Add MuffinLabs SSL configuration for hearth

Kubernetes manifests for muffinlabs.ai SSL via cert-manager: - Namespace - Certificate (Let's Encrypt via letsencrypt-production ClusterIssuer) - Traefik IngressRoute with TLS - HTTP to HTTPS redirect middleware - www to apex redirect middleware Part of RFC 0002: amplify-deployment Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-04 12:07:12 -05:00 · 2026-02-04 12:07:12 -05:00 · 1dfaf86783
commit 1dfaf86783
parent 3879d2fe35
3 changed files with 100 additions and 0 deletions
--- a/kubernetes/muffinlabs/certificate.yaml
+++ b/kubernetes/muffinlabs/certificate.yaml
@ -0,0 +1,13 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: muffinlabs-ai-tls
+  namespace: muffinlabs
+spec:
+  secretName: muffinlabs-ai-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  dnsNames:
+    - muffinlabs.ai
+    - www.muffinlabs.ai
--- a/kubernetes/muffinlabs/ingressroute.yaml
+++ b/kubernetes/muffinlabs/ingressroute.yaml
@ -0,0 +1,80 @@
+# Traefik IngressRoute for muffinlabs.ai with TLS
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: muffinlabs-web
+  namespace: muffinlabs
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`muffinlabs.ai`)
+      kind: Rule
+      services:
+        - name: muffinlabs-web
+          port: 80
+    - match: Host(`www.muffinlabs.ai`)
+      kind: Rule
+      middlewares:
+        - name: www-to-apex
+          namespace: muffinlabs
+      services:
+        - name: muffinlabs-web
+          port: 80
+  tls:
+    secretName: muffinlabs-ai-tls
+---
+# HTTP to HTTPS redirect
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: muffinlabs-web-http
+  namespace: muffinlabs
+spec:
+  entryPoints:
+    - web
+  routes:
+    - match: Host(`muffinlabs.ai`) || Host(`www.muffinlabs.ai`)
+      kind: Rule
+      middlewares:
+        - name: https-redirect
+          namespace: muffinlabs
+      services:
+        - name: muffinlabs-web
+          port: 80
+---
+# Middleware: www to apex redirect
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: www-to-apex
+  namespace: muffinlabs
+spec:
+  redirectRegex:
+    regex: ^https://www\.muffinlabs\.ai/(.*)
+    replacement: https://muffinlabs.ai/${1}
+    permanent: true
+---
+# Middleware: HTTP to HTTPS redirect
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: https-redirect
+  namespace: muffinlabs
+spec:
+  redirectScheme:
+    scheme: https
+    permanent: true
+---
+# Service (placeholder - will redirect to Amplify once deployed)
+apiVersion: v1
+kind: Service
+metadata:
+  name: muffinlabs-web
+  namespace: muffinlabs
+spec:
+  type: ExternalName
+  externalName: muffinlabs.ai.amplifyapp.com
+  ports:
+    - port: 80
+      targetPort: 443
--- a/kubernetes/muffinlabs/namespace.yaml
+++ b/kubernetes/muffinlabs/namespace.yaml
@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: muffinlabs
+  labels:
+    app.kubernetes.io/name: muffinlabs
+    app.kubernetes.io/part-of: muffinlabs-web