Commit fc0181fa authored by leo.muff

need fix pending orders

parent ad5bf5d2
Showing with 480 additions and 1 deletion
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: chepia-ch
spec:
acme:
server: http://10.152.183.192:8200/v1/pki_int/acme/directory
caBundle: 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
privateKeySecretRef:
name: issuer-token-lmzpj
solvers:
- selector: {}
http01:
ingress:
ingressClassName: nginx
\ No newline at end of file
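Review bot: the ACME `server` URL in this ClusterIssuer is plain HTTP (`http://10.152.183.192:8200/v1/pki_int/acme/directory`), so the `caBundle` below it is never used for anything and the ACME account key exchange and order traffic run unencrypted; point cert-manager at an HTTPS listener on Vault and keep `caBundle` for that. Second, `privateKeySecretRef.name: issuer-token-lmzpj` reuses the name of the `kubernetes.io/service-account-token` Secret added in this same commit; cert-manager will write the ACME account private key into a Secret of that name, so give the account key its own Secret name (for example `chepia-ch-acme-account-key`).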
@@ -72,8 +72,22 @@ Initial Root Token: hvs.zWAYhaUkch0hfgfi18fduTvl
--> Pour déverrouiller Vault, il faut que 3 des 5 tokens créés soit renseignés. On doit ensuite se logger avec le token root
### Install tools on pod
- jq (json parsing)
```
microk8s kubectl exec -ti vault-0 -- sh
cd vault
wget https://github.com/stedolan/jq/releases/download/jq-1.7.1/jq-linux64 -O jq
chmod +x jq
```
### Configurer le PKI :
- https://developer.hashicorp.com/vault/tutorials/secrets-management/pki-engine?variants=vault-deploy%3Aselfhosted
#### Root CA :
Commandes :
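Review bot: the hunk header context line `Initial Root Token: hvs.zWAYhaUkch0hfgfi18fduTvl` shows a Vault root token committed to the README; a root token in git history has to be treated as exposed, so revoke it (`vault token revoke <token>`), generate a fresh one with `vault operator generate-root` only when needed, and keep tokens out of the repository (the unseal-key sentence right below it should be checked for the same reason). On the new "Install tools on pod" block: the download pins `jq-1.7.1` but fetches it from the `stedolan` GitHub organisation, while jq releases from 1.7 onward are published under `jqlang`; verify that the URL still resolves to the intended asset and compare the binary against the published checksum before `chmod +x jq`.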
@@ -99,4 +113,218 @@ vault secrets enable -path=pki_int pki
vault secrets tune -max-lease-ttl=240h pki_int
```
→ TTL 10 jours
\ No newline at end of file
- **ADD GUI STEPS**
#### Create a role :
- **ADD GUI STEPS**
#### Request certificates
- **ADD GUI STEPS**
### Configurer cert-manager
- https://developer.hashicorp.com/vault/tutorials/kubernetes/kubernetes-cert-manager
### Delete expired certs
```
vault write pki_int/tidy tidy_cert_store=true tidy_revoked_certs=true
```
### Root certificate rotation
```
vault write pki/root/rotate/internal \
common_name="chepia.com" \
issuer_name="root-2"
```
```
vault write pki/roles/chepia-servers allow_any_name=true
```
#### Root bridge
```
cd vault
vault write -format=json pki_int/intermediate/cross-sign \
common_name="chepia.com" \
key_ref="$(vault read pki_int/issuer/root-2 \
| grep -i key_id | awk '{print $2}')" \
| ./jq -r '.data.csr' \
| tee cross-signed-intermediate.csr
vault write -format=json pki_int/issuer/root/sign-intermediate \
common_name="chepia.com" \
csr=@cross-signed-intermediate.csr \
| ./jq -r '.data.certificate' | tee cross-signed-intermediate.crt
vault write pki/intermediate/set-signed \
certificate=@cross-signed-intermediate.crt
```
#### Set default issuer
```
vault write pki/root/replace default=root-2
```
### cross-sign intermediate
```bash
cd vault
vault write -format=json pki_int/intermediate/cross-sign \
common_name="chepia.com Intermediate Authority" \
key_ref="$(vault read pki_int/issuer/$(vault read -field=default pki_int/config/issuers) \
| grep -i key_id | awk '{print $2}')" \
| ./jq -r '.data.csr' \
| tee cross-signed-intermediate.csr
vault write -format=json pki/issuer/root-2/sign-intermediate \
common_name="chepia.com Intermediate Authority" \
csr=@cross-signed-intermediate.csr \
| ./jq -r '.data.certificate' | tee cross-signed-intermediate.crt
vault write pki_int/intermediate/set-signed certificate=@cross-signed-intermediate.crt
```
### ACME setup
#### terminal :
```bash
vault write /sys/mounts/pki_int/tune \
passthrough_request_headers="If-Modified-Since" \
allowed_response_headers="Last-Modified,Location,Replay-Nonce,Link"
```
#### GUI :
- go to the intermediate certificate configuration page
- add url `http://127.0.0.1:8200/v1/pki_int` to AIA path and Mount's API path
- Tick "Enable ACME"
- save
### Add ACME to cert-manager
https://developer.hashicorp.com/vault/tutorials/kubernetes/kubernetes-cert-manager
#### add issuer
- Création du fichier de configuration acme.yaml
```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: chepia-ch
spec:
acme:
server: http://127.0.0.1:8200/v1/pki_int
caBundle: <root cert in PEM format encoded in base64>
privateKeySecretRef:
name: issuer-token-lmzpj
```
- Activation de la config avec `microk8s kubectl apply -f acme.yaml `
### Add ingress to the k8s cluster
- Activer l'addon `ingress`qui permet d'exposer des services gérés par le cluster kubernetes :
`microk8s enable ingress`
- On peut maintenant créer des règles pour exposer des services en https.
### Create certificate
```
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: chepia-cert
namespace: default
spec:
issuerRef:
name: chepia-ch
kind: ClusterIssuer
secretName: chepia-cert
dnsNames:
\- www.chepia.ch
```
### Expose https service
- Nous allons utiliser un simple serveur web Nginx pour représenter la page d'accueil de l'intranet de notre entreprise :
1. Créer le fichier de config de la page d'accueil :
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: nginx-configmap
namespace: default
data:
index.html: |
&lt;html&gt;
&lt;h1&gt; Bienvenue sur l'intranet de CHEPIA &lt;/h1&gt;
&lt;h3&gt; Certificats gratos !! &lt;/h3&gt;
&lt;/html&gt;
```
2. Créer le fichier de config du serveur :
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-configmap
labels:
app: nginx
spec:
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:latest
ports:
- containerPort: 80
volumeMounts:
- name: nginx-index
mountPath: /usr/share/nginx/index.html
subPath: index.html
volumes:
- name: nginx-index
configMap:
name: nginx-configmap
```
3. Appliquer les configs : `microk8s kubectl apply -f nginx-configmap.yaml`, `microk8s kubectl apply -f nginx.yaml`
https://cert-manager.io/docs/usage/ingress/
\ No newline at end of file
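Review bot: three things in this README hunk will bite anyone following it. (1) In the "add issuer" snippet, `server: http://127.0.0.1:8200/v1/pki_int` is wrong on two counts: from the cert-manager pod 127.0.0.1 is its own loopback, not Vault, and the ACME directory is served under `/v1/pki_int/acme/directory`; the `acme.yaml` added in this same commit uses the full `.../acme/directory` path and the service IP, so the README should match it (this is the first thing to check for the pending orders mentioned in the commit message). (2) In "Root bridge", the mounts are mixed: `root-2` is created by `vault write pki/root/rotate/internal` in the `pki` mount, but `key_ref` reads `pki_int/issuer/root-2`, the CSR is signed through `pki_int/issuer/root/sign-intermediate`, and the result is installed with `pki/intermediate/set-signed`. The root-bridge step should stay inside `pki` throughout (`pki/intermediate/cross-sign`, `pki/issuer/root/sign-intermediate`, `pki/intermediate/set-signed`); the later "cross-sign intermediate" section already has the mounts right. (3) In the nginx Deployment, `mountPath: /usr/share/nginx/index.html` places the file outside nginx's document root; it should be `/usr/share/nginx/html/index.html`, otherwise the default welcome page is served instead of the ConfigMap content.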
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: chepia-cert
namespace: default
spec:
issuerRef:
name: chepia-ch
kind: ClusterIssuer
secretName: chepia-cert
dnsNames:
- www.chepia.ch
\ No newline at end of file
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
\ No newline at end of file
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: chepia-ch
namespace: default
spec:
secretName: chepia-ch-tls
issuerRef:
name: vault-issuer
commonName: www.chepia.ch
dnsNames:
- www.chepia.ch
images/ca-expired.png (26.8 KiB)
images/cert-expired.png (58.7 KiB)
images/cert-manager.png (73 KiB)
images/error-ttl.png (22.7 KiB)
File moved
apiVersion: v1
kind: Secret
metadata:
name: issuer-token-lmzpj
annotations:
kubernetes.io/service-account.name: issuer
type: kubernetes.io/service-account-token
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
\ No newline at end of file
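Review bot: the file that starts with `-----BEGIN RSA PRIVATE KEY-----` is a private key committed to the repository; whatever it belongs to (issuer key, ACME account key or otherwise) must be treated as compromised, rotated, and the file removed from history rather than just deleted in a later commit, with a `.gitignore` rule for `*.pem` and `*.key` to prevent a repeat. Separately, the `issuer-token-lmzpj` Secret here is a `kubernetes.io/service-account-token` for the `issuer` service account, and the same name is used as `privateKeySecretRef` in the ClusterIssuer added in this commit; two controllers writing to one Secret name will clobber each other, so rename one of them.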
apiVersion: v1
kind: ConfigMap
metadata:
name: nginx-configmap
namespace: default
data:
index.html: |
<html>
<h1> Bienvenue sur l'intranet de CHEPIA </h1>
<h3> Certificats gratos !! </h3>
</html>
\ No newline at end of file
apiVersion: v1
kind: Service
metadata:
name: nginx
spec:
ports:
- port: 443
targetPort: 80
protocol: TCP
selector:
app: nginx
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: nginx
annotations:
cert-manager.io/cluster-issuer: chepia-ch
spec:
ingressClassName: nginx
tls:
- hosts:
- chepia.ch
secretName: tls-secret
rules:
- http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: nginx
port:
number: 80
\ No newline at end of file
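Review bot: the Ingress backend will not route: `backend.service.port.number: 80` names a port the `nginx` Service does not expose (it only defines `port: 443` with `targetPort: 80`). Either set the Service `port` to 80 or point the Ingress at 443; since the pod speaks plain HTTP on 80 and TLS is terminated by the ingress controller, the simpler fix is `port: 80` on the Service. Also, `tls.hosts` lists `chepia.ch` while every Certificate in this commit requests `www.chepia.ch`, and the rule has no `host`, so the TLS SNI host and the certificate name will not line up; use the same name in both places and add `host: www.chepia.ch` to the rule.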
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx
labels:
app: nginx
spec:
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:latest
ports:
- containerPort: 80
volumeMounts:
- name: nginx-index
mountPath: /usr/share/nginx/index.html
subPath: index.html
volumes:
- name: nginx-index
configMap:
name: nginx-configmap
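Review bot: `mountPath: /usr/share/nginx/index.html` mounts the ConfigMap entry outside nginx's document root (`/usr/share/nginx/html`), so the container keeps serving the stock welcome page; change it to `/usr/share/nginx/html/index.html` (the README copy of this Deployment has the same path). Style: `image: nginx:latest` is unpinned; pin a tag or digest so the intranet page does not change underneath a Vault-signed certificate rollout.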
#!/bin/bash
set -euxo pipefail
vault secrets enable pki
vault secrets tune -max-lease-ttl=87600h pki
vault write -field=certificate pki/root/generate/internal \
common_name="chepia" \
issuer_name="root" \
ttl=87600h > root_ca.crt
vault write pki/config/cluster \
path=http://10.1.1.100:8200/v1/pki \
aia_path=http://10.1.1.100:8200/v1/pki
vault write pki/roles/2023-servers \
allow_any_name=true \
no_store=false
vault write pki/config/urls \
issuing_certificates={{cluster_aia_path}}/issuer/{{issuer_id}}/der \
crl_distribution_points={{cluster_aia_path}}/issuer/{{issuer_id}}/crl/der \
ocsp_servers={{cluster_path}}/ocsp \
enable_templating=true
vault secrets enable -path=pki_int pki
vault secrets tune -max-lease-ttl=43800h pki_int
vault write -format=json pki_int/intermediate/generate/internal \
common_name="chepia Intermediate Authority" \
issuer_name="chepia-intermediate" \
| jq -r '.data.csr' > pki_intermediate.csr
vault write -format=json pki/root/sign-intermediate \
issuer_ref="root" \
csr=@pki_intermediate.csr \
format=pem_bundle ttl="43800h" \
| jq -r '.data.certificate' > intermediate.cert.pem
vault write pki_int/intermediate/set-signed certificate=@intermediate.cert.pem
vault write pki_int/config/cluster \
path=http://10.1.1.100:8200/v1/pki_int \
aia_path=http://10.1.1.100:8200/v1/pki_int
vault write pki_int/roles/learn \
issuer_ref="$(vault read -field=default pki_int/config/issuers)" \
allow_any_name=true \
max_ttl="720h" \
no_store=false
vault write pki_int/config/urls \
issuing_certificates={{cluster_aia_path}}/issuer/{{issuer_id}}/der \
crl_distribution_points={{cluster_aia_path}}/issuer/{{issuer_id}}/crl/der \
ocsp_servers={{cluster_path}}/ocsp \
enable_templating=true
\ No newline at end of file
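Review bot: both roles created here, `pki/roles/2023-servers` and `pki_int/roles/learn`, set `allow_any_name=true`, which lets any client with permission on the role obtain a certificate for any hostname; restrict them with `allowed_domains="chepia.ch"` plus `allow_subdomains=true` (and `allow_bare_domains` only if needed), and avoid defining an issuing role on the root mount at all since the root should only sign the intermediate. The `path`/`aia_path` values hard-code `http://10.1.1.100:8200`, which differs from the `10.152.183.192` address used by the ClusterIssuer in this commit; AIA and CRL URLs get baked into issued certificates, so parametrise `VAULT_ADDR` once at the top of the script (`set -euxo pipefail` is already there, so an unset variable would fail fast) and use an HTTPS URL that clients can actually reach.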
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
\ No newline at end of file
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: vault-issuer
namespace: default
spec:
vault:
server: http://vault.default:8200
path: pki_int/sign/chepia-dot-ch
auth:
kubernetes:
mountPath: /v1/auth/kubernetes
role: issuer
secretRef:
name: issuer-token-lmzpj
key: token
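Review bot: `path: pki_int/sign/chepia-dot-ch` references a role named `chepia-dot-ch`, but the setup script in this commit only creates `pki_int/roles/learn`, and the README step "Create a role" is still a placeholder (`ADD GUI STEPS`); either add the role to the script or change this path, otherwise cert-manager will report an unknown role on every sign request. As with the ClusterIssuer, `server: http://vault.default:8200` is plain HTTP; the Kubernetes auth token in `issuer-token-lmzpj` is sent on every request, so this should be an HTTPS address with `caBundle` set.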