From a443929c0c4e58825ba28ccd8bacb3db1dd3eaf4 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch" 
Date: Sat, 24 Aug 2024 11:27:37 -0500
Subject: [PATCH] websites: Manage dcow cert via Ingress annotation
Now that the reverse proxy for Internet-facing sites uses TLS passthrough, the certificate for the _darkchestofwonders.us_ Ingress needs to be correct. Since Ingress resources can only use either the default certificate (_*.pyrocufflink.blue_) or a certificate from their same namespace, we have to move the Certificate and its corresponding Secret into the _websites_ namespace. Fortunately, this is easy enoug to do, by setting the appropriate annotations on the Ingress. To keep the existing certificate (until it expires), I moved the Secret manually: ```sh kubectl get secret dcow-cert -o yaml | grep -v namespace | kubectl create -n websites -f - ```
---
cert-manager/cert-exporter.yaml | 6 ------
cert-manager/certificates.yaml | 18 ------------------
websites/darkchestofwonders.us/ingress.yaml | 7 +++++++
3 files changed, 7 insertions(+), 24 deletions(-)
diff --git a/cert-manager/cert-exporter.yaml b/cert-manager/cert-exporter.yaml
index 3b91b10..7a3f32a 100644
--- a/cert-manager/cert-exporter.yaml
+++ b/cert-manager/cert-exporter.yaml
@@ -33,11 +33,6 @@ data:
 key: certificates/tabitha.biz.key
 cert: certificates/tabitha.biz.crt
 bundle: certificates/tabitha.biz.pem
- - name: dcow-cert
- namespace: default
- key: certificates/darkchestofwonders.us.key
- cert: certificates/darkchestofwonders.us.crt
- bundle: certificates/darkchestofwonders.us.pem
 - name: chmod777-cert
 namespace: default
 key: certificates/chmod777.sh.key
@@ -71,7 +66,6 @@ rules:
 - dustinhatchname-cert
 - hatchchat-cert
 - tabitha-cert
- - dcow-cert
 - chmod777-cert
 - dustinandtabitha-cert
 - hlc-cert
diff --git a/cert-manager/certificates.yaml b/cert-manager/certificates.yaml
index 35e8847..d9fec2e 100644
--- a/cert-manager/certificates.yaml
+++ b/cert-manager/certificates.yaml
@@ -71,24 +71,6 @@ spec:
 algorithm: ECDSA
 rotationPolicy: Always
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
- name: dcow-cert
-spec:
- secretName: dcow-cert
- dnsNames:
- - darkchestofwonders.us
- '*.darkchestofwonders.us'
- issuerRef:
- group: cert-manager.io
- kind: ClusterIssuer
- name: zerossl
- privateKey:
- algorithm: ECDSA
- rotationPolicy: Always
-
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
diff --git a/websites/darkchestofwonders.us/ingress.yaml b/websites/darkchestofwonders.us/ingress.yaml
index f50fdfe..580838c 100644
--- a/websites/darkchestofwonders.us/ingress.yaml
+++ b/websites/darkchestofwonders.us/ingress.yaml
@@ -8,10 +8,17 @@ metadata:
 app.kubernetes.io/component: darkchestofwonders.us
 app.kubernetes.io/part-of: darkchestofwonders.us
 annotations:
+ cert-manager.io/cluster-issuer: zerossl
+ cert-manager.io/private-key-algorithm: ECDSA
 nginx.ingress.kubernetes.io/ssl-redirect: "false"
 nginx.ingress.kubernetes.io/proxy-body-size: 100m
 spec:
 ingressClassName: nginx
+ tls:
+ - hosts:
+ - '*.darkchestofwonders.us'
+ - darkchestofwonders.us
+ secretName: dcow-cert
 rules:
 - host: darkchestofwonders.us
 http:
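Review bot: The Certificate that ingress-shim generates from the new annotations on this Ingress will reuse the same private key on every renewal, because the deleted Certificate's `rotationPolicy: Always` has no counterpart here and cert-manager's default rotation policy is `Never`; add `cert-manager.io/private-key-rotation-policy: Always` alongside the `cert-manager.io/private-key-algorithm: ECDSA` annotation to keep the previous behaviour. Note also that the same commit removes `dcow-cert` from cert-exporter.yaml instead of re-pointing it at the new namespace, so the expiry of the Secret now created in `websites` is no longer exported; if that is unintended, the exporter entry should be restored with `namespace: websites`. The pre-existing `nginx.ingress.kubernetes.io/ssl-redirect: "false"` annotation now sits next to a `spec.tls` block that makes this Ingress terminate TLS itself, so confirm that continuing to serve plaintext HTTP without a redirect is still what the TLS-passthrough proxy expects. The Ingress `spec.rules` continue past the end of the hunk.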