feat(networking): Use cluster domain env var

eaglesemanation · Mar 26, 2024 · db45526 · db45526
1 parent eb0dee4
commit db45526
Showing 22 changed files with 76 additions and 76 deletions.
diff --git a/k8s/apps/network/cilium/ingress.k8s.yaml b/k8s/apps/network/cilium/ingress.k8s.yaml
@@ -13,7 +13,7 @@ spec:
     - websecure
   routes:
     - kind: Rule
-      match: Host(`hubble.emnt.dev`)
+      match: Host(`hubble.${CLUSTER_DOMAIN}`)
       middlewares:
         - name: authentik
           namespace: authentik
@@ -22,7 +22,7 @@ spec:
           namespace: cilium
           port: 80
     - kind: Rule
-      match: "Host(`hubble.emnt.dev`) && PathPrefix(`/outpost.goauthentik.io/`)"
+      match: "Host(`hubble.${CLUSTER_DOMAIN}`) && PathPrefix(`/outpost.goauthentik.io/`)"
       services:
         - name: authentik-server
           namespace: authentik

diff --git a/k8s/apps/network/external-services/klipper/ingress.k8s.yaml b/k8s/apps/network/external-services/klipper/ingress.k8s.yaml
@@ -14,7 +14,7 @@ spec:
     - websecure
   routes:
     - kind: Rule
-      match: Host(`mainsail.emnt.dev`)
+      match: Host(`mainsail.${CLUSTER_DOMAIN}`)
       middlewares:
         - name: authentik
           namespace: authentik
@@ -23,7 +23,7 @@ spec:
           namespace: klipper
           port: http
     - kind: Rule
-      match: "Host(`mainsail.emnt.dev`) && PathPrefix(`/outpost.goauthentik.io/`)"
+      match: "Host(`mainsail.${CLUSTER_DOMAIN}`) && PathPrefix(`/outpost.goauthentik.io/`)"
       services:
         - name: authentik-server
           namespace: authentik

diff --git a/k8s/apps/network/external-services/opnsense/ingress.k8s.yaml b/k8s/apps/network/external-services/opnsense/ingress.k8s.yaml
@@ -6,7 +6,7 @@ metadata:
 spec:
   ingressClassName: ingress-internal-traefik
   rules:
-    - host: opnsense.emnt.dev
+    - host: opnsense.${CLUSTER_DOMAIN}
       http:
         paths:
           - path: /

diff --git a/k8s/apps/network/external-services/truenas/ingress.k8s.yaml b/k8s/apps/network/external-services/truenas/ingress.k8s.yaml
@@ -6,7 +6,7 @@ metadata:
 spec:
   ingressClassName: ingress-internal-traefik
   rules:
-    - host: nas.emnt.dev
+    - host: nas.${CLUSTER_DOMAIN}
       http:
         paths:
           - path: /
@@ -25,7 +25,7 @@ metadata:
 spec:
   ingressClassName: ingress-internal-traefik
   rules:
-    - host: minio.emnt.dev
+    - host: minio.${CLUSTER_DOMAIN}
       http:
         paths:
           - path: /
@@ -35,7 +35,7 @@ spec:
                 name: truenas
                 port:
                   number: 9000
-    - host: minio-console.emnt.dev
+    - host: minio-console.${CLUSTER_DOMAIN}
       http:
         paths:
           - path: /

diff --git a/k8s/apps/network/headscale/acl.yaml b/k8s/apps/network/headscale/acl.yaml
@@ -55,14 +55,14 @@ acls:
       ]
 groups:
   group:gateways:
-    - emnt.dev
+    - ${CLUSTER_DOMAIN}
 tagOwners:
   tag:shared:
     - eaglesemanation # TODO: Replace with autogroup:members when possible
 autoApprovers:
   routes:
     192.168.25.0/24:
-      - emnt.dev
+      - ${CLUSTER_DOMAIN}
   exitNode:
     - group:gateways
 randomizeClientPort: true
diff --git a/k8s/apps/network/headscale/config.yaml b/k8s/apps/network/headscale/config.yaml
@@ -3,7 +3,7 @@
 #
 # https://myheadscale.example.com:443
 #
-server_url: https://headscale.emnt.dev
+server_url: https://headscale.${CLUSTER_DOMAIN}
 # Address to listen to / bind to on the server
 #
 # For production:
@@ -187,7 +187,7 @@ dns_config:
   # list of search domains and the DNS to query for each one.
   #
   restricted_nameservers:
-    emnt.dev:
+    ${CLUSTER_DOMAIN}:
       - ${SVC_DNS_ADDR}
   # Search domains to inject.
   domains: []
@@ -209,7 +209,7 @@ dns_config:
   # `base_domain` must be a FQDNs, without the trailing dot.
   # The FQDN of the hosts will be
   # `hostname.user.base_domain` (e.g., _myhost.myuser.example.com_).
-  base_domain: ts.emnt.dev
+  base_domain: ts.${CLUSTER_DOMAIN}
 # Unix socket used for the CLI to connect without authentication
 # Note: for production you will want to set this to something like:
 unix_socket: /var/run/headscale/headscale.sock
@@ -221,7 +221,7 @@ unix_socket_permission: "0770"
 # OpenID Connect
 oidc:
   only_start_if_oidc_is_available: true
-  issuer: https://authentik.emnt.dev/application/o/headscale/
+  issuer: https://authentik.${CLUSTER_DOMAIN}/application/o/headscale/
   client_id: "SZlkZgtylJLH4y3XOUKOd902gnRuhgfMzsmi0mCc"
   # Will be provided through env var HEADSCALE_OIDC_CLIENT_SECRET
   #client_secret: "your-oidc-client-secret"

diff --git a/k8s/apps/network/headscale/ingress.k8s.yaml b/k8s/apps/network/headscale/ingress.k8s.yaml
@@ -9,7 +9,7 @@ metadata:
 spec:
   ingressClassName: ingress-external-traefik
   rules:
-    - host: headscale.emnt.dev
+    - host: headscale.${CLUSTER_DOMAIN}
       http:
         paths:
           - path: /

diff --git a/k8s/apps/network/ingress/dashboard-ingress.k8s.yaml b/k8s/apps/network/ingress/dashboard-ingress.k8s.yaml
@@ -11,15 +11,15 @@ spec:
     - websecure
   routes:
     - kind: Rule
-      match: Host(`traefik-internal.emnt.dev`)
+      match: Host(`traefik-internal.${CLUSTER_DOMAIN}`)
       middlewares:
         - name: authentik
           namespace: authentik
       services:
         - name: api@internal
           kind: TraefikService
     - kind: Rule
-      match: Host(`traefik-internal.emnt.dev`) && PathPrefix(`/outpost.goauthentik.io/`)
+      match: Host(`traefik-internal.${CLUSTER_DOMAIN}`) && PathPrefix(`/outpost.goauthentik.io/`)
       services:
         - name: authentik-server
           namespace: authentik
@@ -38,15 +38,15 @@ spec:
     - websecure
   routes:
     - kind: Rule
-      match: Host(`traefik-external.emnt.dev`)
+      match: Host(`traefik-external.${CLUSTER_DOMAIN}`)
       middlewares:
         - name: authentik
           namespace: authentik
       services:
         - name: api@internal
           kind: TraefikService
     - kind: Rule
-      match: Host(`traefik-external.emnt.dev`) && PathPrefix(`/outpost.goauthentik.io/`)
+      match: Host(`traefik-external.${CLUSTER_DOMAIN}`) && PathPrefix(`/outpost.goauthentik.io/`)
       services:
         - name: authentik-server
           namespace: authentik

diff --git a/k8s/apps/network/ingress/internal-to-external.k8s.yaml b/k8s/apps/network/ingress/internal-to-external.k8s.yaml
@@ -11,7 +11,7 @@ spec:
     - websecure
   routes:
     - kind: Rule
-      match: HostRegexp(`{subdomain:.+}.emnt.dev`)
+      match: HostRegexp(`{subdomain:.+}.${CLUSTER_DOMAIN}`)
       priority: 1 # Lower number - lower priority
       services:
         - name: ingress-external-traefik

diff --git a/k8s/apps/network/ingress/wildcard-cert.k8s.yaml b/k8s/apps/network/ingress/wildcard-cert.k8s.yaml
@@ -6,7 +6,7 @@ metadata:
   namespace: ingress
 spec:
   dnsNames:
-    - "*.emnt.dev"
+    - "*.${CLUSTER_DOMAIN}"
   issuerRef:
     name: letsencrypt-prod
     kind: ClusterIssuer

diff --git a/k8s/apps/network/kube-system/coredns-config.k8s.yaml b/k8s/apps/network/kube-system/coredns-config.k8s.yaml
@@ -25,15 +25,15 @@ data:
             ${KLIPPER_ADDR} ${KLIPPER_URL}
             fallthrough
         }
-        file /etc/coredns/emnt.dev.db emnt.dev
+        file /etc/coredns/cluster_domain.db ${CLUSTER_DOMAIN}
         forward . /etc/resolv.conf
         cache 30
         loop
         reload
         loadbalance
     }
-  emnt.dev.db: |-
-    $ORIGIN emnt.dev.
+  cluster_domain.db: |-
+    $ORIGIN ${CLUSTER_DOMAIN}.
     @   3600 IN SOA edward.ns.cloudflare.com. nia.ns.cloudflare.com. (
                     2023071923 ; serial
                     7200       ; refresh (2 hours)

diff --git a/k8s/apps/network/kube-system/coredns-deployment.k8s.yaml b/k8s/apps/network/kube-system/coredns-deployment.k8s.yaml
@@ -26,5 +26,5 @@ spec:
             items:
               - key: Corefile
                 path: Corefile
-              - key: emnt.dev.db
-                path: emnt.dev.db
+              - key: cluster_domain.db
+                path: cluster_domain.db
diff --git a/k8s/apps/network/mailserver/config-autodiscover.k8s.yaml b/k8s/apps/network/mailserver/config-autodiscover.k8s.yaml
@@ -7,12 +7,12 @@ metadata:
     app.kubernetes.io/name: autodiscover-email-settings
     app.kubernetes.io/instance: autodiscover-email-settings
 data:
-  COMPANY_NAME: emnt.dev
-  SUPPORT_URL: https://autodiscover.emnt.dev
-  DOMAIN: emnt.dev
-  IMAP_HOST: mail.emnt.dev
+  COMPANY_NAME: ${CLUSTER_DOMAIN}
+  SUPPORT_URL: https://autodiscover.${CLUSTER_DOMAIN}
+  DOMAIN: ${CLUSTER_DOMAIN}
+  IMAP_HOST: mail.${CLUSTER_DOMAIN}
   IMAP_PORT: "993"
   IMAP_SOCKET: SSL
-  SMTP_HOST: mail.emnt.dev
+  SMTP_HOST: mail.${CLUSTER_DOMAIN}
   SMTP_PORT: "587"
   SMTP_SOCKET: STARTTLS
diff --git a/k8s/apps/network/mailserver/config/dkim_signing.conf b/k8s/apps/network/mailserver/config/dkim_signing.conf
@@ -7,14 +7,14 @@ use_redis = false; # don't change unless Redis also provides the DKIM keys
 use_esld = true;
 check_pubkey = true;
 domain {
-    emnt.dev {
+    ${CLUSTER_DOMAIN} {
         selectors [
             {
-                path = "/tmp/docker-mailserver/rspamd/keys/emnt.dev.rsa.private";
+                path = "/tmp/docker-mailserver/rspamd/keys/cluster_domain.rsa.private";
                 selector = "dkim-rsa";
             },
             {
-                path = "/tmp/docker-mailserver/rspamd/keys/emnt.dev.ed25519.private";
+                path = "/tmp/docker-mailserver/rspamd/keys/cluster_domain.ed25519.private";
                 selector = "dkim-ed25519";
             }
       ]

diff --git a/k8s/apps/network/mailserver/config/postfix-virtual.cf b/k8s/apps/network/mailserver/config/postfix-virtual.cf
@@ -1 +1 @@
-postmaster@emnt.dev dmarc.report@emnt.dev
+postmaster@${CLUSTER_DOMAIN} dmarc.report@${CLUSTER_DOMAIN}
diff --git a/k8s/apps/network/mailserver/deployment.k8s.yaml b/k8s/apps/network/mailserver/deployment.k8s.yaml
@@ -111,12 +111,12 @@ spec:
               mountPath: /tmp/healthcheck.sh
               readOnly: true
             - name: secrets
-              subPath: emnt.dev.rsa.private
-              mountPath: /tmp/docker-mailserver/rspamd/keys/emnt.dev.rsa.private
+              subPath: cluster_domain.rsa.private
+              mountPath: /tmp/docker-mailserver/rspamd/keys/cluster_domain.rsa.private
               readOnly: true
             - name: secrets
-              subPath: emnt.dev.ed25519.private
-              mountPath: /tmp/docker-mailserver/rspamd/keys/emnt.dev.ed25519.private
+              subPath: cluster_domain.ed25519.private
+              mountPath: /tmp/docker-mailserver/rspamd/keys/cluster_domain.ed25519.private
               readOnly: true
             - name: secrets
               subPath: postfix-accounts.cf

diff --git a/k8s/apps/network/mailserver/env.k8s.yaml b/k8s/apps/network/mailserver/env.k8s.yaml
@@ -9,9 +9,9 @@ metadata:
 data:
   TLS_LEVEL: modern
   POSTSCREEN_ACTION: drop
-  OVERRIDE_HOSTNAME: mail.emnt.dev
+  OVERRIDE_HOSTNAME: mail.${CLUSTER_DOMAIN}
   FAIL2BAN_BLOCKTYPE: drop
-  POSTMASTER_ADDRESS: postmaster@emnt.dev
+  POSTMASTER_ADDRESS: postmaster@${CLUSTER_DOMAIN}
   UPDATE_CHECK_INTERVAL: 10d
   POSTFIX_INET_PROTOCOLS: ipv4
   ONE_DIR: '1'
@@ -29,6 +29,6 @@ data:
   ENABLE_UPDATE_CHECK: '1'
   SUPERVISOR_LOGLEVEL: warn
   SSL_TYPE: manual
-  SSL_DOMAIN: '*.emnt.dev'
+  SSL_DOMAIN: '*.${CLUSTER_DOMAIN}'
   SSL_CERT_PATH: /secrets/ssl/rsa/tls.crt
   SSL_KEY_PATH: /secrets/ssl/rsa/tls.key
diff --git a/k8s/apps/network/mailserver/ingress.k8s.yaml b/k8s/apps/network/mailserver/ingress.k8s.yaml
@@ -9,7 +9,7 @@ metadata:
 spec:
   ingressClassName: ingress-internal-traefik
   rules:
-    - host: rspamd.emnt.dev
+    - host: rspamd.${CLUSTER_DOMAIN}
       http:
         paths:
           - path: /
@@ -31,7 +31,7 @@ metadata:
 spec:
   ingressClassName: ingress-external-traefik
   rules:
-    - host: autodiscover.emnt.dev
+    - host: autodiscover.${CLUSTER_DOMAIN}
       http:
         paths:
           - path: /
@@ -41,7 +41,7 @@ spec:
                 name: autodiscover-mailserver
                 port:
                   name: http
-    - host: autoconfig.emnt.dev
+    - host: autoconfig.${CLUSTER_DOMAIN}
       http:
         paths:
           - path: /

diff --git a/k8s/apps/network/mailserver/secrets.sops.yaml b/k8s/apps/network/mailserver/secrets.sops.yaml
diff --git a/k8s/apps/network/pihole/helmrelease.k8s.yaml b/k8s/apps/network/pihole/helmrelease.k8s.yaml
@@ -31,7 +31,7 @@ spec:
         traefik.ingress.kubernetes.io/router.middlewares: pihole-addprefix@kubernetescrd
       path: /
       hosts:
-        - pihole.emnt.dev
+        - pihole.${CLUSTER_DOMAIN}
     persistentVolumeClaim:
       enabled: false
       storageClass: freenas-api-nfs-csi
@@ -45,7 +45,7 @@ spec:
       customSettings:
         - edns-packet-max=1232
       customDnsEntries:
-        - "address=/emnt.dev/${SVC_INGRESS_INTERNAL_ADDR}"
+        - "address=/${CLUSTER_DOMAIN}/${SVC_INGRESS_INTERNAL_ADDR}"
     DNS1: "${SVC_UNBOUND_ADDR}#5335"
     DNS2: null
     extraEnvVars:

diff --git a/k8s/apps/network/unifi-controller/ingress.k8s.yaml b/k8s/apps/network/unifi-controller/ingress.k8s.yaml
@@ -14,7 +14,7 @@ spec:
     - websecure
   routes:
     - kind: Rule
-      match: Host(`unifi.emnt.dev`)
+      match: Host(`unifi.${CLUSTER_DOMAIN}`)
       services:
         - name: unifi-controller-tcp
           namespace: unifi-controller

diff --git a/k8s/flux/ingress.k8s.yaml b/k8s/flux/ingress.k8s.yaml
@@ -9,7 +9,7 @@ metadata:
 spec:
   ingressClassName: ingress-external-traefik
   rules:
-    - host: flux-webhooks.emnt.dev
+    - host: flux-webhooks.${CLUSTER_DOMAIN}
       http:
         paths:
           - path: /
Original file line number	Diff line number	Diff line change
		@@ -1 +1 @@
		postmaster@emnt.dev dmarc.report@emnt.dev
		postmaster@${CLUSTER_DOMAIN} dmarc.report@${CLUSTER_DOMAIN}