ingress: TLS via cert-manager (letsencrypt-prod) for onelab.k8s.selair.it

Made-with: Cursor
This commit is contained in:
timotheereausanofi
2026-03-20 10:29:50 +01:00
parent 279829cfee
commit 9cb1b10d6c
4 changed files with 16 additions and 7 deletions


@@ -54,6 +54,8 @@ Helm 3.19 may return empty content for `.Files.Get` on Windows; this chart uses
Enable `ingress.enabled` and set `ingress.host` (and optional TLS). Traffic is sent to Service **`revproxy`** (internal nginx). On k3s, `ingress.className: traefik` matches the default controller. Enable `ingress.enabled` and set `ingress.host` (and optional TLS). Traffic is sent to Service **`revproxy`** (internal nginx). On k3s, `ingress.className: traefik` matches the default controller.
For **cert-manager**, set `ingress.tls: true`, `ingress.tlsSecretName`, and `ingress.certManager.clusterIssuer` (e.g. `letsencrypt-prod`). Ensure a **DNS A/CNAME** for `ingress.host` points to your ingress before the ACME challenge runs.
## Not migrated in this chart ## Not migrated in this chart
- **Edge proxy stack** (`app/proxy/docker-compose.yml`, host 80/443 Swarm mode) — replaced for K8s by this **Ingress** + `revproxy`; optional **cert-manager** for TLS at the Ingress. - **Edge proxy stack** (`app/proxy/docker-compose.yml`, host 80/443 Swarm mode) — replaced for K8s by this **Ingress** + `revproxy`; optional **cert-manager** for TLS at the Ingress.


@@ -7,6 +7,9 @@ metadata:
{{- include "onelab.labels" . | nindent 4 }} {{- include "onelab.labels" . | nindent 4 }}
annotations: annotations:
argocd.argoproj.io/sync-wave: {{ .Values.syncWaves.apps | quote }} argocd.argoproj.io/sync-wave: {{ .Values.syncWaves.apps | quote }}
{{- if .Values.ingress.certManager.clusterIssuer }}
cert-manager.io/cluster-issuer: {{ .Values.ingress.certManager.clusterIssuer | quote }}
{{- end }}
{{- with .Values.ingress.annotations }} {{- with .Values.ingress.annotations }}
{{- toYaml . | nindent 4 }} {{- toYaml . | nindent 4 }}
{{- end }} {{- end }}
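Review bot: The `cert-manager.io/cluster-issuer` annotation added at the three new lines is emitted whenever `clusterIssuer` is non-empty, independent of `ingress.tls`; with `tls: false` the rendered Ingress carries the annotation but no `spec.tls` entry, and since cert-manager's ingress-shim derives Certificates from `spec.tls`, nothing is issued while the annotation reads as if TLS were active. Guarding on both values keeps the rendered object self-consistent: `{{- if and .Values.ingress.tls .Values.ingress.certManager.clusterIssuer }}`. The page rendering drops indentation, so it is worth confirming the annotation line sits at the same four-space indent as `argocd.argoproj.io/sync-wave`; a mis-indented line there makes the annotations map invalid YAML at render time. The `metadata:` block begins before the hunk and `spec:` lies outside it.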


@@ -97,6 +97,9 @@ ingress:
annotations: {} annotations: {}
tls: false tls: false
tlsSecretName: "" tlsSecretName: ""
certManager:
# When set, adds cert-manager.io/cluster-issuer annotation (TLS secret is created automatically).
clusterIssuer: ""
# Replica counts (api.apidevice etc. override defaults in templates/workloads.yaml via this map) # Replica counts (api.apidevice etc. override defaults in templates/workloads.yaml via this map)
replicas: replicas:
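Review bot: The comment on the new `certManager` key says the TLS secret is created automatically, but that only holds when `ingress.tls` is `true` and `ingress.tlsSecretName` is set, because cert-manager issues into the secret named in the Ingress `spec.tls`; the annotation on its own issues nothing. A reader who sets only `clusterIssuer` will wait for a certificate that never appears, so state the precondition, e.g. `# cert-manager ClusterIssuer name. Takes effect only with tls: true and tlsSecretName set; the certificate is then issued into that Secret.` If the chart ships a values.schema.json, the new `certManager.clusterIssuer` key needs adding there as well; that file is not on the page. The rendering loses indentation, so confirm `certManager` sits under `ingress:` at the same depth as `tlsSecretName`.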


@@ -23,8 +23,8 @@ postgresql:
password: "DBPasswordPlaceholder" password: "DBPasswordPlaceholder"
onelab: onelab:
# Match how users reach the UI (Ingress host); use https:// when ingress.tls is true. # Public URL (must match ingress host + scheme).
domain: "http://onelab.local" domain: "https://onelab.k8s.selair.it"
secrets: secrets:
authTokenKey: "TokenAuthPlaceholder" authTokenKey: "TokenAuthPlaceholder"
monitoringToken: "TokenMonitoringPlaceholder" monitoringToken: "TokenMonitoringPlaceholder"
@@ -40,11 +40,12 @@ revproxy:
ingress: ingress:
enabled: true enabled: true
className: traefik className: traefik
# Set DNS or /etc/hosts to this host pointing at your ingress (e.g. worker external IP or LB). host: onelab.k8s.selair.it
host: onelab.local
path: / path: /
pathType: Prefix pathType: Prefix
tls: true
# cert-manager writes the certificate into this Secret in the release namespace
tlsSecretName: onelab-tls-k8s-selair
certManager:
clusterIssuer: letsencrypt-prod
annotations: {} annotations: {}
tls: false
# tls: true
# tlsSecretName: onelab-tls # create with cert-manager or kubectl
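Review bot: The second hunk drops the old reminder that the host must resolve to the ingress, while enabling `tls: true` with the `letsencrypt-prod` issuer makes that precondition stricter: the ACME challenge for `onelab.k8s.selair.it` cannot complete until public DNS points at the ingress endpoint, and until it does the Ingress is served with the controller's fallback certificate rather than the expected one. Keep a comment next to `host`, e.g. `# Public DNS for this host must resolve to the ingress before the ACME challenge for letsencrypt-prod can succeed.` `onelab.domain` now advertises `https://`, but nothing in this file adds an HTTP-to-HTTPS redirect at the Ingress, so whether plain-HTTP requests reach the app with a mismatched scheme depends on the controller defaults or on `revproxy`, neither of which is on the page; if neither redirects, one can be added through `ingress.annotations`. Pointing straight at the production issuer also means that any misconfiguration (DNS, secret name, annotation indent) is debugged against Let's Encrypt rate limits; a staging issuer for the first rollout would avoid that, hedged since the issuer definitions are not shown.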