153d7053ca
Adds the production cluster foundation (authored + applied live on node1):

- cert-manager via the k3s HelmChart controller + letsencrypt staging/prod ClusterIssuers (HTTP-01 / Traefik).
- Longhorn config for single-node (values: replica=1, default StorageClass, Retain) + backup-to-Hetzner-Object-Storage credential template.
- In-cluster data tier (dezky-data): Postgres 16 (with Authentik+OCIS DB init), MongoDB 7, Redis 7 as StatefulSets on Longhorn, + secret template.
- bootstrap.sh: install open-iscsi/nfs-common + enable iscsid (Longhorn prereq).
- RUNBOOK.md: full reproducible node1 build order.

Real secrets are generated on-box and kept in Bitwarden — never in git.
# fleet/cert-manager — TLS for the cluster
cert-manager + ACME ClusterIssuers. Installs via the k3s built-in Helm
controller (no Helm CLI needed), then defines letsencrypt-staging and
letsencrypt-prod (HTTP-01 through the bundled Traefik).
## Apply order (matters — issuers need the CRDs first)

```bash
# 1) Install cert-manager
kubectl apply -f cert-manager.yaml

# 2) Wait until it's up (CRDs + webhook ready)
kubectl -n cert-manager rollout status deploy/cert-manager-webhook --timeout=180s
kubectl -n cert-manager get pods

# 3) Create the issuers
kubectl apply -f cluster-issuer.yaml
kubectl get clusterissuer   # both should report READY=True
```
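The same apply order as a script with explicit readiness gates, added here as an example and not part of the repository: it waits on the ClusterIssuer CRD and on each issuer's Ready condition instead of relying on a manual look at `kubectl get clusterissuer`, and `issuers_ready` checks the `--no-headers` output so a non-Ready issuer (typically a failed ACME registration) fails the run. File names are the README's; the CRD name `clusterissuers.cert-manager.io` is upstream cert-manager's.

```shell
#!/usr/bin/env bash
# Added example: gated apply of cert-manager + ClusterIssuers (not repo code).
set -euo pipefail

# Reads "NAME READY STATUS AGE" lines (kubectl get clusterissuer --no-headers)
# from stdin; returns 0 only if every issuer reports READY=True.
issuers_ready() {
  local name ready all=0
  while read -r name ready _; do
    [ -z "$name" ] && continue
    if [ "$ready" != "True" ]; then
      echo "not ready: $name (READY=$ready)" >&2
      all=1
    fi
  done
  return "$all"
}

# Gate 1: the CRDs are registered and the webhook is serving, so the
# ClusterIssuer objects can actually be admitted.
apply_cert_manager() {
  kubectl apply -f cert-manager.yaml
  kubectl wait --for=condition=established \
    crd/clusterissuers.cert-manager.io --timeout=180s
  kubectl -n cert-manager rollout status deploy/cert-manager-webhook --timeout=180s
}

# Gate 2: both issuers are Ready (ACME account registered with Let's Encrypt).
apply_issuers() {
  kubectl apply -f cluster-issuer.yaml
  kubectl wait --for=condition=Ready \
    clusterissuer/letsencrypt-staging clusterissuer/letsencrypt-prod --timeout=120s
  kubectl get clusterissuer --no-headers | issuers_ready
}

# Only touch the cluster when invoked as: ./apply.sh run
if [ "${1:-}" = "run" ]; then
  apply_cert_manager
  apply_issuers
fi
```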
## Notes

- ACME email is `info@dezky.eu` — change in `cluster-issuer.yaml` if needed.
- Test with `letsencrypt-staging` first (set an Ingress annotation `cert-manager.io/cluster-issuer: letsencrypt-staging`) to avoid burning the strict prod rate limits, then switch the apps to `letsencrypt-prod`.
- HTTP-01 requires each hostname's DNS A record → `46.4.78.187` and port 80 open (already true). A cert won't issue until DNS resolves.
- The app Ingresses (`fleet/apps/`) already reference `letsencrypt-prod`.