add syno-tls

syno-tls/ns.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: syno-tls

syno-tls/regen.sh

@@ -0,0 +1,25 @@
+#!/bin/bash
+
+# this is not necessary, usually.  there is a proxy in docker/haproxy which is
+# the new reverse proxy on the synology.  it has an update-tls.sh script which
+# does the below but also loads it properly into the container.
+# this is for debugging!
+
+set -e
+set -x
+
+kubectl -n syno-tls replace --force -f synology-tls.yaml
+kubectl -n syno-tls wait cert/syno-tls --for=condition=Ready
+
+SECRET="$(kubectl -n syno-tls get secret syno-tls -o json)"
+
+CRT="$(echo "$SECRET" | jq -r '.data["tls.crt"] | @base64d "\(.)"')"
+KEY="$(echo "$SECRET" | jq -r '.data["tls.key"] | @base64d "\(.)"')"
+CA="$( echo "$SECRET" | jq -r '.data["ca.crt"] | @base64d "\(.)"')"
+
+echo "$KEY" > tls.key
+echo "$CRT" | awk '/-----BEGIN/ {seg+=1;blk=1} seg==1&&blk {print} /------END/ {blk=0}' > tls.crt
+echo "$CRT" | awk '/-----BEGIN/ {seg+=1;blk=1} seg>1&&blk {print} /------END/ {blk=0}' > int.crt
+echo "$CA" > ca.crt
+
+wait

syno-tls/synology-tls.yaml

@@ -0,0 +1,17 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: syno-tls
+  namespace: syno-tls
+spec:
+  secretName: syno-tls
+  issuerRef:
+    name: zerossl
+    kind: ClusterIssuer
+  dnsNames:
+  - strudelline.net
+  - werts.us
+  - '*.strudelline.net'
+  - '*.minio.strudelline.net'
+  - '*.cascade.strudelline.net'
+  - '*.werts.us'