# Justfile for cert-manager
# Applies the cert-manager manifest and blocks until its three deployments
# (controller, webhook, cainjector) report Available. It then creates the
# self-signed issuer, the CA certificate and the wildcard certificate, waiting
# for each certificate to report Ready before moving on.
# NOTE(review): the fixed `sleep 10` presumably gives cert-manager time to start
# processing the new Certificate before `kubectl wait` runs; confirm it is needed.
#
# Install cert-manager
install:
    kubectl apply --filename cert-manager.yaml
    @echo "Waiting for cert-manager to be ready..."
    kubectl wait --namespace cert-manager --for=condition=Available --timeout=300s deployment/cert-manager
    kubectl wait --namespace cert-manager --for=condition=Available --timeout=300s deployment/cert-manager-webhook
    kubectl wait --namespace cert-manager --for=condition=Available --timeout=300s deployment/cert-manager-cainjector
    kubectl apply --filename self-signed-issuer.yaml
    kubectl apply --filename ca-certificate.yaml
    @echo "Waiting for CA certificate to be ready..."
    sleep 10
    kubectl wait --namespace cert-manager --for=condition=Ready --timeout=120s certificate/selfsigned-ca
    kubectl apply --filename wildcard-certificate.yaml
    @echo "Waiting for wildcard certificate to be ready..."
    kubectl wait --namespace cert-manager --for=condition=Ready --timeout=120s certificate/f3s-lan-wildcard
    @echo ""
    @echo "cert-manager installation complete!"
    @echo "Run 'just export-certs' to export certificates for relayd"
# Re-applies the same four manifests as `install`, in the same order, but does
# not wait for deployments or certificates to become ready.
#
# Upgrade cert-manager
upgrade:
    kubectl apply --filename cert-manager.yaml
    kubectl apply --filename self-signed-issuer.yaml
    kubectl apply --filename ca-certificate.yaml
    kubectl apply --filename wildcard-certificate.yaml
# Deletes the manifests in the reverse of the install order: certificates first,
# then the issuer, then cert-manager itself. `--ignore-not-found` keeps the
# recipe going when a resource is already gone.
# NOTE(review): whether the issued Secrets (private keys) are removed along with
# the Certificate objects is not visible here; check for leftovers afterwards.
#
# Uninstall cert-manager
uninstall:
    kubectl delete --filename wildcard-certificate.yaml --ignore-not-found
    kubectl delete --filename ca-certificate.yaml --ignore-not-found
    kubectl delete --filename self-signed-issuer.yaml --ignore-not-found
    kubectl delete --filename cert-manager.yaml --ignore-not-found
# Read-only overview: lists the ClusterIssuers, then lists and describes every
# Certificate in the cert-manager namespace.
#
# Check certificate status
status:
    @echo "=== ClusterIssuers ==="
    kubectl get clusterissuer
    @echo ""
    @echo "=== Certificates ==="
    kubectl get certificate --namespace cert-manager
    @echo ""
    @echo "=== Certificate Details ==="
    kubectl describe certificate --namespace cert-manager
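# Export certificates for relayd
export-certs:
    #!/bin/bash
    # Writes the certificate and the PRIVATE KEY from secret f3s-lan-tls to
    # fixed paths under /tmp and prints scp hints for the FreeBSD hosts.
    #
    # -o pipefail: with plain `set -e` a failing `kubectl get` is hidden by the
    # exit status of `base64 -d`, leaving an empty file and a success message.
    set -euo pipefail
    # /tmp is shared with other local users: create the files mode 0600 so the
    # private key is not readable by anyone but the invoking user.
    umask 077
    cert=/tmp/f3s-lan-cert.pem
    key=/tmp/f3s-lan-key.pem
    # Drop any earlier export so stale, looser permissions do not survive, then
    # refuse to write through a path that reappears before the redirect opens it
    # (the names are predictable, so another user could pre-create them).
    rm -f "$cert" "$key"
    set -o noclobber
    echo "Exporting certificates..."
    kubectl get secret f3s-lan-tls -n cert-manager -o jsonpath='{.data.tls\.crt}' | base64 -d > "$cert"
    kubectl get secret f3s-lan-tls -n cert-manager -o jsonpath='{.data.tls\.key}' | base64 -d > "$key"
    # A missing key in the secret yields empty output with exit status 0.
    for f in "$cert" "$key"; do
        if [ ! -s "$f" ]; then
            echo "Error: $f is empty; check secret f3s-lan-tls in namespace cert-manager" >&2
            exit 1
        fi
    done
    echo "Certificates exported to /tmp/f3s-lan-cert.pem and /tmp/f3s-lan-key.pem"
    echo ""
    # The hints below also land the key in /tmp on the remote hosts; move it to
    # its final root-only location there and delete both /tmp copies afterwards.
    echo "Copy to FreeBSD hosts with:"
    echo " scp /tmp/f3s-lan-*.pem paul@f0:/tmp/"
    echo " scp /tmp/f3s-lan-*.pem paul@f1:/tmp/"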
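# Export CA certificate for client trust
export-ca:
    #!/bin/bash
    # Writes only the public CA certificate (ca.crt) from selfsigned-ca-secret to
    # /tmp/f3s-lan-ca.crt; the CA private key is not read by this recipe.
    #
    # -o pipefail: with plain `set -e` a failing `kubectl get` is hidden by the
    # exit status of `base64 -d`, leaving an empty file and a success message.
    set -euo pipefail
    ca=/tmp/f3s-lan-ca.crt
    echo "Exporting CA certificate..."
    kubectl get secret selfsigned-ca-secret -n cert-manager -o jsonpath='{.data.ca\.crt}' | base64 -d > "$ca"
    # A missing ca.crt entry yields empty output with exit status 0.
    if [ ! -s "$ca" ]; then
        echo "Error: $ca is empty; check secret selfsigned-ca-secret in namespace cert-manager" >&2
        exit 1
    fi
    echo "CA certificate exported to /tmp/f3s-lan-ca.crt"
    echo ""
    # Clients will trust anything this CA signs, and /tmp is writable by other
    # local users: verify the file's fingerprint before distributing it.
    echo "Install on clients to trust self-signed certificates."
    echo "See README.md for platform-specific instructions."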
# Deletes the f3s-lan-wildcard Certificate object, re-applies its manifest and
# waits up to 120s for it to report Ready. The delete has no
# `--ignore-not-found`, so the recipe stops if the Certificate does not exist.
# NOTE(review): deleting the Certificate object may leave its Secret (and the
# existing key pair) in place; confirm that a new certificate is actually issued,
# e.g. by comparing the expiry date before and after.
#
# Renew wildcard certificate (force renewal)
renew:
    kubectl delete certificate f3s-lan-wildcard --namespace cert-manager
    kubectl apply --filename wildcard-certificate.yaml
    @echo "Waiting for certificate to be ready..."
    kubectl wait --namespace cert-manager --for=condition=Ready --timeout=120s certificate/f3s-lan-wildcard
    @echo "Certificate renewed. Run 'just export-certs' to update relayd."