feat: implement global wildcard ingress certificate for *.apps.makeitwork.cloud

xnoto · xnoto · commit db6f858fad1f · 2026-02-24T21:33:40.000-07:00
diff --git a/operators/cert-manager/ingress-patch.yaml b/operators/cert-manager/ingress-patch.yaml
@@ -0,0 +1,12 @@
+---
+# Patch default IngressController to use the wildcard certificate
+apiVersion: operator.openshift.io/v1
+kind: IngressController
+metadata:
+  name: default
+  namespace: openshift-ingress-operator
+  annotations:
+    argocd.argoproj.io/sync-wave: "4"
+spec:
+  defaultCertificate:
+    name: wildcard-apps-makeitwork-cloud-tls
diff --git a/operators/cert-manager/kustomization.yaml b/operators/cert-manager/kustomization.yaml
@@ -8,5 +8,6 @@ resources:
   - wildcard-certificate.yaml
   - openshift-ingress-config.yaml
   - apiserver-config.yaml
+  - ingress-patch.yaml
 generators:
   - ksops-cert-manager-secrets.yaml
diff --git a/operators/cert-manager/wildcard-certificate.yaml b/operators/cert-manager/wildcard-certificate.yaml
@@ -1,11 +1,30 @@
 ---
 # Wildcard certificate for *.apps.makeitwork.cloud
-# Created in openshift-config for use by componentRoutes (console, oauth)
-# External apps (*.makeitwork.cloud) use Cloudflare Tunnel which handles TLS at the edge
+# Created in openshift-ingress for use as default ingress certificate
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
   name: wildcard-apps-makeitwork-cloud
+  namespace: openshift-ingress
+  annotations:
+    argocd.argoproj.io/sync-wave: "3"
+spec:
+  secretName: wildcard-apps-makeitwork-cloud-tls
+  issuerRef:
+    name: letsencrypt-cloudflare
+    kind: ClusterIssuer
+  commonName: "*.apps.makeitwork.cloud"
+  dnsNames:
+    - "*.apps.makeitwork.cloud"
+  # Renew 30 days before expiry
+  renewBefore: 720h
+---
+# Wildcard certificate for *.apps.makeitwork.cloud (Copy for openshift-config)
+# Required because OpenShift config resources cannot reference secrets in other namespaces
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: wildcard-apps-makeitwork-cloud-config
   namespace: openshift-config
   annotations:
     argocd.argoproj.io/sync-wave: "3"
diff --git a/workloads/ollama/ollama.yaml b/workloads/ollama/ollama.yaml
@@ -111,20 +111,3 @@ spec:
   tls:
     termination: edge
     insecureEdgeTerminationPolicy: Redirect
-    certificate: "" # Use default ingress certificate
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: ollama-cert
-  namespace: ollama
-  annotations:
-    argocd.argoproj.io/sync-wave: "2"
-spec:
-  secretName: ollama-tls
-  issuerRef:
-    name: letsencrypt-cloudflare
-    kind: ClusterIssuer
-  commonName: "ollama.apps.makeitwork.cloud"
-  dnsNames:
-    - "ollama.apps.makeitwork.cloud"
