From fbf2a6864f948b9987080d469b0e323c90cc2ec7 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Thu, 4 Jan 2024 15:35:00 -0600
Subject: [PATCH] cert-manager: cert-exporter: Static SSH host keys
The *cert-exporter* script really only needs the SSH host key for Gitea, so the dynamic host key fetch is overkill. Since it frequently breaks for various reasons, it's probably better to just have a static list of trusted keys.
---
 cert-manager/cert-exporter.yaml | 8 +++-----
 cert-manager/kustomization.yaml | 3 +--
 cert-manager/ssh_known_hosts | 6 ++++++
 3 files changed, 10 insertions(+), 7 deletions(-)
 create mode 100644 cert-manager/ssh_known_hosts
diff --git a/cert-manager/cert-exporter.yaml b/cert-manager/cert-exporter.yaml
index 89f3005..3b91b10 100644
--- a/cert-manager/cert-exporter.yaml
+++ b/cert-manager/cert-exporter.yaml
@@ -53,8 +53,6 @@ data:
 key: certificates/hatchlearningcenter.org.key
 cert: certificates/hatchlearningcenter.org.crt
 bundle: certificates/hatchlearningcenter.org.pem
- known-hosts-command.ssh_config: |
- KnownHostsCommand /usr/bin/curl -fsL https://files.pyrocufflink.blue/ssh_known_hosts
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -117,9 +115,9 @@ spec:
 name: sshkeys
 subPath: cert-exporter.pem
 readOnly: true
- - mountPath: /etc/ssh/ssh_config.d/known-hosts-command.conf
- name: config
- subPath: known-hosts-command.ssh_config
+ - mountPath: /etc/ssh/ssh_known_hosts
+ name: sshkeys
+ subPath: ssh_known_hosts
 readOnly: true
 securityContext:
 fsGroup: 1000
diff --git a/cert-manager/kustomization.yaml b/cert-manager/kustomization.yaml
index a33f1bc..0278f46 100644
--- a/cert-manager/kustomization.yaml
+++ b/cert-manager/kustomization.yaml
@@ -26,8 +26,7 @@ secretGenerator:
 namespace: cert-manager
 files:
 - cert-exporter.pem
- options:
- disableNameSuffixHash: true
+ - ssh_known_hosts
 - name: acme-dns
 namespace: cert-manager
diff --git a/cert-manager/ssh_known_hosts b/cert-manager/ssh_known_hosts
new file mode 100644
index 0000000..11f8daa
--- /dev/null
+++ b/cert-manager/ssh_known_hosts
@@ -0,0 +1,6 @@
+git.pyrocufflink.blue ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJPLXOT4j+jYAIGfuGbtG8ea3oBZwtvOEYNzUHpsQBF9VO9E9nTQBswSRzc+otPzZhr5lJ+BlGo439hHGkbOIo8=
+git.pyrocufflink.blue ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHEF/IXycjT/sSIpFLRDEVZUu95QA3i7d5LZvB/RncHN
+git.pyrocufflink.blue ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDF1tB0KeyMStHKbnuminTQ2xwjjxyES/DBSlZZH0c7F25Lu6TfvxEEs/7YUtZKAnwFGLfuqW5gaS3eWV1eA3w7WtEGYoBAD6VFZUjN0vfmhNYWC85DMcY+gqkOkBQy1/SvyYSPHrtkgTJRPMG/MdWGaYEN+w/znr1HETPnj4qm7bFC8yxXKU2PXzKlUeY+ynY3hhlzAVwG4Ay7hgH+nO071eoAQtYq9zBdYTifXxoTzatLgU8ib3EYuC3/LDNXkFhYhxDhfp9iwPCNZRi49AccMlL323/Vp8x/Jy/iY5A60Fk8cIYtneEihRkIpzpyTudEK0MXyJ+FJ0vmjiEX5ZY9
+git.pyrocufflink.net ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBH+S6aTqXJ15DV3NczbPXVQKXxbvMVtaHToShsrhxps1GGWcJU/pbZtpAQcN4OGth7DQ1Q/1RvrFS+Fd/5U4wv4=
+git.pyrocufflink.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFzOkLdjAJDPyja2o4+Km52VNM4t7jeYTyMVYl4gtudq
+git.pyrocufflink.net ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDbgN04bblL95EStM+wpGF1asvEOL6vmH/oNTIBRd0HbTz8jRa3CMOGWWG7/xGIRjrXglAGURGZ/EOqkyGIsciVtC53lwLuyZT18sqHrmp8S5uq/rNaY3rSVfc7kW/fXsNksjtwnQ/sNtawSZ6UFv+p/X47qOGv0XPAwAzoXDwDpQ27wOz1YnbBa+5itThLh6QvxgM1DKnb78uZ1TBpaCCdtL2iH1IVo3FLmah9bNWvUU1QECKyOUDw3IiwIS6owtHIrpdCiZTlPSJhBLPvv7P/L9V0bTfREP+MMDBT1hhj2NUgmDxC4sDd8k1Qy/qxeyU/FA+7dn7K8YVIEe9rNbs/
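Review bot: The new `/etc/ssh/ssh_known_hosts` mount in the second cert-exporter.yaml hunk makes rejection of an unknown or changed host key depend on ssh's default `StrictHostKeyChecking` behaviour in a non-interactive pod, and nothing in the hunk (or the dropped `ssh_config.d` drop-in, which only carried `KnownHostsCommand`) sets it explicitly. Unless the script already passes `-o StrictHostKeyChecking=yes`, consider keeping a small drop-in under `/etc/ssh/ssh_config.d/` with `StrictHostKeyChecking yes` so a key mismatch is a hard failure rather than a prompt that cannot be answered. Also note that a `subPath` mount of a Secret is not refreshed in a running pod, so updated host keys only take effect in freshly created pods; that is presumably fine if this is a CronJob, but worth a comment next to the mount. The enclosing `spec:` begins and ends outside the hunk.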
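Review bot: Dropping `disableNameSuffixHash: true` from the `sshkeys` secretGenerator in kustomization.yaml is a behaviour change the commit message does not mention: the generated Secret is now named `sshkeys-<hash>`, and kustomize rewrites only the references it knows about (such as the pod volume's `secretName`), so anything that addresses the Secret by the literal name `sshkeys` outside this kustomization would stop resolving. Presumably this is intentional so the workload rolls out whenever `ssh_known_hosts` or the key file changes; if so, say that in the commit message, otherwise keep the option. Separately, the host keys are public data and could live in a `configMapGenerator` rather than in the same Secret as the private `cert-exporter.pem`, which keeps the secret-bearing object as small as possible. The generator list continues outside the hunk.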
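Review bot: The six pinned entries in cert-manager/ssh_known_hosts are now the only trust anchor for the exporter's SSH connection, but the file records nothing about how they were verified or which host is actually used; a leading comment line such as `# Gitea host keys, verified YYYY-MM-DD against ssh-keygen -lf output on the server` (known_hosts accepts `#` comments) would let a later reader re-check them without trusting a previous scan. The commit message says only the Gitea key is needed, yet two hostnames with distinct key material are listed; presumably both are Gitea endpoints, so a one-line comment naming why each is present would avoid someone "cleaning up" the wrong one. Host-key rotation on the Gitea side now has to be coordinated with a change to this file, and a note to that effect here or in the commit message would help whoever does that rotation. Entries match by hostname only, so if the script ever connects via an IP or alias these lines will not apply.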