From 2a0fdc07dfe9cb2841ec28674abead33c9ae3e3a Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Mon, 11 Aug 2025 08:59:57 -0500
Subject: [PATCH 1/3] cert-manager: Drop dustinandtabitha.com certificate

This site now obtains its own certificate using Apache _mod_md_.
---
 cert-manager/cert-exporter.config.yml | 5 -----
 cert-manager/cert-exporter.yaml | 1 -
 cert-manager/certificates.yaml | 20 --------------------
 cert-manager/jenkins.yaml | 1 -
 4 files changed, 27 deletions(-)

diff --git a/cert-manager/cert-exporter.config.yml b/cert-manager/cert-exporter.config.yml
index 078ac6c..677f993 100644
--- a/cert-manager/cert-exporter.config.yml
+++ b/cert-manager/cert-exporter.config.yml
@@ -5,11 +5,6 @@ certs:
   key: certificates/_.pyrocufflink.net.key
   cert: certificates/_.pyrocufflink.net.crt
   bundle: certificates/_.pyrocufflink.net.pem
-- name: dustinandtabitha-cert
-  namespace: default
-  key: certificates/dustinandtabitha.com.key
-  cert: certificates/dustinandtabitha.com.crt
-  bundle: certificates/dustinandtabitha.com.pem
 - name: hlc-cert
   namespace: default
   key: certificates/hatchlearningcenter.org.key
diff --git a/cert-manager/cert-exporter.yaml b/cert-manager/cert-exporter.yaml
index b8c2203..0acdf9d 100644
--- a/cert-manager/cert-exporter.yaml
+++ b/cert-manager/cert-exporter.yaml
@@ -18,7 +18,6 @@ rules:
   - get
   resourceNames:
   - pyrocufflink-cert
-  - dustinandtabitha-cert
   - hlc-cert
 
 ---
diff --git a/cert-manager/certificates.yaml b/cert-manager/certificates.yaml
index 794adaa..9080a99 100644
--- a/cert-manager/certificates.yaml
+++ b/cert-manager/certificates.yaml
@@ -17,26 +17,6 @@ spec:
     algorithm: ECDSA
     rotationPolicy: Always
 
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: dustinandtabitha-cert
-spec:
-  secretName: dustinandtabitha-cert
-  dnsNames:
-  - dustinandtabitha.com
-  - '*.dustinandtabitha.com'
-  - dustinandtabitha.xyz
-  - '*.dustinandtabitha.xyz'
-  issuerRef:
-    group: cert-manager.io
-    kind: ClusterIssuer
-    name: zerossl
-  privateKey:
-    algorithm: ECDSA
-    rotationPolicy: Always
-
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
diff --git a/cert-manager/jenkins.yaml b/cert-manager/jenkins.yaml
index 790ccaf..16c941d 100644
--- a/cert-manager/jenkins.yaml
+++ b/cert-manager/jenkins.yaml
@@ -11,7 +11,6 @@ rules:
   - get
   resourceNames:
   - pyrocufflink-cert
-  - dustinandtabitha-cert
   - hlc-cert
 
 ---
From b068a260e7b7007f94f935b3a0003a977c42aed8 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Sun, 7 Sep 2025 10:30:20 -0500
Subject: [PATCH 2/3] cert-manager: Drop HLC certificate

This site now obtains its own certificate using Apache _mod_md_.
---
 cert-manager/cert-exporter.config.yml | 5 -----
 cert-manager/cert-exporter.yaml | 1 -
 cert-manager/certificates.yaml | 28 ----------------------------
 cert-manager/jenkins.yaml | 1 -
 4 files changed, 35 deletions(-)

diff --git a/cert-manager/cert-exporter.config.yml b/cert-manager/cert-exporter.config.yml
index 677f993..410630f 100644
--- a/cert-manager/cert-exporter.config.yml
+++ b/cert-manager/cert-exporter.config.yml
@@ -5,8 +5,3 @@ certs:
   key: certificates/_.pyrocufflink.net.key
   cert: certificates/_.pyrocufflink.net.crt
   bundle: certificates/_.pyrocufflink.net.pem
-- name: hlc-cert
-  namespace: default
-  key: certificates/hatchlearningcenter.org.key
-  cert: certificates/hatchlearningcenter.org.crt
-  bundle: certificates/hatchlearningcenter.org.pem
diff --git a/cert-manager/cert-exporter.yaml b/cert-manager/cert-exporter.yaml
index 0acdf9d..09697b4 100644
--- a/cert-manager/cert-exporter.yaml
+++ b/cert-manager/cert-exporter.yaml
@@ -18,7 +18,6 @@ rules:
   - get
   resourceNames:
   - pyrocufflink-cert
-  - hlc-cert
 
 ---
 apiVersion: rbac.authorization.k8s.io/v1
diff --git a/cert-manager/certificates.yaml b/cert-manager/certificates.yaml
index 9080a99..188f239 100644
--- a/cert-manager/certificates.yaml
+++ b/cert-manager/certificates.yaml
@@ -16,31 +16,3 @@ spec:
   privateKey:
     algorithm: ECDSA
     rotationPolicy: Always
-
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: hlc-cert
-spec:
-  secretName: hlc-cert
-  dnsNames:
-  - hatchlearningcenter.org
-  - '*.hatchlearningcenter.org'
-  - hatchlearningcenter.com
-  - '*.hatchlearningcenter.com'
-  - hlckc.org
-  - '*.hlckc.org'
-  - hlckc.com
-  - '*.hlckc.com'
-  - hlcks.org
-  - '*.hlcks.org'
-  - hlcks.com
-  - '*.hlcks.com'
-  issuerRef:
-    group: cert-manager.io
-    kind: ClusterIssuer
-    name: zerossl
-  privateKey:
-    algorithm: ECDSA
-    rotationPolicy: Always
diff --git a/cert-manager/jenkins.yaml b/cert-manager/jenkins.yaml
index 16c941d..ce145c0 100644
--- a/cert-manager/jenkins.yaml
+++ b/cert-manager/jenkins.yaml
@@ -11,7 +11,6 @@ rules:
   - get
   resourceNames:
   - pyrocufflink-cert
-  - hlc-cert
 
 ---
 apiVersion: rbac.authorization.k8s.io/v1
From a02dfa1dfc607a8ba9157603e2311a7aae857910 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Sun, 7 Sep 2025 10:31:36 -0500
Subject: [PATCH 3/3] cert-manager: Decommission cert-exporter

The `cert-exporter` is no longer needed. All websites manage their own certificates with _mod_md_ now, and all internal applications that use the wildcard certificate fetch it directly from the Kubernetes Secret.
---
 cert-manager/cert-exporter.config.yml | 7 ---
 cert-manager/cert-exporter.yaml | 76 --------
 cert-manager/kustomization.yaml | 15 ------
 3 files changed, 98 deletions(-)
 delete mode 100644 cert-manager/cert-exporter.config.yml
 delete mode 100644 cert-manager/cert-exporter.yaml
diff --git a/cert-manager/cert-exporter.config.yml b/cert-manager/cert-exporter.config.yml
deleted file mode 100644
index 410630f..0000000
--- a/cert-manager/cert-exporter.config.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-git_repo: gitea@git.pyrocufflink.blue:dustin/certs.git
-certs:
-- name: pyrocufflink-cert
-  namespace: default
-  key: certificates/_.pyrocufflink.net.key
-  cert: certificates/_.pyrocufflink.net.crt
-  bundle: certificates/_.pyrocufflink.net.pem
diff --git a/cert-manager/cert-exporter.yaml b/cert-manager/cert-exporter.yaml
deleted file mode 100644
index 09697b4..0000000
--- a/cert-manager/cert-exporter.yaml
+++ /dev/null
@@ -1,76 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: cert-exporter
-  namespace: cert-manager
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: cert-exporter
-rules:
-- apiGroups:
-  - ''
-  resources:
-  - secrets
-  verbs:
-  - get
-  resourceNames:
-  - pyrocufflink-cert
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: cert-exporter
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: cert-exporter
-subjects:
-- kind: ServiceAccount
-  name: cert-exporter
-  namespace: cert-manager
-
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
-  name: cert-exporter
-  namespace: cert-manager
-spec:
-  timeZone: America/Chicago
-  schedule: '27 9,20 * * *'
-  jobTemplate: &jobtemplate
-    spec:
-      template:
-        spec:
-          containers:
-          - image: git.pyrocufflink.net/containerimages/cert-exporter
-            name: cert-exporter
-            volumeMounts:
-            - mountPath: /etc/cert-exporter/config.yml
-              name: config
-              subPath: config.yml
-              readOnly: true
-            - mountPath: /home/cert-exporter/.ssh/id_ed25519
-              name: sshkeys
-              subPath: cert-exporter.pem
-              readOnly: true
-            - mountPath: /etc/ssh/ssh_known_hosts
-              name: sshkeys
-              subPath: ssh_known_hosts
-              readOnly: true
-          securityContext:
-            fsGroup: 1000
-          serviceAccount: cert-exporter
-          volumes:
-          - name: config
-            configMap:
-              name: cert-exporter
-          - name: sshkeys
-            secret:
-              secretName: cert-exporter-sshkey
-              defaultMode: 00440
-          restartPolicy: Never
diff --git a/cert-manager/kustomization.yaml b/cert-manager/kustomization.yaml
index 63f5100..dfeeddc 100644
--- a/cert-manager/kustomization.yaml
+++ b/cert-manager/kustomization.yaml
@@ -5,19 +5,10 @@ resources:
 - https://github.com/cert-manager/cert-manager/releases/download/v1.16.4/cert-manager.yaml
 - cluster-issuer.yaml
 - certificates.yaml
-- cert-exporter.yaml
 - dch-ca-issuer.yaml
 - secrets.yaml
 - jenkins.yaml
 
-configMapGenerator:
-- name: cert-exporter
-  namespace: cert-manager
-  files:
-  - config.yml=cert-exporter.config.yml
-  options:
-    disableNameSuffixHash: True
-
 secretGenerator:
 - name: zerossl-eab
   namespace: cert-manager
@@ -26,12 +17,6 @@ secretGenerator:
   options:
     disableNameSuffixHash: true
 
-- name: cert-exporter-sshkey
-  namespace: cert-manager
-  files:
-  - cert-exporter.pem
-  - ssh_known_hosts
-
 - name: cloudflare
   namespace: cert-manager
   files: