new mtls approach 4

new mtls approach 3
new mtls approach 2
2025-11-29 23:09:03 +01:00 · 2025-11-29 23:07:32 +01:00 · 2025-11-29 22:58:40 +01:00 · 2025-11-29 22:55:42 +01:00 · 2025-11-29 22:19:12 +01:00 · 2025-11-29 22:02:11 +01:00
5 changed files with 62 additions and 102 deletions
--- a/.woodpecker/predeploy.yml
+++ b/.woodpecker/predeploy.yml
@@ -33,7 +33,6 @@ steps:
        --namespace=$NAMESPACE 
        --dry-run=client -o yaml | kubectl apply -f - 
      - kubectl apply -f deployment/configmap.yaml -n $NAMESPACE
-      - kubectl apply -f deployment/mtls-config.yaml -n $NAMESPACE
    when:
      event: [tag]

--- a/deployment/api-deployment.yaml
+++ b/deployment/api-deployment.yaml
@@ -100,31 +100,3 @@ spec:
    targetPort: 8001
    name: http
  type: ClusterIP
---
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: api-ingress
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt-production-http
-    traefik.ingress.kubernetes.io/router.middlewares: homea2-mtls-auth@kubernetescrd,homea2-security-headers@kubernetescrd
-    traefik.ingress.kubernetes.io/router.tls.options: homea2-homea2-mtls@kubernetescrd
-    # Traefik 2 mTLS Configuration
-    traefik.ingress.kubernetes.io/router.tls.options: homea2-mtls@kubernetescrd
-    traefik.ingress.kubernetes.io/router.middlewares: homea2-mtls-auth@kubernetescrd
-spec:
-  tls:
-    - hosts:
-        - homea2-api.hottis.de
-      secretName: homea2-api-cert
-  rules:
-    - host: homea2-api.hottis.de
-      http:
-        paths:
-          - path: /
-            pathType: Prefix
-            backend:
-              service:
-                name: api
-                port:
-                  number: 80
--- a/deployment/ingress.yaml
+++ b/deployment/ingress.yaml
@@ -0,0 +1,62 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: homea2-cert
+spec:
+  secretName: homea2-cert
+  issuerRef:
+    name: letsencrypt-production-http
+    kind: ClusterIssuer
+  commonName: homea2.hottis.de
+  dnsNames:
+    - homea2.hottis.de
+    - homea2-api.hottis.de
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: TLSOption
+metadata:
+  name: mtls-required
+spec:
+  clientAuth:
+    clientAuthType: RequireAndVerifyClientCert
+    secretNames:
+      - mtls-ca-cert
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: ui
+spec:
+  entryPoints:
+    - websecure
+  tls:
+    secretName: homea2-cert
+    options:
+      name: mtls-required
+      namespace: homea2
+  routes:
+    - match: Host(`homea2.hottis.de`)
+      kind: Rule
+      services:
+        - name: ui
+          port: 80
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: api
+spec:
+  entryPoints:
+    - websecure
+  tls:
+    secretName: homea2-cert
+    options:
+      name: mtls-required
+      namespace: homea2
+  routes:
+    - match: Host(`homea2-api.hottis.de`)
+      kind: Rule
+      services:
+        - name: api
+          port: 80
+
--- a/deployment/mtls-config.yaml
+++ b/deployment/mtls-config.yaml
@@ -1,45 +0,0 @@
-apiVersion: traefik.containo.us/v1alpha1
-kind: TLSOption
-metadata:
-  name: homea2-mtls
-spec:
-  clientAuth:
-    secretNames:
-      - mtls-ca-cert
-    clientAuthType: RequireAndVerifyClientCert
-  minVersion: "VersionTLS12"
-  cipherSuites:
-    - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
-    - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
-    - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
-    - "TLS_RSA_WITH_AES_256_GCM_SHA384"
-    - "TLS_RSA_WITH_AES_128_GCM_SHA256"
---
-apiVersion: traefik.containo.us/v1alpha1
-kind: Middleware
-metadata:
-  name: mtls-auth
-spec:
-  headers:
-    customRequestHeaders:
-      X-Client-Cert: ""
-    customResponseHeaders:
-      X-mTLS-Verified: "true"
-  # Optional: Add IP whitelist for additional security
-  # ipWhiteList:
-  #   sourceRange:
-  #     - "10.0.0.0/8"
-  #     - "192.168.0.0/16"
---
-apiVersion: traefik.containo.us/v1alpha1
-kind: Middleware
-metadata:
-  name: security-headers
-spec:
-  headers:
-    customResponseHeaders:
-      X-Frame-Options: "SAMEORIGIN"
-      X-Content-Type-Options: "nosniff"
-      X-XSS-Protection: "1; mode=block"
-      Strict-Transport-Security: "max-age=31536000; includeSubDomains; preload"
-    contentSecurityPolicy: "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'"
--- a/deployment/ui-deployment.yaml
+++ b/deployment/ui-deployment.yaml
@@ -77,31 +77,3 @@ spec:
    targetPort: 8002
    name: http
  type: ClusterIP
---
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: ui-ingress
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt-production-http
-    traefik.ingress.kubernetes.io/router.middlewares: homea2-mtls-auth@kubernetescrd,homea2-security-headers@kubernetescrd
-    traefik.ingress.kubernetes.io/router.tls.options: homea2-homea2-mtls@kubernetescrd
-    # Traefik 2 mTLS Configuration
-    traefik.ingress.kubernetes.io/router.tls.options: homea2-mtls@kubernetescrd
-    traefik.ingress.kubernetes.io/router.middlewares: homea2-mtls-auth@kubernetescrd
-spec:
-  tls:
-    - hosts:
-        - homea2.hottis.de
-      secretName: homea2-ui-cert
-  rules:
-    - host: homea2.hottis.de
-      http:
-        paths:
-          - path: /
-            pathType: Prefix
-            backend:
-              service:
-                name: ui
-                port:
-                  number: 80
Author	SHA1	Message	Date
Wolfgang Hottgenroth	0c2f3f2e83	new mtls approach 4 All checks were successful ci/woodpecker/push/build/4 Pipeline was successful Details ci/woodpecker/push/build/3 Pipeline was successful Details ci/woodpecker/push/predeploy Pipeline was successful Details ci/woodpecker/push/build/1 Pipeline was successful Details ci/woodpecker/push/build/2 Pipeline was successful Details ci/woodpecker/push/deploy/3 Pipeline was successful Details ci/woodpecker/push/deploy/4 Pipeline was successful Details ci/woodpecker/push/deploy/1 Pipeline was successful Details ci/woodpecker/push/deploy/2 Pipeline was successful Details ci/woodpecker/tag/predeploy Pipeline was successful Details ci/woodpecker/tag/build/4 Pipeline was successful Details ci/woodpecker/tag/build/1 Pipeline was successful Details ci/woodpecker/tag/build/2 Pipeline was successful Details ci/woodpecker/tag/build/3 Pipeline was successful Details ci/woodpecker/tag/deploy/3 Pipeline was successful Details ci/woodpecker/tag/deploy/2 Pipeline was successful Details ci/woodpecker/tag/deploy/4 Pipeline was successful Details ci/woodpecker/tag/deploy/1 Pipeline was successful Details	2025-11-29 23:09:03 +01:00
Wolfgang Hottgenroth	418f813e80	new mtls approach 3 All checks were successful ci/woodpecker/push/build/3 Pipeline was successful Details ci/woodpecker/push/predeploy Pipeline was successful Details ci/woodpecker/push/build/4 Pipeline was successful Details ci/woodpecker/push/build/1 Pipeline was successful Details ci/woodpecker/push/build/2 Pipeline was successful Details ci/woodpecker/push/deploy/4 Pipeline was successful Details ci/woodpecker/push/deploy/2 Pipeline was successful Details ci/woodpecker/push/deploy/1 Pipeline was successful Details ci/woodpecker/push/deploy/3 Pipeline was successful Details	2025-11-29 23:07:32 +01:00
Wolfgang Hottgenroth	2b2fd92923	new mtls approach 2 Some checks failed ci/woodpecker/push/build/4 Pipeline was successful Details ci/woodpecker/push/build/3 Pipeline failed Details ci/woodpecker/push/build/2 Pipeline failed Details ci/woodpecker/push/predeploy Pipeline failed Details ci/woodpecker/push/build/1 Pipeline failed Details ci/woodpecker/push/deploy/1 unknown status Details ci/woodpecker/push/deploy/2 unknown status Details ci/woodpecker/push/deploy/3 unknown status Details ci/woodpecker/push/deploy/4 unknown status Details ci/woodpecker/tag/predeploy Pipeline was successful Details ci/woodpecker/tag/build/1 Pipeline was successful Details ci/woodpecker/tag/build/4 Pipeline was successful Details ci/woodpecker/tag/build/2 Pipeline was successful Details ci/woodpecker/tag/build/3 Pipeline was successful Details ci/woodpecker/tag/deploy/3 Pipeline was successful Details ci/woodpecker/tag/deploy/2 Pipeline was successful Details ci/woodpecker/tag/deploy/1 Pipeline was successful Details ci/woodpecker/tag/deploy/4 Pipeline was successful Details	2025-11-29 22:58:40 +01:00
Wolfgang Hottgenroth	8fa81be750	new mtls approach All checks were successful ci/woodpecker/push/build/1 Pipeline was successful Details ci/woodpecker/push/build/4 Pipeline was successful Details ci/woodpecker/push/predeploy Pipeline was successful Details ci/woodpecker/push/build/3 Pipeline was successful Details ci/woodpecker/push/build/2 Pipeline was successful Details ci/woodpecker/push/deploy/3 Pipeline was successful Details ci/woodpecker/push/deploy/4 Pipeline was successful Details ci/woodpecker/push/deploy/2 Pipeline was successful Details ci/woodpecker/push/deploy/1 Pipeline was successful Details ci/woodpecker/tag/predeploy Pipeline was successful Details ci/woodpecker/tag/build/4 Pipeline was successful Details ci/woodpecker/tag/build/1 Pipeline was successful Details ci/woodpecker/tag/build/3 Pipeline was successful Details ci/woodpecker/tag/build/2 Pipeline was successful Details ci/woodpecker/tag/deploy/3 Pipeline was successful Details ci/woodpecker/tag/deploy/1 Pipeline was successful Details ci/woodpecker/tag/deploy/4 Pipeline was successful Details ci/woodpecker/tag/deploy/2 Pipeline was successful Details	2025-11-29 22:55:42 +01:00
Wolfgang Hottgenroth	205baa7e01	mtls fix 3 Some checks failed ci/woodpecker/push/build/4 Pipeline was successful Details ci/woodpecker/push/predeploy Pipeline was successful Details ci/woodpecker/push/build/3 Pipeline was successful Details ci/woodpecker/push/build/2 Pipeline failed Details ci/woodpecker/push/deploy/2 unknown status Details ci/woodpecker/push/deploy/3 unknown status Details ci/woodpecker/push/build/1 Pipeline failed Details ci/woodpecker/push/deploy/1 unknown status Details ci/woodpecker/push/deploy/4 unknown status Details ci/woodpecker/tag/predeploy Pipeline was successful Details ci/woodpecker/tag/build/4 Pipeline was successful Details ci/woodpecker/tag/build/1 Pipeline was successful Details ci/woodpecker/tag/build/3 Pipeline was successful Details ci/woodpecker/tag/build/2 Pipeline was successful Details ci/woodpecker/tag/deploy/1 Pipeline was successful Details ci/woodpecker/tag/deploy/2 Pipeline was successful Details ci/woodpecker/tag/deploy/4 Pipeline was successful Details ci/woodpecker/tag/deploy/3 Pipeline was successful Details	2025-11-29 22:19:12 +01:00
Wolfgang Hottgenroth	f3f9238d5f	mtls fix 2 Some checks failed ci/woodpecker/push/build/2 Pipeline was successful Details ci/woodpecker/push/build/1 Pipeline failed Details ci/woodpecker/push/predeploy Pipeline failed Details ci/woodpecker/push/build/3 Pipeline failed Details ci/woodpecker/push/build/4 Pipeline failed Details ci/woodpecker/push/deploy/1 unknown status Details ci/woodpecker/push/deploy/2 unknown status Details ci/woodpecker/push/deploy/3 unknown status Details ci/woodpecker/push/deploy/4 unknown status Details ci/woodpecker/tag/predeploy Pipeline was successful Details ci/woodpecker/tag/build/1 Pipeline was successful Details ci/woodpecker/tag/build/4 Pipeline was successful Details ci/woodpecker/tag/build/2 Pipeline was successful Details ci/woodpecker/tag/build/3 Pipeline was successful Details ci/woodpecker/tag/deploy/1 Pipeline was successful Details ci/woodpecker/tag/deploy/3 Pipeline was successful Details ci/woodpecker/tag/deploy/2 Pipeline was successful Details ci/woodpecker/tag/deploy/4 Pipeline was successful Details	2025-11-29 22:02:11 +01:00