Switch from homelab.local to coreworlds.io with split-horizon DNS and LAN-only access controls

- Migrate all ingress hostnames from *.homelab.local to *.coreworlds.io - Remove broken Traefik certresolver config (cert-manager handles TLS) - Add internal-only IP allowlist middleware for platform services - Add IngressRoutes for ArgoCD, Grafana, Longhorn (LAN-only via middleware) - Seal and add Cloudflare API token for cert-manager DNS-01 challenges - Update cert-manager ClusterIssuers with real email - Update k3s TLS SAN to k3s.coreworlds.io - Rewrite Ubiquiti docs for single-node topology and split-horizon DNS - Fix seal-secret.sh controller name to match Helm release - Add UCG DNS setup script using API key auth
2026-03-20 19:21:46 +00:00
parent 4135d2102e
commit 71442a0405
18 changed files with 292 additions and 92 deletions
--- a/infra/kubernetes/platform/cert-manager-config/cloudflare-api-token-sealed.yaml
+++ b/infra/kubernetes/platform/cert-manager-config/cloudflare-api-token-sealed.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: cloudflare-api-token
+  namespace: cert-manager
+spec:
+  encryptedData:
+    api-token: AgBhOS+L5bWj4YIxV+u6waATX0iT9EAOCoA2FNDcJfqcH4nICK7zUakh7KaWjrLIYqlNHOFU66a5MZiuNs9IGtDwNSRXBXsuYauJoI2NripYchZ4InswNdzN3CjE9kgOwShOjCAcJz+emogXJq5lSFGr9pIYeyaZ2NIxKR6kcqBmNB1lTBeAOB5c8h/xh/eKq66HEd2gcaXqYgpe+w9I90f1WjASqV92oj6CNT4XhExAmThia7olA5n0o9ogJjdIb9LND/AL/Hf6USGpdfpu7Dr4XfNG1JzyksSiZVIXDXFlO7N6fyWrhOFWCZFCzdIvVhnt8niqCgSY2LutodqMjkfUM7WXjflznqf1x7b8jMb/O6RIYTGkOs8Dno7FrrYXJXOVoumbbd4eBvRUunfsa3qIE6LYSDmb9b8qZx03XKoS4hvcNSXh9VPJYCCK1uRHH6sbAcRwyLalAkuysAtOqH7ZIhAo5GsBwSaQjNVQIxFnDbKtOpQIcS3+nnJcPMcMa56OAAxFDG16J+U16PI/KJzhO4ubBWNt60yALhTtWizygVCPSxtLOU78VbMmAdZwdkc9daOy2USVDSxgJd0EhTunoQYcZUuJqjzCTlfflGP9XJ7WgGItXhsnQTJZVk7Np4s/9KGZtnJVTYpFp94Jp3yPxDXcgJX+6I+YSkqjvq3iYNlVrF4NDyEUE8C00zDE+6zbybsth1t6xXsMWxEU3g1rLtBxYIppBuI0INCLTUCuCzKUSC9oQvXo9mAVXQjgJ4I1za01lA==
+  template:
+    metadata:
+      name: cloudflare-api-token
+      namespace: cert-manager
--- a/infra/kubernetes/platform/cert-manager-config/clusterissuer-letsencrypt.yaml
+++ b/infra/kubernetes/platform/cert-manager-config/clusterissuer-letsencrypt.yaml
@@ -9,7 +9,7 @@ metadata:
 spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
-    email: admin@homelab.local
+    email: julia.eloise@pm.me
    privateKeySecretRef:
      name: letsencrypt-staging-key
    solvers:
@@ -26,7 +26,7 @@ metadata:
 spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
-    email: admin@homelab.local
+    email: julia.eloise@pm.me
    privateKeySecretRef:
      name: letsencrypt-production-key
    solvers:
--- a/infra/kubernetes/platform/cert-manager-config/kustomization.yaml
+++ b/infra/kubernetes/platform/cert-manager-config/kustomization.yaml
@@ -2,3 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - clusterissuer-letsencrypt.yaml
+  - cloudflare-api-token-sealed.yaml