Switch from homelab.local to coreworlds.io with split-horizon DNS and LAN-only access controls

- Migrate all ingress hostnames from *.homelab.local to *.coreworlds.io - Remove broken Traefik certresolver config (cert-manager handles TLS) - Add internal-only IP allowlist middleware for platform services - Add IngressRoutes for ArgoCD, Grafana, Longhorn (LAN-only via middleware) - Seal and add Cloudflare API token for cert-manager DNS-01 challenges - Update cert-manager ClusterIssuers with real email - Update k3s TLS SAN to k3s.coreworlds.io - Rewrite Ubiquiti docs for single-node topology and split-horizon DNS - Fix seal-secret.sh controller name to match Helm release - Add UCG DNS setup script using API key auth
2026-03-20 19:21:46 +00:00
parent 4135d2102e
commit 71442a0405
18 changed files with 292 additions and 92 deletions
--- a/infra/kubernetes/platform/cert-manager-config/cloudflare-api-token-sealed.yaml
+++ b/infra/kubernetes/platform/cert-manager-config/cloudflare-api-token-sealed.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: cloudflare-api-token
+  namespace: cert-manager
+spec:
+  encryptedData:
+    api-token: AgBhOS+L5bWj4YIxV+u6waATX0iT9EAOCoA2FNDcJfqcH4nICK7zUakh7KaWjrLIYqlNHOFU66a5MZiuNs9IGtDwNSRXBXsuYauJoI2NripYchZ4InswNdzN3CjE9kgOwShOjCAcJz+emogXJq5lSFGr9pIYeyaZ2NIxKR6kcqBmNB1lTBeAOB5c8h/xh/eKq66HEd2gcaXqYgpe+w9I90f1WjASqV92oj6CNT4XhExAmThia7olA5n0o9ogJjdIb9LND/AL/Hf6USGpdfpu7Dr4XfNG1JzyksSiZVIXDXFlO7N6fyWrhOFWCZFCzdIvVhnt8niqCgSY2LutodqMjkfUM7WXjflznqf1x7b8jMb/O6RIYTGkOs8Dno7FrrYXJXOVoumbbd4eBvRUunfsa3qIE6LYSDmb9b8qZx03XKoS4hvcNSXh9VPJYCCK1uRHH6sbAcRwyLalAkuysAtOqH7ZIhAo5GsBwSaQjNVQIxFnDbKtOpQIcS3+nnJcPMcMa56OAAxFDG16J+U16PI/KJzhO4ubBWNt60yALhTtWizygVCPSxtLOU78VbMmAdZwdkc9daOy2USVDSxgJd0EhTunoQYcZUuJqjzCTlfflGP9XJ7WgGItXhsnQTJZVk7Np4s/9KGZtnJVTYpFp94Jp3yPxDXcgJX+6I+YSkqjvq3iYNlVrF4NDyEUE8C00zDE+6zbybsth1t6xXsMWxEU3g1rLtBxYIppBuI0INCLTUCuCzKUSC9oQvXo9mAVXQjgJ4I1za01lA==
+  template:
+    metadata:
+      name: cloudflare-api-token
+      namespace: cert-manager
--- a/infra/kubernetes/platform/cert-manager-config/clusterissuer-letsencrypt.yaml
+++ b/infra/kubernetes/platform/cert-manager-config/clusterissuer-letsencrypt.yaml
@@ -9,7 +9,7 @@ metadata:
 spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
-    email: admin@homelab.local
+    email: julia.eloise@pm.me
    privateKeySecretRef:
      name: letsencrypt-staging-key
    solvers:
@@ -26,7 +26,7 @@ metadata:
 spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
-    email: admin@homelab.local
+    email: julia.eloise@pm.me
    privateKeySecretRef:
      name: letsencrypt-production-key
    solvers:
--- a/infra/kubernetes/platform/cert-manager-config/kustomization.yaml
+++ b/infra/kubernetes/platform/cert-manager-config/kustomization.yaml
@@ -2,3 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - clusterissuer-letsencrypt.yaml
+  - cloudflare-api-token-sealed.yaml
--- a/infra/kubernetes/platform/traefik/helmchartconfig.yaml
+++ b/infra/kubernetes/platform/traefik/helmchartconfig.yaml
@@ -22,5 +22,3 @@ spec:
    metrics:
      prometheus:
        entryPoint: metrics
-    additionalArguments:
-      - "--entrypoints.websecure.http.tls.certresolver=letsencrypt"
--- a/infra/kubernetes/platform/traefik/ingressroute-argocd.yaml
+++ b/infra/kubernetes/platform/traefik/ingressroute-argocd.yaml
@@ -0,0 +1,22 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: argocd
+  namespace: platform
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-production
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`argocd.coreworlds.io`)
+      kind: Rule
+      middlewares:
+        - name: internal-only
+          namespace: platform
+      services:
+        - name: argocd-server
+          namespace: argocd
+          port: 80
+  tls:
+    secretName: argocd-tls
--- a/infra/kubernetes/platform/traefik/ingressroute-grafana.yaml
+++ b/infra/kubernetes/platform/traefik/ingressroute-grafana.yaml
@@ -0,0 +1,22 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: grafana
+  namespace: platform
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-production
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`grafana.coreworlds.io`)
+      kind: Rule
+      middlewares:
+        - name: internal-only
+          namespace: platform
+      services:
+        - name: kube-prometheus-stack-grafana
+          namespace: observability
+          port: 80
+  tls:
+    secretName: grafana-tls
--- a/infra/kubernetes/platform/traefik/ingressroute-longhorn.yaml
+++ b/infra/kubernetes/platform/traefik/ingressroute-longhorn.yaml
@@ -0,0 +1,22 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: longhorn
+  namespace: platform
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-production
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`longhorn.coreworlds.io`)
+      kind: Rule
+      middlewares:
+        - name: internal-only
+          namespace: platform
+      services:
+        - name: longhorn-frontend
+          namespace: longhorn-system
+          port: 80
+  tls:
+    secretName: longhorn-tls
--- a/infra/kubernetes/platform/traefik/kustomization.yaml
+++ b/infra/kubernetes/platform/traefik/kustomization.yaml
@@ -3,3 +3,7 @@ kind: Kustomization
 resources:
  - helmchartconfig.yaml
  - middleware-default-headers.yaml
+  - middleware-internal-only.yaml
+  - ingressroute-argocd.yaml
+  - ingressroute-grafana.yaml
+  - ingressroute-longhorn.yaml
--- a/infra/kubernetes/platform/traefik/middleware-internal-only.yaml
+++ b/infra/kubernetes/platform/traefik/middleware-internal-only.yaml
@@ -0,0 +1,11 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: internal-only
+  namespace: platform
+spec:
+  ipAllowList:
+    sourceRange:
+      - 192.168.1.0/24
+      - 10.42.0.0/16
+      - 10.43.0.0/16