cert-manager: Install cert-manager

*cert-manager* manages certificates. More specifically, it is an ACME client, which generates certificate-signing requests, submits them to a certificate authority, and stores the signed certificate in Kubernetes secrets. The certificates it manages are defined by Kubernetes Custom Resources, either defined manually or automatically for Ingress resources with particular annotations. The *cert-manager* deployment consists primarily of two services: *cert-manager* itself, which monitors Kubernetes resources and manages certificate requests, and the *cert-manager-webhook*, which validates Kubernetes resources for *cert-manager*. There is also a third component, *cainjector*, we do not need it. The primary configuration for *cert-manager* is done through Issuer and ClusterIssuer resources. These define how certificates are issued: the certificate authority to use and how to handle ACME challenges. For our purposes, we will be using ZeroSSL to issue certificates, verified via the DNS.01 challenge through BIND running on the gateway firewall.
2023-04-23 15:54:30 -05:00 · 2023-04-23 15:54:30 -05:00 · 5e251153c7
parent 4952e6f278
commit 5e251153c7
4 changed files with 5578 additions and 0 deletions
--- a/cert-manager/.gitignore
+++ b/cert-manager/.gitignore
@ -0,0 +1,2 @@
+cert-manager.key
+zerossl.secret
--- a/cert-manager/cert-manager.yaml
+++ b/cert-manager/cert-manager.yaml
--- a/cert-manager/cluster-issuer.yaml
+++ b/cert-manager/cluster-issuer.yaml
@ -0,0 +1,26 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: zerossl
+spec:
+  acme:
+    server: https://acme.zerossl.com/v2/DV90
+    email: zerossl@dustinhatch.me
+    externalAccountBinding:
+      keyID: f06nxtk433oeVdcaDLp9Iw
+      keySecretRef:
+        name: zerossl-eab
+        key: secret
+    privateKeySecretRef:
+      name: zerossl-prod
+
+    solvers:
+    - dns01:
+        cnameStrategy: Follow
+        rfc2136:
+          nameserver: 172.30.0.1
+          tsigKeyName: cert-manager
+          tsigAlgorithm: HMACSHA512
+          tsigSecretSecretRef:
+            name: cert-manager-tsig
+            key: cert-manager.key
--- a/cert-manager/kustomization.yaml
+++ b/cert-manager/kustomization.yaml
@ -0,0 +1,21 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- cert-manager.yaml
+- cluster-issuer.yaml
+
+secretGenerator:
+- name: cert-manager-tsig
+  namespace: cert-manager
+  files:
+  - cert-manager.key
+  options:
+    disableNameSuffixHash: true
+
+- name: zerossl-eab
+  namespace: cert-manager
+  envs:
+  - zerossl.secret
+  options:
+    disableNameSuffixHash: true