fix tls: use letsencrypt-prod cluster-issuer for jellyfin/n8n/qbittorrent/myorg/phoenix/fava

The ingresses referenced a Cloudflare OriginIssuer 'prod-issuer' whose CRD
and controller are not installed in the cluster, so cert-manager could not
issue certs and Traefik served a default cert (invalid SSL). Switch to the
existing letsencrypt-prod ClusterIssuer with specific hostnames + per-app
secrets, matching the working ingresses (http-01 cannot issue wildcards).
Roger Oriol
2026-06-23 11:46:38 +02:00
parent 872d2d0622
commit 66433ff0b1
6 changed files with 16 additions and 28 deletions


@@ -7,9 +7,7 @@ metadata:
annotations: annotations:
kubernetes.io/ingress.class: "traefik" kubernetes.io/ingress.class: "traefik"
traefik.ingress.kubernetes.io/redirect-entry-point: https traefik.ingress.kubernetes.io/redirect-entry-point: https
cert-manager.io/issuer: prod-issuer cert-manager.io/cluster-issuer: letsencrypt-prod
cert-manager.io/issuer-kind: OriginIssuer
cert-manager.io/issuer-group: cert-manager.k8s.cloudflare.com
spec: spec:
tls: tls:
- hosts: - hosts:
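Review bot: The `tls` host list and `secretName` sit below the last line of this hunk and are unchanged, so this is the only one of the six files whose certificate request is not visibly narrowed to a single hostname. If that entry still lists `"*.rogi.casa"` or the shared `rogicasa-tls` secret, the http-01 solver named in the commit message cannot satisfy it and Traefik would keep serving its default certificate. It is worth confirming the entry reads like the other files, e.g. `- <app>.rogi.casa` with `secretName: <app>-tls` (placeholders; the real values are outside the hunk).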


@@ -7,14 +7,12 @@ metadata:
kubernetes.io/ingress.class: "traefik" kubernetes.io/ingress.class: "traefik"
traefik.ingress.kubernetes.io/redirect-entry-point: https traefik.ingress.kubernetes.io/redirect-entry-point: https
traefik.ingress.kubernetes.io/compress: "true" traefik.ingress.kubernetes.io/compress: "true"
cert-manager.io/issuer: prod-issuer cert-manager.io/cluster-issuer: letsencrypt-prod
cert-manager.io/issuer-kind: OriginIssuer
cert-manager.io/issuer-group: cert-manager.k8s.cloudflare.com
spec: spec:
tls: tls:
- hosts: - hosts:
- "*.rogi.casa" - jellyfin.rogi.casa
secretName: rogicasa-tls secretName: jellyfin-tls
rules: rules:
- host: jellyfin.rogi.casa - host: jellyfin.rogi.casa
http: http:
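Review bot: Replacing `"*.rogi.casa"` with `jellyfin.rogi.casa` means a publicly trusted certificate is issued per hostname, and each name is recorded in Certificate Transparency logs; the same holds for the myorg, n8n, phoenix and qbittorrent sections. Nothing on this page shows how these apps are protected once their names are discoverable, and http-01 validation presumably requires them to be reachable from the internet on port 80. I would add a comment above the host entry such as `# public LE cert: hostname appears in CT logs, keep app authentication enabled`, and confirm that each app enforces a login or sits behind an auth middleware.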


@@ -10,14 +10,12 @@ metadata:
traefik.ingress.kubernetes.io/redirect-entry-point: https traefik.ingress.kubernetes.io/redirect-entry-point: https
# Optional: enable compression # Optional: enable compression
traefik.ingress.kubernetes.io/compress: "true" traefik.ingress.kubernetes.io/compress: "true"
cert-manager.io/issuer: prod-issuer cert-manager.io/cluster-issuer: letsencrypt-prod
cert-manager.io/issuer-kind: OriginIssuer
cert-manager.io/issuer-group: cert-manager.k8s.cloudflare.com
spec: spec:
tls: tls:
- hosts: - hosts:
- "*.rogi.casa" - myorg.rogi.casa
secretName: rogicasa-tls secretName: myorg-tls
rules: rules:
- host: myorg.rogi.casa - host: myorg.rogi.casa
http: http:
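Review bot: The `traefik.ingress.kubernetes.io/redirect-entry-point: https` annotation kept here, and in the other five files, is Traefik 1.x syntax that Traefik 2 and later do not read. If the cluster runs a newer Traefik, plain HTTP is not redirected even once the certificate is valid; the Traefik version is not visible on this page, so this needs confirming. On Traefik 2+ the equivalent is `traefik.ingress.kubernetes.io/router.entrypoints: websecure` plus `traefik.ingress.kubernetes.io/router.tls: "true"`, with the redirect set on the HTTP entry point or through a redirectScheme middleware. The entry point name depends on the install.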


@@ -10,14 +10,12 @@ metadata:
traefik.ingress.kubernetes.io/redirect-entry-point: https traefik.ingress.kubernetes.io/redirect-entry-point: https
# Optional: enable compression # Optional: enable compression
traefik.ingress.kubernetes.io/compress: "true" traefik.ingress.kubernetes.io/compress: "true"
cert-manager.io/issuer: prod-issuer cert-manager.io/cluster-issuer: letsencrypt-prod
cert-manager.io/issuer-kind: OriginIssuer
cert-manager.io/issuer-group: cert-manager.k8s.cloudflare.com
spec: spec:
tls: tls:
- hosts: - hosts:
- "*.rogi.casa" - n8n.rogi.casa
secretName: rogicasa-tls secretName: n8n-tls
rules: rules:
- host: n8n.rogi.casa - host: n8n.rogi.casa
http: http:


@@ -10,14 +10,12 @@ metadata:
traefik.ingress.kubernetes.io/redirect-entry-point: https traefik.ingress.kubernetes.io/redirect-entry-point: https
# Optional: enable compression # Optional: enable compression
traefik.ingress.kubernetes.io/compress: "true" traefik.ingress.kubernetes.io/compress: "true"
cert-manager.io/issuer: prod-issuer cert-manager.io/cluster-issuer: letsencrypt-prod
cert-manager.io/issuer-kind: OriginIssuer
cert-manager.io/issuer-group: cert-manager.k8s.cloudflare.com
spec: spec:
tls: tls:
- hosts: - hosts:
- "*.rogi.casa" - phoenix.rogi.casa
secretName: rogicasa-tls secretName: phoenix-tls
rules: rules:
- host: phoenix.rogi.casa - host: phoenix.rogi.casa
http: http:


@@ -7,14 +7,12 @@ metadata:
kubernetes.io/ingress.class: "traefik" kubernetes.io/ingress.class: "traefik"
traefik.ingress.kubernetes.io/redirect-entry-point: https traefik.ingress.kubernetes.io/redirect-entry-point: https
traefik.ingress.kubernetes.io/compress: "true" traefik.ingress.kubernetes.io/compress: "true"
cert-manager.io/issuer: prod-issuer cert-manager.io/cluster-issuer: letsencrypt-prod
cert-manager.io/issuer-kind: OriginIssuer
cert-manager.io/issuer-group: cert-manager.k8s.cloudflare.com
spec: spec:
tls: tls:
- hosts: - hosts:
- "*.rogi.casa" - qbittorrent.rogi.casa
secretName: rogicasa-tls secretName: qbittorrent-tls
rules: rules:
- host: qbittorrent.rogi.casa - host: qbittorrent.rogi.casa
http: http: