ingress: TLS via cert-manager (letsencrypt-prod) for onelab.k8s.selair.it

Made-with: Cursor
2026-03-20 10:29:50 +01:00
parent 279829cfee
commit 9cb1b10d6c
4 changed files with 16 additions and 7 deletions
--- a/gitops/README.md
+++ b/gitops/README.md
@@ -54,6 +54,8 @@ Helm 3.19 may return empty content for `.Files.Get` on Windows; this chart uses

 Enable `ingress.enabled` and set `ingress.host` (and optional TLS). Traffic is sent to Service **`revproxy`** (internal nginx). On k3s, `ingress.className: traefik` matches the default controller.

+For **cert-manager**, set `ingress.tls: true`, `ingress.tlsSecretName`, and `ingress.certManager.clusterIssuer` (e.g. `letsencrypt-prod`). Ensure a **DNS A/CNAME** for `ingress.host` points to your ingress before the ACME challenge runs.
+
 ## Not migrated in this chart

 - **Edge proxy stack** (`app/proxy/docker-compose.yml`, host 80/443 Swarm mode) — replaced for K8s by this **Ingress** + `revproxy`; optional **cert-manager** for TLS at the Ingress.
--- a/gitops/charts/onelab/templates/ingress.yaml
+++ b/gitops/charts/onelab/templates/ingress.yaml
@@ -7,6 +7,9 @@ metadata:
    {{- include "onelab.labels" . | nindent 4 }}
  annotations:
    argocd.argoproj.io/sync-wave: {{ .Values.syncWaves.apps | quote }}
+    {{- if .Values.ingress.certManager.clusterIssuer }}
+    cert-manager.io/cluster-issuer: {{ .Values.ingress.certManager.clusterIssuer | quote }}
+    {{- end }}
    {{- with .Values.ingress.annotations }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
--- a/gitops/charts/onelab/values.yaml
+++ b/gitops/charts/onelab/values.yaml
@@ -97,6 +97,9 @@ ingress:
  annotations: {}
  tls: false
  tlsSecretName: ""
+  certManager:
+    # When set, adds cert-manager.io/cluster-issuer annotation (TLS secret is created automatically).
+    clusterIssuer: ""

 # Replica counts (api.apidevice etc. override defaults in templates/workloads.yaml via this map)
 replicas:
--- a/gitops/values/k3s-example.yaml
+++ b/gitops/values/k3s-example.yaml
@@ -23,8 +23,8 @@ postgresql:
    password: "DBPasswordPlaceholder"

 onelab:
-  # Match how users reach the UI (Ingress host); use https:// when ingress.tls is true.
-  domain: "http://onelab.local"
+  # Public URL (must match ingress host + scheme).
+  domain: "https://onelab.k8s.selair.it"
  secrets:
    authTokenKey: "TokenAuthPlaceholder"
    monitoringToken: "TokenMonitoringPlaceholder"
@@ -40,11 +40,12 @@ revproxy:
 ingress:
  enabled: true
  className: traefik
-  # Set DNS or /etc/hosts to this host pointing at your ingress (e.g. worker external IP or LB).
-  host: onelab.local
+  host: onelab.k8s.selair.it
  path: /
  pathType: Prefix
+  tls: true
+  # cert-manager writes the certificate into this Secret in the release namespace
+  tlsSecretName: onelab-tls-k8s-selair
+  certManager:
+    clusterIssuer: letsencrypt-prod
  annotations: {}
-  tls: false
-  # tls: true
-  # tlsSecretName: onelab-tls   # create with cert-manager or kubectl