ronnibaslund/dezky
1
0
Fork 0
Code Issues 37 Pull Requests Actions Packages Projects 1 Releases Wiki Activity
Files
406e2ca78bdf4605528bed2f7f3b60ff7128d6aa
dezky/infrastructure/production/fleet/traefik/helmchartconfig.yaml
T
Ronni Baslund 406e2ca78b
ci / typecheck (map[dir:apps/booking name:booking]) (push) Has been cancelled
Details
ci / typecheck (map[dir:apps/website name:website]) (push) Has been cancelled
Details
ci / typecheck (map[dir:apps/portal name:portal]) (push) Has been cancelled
Details
ci / typecheck (map[dir:services/platform-api name:platform-api]) (push) Has been cancelled
Details
ci / test (push) Has been cancelled
Details
feat(infra): deploy Authentik (auth.dezky.eu) + global HTTP→HTTPS redirect 
- Authentik on the in-cluster Postgres/Redis (mirrors the dev compose config:
  external DB/Redis, error-reporting off, update-check off, bootstrap admin),
  via the k3s Helm controller; Ingress + cert-manager letsencrypt-prod. Live at
  https://auth.dezky.eu (image 2026.5.2). Secrets generated on-box (Bitwarden).
- Traefik HelmChartConfig: global :80 -> :443 (308) redirect via
  additionalArguments (to=:443, HTTP-01-safe).
- RUNBOOK updated.

Deferred (mirror remaining dev bits): OIDC app blueprints (portal/operator with
prod URLs) + the cosmetic "Powered by Dezky" rebrand.
2026-06-08 19:00:07 +02:00

25 lines
1.1 KiB
YAML
Raw Blame History

# Customise the k3s-bundled Traefik: redirect ALL HTTP (:80) → HTTPS (:443)
# globally, for every Ingress on the cluster.
#
# k3s manages Traefik via a HelmChart named 'traefik' in kube-system; a
# HelmChartConfig of the same name MERGES these values into it (k3s re-runs the
# install). We inject the redirect as Traefik static-config args
# (additionalArguments) — version-independent, unlike the chart's
# ports.web.redirectTo value which didn't render on this chart version.
#
# HTTP-01 ACME is unaffected: Let's Encrypt follows the 308 to HTTPS, so
# cert-manager challenges still validate.
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
name: traefik
namespace: kube-system
spec:
valuesContent: |-
additionalArguments:
# to=:443 (NOT 'websecure') — the websecure entrypoint listens on :8443
# internally, which isn't exposed; redirect to the public 443 instead.
- "--entrypoints.web.http.redirections.entrypoint.to=:443"
- "--entrypoints.web.http.redirections.entrypoint.scheme=https"
- "--entrypoints.web.http.redirections.entrypoint.permanent=true"
Reference in New Issue View Git Blame Copy Permalink