From a26857819ac9c304e72a2661730a93380347dfa1 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Sat, 27 Jul 2024 13:07:26 -0500
Subject: [PATCH] step-ca: Add Ingress resource
It turns out, `step ca renew` _can_ renew certificates without mTLS; it has a `--mtls=false` command-line argument that configures it to use a JWT signed by the certificate, instead of using the certificate at the transport layer. This allows clients to renew their certificates without needing another authentication mechanism, even with the TLS-terminating proxy.
---
 step-ca/ingress.yaml | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 step-ca/ingress.yaml
diff --git a/step-ca/ingress.yaml b/step-ca/ingress.yaml
new file mode 100644
index 0000000..9355a7b
--- /dev/null
+++ b/step-ca/ingress.yaml
@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: step-ca
+ labels:
+ app.kubernetes.io/name: step-ca
+ app.kubernetes.io/component: step-ca
+ app.kubernetes.io/part-of: step-ca
+ annotations:
+ nginx.ingress.kubernetes.io/backend-protocol: HTTPS
+ nginx.ingress.kubernetes.io/configuration-snippet: |
+ proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+spec:
+ ingressClassName: nginx
+ rules:
+ - host: ca.pyrocufflink.blue
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: step-ca
+ port:
+ name: step-ca
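Review bot: The `configuration-snippet` annotation enables TLSv1 and TLSv1.1 on the proxy-to-backend hop, which re-enables deprecated protocol versions that a Go-based server like step-ca is unlikely to negotiate anyway; `proxy_ssl_protocols TLSv1.2 TLSv1.3;` is sufficient. Since that is the only directive in the snippet, the supported `nginx.ingress.kubernetes.io/proxy-ssl-protocols: "TLSv1.2 TLSv1.3"` annotation would express the same thing without depending on snippet annotations being allowed on the controller. Nothing in the annotations turns on verification of the backend certificate, so the proxy presumably accepts whatever certificate the `step-ca` service presents; if the CA's root is available as a Secret, `nginx.ingress.kubernetes.io/proxy-ssl-secret` together with `nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"` closes that gap. The spec also has no `tls` section for `ca.pyrocufflink.blue`, so unless a default certificate and HTTPS redirect are configured elsewhere on the controller, the renewal JWTs described in the commit message can reach the ingress over plain HTTP.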