blob: 7ca1a63397b7a3a4be690a036cac049ec1d6f5a0 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
|
# cert-manager for f3s LAN TLS
This directory contains cert-manager configuration for providing self-signed TLS certificates for LAN access to f3s services via `*.f3s.lan.buetow.org`.
## Overview
- **Purpose**: Provide TLS certificates for LAN ingresses
- **Certificate Type**: Self-signed (via self-signed ClusterIssuer)
- **Wildcard Cert**: `*.f3s.lan.buetow.org`
- **Used by**: FreeBSD relayd on CARP VIP (192.168.1.138)
## Components
1. **cert-manager.yaml** - Official cert-manager installation (v1.14.4)
2. **self-signed-issuer.yaml** - ClusterIssuer for self-signed certificates
3. **ca-certificate.yaml** - CA certificate for signing
4. **wildcard-certificate.yaml** - Wildcard certificate for `*.f3s.lan.buetow.org`
## Deployment
Deployed via ArgoCD from `argocd-apps/infra/cert-manager.yaml`.
Manual deployment:
```bash
just install
```
## Exporting Certificates for relayd
After cert-manager creates the wildcard certificate, export it for use by FreeBSD relayd:
```bash
# Export from k3s
kubectl get secret f3s-lan-tls -n cert-manager -o jsonpath='{.data.tls\.crt}' | base64 -d > /tmp/f3s-lan-cert.pem
kubectl get secret f3s-lan-tls -n cert-manager -o jsonpath='{.data.tls\.key}' | base64 -d > /tmp/f3s-lan-key.pem
# Copy to FreeBSD hosts
scp /tmp/f3s-lan-cert.pem paul@f0:/tmp/
scp /tmp/f3s-lan-key.pem paul@f0:/tmp/
scp /tmp/f3s-lan-cert.pem paul@f1:/tmp/
scp /tmp/f3s-lan-key.pem paul@f1:/tmp/
# On f0 and f1
doas mkdir -p /usr/local/etc/ssl/relayd
doas mv /tmp/f3s-lan-cert.pem /usr/local/etc/ssl/relayd/f3s.lan.buetow.org.crt
doas mv /tmp/f3s-lan-key.pem /usr/local/etc/ssl/relayd/f3s.lan.buetow.org.key
doas chmod 600 /usr/local/etc/ssl/relayd/*
doas chown root:wheel /usr/local/etc/ssl/relayd/*
doas service relayd reload
```
## Trusting the CA Certificate
To avoid browser warnings, clients must trust the self-signed CA:
### Export CA Certificate
```bash
kubectl get secret selfsigned-ca-secret -n cert-manager -o jsonpath='{.data.ca\.crt}' | base64 -d > f3s-lan-ca.crt
```
### Install on Clients
**Linux (Fedora/Debian/Ubuntu):**
```bash
sudo cp f3s-lan-ca.crt /usr/local/share/ca-certificates/f3s-lan-ca.crt
sudo update-ca-certificates
```
**macOS:**
```bash
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain f3s-lan-ca.crt
```
**Windows:**
- Double-click `f3s-lan-ca.crt`
- Install to "Trusted Root Certification Authorities"
**Android:**
- Settings → Security → Encryption & credentials → Install a certificate → CA certificate
**iOS:**
- AirDrop the certificate or email it
- Settings → General → VPN & Device Management → Install Profile
## Certificate Renewal
Self-signed certificates are valid for 90 days by default. cert-manager automatically renews them before expiration. After renewal, re-export and deploy to relayd.
## See Also
- [cert-manager documentation](https://cert-manager.io/docs/)
- [Self-signed certificates](https://cert-manager.io/docs/configuration/selfsigned/)
|
