Switch from homelab.local to coreworlds.io with split-horizon DNS and LAN-only access controls

- Migrate all ingress hostnames from *.homelab.local to *.coreworlds.io - Remove broken Traefik certresolver config (cert-manager handles TLS) - Add internal-only IP allowlist middleware for platform services - Add IngressRoutes for ArgoCD, Grafana, Longhorn (LAN-only via middleware) - Seal and add Cloudflare API token for cert-manager DNS-01 challenges - Update cert-manager ClusterIssuers with real email - Update k3s TLS SAN to k3s.coreworlds.io - Rewrite Ubiquiti docs for single-node topology and split-horizon DNS - Fix seal-secret.sh controller name to match Helm release - Add UCG DNS setup script using API key auth
2026-03-20 19:21:46 +00:00
parent 4135d2102e
commit 71442a0405
18 changed files with 292 additions and 92 deletions
--- a/infra/kubernetes/platform/traefik/helmchartconfig.yaml
+++ b/infra/kubernetes/platform/traefik/helmchartconfig.yaml
@@ -22,5 +22,3 @@ spec:
    metrics:
      prometheus:
        entryPoint: metrics
-    additionalArguments:
-      - "--entrypoints.websecure.http.tls.certresolver=letsencrypt"
--- a/infra/kubernetes/platform/traefik/ingressroute-argocd.yaml
+++ b/infra/kubernetes/platform/traefik/ingressroute-argocd.yaml
@@ -0,0 +1,22 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: argocd
+  namespace: platform
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-production
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`argocd.coreworlds.io`)
+      kind: Rule
+      middlewares:
+        - name: internal-only
+          namespace: platform
+      services:
+        - name: argocd-server
+          namespace: argocd
+          port: 80
+  tls:
+    secretName: argocd-tls
--- a/infra/kubernetes/platform/traefik/ingressroute-grafana.yaml
+++ b/infra/kubernetes/platform/traefik/ingressroute-grafana.yaml
@@ -0,0 +1,22 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: grafana
+  namespace: platform
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-production
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`grafana.coreworlds.io`)
+      kind: Rule
+      middlewares:
+        - name: internal-only
+          namespace: platform
+      services:
+        - name: kube-prometheus-stack-grafana
+          namespace: observability
+          port: 80
+  tls:
+    secretName: grafana-tls
--- a/infra/kubernetes/platform/traefik/ingressroute-longhorn.yaml
+++ b/infra/kubernetes/platform/traefik/ingressroute-longhorn.yaml
@@ -0,0 +1,22 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: longhorn
+  namespace: platform
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-production
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`longhorn.coreworlds.io`)
+      kind: Rule
+      middlewares:
+        - name: internal-only
+          namespace: platform
+      services:
+        - name: longhorn-frontend
+          namespace: longhorn-system
+          port: 80
+  tls:
+    secretName: longhorn-tls
--- a/infra/kubernetes/platform/traefik/kustomization.yaml
+++ b/infra/kubernetes/platform/traefik/kustomization.yaml
@@ -3,3 +3,7 @@ kind: Kustomization
 resources:
  - helmchartconfig.yaml
  - middleware-default-headers.yaml
+  - middleware-internal-only.yaml
+  - ingressroute-argocd.yaml
+  - ingressroute-grafana.yaml
+  - ingressroute-longhorn.yaml
--- a/infra/kubernetes/platform/traefik/middleware-internal-only.yaml
+++ b/infra/kubernetes/platform/traefik/middleware-internal-only.yaml
@@ -0,0 +1,11 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: internal-only
+  namespace: platform
+spec:
+  ipAllowList:
+    sourceRange:
+      - 192.168.1.0/24
+      - 10.42.0.0/16
+      - 10.43.0.0/16