From 1dfaf8678386a54020d0c6c6b19f427e6ba6569f Mon Sep 17 00:00:00 2001 From: Eric Garcia Date: Wed, 4 Feb 2026 12:07:12 -0500 Subject: [PATCH] Add MuffinLabs SSL configuration for hearth Kubernetes manifests for muffinlabs.ai SSL via cert-manager: - Namespace - Certificate (Let's Encrypt via letsencrypt-production ClusterIssuer) - Traefik IngressRoute with TLS - HTTP to HTTPS redirect middleware - www to apex redirect middleware Part of RFC 0002: amplify-deployment Co-Authored-By: Claude Opus 4.5 --- kubernetes/muffinlabs/certificate.yaml | 13 ++++ kubernetes/muffinlabs/ingressroute.yaml | 80 +++++++++++++++++++++++++ kubernetes/muffinlabs/namespace.yaml | 7 +++ 3 files changed, 100 insertions(+) create mode 100644 kubernetes/muffinlabs/certificate.yaml create mode 100644 kubernetes/muffinlabs/ingressroute.yaml create mode 100644 kubernetes/muffinlabs/namespace.yaml
diff --git a/kubernetes/muffinlabs/certificate.yaml b/kubernetes/muffinlabs/certificate.yaml
new file mode 100644
index 0000000..d68e045
--- /dev/null
+++ b/kubernetes/muffinlabs/certificate.yaml
@@ -0,0 +1,13 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: muffinlabs-ai-tls
+ namespace: muffinlabs
+spec:
+ secretName: muffinlabs-ai-tls
+ issuerRef:
+ name: letsencrypt-production
+ kind: ClusterIssuer
+ dnsNames:
+ - muffinlabs.ai
+ - www.muffinlabs.ai
diff --git a/kubernetes/muffinlabs/ingressroute.yaml b/kubernetes/muffinlabs/ingressroute.yaml
new file mode 100644
index 0000000..55b1bf3
--- /dev/null
+++ b/kubernetes/muffinlabs/ingressroute.yaml
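Review bot: In kubernetes/muffinlabs/certificate.yaml the Certificate `spec` has no `privateKey` stanza, so key algorithm, size and rotation are left to whatever the installed cert-manager defaults to. On older cert-manager releases the default rotation policy keeps the same private key across renewals, so a key that leaks once stays usable for every later certificate; the cluster's cert-manager version is not visible here, so this may not apply. I would pin the behaviour in the manifest by adding `privateKey:` under `spec` with `rotationPolicy: Always` and, if the expected clients allow it, `algorithm: ECDSA` with `size: 256`.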
@@ -0,0 +1,80 @@
+# Traefik IngressRoute for muffinlabs.ai with TLS
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+ name: muffinlabs-web
+ namespace: muffinlabs
+spec:
+ entryPoints:
+ - websecure
+ routes:
+ - match: Host(`muffinlabs.ai`)
+ kind: Rule
+ services:
+ - name: muffinlabs-web
+ port: 80
+ - match: Host(`www.muffinlabs.ai`)
+ kind: Rule
+ middlewares:
+ - name: www-to-apex
+ namespace: muffinlabs
+ services:
+ - name: muffinlabs-web
+ port: 80
+ tls:
+ secretName: muffinlabs-ai-tls
+---
+# HTTP to HTTPS redirect
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+ name: muffinlabs-web-http
+ namespace: muffinlabs
+spec:
+ entryPoints:
+ - web
+ routes:
+ - match: Host(`muffinlabs.ai`) || Host(`www.muffinlabs.ai`)
+ kind: Rule
+ middlewares:
+ - name: https-redirect
+ namespace: muffinlabs
+ services:
+ - name: muffinlabs-web
+ port: 80
+---
+# Middleware: www to apex redirect
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: www-to-apex
+ namespace: muffinlabs
+spec:
+ redirectRegex:
+ regex: ^https://www\.muffinlabs\.ai/(.*)
+ replacement: https://muffinlabs.ai/${1}
+ permanent: true
+---
+# Middleware: HTTP to HTTPS redirect
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: https-redirect
+ namespace: muffinlabs
+spec:
+ redirectScheme:
+ scheme: https
+ permanent: true
+---
+# Service (placeholder - will redirect to Amplify once deployed)
+apiVersion: v1
+kind: Service
+metadata:
+ name: muffinlabs-web
+ namespace: muffinlabs
+spec:
+ type: ExternalName
+ externalName: muffinlabs.ai.amplifyapp.com
+ ports:
+ - port: 80
+ targetPort: 443
diff --git a/kubernetes/muffinlabs/namespace.yaml b/kubernetes/muffinlabs/namespace.yaml
new file mode 100644
index 0000000..b173bce
--- /dev/null
+++ b/kubernetes/muffinlabs/namespace.yaml
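Review bot: The `muffinlabs-web` Service at the end of ingressroute.yaml is an ExternalName with `port: 80` / `targetPort: 443`, and both websecure routes reference it with `port: 80` and no `scheme`, so the leg from Traefik to muffinlabs.ai.amplifyapp.com most likely leaves the cluster as plain HTTP on port 80 after TLS has been terminated at the ingress. An ExternalName Service is only a DNS alias, so `targetPort` does no remapping, and Traefik appears to build the upstream URL from the port the route names (worth confirming against the Traefik version in use). I would change the Service to `- port: 443` and reference it from the routes with `port: 443` and `scheme: https`. Traefik also rejects ExternalName backends unless the provider has them explicitly enabled (`allowExternalNameServices`), which this commit does not show.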
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: muffinlabs
+ labels:
+ app.kubernetes.io/name: muffinlabs
+ app.kubernetes.io/part-of: muffinlabs-web