
dch-webhooks: Configure SSH cert signer

The *dch-webhooks* tool now provides an operation for hosts to request a
signed SSH certificate from the SSH CA.  It's primarily useful for
unattended deployments like CoreOS Ignition, where hosts do not have
any credentials to authenticate with the CA directly.
dch-webhooks-secrets
Dustin 2023-10-09 08:07:29 -05:00
parent 92a5aee7b4
commit f7a8f391ea
7 changed files with 88 additions and 8 deletions


@ -0,0 +1,12 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,7 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
configMapGenerator:
- name: dch-root-ca
files:
- dch-root-ca.crt


@ -1,2 +1,3 @@
paperless.token paperless.token
firefly.token firefly.token
provisioner.password


@ -0,0 +1,9 @@
FIREFLY_URL=http://firefly-iii.firefly-iii.svc.cluster.local:8080
FIREFLY_AUTH_TOKEN=/run/secrets/du5t1n.me/firefly/firefly.token
PAPERLESS_URL=http://paperless-ngx.paperless-ngx.svc.cluster.local:8000
PAPERLESS_AUTH_TOKEN=/run/secrets/du5t1n.me/paperless/paperless.token
STEP_CA_URL=https://ca.pyrocufflink.blue:32599
STEP_ROOT=/run/dch-root-ca.crt
STEP_PROVISIONER=host-bootstrap
STEP_PROVISIONER_PASSWORD_FILE=/run/secrets/du5t1n.me/step-ca/provisioner.password
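Review bot: This env file has no header saying what it is, and its values are turned into a ConfigMap by the new configMapGenerator in the overlay, so anything placed here ends up unencrypted in git and in the cluster; a leading line such as `# Non-secret settings for the dch-webhooks ConfigMap (kustomize configMapGenerator); credentials stay in the secret files mounted under /run/secrets` would keep a future `STEP_PROVISIONER_PASSWORD=` from landing here by habit. `STEP_ROOT=/run/dch-root-ca.crt` and `STEP_PROVISIONER_PASSWORD_FILE` only work because of the `root-ca` subPath mount and the `step-ca-password` mount added to the Deployment in this commit, and naming that coupling in the same comment helps whoever changes either side later. Kustomize ignores `#` lines in env files, so the comment does not become a ConfigMap key.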


@ -44,18 +44,13 @@ spec:
- name: dch-webhooks - name: dch-webhooks
image: git.pyrocufflink.net/containerimages/dch-webhooks image: git.pyrocufflink.net/containerimages/dch-webhooks
env: env:
- name: FIREFLY_URL
value: http://firefly-iii.firefly-iii.svc.cluster.local:8080
- name: FIREFLY_AUTH_TOKEN
value: /run/secrets/du5t1n.me/firefly/firefly.token
- name: PAPERLESS_URL
value: http://paperless-ngx.paperless-ngx.svc.cluster.local:8000
- name: PAPERLESS_AUTH_TOKEN
value: /run/secrets/du5t1n.me/paperless/paperless.token
- name: UVICORN_HOST - name: UVICORN_HOST
value: 0.0.0.0 value: 0.0.0.0
- name: UVICORN_LOG_LEVEL - name: UVICORN_LOG_LEVEL
value: debug value: debug
envFrom:
- configMapRef:
name: dch-webhooks
ports: ports:
- name: http - name: http
containerPort: 8000 containerPort: 8000
@ -74,10 +69,18 @@ spec:
securityContext: securityContext:
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
volumeMounts: volumeMounts:
- mountPath: /run/dch-root-ca.crt
name: root-ca
subPath: dch-root-ca.crt
- mountPath: /run/secrets/du5t1n.me/firefly - mountPath: /run/secrets/du5t1n.me/firefly
name: firefly-token name: firefly-token
- mountPath: /run/secrets/du5t1n.me/paperless - mountPath: /run/secrets/du5t1n.me/paperless
name: paperless-token name: paperless-token
- mountPath: /run/secrets/du5t1n.me/step-ca
name: step-ca-password
- mountPath: /tmp
name: tmp
subPath: tmp
securityContext: securityContext:
runAsNonRoot: true runAsNonRoot: true
volumes: volumes:
@ -89,3 +92,13 @@ spec:
secret: secret:
secretName: paperless-token secretName: paperless-token
optional: true optional: true
- name: root-ca
configMap:
name: dch-root-ca
- name: step-ca-password
secret:
secretName: step-ca-password
optional: true
- name: tmp
emptyDir:
medium: Memory
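Review bot: `optional: true` on the new `step-ca-password` volume in the last hunk lets the pod start without the provisioner password, so a missing or misnamed secret only surfaces when a host first requests a certificate and the signer cannot read the path in `STEP_PROVISIONER_PASSWORD_FILE`; since that signing operation is the point of this change, consider dropping `optional: true` for this volume, or stating why lazy failure is preferred, e.g. `# optional: a missing password disables only the SSH signer, not the other webhooks`. The memory-backed `/tmp` emptyDir has no `sizeLimit`, so whatever is written there is charged against the container's memory with no cap of its own; `sizeLimit: <SIZE_PLACEHOLDER>` bounds it. The `subPath: dch-root-ca.crt` mount in the previous hunk will not see in-place updates to the ConfigMap, which is presumably harmless here because the kustomize generator renames the ConfigMap with a hash suffix and that rolls the Deployment, but a one-line comment on the mount would save the next reader from checking.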

dch-webhooks/ingress.yaml Normal file

@ -0,0 +1,27 @@
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
labels:
app.kubernetes.io/name: dch-webhooks
app.kubernetes.io/component: dch-webhooks
app.kubernetes.io/instance: dch-webhooks
app.kubernetes.io/part-of: dch-webhooks
name: dch-webhooks
spec:
ingressClassName: nginx
tls:
- hosts:
- webhooks.pyrocufflink.blue
rules:
- host: webhooks.pyrocufflink.blue
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: dch-webhooks
port:
name: http
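Review bot: The `tls` entry lists the host but no `secretName`, so ingress-nginx will serve its default certificate for webhooks.pyrocufflink.blue; if that is intended, say so with a comment above `tls:` such as `# no secretName: served with the controller's default certificate`, otherwise reference the certificate secret here. The Ingress also carries no annotation restricting who can reach the service, and per the commit message the new SSH certificate signer serves hosts that have no credentials of their own, so any control over which requesters may obtain a certificate for which principals lives entirely inside the application — inferred from the manifest, but worth recording in a comment on the Ingress or narrowing at the edge with `nginx.ingress.kubernetes.io/whitelist-source-range` if requests only come from known networks.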


@ -2,7 +2,14 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
resources: resources:
- ../dch-root-ca
- dch-webhooks.yaml - dch-webhooks.yaml
- ingress.yaml
configMapGenerator:
- name: dch-webhooks
envs:
- dch-webhooks.env
secretGenerator: secretGenerator:
- name: firefly-token - name: firefly-token
@ -12,3 +19,7 @@ secretGenerator:
- name: paperless-token - name: paperless-token
files: files:
- paperless.token - paperless.token
- name: step-ca-password
files:
- provisioner.password
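Review bot: The new `step-ca-password` secretGenerator reads `provisioner.password` from the working tree, and what looks like the .gitignore hunk earlier in this commit excludes that file, so `kustomize build` fails for anyone who has not provided it locally; a comment next to the entry would spare them the surprise, e.g. `# provisioner.password is not committed (ignored in .gitignore); provide it locally before building`. The existing `firefly.token`/`paperless.token` entries have the same property, but this is the one the commit adds. The key name must stay `provisioner.password` to match `STEP_PROVISIONER_PASSWORD_FILE` in dch-webhooks.env and the `/run/secrets/du5t1n.me/step-ca` mount in the Deployment, which is worth noting inline since renaming the file would silently break the signer.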