From 2b6830f1314e1158eaf96738d0da49645e381bf3 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Mon, 9 Dec 2024 17:58:43 +0000
Subject: [PATCH] cert-manager: Configure ACME DNS.01 for dch-ca

Since transitioning to externalIPs for TCP services, it is no longer possible to use the HTTP.01 ACME challenge to issue certificates for services hosted in the cluster, because the ingress controller does not listen on those addresses. Thus, we have to switch to using the DNS.01 challenge. I had avoided using it before because of the complexity of managing dynamic DNS records with the Samba AD server, but this was actually pretty to work around. I created a new DNS zone on the firewall specifically for ACME challenges. Names in the AD-managed zone have CNAME records for their corresponding *_acme-challenge* labels pointing to this new zone. The new zone has dynamic updates enabled, which _cert-manager_ supports using the RFC2136 plugin. For now, this is only enabled for _rabbitmq.pyrocufflink.blue_. I will transition the other names soon.
---
 cert-manager/dch-ca-issuer.yaml | 12 ++++++++++++
 cert-manager/kustomization.yaml | 1 +
 cert-manager/secrets.yaml | 13 +++++++++++++
 3 files changed, 26 insertions(+)
 create mode 100644 cert-manager/secrets.yaml

diff --git a/cert-manager/dch-ca-issuer.yaml b/cert-manager/dch-ca-issuer.yaml
index e390b21..293e887 100644
--- a/cert-manager/dch-ca-issuer.yaml
+++ b/cert-manager/dch-ca-issuer.yaml
@@ -12,6 +12,18 @@ spec:
 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
 solvers:
+ - dns01:
+ cnameStrategy: Follow
+ rfc2136:
+ nameserver: 172.30.0.1
+ tsigSecretSecretRef:
+ name: pyrocufflink-tsig
+ key: cert-manager.tsig.key
+ tsigKeyName: cert-manager
+ tsigAlgorithm: HMACSHA512
+ selector:
+ dnsNames:
+ - rabbitmq.pyrocufflink.blue
 - http01:
 ingress:
 ingressClassName: nginx
diff --git a/cert-manager/kustomization.yaml b/cert-manager/kustomization.yaml
index 6216727..8dcea21 100644
--- a/cert-manager/kustomization.yaml
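Review bot: The new dns01 solver carries no hint of the CNAME-into-a-dedicated-zone scheme that the commit message describes, so a reader of `dch-ca-issuer.yaml` alone cannot tell why `cnameStrategy: Follow` is set or what `172.30.0.1` serves. A comment above `- dns01:` such as `# _acme-challenge labels in the AD zone are CNAMEs into the dynamic-update zone on 172.30.0.1; Follow lets the solver write the TXT record there` would make the dependency visible. Because the TSIG key in `pyrocufflink-tsig` authorises dynamic updates, the server-side policy for the `cert-manager` key should be limited to TXT records in that challenge zone, so a compromise of the cert-manager namespace cannot rewrite other names; that policy lives on the DNS server and cannot be verified from this diff. The enclosing `spec` starts outside the hunk, so whether this is an Issuer or a ClusterIssuer (which determines the namespace the referenced Secret must live in) is not visible here.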
+++ b/cert-manager/kustomization.yaml
@@ -7,6 +7,7 @@ resources:
 - certificates.yaml
 - cert-exporter.yaml
 - dch-ca-issuer.yaml
+- secrets.yaml
 configMapGenerator:
 - name: cert-exporter
diff --git a/cert-manager/secrets.yaml b/cert-manager/secrets.yaml
new file mode 100644
index 0000000..e05dc86
--- /dev/null
+++ b/cert-manager/secrets.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ name: pyrocufflink-tsig
+ namespace: cert-manager
+spec:
+ encryptedData:
+ cert-manager.tsig.key: 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
+ template:
+ metadata:
+ name: pyrocufflink-tsig
+ namespace: cert-manager
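Review bot: The new SealedSecret does not record what `cert-manager.tsig.key` is or who consumes it, so nobody rotating DNS credentials later will know that this key must stay in step with the `tsigKeyName: cert-manager` / `tsigAlgorithm: HMACSHA512` settings in `dch-ca-issuer.yaml`. A comment above `apiVersion:` such as `# TSIG key "cert-manager" (HMAC-SHA512) for RFC2136 dynamic updates to the ACME challenge zone; consumed by the dns01 solver in dch-ca-issuer.yaml` would tie the two files together. It is also worth noting in that comment that the ciphertext is bound to the `pyrocufflink-tsig` name and `cert-manager` namespace, so renaming or moving the Secret requires re-sealing rather than editing the manifest. Rotation of the TSIG key on the DNS server likewise means re-sealing here; there is no mechanism in this diff that would detect a stale key before issuance fails.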