Maison/arti-api/auth-service/pipeline/TRAEFIK-DRONE-TLS-FIX.md

# Traefik Certificate Fix for drone.aipice.local

The error indicates that Traefik is serving a default certificate instead of a proper certificate for `drone.aipice.local`.

## 🔍 Root Cause

```
x509: certificate is valid for a7b8f3b8fd415b0fbd62e803b96eec90.d8282a75d7bf97aa2eb0bd7c2d927f85.traefik.default, not drone.aipice.local
```

This means:
- Traefik is using a default/fallback certificate
- No proper certificate configured for `drone.aipice.local`
- The domain doesn't match the certificate

## 🚀 Solutions

### Solution 1: Create Proper IngressRoute for Drone

Create a proper Traefik IngressRoute for your Drone CI:

```yaml
---
# drone-ingressroute.yaml
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: drone-ci
  namespace: drone  # Adjust to your Drone namespace
spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`drone.aipice.local`)
    kind: Rule
    services:
    - name: drone-server  # Your Drone service name
      port: 80
  tls:
    certResolver: letsencrypt
    domains:
    - main: drone.aipice.local
---
# If you need a wildcard certificate for *.aipice.local
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-aipice-local
  namespace: drone
spec:
  secretName: wildcard-aipice-local-tls
  issuerRef:
    name: letsencrypt
    kind: ClusterIssuer
  commonName: "*.aipice.local"
  dnsNames:
  - "aipice.local"
  - "*.aipice.local"
```

### Solution 2: Update Drone Helm Values (if using Helm)

If you're using Helm to deploy Drone:

```yaml
# drone-values.yaml
ingress:
  enabled: true
  className: traefik
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
    cert-manager.io/cluster-issuer: letsencrypt
  hosts:
    - host: drone.aipice.local
      paths:
        - path: /
          pathType: Prefix
  tls:
    - secretName: drone-aipice-local-tls
      hosts:
        - drone.aipice.local
```

### Solution 3: Manual Certificate Creation

Create a certificate manually for `drone.aipice.local`:

```yaml
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: drone-aipice-local-cert
  namespace: drone
spec:
  secretName: drone-tls-secret
  issuerRef:
    name: letsencrypt
    kind: ClusterIssuer
  commonName: drone.aipice.local
  dnsNames:
  - drone.aipice.local
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: drone-secure
  namespace: drone
spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`drone.aipice.local`)
    kind: Rule
    services:
    - name: drone-server
      port: 80
  tls:
    secretName: drone-tls-secret
```

## 🔧 Quick Fix Commands

```bash
# 1. Check current Drone IngressRoute
kubectl get ingressroute -A | grep drone

# 2. Check current certificates
kubectl get certificates -A | grep drone

# 3. Check Traefik logs for certificate issues
kubectl logs -n traefik deployment/traefik | grep drone

# 4. Apply the fixed IngressRoute
kubectl apply -f drone-ingressroute.yaml

# 5. Wait for certificate to be issued
kubectl get certificate -n drone -w
```

## 🕵️ Debugging Steps

### Check Current Drone Service

```bash
# Find your Drone service
kubectl get svc -A | grep drone

# Check the service details
kubectl describe svc drone-server -n drone
```

### Check Traefik Configuration

```bash
# Check Traefik dashboard for routing
kubectl port-forward -n traefik svc/traefik 8080:8080
# Visit http://localhost:8080 to see routes

# Check IngressRoutes
kubectl get ingressroute -A -o yaml | grep -A 20 drone
```

### Verify Certificate Status

```bash
# Check certificate status
kubectl describe certificate -n drone

# Check certificate secret
kubectl get secret -n drone | grep tls

# Test certificate with openssl
openssl s_client -connect drone.aipice.local:443 -servername drone.aipice.local
```

## 🛠️ Alternative: Disable Certificate Verification

If you can't fix the certificate immediately, you can configure your Git service to skip certificate verification:

### For Gitea

```ini
# In Gitea app.ini
[webhook]
SKIP_TLS_VERIFY = true
ALLOWED_HOST_LIST = private
```

### For GitLab

```ruby
# In gitlab.rb
gitlab_rails['webhook_timeout'] = 30
gitlab_rails['outbound_requests_whitelist'] = ['192.168.100.0/24']
gitlab_rails['webhook_ssl_verification'] = false
```

### For GitHub (if self-hosted)

In webhook configuration:
- ☐ Enable SSL verification (uncheck this)

## 🎯 Complete Working Example

Here's a complete working configuration:

```yaml
---
# Complete Drone CI IngressRoute with proper TLS
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: drone-aipice-local
  namespace: drone
  labels:
    app: drone-server
spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`drone.aipice.local`)
    kind: Rule
    services:
    - name: drone-server
      port: 80
    middlewares:
    - name: drone-headers
  tls:
    certResolver: letsencrypt
    domains:
    - main: drone.aipice.local
---
# Optional: Add security headers
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: drone-headers
  namespace: drone
spec:
  headers:
    customRequestHeaders:
      X-Forwarded-Proto: https
    customResponseHeaders:
      X-Frame-Options: DENY
      X-Content-Type-Options: nosniff
```

Apply this configuration and your webhooks should work properly with valid TLS certificates!