websites: Manage dcow cert via Ingress annotation

Now that the reverse proxy for Internet-facing sites uses TLS passthrough, the certificate for the _darkchestofwonders.us_ Ingress needs to be correct. Since Ingress resources can only use either the default certificate (_*.pyrocufflink.blue_) or a certificate from their same namespace, we have to move the Certificate and its corresponding Secret into the _websites_ namespace. Fortunately, this is easy enoug to do, by setting the appropriate annotations on the Ingress. To keep the existing certificate (until it expires), I moved the Secret manually: ```sh kubectl get secret dcow-cert -o yaml | grep -v namespace | kubectl create -n websites -f - ```
2024-08-24 11:27:37 -05:00 · 2024-08-24 11:27:37 -05:00 · a443929c0c
parent 78afee9abc
commit a443929c0c
3 changed files with 7 additions and 24 deletions
--- a/cert-manager/cert-exporter.yaml
+++ b/cert-manager/cert-exporter.yaml
@ -33,11 +33,6 @@ data:
      key: certificates/tabitha.biz.key
      cert: certificates/tabitha.biz.crt
      bundle: certificates/tabitha.biz.pem
-    - name: dcow-cert
-      namespace: default
-      key: certificates/darkchestofwonders.us.key
-      cert: certificates/darkchestofwonders.us.crt
-      bundle: certificates/darkchestofwonders.us.pem
    - name: chmod777-cert
      namespace: default
      key: certificates/chmod777.sh.key
@ -71,7 +66,6 @@ rules:
  - dustinhatchname-cert
  - hatchchat-cert
  - tabitha-cert
-  - dcow-cert
  - chmod777-cert
  - dustinandtabitha-cert
  - hlc-cert
--- a/cert-manager/certificates.yaml
+++ b/cert-manager/certificates.yaml
@ -71,24 +71,6 @@ spec:
    algorithm: ECDSA
    rotationPolicy: Always

---
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: dcow-cert
-spec:
-  secretName: dcow-cert
-  dnsNames:
-  - darkchestofwonders.us
-  - '*.darkchestofwonders.us'
-  issuerRef:
-    group: cert-manager.io
-    kind: ClusterIssuer
-    name: zerossl
-  privateKey:
-    algorithm: ECDSA
-    rotationPolicy: Always
-
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
--- a/websites/darkchestofwonders.us/ingress.yaml
+++ b/websites/darkchestofwonders.us/ingress.yaml
@ -8,10 +8,17 @@ metadata:
    app.kubernetes.io/component: darkchestofwonders.us
    app.kubernetes.io/part-of: darkchestofwonders.us
  annotations:
+    cert-manager.io/cluster-issuer: zerossl
+    cert-manager.io/private-key-algorithm: ECDSA
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
    nginx.ingress.kubernetes.io/proxy-body-size: 100m
 spec:
  ingressClassName: nginx
+  tls:
+  - hosts:
+    - '*.darkchestofwonders.us'
+    - darkchestofwonders.us
+    secretName: dcow-cert
  rules:
  - host: darkchestofwonders.us
    http: