dch-webhooks: Configure SSH cert signer
The *dch-webhooks* tool now provides an operation for hosts to request a signed SSH certificate from the SSH CA. It's primarily useful for unattended deployments like CoreOS Ignition, where hosts do not have any credentials to authenticate with the CA directly.
This commit is contained in:
@@ -44,18 +44,13 @@ spec:
|
||||
- name: dch-webhooks
|
||||
image: git.pyrocufflink.net/containerimages/dch-webhooks
|
||||
env:
|
||||
- name: FIREFLY_URL
|
||||
value: http://firefly-iii.firefly-iii.svc.cluster.local:8080
|
||||
- name: FIREFLY_AUTH_TOKEN
|
||||
value: /run/secrets/du5t1n.me/firefly/firefly.token
|
||||
- name: PAPERLESS_URL
|
||||
value: http://paperless-ngx.paperless-ngx.svc.cluster.local:8000
|
||||
- name: PAPERLESS_AUTH_TOKEN
|
||||
value: /run/secrets/du5t1n.me/paperless/paperless.token
|
||||
- name: UVICORN_HOST
|
||||
value: 0.0.0.0
|
||||
- name: UVICORN_LOG_LEVEL
|
||||
value: debug
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
name: dch-webhooks
|
||||
ports:
|
||||
- name: http
|
||||
containerPort: 8000
|
||||
@@ -74,10 +69,18 @@ spec:
|
||||
securityContext:
|
||||
readOnlyRootFilesystem: true
|
||||
volumeMounts:
|
||||
- mountPath: /run/dch-root-ca.crt
|
||||
name: root-ca
|
||||
subPath: dch-root-ca.crt
|
||||
- mountPath: /run/secrets/du5t1n.me/firefly
|
||||
name: firefly-token
|
||||
- mountPath: /run/secrets/du5t1n.me/paperless
|
||||
name: paperless-token
|
||||
- mountPath: /run/secrets/du5t1n.me/step-ca
|
||||
name: step-ca-password
|
||||
- mountPath: /tmp
|
||||
name: tmp
|
||||
subPath: tmp
|
||||
securityContext:
|
||||
runAsNonRoot: true
|
||||
volumes:
|
||||
@@ -89,3 +92,13 @@ spec:
|
||||
secret:
|
||||
secretName: paperless-token
|
||||
optional: true
|
||||
- name: root-ca
|
||||
configMap:
|
||||
name: dch-root-ca
|
||||
- name: step-ca-password
|
||||
secret:
|
||||
secretName: step-ca-password
|
||||
optional: true
|
||||
- name: tmp
|
||||
emptyDir:
|
||||
medium: Memory
|
||||
|
||||
Reference in New Issue
Block a user