cert-manager: Configure ACME DNS.01 for dch-ca
Since transitioning to externalIPs for TCP services, it is no longer possible to use the HTTP.01 ACME challenge to issue certificates for services hosted in the cluster, because the ingress controller does not listen on those addresses. Thus, we have to switch to using the DNS.01 challenge. I had avoided using it before because of the complexity of managing dynamic DNS records with the Samba AD server, but this was actually pretty to work around. I created a new DNS zone on the firewall specifically for ACME challenges. Names in the AD-managed zone have CNAME records for their corresponding *_acme-challenge* labels pointing to this new zone. The new zone has dynamic updates enabled, which _cert-manager_ supports using the RFC2136 plugin. For now, this is only enabled for _rabbitmq.pyrocufflink.blue_. I will transition the other names soon.pull/38/head
parent
4243823ba5
commit
2b6830f131
|
|
@ -12,6 +12,18 @@ spec:
|
|||
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJ4RENDQVdxZ0F3SUJBZ0lVYkh6MnRzc2EwOXpzSGsrRWRHRDNRS3ByTUtRd0NnWUlLb1pJemowRUF3UXcKUURFTE1Ba0dBMVVFQmhNQ1ZWTXhHREFXQmdOVkJBb01EMFIxYzNScGJpQkRMaUJJWVhSamFERVhNQlVHQTFVRQpBd3dPUkVOSUlGSnZiM1FnUTBFZ1VqSXdIaGNOTWpNd09USTBNakExTXpBNVdoY05ORE13T1RFNU1qQTFNekE1CldqQkFNUXN3Q1FZRFZRUUdFd0pWVXpFWU1CWUdBMVVFQ2d3UFJIVnpkR2x1SUVNdUlFaGhkR05vTVJjd0ZRWUQKVlFRRERBNUVRMGdnVW05dmRDQkRRU0JTTWpCWk1CTUdCeXFHU000OUFnRUdDQ3FHU000OUF3RUhBMElBQkUyRApOSkhSY2p1QTE5Wm9wckJLYXhJZlV4QWJ6NkxpZ003ZGd0TzYraXNhTWx4UkFWSm1zSVRBRElFLzIyUnJVRGdECk9ma3QyaVpUVWpNcnozQXhYaFdqUWpCQU1CMEdBMVVkRGdRV0JCVE0rZDhrYjFrb0dtS1J0SnM0Z045ellhKzYKb1RBU0JnTlZIUk1CQWY4RUNEQUdBUUgvQWdFQk1Bc0dBMVVkRHdRRUF3SUJCakFLQmdncWhrak9QUVFEQkFOSQpBREJGQWlFQTJLYThtTWlBRkxtckZXdDBkQW1sMjQ3cmUyK2k0VVBoeUhjT0JmTksrZ29DSUh2K3ZFdzdDSFpRCmlySWE2OTduZmU0S2lYSU13SGxBTVMxKzFRWm9oRkRDCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
|
||||
|
||||
solvers:
|
||||
- dns01:
|
||||
cnameStrategy: Follow
|
||||
rfc2136:
|
||||
nameserver: 172.30.0.1
|
||||
tsigSecretSecretRef:
|
||||
name: pyrocufflink-tsig
|
||||
key: cert-manager.tsig.key
|
||||
tsigKeyName: cert-manager
|
||||
tsigAlgorithm: HMACSHA512
|
||||
selector:
|
||||
dnsNames:
|
||||
- rabbitmq.pyrocufflink.blue
|
||||
- http01:
|
||||
ingress:
|
||||
ingressClassName: nginx
|
||||
|
|
|
|||
|
|
@ -7,6 +7,7 @@ resources:
|
|||
- certificates.yaml
|
||||
- cert-exporter.yaml
|
||||
- dch-ca-issuer.yaml
|
||||
- secrets.yaml
|
||||
|
||||
configMapGenerator:
|
||||
- name: cert-exporter
|
||||
|
|
|
|||
|
|
@ -0,0 +1,13 @@
|
|||
---
|
||||
apiVersion: bitnami.com/v1alpha1
|
||||
kind: SealedSecret
|
||||
metadata:
|
||||
name: pyrocufflink-tsig
|
||||
namespace: cert-manager
|
||||
spec:
|
||||
encryptedData:
|
||||
cert-manager.tsig.key: AgAf1dVezJ0ytOdGI5rzCJ35rAVpY114pQJgIzqAKsKkRVE6kwWXjoFj94ZgDsjpOedAp1zdNB1UQnu0n10ayuz/NUYb74wkXcu0RRy6Ve06SJjI01f7lHP2/a4cnW+0et/Xzin0RQ/3hHmZUk5aCwV/FCLs0D5LdFixHf+sbMCzhyIYrQ64x0YH9YqBTRgXkEx94+PUuxi9ZyLuKiepd/K4UF+L5rF2zWt9DVKOmdbilzd5RqdQSgEyoOOpmcbDKHm1s17KHWSJb44rvxj7vg2fmXXwEvEW5SiQdrhmywOcqqhXEbE1ZEvBrVt3GgrjZHeTyL0Gx4jugiqSR/WulY7ak4+ZkDF80OS5RzciYeVMDdNxst48Xdkc2F7E93GGWCeIN5gig0oCFcB18BRF3aO4AB+fqh0IWBSiBCGinbjvX684TF9BGPuKMj01ORW3fFnRfbeE4gYTrdBKFi1ltG6VxJ6X9i5ztLIQBcH48btf7uMjQsC79GPq35CCWBprqnNBvi81lJtGVaVqY6hNIvyQIO+fEReMk/Mp0N+KxWlWVY/vK+ck2KWkgXaui3xkM4jbB6RiXWZXrUW4y+XyDs+sTziwYRRz03MU9NC58do9MBnOeM+fJqioMyQq81/mXKtcxIsvJadJ7WsYQKdqa/gVE5D/ybJ2qrtbEQqgCXnyowIIIOVvvWilhzh/zjQgtRiLHlsbLmvRX5aZm1Z048CMDFPh8CxcHlVwz7FUviJzbNoqENh1PE6HhKwFqpGxtjjR6X3LEi8iLvLNg05EUzLNJD1+SCi0imhQPGesJZtr/h1xqI9utB4NjA==
|
||||
template:
|
||||
metadata:
|
||||
name: pyrocufflink-tsig
|
||||
namespace: cert-manager
|
||||
Loading…
Reference in New Issue