maintenance: issue sentinel-only certificate for metis

2026-03-31 17:01:23 -03:00 · 2026-03-31 17:01:23 -03:00 · 503cd62fdd
commit 503cd62fdd
parent 043999c847
3 changed files with 16 additions and 13 deletions
--- a/services/maintenance/kustomization.yaml
+++ b/services/maintenance/kustomization.yaml
@ -35,6 +35,7 @@ resources:
  - node-image-sweeper-daemonset.yaml
  - image-sweeper-cronjob.yaml
  - metis-service.yaml
+  - metis-certificate.yaml
  - metis-ingress.yaml
 images:
  - name: registry.bstein.dev/bstein/ariadne
--- a/services/maintenance/metis-certificate.yaml
+++ b/services/maintenance/metis-certificate.yaml
@ -0,0 +1,13 @@
+# services/maintenance/metis-certificate.yaml
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: sentinel-tls
+  namespace: maintenance
+spec:
+  secretName: sentinel-tls
+  issuerRef:
+    kind: ClusterIssuer
+    name: letsencrypt
+  dnsNames:
+    - sentinel.bstein.dev
--- a/services/maintenance/metis-ingress.yaml
+++ b/services/maintenance/metis-ingress.yaml
@ -6,26 +6,15 @@ metadata:
  namespace: maintenance
  annotations:
    kubernetes.io/ingress.class: traefik
-    cert-manager.io/cluster-issuer: letsencrypt
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
    traefik.ingress.kubernetes.io/router.middlewares: sso-oauth2-proxy-errors@kubernetescrd,sso-oauth2-proxy-forward-auth@kubernetescrd
 spec:
  ingressClassName: traefik
  tls:
-    - hosts: ["metis.bstein.dev", "sentinel.bstein.dev"]
-      secretName: metis-tls
+    - hosts: ["sentinel.bstein.dev"]
+      secretName: sentinel-tls
  rules:
-    - host: metis.bstein.dev
-      http:
-        paths:
-          - path: /
-            pathType: Prefix
-            backend:
-              service:
-                name: metis
-                port:
-                  number: 80
    - host: sentinel.bstein.dev
      http:
        paths: