bluejay/bluejay-infra
1
0
Fork 0
Code Issues Pull Requests 14 Actions Packages Projects Releases Wiki Activity

Add step-ca TLS certs for mysql, php, desktop, signage, fc-landing

Browse Source 
RKE2 Traefik has no ACME certResolver configured, so IngressRoutes
using certResolver: step-ca silently fall back to the Traefik default
self-signed cert. Fix by using cert-manager Certificate resources with
the step-ca-acme ClusterIssuer and tls.secretName in IngressRoutes.

- fc-landing: Add Certificate, change tls: {} to tls.secretName
- fc-mysql: New app (Certificate + IngressRoute only)
- fc-php: New app (Certificate + IngressRoute only)
- fc-desktop: New app (Certificate + IngressRoute only)
- fc-signage: New app (Certificate + IngressRoute, plus HTTP route for players)

Deployments/Services for mysql/php/desktop/signage are managed by
deploy scripts, not ArgoCD. These apps only manage TLS + ingress.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Andrew Stoltz
2026-04-08 18:20:23 -05:00
parent 8f8290e0da
commit 8f59322329
5 changed files with 160 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
apps/fc-desktop/fc-desktop.yaml Normal file
View File

@@ -0,0 +1,32 @@
# FlowerCore Remote Desktop — TLS + Ingress
# Deployment and Service managed by deploy script (not ArgoCD)
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: remotedesktop-web-tls
namespace: fc-desktop
spec:
secretName: remotedesktop-web-tls
issuerRef:
name: step-ca-acme
kind: ClusterIssuer
dnsNames:
- desktop.iamworkin.lan
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: remotedesktop-web
namespace: fc-desktop
spec:
entryPoints:
- websecure
routes:
- match: Host(`desktop.iamworkin.lan`)
kind: Rule
services:
- name: remotedesktop-web
port: 8080
tls:
secretName: remotedesktop-web-tls

17
apps/fc-landing/fc-landing.yaml
View File

@@ -256,6 +256,20 @@ spec:
targetPort: 80 targetPort: 80
name: http name: http
--- ---
# TLS Certificate for internal LAN access
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: fc-landing-tls
namespace: fc-system
spec:
secretName: fc-landing-tls
issuerRef:
name: step-ca-acme
kind: ClusterIssuer
dnsNames:
- flowercore.iamworkin.lan
---
# Internal IngressRoute (LAN access) # Internal IngressRoute (LAN access)
apiVersion: traefik.io/v1alpha1 apiVersion: traefik.io/v1alpha1
kind: IngressRoute kind: IngressRoute
@@ -271,7 +285,8 @@ spec:
services: services:
- name: fc-landing - name: fc-landing
port: 80 port: 80
tls: {} tls:
secretName: fc-landing-tls
--- ---
# Public IngressRoute (flowercore.io with Cloudflare origin cert) # Public IngressRoute (flowercore.io with Cloudflare origin cert)
apiVersion: traefik.io/v1alpha1 apiVersion: traefik.io/v1alpha1

32
apps/fc-mysql/fc-mysql.yaml Normal file
View File

@@ -0,0 +1,32 @@
# FlowerCore MySQL Manager — TLS + Ingress
# Deployment and Service managed by deploy script (not ArgoCD)
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: mysql-web-tls
namespace: fc-mysql
spec:
secretName: mysql-web-tls
issuerRef:
name: step-ca-acme
kind: ClusterIssuer
dnsNames:
- mysql.iamworkin.lan
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: mysql-web
namespace: fc-mysql
spec:
entryPoints:
- websecure
routes:
- match: Host(`mysql.iamworkin.lan`)
kind: Rule
services:
- name: mysql-web
port: 5300
tls:
secretName: mysql-web-tls

32
apps/fc-php/fc-php.yaml Normal file
View File

@@ -0,0 +1,32 @@
# FlowerCore PHP Manager — TLS + Ingress
# Deployment and Service managed by deploy script (not ArgoCD)
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: php-web-tls
namespace: fc-php
spec:
secretName: php-web-tls
issuerRef:
name: step-ca-acme
kind: ClusterIssuer
dnsNames:
- php.iamworkin.lan
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: php-web
namespace: fc-php
spec:
entryPoints:
- websecure
routes:
- match: Host(`php.iamworkin.lan`)
kind: Rule
services:
- name: php-web
port: 5400
tls:
secretName: php-web-tls

48
apps/fc-signage/fc-signage.yaml Normal file
View File

@@ -0,0 +1,48 @@
# FlowerCore Digital Signage — TLS + Ingress
# Deployment and Service managed by deploy script (not ArgoCD)
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: signage-web-tls
namespace: fc-signage
spec:
secretName: signage-web-tls
issuerRef:
name: step-ca-acme
kind: ClusterIssuer
dnsNames:
- signage.iamworkin.lan
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: signage-web
namespace: fc-signage
spec:
entryPoints:
- websecure
routes:
- match: Host(`signage.iamworkin.lan`)
kind: Rule
services:
- name: signage-web
port: 5190
tls:
secretName: signage-web-tls
---
# HTTP route for signage players that may not use TLS
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: signage-web-http
namespace: fc-signage
spec:
entryPoints:
- web
routes:
- match: Host(`signage.iamworkin.lan`)
kind: Rule
services:
- name: signage-web
port: 5190