cert-manager/cert-exporter.config.yml

@@ -0,0 +1,17 @@
+git_repo: gitea@git.pyrocufflink.blue:dustin/certs.git
+certs:
+- name: pyrocufflink-cert
+  namespace: default
+  key: certificates/_.pyrocufflink.net.key
+  cert: certificates/_.pyrocufflink.net.crt
+  bundle: certificates/_.pyrocufflink.net.pem
+- name: dustinandtabitha-cert
+  namespace: default
+  key: certificates/dustinandtabitha.com.key
+  cert: certificates/dustinandtabitha.com.crt
+  bundle: certificates/dustinandtabitha.com.pem
+- name: hlc-cert
+  namespace: default
+  key: certificates/hatchlearningcenter.org.key
+  cert: certificates/hatchlearningcenter.org.crt
+  bundle: certificates/hatchlearningcenter.org.pem

cert-manager/cert-exporter.yaml

@@ -0,0 +1,78 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cert-exporter
+  namespace: cert-manager
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: cert-exporter
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - secrets
+  verbs:
+  - get
+  resourceNames:
+  - pyrocufflink-cert
+  - dustinandtabitha-cert
+  - hlc-cert
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: cert-exporter
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: cert-exporter
+subjects:
+- kind: ServiceAccount
+  name: cert-exporter
+  namespace: cert-manager
+
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: cert-exporter
+  namespace: cert-manager
+spec:
+  timeZone: America/Chicago
+  schedule: '27 9,20 * * *'
+  jobTemplate: &jobtemplate
+    spec:
+      template:
+        spec:
+          containers:
+          - image: git.pyrocufflink.net/containerimages/cert-exporter
+            name: cert-exporter
+            volumeMounts:
+            - mountPath: /etc/cert-exporter/config.yml
+              name: config
+              subPath: config.yml
+              readOnly: true
+            - mountPath: /home/cert-exporter/.ssh/id_ed25519
+              name: sshkeys
+              subPath: cert-exporter.pem
+              readOnly: true
+            - mountPath: /etc/ssh/ssh_known_hosts
+              name: sshkeys
+              subPath: ssh_known_hosts
+              readOnly: true
+          securityContext:
+            fsGroup: 1000
+          serviceAccount: cert-exporter
+          volumes:
+          - name: config
+            configMap:
+              name: cert-exporter
+          - name: sshkeys
+            secret:
+              secretName: cert-exporter-sshkey
+              defaultMode: 00440
+          restartPolicy: Never

cert-manager/certificates.yaml

@@ -16,3 +16,51 @@ spec:
   privateKey:
     algorithm: ECDSA
     rotationPolicy: Always
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: dustinandtabitha-cert
+spec:
+  secretName: dustinandtabitha-cert
+  dnsNames:
+  - dustinandtabitha.com
+  - '*.dustinandtabitha.com'
+  - dustinandtabitha.xyz
+  - '*.dustinandtabitha.xyz'
+  issuerRef:
+    group: cert-manager.io
+    kind: ClusterIssuer
+    name: zerossl
+  privateKey:
+    algorithm: ECDSA
+    rotationPolicy: Always
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: hlc-cert
+spec:
+  secretName: hlc-cert
+  dnsNames:
+  - hatchlearningcenter.org
+  - '*.hatchlearningcenter.org'
+  - hatchlearningcenter.com
+  - '*.hatchlearningcenter.com'
+  - hlckc.org
+  - '*.hlckc.org'
+  - hlckc.com
+  - '*.hlckc.com'
+  - hlcks.org
+  - '*.hlcks.org'
+  - hlcks.com
+  - '*.hlcks.com'
+  issuerRef:
+    group: cert-manager.io
+    kind: ClusterIssuer
+    name: zerossl
+  privateKey:
+    algorithm: ECDSA
+    rotationPolicy: Always

cert-manager/jenkins.yaml

@@ -11,6 +11,8 @@ rules:
   - get
   resourceNames:
   - pyrocufflink-cert
+  - dustinandtabitha-cert
+  - hlc-cert
 
 ---
 apiVersion: rbac.authorization.k8s.io/v1

cert-manager/kustomization.yaml

@@ -5,10 +5,19 @@ resources:
 - https://github.com/cert-manager/cert-manager/releases/download/v1.16.4/cert-manager.yaml
 - cluster-issuer.yaml
 - certificates.yaml
+- cert-exporter.yaml
 - dch-ca-issuer.yaml
 - secrets.yaml
 - jenkins.yaml
 
+configMapGenerator:
+- name: cert-exporter
+  namespace: cert-manager
+  files:
+  - config.yml=cert-exporter.config.yml
+  options:
+    disableNameSuffixHash: True
+
 secretGenerator:
 - name: zerossl-eab
   namespace: cert-manager
@@ -17,6 +26,12 @@ secretGenerator:
   options:
     disableNameSuffixHash: true
 
+- name: cert-exporter-sshkey
+  namespace: cert-manager
+  files:
+  - cert-exporter.pem
+  - ssh_known_hosts
+
 - name: cloudflare
   namespace: cert-manager
   files: