tls and ingresses for all

2025-12-14 20:18:23 +01:00 · 2025-12-14 20:18:23 +01:00 · 70466cd500
commit 70466cd500
parent 6f5d415cc4
7 changed files with 117 additions and 39 deletions
--- a/apps/drawio/drawio-ingress.yaml
+++ b/apps/drawio/drawio-ingress.yaml
@ -0,0 +1,34 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: drawio
+  namespace: default
+  annotations:
+    # 1. Enable cert-manager for automatic TLS
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
+    
+    # 2. NGINX Annotation for the specific ingress class
+    # (redundant if using ingressClassName but good practice)
+    kubernetes.io/ingress.class: "nginx"
+spec:
+  # Ensure this matches the ingress class name of your running NGINX controller
+  ingressClassName: nginx 
+  
+  # TLS configuration
+  tls:
+    - hosts:
+        - drawio.sebastians-co.de
+      secretName: drawio-tls # cert-manager will create and manage this secret
+  
+  # Routing rules
+  rules:
+    - host: drawio.sebastians-co.de
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: drawio # Name of the Service above
+                port:
+                  number: 8080 # The port the Service exposes
--- a/apps/drawio/service.yaml
+++ b/apps/drawio/service.yaml
@ -2,11 +2,13 @@ apiVersion: v1
 kind: Service
 metadata:
  name: drawio
+  namespace: default
 spec:
-  type: NodePort
+  type: ClusterIP
  selector:
    app: drawio
  ports:
-    - port: 8080
+    - name: http
+      port: 8080
      targetPort: 8080
-      nodePort: 30880
+      protocol: TCP
--- a/apps/elasticsearch/elasticsearch-ingress.yaml
+++ b/apps/elasticsearch/elasticsearch-ingress.yaml
@ -0,0 +1,33 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: elasticsearch
+  namespace: default
+  annotations:
+    # 1. Enable cert-manager for automatic TLS
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
+    
+    # 2. Annotation for the NGINX Ingress Controller class
+    kubernetes.io/ingress.class: "nginx"
+
+    # CRITICAL: Since ES is running without internal TLS, we omit the
+    # nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" annotation.
+spec:
+  ingressClassName: nginx 
+  
+  tls:
+    - hosts:
+        - elasticsearch.sebastians-co.de
+      secretName: elasticsearch-tls # cert-manager will create this secret
+  
+  rules:
+    - host: elasticsearch.sebastians-co.de
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: elasticsearch
+                port:
+                  number: 9200
--- a/apps/elasticsearch/service.yaml
+++ b/apps/elasticsearch/service.yaml
@ -1,8 +1,8 @@
-
 apiVersion: v1
 kind: Service
 metadata:
  name: elasticsearch
+  namespace: default
 spec:
  selector:
    app: elasticsearch
@ -13,18 +13,3 @@ spec:
    - port: 9300
      targetPort: 9300
      name: transport
---
-apiVersion: v1
-kind: Service
-metadata:
-  name: elasticsearch-nodeport
-spec:
-  type: NodePort
-  selector:
-    app: elasticsearch
-  ports:
-    - name: http
-      port: 9200
-      targetPort: 9200
-      nodePort: 32200
-
--- a/apps/rabbitmq/rabbitmq-ingress.yaml
+++ b/apps/rabbitmq/rabbitmq-ingress.yaml
@ -0,0 +1,35 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: rabbitmq-management
+  namespace: default
+  annotations:
+    # 1. Enable cert-manager for automatic TLS
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
+    
+    # 2. NGINX Annotation for the specific ingress class
+    kubernetes.io/ingress.class: "nginx"
+
+    # 3. CRUCIAL: RabbitMQ Management UI works best at the root path (/). 
+    #    If you use a subpath (e.g., /rabbitmq), you would need to add 
+    #    nginx.ingress.kubernetes.io/rewrite-target: /$1
+    #    and set the management.path_prefix in the RabbitMQ config.
+spec:
+  ingressClassName: nginx 
+  
+  tls:
+    - hosts:
+        - rabbitmq.ziffeldogip.de
+      secretName: rabbitmq-management-tls # cert-manager will create this secret
+  
+  rules:
+    - host: rabbitmq.ziffeldogip.de
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: rabbitmq # Name of the ClusterIP Service
+                port:
+                  number: 15672 # The internal Management UI port
--- a/apps/rabbitmq/service.yaml
+++ b/apps/rabbitmq/service.yaml
@ -2,6 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
  name: rabbitmq
+  namespace: default
 spec:
  selector:
    app: rabbitmq
@ -12,25 +13,6 @@ spec:
    - name: mqtt
      port: 1883
      targetPort: 1883
---
-apiVersion: v1
-kind: Service
-metadata:
-  name: rabbitmq-management
-spec:
-  type: NodePort
-  selector:
-    app: rabbitmq
-  ports:
    - name: management
      port: 15672
      targetPort: 15672
-      nodePort: 31672
-    - name: amqp
-      port: 5672
-      targetPort: 5672
-      nodePort: 30672
-    - name: mqtt
-      port: 1883
-      targetPort: 1883
-      nodePort: 30883
--- a/auth/authentik-values.yaml
+++ b/auth/authentik-values.yaml
@ -12,8 +12,15 @@ server:
        # Specify kubernetes ingress controller class name
        ingressClassName: nginx
        enabled: true
+        annotations:
+          cert-manager.io/cluster-issuer: "letsencrypt-prod"
+          kubernetes.io/ingress.class: "nginx"
        hosts:
-            - ziffeldogip.de
+            - login.ziffeldogip.de
+        tls:
+          - secretName: authentik-tls-cert # Cert-manager will create this secret
+            hosts:
+              - login.ziffeldogip.de

 postgresql:
    enabled: true