infra/kube-cascade
3
1
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

add wildcard-tls, secret template, zerossl issuer

Browse Source
This commit is contained in:
James Andariese 2023-04-28 08:37:36 -05:00
parent d5156c033b
commit 2caec3a57a
8 changed files with 115 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
cert-manager/cloudflare-api-token-sealed-secret.yaml
View File

@ -1,22 +1,15 @@
{ kind: SealedSecret
"kind": "SealedSecret", apiVersion: bitnami.com/v1alpha1
"apiVersion": "bitnami.com/v1alpha1", metadata:
"metadata": { name: cloudflare-api-token
"name": "cloudflare-api-token", namespace: cert-manager
"namespace": "cert-manager", creationTimestamp: null
"creationTimestamp": null spec:
}, template:
"spec": { metadata:
"template": { name: cloudflare-api-token
"metadata": { namespace: cert-manager
"name": "cloudflare-api-token", creationTimestamp: null
"namespace": "cert-manager", type: Opaque
"creationTimestamp": null encryptedData:
}, api-token: AgCmPQS5DA42mTgIdzb65CSLsSICWMey+rQwM77Jb+Ac1bWLwQ7/sAADvH6MjajKHMO9/Xy352UtVjmOS2GA97EF/8i466q7xGsrxdWJX+otdQBg0r38CDNH9C8MLPq463imUYVNgPfyszrhSM0DeV64dGeeE1mGFQJyJbcjoKiFkhXsVPv62yMY2hBi4fWEba0Yy8Ue6JlAaLvoT8gHWUpJm4/3R3juCsu0hsKFQHrvVqzCC0muR7Ufq/OzBHXWbeooO4b4/+lIOl1GTUijwl/dBldhNvb3AIGGIiJezEFtwvdn6NN1Dgoxr1v0iPskdzCb9PUi7huF33CAeYowRm4YvjzdtM/dWY7PZJ6RrWoqDXtHNhyEqZmnD40vG6QUnXmMcn84tnz8IKF5Ht1mLqN/lTWYCYWgoRz07zpbRggjxhN++VSJsZ1LzVRNWTIw24JGoWQWIEK1i9ibf2c+0CMFKk1go+aPz83q+a6fRjWaz7Lem6YZDiqIgwAyK1FTME4UGxFYhehrKep2j8CHy7S8k+sU6De61EehHhbHanmjur+3N6RRa9vP+oJ13Ezh88FyOfNrAks8NqOfP5GBfZuLmr2r9kJdza1zzZ7J/5Nt/DyTzFMBRC5R12CTNC3SvIz12jg70Z0Paz2VfljuQVyY36Wn2qnxI3319bQpWaLVto9GVg7b9sGLTu13nIUAs+ZyogMorTVnS0nH8JD+NrpPq8qUiKKN1JhOoGs+nk9cCjUlCZwLOqyf
"type": "Opaque"
},
"encryptedData": {
"api-token": "AgCmPQS5DA42mTgIdzb65CSLsSICWMey+rQwM77Jb+Ac1bWLwQ7/sAADvH6MjajKHMO9/Xy352UtVjmOS2GA97EF/8i466q7xGsrxdWJX+otdQBg0r38CDNH9C8MLPq463imUYVNgPfyszrhSM0DeV64dGeeE1mGFQJyJbcjoKiFkhXsVPv62yMY2hBi4fWEba0Yy8Ue6JlAaLvoT8gHWUpJm4/3R3juCsu0hsKFQHrvVqzCC0muR7Ufq/OzBHXWbeooO4b4/+lIOl1GTUijwl/dBldhNvb3AIGGIiJezEFtwvdn6NN1Dgoxr1v0iPskdzCb9PUi7huF33CAeYowRm4YvjzdtM/dWY7PZJ6RrWoqDXtHNhyEqZmnD40vG6QUnXmMcn84tnz8IKF5Ht1mLqN/lTWYCYWgoRz07zpbRggjxhN++VSJsZ1LzVRNWTIw24JGoWQWIEK1i9ibf2c+0CMFKk1go+aPz83q+a6fRjWaz7Lem6YZDiqIgwAyK1FTME4UGxFYhehrKep2j8CHy7S8k+sU6De61EehHhbHanmjur+3N6RRa9vP+oJ13Ezh88FyOfNrAks8NqOfP5GBfZuLmr2r9kJdza1zzZ7J/5Nt/DyTzFMBRC5R12CTNC3SvIz12jg70Z0Paz2VfljuQVyY36Wn2qnxI3319bQpWaLVto9GVg7b9sGLTu13nIUAs+ZyogMorTVnS0nH8JD+NrpPq8qUiKKN1JhOoGs+nk9cCjUlCZwLOqyf"
}
}
}

31
cert-manager/zerossl-issuer.yaml Normal file
View File

@ -0,0 +1,31 @@
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: zerossl
spec:
acme:
# ZeroSSL ACME server
server: https://acme.zerossl.com/v2/DV90
email: zerossl@strudelline.net
# name of a secret used to store the ACME account private key
privateKeySecretRef:
name: zerossl-prod
# for each cert-manager new EAB credencials are required
externalAccountBinding:
keyID: DvBIRvg60WXIE9lIg-6g3Q
keySecretRef:
name: zerossl-eab
key: key
# ACME DNS-01 provider configurations to verify domain
solvers:
- selector: {}
dns01:
cloudflare:
email: cloudflare@strudelline.net
apiTokenSecretRef:
name: cloudflare-api-token
key: api-token

16
cert-manager/zerossl-prod-sealed-secret.yaml Normal file
View File

@ -0,0 +1,16 @@
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
creationTimestamp: null
name: zerossl-prod
namespace: cert-manager
spec:
encryptedData:
tls.key: AgC7pjUPZ7ol+gtMApnWy2+NroDpQgRLryj1M1qZbSTDT8vdua4z8zDoXDmi6g1i0VaHg1n6upzwVJ6WqQqlnYqeG+JzRWDeyP2G9aJF2DxvnukQxF15lPCwpKKO3qdQ4jBYPlHuPe3xFT0PLY6wDiTGDBQwHHyialTh5KQtMituYJUueYkfWo5WukMKEr66w0TjsvBY8EhV7cpRCddhtW1KnIpIuewb/bQDqXgbpaXMw4vHmeT+MwSjsIvWoN6dufsL7+IjGCJo0+gFb7P7Od/iwoqhQ5FyWWZWVgVxy07Socxlg0AIvophLaLboODDNZmyZ1NsVbARn9U7HA+PcZn75oY1qWVetDsbudr9esU4f7UxtdwQCb6MkCM/v0eUgizN5ttn0RLJWMlyNFzXYAnFcFg9amnY1UXWLYV+X+jFOifTFJg/S+KVhOWkH+xvkG161citPIyFNf5NEHTHHES04WAe9Onm/BvmWjZAjtQ9SdSkdC/O1uUmEqw4QRzFzQmo+Gm320zKXkku2S4LPgM5TbRB80plF95dWbac80Z4IM2gT7xnaovezLCTvK4F76rCkt6tAd/FZu2Ryo8VSSgbri1DGZ0DwFvG7ZgD7nif7JpO+9M7jIf2g+3osIUHxMhVygjj6fl0w5sYzsTbZCxk1Zdt7/Ifm2QY9Pvoh2R5kRrmZ7z2ho/2go0yhTgJ2t2iORRfQw8oPizUHGOzHfML5F5wQEi9sTAV2BaZLOMIByWU8co904+XcmD5wf2WZf1qyOKFl/HAyOUTboE+B2tzYIPwQmllTtD7Q2V/6QtGiq6GGEhZXrggOIKdrzO9LqE/0e259JELhfFARGfIXMfpfew4rfJfcstt7soBTyMe+kpGQ7tKcyXtQNMK5I+cAdgbMpcMwnOtMqhDolUDLIFdJyIdcooGFElRDs6ito4+Z5bFYp02pnNIcbm5kUAdrKE5YvF633BA6bALdY6u/axqe4aHci+5VBX/If8FBuQnvQVRryXCkRBPRFFN6dynC3NSfRXt4NqUUhfwXgCOyyK+HEbk5KnYNqTWKPaIRBScu0Xq//W/XQm72uDyRHApa72qDxhz4bftdxjPg7s4qc/DtL8BZfeKWGw78Nw49Dp/hDzLt6kdKEkpk6wri1Vx1sVse3rWUlHJ413YKUzk24ayc5HaZ4aQn8eKg6fcjLUqSt7ay17JxRak94woluUosW5WMWxYWiIBgyxqkHy3jogxIbpuchtGMOaetKAsWadepcG0/33RU7aeB0F2DJCRZZCYjYFgqdyIQbYDVjge/oAQ//6GWN+Y+TiseEq1gMOlVlZ+lZx3/fCG5rL3olbmPzC5kOp7M6xi7rcQDSxJL5STDJeb2THqqRhSlyKKpcftwsLNpl+vQoA+/mq9LuidIqHS7qRBd4y+ws8XfPdQdMIee2BSHT/F1qGzwPkV/AmpH3xA9hqpK3QvOwi9749DM3hTsJ7Gz118krlNQaCrElmvOR6EXsFQQMin476zG4G3jNLh4ClM6jX5JGuLsYCTJgX+a0emELvaTlCSJV7uhf/rMLTEHyJ21CE12e31VNr3algsfNcq5mqVoHtP6SlxdTRzNvdOAotiAPZ0sNYH9oqhhAt3IP1pay5VWYgSMLJENsUl/59wJm5V/mrwDtCKMPmen6jaPCRjCmi7Y7J4svdLU1ydP/2QTY29JW4fENA4BBeU5nRVWtPRdzBN87ZfCSrk2/zNGJ4agGkBZpekeABkZa51fims6Udsh2u9mwSCaHGpytyrlSdkgtxW9hrxkeRHrV8k0RlaAkGhC29u268jJEHcepOTCXo8vQy0X0LzEp/JwlEvIq6oJtnSaEldt/rVdXc735n69p1iAnGNY4knm2G4wETzkJzgvYaPRHBtOZffVIbtzMZJL2cnnQ1AtW3L/1Sqc+IBqtxToLk2yibKT7jrLNS0gb23YsaMW68XZmnGCOV89xS2iBDuc0rebeS7rSdZeitB8N/+3Oxtsnnx97BLJ8jgnMjxJEIHpTiPdQZPC7HcmZpUuBPU6fNFAUWb9RpPBP/0i3St1iMz9kxquEvz0z3nRiLFXaVlx2hqAoI0ZdNKNur6WDjddfmnLbC0l7b75NnpSBdVgtKbKoztAZ7y51lICNr5MwTitmkPM55aPHyJeYZsX8GilkWztq0MZuecuUAZmqCy0N5VTNeAGLjUZci10v93rv8F2w/iN0x7FNjxnVeREJtuIt51jkITGT9t/skWM7lwWd32Ao79hJvCyeNwkiGYiiXfmAOuyMH2kNk7DbpuTTjgIplnsZzCTtnhrfi+xdqOldbFkMnpbmkPyGQI2K0ac8KNC6b/DuV6S5QlnuesqMgFSVPzMOtNoBY/oBiYTMIvwPB19Ez8NDeph6Ny+LL4rO2caAHL82lYn9hxuXp/jxpXSilJPIBk7MzfnN34mVqK9rKv9rOFqEemMc+ZLwukhKEpycbZY1+5YtQswEDZ62oHenA659+J7SJb5bQcmT/GwAAiFIsWB8Q6c/7us+5PPgWho/IR4QFLY4ZwrGtm2u//lYcSqQupiJC2lTnFzI0Lf0fH8rnH+xMQZZNRWEqG7Ow+bAPjjXsBYjNAutEsyUHkYBUOsxvLzwL1KZz4osNJNZL3ylAWPyylhfB7BxUv5b2Utq7JWKd6C/rrgTyszdU3ddJOYj+g5FKPyIgmsHJCPoL2EJS6/u+Wm2CRbqvFw5p5mF8sl54bsYJK5BZIZRJn98CRk7AhEKFhpul8wCWrwZSAoR0Ko/Ee8DxinygTPavVGppuMngzOiPpnAiGTjps7Vx40J9jCIdtT4yM8fIqnnXwuxI8GZc63GvC9uURbY16wEwM+yKEB8yGcyaIwNRlvqt+3FAv/88Ea0bz5GPXFspQuDjAYgplvRF0HJPY83VCStzcAk+M5RFkgAoaBlRw
template:
metadata:
creationTimestamp: null
name: zerossl-prod
namespace: cert-manager
type: Opaque

6
wildcard-tls/disable-ns.sh Normal file
View File

@ -0,0 +1,6 @@
#!/bin/bash
kubectl label ns "$1" wildcard-tls.kn8v.com/copy=false --overwrite
echo deleting secret from namespace
kubectl delete -n "$1" secret/wildcard-tls

11
wildcard-tls/enable-ns.sh Normal file
View File

@ -0,0 +1,11 @@
#!/bin/bash
kubectl label ns "$1" wildcard-tls.kn8v.com/copy=true --overwrite
echo -n 'waiting for secret to exist...'
while true;do
kubectl get -n "$1" secret/wildcard-tls > /dev/null 2>&1 && break || echo -n .
sleep 2
done
echo done

15
wildcard-tls/ns-copy-secret-template.yaml Normal file
View File

@ -0,0 +1,15 @@
---
kind: Template
apiVersion: templating.flanksource.com/v1
metadata:
name: copy-wildcard-tls
spec:
source:
apiVersion: v1
kind: Secret
fieldSelector: "metadata.name==wildcard-tls,metadata.namespace==wildcard-tls"
copyToNamespaces:
# selects on the Namespace label
namespaceSelector:
matchLabels:
wildcard-tls.kn8v.com/copy: "true"

4
wildcard-tls/ns.yaml Normal file
View File

@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: wildcard-tls

17
wildcard-tls/wildcard-tls.yaml Normal file
View File

@ -0,0 +1,17 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: wildcard-tls
namespace: wildcard-tls
spec:
secretName: wildcard-tls-root
issuerRef:
name: zerossl
kind: ClusterIssuer
dnsNames:
- strudelline.net
- '*.strudelline.net'
- werts.us
- '*.werts.us'
- kn8v.com
- '*.kn8v.com'