Add sealed secret for cluster-issuer

This commit is contained in:
Kasper Juul Hermansen 2022-06-04 15:36:03 +02:00
parent a5940a3bb6
commit 35e4ed430e
Signed by: kjuulh
GPG Key ID: 0F95C140730F2F23
4 changed files with 58 additions and 0 deletions

View File

@ -0,0 +1,16 @@
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
creationTimestamp: null
name: cloudflare-api-token-secret
namespace: cert-manager
spec:
encryptedData:
api-token: AgBfxV2k7bG5Zf9KIvaSGwgisxhpi6Wxg6TlgIqdJmARkWezhnM7kc41oU2FxK2rOroYF4ailxBJVbCyeCSPoaPu7sn9Fc7+EgGvlb1DOHKvLVLXoAdu3b1opta6gYi05Uzc8anU9uAsMoEJFcn71RTzFIGNMVKVs2VovtajtRf6UW61kNaC54wmMPuhEYsYKYs75sCc/CgmhMD7P8bx6/b6f7QnsksP07mR5GXS1Q8DePu4dHGx9FhMNXVu+lajyd6wW2eLk0EqzNsZ1cSoK3gZrbpKtHGOkuO6TIoBPAgtgqN8wQzurFkeHowTuEU7GMas0FJtP5b/uH0GwKzYeKvqLvX2LLybwiD/idb/fGSZiPIdk5g3ENSOa8bUiVB78mVGXfSWmVcJCAmKY5uB7vRxq44jZI6eTvalrZoAFKF0zzHi1PBTOimgiDUWJXNd6gVORcqqvsbuAOYi/8KzBSXd+qR+EGbAfYgC/0UAhQPr2uuH0MP1x2gnOLtulxU5oRMvtSzMVZrv85qGrkp1KOtK5oQoDT6kgNZKJ6FBV8JsKhISPUGdM0xsgH+cXyqVZ73UlyohaiPYVHpvoRtcMMw0zQM/tQnhMdstEKQgsSGuzg8g7cOgv2aiYFL1sfm08XEofCBeBXrTNodxAa77I4KnNeB1tbR/WXdX/kzLxb0aGheCxsv8nDU3KJyrvAbRj9wVL3hnBnIc6p/bg8KPLrJkp2Qe+3ree/7Wma0+qhlswdvjLn4dGeb9
template:
data: null
metadata:
creationTimestamp: null
name: cloudflare-api-token-secret
namespace: cert-manager

View File

@ -0,0 +1,25 @@
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-issuer
spec:
acme:
# You must replace this email address with your own.
# Let's Encrypt will use this to contact you about expiring
# certificates, and issues related to your account.
email: contact@kasperhermansen.com
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
# Secret resource that will be used to store the account's private key.
name: letsencrypt-issuer-secret
# Add a single challenge solver, HTTP01 using nginx
solvers:
- dns01:
cloudflare:
apiTokenSecretRef:
name: cloudflare-api-token-secret
key: api-token
selector:
dnsNames:
- 'kjuulh.app'
- '*.kjuulh.app'

View File

@ -0,0 +1,15 @@
#!/bin/bash
echo "Encrypt secret with 'sealed-secrets'"
kubectl -n default create secret generic cloudflare-api-token-secret \
--from-literal=api-token="$1" \
--namespace="cert-manager" \
--dry-run=client \
-o yaml > cloudflare-secret.yaml
echo "secret: $1"
kubeseal \
--format=yaml \
--controller-name=sealed-secrets \
--controller-namespace=kube-system \
< cloudflare-secret.yaml > cloudflare-secret.sealed.yaml
echo "Updated/created secret"
rm cloudflare-secret.yaml

View File

@ -4,3 +4,5 @@ namespace: cert-manager
resources:
- namespace.yaml
- release.yaml
- cloudflare-secret.sealed.yaml
- cluster-issuer.yaml