From 2caec3a57a9b3864e3b40d0dd0fcd8e46db78a9b Mon Sep 17 00:00:00 2001
From: James Andariese
Date: Fri, 28 Apr 2023 08:37:36 -0500
Subject: [PATCH] add wildcard-tls, secret template, zerossl issuer
---
.../cloudflare-api-token-sealed-secret.yaml | 37 ++++++++-----------
cert-manager/zerossl-issuer.yaml | 31 ++++++++++++++++
cert-manager/zerossl-prod-sealed-secret.yaml | 16 ++++++++
wildcard-tls/disable-ns.sh | 6 +++
wildcard-tls/enable-ns.sh | 11 ++++++
wildcard-tls/ns-copy-secret-template.yaml | 15 ++++++++
wildcard-tls/ns.yaml | 4 ++
wildcard-tls/wildcard-tls.yaml | 17 +++++++++
8 files changed, 115 insertions(+), 22 deletions(-)
create mode 100644 cert-manager/zerossl-issuer.yaml
create mode 100644 cert-manager/zerossl-prod-sealed-secret.yaml
create mode 100644 wildcard-tls/disable-ns.sh
create mode 100644 wildcard-tls/enable-ns.sh
create mode 100644 wildcard-tls/ns-copy-secret-template.yaml
create mode 100644 wildcard-tls/ns.yaml
create mode 100644 wildcard-tls/wildcard-tls.yaml
diff --git a/cert-manager/cloudflare-api-token-sealed-secret.yaml b/cert-manager/cloudflare-api-token-sealed-secret.yaml
index 554e264..bc44294 100644
--- a/cert-manager/cloudflare-api-token-sealed-secret.yaml
+++ b/cert-manager/cloudflare-api-token-sealed-secret.yaml
@@ -1,22 +1,15 @@
-{
- "kind": "SealedSecret",
- "apiVersion": "bitnami.com/v1alpha1",
- "metadata": {
- "name": "cloudflare-api-token",
- "namespace": "cert-manager",
- "creationTimestamp": null
- },
- "spec": {
- "template": {
- "metadata": {
- "name": "cloudflare-api-token",
- "namespace": "cert-manager",
- "creationTimestamp": null
- },
- "type": "Opaque"
- },
- "encryptedData": {
- "api-token": "AgCmPQS5DA42mTgIdzb65CSLsSICWMey+rQwM77Jb+Ac1bWLwQ7/sAADvH6MjajKHMO9/Xy352UtVjmOS2GA97EF/8i466q7xGsrxdWJX+otdQBg0r38CDNH9C8MLPq463imUYVNgPfyszrhSM0DeV64dGeeE1mGFQJyJbcjoKiFkhXsVPv62yMY2hBi4fWEba0Yy8Ue6JlAaLvoT8gHWUpJm4/3R3juCsu0hsKFQHrvVqzCC0muR7Ufq/OzBHXWbeooO4b4/+lIOl1GTUijwl/dBldhNvb3AIGGIiJezEFtwvdn6NN1Dgoxr1v0iPskdzCb9PUi7huF33CAeYowRm4YvjzdtM/dWY7PZJ6RrWoqDXtHNhyEqZmnD40vG6QUnXmMcn84tnz8IKF5Ht1mLqN/lTWYCYWgoRz07zpbRggjxhN++VSJsZ1LzVRNWTIw24JGoWQWIEK1i9ibf2c+0CMFKk1go+aPz83q+a6fRjWaz7Lem6YZDiqIgwAyK1FTME4UGxFYhehrKep2j8CHy7S8k+sU6De61EehHhbHanmjur+3N6RRa9vP+oJ13Ezh88FyOfNrAks8NqOfP5GBfZuLmr2r9kJdza1zzZ7J/5Nt/DyTzFMBRC5R12CTNC3SvIz12jg70Z0Paz2VfljuQVyY36Wn2qnxI3319bQpWaLVto9GVg7b9sGLTu13nIUAs+ZyogMorTVnS0nH8JD+NrpPq8qUiKKN1JhOoGs+nk9cCjUlCZwLOqyf"
- }
- }
-}
+kind: SealedSecret
+apiVersion: bitnami.com/v1alpha1
+metadata:
+ name: cloudflare-api-token
+ namespace: cert-manager
+ creationTimestamp: null
+spec:
+ template:
+ metadata:
+ name: cloudflare-api-token
+ namespace: cert-manager
+ creationTimestamp: null
+ type: Opaque
+ encryptedData:
+ api-token: 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
diff --git a/cert-manager/zerossl-issuer.yaml b/cert-manager/zerossl-issuer.yaml
new file mode 100644
index 0000000..995a6d6
--- /dev/null
+++ b/cert-manager/zerossl-issuer.yaml
@@ -0,0 +1,31 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: zerossl
+spec:
+ acme:
+ # ZeroSSL ACME server
+ server: https://acme.zerossl.com/v2/DV90
+ email: zerossl@strudelline.net
+
+ # name of a secret used to store the ACME account private key
+ privateKeySecretRef:
+ name: zerossl-prod
+
+ # for each cert-manager new EAB credencials are required
+ externalAccountBinding:
+ keyID: DvBIRvg60WXIE9lIg-6g3Q
+ keySecretRef:
+ name: zerossl-eab
+ key: key
+
+ # ACME DNS-01 provider configurations to verify domain
+ solvers:
+ - selector: {}
+ dns01:
+ cloudflare:
+ email: cloudflare@strudelline.net
+ apiTokenSecretRef:
+ name: cloudflare-api-token
+ key: api-token
+
diff --git a/cert-manager/zerossl-prod-sealed-secret.yaml b/cert-manager/zerossl-prod-sealed-secret.yaml
new file mode 100644
index 0000000..ed34e74
--- /dev/null
+++ b/cert-manager/zerossl-prod-sealed-secret.yaml
@@ -0,0 +1,16 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ creationTimestamp: null
+ name: zerossl-prod
+ namespace: cert-manager
+spec:
+ encryptedData:
+ tls.key: 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
+ template:
+ metadata:
+ creationTimestamp: null
+ name: zerossl-prod
+ namespace: cert-manager
+ type: Opaque
+
diff --git a/wildcard-tls/disable-ns.sh b/wildcard-tls/disable-ns.sh
new file mode 100644
index 0000000..ff9b6b0
--- /dev/null
+++ b/wildcard-tls/disable-ns.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+kubectl label ns "$1" wildcard-tls.kn8v.com/copy=false --overwrite
+
+echo deleting secret from namespace
+kubectl delete -n "$1" secret/wildcard-tls
diff --git a/wildcard-tls/enable-ns.sh b/wildcard-tls/enable-ns.sh
new file mode 100644
index 0000000..3d6f22f
--- /dev/null
+++ b/wildcard-tls/enable-ns.sh
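Review bot: `externalAccountBinding.keySecretRef` points at a Secret `zerossl-eab` (key `key`) in `cert-manager` that this commit does not create — only the `zerossl-prod` account key is sealed alongside — so the ClusterIssuer cannot register its ACME account until that HMAC key is supplied out of band, and a `zerossl-eab` SealedSecret next to `zerossl-prod-sealed-secret.yaml` would keep the issuer self-contained. The `keyID` is the public identifier of the EAB pair and is fine to commit, but the comment above it should say so and fix the typo: `# EAB key ID (public); the matching HMAC key lives in the zerossl-eab Secret`. As I read cert-manager's Cloudflare solver docs, `email:` under `cloudflare:` is only used with `apiKeySecretRef`, so with `apiTokenSecretRef` it is dead configuration and can be dropped. The `selector: {}` solver matches every Certificate that uses this issuer, which the wildcard setup needs, but it also means the Cloudflare token must carry DNS:Edit on every zone any future Certificate will request — worth a one-line comment so nobody widens the token's scope by accident.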
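Review bot: The script has neither `set -euo pipefail` nor an argument check, so when run with no namespace the `kubectl label` call fails but execution continues to `kubectl delete -n "" secret/wildcard-tls`, which — as far as I can tell from kubectl's flag handling — falls back to the current context's namespace rather than erroring, deleting a copied wildcard secret the operator did not intend to touch. Add at the top: `set -euo pipefail` and `[ -n "${1:-}" ] || { echo "usage: $0 <namespace>" >&2; exit 1; }`. The delete also presumably races the templating controller: if the label change has not been reconciled when the secret is removed, the copy may be re-created, so a comment stating that the controller is expected to stop copying once the label reads `false` would document the assumption.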
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+kubectl label ns "$1" wildcard-tls.kn8v.com/copy=true --overwrite
+
+echo -n 'waiting for secret to exist...'
+
+while true;do
+ kubectl get -n "$1" secret/wildcard-tls > /dev/null 2>&1 && break || echo -n .
+ sleep 2
+done
+echo done
diff --git a/wildcard-tls/ns-copy-secret-template.yaml b/wildcard-tls/ns-copy-secret-template.yaml
new file mode 100644
index 0000000..c3779ae
--- /dev/null
+++ b/wildcard-tls/ns-copy-secret-template.yaml
@@ -0,0 +1,15 @@
+---
+kind: Template
+apiVersion: templating.flanksource.com/v1
+metadata:
+ name: copy-wildcard-tls
+spec:
+ source:
+ apiVersion: v1
+ kind: Secret
+ fieldSelector: "metadata.name==wildcard-tls,metadata.namespace==wildcard-tls"
+ copyToNamespaces:
+ # selects on the Namespace label
+ namespaceSelector:
+ matchLabels:
+ wildcard-tls.kn8v.com/copy: "true"
diff --git a/wildcard-tls/ns.yaml b/wildcard-tls/ns.yaml
new file mode 100644
index 0000000..0e0c06d
--- /dev/null
+++ b/wildcard-tls/ns.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: wildcard-tls
diff --git a/wildcard-tls/wildcard-tls.yaml b/wildcard-tls/wildcard-tls.yaml
new file mode 100644
index 0000000..758e594
--- /dev/null
+++ b/wildcard-tls/wildcard-tls.yaml
@@ -0,0 +1,17 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: wildcard-tls
+ namespace: wildcard-tls
+spec:
+ secretName: wildcard-tls-root
+ issuerRef:
+ name: zerossl
+ kind: ClusterIssuer
+ dnsNames:
+ - strudelline.net
+ - '*.strudelline.net'
+ - werts.us
+ - '*.werts.us'
+ - kn8v.com
+ - '*.kn8v.com'
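Review bot: The `while true` loop has no upper bound, so if the templating controller is down, the Template's selector does not match this namespace, or the namespace name is mistyped, the script hangs forever printing dots instead of failing; a bounded wait that exits non-zero lets an operator or CI job notice. The script also lacks `set -euo pipefail` and a check that `$1` is set, so a missing argument labels nothing and then polls a namespace it never named. A bounded replacement for the wait loop:
```shell
# … unchanged: shebang and kubectl label …
echo -n 'waiting for secret to exist...'
tries=0
until kubectl get -n "$1" secret/wildcard-tls > /dev/null 2>&1; do
  tries=$((tries + 1))
  if [ "$tries" -ge 60 ]; then
    echo ' timed out' >&2
    exit 1
  fi
  echo -n .
  sleep 2
done
echo done
```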
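Review bot: The label `wildcard-tls.kn8v.com/copy: "true"` becomes a privilege boundary with this Template: any principal allowed to `update` or `patch` Namespaces can label a namespace and receive the private key for `*.strudelline.net`, `*.werts.us` and `*.kn8v.com`, so the manifest should be paired with RBAC (or an admission policy) that keeps setting this label to cluster administrators. Nothing in the file says this; a comment above `namespaceSelector` such as `# Every namespace carrying this label receives the wildcard private key — restrict who may set it` makes the trust assumption explicit. It is also worth confirming what the copied Secret looks like: if the controller copies cert-manager's annotations along with the data, a second cert-manager instance or a GC rule could treat the copies as managed — I cannot tell from this file how the flanksource Template strips metadata.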
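Review bot: `secretName: wildcard-tls-root` does not match what the rest of this commit consumes — the Template's `fieldSelector` copies `metadata.name==wildcard-tls` from this namespace and `enable-ns.sh` waits for `secret/wildcard-tls` — so unless something outside this commit republishes `wildcard-tls-root` under the name `wildcard-tls`, no copy will ever be produced; either align the names or add a comment such as `# republished as secret/wildcard-tls by <mechanism> before fan-out to other namespaces`. Because this single key covers three apex domains plus their wildcards and is fanned out to every opted-in namespace, add `privateKey:` / `  rotationPolicy: Always` under `spec:` so each renewal gets a fresh key; at the cert-manager versions current for this commit the default is to reuse the existing key, so a key leaked from any receiving namespace would stay valid across renewals. Consider one Certificate per zone as well, so a compromise in a namespace that only needs `*.kn8v.com` does not also expose the other two zones.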