From 21e189736cdad03d16b7bb0face3d04539b66fb7 Mon Sep 17 00:00:00 2001
From: James Andariese
Date: Thu, 27 Apr 2023 21:07:31 -0500
Subject: [PATCH] add syno-tls

---
 syno-tls/ns.yaml           |  4 ++++
 syno-tls/regen.sh          | 25 +++++++++++++++++++++++++
 syno-tls/synology-tls.yaml | 17 +++++++++++++++++
 3 files changed, 46 insertions(+)
 create mode 100644 syno-tls/ns.yaml
 create mode 100644 syno-tls/regen.sh
 create mode 100644 syno-tls/synology-tls.yaml

diff --git a/syno-tls/ns.yaml b/syno-tls/ns.yaml
new file mode 100644
index 0000000..8b65a00
--- /dev/null
+++ b/syno-tls/ns.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: syno-tls
diff --git a/syno-tls/regen.sh b/syno-tls/regen.sh
new file mode 100644
index 0000000..16a31cc
--- /dev/null
+++ b/syno-tls/regen.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+# this is not necessary, usually. there is a proxy in docker/haproxy which is
+# the new reverse proxy on the synology. it has an update-tls.sh script which
+# does the below but also loads it properly into the container.
+# this is for debugging!
+
+set -e
+set -x
+
+kubectl -n syno-tls replace --force -f synology-tls.yaml
+kubectl -n syno-tls wait cert/syno-tls --for=condition=Ready
+
+SECRET="$(kubectl -n syno-tls get secret syno-tls -o json)"
+
+CRT="$(echo "$SECRET" | jq -r '.data["tls.crt"] | @base64d "\(.)"')"
+KEY="$(echo "$SECRET" | jq -r '.data["tls.key"] | @base64d "\(.)"')"
+CA="$( echo "$SECRET" | jq -r '.data["ca.crt"] | @base64d "\(.)"')"
+
+echo "$KEY" > tls.key
+echo "$CRT" | awk '/-----BEGIN/ {seg+=1;blk=1} seg==1&&blk {print} /------END/ {blk=0}' > tls.crt
+echo "$CRT" | awk '/-----BEGIN/ {seg+=1;blk=1} seg>1&&blk {print} /------END/ {blk=0}' > int.crt
+echo "$CA" > ca.crt
+
+wait
diff --git a/syno-tls/synology-tls.yaml b/syno-tls/synology-tls.yaml
new file mode 100644
index 0000000..c55fa70
--- /dev/null
+++ b/syno-tls/synology-tls.yaml
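Review bot: `set -x` on line 9 of the new regen.sh is enabled before the secret is fetched, so bash's trace prints the `SECRET=` assignment and the `echo "$SECRET"` pipelines with their full values, putting the base64-encoded `tls.key` on stderr (and in any captured terminal log) on every run; move `set -x` below the secret handling or bracket that section with `set +x` … `set -x`, and add `umask 077` before `echo "$KEY" > tls.key` so the key file is not created with the default world-readable mode. The awk END pattern on the `tls.crt` and `int.crt` lines has six dashes (`/------END/`) where PEM markers have five, so `blk=0` never fires and the split only works because the `seg` counter happens to carry it; change both to `/-----END/`. On the `ca.crt` line, `@base64d "\(.)"` applied to a missing key decodes the literal string `null` into three junk bytes, so if this issuer does not populate `ca.crt` the file is garbage rather than empty — `.data["ca.crt"] // empty | @base64d` avoids that. The trailing `wait` has no background jobs to reap and can be dropped.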
@@ -0,0 +1,17 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: syno-tls
+  namespace: syno-tls
+spec:
+  secretName: syno-tls
+  issuerRef:
+    name: zerossl
+    kind: ClusterIssuer
+  dnsNames:
+  - strudelline.net
+  - werts.us
+  - '*.strudelline.net'
+  - '*.minio.strudelline.net'
+  - '*.cascade.strudelline.net'
+  - '*.werts.us'
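Review bot: The Certificate spec leaves `privateKey.rotationPolicy` at cert-manager's documented default (Never), so each renewal re-signs the same key that regen.sh copies out to plain files; since the key is exported outside the cluster, `spec.privateKey: {rotationPolicy: Always}` would make a renewal also retire any copied key. One key pair here covers two apex names and four wildcards, so any reader of the `syno-tls` secret holds a credential for all six — if that scope is intended, a short comment in the file saying so would save the next reviewer the question.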