cert-manager: Add cert-exporter CronJob

The `cert-exporter` tool fetches certificates from Kubernetes Secret resources and commits them to a Git repository. This allows certificates managed by *cert-manager* to be used outside the Kubernetes cluster, e.g. for services running on other virtual machines.
2023-04-23 15:55:22 -05:00 · 2023-04-23 15:55:22 -05:00 · 7a27855e51
parent e3d9fc2489
commit 7a27855e51
3 changed files with 103 additions and 0 deletions
--- a/cert-manager/.gitignore
+++ b/cert-manager/.gitignore
@ -1,2 +1,3 @@
+cert-exporter.pem
 cert-manager.key
 zerossl.secret
--- a/cert-manager/cert-exporter.yaml
+++ b/cert-manager/cert-exporter.yaml
@ -0,0 +1,94 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cert-exporter
+  namespace: cert-manager
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: cert-exporter
+  namespace: cert-manager
+data:
+  config.yml: |
+    git_repo: gitea@git.pyrocufflink.blue:dustin/certs.git
+    certs:
+    - name: pyrocufflink-cert
+      namespace: default
+      key: certificates/_.pyrocufflink.net.key
+      cert: certificates/_.pyrocufflink.net.crt
+      bundle: certificates/_.pyrocufflink.net.pem
+  known-hosts-command.ssh_config: |
+    KnownHostsCommand /usr/bin/curl -fsL https://files.pyrocufflink.blue/ssh_known_hosts
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: cert-exporter
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - secrets
+  verbs:
+  - get
+  resourceNames:
+  - pyrocufflink-cert
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: cert-exporter
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: cert-exporter
+subjects:
+- kind: ServiceAccount
+  name: cert-exporter
+  namespace: cert-manager
+
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: cert-exporter
+  namespace: cert-manager
+spec:
+  timeZone: America/Chicago
+  schedule: '27 20 * * *'
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+          - image: git.pyrocufflink.net/containerimages/cert-exporter
+            name: cert-exporter
+            volumeMounts:
+            - mountPath: /etc/cert-exporter/config.yml
+              name: config
+              subPath: config.yml
+              readOnly: true
+            - mountPath: /home/cert-exporter/.ssh/id_ed25519
+              name: sshkeys
+              subPath: cert-exporter.pem
+              readOnly: true
+            - mountPath: /etc/ssh/ssh_config.d/known-hosts-command.conf
+              name: config
+              subPath: known-hosts-command.ssh_config
+              readOnly: true
+          securityContext:
+            fsGroup: 1000
+          serviceAccount: cert-exporter
+          volumes:
+          - name: config
+            configMap:
+              name: cert-exporter
+          - name: sshkeys
+            secret:
+              secretName: cert-exporter-sshkey
+              defaultMode: 00440
+          restartPolicy: Never
--- a/cert-manager/kustomization.yaml
+++ b/cert-manager/kustomization.yaml
@ -5,6 +5,7 @@ resources:
 - cert-manager.yaml
 - cluster-issuer.yaml
 - certificates.yaml
+- cert-exporter.yaml

 secretGenerator:
 - name: cert-manager-tsig
@ -20,3 +21,10 @@ secretGenerator:
  - zerossl.secret
  options:
    disableNameSuffixHash: true
+
+- name: cert-exporter-sshkey
+  namespace: cert-manager
+  files:
+  - cert-exporter.pem
+  options:
+    disableNameSuffixHash: true