ secretName: fc-landing-tls
+ issuerRef:
+ name: step-ca-acme
+ kind: ClusterIssuer
+ dnsNames:
+ - flowercore.iamworkin.lan
+---
 # Internal IngressRoute (LAN access)
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
@@ -271,7 +285,8 @@ spec:
 services:
 - name: fc-landing
 port: 80
- tls: {}
+ tls:
+ secretName: fc-landing-tls
 ---
 # Public IngressRoute (flowercore.io with Cloudflare origin cert)
 apiVersion: traefik.io/v1alpha1
diff --git a/apps/fc-mysql/fc-mysql.yaml b/apps/fc-mysql/fc-mysql.yaml
new file mode 100644
index 0000000..35e386d
--- /dev/null
+++ b/apps/fc-mysql/fc-mysql.yaml
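Review bot: The `remotedesktop-web-tls` Certificate spec sets no `privateKey.rotationPolicy`, so unless the cluster runs a cert-manager release whose default is already `Always`, the default `Never` applies and every ACME renewal re-signs the same private key for the life of the Secret. The same omission is in the Certificates of fc-landing, fc-mysql, fc-php and fc-signage. Adding `privateKey:` / `  rotationPolicy: Always` under `spec` makes a renewal also replace the key and does not change the `secretName` wiring the IngressRoutes rely on. It would also be worth stating in the header comment that the step-ca-acme ClusterIssuer must be able to answer the ACME challenge for these `.lan` names, since nothing in this file configures that.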
@@ -0,0 +1,32 @@
+# FlowerCore MySQL Manager — TLS + Ingress
+# Deployment and Service managed by deploy script (not ArgoCD)
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: mysql-web-tls
+ namespace: fc-mysql
+spec:
+ secretName: mysql-web-tls
+ issuerRef:
+ name: step-ca-acme
+ kind: ClusterIssuer
+ dnsNames:
+ - mysql.iamworkin.lan
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+ name: mysql-web
+ namespace: fc-mysql
+spec:
+ entryPoints:
+ - websecure
+ routes:
+ - match: Host(`mysql.iamworkin.lan`)
+ kind: Rule
+ services:
+ - name: mysql-web
+ port: 5300
+ tls:
+ secretName: mysql-web-tls
diff --git a/apps/fc-php/fc-php.yaml b/apps/fc-php/fc-php.yaml
new file mode 100644
index 0000000..feb5614
--- /dev/null
+++ b/apps/fc-php/fc-php.yaml
@@ -0,0 +1,32 @@
+# FlowerCore PHP Manager — TLS + Ingress
+# Deployment and Service managed by deploy script (not ArgoCD)
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: php-web-tls
+ namespace: fc-php
+spec:
+ secretName: php-web-tls
+ issuerRef:
+ name: step-ca-acme
+ kind: ClusterIssuer
+ dnsNames:
+ - php.iamworkin.lan
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+ name: php-web
+ namespace: fc-php
+spec:
+ entryPoints:
+ - websecure
+ routes:
+ - match: Host(`php.iamworkin.lan`)
+ kind: Rule
+ services:
+ - name: php-web
+ port: 5400
+ tls:
+ secretName: php-web-tls
diff --git a/apps/fc-signage/fc-signage.yaml b/apps/fc-signage/fc-signage.yaml
new file mode 100644
index 0000000..fcafe8e
--- /dev/null
+++ b/apps/fc-signage/fc-signage.yaml
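Review bot: The `mysql-web` IngressRoute terminates TLS but references no Traefik `middlewares`, so whatever authentication the deploy-script-managed `mysql-web` service performs itself is the only access control in front of `mysql.iamworkin.lan`; the `php-web` route in this file's neighbour hunk and the `remotedesktop-web` route in fc-desktop are wired the same way. If these management UIs are meant to be reachable only from a known part of the LAN, an `ipAllowList` (or forward-auth) middleware attached to the route would enforce that at the edge rather than relying on network position, e.g. `middlewares:` / `- name: <middleware-name>` under the route next to `services:`. If the apps do enforce their own login, a one-line comment saying so above the IngressRoute would save the next reviewer the same question.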
@@ -0,0 +1,48 @@
+# FlowerCore Digital Signage — TLS + Ingress
+# Deployment and Service managed by deploy script (not ArgoCD)
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: signage-web-tls
+ namespace: fc-signage
+spec:
+ secretName: signage-web-tls
+ issuerRef:
+ name: step-ca-acme
+ kind: ClusterIssuer
+ dnsNames:
+ - signage.iamworkin.lan
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+ name: signage-web
+ namespace: fc-signage
+spec:
+ entryPoints:
+ - websecure
+ routes:
+ - match: Host(`signage.iamworkin.lan`)
+ kind: Rule
+ services:
+ - name: signage-web
+ port: 5190
+ tls:
+ secretName: signage-web-tls
+---
+# HTTP route for signage players that may not use TLS
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+ name: signage-web-http
+ namespace: fc-signage
+spec:
+ entryPoints:
+ - web
+ routes:
+ - match: Host(`signage.iamworkin.lan`)
+ kind: Rule
+ services:
+ - name: signage-web
+ port: 5190
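Review bot: The `signage-web-http` route uses the same `Host()` match and the same backend as the TLS route above it, so any client that reaches `http://signage.iamworkin.lan` — not only the players the comment has in mind — is served the whole application in cleartext, and the certificate this commit adds protects only clients that choose HTTPS. If player traffic can be distinguished (a dedicated path or a fixed source range), narrow this route's `match` to it and let a `redirectScheme` middleware send everything else to `websecure`; if it cannot, the trade-off should at least be explicit in the comment, e.g. `# HTTP route for signage players that may not use TLS; serves the full app unencrypted to any client on this host (no HTTPS redirect)`. The same-host HTTP route also means browsers can never be given an HSTS guarantee for this name.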