cert-manager: Add dch-ca issuer

In-cluster services can now get certificates signed by the DCH CA via `step-ca`. This issuer uses ACME with the HTTP-01 challenge, so it can only issue certificates for names in the _pyrocufflink.blue_ zone that point to the ingress controllers.
2024-07-26 20:49:00 -05:00 · 2024-07-26 20:49:00 -05:00 · e56a38c034
parent 54187176ba
commit e56a38c034
2 changed files with 18 additions and 0 deletions
--- a/cert-manager/dch-ca-issuer.yaml
+++ b/cert-manager/dch-ca-issuer.yaml
@ -0,0 +1,17 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: dch-ca
+spec:
+  acme:
+    server: https://ca.pyrocufflink.blue:32599/acme/acme/directory
+    email: cert-manager@pyrocufflink.net
+    privateKeySecretRef:
+      name: dch-ca-acme
+    caBundle:
+      LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJ4RENDQVdxZ0F3SUJBZ0lVYkh6MnRzc2EwOXpzSGsrRWRHRDNRS3ByTUtRd0NnWUlLb1pJemowRUF3UXcKUURFTE1Ba0dBMVVFQmhNQ1ZWTXhHREFXQmdOVkJBb01EMFIxYzNScGJpQkRMaUJJWVhSamFERVhNQlVHQTFVRQpBd3dPUkVOSUlGSnZiM1FnUTBFZ1VqSXdIaGNOTWpNd09USTBNakExTXpBNVdoY05ORE13T1RFNU1qQTFNekE1CldqQkFNUXN3Q1FZRFZRUUdFd0pWVXpFWU1CWUdBMVVFQ2d3UFJIVnpkR2x1SUVNdUlFaGhkR05vTVJjd0ZRWUQKVlFRRERBNUVRMGdnVW05dmRDQkRRU0JTTWpCWk1CTUdCeXFHU000OUFnRUdDQ3FHU000OUF3RUhBMElBQkUyRApOSkhSY2p1QTE5Wm9wckJLYXhJZlV4QWJ6NkxpZ003ZGd0TzYraXNhTWx4UkFWSm1zSVRBRElFLzIyUnJVRGdECk9ma3QyaVpUVWpNcnozQXhYaFdqUWpCQU1CMEdBMVVkRGdRV0JCVE0rZDhrYjFrb0dtS1J0SnM0Z045ellhKzYKb1RBU0JnTlZIUk1CQWY4RUNEQUdBUUgvQWdFQk1Bc0dBMVVkRHdRRUF3SUJCakFLQmdncWhrak9QUVFEQkFOSQpBREJGQWlFQTJLYThtTWlBRkxtckZXdDBkQW1sMjQ3cmUyK2k0VVBoeUhjT0JmTksrZ29DSUh2K3ZFdzdDSFpRCmlySWE2OTduZmU0S2lYSU13SGxBTVMxKzFRWm9oRkRDCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
+
+    solvers:
+    - http01:
+        ingress:
+          ingressClassName: nginx
--- a/cert-manager/kustomization.yaml
+++ b/cert-manager/kustomization.yaml
@ -6,6 +6,7 @@ resources:
 - cluster-issuer.yaml
 - certificates.yaml
 - cert-exporter.yaml
+- dch-ca-issuer.yaml

 secretGenerator:
 - name: zerossl-eab