Repository initialisation

Serge NOEL
2026-02-10 12:12:11 +01:00
commit c3176e8d79
818 changed files with 52573 additions and 0 deletions

@@ -0,0 +1,250 @@
# Traefik Certificate Fix for drone.aipice.local
The error indicates that Traefik is serving a default certificate instead of a proper certificate for `drone.aipice.local`.
## 🔍 Root Cause
```
x509: certificate is valid for a7b8f3b8fd415b0fbd62e803b96eec90.d8282a75d7bf97aa2eb0bd7c2d927f85.traefik.default, not drone.aipice.local
```
This means:
- Traefik is using a default/fallback certificate
- No proper certificate configured for `drone.aipice.local`
- The domain doesn't match the certificate
## 🚀 Solutions
### Solution 1: Create Proper IngressRoute for Drone
Create a proper Traefik IngressRoute for your Drone CI:
```yaml
---
# drone-ingressroute.yaml
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: drone-ci
namespace: drone # Adjust to your Drone namespace
spec:
entryPoints:
- websecure
routes:
- match: Host(`drone.aipice.local`)
kind: Rule
services:
- name: drone-server # Your Drone service name
port: 80
tls:
certResolver: letsencrypt
domains:
- main: drone.aipice.local
---
# If you need a wildcard certificate for *.aipice.local
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: wildcard-aipice-local
namespace: drone
spec:
secretName: wildcard-aipice-local-tls
issuerRef:
name: letsencrypt
kind: ClusterIssuer
commonName: "*.aipice.local"
dnsNames:
- "aipice.local"
- "*.aipice.local"
```
### Solution 2: Update Drone Helm Values (if using Helm)
If you're using Helm to deploy Drone:
```yaml
# drone-values.yaml
ingress:
enabled: true
className: traefik
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
cert-manager.io/cluster-issuer: letsencrypt
hosts:
- host: drone.aipice.local
paths:
- path: /
pathType: Prefix
tls:
- secretName: drone-aipice-local-tls
hosts:
- drone.aipice.local
```
### Solution 3: Manual Certificate Creation
Create a certificate manually for `drone.aipice.local`:
```yaml
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: drone-aipice-local-cert
namespace: drone
spec:
secretName: drone-tls-secret
issuerRef:
name: letsencrypt
kind: ClusterIssuer
commonName: drone.aipice.local
dnsNames:
- drone.aipice.local
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: drone-secure
namespace: drone
spec:
entryPoints:
- websecure
routes:
- match: Host(`drone.aipice.local`)
kind: Rule
services:
- name: drone-server
port: 80
tls:
secretName: drone-tls-secret
```
## 🔧 Quick Fix Commands
```bash
# 1. Check current Drone IngressRoute
kubectl get ingressroute -A | grep drone
# 2. Check current certificates
kubectl get certificates -A | grep drone
# 3. Check Traefik logs for certificate issues
kubectl logs -n traefik deployment/traefik | grep drone
# 4. Apply the fixed IngressRoute
kubectl apply -f drone-ingressroute.yaml
# 5. Wait for certificate to be issued
kubectl get certificate -n drone -w
```
## 🕵️ Debugging Steps
### Check Current Drone Service
```bash
# Find your Drone service
kubectl get svc -A | grep drone
# Check the service details
kubectl describe svc drone-server -n drone
```
### Check Traefik Configuration
```bash
# Check Traefik dashboard for routing
kubectl port-forward -n traefik svc/traefik 8080:8080
# Visit http://localhost:8080 to see routes
# Check IngressRoutes
kubectl get ingressroute -A -o yaml | grep -A 20 drone
```
### Verify Certificate Status
```bash
# Check certificate status
kubectl describe certificate -n drone
# Check certificate secret
kubectl get secret -n drone | grep tls
# Test certificate with openssl
openssl s_client -connect drone.aipice.local:443 -servername drone.aipice.local
```
## 🛠️ Alternative: Disable Certificate Verification
If you can't fix the certificate immediately, you can configure your Git service to skip certificate verification:
### For Gitea
```ini
# In Gitea app.ini
[webhook]
SKIP_TLS_VERIFY = true
ALLOWED_HOST_LIST = private
```
### For GitLab
```ruby
# In gitlab.rb
gitlab_rails['webhook_timeout'] = 30
gitlab_rails['outbound_requests_whitelist'] = ['192.168.100.0/24']
gitlab_rails['webhook_ssl_verification'] = false
```
### For GitHub (if self-hosted)
In webhook configuration:
- ☐ Enable SSL verification (uncheck this)
## 🎯 Complete Working Example
Here's a complete working configuration:
```yaml
---
# Complete Drone CI IngressRoute with proper TLS
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: drone-aipice-local
namespace: drone
labels:
app: drone-server
spec:
entryPoints:
- websecure
routes:
- match: Host(`drone.aipice.local`)
kind: Rule
services:
- name: drone-server
port: 80
middlewares:
- name: drone-headers
tls:
certResolver: letsencrypt
domains:
- main: drone.aipice.local
---
# Optional: Add security headers
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: drone-headers
namespace: drone
spec:
headers:
customRequestHeaders:
X-Forwarded-Proto: https
customResponseHeaders:
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
```
Apply this configuration and your webhooks should work properly with valid TLS certificates!
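Review bot: Solution 1 and the Complete Working Example (`certResolver: letsencrypt` together with `domains: - main: drone.aipice.local`) cannot succeed as written, because `.local` is a reserved, non-public TLD and Let's Encrypt only issues for publicly resolvable names; unless `letsencrypt` is really the name of an internal ACME resolver, Traefik will keep falling back to the `traefik.default` certificate quoted in the Root Cause section, and the doc should say which issuer is actually in use. The same Solution 1 block also mixes two mechanisms: the cert-manager `Certificate` writes `secretName: wildcard-aipice-local-tls`, but the IngressRoute above it never references that secret (contrast Solution 3, where `tls: secretName: drone-tls-secret` does), so either drop the Certificate or point the IngressRoute at it with `tls: secretName: wildcard-aipice-local-tls`; likewise step 5 of Quick Fix Commands (`kubectl get certificate -n drone -w`) only observes cert-manager resources, not Traefik's own resolver. Finally, the Alternative section (`SKIP_TLS_VERIFY = true`, `webhook_ssl_verification = false`, unchecking "Enable SSL verification") turns off the very check that produced the x509 error and leaves webhook deliveries open to interception on the path between the Git service and Drone; it should be presented as a time-boxed workaround with a note to revert it, and the preferred fix is to add the internal CA to the Git service's trust store rather than disabling verification.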