cert-manager: Configure ACME DNS.01 for dch-ca
Since transitioning to externalIPs for TCP services, it is no longer possible to use the HTTP.01 ACME challenge to issue certificates for services hosted in the cluster, because the ingress controller does not listen on those addresses. Thus, we have to switch to using the DNS.01 challenge. I had avoided using it before because of the complexity of managing dynamic DNS records with the Samba AD server, but this was actually pretty to work around. I created a new DNS zone on the firewall specifically for ACME challenges. Names in the AD-managed zone have CNAME records for their corresponding *_acme-challenge* labels pointing to this new zone. The new zone has dynamic updates enabled, which _cert-manager_ supports using the RFC2136 plugin. For now, this is only enabled for _rabbitmq.pyrocufflink.blue_. I will transition the other names soon.
This commit is contained in:
@@ -12,6 +12,18 @@ spec:
|
|||||||
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJ4RENDQVdxZ0F3SUJBZ0lVYkh6MnRzc2EwOXpzSGsrRWRHRDNRS3ByTUtRd0NnWUlLb1pJemowRUF3UXcKUURFTE1Ba0dBMVVFQmhNQ1ZWTXhHREFXQmdOVkJBb01EMFIxYzNScGJpQkRMaUJJWVhSamFERVhNQlVHQTFVRQpBd3dPUkVOSUlGSnZiM1FnUTBFZ1VqSXdIaGNOTWpNd09USTBNakExTXpBNVdoY05ORE13T1RFNU1qQTFNekE1CldqQkFNUXN3Q1FZRFZRUUdFd0pWVXpFWU1CWUdBMVVFQ2d3UFJIVnpkR2x1SUVNdUlFaGhkR05vTVJjd0ZRWUQKVlFRRERBNUVRMGdnVW05dmRDQkRRU0JTTWpCWk1CTUdCeXFHU000OUFnRUdDQ3FHU000OUF3RUhBMElBQkUyRApOSkhSY2p1QTE5Wm9wckJLYXhJZlV4QWJ6NkxpZ003ZGd0TzYraXNhTWx4UkFWSm1zSVRBRElFLzIyUnJVRGdECk9ma3QyaVpUVWpNcnozQXhYaFdqUWpCQU1CMEdBMVVkRGdRV0JCVE0rZDhrYjFrb0dtS1J0SnM0Z045ellhKzYKb1RBU0JnTlZIUk1CQWY4RUNEQUdBUUgvQWdFQk1Bc0dBMVVkRHdRRUF3SUJCakFLQmdncWhrak9QUVFEQkFOSQpBREJGQWlFQTJLYThtTWlBRkxtckZXdDBkQW1sMjQ3cmUyK2k0VVBoeUhjT0JmTksrZ29DSUh2K3ZFdzdDSFpRCmlySWE2OTduZmU0S2lYSU13SGxBTVMxKzFRWm9oRkRDCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
|
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJ4RENDQVdxZ0F3SUJBZ0lVYkh6MnRzc2EwOXpzSGsrRWRHRDNRS3ByTUtRd0NnWUlLb1pJemowRUF3UXcKUURFTE1Ba0dBMVVFQmhNQ1ZWTXhHREFXQmdOVkJBb01EMFIxYzNScGJpQkRMaUJJWVhSamFERVhNQlVHQTFVRQpBd3dPUkVOSUlGSnZiM1FnUTBFZ1VqSXdIaGNOTWpNd09USTBNakExTXpBNVdoY05ORE13T1RFNU1qQTFNekE1CldqQkFNUXN3Q1FZRFZRUUdFd0pWVXpFWU1CWUdBMVVFQ2d3UFJIVnpkR2x1SUVNdUlFaGhkR05vTVJjd0ZRWUQKVlFRRERBNUVRMGdnVW05dmRDQkRRU0JTTWpCWk1CTUdCeXFHU000OUFnRUdDQ3FHU000OUF3RUhBMElBQkUyRApOSkhSY2p1QTE5Wm9wckJLYXhJZlV4QWJ6NkxpZ003ZGd0TzYraXNhTWx4UkFWSm1zSVRBRElFLzIyUnJVRGdECk9ma3QyaVpUVWpNcnozQXhYaFdqUWpCQU1CMEdBMVVkRGdRV0JCVE0rZDhrYjFrb0dtS1J0SnM0Z045ellhKzYKb1RBU0JnTlZIUk1CQWY4RUNEQUdBUUgvQWdFQk1Bc0dBMVVkRHdRRUF3SUJCakFLQmdncWhrak9QUVFEQkFOSQpBREJGQWlFQTJLYThtTWlBRkxtckZXdDBkQW1sMjQ3cmUyK2k0VVBoeUhjT0JmTksrZ29DSUh2K3ZFdzdDSFpRCmlySWE2OTduZmU0S2lYSU13SGxBTVMxKzFRWm9oRkRDCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
|
||||||
|
|
||||||
solvers:
|
solvers:
|
||||||
|
- dns01:
|
||||||
|
cnameStrategy: Follow
|
||||||
|
rfc2136:
|
||||||
|
nameserver: 172.30.0.1
|
||||||
|
tsigSecretSecretRef:
|
||||||
|
name: pyrocufflink-tsig
|
||||||
|
key: cert-manager.tsig.key
|
||||||
|
tsigKeyName: cert-manager
|
||||||
|
tsigAlgorithm: HMACSHA512
|
||||||
|
selector:
|
||||||
|
dnsNames:
|
||||||
|
- rabbitmq.pyrocufflink.blue
|
||||||
- http01:
|
- http01:
|
||||||
ingress:
|
ingress:
|
||||||
ingressClassName: nginx
|
ingressClassName: nginx
|
||||||
|
|||||||
@@ -7,6 +7,7 @@ resources:
|
|||||||
- certificates.yaml
|
- certificates.yaml
|
||||||
- cert-exporter.yaml
|
- cert-exporter.yaml
|
||||||
- dch-ca-issuer.yaml
|
- dch-ca-issuer.yaml
|
||||||
|
- secrets.yaml
|
||||||
|
|
||||||
configMapGenerator:
|
configMapGenerator:
|
||||||
- name: cert-exporter
|
- name: cert-exporter
|
||||||
|
|||||||
13
cert-manager/secrets.yaml
Normal file
13
cert-manager/secrets.yaml
Normal file
@@ -0,0 +1,13 @@
|
|||||||
|
---
|
||||||
|
apiVersion: bitnami.com/v1alpha1
|
||||||
|
kind: SealedSecret
|
||||||
|
metadata:
|
||||||
|
name: pyrocufflink-tsig
|
||||||
|
namespace: cert-manager
|
||||||
|
spec:
|
||||||
|
encryptedData:
|
||||||
|
cert-manager.tsig.key: AgAf1dVezJ0ytOdGI5rzCJ35rAVpY114pQJgIzqAKsKkRVE6kwWXjoFj94ZgDsjpOedAp1zdNB1UQnu0n10ayuz/NUYb74wkXcu0RRy6Ve06SJjI01f7lHP2/a4cnW+0et/Xzin0RQ/3hHmZUk5aCwV/FCLs0D5LdFixHf+sbMCzhyIYrQ64x0YH9YqBTRgXkEx94+PUuxi9ZyLuKiepd/K4UF+L5rF2zWt9DVKOmdbilzd5RqdQSgEyoOOpmcbDKHm1s17KHWSJb44rvxj7vg2fmXXwEvEW5SiQdrhmywOcqqhXEbE1ZEvBrVt3GgrjZHeTyL0Gx4jugiqSR/WulY7ak4+ZkDF80OS5RzciYeVMDdNxst48Xdkc2F7E93GGWCeIN5gig0oCFcB18BRF3aO4AB+fqh0IWBSiBCGinbjvX684TF9BGPuKMj01ORW3fFnRfbeE4gYTrdBKFi1ltG6VxJ6X9i5ztLIQBcH48btf7uMjQsC79GPq35CCWBprqnNBvi81lJtGVaVqY6hNIvyQIO+fEReMk/Mp0N+KxWlWVY/vK+ck2KWkgXaui3xkM4jbB6RiXWZXrUW4y+XyDs+sTziwYRRz03MU9NC58do9MBnOeM+fJqioMyQq81/mXKtcxIsvJadJ7WsYQKdqa/gVE5D/ybJ2qrtbEQqgCXnyowIIIOVvvWilhzh/zjQgtRiLHlsbLmvRX5aZm1Z048CMDFPh8CxcHlVwz7FUviJzbNoqENh1PE6HhKwFqpGxtjjR6X3LEi8iLvLNg05EUzLNJD1+SCi0imhQPGesJZtr/h1xqI9utB4NjA==
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
name: pyrocufflink-tsig
|
||||||
|
namespace: cert-manager
|
||||||
Reference in New Issue
Block a user