Diffstat (limited to 'f3s/cert-manager/README.md')
| -rw-r--r-- | f3s/cert-manager/README.md | 93 |
1 files changed, 93 insertions, 0 deletions
diff --git a/f3s/cert-manager/README.md b/f3s/cert-manager/README.md new file mode 100644 index 0000000..7ca1a63 --- /dev/null +++ b/f3s/cert-manager/README.md 
@@ -0,0 +1,93 @@ +# cert-manager for f3s LAN TLS + +This directory contains cert-manager configuration for providing self-signed TLS certificates for LAN access to f3s services via `*.f3s.lan.buetow.org`. + +## Overview + +- **Purpose**: Provide TLS certificates for LAN ingresses +- **Certificate Type**: Self-signed (via self-signed ClusterIssuer) +- **Wildcard Cert**: `*.f3s.lan.buetow.org` +- **Used by**: FreeBSD relayd on CARP VIP (192.168.1.138) + +## Components + +1. **cert-manager.yaml** - Official cert-manager installation (v1.14.4) +2. **self-signed-issuer.yaml** - ClusterIssuer for self-signed certificates +3. **ca-certificate.yaml** - CA certificate for signing +4. **wildcard-certificate.yaml** - Wildcard certificate for `*.f3s.lan.buetow.org` + +## Deployment + +Deployed via ArgoCD from `argocd-apps/infra/cert-manager.yaml`. + +Manual deployment: +```bash +just install +``` + +## Exporting Certificates for relayd + +After cert-manager creates the wildcard certificate, export it for use by FreeBSD relayd: + +```bash +# Export from k3s +kubectl get secret f3s-lan-tls -n cert-manager -o jsonpath='{.data.tls\.crt}' | base64 -d > /tmp/f3s-lan-cert.pem +kubectl get secret f3s-lan-tls -n cert-manager -o jsonpath='{.data.tls\.key}' | base64 -d > /tmp/f3s-lan-key.pem + +# Copy to FreeBSD hosts +scp /tmp/f3s-lan-cert.pem paul@f0:/tmp/ +scp /tmp/f3s-lan-key.pem paul@f0:/tmp/ +scp /tmp/f3s-lan-cert.pem paul@f1:/tmp/ +scp /tmp/f3s-lan-key.pem paul@f1:/tmp/ + +# On f0 and f1 +doas mkdir -p /usr/local/etc/ssl/relayd +doas mv /tmp/f3s-lan-cert.pem /usr/local/etc/ssl/relayd/f3s.lan.buetow.org.crt +doas mv /tmp/f3s-lan-key.pem /usr/local/etc/ssl/relayd/f3s.lan.buetow.org.key +doas chmod 600 /usr/local/etc/ssl/relayd/* +doas chown root:wheel /usr/local/etc/ssl/relayd/* +doas service relayd reload +``` + +## Trusting the CA Certificate + +To avoid browser warnings, clients must trust the self-signed CA: + +### Export CA Certificate + +```bash +kubectl get secret 
selfsigned-ca-secret -n cert-manager -o jsonpath='{.data.ca\.crt}' | base64 -d > f3s-lan-ca.crt +``` + +### Install on Clients + +**Linux (Fedora/Debian/Ubuntu):** +```bash +sudo cp f3s-lan-ca.crt /usr/local/share/ca-certificates/f3s-lan-ca.crt +sudo update-ca-certificates +``` + +**macOS:** +```bash +sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain f3s-lan-ca.crt +``` + +**Windows:** +- Double-click `f3s-lan-ca.crt` +- Install to "Trusted Root Certification Authorities" + +**Android:** +- Settings → Security → Encryption & credentials → Install a certificate → CA certificate + +**iOS:** +- AirDrop the certificate or email it +- Settings → General → VPN & Device Management → Install Profile + +## Certificate Renewal + +Self-signed certificates are valid for 90 days by default. cert-manager automatically renews them before expiration. After renewal, re-export and deploy to relayd. + +## See Also + +- [cert-manager documentation](https://cert-manager.io/docs/) +- [Self-signed certificates](https://cert-manager.io/docs/configuration/selfsigned/) |
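Review bot: the "Exporting Certificates for relayd" steps write the wildcard private key to `/tmp` on the admin host and again to `/tmp` on f0 and f1 before the `doas chmod 600` runs, so the key sits in a shared, world-readable directory on three machines with whatever the default umask allows, and the local `/tmp/f3s-lan-key.pem` copy is never removed. Suggest putting `umask 077` before the `kubectl get secret f3s-lan-tls -n cert-manager -o jsonpath='{.data.tls\.key}' | base64 -d > /tmp/f3s-lan-key.pem` line (or piping the key over ssh straight into `doas tee` in `/usr/local/etc/ssl/relayd/`), and ending with removal of the `/tmp` copies on all three hosts. Two smaller points in the same hunk: the client install step is labelled "Linux (Fedora/Debian/Ubuntu)" but `/usr/local/share/ca-certificates/` plus `update-ca-certificates` is the Debian/Ubuntu mechanism only, Fedora/RHEL expect the file under `/etc/pki/ca-trust/source/anchors/` followed by `sudo update-ca-trust`; and the "Certificate Renewal" paragraph documents that relayd needs a manual re-export after each renewal without saying how the operator notices a renewal, so relayd keeps serving the old certificate until it expires unless the check is scripted. It is worth adding an expiry check such as `openssl x509 -enddate -noout -in /usr/local/etc/ssl/relayd/f3s.lan.buetow.org.crt` on f0 and f1, or a note that the export should be run on a schedule shorter than the 90-day validity.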
