Use single multiple domains SSL instead of multiple certificates for each product

Author: Vadym Mudryi

README.md

@@ -252,6 +252,49 @@ Recommended way to install cert-manager is a helm chart, see official documentat
 
 ---
 
+### traefik custom changes
+
+traefik is used to proxy OpenCRVS services behind load balancer on kubernetes cluster.
+
+Please change default traefik certificate with your own wildcard or SANs certificate by following guide at https://doc.traefik.io/traefik/https/tls/#default-certificate
+
+If cert-manager is used create `Certificate manifest at traefik namespace:
+
+```yaml
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: k8s-opencrvs-dev-ssl
+  namespace: traefik
+spec:
+  dnsNames:
+  - '*.<your domain>'
+  - <your domain>
+  issuerRef:
+    kind: ClusterIssuer
+    name: <dns-cluster-issuer>
+  secretName: traefik-cert-tls
+```
+
+Make sure certificate was issued.
+```
+kubectl get cert
+```
+
+Create default tls store traefik:
+```yaml
+apiVersion: traefik.io/v1alpha1
+kind: TLSStore
+metadata:
+  name: default
+  namespace: traefik
+spec:
+  defaultCertificate:
+    secretName: traefik-cert-tls
+
+```
+
+
 ## [🚧 ] Manual deployment guide
 
 TODO: Add steps with middleware installation:

charts/dependencies/templates/minio.yaml

@@ -18,10 +18,6 @@ metadata:
 spec:
   entryPoints:
     - websecure
-  {{- if .Values.cert_manager.enabled }}
-  tls:
-    secretName: {{ .Values.hostname | replace "." "-" }}-tls
-  {{- end }}
   routes:
   - match: 'Host(`minio.{{ .Values.hostname }}`) || Host(`{{ .Values.hostname }}`)'
     kind: Rule

charts/dependencies/templates/wildcard-ssl.yaml

@@ -19,10 +19,6 @@ metadata:
 spec:
   entryPoints:
     - websecure
-  {{- if .Values.cert_manager.enabled }}
-  tls:
-    secretName: {{ .Values.hostname | replace "." "-" }}-tls
-  {{- end }}
   routes:
   - match: 'Host(`register.{{ .Values.hostname }}`) || Host(`{{ .Values.hostname }}`)'
     kind: Rule

charts/opencrvs-services/templates/client-deployment.yaml

@@ -19,10 +19,6 @@ metadata:
 spec:
   entryPoints:
     - websecure
-  {{- if .Values.cert_manager.enabled }}
-  tls:
-    secretName: {{ .Values.hostname | replace "." "-" }}-tls
-  {{- end }}
   routes:
   - match: 'Host(`config.{{ .Values.hostname }}`)'
     kind: Rule

charts/opencrvs-services/templates/config-deployment.yaml

@@ -19,10 +19,6 @@ metadata:
 spec:
   entryPoints:
     - websecure
-  {{- if .Values.cert_manager.enabled }}
-  tls:
-    secretName: {{ .Values.hostname | replace "." "-" }}-tls
-  {{- end }}
   routes:
   - match: 'Host(`countryconfig.{{ .Values.hostname }}`) && !Path(`/email`) && !Path(`/notification`) && !Path(`/dashboards/queries.json`)'
     kind: Rule

charts/opencrvs-services/templates/countryconfig-deployment.yaml

@@ -19,10 +19,6 @@ metadata:
 spec:
   entryPoints:
     - websecure
-  {{- if .Values.cert_manager.enabled }}
-  tls:
-    secretName: {{ .Values.hostname | replace "." "-" }}-tls
-  {{- end }}
   routes:
   - match: 'Host(`gateway.{{ .Values.hostname }}`)'
     kind: Rule
@@ -68,10 +64,6 @@ spec:
               value: "https://login.{{ .Values.hostname }}"
             - name: APPLICATION_CONFIG_URL
               value: "http://config.{{ .Release.Namespace }}.svc.cluster.local:2021"
-            - name: CERT_PUBLIC_KEY_PATH
-              value: /secrets/public-key.pem
-            - name: APPLICATION_CONFIG_URL
-              value: http://config.{{ .Release.Namespace }}.svc.cluster.local:2021 # FIXME: harcoded/
             - name: AUTH_URL
               value: http://auth.{{ .Release.Namespace }}.svc.cluster.local:4040
             - name: DOCUMENTS_URL

charts/opencrvs-services/templates/gateway-deployment.yaml

@@ -19,10 +19,6 @@ metadata:
 spec:
   entryPoints:
     - websecure
-  {{- if .Values.cert_manager.enabled }}
-  tls:
-    secretName: {{ .Values.hostname | replace "." "-" }}-tls
-  {{- end }}
   routes:
   - match: 'Host(`login.{{ .Values.hostname }}`)'
     kind: Rule

charts/opencrvs-services/templates/login-deployment.yaml

@@ -25,11 +25,6 @@ mongodb_host: mongodb-0.mongodb.opencrvs-deps-dev.svc.cluster.local
 # Example: hostname: opencrvs.localhost
 hostname: farajaland.com
 
-cert_manager:
-  enabled: false
-  # Check doc at: https://cert-manager.io/docs/configuration/issuers/
-  cluster_issuer: "<put issuer here>"
-
 # TODO: Check the usage and purpose of this variable.
 # Developer mode flag.
 dev_mode: false
@@ -61,7 +56,6 @@ config:
   env:
     DOMAIN: "*"
     CHECK_INVALID_TOKEN: true
-    NODE_ENV: production
   # Mapping for external secrets goes here:
   secrets: {}
 
@@ -78,7 +72,6 @@ countryconfig:
     # INFOBIP_GATEWAY_ENDPOINT: ""
     # INFOBIP_SENDER_ID: ""
 
-    NODE_ENV: production
     NOTIFICATION_TRANSPORT: email
 
     SENDER_EMAIL_ADDRESS: [email protected]
@@ -117,9 +110,6 @@ gateway:
     CONFIG_TOKEN_EXPIRY_SECONDS: "604800"
 
     MINIO_BUCKET: "ocrvs"
-
-    NODE_ENV: production
-
     COUNTRY: FAR
     DISABLE_RATE_LIMIT: "true"
     # # TODO: Check usage