cert-manager: cert-exporter: Static SSH host keys

The *cert-exporter* script really only needs the SSH host key for Gitea, so the dynamic host key fetch is overkill. Since it frequently breaks for various reasons, it's probably better to just have a static list of trusted keys.
2024-01-04 15:35:00 -06:00
parent 98cdcdfe30
commit fbf2a6864f
3 changed files with 10 additions and 7 deletions
--- a/cert-manager/cert-exporter.yaml
+++ b/cert-manager/cert-exporter.yaml
@@ -53,8 +53,6 @@ data:
      key: certificates/hatchlearningcenter.org.key
      cert: certificates/hatchlearningcenter.org.crt
      bundle: certificates/hatchlearningcenter.org.pem
-  known-hosts-command.ssh_config: |
-    KnownHostsCommand /usr/bin/curl -fsL https://files.pyrocufflink.blue/ssh_known_hosts

 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -117,9 +115,9 @@ spec:
              name: sshkeys
              subPath: cert-exporter.pem
              readOnly: true
-            - mountPath: /etc/ssh/ssh_config.d/known-hosts-command.conf
-              name: config
-              subPath: known-hosts-command.ssh_config
+            - mountPath: /etc/ssh/ssh_known_hosts
+              name: sshkeys
+              subPath: ssh_known_hosts
              readOnly: true
          securityContext:
            fsGroup: 1000
--- a/cert-manager/kustomization.yaml
+++ b/cert-manager/kustomization.yaml
@@ -26,8 +26,7 @@ secretGenerator:
  namespace: cert-manager
  files:
  - cert-exporter.pem
-  options:
-    disableNameSuffixHash: true
+  - ssh_known_hosts

 - name: acme-dns
  namespace: cert-manager
--- a/cert-manager/ssh_known_hosts
+++ b/cert-manager/ssh_known_hosts
@@ -0,0 +1,6 @@
+git.pyrocufflink.blue ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJPLXOT4j+jYAIGfuGbtG8ea3oBZwtvOEYNzUHpsQBF9VO9E9nTQBswSRzc+otPzZhr5lJ+BlGo439hHGkbOIo8=
+git.pyrocufflink.blue ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHEF/IXycjT/sSIpFLRDEVZUu95QA3i7d5LZvB/RncHN
+git.pyrocufflink.blue ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDF1tB0KeyMStHKbnuminTQ2xwjjxyES/DBSlZZH0c7F25Lu6TfvxEEs/7YUtZKAnwFGLfuqW5gaS3eWV1eA3w7WtEGYoBAD6VFZUjN0vfmhNYWC85DMcY+gqkOkBQy1/SvyYSPHrtkgTJRPMG/MdWGaYEN+w/znr1HETPnj4qm7bFC8yxXKU2PXzKlUeY+ynY3hhlzAVwG4Ay7hgH+nO071eoAQtYq9zBdYTifXxoTzatLgU8ib3EYuC3/LDNXkFhYhxDhfp9iwPCNZRi49AccMlL323/Vp8x/Jy/iY5A60Fk8cIYtneEihRkIpzpyTudEK0MXyJ+FJ0vmjiEX5ZY9
+git.pyrocufflink.net ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBH+S6aTqXJ15DV3NczbPXVQKXxbvMVtaHToShsrhxps1GGWcJU/pbZtpAQcN4OGth7DQ1Q/1RvrFS+Fd/5U4wv4=
+git.pyrocufflink.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFzOkLdjAJDPyja2o4+Km52VNM4t7jeYTyMVYl4gtudq
+git.pyrocufflink.net ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDbgN04bblL95EStM+wpGF1asvEOL6vmH/oNTIBRd0HbTz8jRa3CMOGWWG7/xGIRjrXglAGURGZ/EOqkyGIsciVtC53lwLuyZT18sqHrmp8S5uq/rNaY3rSVfc7kW/fXsNksjtwnQ/sNtawSZ6UFv+p/X47qOGv0XPAwAzoXDwDpQ27wOz1YnbBa+5itThLh6QvxgM1DKnb78uZ1TBpaCCdtL2iH1IVo3FLmah9bNWvUU1QECKyOUDw3IiwIS6owtHIrpdCiZTlPSJhBLPvv7P/L9V0bTfREP+MMDBT1hhj2NUgmDxC4sDd8k1Qy/qxeyU/FA+7dn7K8YVIEe9rNbs/