add wildcard-tls, secret template, zerossl issuer
parent
d5156c033b
commit
2caec3a57a
|
@ -1,22 +1,15 @@
|
|||
{
|
||||
"kind": "SealedSecret",
|
||||
"apiVersion": "bitnami.com/v1alpha1",
|
||||
"metadata": {
|
||||
"name": "cloudflare-api-token",
|
||||
"namespace": "cert-manager",
|
||||
"creationTimestamp": null
|
||||
},
|
||||
"spec": {
|
||||
"template": {
|
||||
"metadata": {
|
||||
"name": "cloudflare-api-token",
|
||||
"namespace": "cert-manager",
|
||||
"creationTimestamp": null
|
||||
},
|
||||
"type": "Opaque"
|
||||
},
|
||||
"encryptedData": {
|
||||
"api-token": "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"
|
||||
}
|
||||
}
|
||||
}
|
||||
kind: SealedSecret
|
||||
apiVersion: bitnami.com/v1alpha1
|
||||
metadata:
|
||||
name: cloudflare-api-token
|
||||
namespace: cert-manager
|
||||
creationTimestamp: null
|
||||
spec:
|
||||
template:
|
||||
metadata:
|
||||
name: cloudflare-api-token
|
||||
namespace: cert-manager
|
||||
creationTimestamp: null
|
||||
type: Opaque
|
||||
encryptedData:
|
||||
api-token: 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
|
||||
|
|
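--- a/cert-manager/zerossl-issuer.yaml
+++ b/cert-manager/zerossl-issuer.yaml
@@ -0,0 +1,31 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+name: zerossl
+spec:
+acme:
+# ZeroSSL ACME server
+server: https://acme.zerossl.com/v2/DV90
+email: zerossl@strudelline.net
+
+# name of a secret used to store the ACME account private key
+privateKeySecretRef:
+name: zerossl-prod
+
+# for each cert-manager new EAB credencials are required
+externalAccountBinding:
+keyID: DvBIRvg60WXIE9lIg-6g3Q
+keySecretRef:
+name: zerossl-eab
+key: key
+
+# ACME DNS-01 provider configurations to verify domain
+solvers:
+- selector: {}
+dns01:
+cloudflare:
+email: cloudflare@strudelline.net
+apiTokenSecretRef:
+name: cloudflare-api-token
+key: api-token
+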
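Review bot: The single solver uses `selector: {}`, so this cluster-wide issuer will attempt a Cloudflare DNS-01 challenge for whatever name any Certificate in any namespace asks for, bounded only by what the `cloudflare-api-token` token is allowed to edit. Pinning the solver to the zones this repository actually serves, e.g. `- selector: {dnsZones: [strudelline.net, werts.us, kn8v.com]}`, and keeping the token scoped to DNS edit on those zones stops a stray Certificate request from reaching further. Separately, `externalAccountBinding.keySecretRef` points at a `zerossl-eab` secret that none of the visible sections of this commit create; if it is provisioned out of band, a comment next to the reference saying so would help.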
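--- a/cert-manager/zerossl-prod-sealed-secret.yaml
+++ b/cert-manager/zerossl-prod-sealed-secret.yaml
@@ -0,0 +1,16 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+creationTimestamp: null
+name: zerossl-prod
+namespace: cert-manager
+spec:
+encryptedData:
+tls.key: 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
+template:
+metadata:
+creationTimestamp: null
+name: zerossl-prod
+namespace: cert-manager
+type: Opaque
+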
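--- a/wildcard-tls/disable-ns.sh
+++ b/wildcard-tls/disable-ns.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+kubectl label ns "$1" wildcard-tls.kn8v.com/copy=false --overwrite
+
+echo deleting secret from namespace
+kubectl delete -n "$1" secret/wildcard-tls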
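Review bot: Neither `kubectl` call guards against a missing argument: with `$1` empty, `-n ""` is likely to fall back to the namespace of the current kubeconfig context, so `kubectl delete` would remove `secret/wildcard-tls` from whatever namespace the operator happens to be in. Opening the script with `set -euo pipefail` and `ns="${1:?usage: disable-ns.sh NAMESPACE}"`, then using `"$ns"` in both commands, stops that; `--ignore-not-found` on the delete keeps a second run from failing. The same missing-argument check applies to `wildcard-tls/enable-ns.sh`. A comment should also state that deletion only removes the copy: key material already read by workloads in that namespace is not revoked.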
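--- a/wildcard-tls/enable-ns.sh
+++ b/wildcard-tls/enable-ns.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+kubectl label ns "$1" wildcard-tls.kn8v.com/copy=true --overwrite
+
+echo -n 'waiting for secret to exist...'
+
+while true;do
+kubectl get -n "$1" secret/wildcard-tls > /dev/null 2>&1 && break || echo -n .
+sleep 2
+done
+echo done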
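Review bot: The wait loop has no upper bound and discards kubectl's output, so a wrong context, an RBAC denial or a template that never matches all look like an endless row of dots. Bounding the wait and printing the real error on timeout makes the failure visible; the loop below does that with the same two-second poll (the 120-second limit is a constructed value). The `cmd && break || echo -n .` form also goes away, which removes the usual `A && B || C` ambiguity.

```shell
# … unchanged: shebang and kubectl label …
echo -n 'waiting for secret to exist...'

deadline=$((SECONDS + 120))
until kubectl get -n "$1" secret/wildcard-tls > /dev/null 2>&1; do
    if (( SECONDS >= deadline )); then
        echo ' timed out' >&2
        # repeat the query without redirection so the actual error is shown
        kubectl get -n "$1" secret/wildcard-tls >&2
        exit 1
    fi
    echo -n .
    sleep 2
done
echo done
```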
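--- a/wildcard-tls/ns-copy-secret-template.yaml
+++ b/wildcard-tls/ns-copy-secret-template.yaml
@@ -0,0 +1,15 @@
+---
+kind: Template
+apiVersion: templating.flanksource.com/v1
+metadata:
+name: copy-wildcard-tls
+spec:
+source:
+apiVersion: v1
+kind: Secret
+fieldSelector: "metadata.name==wildcard-tls,metadata.namespace==wildcard-tls"
+copyToNamespaces:
+# selects on the Namespace label
+namespaceSelector:
+matchLabels:
+wildcard-tls.kn8v.com/copy: "true"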
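Review bot: The `fieldSelector` looks for a Secret named `wildcard-tls` in namespace `wildcard-tls`, but the Certificate added in `wildcard-tls/wildcard-tls.yaml` writes its key pair to `secretName: wildcard-tls-root`, so unless something outside this commit produces a `wildcard-tls` Secret there, this template selects nothing and `enable-ns.sh` never sees the copy. The scripts poll for `secret/wildcard-tls`, so the likelier alignment is `secretName: wildcard-tls` on the Certificate; whether the template renames copies is not visible here. Because the selector is a plain namespace label, anyone allowed to label a namespace receives the wildcard private key. A comment above `namespaceSelector` should say so, and an admission rule restricting who may set `wildcard-tls.kn8v.com/copy` would be worth adding.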
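--- a/wildcard-tls/ns.yaml
+++ b/wildcard-tls/ns.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+name: wildcard-tls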
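--- a/wildcard-tls/wildcard-tls.yaml
+++ b/wildcard-tls/wildcard-tls.yaml
@@ -0,0 +1,17 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+name: wildcard-tls
+namespace: wildcard-tls
+spec:
+secretName: wildcard-tls-root
+issuerRef:
+name: zerossl
+kind: ClusterIssuer
+dnsNames:
+- strudelline.net
+- '*.strudelline.net'
+- werts.us
+- '*.werts.us'
+- kn8v.com
+- '*.kn8v.com'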
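Review bot: One key pair covers three apex domains and their wildcards and, through the copy template in this commit, is meant to be replicated into other namespaces, yet the spec sets nothing about the private key. Adding `privateKey:` with `rotationPolicy: Always` makes each renewal issue a fresh key, so a copy leaked from one namespace stops being useful after the next renewal; on older cert-manager releases the default is to reuse the key. Splitting the certificate per domain would narrow what a single leaked copy exposes, if the consumers allow it.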