helm: ca issuer
create CA issuer when certManagerIssuerRef is not specified

Signed-off-by: Đặng Minh Dũng <dungdm93@live.com>
dungdm93 authored and joestringer committed Oct 1, 2021
1 parent ce82ab9 commit 082fa15
Showing 14 changed files with 74 additions and 12 deletions.
4 changes: 2 additions & 2 deletions install/kubernetes/cilium/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -93,7 +93,7 @@ contributors across the globe, there is almost always someone available to help.
| clustermesh.apiserver.service.type | string | `"NodePort"` | The type of service used for apiserver access. |
| clustermesh.apiserver.tls.admin | object | `{"cert":"","key":""}` | base64 encoded PEM values for the clustermesh-apiserver admin certificate and private key. Used if 'auto' is not enabled. |
| clustermesh.apiserver.tls.auto | object | `{"certManagerIssuerRef":{},"certValidityDuration":1095,"enabled":true,"method":"helm"}` | Configure automatic TLS certificates generation. A Kubernetes CronJob is used the generate any certificates not provided by the user at installation time. |
| clustermesh.apiserver.tls.auto.certManagerIssuerRef | object | `{}` | certmanager issuer used when clustermesh.apiserver.tls.auto.method=certmanager |
| clustermesh.apiserver.tls.auto.certManagerIssuerRef | object | `{}` | certmanager issuer used when clustermesh.apiserver.tls.auto.method=certmanager. If not specified, a CA issuer will be created. |
| clustermesh.apiserver.tls.auto.certValidityDuration | int | `1095` | Generated certificates validity duration in days. |
| clustermesh.apiserver.tls.auto.enabled | bool | `true` | When set to true, automatically generate a CA and certificates to enable mTLS between clustermesh-apiserver and external workload instances. If set to false, the certs to be provided by setting appropriate values below. |
| clustermesh.apiserver.tls.ca | object | `{"cert":"","key":""}` | base64 encoded PEM values for the ExternalWorkload CA certificate and private key. |
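Review bot: the new sentence in the `clustermesh.apiserver.tls.auto.certManagerIssuerRef` row ("If not specified, a CA issuer will be created.") should say what gets created and where, because that is what an operator has to find, audit or lock down: a namespaced cert-manager `Issuer` named `clustermesh-apiserver-issuer` in the release namespace, whose signing key is a Helm-generated CA written to the Secret `clustermesh-apiserver-ca-cert`. Suggested wording, here and in the matching values.yaml comment: `If not specified, a namespaced CA Issuer (clustermesh-apiserver-issuer) backed by a Helm-generated CA stored in Secret clustermesh-apiserver-ca-cert is created.` While this table is being touched, the unchanged `clustermesh.apiserver.tls.auto` row two lines up still reads "is used the generate"; "is used to generate" would be a one-word fix in the same hunk.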
Expand Down Expand Up @@ -222,7 +222,7 @@ contributors across the globe, there is almost always someone available to help.
| hubble.socketPath | string | `"/var/run/cilium/hubble.sock"` | Unix domain socket path to listen to when Hubble is enabled. |
| hubble.tls | object | `{"auto":{"certManagerIssuerRef":{},"certValidityDuration":1095,"enabled":true,"method":"helm","schedule":"0 0 1 */4 *"},"ca":{"cert":"","key":""},"enabled":true,"server":{"cert":"","extraDnsNames":[],"extraIpAddresses":[],"key":""}}` | TLS configuration for Hubble |
| hubble.tls.auto | object | `{"certManagerIssuerRef":{},"certValidityDuration":1095,"enabled":true,"method":"helm","schedule":"0 0 1 */4 *"}` | Configure automatic TLS certificates generation. |
| hubble.tls.auto.certManagerIssuerRef | object | `{}` | certmanager issuer used when hubble.tls.auto.method=certmanager |
| hubble.tls.auto.certManagerIssuerRef | object | `{}` | certmanager issuer used when hubble.tls.auto.method=certmanager. If not specified, a CA issuer will be created. |
| hubble.tls.auto.certValidityDuration | int | `1095` | Generated certificates validity duration in days. |
| hubble.tls.auto.enabled | bool | `true` | Auto-generate certificates. When set to true, automatically generate a CA and certificates to enable mTLS between Hubble server and Hubble Relay instances. If set to false, the certs for Hubble server need to be provided by setting appropriate values below. |
| hubble.tls.auto.method | string | `"helm"` | Set the method to auto-generate certificates. Supported values: - helm: This method uses Helm to generate all certificates. - cronJob: This method uses a Kubernetes CronJob the generate any certificates not provided by the user at installation time. - certmanager: This method use cert-manager to generate & rotate certificates. |
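Review bot: the `hubble.tls.auto.method` row in this hunk's trailing context describes `certmanager` as the method that uses cert-manager "to generate & rotate certificates", but with the new default (empty `certManagerIssuerRef`) cert-manager only issues and rotates the leaf certificates; the CA that signs them is produced by Helm (`hubble-generate-certs.helm.setup-ca`) and handed to cert-manager through the `hubble-ca-secret` Secret, so cert-manager never rotates it. The `certManagerIssuerRef` row should state that split of responsibility, and state whether the Helm-generated CA is preserved or regenerated on `helm upgrade`, since a regenerated CA breaks validation of every certificate issued under the previous one until it is reissued. Grammar nit in the same unchanged row: "This method use cert-manager" should be "This method uses cert-manager".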
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
{{- define "clustermesh-apiserver-generate-certs.certmanager.issuer" }}
{{- if .Values.clustermesh.apiserver.tls.auto.certManagerIssuerRef }}
{{- toYaml .Values.clustermesh.apiserver.tls.auto.certManagerIssuerRef }}
{{- else }}
group: cert-manager.io
kind: Issuer
name: clustermesh-apiserver-issuer
{{- end }}
{{- end }}
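Review bot: the fallback `issuerRef` hardcodes `kind: Issuer` and `name: clustermesh-apiserver-issuer`, which must stay in sync with the `Issuer` created in the new CA-issuer template; a shared named template or variable for the issuer name would keep the two from drifting, and the same applies to the hubble helper and `hubble-issuer`. Two smaller points: an `Issuer` is namespaced, so this fallback only resolves for Certificates rendered into `.Release.Namespace` (true for every Certificate in this commit, but worth a comment in the helper); and the `else` branch begins with the newline that follows `{{- else }}`, so the included text, once passed through `nindent 4` by the callers, renders a whitespace-only line between `issuerRef:` and `group:`. Valid YAML, but `{{- else -}}` keeps the rendered manifests clean.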
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ metadata:
namespace: {{ .Release.Namespace }}
spec:
issuerRef:
{{- toYaml .Values.clustermesh.apiserver.tls.auto.certManagerIssuerRef | nindent 4 }}
{{- include "clustermesh-apiserver-generate-certs.certmanager.issuer" . | nindent 4 }}
secretName: clustermesh-apiserver-admin-cert
commonName: root
dnsNames:
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ metadata:
namespace: {{ .Release.Namespace }}
spec:
issuerRef:
{{- toYaml .Values.clustermesh.apiserver.tls.auto.certManagerIssuerRef | nindent 4 }}
{{- include "clustermesh-apiserver-generate-certs.certmanager.issuer" . | nindent 4 }}
secretName: clustermesh-apiserver-client-cert
commonName: externalworkload
duration: {{ printf "%dh" (mul .Values.clustermesh.apiserver.tls.auto.certValidityDuration 24) }}
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
{{- if and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) .Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "certmanager") (not .Values.clustermesh.apiserver.tls.auto.certManagerIssuerRef) }}
{{- $_ := include "clustermesh-apiserver-generate-certs.helm.setup-ca" . -}}
---
apiVersion: v1
kind: Secret
metadata:
name: clustermesh-apiserver-ca-cert
namespace: {{ .Release.Namespace }}
data:
ca.crt: {{ .cmca.Cert | b64enc }}
ca.key: {{ .cmca.Key | b64enc }}
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: clustermesh-apiserver-issuer
namespace: {{ .Release.Namespace }}
spec:
ca:
secretName: clustermesh-apiserver-ca-cert
{{- end }}
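Review bot: the Secret this `Issuer` points at (`spec.ca.secretName: clustermesh-apiserver-ca-cert`) stores the signing pair under `ca.crt`/`ca.key`, but cert-manager's CA issuer loads its signing certificate and private key from the `tls.crt` and `tls.key` keys of that Secret, not from `ca.crt`/`ca.key`, so as written the Issuer reports a missing key pair instead of becoming Ready and none of the Certificate resources in this commit get issued. Emit `tls.crt: {{ .cmca.Cert | b64enc }}` and `tls.key: {{ .cmca.Key | b64enc }}` (keeping `ca.crt` alongside is fine, and `type: kubernetes.io/tls` would match what `kubectl create secret tls` produces). Second, this template reads `.cmca.Cert` and `.cmca.Key`, relying on the preceding `include "clustermesh-apiserver-generate-certs.helm.setup-ca"` to set `.cmca` on the root context as a side effect; that helper is not part of this diff, so a guard like `{{- if not .cmca }}{{ fail "setup-ca did not populate .cmca" }}{{- end }}` would turn an obscure render error into a clear one if the helper's contract ever changes.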
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ metadata:
namespace: {{ .Release.Namespace }}
spec:
issuerRef:
{{- toYaml .Values.clustermesh.apiserver.tls.auto.certManagerIssuerRef | nindent 4 }}
{{- include "clustermesh-apiserver-generate-certs.certmanager.issuer" . | nindent 4 }}
secretName: clustermesh-apiserver-remote-cert
commonName: remote
duration: {{ printf "%dh" (mul .Values.clustermesh.apiserver.tls.auto.certValidityDuration 24) }}
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ metadata:
namespace: {{ .Release.Namespace }}
spec:
issuerRef:
{{- toYaml .Values.clustermesh.apiserver.tls.auto.certManagerIssuerRef | nindent 4 }}
{{- include "clustermesh-apiserver-generate-certs.certmanager.issuer" . | nindent 4 }}
secretName: clustermesh-apiserver-server-cert
commonName: clustermesh-apiserver.cilium.io
dnsNames:
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
{{- define "hubble-generate-certs.certmanager.issuer" }}
{{- if .Values.hubble.tls.auto.certManagerIssuerRef }}
{{- toYaml .Values.hubble.tls.auto.certManagerIssuerRef }}
{{- else }}
group: cert-manager.io
kind: Issuer
name: hubble-issuer
{{- end }}
{{- end }}
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
{{- if and (or .Values.agent .Values.hubble.relay.enabled .Values.hubble.ui.enabled) .Values.hubble.enabled .Values.hubble.tls.enabled .Values.hubble.tls.auto.enabled (eq .Values.hubble.tls.auto.method "certmanager") (not .Values.hubble.tls.auto.certManagerIssuerRef) }}
{{- $_ := include "hubble-generate-certs.helm.setup-ca" . -}}
---
apiVersion: v1
kind: Secret
metadata:
name: hubble-ca-secret
namespace: {{ .Release.Namespace }}
data:
ca.crt: {{ .ca.Cert | b64enc }}
ca.key: {{ .ca.Key | b64enc }}
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: hubble-issuer
namespace: {{ .Release.Namespace }}
spec:
ca:
secretName: hubble-ca-secret
{{- end }}
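Review bot: same defect as the clustermesh-apiserver CA Secret: `hubble-ca-secret` exposes the signing pair only as `ca.crt`/`ca.key`, while the `Issuer` below (`spec.ca.secretName: hubble-ca-secret`) reads `tls.crt`/`tls.key`, so those keys must be added here too. Specific to this file: the private key of the CA that anchors Hubble's mTLS now sits in a plain Secret in the release namespace, and any principal with `get` or `list` on Secrets there can use it to mint client certificates that every Hubble server and relay will accept. That is inherent to cert-manager's CA issuer rather than a bug in this template, but the values comment should say it so operators scope Secret RBAC in that namespace accordingly. Also, `.ca` is populated as a side effect of the `include "hubble-generate-certs.helm.setup-ca"` on the line above; a `{{- if not .ca }}{{ fail ... }}{{- end }}` guard would make that dependency explicit.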
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ metadata:
namespace: {{ .Release.Namespace }}
spec:
issuerRef:
{{- toYaml .Values.hubble.tls.auto.certManagerIssuerRef | nindent 4 }}
{{- include "hubble-generate-certs.certmanager.issuer" . | nindent 4 }}
secretName: hubble-relay-client-certs
commonName: "*.hubble-relay.cilium.io"
dnsNames:
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ metadata:
namespace: {{ .Release.Namespace }}
spec:
issuerRef:
{{- toYaml .Values.hubble.tls.auto.certManagerIssuerRef | nindent 4 }}
{{- include "hubble-generate-certs.certmanager.issuer" . | nindent 4 }}
secretName: hubble-relay-server-certs
commonName: "*.hubble-relay.cilium.io"
dnsNames:
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ metadata:
namespace: {{ .Release.Namespace }}
spec:
issuerRef:
{{- toYaml .Values.hubble.tls.auto.certManagerIssuerRef | nindent 4 }}
{{- include "hubble-generate-certs.certmanager.issuer" . | nindent 4 }}
secretName: hubble-server-certs
commonName: {{ $cn | quote }}
dnsNames:
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ metadata:
namespace: {{ .Release.Namespace }}
spec:
issuerRef:
{{- toYaml .Values.hubble.tls.auto.certManagerIssuerRef | nindent 4 }}
{{- include "hubble-generate-certs.certmanager.issuer" . | nindent 4 }}
secretName: hubble-ui-client-certs
commonName: "*.hubble-ui.cilium.io"
dnsNames:
6 changes: 4 additions & 2 deletions install/kubernetes/cilium/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -639,7 +639,8 @@ hubble:
# group: cert-manager.io
# kind: ClusterIssuer
# name: ca-issuer
# -- certmanager issuer used when hubble.tls.auto.method=certmanager
# -- certmanager issuer used when hubble.tls.auto.method=certmanager.
# If not specified, a CA issuer will be created.
certManagerIssuerRef: {}
# -- base64 encoded PEM values for the Hubble CA certificate and private key.
ca:
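Review bot: the commented example directly above this hunk shows `kind: ClusterIssuer` / `name: ca-issuer`, so "a CA issuer will be created" reads as if a cluster-scoped `ClusterIssuer` of that name appears; what the chart actually creates is a namespaced `Issuer` named `hubble-issuer` in `.Release.Namespace`, signed by a Helm-generated CA stored in Secret `hubble-ca-secret`. Name both in this comment, and do the same in the matching clustermesh comment below (`clustermesh-apiserver-issuer`, Secret `clustermesh-apiserver-ca-cert`), so operators know which resources to inspect and which Secret holds a CA private key they need to protect.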
Expand Down Expand Up @@ -1695,7 +1696,8 @@ clustermesh:
# group: cert-manager.io
# kind: ClusterIssuer
# name: ca-issuer
# -- certmanager issuer used when clustermesh.apiserver.tls.auto.method=certmanager
# -- certmanager issuer used when clustermesh.apiserver.tls.auto.method=certmanager.
# If not specified, a CA issuer will be created.
certManagerIssuerRef: {}
# -- base64 encoded PEM values for the ExternalWorkload CA certificate and private key.
ca:
