From 38ab8e33641700029b435f756fa3854086d0bff0 Mon Sep 17 00:00:00 2001
From: Brad Stein
Date: Fri, 12 Dec 2025 15:18:40 -0300
Subject: [PATCH] standardize cert issuers to letsencrypt

---
 clusters/oceanus/README.md | 5 -----
 docs/topology.md | 9 ++++-----
 services/gitea/ingress.yaml | 2 +-
 services/jitsi/ingress.yaml | 2 +-
 services/pegasus/ingress.yaml | 2 +-
 services/vault/certificate.yaml | 2 +-
 services/zot/ingress.yaml | 2 +-
 7 files changed, 9 insertions(+), 15 deletions(-)
 delete mode 100644 clusters/oceanus/README.md

diff --git a/clusters/oceanus/README.md b/clusters/oceanus/README.md
deleted file mode 100644
index d91b52f..0000000
--- a/clusters/oceanus/README.md
+++ /dev/null
@@ -1,5 +0,0 @@
-# Oceanus Cluster Scaffold
-
-This directory prepares the Flux and Kustomize layout for a future Oceanus-managed cluster.
-Populate `flux-system/` with `gotk-components.yaml` and related manifests after running `flux bootstrap`.
-Define node-specific resources under `infrastructure/modules/profiles/oceanus-validator/` and reference workloads in `applications/` as they come online.
diff --git a/docs/topology.md b/docs/topology.md
index 27b06f5..1e37235 100644
--- a/docs/topology.md
+++ b/docs/topology.md
@@ -2,15 +2,14 @@
 | Hostname | Role / Function | Managed By | Notes |
 |------------|--------------------------------|---------------------|-------|
+| titan-db | HA control plane database | Ansible | PostgreSQL / etcd backing services |
 | titan-0a | Kubernetes control-plane | Flux (atlas cluster)| HA leader, tainted for control only |
 | titan-0b | Kubernetes control-plane | Flux (atlas cluster)| Standby control node |
 | titan-0c | Kubernetes control-plane | Flux (atlas cluster)| Standby control node |
 | titan-04-19| Raspberry Pi workers | Flux (atlas cluster)| Workload nodes, labelled per hardware |
+| titan-20&21| NVIDIA Jetson workers | Flux (atlas cluster)| Workload nodes, labelled per hardware |
 | titan-22 | GPU mini-PC (Jellyfin) | Flux + Ansible | NVIDIA runtime managed via `modules/profiles/atlas-ha` |
+| titan-23 | Dedicated SUI validator Oceanus| Manual + Ansible | Baremetal validator workloads, exposes metrics to atlas |
 | titan-24 | Tethys hybrid node | Flux + Ansible | Runs SUI metrics via K8s, validator via Ansible |
-| titan-db | HA control plane database | Ansible | PostgreSQL / etcd backing services |
-| titan-jh | Jumphost & bastion | Ansible | Entry point / future KVM services |
-| oceanus | Dedicated SUI validator host | Ansible / Flux prep | Baremetal validator workloads, exposes metrics to atlas; Kustomize scaffold under `clusters/oceanus/` |
+| titan-jh | Jumphost & bastion & lesavka | Ansible | Entry point / future KVM services / custom kvm - lesavaka |
 | styx | Air-gapped workstation | Manual / Scripts | Remains isolated, scripts tracked in `hosts/styx` |
-
-Use the `clusters/` directory for cluster-scoped state and the `hosts/` directory for baremetal orchestration.
diff --git a/services/gitea/ingress.yaml b/services/gitea/ingress.yaml
index 375dba3..0077ba4 100644
--- a/services/gitea/ingress.yaml
+++ b/services/gitea/ingress.yaml
@@ -5,7 +5,7 @@ metadata:
   name: gitea-ingress
   namespace: gitea
   annotations:
-    cert-manager.io/cluster-issuer: "letsencrypt-prod"
+    cert-manager.io/cluster-issuer: letsencrypt
     nginx.ingress.kubernetes.io/ssl-redirect: "true"
 spec:
   tls:
diff --git a/services/jitsi/ingress.yaml b/services/jitsi/ingress.yaml
index c09b669..3336c37 100644
--- a/services/jitsi/ingress.yaml
+++ b/services/jitsi/ingress.yaml
@@ -5,7 +5,7 @@ metadata:
   name: jitsi
   namespace: jitsi
   annotations:
-    cert-manager.io/cluster-issuer: "letsencrypt-prod"
+    cert-manager.io/cluster-issuer: letsencrypt
 spec:
   ingressClassName: traefik
   tls:
diff --git a/services/pegasus/ingress.yaml b/services/pegasus/ingress.yaml
index 48d22c3..2ab7a2e 100644
--- a/services/pegasus/ingress.yaml
+++ b/services/pegasus/ingress.yaml
@@ -8,7 +8,7 @@ metadata:
     kubernetes.io/ingress.class: traefik
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
     traefik.ingress.kubernetes.io/router.tls: "true"
-    cert-manager.io/cluster-issuer: letsencrypt-prod
+    cert-manager.io/cluster-issuer: letsencrypt
 spec:
   tls:
     - hosts: [ "pegasus.bstein.dev" ]
diff --git a/services/vault/certificate.yaml b/services/vault/certificate.yaml
index 983c7fe..2d32f65 100644
--- a/services/vault/certificate.yaml
+++ b/services/vault/certificate.yaml
@@ -8,7 +8,7 @@ spec:
   secretName: vault-server-tls
   issuerRef:
     kind: ClusterIssuer
-    name: letsencrypt-prod
+    name: letsencrypt
   commonName: secret.bstein.dev
   dnsNames:
     - secret.bstein.dev
diff --git a/services/zot/ingress.yaml b/services/zot/ingress.yaml
index 3425535..12f6c60 100644
--- a/services/zot/ingress.yaml
+++ b/services/zot/ingress.yaml
@@ -5,7 +5,7 @@ metadata:
   name: zot
   namespace: zot
   annotations:
-    cert-manager.io/cluster-issuer: letsencrypt-prod
+    cert-manager.io/cluster-issuer: letsencrypt
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
     traefik.ingress.kubernetes.io/router.tls: "true"
     traefik.ingress.kubernetes.io/router.middlewares: zot-zot-resp-headers@kubernetescrd
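Review bot: The new issuer name `letsencrypt` is referenced by the gitea, jitsi, pegasus and zot Ingress annotations and by the Vault Certificate's issuerRef, but no ClusterIssuer manifest of that name is added or modified by this commit (the diffstat lists only the five service files and two docs), so unless the object already exists in the cluster every one of these certificates will stop issuing and renewing once Flux applies the change. Please confirm the `letsencrypt` ClusterIssuer is tracked in version control and points at the production ACME endpoint rather than staging — `kubectl get clusterissuer letsencrypt -o jsonpath='{.spec.acme.server}'` shows which — because a staging issuer would hand these public hosts (secret.bstein.dev, pegasus.bstein.dev, …) browser-untrusted certificates. Changing an existing Certificate's issuerRef is likely to make cert-manager re-issue it, so expect a fresh CertificateRequest per host on reconciliation; keeping the old `letsencrypt-prod` ClusterIssuer object until those have completed avoids a TLS gap if the new name is missing. The enclosing Ingress and Certificate documents start and end outside these hunks.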