Dustin C. Hatch
fbf2a6864f
The *cert-exporter* script really only needs the SSH host key for Gitea, so the dynamic host key fetch is overkill. Since it frequently breaks for various reasons, it's probably better to just have a static list of trusted keys.
134 lines
3.5 KiB
YAML
134 lines
3.5 KiB
YAML
apiVersion: v1
|
|
kind: ServiceAccount
|
|
metadata:
|
|
name: cert-exporter
|
|
namespace: cert-manager
|
|
|
|
---
|
|
apiVersion: v1
|
|
kind: ConfigMap
|
|
metadata:
|
|
name: cert-exporter
|
|
namespace: cert-manager
|
|
data:
|
|
config.yml: |
|
|
git_repo: gitea@git.pyrocufflink.blue:dustin/certs.git
|
|
certs:
|
|
- name: pyrocufflink-cert
|
|
namespace: default
|
|
key: certificates/_.pyrocufflink.net.key
|
|
cert: certificates/_.pyrocufflink.net.crt
|
|
bundle: certificates/_.pyrocufflink.net.pem
|
|
- name: dustinhatchname-cert
|
|
namespace: default
|
|
key: acme.sh/dustin.hatch.name/dustin.hatch.name.key
|
|
cert: acme.sh/dustin.hatch.name/fullchain.cer
|
|
- name: hatchchat-cert
|
|
namespace: default
|
|
key: certificates/hatch.chat.key
|
|
cert: certificates/hatch.chat.crt
|
|
bundle: certificates/hatch.chat.pem
|
|
- name: tabitha-cert
|
|
namespace: default
|
|
key: certificates/tabitha.biz.key
|
|
cert: certificates/tabitha.biz.crt
|
|
bundle: certificates/tabitha.biz.pem
|
|
- name: dcow-cert
|
|
namespace: default
|
|
key: certificates/darkchestofwonders.us.key
|
|
cert: certificates/darkchestofwonders.us.crt
|
|
bundle: certificates/darkchestofwonders.us.pem
|
|
- name: chmod777-cert
|
|
namespace: default
|
|
key: certificates/chmod777.sh.key
|
|
cert: certificates/chmod777.sh.crt
|
|
bundle: certificates/chmod777.sh.pem
|
|
- name: dustinandtabitha-cert
|
|
namespace: default
|
|
key: certificates/dustinandtabitha.com.key
|
|
cert: certificates/dustinandtabitha.com.crt
|
|
bundle: certificates/dustinandtabitha.com.pem
|
|
- name: hlc-cert
|
|
namespace: default
|
|
key: certificates/hatchlearningcenter.org.key
|
|
cert: certificates/hatchlearningcenter.org.crt
|
|
bundle: certificates/hatchlearningcenter.org.pem
|
|
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: Role
|
|
metadata:
|
|
name: cert-exporter
|
|
rules:
|
|
- apiGroups:
|
|
- ''
|
|
resources:
|
|
- secrets
|
|
verbs:
|
|
- get
|
|
resourceNames:
|
|
- pyrocufflink-cert
|
|
- dustinhatchname-cert
|
|
- hatchchat-cert
|
|
- tabitha-cert
|
|
- dcow-cert
|
|
- chmod777-cert
|
|
- dustinandtabitha-cert
|
|
- hlc-cert
|
|
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: RoleBinding
|
|
metadata:
|
|
name: cert-exporter
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: Role
|
|
name: cert-exporter
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: cert-exporter
|
|
namespace: cert-manager
|
|
|
|
---
|
|
apiVersion: batch/v1
|
|
kind: CronJob
|
|
metadata:
|
|
name: cert-exporter
|
|
namespace: cert-manager
|
|
spec:
|
|
timeZone: America/Chicago
|
|
schedule: '27 9,20 * * *'
|
|
jobTemplate: &jobtemplate
|
|
spec:
|
|
template:
|
|
spec:
|
|
containers:
|
|
- image: git.pyrocufflink.net/containerimages/cert-exporter
|
|
name: cert-exporter
|
|
volumeMounts:
|
|
- mountPath: /etc/cert-exporter/config.yml
|
|
name: config
|
|
subPath: config.yml
|
|
readOnly: true
|
|
- mountPath: /home/cert-exporter/.ssh/id_ed25519
|
|
name: sshkeys
|
|
subPath: cert-exporter.pem
|
|
readOnly: true
|
|
- mountPath: /etc/ssh/ssh_known_hosts
|
|
name: sshkeys
|
|
subPath: ssh_known_hosts
|
|
readOnly: true
|
|
securityContext:
|
|
fsGroup: 1000
|
|
serviceAccount: cert-exporter
|
|
volumes:
|
|
- name: config
|
|
configMap:
|
|
name: cert-exporter
|
|
- name: sshkeys
|
|
secret:
|
|
secretName: cert-exporter-sshkey
|
|
defaultMode: 00440
|
|
restartPolicy: Never
|