feat(s9n): add s9n.no domain

vehagn · vehagn · commit 61bdf5efe001 · 2026-04-04T20:51:54.000+02:00
Signed-off-by: Vegard Hagen &lt;vegard@stonegarden.dev&gt;
diff --git a/k8s/apps/dev/project.yaml b/k8s/apps/dev/project.yaml
@@ -11,6 +11,8 @@ spec:
       server: '*'
     - namespace: 'whoami'
       server: '*'
+    - namespace: 's9n'
+      server: '*'
   clusterResourceWhitelist:
     - group: '*'
       kind: '*'
diff --git a/k8s/apps/dev/s9n/deployment.yaml b/k8s/apps/dev/s9n/deployment.yaml
@@ -0,0 +1,47 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: s9n
+  namespace: s9n
+  labels:
+    app: s9n
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: s9n
+  template:
+    metadata:
+      namespace: whoami
+      labels:
+        app: s9n
+    spec:
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 65534
+        runAsGroup: 65534
+        fsGroup: 65534
+        fsGroupChangePolicy: OnRootMismatch
+        seccompProfile:
+          type: RuntimeDefault
+      containers:
+        - name: static-web-server
+          image: docker.io/joseluisq/static-web-server:2.42.0-alpine
+          imagePullPolicy: Always
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            capabilities:
+              drop: [ "ALL" ]
+          envFrom:
+            - configMapRef:
+                name: sws-config
+          ports:
+            - name: http
+              containerPort: 8080
+          resources:
+            requests:
+              cpu: 10m
+              memory: 64Mi
+            limits:
+              memory: 128Mi
diff --git a/k8s/apps/dev/s9n/http-route.yaml b/k8s/apps/dev/s9n/http-route.yaml
@@ -0,0 +1,14 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: s9n
+  namespace: s9n
+spec:
+  parentRefs:
+    - { name: external, namespace: gateway }
+    - { name: internal, namespace: gateway }
+  hostnames: [ "s9n.no" ]
+  rules:
+    - backendRefs: [ { name: s9n, port: 80 } ]
+      matches:
+        - path: { type: PathPrefix, value: / }
diff --git a/k8s/apps/dev/s9n/kustomization.yaml b/k8s/apps/dev/s9n/kustomization.yaml
@@ -0,0 +1,16 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+configMapGenerator:
+  - name: sws-config
+    namespace: s9n
+    literals:
+      - TZ=Europe/Oslo
+      - SERVER_LOG_LEVEL=warn
+      - SERVER_PORT=8080
+
+resources:
+  - ns.yaml
+  - svc.yaml
+  - http-route.yaml
+  - deployment.yaml
diff --git a/k8s/apps/dev/s9n/ns.yaml b/k8s/apps/dev/s9n/ns.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: s9n
diff --git a/k8s/apps/dev/s9n/svc.yaml b/k8s/apps/dev/s9n/svc.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: s9n
+  namespace: s9n
+spec:
+  selector:
+    app: s9n
+  ports:
+    - name: web
+      port: 80
+      targetPort: http
diff --git a/k8s/infra/controllers/cert-manager/cf-api-s9n-no.yaml b/k8s/infra/controllers/cert-manager/cf-api-s9n-no.yaml
@@ -0,0 +1,12 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: cf-api-s9n-no
+  namespace: cert-manager
+spec:
+  encryptedData:
+    api-token: AgDDwZlDZUOXSHfWTUbSjOG8cqgyO5aMC54Ez7z4bbT4kXJmXcCC/Q8bsLxjkaC9OR+eVAhe7SDT7gwSXw0MnYZh8mUPGoQyX+BWlRS8GKwofIQimroJsimOdFNEeh7r8KbnBaREViP06fk/IYbaQfMYHhyjME46V6xfGJ0L2XYZdA+qGAx6OtA5vP7wBKctHFFG1FVEdQ1lmHUS0hJo+g72wqBtNX4PSW66k5BlKCvWrShtggXeSAnzCjTlblBL1CKzCUBMgkBMZX49v1OmSWTa4+8ID0GGsCD2m2HV5RP1CDziFhGDAh4rpU4bYnjPwJP1UxTelHyRcRO3eIHG7XailRYwEmiirPRNlxiKlS+mtum8N0ivWGd7qBugrYAG5Gs8nl7SvQ+xsuH8mnxhzymmkfOfst41SWMJm1mOcThXolN+LKG6aEIGQtMU/Vm9iRIfGwyM3moJeeACwfy/7Evvaup2Wa85tdFUa18v7DOxOQJZbpZHqFf7ADrQernCPakAT8Fm6u9+of0cx3H1T9QbOzpue/lnu27Yr8RLawkGzxFOrPTEi3DE9cD1WGcRtl8QRHhQtBebV35wzsjcVAQXnsbDOc6NRzujGCkTOAoh8ljmwpLaidbvC6fs8j+kSxI9zphlm9YBuN9FaxNk4vvJS6ImObFg9vv7xL+uRyRbH/HWy4ekrwSNa4q/frB18cbYs094DizckZFPcDEjlpEeUyAYoIYp6dvluE4ibrNCkuOaqZ7ONP3K+lF+4h+7DoA/OgF4fA==
+  template:
+    metadata:
+      name: cf-api-s9n-no
+      namespace: cert-manager
diff --git a/k8s/infra/controllers/cert-manager/cf-api-stonegarden-dev.yaml b/k8s/infra/controllers/cert-manager/cf-api-stonegarden-dev.yaml
@@ -0,0 +1,12 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: cf-api-stonegarden-dev
+  namespace: cert-manager
+spec:
+  encryptedData:
+    api-token: AgACBLUukTt7Q0kM7sAKSL7sd3kOAZknWZiHlehozenVWuGsV7xXiu0fvc3RdUFsAu8kZhoWwwYv+68LDMQy6etioGwDi95Ch1JjBGJJoP+4dEnCNzAfaqRAGMU+LV4x1C3uHY7tqgMtMGwhpwQKyUDQiMlksnuWc+FIQovG09btpCSUP1/M1nOztDaVvH4NCJgAqZ8cbPriO3azuNNDpXG90kFeRmqi3u5i3x06FqpOeZO6gILok0HcOQ93yLJrx/oYzMlW3FU1G9Rbb4YWw2zdUBN4uEtE5on4hRaUqjGXnPMOmIVBCwIAdu8dLwLg15chKnBiqtzWC17HU0asOubpnGOBq9isaPFfWW8ZeCmDvgOTDgxM4yMG2GhxmWNv2J0EjMCJkCZLhi5BFypTtIw8smA6YdCDqU2K/iKY4Ih54u1w/s+zzIlEZIBPRrRW7KxtaIV+Zm2AIRIqndbHrU6nh5C8FNZadIomQnYBccclpsOdkKbaDcq5XwJ8pp8K3YgZHkunywtPrgX/YaC18gh6Xg0qg1YhzrGj3WFE4fSP4WbCK0wg9jyZQC2tggr1qXhOrYW7YLdysdodnfTnnJh52Y9VBFD7Bh6XuCz/xRibaXjJOJaFoTL+DgUGDRny9YXsU6PDS/D2S61wHd1+J2fh4AXSwa/WMzQtMYYWMeq9pAdDRPkkxLX7u8i4dwOnOS3aLqbGaP+EL6Lh02EA44NCxuwbo1odRuuLjXY/7fSzhQihM/LIzLEZm1VyFz52nNoo8Mcd1A==
+  template:
+    metadata:
+      name: cf-api-stonegarden-dev
+      namespace: cert-manager
diff --git a/k8s/infra/controllers/cert-manager/cloudflare-api-token.yaml b/k8s/infra/controllers/cert-manager/cloudflare-api-token.yaml
diff --git a/k8s/infra/controllers/cert-manager/cluster-issuer-s9n-no.yaml b/k8s/infra/controllers/cert-manager/cluster-issuer-s9n-no.yaml
@@ -0,0 +1,16 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: s9n-no
+spec:
+  acme:
+    server: https://acme-v02.api.letsencrypt.org/directory
+    email: veghag@gmail.com
+    privateKeySecretRef:
+      name: cloudflare-key
+    solvers:
+      - dns01:
+          cloudflare:
+            apiTokenSecretRef:
+              name: cf-api-s9n-no
+              key: api-token
diff --git a/k8s/infra/controllers/cert-manager/cluster-issuer-stonegarden-dev.yaml b/k8s/infra/controllers/cert-manager/cluster-issuer-stonegarden-dev.yaml
@@ -12,5 +12,5 @@ spec:
       - dns01:
           cloudflare:
             apiTokenSecretRef:
-              name: cloudflare-api-token
+              name: cf-api-stonegarden-dev
               key: api-token
diff --git a/k8s/infra/controllers/cert-manager/kustomization.yaml b/k8s/infra/controllers/cert-manager/kustomization.yaml
@@ -3,8 +3,10 @@ kind: Kustomization
 
 resources:
   - ns.yaml
-  - cloudflare-api-token.yaml
-  - cluster-issuer.yaml
+  - cf-api-s9n-no.yaml
+  - cluster-issuer-s9n-no.yaml
+  - cf-api-stonegarden-dev.yaml
+  - cluster-issuer-stonegarden-dev.yaml
   - selfsigned-bootstrap-issuer.yaml
   - stonegarden-root-ca.yaml
   - stonegarden-ca-issuer.yaml
diff --git a/k8s/infra/network/gateway/cert-s9n-no.yaml b/k8s/infra/network/gateway/cert-s9n-no.yaml
@@ -0,0 +1,20 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: cert-s9n-no
+  namespace: gateway
+spec:
+  dnsNames:
+    - s9n.no
+  issuerRef:
+    group: cert-manager.io
+    kind: ClusterIssuer
+    name: s9n-no
+  privateKey:
+    algorithm: ECDSA
+    encoding: PKCS8
+    size: 256
+  secretName: cert-s9n-no
+  usages:
+    - digital signature
+    - key encipherment
diff --git a/k8s/infra/network/gateway/gw-external.yaml b/k8s/infra/network/gateway/gw-external.yaml
@@ -37,3 +37,14 @@ spec:
       allowedRoutes:
         namespaces:
           from: All
+    - protocol: HTTPS
+      port: 443
+      name: s9n-no
+      hostname: s9n.no
+      tls:
+        certificateRefs:
+          - kind: Secret
+            name: cert-s9n-no
+      allowedRoutes:
+        namespaces:
+          from: All
diff --git a/k8s/infra/network/gateway/kustomization.yaml b/k8s/infra/network/gateway/kustomization.yaml
@@ -2,6 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
 resources:
+  - cert-s9n-no.yaml
   - cert-stonegarden.yaml
   - gateway-class.yaml
   - ns.yaml
