step-ca: Add Ingress resource

It turns out, `step ca renew` _can_ renew certificates without mTLS; it has a `--mtls=false` command-line argument that configures it to use a JWT signed by the certificate, instead of using the certificate at the transport layer. This allows clients to renew their certificates without needing another authentication mechanism, even with the TLS-terminating proxy.
2024-07-27 13:07:26 -05:00 · 2024-07-27 13:07:26 -05:00 · a26857819a
parent 079c3871b9
commit a26857819a
1 changed files with 25 additions and 0 deletions
--- a/step-ca/ingress.yaml
+++ b/step-ca/ingress.yaml
@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: step-ca
+  labels:
+    app.kubernetes.io/name: step-ca
+    app.kubernetes.io/component: step-ca
+    app.kubernetes.io/part-of: step-ca
+  annotations:
+    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
+    nginx.ingress.kubernetes.io/configuration-snippet: |
+      proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: ca.pyrocufflink.blue
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: step-ca
+            port:
+              name: step-ca