Add step-ca TLS certs for mysql, php, desktop, signage, fc-landing
RKE2 Traefik has no ACME certResolver configured, so IngressRoutes
using certResolver: step-ca silently fall back to the Traefik default
self-signed cert. Fix by using cert-manager Certificate resources with
the step-ca-acme ClusterIssuer and tls.secretName in IngressRoutes.
- fc-landing: Add Certificate, change tls: {} to tls.secretName
- fc-mysql: New app (Certificate + IngressRoute only)
- fc-php: New app (Certificate + IngressRoute only)
- fc-desktop: New app (Certificate + IngressRoute only)
- fc-signage: New app (Certificate + IngressRoute, plus HTTP route for players)
Deployments/Services for mysql/php/desktop/signage are managed by
deploy scripts, not ArgoCD. These apps only manage TLS + ingress.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Andrew Stoltz
32
apps/fc-desktop/fc-desktop.yaml
Normal file
32
apps/fc-desktop/fc-desktop.yaml
Normal file
@@ -0,0 +1,32 @@
|
||||
# FlowerCore Remote Desktop — TLS + Ingress
|
||||
# Deployment and Service managed by deploy script (not ArgoCD)
|
||||
---
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: Certificate
|
||||
metadata:
|
||||
name: remotedesktop-web-tls
|
||||
namespace: fc-desktop
|
||||
spec:
|
||||
secretName: remotedesktop-web-tls
|
||||
issuerRef:
|
||||
name: step-ca-acme
|
||||
kind: ClusterIssuer
|
||||
dnsNames:
|
||||
- desktop.iamworkin.lan
|
||||
---
|
||||
apiVersion: traefik.io/v1alpha1
|
||||
kind: IngressRoute
|
||||
metadata:
|
||||
name: remotedesktop-web
|
||||
namespace: fc-desktop
|
||||
spec:
|
||||
entryPoints:
|
||||
- websecure
|
||||
routes:
|
||||
- match: Host(`desktop.iamworkin.lan`)
|
||||
kind: Rule
|
||||
services:
|
||||
- name: remotedesktop-web
|
||||
port: 8080
|
||||
tls:
|
||||
secretName: remotedesktop-web-tls
|
||||
@@ -256,6 +256,20 @@ spec:
|
||||
targetPort: 80
|
||||
name: http
|
||||
---
|
||||
# TLS Certificate for internal LAN access
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: Certificate
|
||||
metadata:
|
||||
name: fc-landing-tls
|
||||
namespace: fc-system
|
||||
spec:
|
||||
secretName: fc-landing-tls
|
||||
issuerRef:
|
||||
name: step-ca-acme
|
||||
kind: ClusterIssuer
|
||||
dnsNames:
|
||||
- flowercore.iamworkin.lan
|
||||
---
|
||||
# Internal IngressRoute (LAN access)
|
||||
apiVersion: traefik.io/v1alpha1
|
||||
kind: IngressRoute
|
||||
@@ -271,7 +285,8 @@ spec:
|
||||
services:
|
||||
- name: fc-landing
|
||||
port: 80
|
||||
tls: {}
|
||||
tls:
|
||||
secretName: fc-landing-tls
|
||||
---
|
||||
# Public IngressRoute (flowercore.io with Cloudflare origin cert)
|
||||
apiVersion: traefik.io/v1alpha1
|
||||
|
||||
32
apps/fc-mysql/fc-mysql.yaml
Normal file
32
apps/fc-mysql/fc-mysql.yaml
Normal file
@@ -0,0 +1,32 @@
|
||||
# FlowerCore MySQL Manager — TLS + Ingress
|
||||
# Deployment and Service managed by deploy script (not ArgoCD)
|
||||
---
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: Certificate
|
||||
metadata:
|
||||
name: mysql-web-tls
|
||||
namespace: fc-mysql
|
||||
spec:
|
||||
secretName: mysql-web-tls
|
||||
issuerRef:
|
||||
name: step-ca-acme
|
||||
kind: ClusterIssuer
|
||||
dnsNames:
|
||||
- mysql.iamworkin.lan
|
||||
---
|
||||
apiVersion: traefik.io/v1alpha1
|
||||
kind: IngressRoute
|
||||
metadata:
|
||||
name: mysql-web
|
||||
namespace: fc-mysql
|
||||
spec:
|
||||
entryPoints:
|
||||
- websecure
|
||||
routes:
|
||||
- match: Host(`mysql.iamworkin.lan`)
|
||||
kind: Rule
|
||||
services:
|
||||
- name: mysql-web
|
||||
port: 5300
|
||||
tls:
|
||||
secretName: mysql-web-tls
|
||||
32
apps/fc-php/fc-php.yaml
Normal file
32
apps/fc-php/fc-php.yaml
Normal file
@@ -0,0 +1,32 @@
|
||||
# FlowerCore PHP Manager — TLS + Ingress
|
||||
# Deployment and Service managed by deploy script (not ArgoCD)
|
||||
---
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: Certificate
|
||||
metadata:
|
||||
name: php-web-tls
|
||||
namespace: fc-php
|
||||
spec:
|
||||
secretName: php-web-tls
|
||||
issuerRef:
|
||||
name: step-ca-acme
|
||||
kind: ClusterIssuer
|
||||
dnsNames:
|
||||
- php.iamworkin.lan
|
||||
---
|
||||
apiVersion: traefik.io/v1alpha1
|
||||
kind: IngressRoute
|
||||
metadata:
|
||||
name: php-web
|
||||
namespace: fc-php
|
||||
spec:
|
||||
entryPoints:
|
||||
- websecure
|
||||
routes:
|
||||
- match: Host(`php.iamworkin.lan`)
|
||||
kind: Rule
|
||||
services:
|
||||
- name: php-web
|
||||
port: 5400
|
||||
tls:
|
||||
secretName: php-web-tls
|
||||
48
apps/fc-signage/fc-signage.yaml
Normal file
48
apps/fc-signage/fc-signage.yaml
Normal file
@@ -0,0 +1,48 @@
|
||||
# FlowerCore Digital Signage — TLS + Ingress
|
||||
# Deployment and Service managed by deploy script (not ArgoCD)
|
||||
---
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: Certificate
|
||||
metadata:
|
||||
name: signage-web-tls
|
||||
namespace: fc-signage
|
||||
spec:
|
||||
secretName: signage-web-tls
|
||||
issuerRef:
|
||||
name: step-ca-acme
|
||||
kind: ClusterIssuer
|
||||
dnsNames:
|
||||
- signage.iamworkin.lan
|
||||
---
|
||||
apiVersion: traefik.io/v1alpha1
|
||||
kind: IngressRoute
|
||||
metadata:
|
||||
name: signage-web
|
||||
namespace: fc-signage
|
||||
spec:
|
||||
entryPoints:
|
||||
- websecure
|
||||
routes:
|
||||
- match: Host(`signage.iamworkin.lan`)
|
||||
kind: Rule
|
||||
services:
|
||||
- name: signage-web
|
||||
port: 5190
|
||||
tls:
|
||||
secretName: signage-web-tls
|
||||
---
|
||||
# HTTP route for signage players that may not use TLS
|
||||
apiVersion: traefik.io/v1alpha1
|
||||
kind: IngressRoute
|
||||
metadata:
|
||||
name: signage-web-http
|
||||
namespace: fc-signage
|
||||
spec:
|
||||
entryPoints:
|
||||
- web
|
||||
routes:
|
||||
- match: Host(`signage.iamworkin.lan`)
|
||||
kind: Rule
|
||||
services:
|
||||
- name: signage-web
|
||||
port: 5190
|
||||
Reference in New Issue
Block a user