From 1c187f4caecf6f285e28bb87f0383b660d6543c9 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sun, 28 Jun 2026 12:28:05 +1000
Subject: [PATCH] Use explicit Certificate resource with dnsNames for multi-domain TLS
---
 apps/base/authentik/certificate.yaml | 18 ++++++++++++++++++
 apps/base/authentik/gateway.yaml | 3 ---
 apps/base/authentik/kustomization.yaml | 1 +
 3 files changed, 19 insertions(+), 3 deletions(-)
 create mode 100644 apps/base/authentik/certificate.yaml
diff --git a/apps/base/authentik/certificate.yaml b/apps/base/authentik/certificate.yaml
new file mode 100644
index 0000000..1430751
--- /dev/null
+++ b/apps/base/authentik/certificate.yaml
@@ -0,0 +1,18 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: authentik-tls
+ namespace: authentik
+spec:
+ secretName: authentik-tls
+ issuerRef:
+ kind: ClusterIssuer
+ name: vault-issuer
+ commonName: identity.unkin.net
+ dnsNames:
+ - identity.unkin.net
+ - identity.k8s.syd1.au.unkin.net
+ privateKey:
+ algorithm: RSA
+ size: 4096
diff --git a/apps/base/authentik/gateway.yaml b/apps/base/authentik/gateway.yaml
index bc13062..4c6a633 100644
--- a/apps/base/authentik/gateway.yaml
+++ b/apps/base/authentik/gateway.yaml
@@ -5,9 +5,6 @@ metadata:
 labels:
 traefik.io/instance: internal
 annotations:
- cert-manager.io/cluster-issuer: vault-issuer
- cert-manager.io/common-name: identity.unkin.net
- cert-manager.io/private-key-size: "4096"
 external-dns.alpha.kubernetes.io/hostname: identity.unkin.net,identity.k8s.syd1.au.unkin.net
 external-dns.alpha.kubernetes.io/target: 198.18.200.4
 name: authentik
diff --git a/apps/base/authentik/kustomization.yaml b/apps/base/authentik/kustomization.yaml
index 3c58eee..340420c 100644
--- a/apps/base/authentik/kustomization.yaml
+++ b/apps/base/authentik/kustomization.yaml
@@ -3,6 +3,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+ - certificate.yaml
 - cnpg_cluster.yaml
 - cnpg_pooler.yaml
 - gateway.yaml
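Review bot: The new `Certificate` in `apps/base/authentik/certificate.yaml` leaves `spec.privateKey.rotationPolicy` unset, so whether the 4096-bit RSA key is regenerated at each renewal depends on the installed cert-manager version's default (older releases keep reusing the same key). For the identity provider's certificate it is worth pinning this explicitly by adding `rotationPolicy: Always` under `privateKey:`. With the `cert-manager.io/*` annotations removed from the Gateway, nothing visible in this patch ties `secretName: authentik-tls` to the listener; its `certificateRefs` lies outside the `gateway.yaml` hunk, so confirm it references the same Secret name. The hostnames now live in both `dnsNames` and the `external-dns.alpha.kubernetes.io/hostname` annotation, so a comment above `dnsNames` such as `# keep in sync with the external-dns hostname annotation in gateway.yaml` would help prevent drift.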