Initial commit.

2025-04-27 14:57:00 -07:00
commit 84376fb3d5
63 changed files with 5645 additions and 0 deletions
--- a/infrastructure_setup/cert-manager/internal-wildcard-certificate.yaml
+++ b/infrastructure_setup/cert-manager/internal-wildcard-certificate.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: wildcard-internal-sovereign-cloud
+  namespace: internal
+spec:
+  secretName: wildcard-internal-sovereign-cloud-tls
+  dnsNames:
+  - "*.internal.${DOMAIN}"
+  - "internal.${DOMAIN}"
+  issuerRef:
+    name: letsencrypt-prod
+    kind: ClusterIssuer
+  duration: 2160h # 90 days
+  renewBefore: 360h # 15 days
+  privateKey:
+    algorithm: RSA
+    size: 2048
--- a/infrastructure_setup/cert-manager/letsencrypt-prod-dns01.yaml
+++ b/infrastructure_setup/cert-manager/letsencrypt-prod-dns01.yaml
@@ -0,0 +1,26 @@
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-prod
+spec:
+  acme:
+    email: ${EMAIL}
+    privateKeySecretRef:
+      name: letsencrypt-prod
+    server: https://acme-v02.api.letsencrypt.org/directory
+    solvers:
+    # DNS-01 solver for wildcard certificates
+    - dns01:
+        cloudflare:
+          email: ${EMAIL}
+          apiTokenSecretRef:
+            name: cloudflare-api-token
+            key: api-token
+      selector:
+        dnsZones:
+        - "${CLOUDFLARE_DOMAIN}" # This will cover all subdomains
+    # Keep the HTTP-01 solver for non-wildcard certificates
+    - http01:
+        ingress:
+          class: traefik
--- a/infrastructure_setup/cert-manager/letsencrypt-staging-dns01.yaml
+++ b/infrastructure_setup/cert-manager/letsencrypt-staging-dns01.yaml
@@ -0,0 +1,26 @@
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-staging
+spec:
+  acme:
+    email: ${EMAIL}
+    privateKeySecretRef:
+      name: letsencrypt-staging
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    solvers:
+    # DNS-01 solver for wildcard certificates
+    - dns01:
+        cloudflare:
+          email: ${EMAIL}
+          apiTokenSecretRef:
+            name: cloudflare-api-token
+            key: api-token
+      selector:
+        dnsZones:
+        - "${DOMAIN}" # This will cover all subdomains
+    # Keep the HTTP-01 solver for non-wildcard certificates
+    - http01:
+        ingress:
+          class: traefik
--- a/infrastructure_setup/cert-manager/wildcard-certificate.yaml
+++ b/infrastructure_setup/cert-manager/wildcard-certificate.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: wildcard-sovereign-cloud
+  namespace: default
+spec:
+  secretName: wildcard-sovereign-cloud-tls
+  dnsNames:
+  - "*.${DOMAIN}"
+  - "${DOMAIN}"
+  issuerRef:
+    name: letsencrypt-prod
+    kind: ClusterIssuer
+  duration: 2160h # 90 days
+  renewBefore: 360h # 15 days
+  privateKey:
+    algorithm: RSA
+    size: 2048