add wildcard-tls, secret template, zerossl issuer

cert-manager/cloudflare-api-token-sealed-secret.yaml

@@ -1,22 +1,15 @@
-{
-  "kind": "SealedSecret",
-  "apiVersion": "bitnami.com/v1alpha1",
-  "metadata": {
-    "name": "cloudflare-api-token",
-    "namespace": "cert-manager",
-    "creationTimestamp": null
-  },
-  "spec": {
-    "template": {
-      "metadata": {
-        "name": "cloudflare-api-token",
-        "namespace": "cert-manager",
-        "creationTimestamp": null
-      },
-      "type": "Opaque"
-    },
-    "encryptedData": {
-      "api-token": "AgCmPQS5DA42mTgIdzb65CSLsSICWMey+rQwM77Jb+Ac1bWLwQ7/sAADvH6MjajKHMO9/Xy352UtVjmOS2GA97EF/8i466q7xGsrxdWJX+otdQBg0r38CDNH9C8MLPq463imUYVNgPfyszrhSM0DeV64dGeeE1mGFQJyJbcjoKiFkhXsVPv62yMY2hBi4fWEba0Yy8Ue6JlAaLvoT8gHWUpJm4/3R3juCsu0hsKFQHrvVqzCC0muR7Ufq/OzBHXWbeooO4b4/+lIOl1GTUijwl/dBldhNvb3AIGGIiJezEFtwvdn6NN1Dgoxr1v0iPskdzCb9PUi7huF33CAeYowRm4YvjzdtM/dWY7PZJ6RrWoqDXtHNhyEqZmnD40vG6QUnXmMcn84tnz8IKF5Ht1mLqN/lTWYCYWgoRz07zpbRggjxhN++VSJsZ1LzVRNWTIw24JGoWQWIEK1i9ibf2c+0CMFKk1go+aPz83q+a6fRjWaz7Lem6YZDiqIgwAyK1FTME4UGxFYhehrKep2j8CHy7S8k+sU6De61EehHhbHanmjur+3N6RRa9vP+oJ13Ezh88FyOfNrAks8NqOfP5GBfZuLmr2r9kJdza1zzZ7J/5Nt/DyTzFMBRC5R12CTNC3SvIz12jg70Z0Paz2VfljuQVyY36Wn2qnxI3319bQpWaLVto9GVg7b9sGLTu13nIUAs+ZyogMorTVnS0nH8JD+NrpPq8qUiKKN1JhOoGs+nk9cCjUlCZwLOqyf"
-    }
-  }
-}
+kind: SealedSecret
+apiVersion: bitnami.com/v1alpha1
+metadata:
+  name: cloudflare-api-token
+  namespace: cert-manager
+  creationTimestamp: null
+spec:
+  template:
+    metadata:
+      name: cloudflare-api-token
+      namespace: cert-manager
+      creationTimestamp: null
+    type: Opaque
+  encryptedData:
+    api-token: AgCmPQS5DA42mTgIdzb65CSLsSICWMey+rQwM77Jb+Ac1bWLwQ7/sAADvH6MjajKHMO9/Xy352UtVjmOS2GA97EF/8i466q7xGsrxdWJX+otdQBg0r38CDNH9C8MLPq463imUYVNgPfyszrhSM0DeV64dGeeE1mGFQJyJbcjoKiFkhXsVPv62yMY2hBi4fWEba0Yy8Ue6JlAaLvoT8gHWUpJm4/3R3juCsu0hsKFQHrvVqzCC0muR7Ufq/OzBHXWbeooO4b4/+lIOl1GTUijwl/dBldhNvb3AIGGIiJezEFtwvdn6NN1Dgoxr1v0iPskdzCb9PUi7huF33CAeYowRm4YvjzdtM/dWY7PZJ6RrWoqDXtHNhyEqZmnD40vG6QUnXmMcn84tnz8IKF5Ht1mLqN/lTWYCYWgoRz07zpbRggjxhN++VSJsZ1LzVRNWTIw24JGoWQWIEK1i9ibf2c+0CMFKk1go+aPz83q+a6fRjWaz7Lem6YZDiqIgwAyK1FTME4UGxFYhehrKep2j8CHy7S8k+sU6De61EehHhbHanmjur+3N6RRa9vP+oJ13Ezh88FyOfNrAks8NqOfP5GBfZuLmr2r9kJdza1zzZ7J/5Nt/DyTzFMBRC5R12CTNC3SvIz12jg70Z0Paz2VfljuQVyY36Wn2qnxI3319bQpWaLVto9GVg7b9sGLTu13nIUAs+ZyogMorTVnS0nH8JD+NrpPq8qUiKKN1JhOoGs+nk9cCjUlCZwLOqyf

cert-manager/zerossl-issuer.yaml

@@ -0,0 +1,31 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: zerossl
+spec:
+  acme:
+    # ZeroSSL ACME server
+    server: https://acme.zerossl.com/v2/DV90
+    email: zerossl@strudelline.net
+
+    # name of a secret used to store the ACME account private key
+    privateKeySecretRef:
+      name: zerossl-prod
+
+    # for each cert-manager new EAB credencials are required
+    externalAccountBinding:
+      keyID: DvBIRvg60WXIE9lIg-6g3Q
+      keySecretRef:
+        name: zerossl-eab
+        key: key
+
+    # ACME DNS-01 provider configurations to verify domain
+    solvers:
+    - selector: {}
+      dns01:
+        cloudflare:
+          email: cloudflare@strudelline.net
+          apiTokenSecretRef:
+            name: cloudflare-api-token
+            key: api-token
+

cert-manager/zerossl-prod-sealed-secret.yaml

@@ -0,0 +1,16 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: zerossl-prod
+  namespace: cert-manager
+spec:
+  encryptedData:
+    tls.key: AgC7pjUPZ7ol+gtMApnWy2+NroDpQgRLryj1M1qZbSTDT8vdua4z8zDoXDmi6g1i0VaHg1n6upzwVJ6WqQqlnYqeG+JzRWDeyP2G9aJF2DxvnukQxF15lPCwpKKO3qdQ4jBYPlHuPe3xFT0PLY6wDiTGDBQwHHyialTh5KQtMituYJUueYkfWo5WukMKEr66w0TjsvBY8EhV7cpRCddhtW1KnIpIuewb/bQDqXgbpaXMw4vHmeT+MwSjsIvWoN6dufsL7+IjGCJo0+gFb7P7Od/iwoqhQ5FyWWZWVgVxy07Socxlg0AIvophLaLboODDNZmyZ1NsVbARn9U7HA+PcZn75oY1qWVetDsbudr9esU4f7UxtdwQCb6MkCM/v0eUgizN5ttn0RLJWMlyNFzXYAnFcFg9amnY1UXWLYV+X+jFOifTFJg/S+KVhOWkH+xvkG161citPIyFNf5NEHTHHES04WAe9Onm/BvmWjZAjtQ9SdSkdC/O1uUmEqw4QRzFzQmo+Gm320zKXkku2S4LPgM5TbRB80plF95dWbac80Z4IM2gT7xnaovezLCTvK4F76rCkt6tAd/FZu2Ryo8VSSgbri1DGZ0DwFvG7ZgD7nif7JpO+9M7jIf2g+3osIUHxMhVygjj6fl0w5sYzsTbZCxk1Zdt7/Ifm2QY9Pvoh2R5kRrmZ7z2ho/2go0yhTgJ2t2iORRfQw8oPizUHGOzHfML5F5wQEi9sTAV2BaZLOMIByWU8co904+XcmD5wf2WZf1qyOKFl/HAyOUTboE+B2tzYIPwQmllTtD7Q2V/6QtGiq6GGEhZXrggOIKdrzO9LqE/0e259JELhfFARGfIXMfpfew4rfJfcstt7soBTyMe+kpGQ7tKcyXtQNMK5I+cAdgbMpcMwnOtMqhDolUDLIFdJyIdcooGFElRDs6ito4+Z5bFYp02pnNIcbm5kUAdrKE5YvF633BA6bALdY6u/axqe4aHci+5VBX/If8FBuQnvQVRryXCkRBPRFFN6dynC3NSfRXt4NqUUhfwXgCOyyK+HEbk5KnYNqTWKPaIRBScu0Xq//W/XQm72uDyRHApa72qDxhz4bftdxjPg7s4qc/DtL8BZfeKWGw78Nw49Dp/hDzLt6kdKEkpk6wri1Vx1sVse3rWUlHJ413YKUzk24ayc5HaZ4aQn8eKg6fcjLUqSt7ay17JxRak94woluUosW5WMWxYWiIBgyxqkHy3jogxIbpuchtGMOaetKAsWadepcG0/33RU7aeB0F2DJCRZZCYjYFgqdyIQbYDVjge/oAQ//6GWN+Y+TiseEq1gMOlVlZ+lZx3/fCG5rL3olbmPzC5kOp7M6xi7rcQDSxJL5STDJeb2THqqRhSlyKKpcftwsLNpl+vQoA+/mq9LuidIqHS7qRBd4y+ws8XfPdQdMIee2BSHT/F1qGzwPkV/AmpH3xA9hqpK3QvOwi9749DM3hTsJ7Gz118krlNQaCrElmvOR6EXsFQQMin476zG4G3jNLh4ClM6jX5JGuLsYCTJgX+a0emELvaTlCSJV7uhf/rMLTEHyJ21CE12e31VNr3algsfNcq5mqVoHtP6SlxdTRzNvdOAotiAPZ0sNYH9oqhhAt3IP1pay5VWYgSMLJENsUl/59wJm5V/mrwDtCKMPmen6jaPCRjCmi7Y7J4svdLU1ydP/2QTY29JW4fENA4BBeU5nRVWtPRdzBN87ZfCSrk2/zNGJ4agGkBZpekeABkZa51fims6Udsh2u9mwSCaHGpytyrlSdkgtxW9hrxkeRHrV8k0RlaAkGhC29u268jJEHcepOTCXo8vQy0X0LzEp/JwlEvIq6oJtnSaEldt/rVdXc735n69p1iAnGNY4knm2G4wETzkJzgvYaPRHBtOZffVIbtzMZJL2cnnQ1AtW3L/1Sqc+IBqtxToLk2yibKT7jrLNS0gb23YsaMW68XZmnGCOV89xS2iBDuc0rebeS7rSdZeitB8N/+3Oxtsnnx97BLJ8jgnMjxJEIHpTiPdQZPC7HcmZpUuBPU6fNFAUWb9RpPBP/0i3St1iMz9kxquEvz0z3nRiLFXaVlx2hqAoI0ZdNKNur6WDjddfmnLbC0l7b75NnpSBdVgtKbKoztAZ7y51lICNr5MwTitmkPM55aPHyJeYZsX8GilkWztq0MZuecuUAZmqCy0N5VTNeAGLjUZci10v93rv8F2w/iN0x7FNjxnVeREJtuIt51jkITGT9t/skWM7lwWd32Ao79hJvCyeNwkiGYiiXfmAOuyMH2kNk7DbpuTTjgIplnsZzCTtnhrfi+xdqOldbFkMnpbmkPyGQI2K0ac8KNC6b/DuV6S5QlnuesqMgFSVPzMOtNoBY/oBiYTMIvwPB19Ez8NDeph6Ny+LL4rO2caAHL82lYn9hxuXp/jxpXSilJPIBk7MzfnN34mVqK9rKv9rOFqEemMc+ZLwukhKEpycbZY1+5YtQswEDZ62oHenA659+J7SJb5bQcmT/GwAAiFIsWB8Q6c/7us+5PPgWho/IR4QFLY4ZwrGtm2u//lYcSqQupiJC2lTnFzI0Lf0fH8rnH+xMQZZNRWEqG7Ow+bAPjjXsBYjNAutEsyUHkYBUOsxvLzwL1KZz4osNJNZL3ylAWPyylhfB7BxUv5b2Utq7JWKd6C/rrgTyszdU3ddJOYj+g5FKPyIgmsHJCPoL2EJS6/u+Wm2CRbqvFw5p5mF8sl54bsYJK5BZIZRJn98CRk7AhEKFhpul8wCWrwZSAoR0Ko/Ee8DxinygTPavVGppuMngzOiPpnAiGTjps7Vx40J9jCIdtT4yM8fIqnnXwuxI8GZc63GvC9uURbY16wEwM+yKEB8yGcyaIwNRlvqt+3FAv/88Ea0bz5GPXFspQuDjAYgplvRF0HJPY83VCStzcAk+M5RFkgAoaBlRw
+  template:
+    metadata:
+      creationTimestamp: null
+      name: zerossl-prod
+      namespace: cert-manager
+    type: Opaque
+

wildcard-tls/disable-ns.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+
+kubectl label ns "$1" wildcard-tls.kn8v.com/copy=false --overwrite
+
+echo deleting secret from namespace
+kubectl delete -n "$1" secret/wildcard-tls

wildcard-tls/enable-ns.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+
+kubectl label ns "$1" wildcard-tls.kn8v.com/copy=true --overwrite
+
+echo -n 'waiting for secret to exist...'
+
+while true;do
+  kubectl get -n "$1" secret/wildcard-tls > /dev/null 2>&1 && break || echo -n .
+  sleep 2
+done
+echo done

wildcard-tls/ns-copy-secret-template.yaml

@@ -0,0 +1,15 @@
+---
+kind: Template
+apiVersion: templating.flanksource.com/v1
+metadata:
+  name: copy-wildcard-tls
+spec:
+  source:
+    apiVersion: v1
+    kind: Secret 
+    fieldSelector: "metadata.name==wildcard-tls,metadata.namespace==wildcard-tls"
+  copyToNamespaces:
+    # selects on the Namespace label 
+    namespaceSelector:
+      matchLabels:
+        wildcard-tls.kn8v.com/copy: "true"

wildcard-tls/ns.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: wildcard-tls

wildcard-tls/wildcard-tls.yaml

@@ -0,0 +1,17 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: wildcard-tls
+  namespace: wildcard-tls
+spec:
+  secretName: wildcard-tls-root
+  issuerRef:
+    name: zerossl
+    kind: ClusterIssuer
+  dnsNames:
+  - strudelline.net
+  - '*.strudelline.net'
+  - werts.us
+  - '*.werts.us'
+  - kn8v.com
+  - '*.kn8v.com'