Took things from the teslamate branch that are needed for the domains…

… to work

Signed-off-by: Carlos Ravelo <[email protected]>

apps/Bitwarden.yaml

@@ -57,12 +57,12 @@ spec:
       main:
         enabled: true
         hosts:
-        - host: p.${CLUSTER_DOMAIN_NAME}
+        - host: ${BITWARDEN_SUBDOMAIN}.${CLUSTER_DOMAIN_NAME}
           paths:
           - path: /
         tls:
         - hosts:
-          - p.${CLUSTER_DOMAIN_NAME}
+          - ${BITWARDEN_SUBDOMAIN}.${CLUSTER_DOMAIN_NAME}
           secretName: internal-ingress-cert
         annotations:
           kubernetes.io/ingress.class: "nginx"

apps/HomeAssistant.yaml

@@ -27,18 +27,18 @@ spec:
       main:
         enabled: true
         hosts:
-        - host: hass.${CLUSTER_DOMAIN_NAME}
+        - host: ${HASS_SUBDOMAIN}.${CLUSTER_DOMAIN_NAME}
           paths:
           - path: /
         tls:
         - hosts:
-          - hass.${CLUSTER_DOMAIN_NAME}
+          - ${HASS_SUBDOMAIN}.${CLUSTER_DOMAIN_NAME}
           secretName: internal-ingress-cert
         annotations:
           kubernetes.io/ingress.class: "nginx"
           nginx.org/websocket-services: home-assistant
           forecastle.stakater.com/expose: "true"
-          forecastle.stakater.com/icon: "https://hass.${CLUSTER_DOMAIN_NAME}/static/icons/favicon-192x192.png"
+          forecastle.stakater.com/icon: "https://${HASS_SUBDOMAIN}.${CLUSTER_DOMAIN_NAME}/static/icons/favicon-192x192.png"
           forecastle.stakater.com/appName: "Home Assistant"
     persistence:
       config:

clusters/gandazgul/ClusterKustomization.yaml

@@ -27,6 +27,8 @@ spec:
       PHOTOS_GID: "1000"
       # The time zone to apply to all containers
       CLUSTER_TIME_ZONE: America/New_York
+      BITWARDEN_SUBDOMAIN: "pass"
+      HASS_SUBDOMAIN: "ha"
     substituteFrom:
     # substitutions can also come from a config map or secret
     #    - kind: ConfigMap

infrastructure/cert-manager/controller/CertManager.yaml

@@ -19,3 +19,5 @@ spec:
     installCRDs: true
     extraArgs:
       - --max-concurrent-challenges=2
+      - --dns01-recursive-nameservers-only
+      - --dns01-recursive-nameservers=1.1.1.1:53,8.8.8.8:53

infrastructure/cert-manager/issuers/LetsEncryptProdCloudflareIssuer.yaml

@@ -0,0 +1,69 @@
+# while querying the Cloudflare API for POST \"/zones/1d3db8f84a9c4282a53b065902f5f8f2/dns_records\"
+# Error: 1038: You cannot use this API for domains with a .cf, .ga, .gq, .ml, or .tk TLD (top-level domain). To configure the DNS settings for this domain, use the Cloudflare Dashboard.
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-cloudflare-prod
+spec:
+  acme:
+    # The ACME server URL
+    server: https://acme-v02.api.letsencrypt.org/directory
+    # Email address used for ACME registration
+    email: ${EMAIL}
+    # Name of a secret used to store the ACME account private key
+    privateKeySecretRef:
+      name: letsencrypt-prod
+    # Enable the HTTP-01 challenge provider
+    solvers:
+    # An empty 'selector' means that this solver matches all domains
+    - selector: { }
+      dns01:
+        cloudflare:
+          apiTokenSecretRef:
+            name: cloudflare-api-token-secret
+            key: api-token
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cloudflare-api-token-secret
+  namespace: kube-system
+stringData:
+  api-token: ${CLOUDFLARE_API_TOKEN}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: internal-ingress-cert
+  namespace: kube-system
+spec:
+  dnsNames:
+  - "*.${CLUSTER_DOMAIN_NAME}"
+  - ${CLUSTER_DOMAIN_NAME}
+  issuerRef:
+    group: cert-manager.io
+    kind: ClusterIssuer
+    name: letsencrypt-cloudflare-prod
+  secretName: internal-ingress-cert
+  usages:
+  - digital signature
+  - key encipherment
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: internal-ingress-cert
+  namespace: default
+spec:
+  dnsNames:
+    - "*.${CLUSTER_DOMAIN_NAME}"
+    - ${CLUSTER_DOMAIN_NAME}
+  issuerRef:
+    group: cert-manager.io
+    kind: ClusterIssuer
+    name: letsencrypt-cloudflare-prod
+  secretName: internal-ingress-cert
+  usages:
+    - digital signature
+    - key encipherment

infrastructure/cert-manager/issuers/LetsEncryptProdDNSIssuer.yaml

@@ -40,38 +40,38 @@ stringData:
       }
     }
 ---
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: internal-ingress-cert
-  namespace: kube-system
-spec:
-  dnsNames:
-  - "*.${CLUSTER_DOMAIN_NAME}"
-  - ${CLUSTER_DOMAIN_NAME}
-  issuerRef:
-    group: cert-manager.io
-    kind: ClusterIssuer
-    name: letsencrypt-dns01-prod
-  secretName: internal-ingress-cert
-  usages:
-  - digital signature
-  - key encipherment
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: internal-ingress-cert
-  namespace: default
-spec:
-  dnsNames:
-    - "*.${CLUSTER_DOMAIN_NAME}"
-    - ${CLUSTER_DOMAIN_NAME}
-  issuerRef:
-    group: cert-manager.io
-    kind: ClusterIssuer
-    name: letsencrypt-dns01-prod
-  secretName: internal-ingress-cert
-  usages:
-    - digital signature
-    - key encipherment
+#apiVersion: cert-manager.io/v1
+#kind: Certificate
+#metadata:
+#  name: internal-ingress-cert
+#  namespace: kube-system
+#spec:
+#  dnsNames:
+#  - "*.${CLUSTER_DOMAIN_NAME}"
+#  - ${CLUSTER_DOMAIN_NAME}
+#  issuerRef:
+#    group: cert-manager.io
+#    kind: ClusterIssuer
+#    name: letsencrypt-dns01-prod
+#  secretName: internal-ingress-cert
+#  usages:
+#  - digital signature
+#  - key encipherment
+#---
+#apiVersion: cert-manager.io/v1
+#kind: Certificate
+#metadata:
+#  name: internal-ingress-cert
+#  namespace: default
+#spec:
+#  dnsNames:
+#    - "*.${CLUSTER_DOMAIN_NAME}"
+#    - ${CLUSTER_DOMAIN_NAME}
+#  issuerRef:
+#    group: cert-manager.io
+#    kind: ClusterIssuer
+#    name: letsencrypt-dns01-prod
+#  secretName: internal-ingress-cert
+#  usages:
+#    - digital signature
+#    - key encipherment