update certs

2025-12-14 22:27:45 -07:00
parent e733a2584b
commit c28540cd44
18 changed files with 334 additions and 59 deletions
--- a/traefik/values.yaml.gotmpl
+++ b/traefik/values.yaml.gotmpl
@@ -1,11 +1,5 @@
 deployment:
-  initContainers:
-    - name: volume-permissions
-      image: busybox:latest
-      command: ["sh", "-c", "touch /data/acme.json; chmod -v 600 /data/acme.json"]
-      volumeMounts:
-        - name: data
-          mountPath: /data
+  replicas: 2

 resources:
  requests:
@@ -16,20 +10,33 @@ resources:
    memory: 128Mi

 updateStrategy:
-  type: Recreate
-    
-env:
- - name: HETZNER_API_KEY
-   valueFrom:
-     secretKeyRef:
-       name: hetzner-api-key
-       key: token
+  type: RollingUpdate
+  rollingUpdate:
+    maxUnavailable: 1
+    maxSurge: 1

+podDisruptionBudget:
+  enabled: true
+  minAvailable: 1
+
+affinity:
+  podAntiAffinity:
+    preferredDuringSchedulingIgnoredDuringExecution:
+      - weight: 100
+        podAffinityTerm:
+          labelSelector:
+            matchExpressions:
+              - key: app.kubernetes.io/name
+                operator: In
+                values:
+                  - traefik
+          topologyKey: kubernetes.io/hostname
+    
 additionalArguments:
 - "--api.basePath=/fog/traefik"

 persistence:
-  enabled: true
+  enabled: false
    
 logs:
  format: json    
@@ -49,7 +56,7 @@ ingressRoute:
    middlewares:
      - name: traefik-dashboard-auth
    tls:
-      certResolver: letsencrypt
+      secretName: fog-incngrnt-ca-tls

 ports:
  websecure:
@@ -99,12 +106,53 @@ extraObjects:
      redirectScheme:
        scheme: https
        permanent: true
+  - apiVersion: cert-manager.io/v1
+    kind: Certificate
+    metadata:
+      name: fog-incngrnt-ca
+      namespace: traefik
+    spec:
+      secretName: fog-incngrnt-ca-tls
+      issuerRef:
+        name: letsencrypt-incngrnt
+        kind: ClusterIssuer
+      dnsNames:
+        - fog.incngrnt.ca

-certificatesResolvers:
-  letsencrypt:
-    acme:
-      dnschallenge:
-        provider: hetzner
-        delaybeforecheck: 30
-      email: {{ requiredEnv "ACME_EMAIL" }}
-      storage: /data/acme.json 
+# other certs
+  - apiVersion: cert-manager.io/v1
+    kind: Certificate
+    metadata:
+      name: goatchat-ca
+      namespace: goatchat
+    spec:
+      secretName: goatchat-ca-tls
+      issuerRef:
+        name: letsencrypt-goatchat
+        kind: ClusterIssuer
+      dnsNames:
+        - goatchat.ca
+  - apiVersion: cert-manager.io/v1
+    kind: Certificate
+    metadata:
+      name: incngrnt-ca
+      namespace: incngrnt-web
+    spec:
+      secretName: incngrnt-ca-tls
+      issuerRef:
+        name: letsencrypt-incngrnt
+        kind: ClusterIssuer
+      dnsNames:
+        - incngrnt.ca
+  - apiVersion: cert-manager.io/v1
+    kind: Certificate
+    metadata:
+      name: photos-incngrnt-ca
+      namespace: immich
+    spec:
+      secretName: photos-incngrnt-ca-tls
+      issuerRef:
+        name: letsencrypt-incngrnt
+        kind: ClusterIssuer
+      dnsNames:
+        - photos.incngrnt.ca