From 62f72cd3b1251c85fa19375c222a5f58de8747a5 Mon Sep 17 00:00:00 2001 From: Marco Iorio Date: Fri, 31 Mar 2023 08:57:47 +0200 Subject: [PATCH] Revert "helm: ca issuer" This reverts commit 082fa15ac8d3fcfda4fce638c8bb20243b7d3e61. Currently, in the helm chart, if the cert-manager approach is selected to generate the hubble and clustermesh certificates but no issuer is specified, a new issuer is created for each of them, along with a secret containing the CA information. Still, this approach is currently broken, since the CA secret that is created does not match the format expected by cert-manager. At the same time, this might also hide misconfigurations (e.g., if there is a typo in the issuer configuration) and possibly lead to different CAs for different components. Hence, let's just stick to the approach documented in the user guide and make it mandatory to specify the issuer when cert-manager is used. It is the users' responsibility (independently of cilium) to create the appropriate issuer in advance, according to their own preferences. 
Signed-off-by: Marco Iorio
---
 Documentation/helm-values.rst | 4 ++--
 install/kubernetes/cilium/README.md | 4 ++--
 .../tls-certmanager/_helpers.tpl | 9 --------
 .../tls-certmanager/admin-secret.yaml | 2 +-
 .../tls-certmanager/client-secret.yaml | 2 +-
 .../clustermesh-apiserver-issuer.yaml | 21 -------------------
 .../tls-certmanager/remote-secret.yaml | 2 +-
 .../tls-certmanager/server-secret.yaml | 2 +-
 .../hubble/tls-certmanager/_helpers.tpl | 9 --------
 .../hubble/tls-certmanager/hubble-issuer.yaml | 21 -------------------
 .../tls-certmanager/relay-client-secret.yaml | 2 +-
 .../tls-certmanager/relay-server-secret.yaml | 2 +-
 .../hubble/tls-certmanager/server-secret.yaml | 2 +-
 .../tls-certmanager/ui-client-certs.yaml | 2 +-
 install/kubernetes/cilium/values.yaml | 4 +---
 install/kubernetes/cilium/values.yaml.tmpl | 4 +---
 16 files changed, 14 insertions(+), 78 deletions(-)
 delete mode 100644 install/kubernetes/cilium/templates/clustermesh-apiserver/tls-certmanager/_helpers.tpl
 delete mode 100644 install/kubernetes/cilium/templates/clustermesh-apiserver/tls-certmanager/clustermesh-apiserver-issuer.yaml
 delete mode 100644 install/kubernetes/cilium/templates/hubble/tls-certmanager/_helpers.tpl
 delete mode 100644 install/kubernetes/cilium/templates/hubble/tls-certmanager/hubble-issuer.yaml

diff --git a/Documentation/helm-values.rst b/Documentation/helm-values.rst
index 9f967c594dc2b..c544d821f4070 100644
--- a/Documentation/helm-values.rst
+++ b/Documentation/helm-values.rst
@@ -365,7 +365,7 @@
 - object
 - ``{"certManagerIssuerRef":{},"certValidityDuration":1095,"enabled":true,"method":"helm"}``
 * - clustermesh.apiserver.tls.auto.certManagerIssuerRef
- - certmanager issuer used when clustermesh.apiserver.tls.auto.method=certmanager. If not specified, a CA issuer will be created.
+ - certmanager issuer used when clustermesh.apiserver.tls.auto.method=certmanager.
 - object
 - ``{}``
 * - clustermesh.apiserver.tls.auto.certValidityDuration
@@ -1181,7 +1181,7 @@
 - object
 - ``{"certManagerIssuerRef":{},"certValidityDuration":1095,"enabled":true,"method":"helm","schedule":"0 0 1 */4 *"}``
 * - hubble.tls.auto.certManagerIssuerRef
- - certmanager issuer used when hubble.tls.auto.method=certmanager. If not specified, a CA issuer will be created.
+ - certmanager issuer used when hubble.tls.auto.method=certmanager.
 - object
 - ``{}``
 * - hubble.tls.auto.certValidityDuration
diff --git a/install/kubernetes/cilium/README.md b/install/kubernetes/cilium/README.md
index 1aa6531c6758c..99209dd5bea7c 100644
--- a/install/kubernetes/cilium/README.md
+++ b/install/kubernetes/cilium/README.md
@@ -141,7 +141,7 @@ contributors across the globe, there is almost always someone available to help.
 | clustermesh.apiserver.tls.admin | object | `{"cert":"","key":""}` | base64 encoded PEM values for the clustermesh-apiserver admin certificate and private key. Used if 'auto' is not enabled. |
 | clustermesh.apiserver.tls.authMode | string | `"legacy"` | Configure the clustermesh authentication mode. Supported values: - legacy: All clusters access remote clustermesh instances with the same username (i.e., remote). The "remote" certificate must be generated with CN=remote if provided manually. - migration: Intermediate mode required to upgrade from legacy to cluster (and vice versa) with no disruption. Specifically, it enables the creation of the per-cluster usernames, while still using the common one for authentication. The "remote" certificate must be generated with CN=remote if provided manually (same as legacy). - cluster: Each cluster accesses remote etcd instances with a username depending on the local cluster name (i.e., remote-). The "remote" certificate must be generated with CN=remote- if provided manually. Cluster mode is meaningful only when the same CA is shared across all clusters part of the mesh. |
 | clustermesh.apiserver.tls.auto | object | `{"certManagerIssuerRef":{},"certValidityDuration":1095,"enabled":true,"method":"helm"}` | Configure automatic TLS certificates generation. A Kubernetes CronJob is used the generate any certificates not provided by the user at installation time. |
-| clustermesh.apiserver.tls.auto.certManagerIssuerRef | object | `{}` | certmanager issuer used when clustermesh.apiserver.tls.auto.method=certmanager. If not specified, a CA issuer will be created. |
+| clustermesh.apiserver.tls.auto.certManagerIssuerRef | object | `{}` | certmanager issuer used when clustermesh.apiserver.tls.auto.method=certmanager. |
 | clustermesh.apiserver.tls.auto.certValidityDuration | int | `1095` | Generated certificates validity duration in days. |
 | clustermesh.apiserver.tls.auto.enabled | bool | `true` | When set to true, automatically generate a CA and certificates to enable mTLS between clustermesh-apiserver and external workload instances. If set to false, the certs to be provided by setting appropriate values below. |
 | clustermesh.apiserver.tls.ca | object | `{"cert":"","key":""}` | base64 encoded PEM values for the ExternalWorkload CA certificate and private key. |
@@ -345,7 +345,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.socketPath | string | `"/var/run/cilium/hubble.sock"` | Unix domain socket path to listen to when Hubble is enabled. |
 | hubble.tls | object | `{"auto":{"certManagerIssuerRef":{},"certValidityDuration":1095,"enabled":true,"method":"helm","schedule":"0 0 1 */4 *"},"ca":{"cert":"","key":""},"enabled":true,"server":{"cert":"","extraDnsNames":[],"extraIpAddresses":[],"key":""}}` | TLS configuration for Hubble |
 | hubble.tls.auto | object | `{"certManagerIssuerRef":{},"certValidityDuration":1095,"enabled":true,"method":"helm","schedule":"0 0 1 */4 *"}` | Configure automatic TLS certificates generation. |
-| hubble.tls.auto.certManagerIssuerRef | object | `{}` | certmanager issuer used when hubble.tls.auto.method=certmanager. If not specified, a CA issuer will be created. |
+| hubble.tls.auto.certManagerIssuerRef | object | `{}` | certmanager issuer used when hubble.tls.auto.method=certmanager. |
 | hubble.tls.auto.certValidityDuration | int | `1095` | Generated certificates validity duration in days. |
 | hubble.tls.auto.enabled | bool | `true` | Auto-generate certificates. When set to true, automatically generate a CA and certificates to enable mTLS between Hubble server and Hubble Relay instances. If set to false, the certs for Hubble server need to be provided by setting appropriate values below. |
 | hubble.tls.auto.method | string | `"helm"` | Set the method to auto-generate certificates. Supported values: - helm: This method uses Helm to generate all certificates. - cronJob: This method uses a Kubernetes CronJob the generate any certificates not provided by the user at installation time. - certmanager: This method use cert-manager to generate & rotate certificates. |
diff --git a/install/kubernetes/cilium/templates/clustermesh-apiserver/tls-certmanager/_helpers.tpl b/install/kubernetes/cilium/templates/clustermesh-apiserver/tls-certmanager/_helpers.tpl
deleted file mode 100644
index 782f252ecd553..0000000000000
--- a/install/kubernetes/cilium/templates/clustermesh-apiserver/tls-certmanager/_helpers.tpl
+++ /dev/null
@@ -1,9 +0,0 @@
-{{- define "clustermesh-apiserver-generate-certs.certmanager.issuer" }}
-{{- if .Values.clustermesh.apiserver.tls.auto.certManagerIssuerRef }}
- {{- toYaml .Values.clustermesh.apiserver.tls.auto.certManagerIssuerRef }}
-{{- else }}
- group: cert-manager.io
- kind: Issuer
- name: clustermesh-apiserver-issuer
-{{- end }}
-{{- end }}
diff --git a/install/kubernetes/cilium/templates/clustermesh-apiserver/tls-certmanager/admin-secret.yaml b/install/kubernetes/cilium/templates/clustermesh-apiserver/tls-certmanager/admin-secret.yaml
index 9665a59a054a3..3bc84ae1dccd0 100644
--- a/install/kubernetes/cilium/templates/clustermesh-apiserver/tls-certmanager/admin-secret.yaml
+++ b/install/kubernetes/cilium/templates/clustermesh-apiserver/tls-certmanager/admin-secret.yaml
@@ -7,7 +7,7 @@ metadata:
 namespace: {{ .Release.Namespace }}
 spec:
 issuerRef:
- {{- include "clustermesh-apiserver-generate-certs.certmanager.issuer" . | nindent 4 }}
+ {{- toYaml .Values.clustermesh.apiserver.tls.auto.certManagerIssuerRef | nindent 4 }}
 secretName: clustermesh-apiserver-admin-cert
 commonName: {{ include "clustermesh-apiserver-generate-certs.admin-common-name" . }}
 dnsNames:
diff --git a/install/kubernetes/cilium/templates/clustermesh-apiserver/tls-certmanager/client-secret.yaml b/install/kubernetes/cilium/templates/clustermesh-apiserver/tls-certmanager/client-secret.yaml
index c56ffdef39545..3c2cf6431e50d 100644
--- a/install/kubernetes/cilium/templates/clustermesh-apiserver/tls-certmanager/client-secret.yaml
+++ b/install/kubernetes/cilium/templates/clustermesh-apiserver/tls-certmanager/client-secret.yaml
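Review bot: The added `{{- toYaml .Values.clustermesh.apiserver.tls.auto.certManagerIssuerRef | nindent 4 }}` renders `issuerRef:` followed by `{}` whenever the value keeps its `{}` default, so a release installed with `method: certmanager` and no issuer still renders, and the empty issuerRef is only rejected when the Certificate is applied, with nothing pointing the user at the value that is now mandatory. Since the commit's intent is to make the issuer mandatory, rendering should fail up front, e.g. a guard before the Certificate such as `{{- if not .Values.clustermesh.apiserver.tls.auto.certManagerIssuerRef }}{{- fail "clustermesh.apiserver.tls.auto.certManagerIssuerRef must be set when clustermesh.apiserver.tls.auto.method=certmanager" }}{{- end }}`; an empty map is falsy in Go templates, which is the same test the deleted helper relied on, whereas `required` alone accepts `{}`. The same point applies to the client-secret, remote-secret and server-secret hunks and to the hubble relay-client-secret, relay-server-secret, server-secret and ui-client-certs hunks, where the guard would test `.Values.hubble.tls.auto.certManagerIssuerRef`. Rather than repeating it in every template, a named template next to the existing `clustermesh-apiserver-generate-certs.*` / `hubble-generate-certs.*` helpers could wrap the check and the `toYaml`. The Certificate resource begins and ends outside this hunk.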
@@ -7,7 +7,7 @@ metadata:
 namespace: {{ .Release.Namespace }}
 spec:
 issuerRef:
- {{- include "clustermesh-apiserver-generate-certs.certmanager.issuer" . | nindent 4 }}
+ {{- toYaml .Values.clustermesh.apiserver.tls.auto.certManagerIssuerRef | nindent 4 }}
 secretName: clustermesh-apiserver-client-cert
 commonName: externalworkload
 duration: {{ printf "%dh0m0s" (mul .Values.clustermesh.apiserver.tls.auto.certValidityDuration 24) }}
diff --git a/install/kubernetes/cilium/templates/clustermesh-apiserver/tls-certmanager/clustermesh-apiserver-issuer.yaml b/install/kubernetes/cilium/templates/clustermesh-apiserver/tls-certmanager/clustermesh-apiserver-issuer.yaml
deleted file mode 100644
index 5a8fa6a324cf7..0000000000000
--- a/install/kubernetes/cilium/templates/clustermesh-apiserver/tls-certmanager/clustermesh-apiserver-issuer.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-{{- if and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) .Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "certmanager") (not .Values.clustermesh.apiserver.tls.auto.certManagerIssuerRef) }}
-{{- $_ := include "clustermesh-apiserver-generate-certs.helm.setup-ca" . -}}
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: clustermesh-apiserver-ca-cert
- namespace: {{ .Release.Namespace }}
-data:
- ca.crt: {{ .cmca.Cert | b64enc }}
- ca.key: {{ .cmca.Key | b64enc }}
----
-apiVersion: cert-manager.io/v1
-kind: Issuer
-metadata:
- name: clustermesh-apiserver-issuer
- namespace: {{ .Release.Namespace }}
-spec:
- ca:
- secretName: clustermesh-apiserver-ca-cert
-{{- end }}
diff --git a/install/kubernetes/cilium/templates/clustermesh-apiserver/tls-certmanager/remote-secret.yaml b/install/kubernetes/cilium/templates/clustermesh-apiserver/tls-certmanager/remote-secret.yaml
index a601387be26a1..0a5e42e2904cc 100644
--- a/install/kubernetes/cilium/templates/clustermesh-apiserver/tls-certmanager/remote-secret.yaml
+++ b/install/kubernetes/cilium/templates/clustermesh-apiserver/tls-certmanager/remote-secret.yaml
@@ -7,7 +7,7 @@ metadata:
 namespace: {{ .Release.Namespace }}
 spec:
 issuerRef:
- {{- include "clustermesh-apiserver-generate-certs.certmanager.issuer" . | nindent 4 }}
+ {{- toYaml .Values.clustermesh.apiserver.tls.auto.certManagerIssuerRef | nindent 4 }}
 secretName: clustermesh-apiserver-remote-cert
 commonName: {{ include "clustermesh-apiserver-generate-certs.remote-common-name" . }}
 duration: {{ printf "%dh0m0s" (mul .Values.clustermesh.apiserver.tls.auto.certValidityDuration 24) }}
diff --git a/install/kubernetes/cilium/templates/clustermesh-apiserver/tls-certmanager/server-secret.yaml b/install/kubernetes/cilium/templates/clustermesh-apiserver/tls-certmanager/server-secret.yaml
index 00aa9baf736d4..909947744c87a 100644
--- a/install/kubernetes/cilium/templates/clustermesh-apiserver/tls-certmanager/server-secret.yaml
+++ b/install/kubernetes/cilium/templates/clustermesh-apiserver/tls-certmanager/server-secret.yaml
@@ -7,7 +7,7 @@ metadata:
 namespace: {{ .Release.Namespace }}
 spec:
 issuerRef:
- {{- include "clustermesh-apiserver-generate-certs.certmanager.issuer" . | nindent 4 }}
+ {{- toYaml .Values.clustermesh.apiserver.tls.auto.certManagerIssuerRef | nindent 4 }}
 secretName: clustermesh-apiserver-server-cert
 commonName: clustermesh-apiserver.cilium.io
 dnsNames:
diff --git a/install/kubernetes/cilium/templates/hubble/tls-certmanager/_helpers.tpl b/install/kubernetes/cilium/templates/hubble/tls-certmanager/_helpers.tpl
deleted file mode 100644
index 6b00dd5ae9b4c..0000000000000
--- a/install/kubernetes/cilium/templates/hubble/tls-certmanager/_helpers.tpl
+++ /dev/null
@@ -1,9 +0,0 @@
-{{- define "hubble-generate-certs.certmanager.issuer" }}
-{{- if .Values.hubble.tls.auto.certManagerIssuerRef }}
- {{- toYaml .Values.hubble.tls.auto.certManagerIssuerRef }}
-{{- else }}
- group: cert-manager.io
- kind: Issuer
- name: hubble-issuer
-{{- end }}
-{{- end }}
diff --git a/install/kubernetes/cilium/templates/hubble/tls-certmanager/hubble-issuer.yaml b/install/kubernetes/cilium/templates/hubble/tls-certmanager/hubble-issuer.yaml
deleted file mode 100644
index 8b60b1afb14b7..0000000000000
--- a/install/kubernetes/cilium/templates/hubble/tls-certmanager/hubble-issuer.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-{{- if and (or .Values.agent .Values.hubble.relay.enabled .Values.hubble.ui.enabled) .Values.hubble.enabled .Values.hubble.tls.enabled .Values.hubble.tls.auto.enabled (eq .Values.hubble.tls.auto.method "certmanager") (not .Values.hubble.tls.auto.certManagerIssuerRef) }}
-{{- $_ := include "hubble-generate-certs.helm.setup-ca" . -}}
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: hubble-ca-secret
- namespace: {{ .Release.Namespace }}
-data:
- ca.crt: {{ .ca.Cert | b64enc }}
- ca.key: {{ .ca.Key | b64enc }}
----
-apiVersion: cert-manager.io/v1
-kind: Issuer
-metadata:
- name: hubble-issuer
- namespace: {{ .Release.Namespace }}
-spec:
- ca:
- secretName: hubble-ca-secret
-{{- end }}
diff --git a/install/kubernetes/cilium/templates/hubble/tls-certmanager/relay-client-secret.yaml b/install/kubernetes/cilium/templates/hubble/tls-certmanager/relay-client-secret.yaml
index 1aa9b95d4e58c..58d173700ff75 100644
--- a/install/kubernetes/cilium/templates/hubble/tls-certmanager/relay-client-secret.yaml
+++ b/install/kubernetes/cilium/templates/hubble/tls-certmanager/relay-client-secret.yaml
@@ -7,7 +7,7 @@ metadata:
 namespace: {{ .Release.Namespace }}
 spec:
 issuerRef:
- {{- include "hubble-generate-certs.certmanager.issuer" . | nindent 4 }}
+ {{- toYaml .Values.hubble.tls.auto.certManagerIssuerRef | nindent 4 }}
 secretName: hubble-relay-client-certs
 commonName: "*.hubble-relay.cilium.io"
 dnsNames:
diff --git a/install/kubernetes/cilium/templates/hubble/tls-certmanager/relay-server-secret.yaml b/install/kubernetes/cilium/templates/hubble/tls-certmanager/relay-server-secret.yaml
index 83df06f5add59..b8e9fdee4f724 100644
--- a/install/kubernetes/cilium/templates/hubble/tls-certmanager/relay-server-secret.yaml
+++ b/install/kubernetes/cilium/templates/hubble/tls-certmanager/relay-server-secret.yaml
@@ -7,7 +7,7 @@ metadata:
 namespace: {{ .Release.Namespace }}
 spec:
 issuerRef:
- {{- include "hubble-generate-certs.certmanager.issuer" . | nindent 4 }}
+ {{- toYaml .Values.hubble.tls.auto.certManagerIssuerRef | nindent 4 }}
 secretName: hubble-relay-server-certs
 commonName: "*.hubble-relay.cilium.io"
 dnsNames:
diff --git a/install/kubernetes/cilium/templates/hubble/tls-certmanager/server-secret.yaml b/install/kubernetes/cilium/templates/hubble/tls-certmanager/server-secret.yaml
index e9456a75f4db3..3517c52c6134c 100644
--- a/install/kubernetes/cilium/templates/hubble/tls-certmanager/server-secret.yaml
+++ b/install/kubernetes/cilium/templates/hubble/tls-certmanager/server-secret.yaml
@@ -8,7 +8,7 @@ metadata:
 namespace: {{ .Release.Namespace }}
 spec:
 issuerRef:
- {{- include "hubble-generate-certs.certmanager.issuer" . | nindent 4 }}
+ {{- toYaml .Values.hubble.tls.auto.certManagerIssuerRef | nindent 4 }}
 secretName: hubble-server-certs
 commonName: {{ $cn | quote }}
 dnsNames:
diff --git a/install/kubernetes/cilium/templates/hubble/tls-certmanager/ui-client-certs.yaml b/install/kubernetes/cilium/templates/hubble/tls-certmanager/ui-client-certs.yaml
index a50ddc1294a33..f2256219a1449 100644
--- a/install/kubernetes/cilium/templates/hubble/tls-certmanager/ui-client-certs.yaml
+++ b/install/kubernetes/cilium/templates/hubble/tls-certmanager/ui-client-certs.yaml
@@ -7,7 +7,7 @@ metadata:
 namespace: {{ .Release.Namespace }}
 spec:
 issuerRef:
- {{- include "hubble-generate-certs.certmanager.issuer" . | nindent 4 }}
+ {{- toYaml .Values.hubble.tls.auto.certManagerIssuerRef | nindent 4 }}
 secretName: hubble-ui-client-certs
 commonName: "*.hubble-ui.cilium.io"
 dnsNames:
diff --git a/install/kubernetes/cilium/values.yaml b/install/kubernetes/cilium/values.yaml
index 3659bfa4d03d2..d16c337549ce8 100644
--- a/install/kubernetes/cilium/values.yaml
+++ b/install/kubernetes/cilium/values.yaml
@@ -995,7 +995,6 @@ hubble:
 # kind: ClusterIssuer
 # name: ca-issuer
 # -- certmanager issuer used when hubble.tls.auto.method=certmanager.
- # If not specified, a CA issuer will be created.
 certManagerIssuerRef: {}
 
 # -- Deprecated in favor of tls.ca. To be removed in 1.13.
@@ -2175,7 +2174,7 @@ nodeinit:
 # -- bootstrapFile is the location of the file where the bootstrap timestamp is
 # written by the node-init DaemonSet
 bootstrapFile: "/tmp/cilium-bootstrap.d/cilium-bootstrap-time"
-
+
 # -- startup offers way to customize startup nodeinit script (pre and post position)
 startup:
 preScript: ""
@@ -2541,7 +2540,6 @@ clustermesh:
 # kind: ClusterIssuer
 # name: ca-issuer
 # -- certmanager issuer used when clustermesh.apiserver.tls.auto.method=certmanager.
- # If not specified, a CA issuer will be created.
 certManagerIssuerRef: {}
 # -- base64 encoded PEM values for the ExternalWorkload CA certificate and private key.
 ca:
diff --git a/install/kubernetes/cilium/values.yaml.tmpl b/install/kubernetes/cilium/values.yaml.tmpl
index ac63028ce9af2..249ae84b59442 100644
--- a/install/kubernetes/cilium/values.yaml.tmpl
+++ b/install/kubernetes/cilium/values.yaml.tmpl
@@ -992,7 +992,6 @@ hubble:
 # kind: ClusterIssuer
 # name: ca-issuer
 # -- certmanager issuer used when hubble.tls.auto.method=certmanager.
- # If not specified, a CA issuer will be created.
 certManagerIssuerRef: {}
 
 # -- Deprecated in favor of tls.ca. To be removed in 1.13.
@@ -2172,7 +2171,7 @@ nodeinit:
 # -- bootstrapFile is the location of the file where the bootstrap timestamp is
 # written by the node-init DaemonSet
 bootstrapFile: "/tmp/cilium-bootstrap.d/cilium-bootstrap-time"
-
+
 # -- startup offers way to customize startup nodeinit script (pre and post position)
 startup:
 preScript: ""
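Review bot: After the fallback sentence is removed, the comment above `certManagerIssuerRef: {}` in the first values.yaml hunk no longer tells the reader that the value must be set for `method=certmanager`, which is exactly the behaviour this commit introduces, and the README.md and helm-values.rst rows in this patch appear to carry the same generated text, so they inherit the gap. Suggest `# -- certmanager issuer used when hubble.tls.auto.method=certmanager. Must be set when this method is selected; no default issuer is created.` here, with the matching wording in the clustermesh hunk below (`clustermesh.apiserver.tls.auto.method=certmanager`) and in both values.yaml.tmpl hunks. The enclosing `hubble.tls.auto` and `clustermesh.apiserver.tls.auto` mappings start outside these hunks.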
@@ -2538,7 +2537,6 @@ clustermesh:
 # kind: ClusterIssuer
 # name: ca-issuer
 # -- certmanager issuer used when clustermesh.apiserver.tls.auto.method=certmanager.
- # If not specified, a CA issuer will be created.
 certManagerIssuerRef: {}
 # -- base64 encoded PEM values for the ExternalWorkload CA certificate and private key.
 ca: