diff --git a/Documentation/helm-values.rst b/Documentation/helm-values.rst
index 9f967c594dc2..c544d821f407 100644
--- a/Documentation/helm-values.rst
+++ b/Documentation/helm-values.rst
@@ -365,7 +365,7 @@
 - object
 - ``{"certManagerIssuerRef":{},"certValidityDuration":1095,"enabled":true,"method":"helm"}``
 * - clustermesh.apiserver.tls.auto.certManagerIssuerRef
- - certmanager issuer used when clustermesh.apiserver.tls.auto.method=certmanager. If not specified, a CA issuer will be created.
+ - certmanager issuer used when clustermesh.apiserver.tls.auto.method=certmanager.
 - object
 - ``{}``
 * - clustermesh.apiserver.tls.auto.certValidityDuration
@@ -1181,7 +1181,7 @@
 - object
 - ``{"certManagerIssuerRef":{},"certValidityDuration":1095,"enabled":true,"method":"helm","schedule":"0 0 1 */4 *"}``
 * - hubble.tls.auto.certManagerIssuerRef
- - certmanager issuer used when hubble.tls.auto.method=certmanager. If not specified, a CA issuer will be created.
+ - certmanager issuer used when hubble.tls.auto.method=certmanager.
 - object
 - ``{}``
 * - hubble.tls.auto.certValidityDuration
diff --git a/install/kubernetes/cilium/README.md b/install/kubernetes/cilium/README.md
index 1aa6531c6758..99209dd5bea7 100644
--- a/install/kubernetes/cilium/README.md
+++ b/install/kubernetes/cilium/README.md
@@ -141,7 +141,7 @@ contributors across the globe, there is almost always someone available to help.
 | clustermesh.apiserver.tls.admin | object | `{"cert":"","key":""}` | base64 encoded PEM values for the clustermesh-apiserver admin certificate and private key. Used if 'auto' is not enabled. |
 | clustermesh.apiserver.tls.authMode | string | `"legacy"` | Configure the clustermesh authentication mode. Supported values: - legacy: All clusters access remote clustermesh instances with the same username (i.e., remote). The "remote" certificate must be generated with CN=remote if provided manually. - migration: Intermediate mode required to upgrade from legacy to cluster (and vice versa) with no disruption. Specifically, it enables the creation of the per-cluster usernames, while still using the common one for authentication. The "remote" certificate must be generated with CN=remote if provided manually (same as legacy). - cluster: Each cluster accesses remote etcd instances with a username depending on the local cluster name (i.e., remote-). The "remote" certificate must be generated with CN=remote- if provided manually. Cluster mode is meaningful only when the same CA is shared across all clusters part of the mesh. |
 | clustermesh.apiserver.tls.auto | object | `{"certManagerIssuerRef":{},"certValidityDuration":1095,"enabled":true,"method":"helm"}` | Configure automatic TLS certificates generation. A Kubernetes CronJob is used the generate any certificates not provided by the user at installation time. |
-| clustermesh.apiserver.tls.auto.certManagerIssuerRef | object | `{}` | certmanager issuer used when clustermesh.apiserver.tls.auto.method=certmanager. If not specified, a CA issuer will be created. |
+| clustermesh.apiserver.tls.auto.certManagerIssuerRef | object | `{}` | certmanager issuer used when clustermesh.apiserver.tls.auto.method=certmanager. |
 | clustermesh.apiserver.tls.auto.certValidityDuration | int | `1095` | Generated certificates validity duration in days. |
 | clustermesh.apiserver.tls.auto.enabled | bool | `true` | When set to true, automatically generate a CA and certificates to enable mTLS between clustermesh-apiserver and external workload instances. If set to false, the certs to be provided by setting appropriate values below. |
 | clustermesh.apiserver.tls.ca | object | `{"cert":"","key":""}` | base64 encoded PEM values for the ExternalWorkload CA certificate and private key. |
@@ -345,7 +345,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.socketPath | string | `"/var/run/cilium/hubble.sock"` | Unix domain socket path to listen to when Hubble is enabled. |
 | hubble.tls | object | `{"auto":{"certManagerIssuerRef":{},"certValidityDuration":1095,"enabled":true,"method":"helm","schedule":"0 0 1 */4 *"},"ca":{"cert":"","key":""},"enabled":true,"server":{"cert":"","extraDnsNames":[],"extraIpAddresses":[],"key":""}}` | TLS configuration for Hubble |
 | hubble.tls.auto | object | `{"certManagerIssuerRef":{},"certValidityDuration":1095,"enabled":true,"method":"helm","schedule":"0 0 1 */4 *"}` | Configure automatic TLS certificates generation. |
-| hubble.tls.auto.certManagerIssuerRef | object | `{}` | certmanager issuer used when hubble.tls.auto.method=certmanager. If not specified, a CA issuer will be created. |
+| hubble.tls.auto.certManagerIssuerRef | object | `{}` | certmanager issuer used when hubble.tls.auto.method=certmanager. |
 | hubble.tls.auto.certValidityDuration | int | `1095` | Generated certificates validity duration in days. |
 | hubble.tls.auto.enabled | bool | `true` | Auto-generate certificates. When set to true, automatically generate a CA and certificates to enable mTLS between Hubble server and Hubble Relay instances. If set to false, the certs for Hubble server need to be provided by setting appropriate values below. |
 | hubble.tls.auto.method | string | `"helm"` | Set the method to auto-generate certificates. Supported values: - helm: This method uses Helm to generate all certificates. - cronJob: This method uses a Kubernetes CronJob the generate any certificates not provided by the user at installation time. - certmanager: This method use cert-manager to generate & rotate certificates. |
diff --git a/install/kubernetes/cilium/templates/clustermesh-apiserver/tls-certmanager/_helpers.tpl b/install/kubernetes/cilium/templates/clustermesh-apiserver/tls-certmanager/_helpers.tpl
deleted file mode 100644
index 782f252ecd55..000000000000
--- a/install/kubernetes/cilium/templates/clustermesh-apiserver/tls-certmanager/_helpers.tpl
+++ /dev/null
@@ -1,9 +0,0 @@
-{{- define "clustermesh-apiserver-generate-certs.certmanager.issuer" }}
-{{- if .Values.clustermesh.apiserver.tls.auto.certManagerIssuerRef }}
- {{- toYaml .Values.clustermesh.apiserver.tls.auto.certManagerIssuerRef }}
-{{- else }}
- group: cert-manager.io
- kind: Issuer
- name: clustermesh-apiserver-issuer
-{{- end }}
-{{- end }}
diff --git a/install/kubernetes/cilium/templates/clustermesh-apiserver/tls-certmanager/admin-secret.yaml b/install/kubernetes/cilium/templates/clustermesh-apiserver/tls-certmanager/admin-secret.yaml
index 9665a59a054a..3bc84ae1dccd 100644
--- a/install/kubernetes/cilium/templates/clustermesh-apiserver/tls-certmanager/admin-secret.yaml
+++ b/install/kubernetes/cilium/templates/clustermesh-apiserver/tls-certmanager/admin-secret.yaml
@@ -7,7 +7,7 @@ metadata:
 namespace: {{ .Release.Namespace }}
 spec:
 issuerRef:
- {{- include "clustermesh-apiserver-generate-certs.certmanager.issuer" . | nindent 4 }}
+ {{- toYaml .Values.clustermesh.apiserver.tls.auto.certManagerIssuerRef | nindent 4 }}
 secretName: clustermesh-apiserver-admin-cert
 commonName: {{ include "clustermesh-apiserver-generate-certs.admin-common-name" . }}
 dnsNames:
diff --git a/install/kubernetes/cilium/templates/clustermesh-apiserver/tls-certmanager/client-secret.yaml b/install/kubernetes/cilium/templates/clustermesh-apiserver/tls-certmanager/client-secret.yaml
index c56ffdef3954..3c2cf6431e50 100644
--- a/install/kubernetes/cilium/templates/clustermesh-apiserver/tls-certmanager/client-secret.yaml
+++ b/install/kubernetes/cilium/templates/clustermesh-apiserver/tls-certmanager/client-secret.yaml
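Review bot: With the fallback helper deleted, the chart default `certManagerIssuerRef: {}` now renders as `issuerRef: {}` on the admin-secret Certificate, and nothing fails at template time when `clustermesh.apiserver.tls.auto.method=certmanager` is set without an issuer; cert-manager's Certificate CRD requires `issuerRef.name`, so as far as I can tell the misconfiguration only surfaces as a rejected Certificate after install. The deleted helper already relied on the empty map being falsy, so the same test can guard the template at the top of the file: `{{- if not .Values.clustermesh.apiserver.tls.auto.certManagerIssuerRef }}` / `{{- fail "clustermesh.apiserver.tls.auto.certManagerIssuerRef must be set when clustermesh.apiserver.tls.auto.method=certmanager" }}` / `{{- end }}`. Helm's `required` alone would likely not catch this, since it accepts an empty map. The same applies to the client-secret, remote-secret and server-secret hunks, and to the hubble relay-client-secret, relay-server-secret, server-secret and ui-client-certs hunks with `hubble.tls.auto.certManagerIssuerRef`. The values.yaml comments for both keys should also state that the issuer is now mandatory when `method=certmanager`, since the removed sentence was the only description of the unset behaviour.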
@@ -7,7 +7,7 @@ metadata: namespace: {{ .Release.Namespace }} spec: issuerRef: - {{- include "clustermesh-apiserver-generate-certs.certmanager.issuer" . | nindent 4 }} + {{- toYaml .Values.clustermesh.apiserver.tls.auto.certManagerIssuerRef | nindent 4 }} secretName: clustermesh-apiserver-client-cert commonName: externalworkload duration: {{ printf "%dh0m0s" (mul .Values.clustermesh.apiserver.tls.auto.certValidityDuration 24) }} diff --git a/install/kubernetes/cilium/templates/clustermesh-apiserver/tls-certmanager/clustermesh-apiserver-issuer.yaml b/install/kubernetes/cilium/templates/clustermesh-apiserver/tls-certmanager/clustermesh-apiserver-issuer.yaml deleted file mode 100644 index 5a8fa6a324cf..000000000000 --- a/install/kubernetes/cilium/templates/clustermesh-apiserver/tls-certmanager/clustermesh-apiserver-issuer.yaml +++ /dev/null @@ -1,21 +0,0 @@ -{{- if and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) .Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "certmanager") (not .Values.clustermesh.apiserver.tls.auto.certManagerIssuerRef) }} -{{- $_ := include "clustermesh-apiserver-generate-certs.helm.setup-ca" . -}} ---- -apiVersion: v1 -kind: Secret -metadata: - name: clustermesh-apiserver-ca-cert - namespace: {{ .Release.Namespace }} -data: - ca.crt: {{ .cmca.Cert | b64enc }} - ca.key: {{ .cmca.Key | b64enc }} ---- -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - name: clustermesh-apiserver-issuer - namespace: {{ .Release.Namespace }} -spec: - ca: - secretName: clustermesh-apiserver-ca-cert -{{- end }} diff --git a/install/kubernetes/cilium/templates/clustermesh-apiserver/tls-certmanager/remote-secret.yaml b/install/kubernetes/cilium/templates/clustermesh-apiserver/tls-certmanager/remote-secret.yaml index a601387be26a..0a5e42e2904c 100644 --- a/install/kubernetes/cilium/templates/clustermesh-apiserver/tls-certmanager/remote-secret.yaml 
+++ b/install/kubernetes/cilium/templates/clustermesh-apiserver/tls-certmanager/remote-secret.yaml
@@ -7,7 +7,7 @@ metadata:
 namespace: {{ .Release.Namespace }}
 spec:
 issuerRef:
- {{- include "clustermesh-apiserver-generate-certs.certmanager.issuer" . | nindent 4 }}
+ {{- toYaml .Values.clustermesh.apiserver.tls.auto.certManagerIssuerRef | nindent 4 }}
 secretName: clustermesh-apiserver-remote-cert
 commonName: {{ include "clustermesh-apiserver-generate-certs.remote-common-name" . }}
 duration: {{ printf "%dh0m0s" (mul .Values.clustermesh.apiserver.tls.auto.certValidityDuration 24) }}
diff --git a/install/kubernetes/cilium/templates/clustermesh-apiserver/tls-certmanager/server-secret.yaml b/install/kubernetes/cilium/templates/clustermesh-apiserver/tls-certmanager/server-secret.yaml
index 00aa9baf736d..909947744c87 100644
--- a/install/kubernetes/cilium/templates/clustermesh-apiserver/tls-certmanager/server-secret.yaml
+++ b/install/kubernetes/cilium/templates/clustermesh-apiserver/tls-certmanager/server-secret.yaml
@@ -7,7 +7,7 @@ metadata:
 namespace: {{ .Release.Namespace }}
 spec:
 issuerRef:
- {{- include "clustermesh-apiserver-generate-certs.certmanager.issuer" . | nindent 4 }}
+ {{- toYaml .Values.clustermesh.apiserver.tls.auto.certManagerIssuerRef | nindent 4 }}
 secretName: clustermesh-apiserver-server-cert
 commonName: clustermesh-apiserver.cilium.io
 dnsNames:
diff --git a/install/kubernetes/cilium/templates/hubble/tls-certmanager/_helpers.tpl b/install/kubernetes/cilium/templates/hubble/tls-certmanager/_helpers.tpl
deleted file mode 100644
index 6b00dd5ae9b4..000000000000
--- a/install/kubernetes/cilium/templates/hubble/tls-certmanager/_helpers.tpl
+++ /dev/null
@@ -1,9 +0,0 @@
-{{- define "hubble-generate-certs.certmanager.issuer" }}
-{{- if .Values.hubble.tls.auto.certManagerIssuerRef }}
- {{- toYaml .Values.hubble.tls.auto.certManagerIssuerRef }}
-{{- else }}
- group: cert-manager.io
- kind: Issuer
- name: hubble-issuer
-{{- end }}
-{{- end }}
diff --git a/install/kubernetes/cilium/templates/hubble/tls-certmanager/hubble-issuer.yaml b/install/kubernetes/cilium/templates/hubble/tls-certmanager/hubble-issuer.yaml deleted file mode 100644 index 8b60b1afb14b..000000000000 --- a/install/kubernetes/cilium/templates/hubble/tls-certmanager/hubble-issuer.yaml +++ /dev/null @@ -1,21 +0,0 @@ -{{- if and (or .Values.agent .Values.hubble.relay.enabled .Values.hubble.ui.enabled) .Values.hubble.enabled .Values.hubble.tls.enabled .Values.hubble.tls.auto.enabled (eq .Values.hubble.tls.auto.method "certmanager") (not .Values.hubble.tls.auto.certManagerIssuerRef) }} -{{- $_ := include "hubble-generate-certs.helm.setup-ca" . -}} ---- -apiVersion: v1 -kind: Secret -metadata: - name: hubble-ca-secret - namespace: {{ .Release.Namespace }} -data: - ca.crt: {{ .ca.Cert | b64enc }} - ca.key: {{ .ca.Key | b64enc }} ---- -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - name: hubble-issuer - namespace: {{ .Release.Namespace }} -spec: - ca: - secretName: hubble-ca-secret -{{- end }} diff --git a/install/kubernetes/cilium/templates/hubble/tls-certmanager/relay-client-secret.yaml b/install/kubernetes/cilium/templates/hubble/tls-certmanager/relay-client-secret.yaml index 1aa9b95d4e58..58d173700ff7 100644 --- a/install/kubernetes/cilium/templates/hubble/tls-certmanager/relay-client-secret.yaml +++ b/install/kubernetes/cilium/templates/hubble/tls-certmanager/relay-client-secret.yaml @@ -7,7 +7,7 @@ metadata: namespace: {{ .Release.Namespace }} spec: issuerRef: - {{- include "hubble-generate-certs.certmanager.issuer" . | nindent 4 }} + {{- toYaml .Values.hubble.tls.auto.certManagerIssuerRef | nindent 4 }} secretName: hubble-relay-client-certs commonName: "*.hubble-relay.cilium.io" dnsNames: diff --git a/install/kubernetes/cilium/templates/hubble/tls-certmanager/relay-server-secret.yaml b/install/kubernetes/cilium/templates/hubble/tls-certmanager/relay-server-secret.yaml index 83df06f5add5..b8e9fdee4f72 100644 
--- a/install/kubernetes/cilium/templates/hubble/tls-certmanager/relay-server-secret.yaml
+++ b/install/kubernetes/cilium/templates/hubble/tls-certmanager/relay-server-secret.yaml
@@ -7,7 +7,7 @@ metadata:
 namespace: {{ .Release.Namespace }}
 spec:
 issuerRef:
- {{- include "hubble-generate-certs.certmanager.issuer" . | nindent 4 }}
+ {{- toYaml .Values.hubble.tls.auto.certManagerIssuerRef | nindent 4 }}
 secretName: hubble-relay-server-certs
 commonName: "*.hubble-relay.cilium.io"
 dnsNames:
diff --git a/install/kubernetes/cilium/templates/hubble/tls-certmanager/server-secret.yaml b/install/kubernetes/cilium/templates/hubble/tls-certmanager/server-secret.yaml
index e9456a75f4db..3517c52c6134 100644
--- a/install/kubernetes/cilium/templates/hubble/tls-certmanager/server-secret.yaml
+++ b/install/kubernetes/cilium/templates/hubble/tls-certmanager/server-secret.yaml
@@ -8,7 +8,7 @@ metadata:
 namespace: {{ .Release.Namespace }}
 spec:
 issuerRef:
- {{- include "hubble-generate-certs.certmanager.issuer" . | nindent 4 }}
+ {{- toYaml .Values.hubble.tls.auto.certManagerIssuerRef | nindent 4 }}
 secretName: hubble-server-certs
 commonName: {{ $cn | quote }}
 dnsNames:
diff --git a/install/kubernetes/cilium/templates/hubble/tls-certmanager/ui-client-certs.yaml b/install/kubernetes/cilium/templates/hubble/tls-certmanager/ui-client-certs.yaml
index a50ddc1294a3..f2256219a144 100644
--- a/install/kubernetes/cilium/templates/hubble/tls-certmanager/ui-client-certs.yaml
+++ b/install/kubernetes/cilium/templates/hubble/tls-certmanager/ui-client-certs.yaml
@@ -7,7 +7,7 @@ metadata:
 namespace: {{ .Release.Namespace }}
 spec:
 issuerRef:
- {{- include "hubble-generate-certs.certmanager.issuer" . | nindent 4 }}
+ {{- toYaml .Values.hubble.tls.auto.certManagerIssuerRef | nindent 4 }}
 secretName: hubble-ui-client-certs
 commonName: "*.hubble-ui.cilium.io"
 dnsNames:
diff --git a/install/kubernetes/cilium/values.yaml b/install/kubernetes/cilium/values.yaml
index 3659bfa4d03d..d16c337549ce 100644
--- a/install/kubernetes/cilium/values.yaml
+++ b/install/kubernetes/cilium/values.yaml
@@ -995,7 +995,6 @@ hubble:
 # kind: ClusterIssuer
 # name: ca-issuer
 # -- certmanager issuer used when hubble.tls.auto.method=certmanager.
- # If not specified, a CA issuer will be created.
 certManagerIssuerRef: {}
 
 # -- Deprecated in favor of tls.ca. To be removed in 1.13.
@@ -2175,7 +2174,7 @@ nodeinit:
 # -- bootstrapFile is the location of the file where the bootstrap timestamp is
 # written by the node-init DaemonSet
 bootstrapFile: "/tmp/cilium-bootstrap.d/cilium-bootstrap-time"
-
+
 # -- startup offers way to customize startup nodeinit script (pre and post position)
 startup:
 preScript: ""
@@ -2541,7 +2540,6 @@ clustermesh:
 # kind: ClusterIssuer
 # name: ca-issuer
 # -- certmanager issuer used when clustermesh.apiserver.tls.auto.method=certmanager.
- # If not specified, a CA issuer will be created.
 certManagerIssuerRef: {}
 # -- base64 encoded PEM values for the ExternalWorkload CA certificate and private key.
 ca:
diff --git a/install/kubernetes/cilium/values.yaml.tmpl b/install/kubernetes/cilium/values.yaml.tmpl
index ac63028ce9af..249ae84b5944 100644
--- a/install/kubernetes/cilium/values.yaml.tmpl
+++ b/install/kubernetes/cilium/values.yaml.tmpl
@@ -992,7 +992,6 @@ hubble:
 # kind: ClusterIssuer
 # name: ca-issuer
 # -- certmanager issuer used when hubble.tls.auto.method=certmanager.
- # If not specified, a CA issuer will be created.
 certManagerIssuerRef: {}
 
 # -- Deprecated in favor of tls.ca. To be removed in 1.13.
@@ -2172,7 +2171,7 @@ nodeinit:
 # -- bootstrapFile is the location of the file where the bootstrap timestamp is
 # written by the node-init DaemonSet
 bootstrapFile: "/tmp/cilium-bootstrap.d/cilium-bootstrap-time"
-
+
 # -- startup offers way to customize startup nodeinit script (pre and post position)
 startup:
 preScript: ""
@@ -2538,7 +2537,6 @@ clustermesh:
 # kind: ClusterIssuer
 # name: ca-issuer
 # -- certmanager issuer used when clustermesh.apiserver.tls.auto.method=certmanager.
- # If not specified, a CA issuer will be created.
 certManagerIssuerRef: {}
 # -- base64 encoded PEM values for the ExternalWorkload CA certificate and private key.
 ca: