maintenance: issue sentinel-only certificate for metis

services/maintenance/kustomization.yaml

@@ -35,6 +35,7 @@ resources:
   - node-image-sweeper-daemonset.yaml
   - image-sweeper-cronjob.yaml
   - metis-service.yaml
+  - metis-certificate.yaml
   - metis-ingress.yaml
 images:
   - name: registry.bstein.dev/bstein/ariadne

services/maintenance/metis-certificate.yaml

@@ -0,0 +1,13 @@
+# services/maintenance/metis-certificate.yaml
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: sentinel-tls
+  namespace: maintenance
+spec:
+  secretName: sentinel-tls
+  issuerRef:
+    kind: ClusterIssuer
+    name: letsencrypt
+  dnsNames:
+    - sentinel.bstein.dev

services/maintenance/metis-ingress.yaml

@@ -6,26 +6,15 @@ metadata:
   namespace: maintenance
   annotations:
     kubernetes.io/ingress.class: traefik
-    cert-manager.io/cluster-issuer: letsencrypt
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
     traefik.ingress.kubernetes.io/router.tls: "true"
     traefik.ingress.kubernetes.io/router.middlewares: sso-oauth2-proxy-errors@kubernetescrd,sso-oauth2-proxy-forward-auth@kubernetescrd
 spec:
   ingressClassName: traefik
   tls:
-    - hosts: ["metis.bstein.dev", "sentinel.bstein.dev"]
+    - hosts: ["sentinel.bstein.dev"]
-      secretName: metis-tls
+      secretName: sentinel-tls
   rules:
-    - host: metis.bstein.dev
-      http:
-        paths:
-          - path: /
-            pathType: Prefix
-            backend:
-              service:
-                name: metis
-                port:
-                  number: 80
     - host: sentinel.bstein.dev
       http:
         paths: