Files
k8s-manifests/zona-exclusion/deployment.yaml
T
chemavxandClaude Opus 4.8 48ed88cc8d zona-exclusion: serve www + 301 redirect to apex, add www to TLS SAN
Adds www.zonadeexclusion.com to the Ingress (rules + tls hosts) so cert-manager
re-issues zona-exclusion-tls covering apex + www via HTTP-01, and a Traefik
redirectRegex Middleware that 301s www -> apex (ES canonical = apex). Mirrors the
EN redirect-to-www-https middleware, inverted. DNS for www was fixed in Phase 1
(stale explicit A removed; now resolves via the favonia wildcard).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-23 06:55:56 +00:00

164 lines
4.4 KiB
YAML

---
apiVersion: v1
kind: Namespace
metadata:
name: zona-exclusion
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
annotations:
# Never let ArgoCD prune this PVC: it holds persistent app data.
argocd.argoproj.io/sync-options: Prune=false
name: zona-exclusion-data
namespace: zona-exclusion
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 20Gi
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: zona-exclusion
namespace: zona-exclusion
labels:
app: zona-exclusion
spec:
replicas: 1
# Single-replica Ghost on a RWO local-path SQLite DB: Recreate avoids two Ghost
# processes briefly sharing one ghost.db during a roll (RollingUpdate corruption risk).
strategy:
type: Recreate
selector:
matchLabels:
app: zona-exclusion
template:
metadata:
labels:
app: zona-exclusion
spec:
containers:
- name: zona-exclusion
image: ghost:5-alpine
imagePullPolicy: Always
env:
- name: url
value: "https://zonadeexclusion.com"
- name: NODE_ENV
value: "production"
- name: mail__transport
value: "SMTP"
- name: mail__options__host
value: "smtp.gmail.com"
- name: mail__options__port
value: "587"
- name: mail__options__auth__user
valueFrom:
secretKeyRef:
name: zona-exclusion-secrets-infisical
key: smtp-user
- name: mail__options__auth__pass
valueFrom:
secretKeyRef:
name: zona-exclusion-secrets-infisical
key: smtp-pass
- name: mail__from
value: "Zona de Exclusión <chemavx@gmail.com>"
- name: database__client
value: "sqlite3"
- name: database__connection__filename
value: "/var/lib/ghost/content/data/ghost.db"
volumeMounts:
- name: data
mountPath: /var/lib/ghost/content
resources:
requests:
memory: "256Mi"
cpu: "100m"
limits:
memory: "512Mi"
cpu: "500m"
volumes:
- name: data
persistentVolumeClaim:
claimName: zona-exclusion-data
---
apiVersion: v1
kind: Service
metadata:
name: zona-exclusion
namespace: zona-exclusion
spec:
selector:
app: zona-exclusion
ports:
- port: 80
targetPort: 2368
---
# www -> apex (canonical) 301 redirect. Mirrors EN's redirect-to-www-https,
# INVERTED: ES canonical is the APEX. The regex matches only the www host, so
# the apex router (created from the same Ingress) is a no-op and serves normally.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: redirect-www-to-apex
namespace: zona-exclusion
spec:
redirectRegex:
permanent: true
regex: ^https?://www\.zonadeexclusion\.com/(.*)
replacement: https://zonadeexclusion.com/${1}
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: zona-exclusion
namespace: zona-exclusion
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
traefik.ingress.kubernetes.io/router.entrypoints: websecure
# Applied to all routers from this Ingress; the regex no-ops on the apex,
# so only www.zonadeexclusion.com is 301'd to the apex.
traefik.ingress.kubernetes.io/router.middlewares: zona-exclusion-redirect-www-to-apex@kubernetescrd
spec:
ingressClassName: traefik
rules:
- host: zonadeexclusion.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: zona-exclusion
port:
number: 80
- host: www.zonadeexclusion.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: zona-exclusion
port:
number: 80
tls:
- hosts:
- zonadeexclusion.com
- www.zonadeexclusion.com
secretName: zona-exclusion-tls
# Secret gestionado manualmente — NO añadir aquí para evitar que ArgoCD sobreescriba.
# kubectl create secret generic zona-exclusion-secrets \
# --from-literal=smtp-user=chemavx@gmail.com \
# --from-literal=smtp-pass=YOUR_APP_PASSWORD \
# -n zona-exclusion