Merge pull request #220 from grafana/mplzik/cert-manager

Import cert manager libraries.
grafana · Mar 19, 2020 · d3c9f46 · d3c9f46
2 parents 03da9ea + 5dc3afb
commit d3c9f46
Show file tree

Hide file tree

Showing 29 changed files with 6,581 additions and 0 deletions.
diff --git a/cert-manager/README.md b/cert-manager/README.md
@@ -0,0 +1,6 @@
+# Cert-manager jsonnet library (alpha)
+
+This library was created as a mostly 1-to-1 rewrite of cert-manager helm chart and is in use internally at Grafana Labs. It should be considered experimental.
+
+In addition to the helm chart content, this jsonnet library also provides `letsencrypt-prod` and `letsencrypt-staging` ClusterIssuers for direct consumption. Please have a look at `config.libsonnet` for configuration parameters.
+
diff --git a/cert-manager/cainjector_deployment.libsonnet b/cert-manager/cainjector_deployment.libsonnet
@@ -0,0 +1,22 @@
+{
+  local deployment = $.apps.v1.deployment,
+  local container = $.core.v1.container,
+
+  cainjector_container:: container.new('cainjector', $._images.cert_manager_cainjector)
+                         .withImagePullPolicy('IfNotPresent')
+                         .withArgs([
+    '--v=2',  // loglevel
+    '--leader-election-namespace=kube-system',  // optionally customizable
+  ])
+                         .withEnv([
+    container.envType.fromFieldPath('POD_NAMESPACE', 'metadata.namespace'),
+  ]),
+
+  cainjector_deployment: deployment.new(name='cert-manager-cainjector', replicas=1, containers=[$.cainjector_container], podLabels={
+                           /* TODO: labels */
+                           app: 'cainjector',
+                         },) +
+                         deployment.mixin.spec.template.spec
+                         .withServiceAccountName('cert-manager-cainjector') +
+                         deployment.mixin.metadata.withLabels({ app: 'cainjector' },),
+}
diff --git a/cert-manager/cainjector_psp.libsonnet b/cert-manager/cainjector_psp.libsonnet
@@ -0,0 +1,44 @@
+{
+  local podSecurityPolicy = $.policy.v1beta1.podSecurityPolicy,
+  local ranges = podSecurityPolicy.mixin.spec.runAsUser.rangesType,
+
+  cainjector_psp:
+    podSecurityPolicy.new() +
+    podSecurityPolicy.mixin.metadata
+    .withName('cert-manager-cainjector')
+    .withLabels({}/* TODO: labels */,)
+    .withAnnotations({
+      'seccomp.security.alpha.kubernetes.io/allowedProfileNames': 'docker/default',
+      'seccomp.security.alpha.kubernetes.io/defaultProfileName': 'docker/default',
+
+      // If apparmor is enabled
+      /*
+      apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default',
+      apparmor.security.beta.kubernetes.io/defaultProfileName:  'runtime/default',
+      */
+    },) +
+    podSecurityPolicy.mixin.spec
+    .withPrivileged(false)
+    .withAllowPrivilegeEscalation(false)
+    .withAllowedCapabilities([])
+    .withVolumes([
+      'configMap',
+      'emptyDir',
+      'projected',
+      'secret',
+      'downwardAPI',
+    ],)
+    .withHostNetwork(false)
+    .withHostIpc(false)
+    .withHostPid(false) +
+    podSecurityPolicy.mixin.spec.runAsUser
+    .withRule('MustRunAs')
+    .withRanges(ranges.new() + ranges.withMin(1000) + ranges.withMax(1000)) +
+    podSecurityPolicy.mixin.spec.seLinux.withRule('RunAsAny') +
+    podSecurityPolicy.mixin.spec.supplementalGroups
+    .withRule('MustRunAs')
+    .withRanges(ranges.new() + ranges.withMin(1000) + ranges.withMax(1000)) +
+    podSecurityPolicy.mixin.spec.fsGroup
+    .withRule('MustRunAs')
+    .withRanges(ranges.new() + ranges.withMin(1000) + ranges.withMax(1000)),
+}
diff --git a/cert-manager/cainjector_psp_clusterrole.libsonnet b/cert-manager/cainjector_psp_clusterrole.libsonnet
@@ -0,0 +1,18 @@
+{
+  local clusterRole = $.rbac.v1.clusterRole,
+  local rules = clusterRole.rulesType,
+
+  cainjector_psp_clusterrole:
+    clusterRole.new() +
+    clusterRole.mixin.metadata
+    .withName('cert-manager-cainjector-psp')
+    .withLabels({},/* TODO: labels */) +
+    clusterRole.withRules(
+      rules.new() +
+      rules
+      .withApiGroups('policy')
+      .withResources(['podsecuritypolicies'])
+      .withVerbs(['use'])
+      .withResourceNames(['cert-manager-cainjector'])
+    ),
+}
diff --git a/cert-manager/cainjector_psp_clusterrolebinding.libsonnet b/cert-manager/cainjector_psp_clusterrolebinding.libsonnet
@@ -0,0 +1,22 @@
+{
+  local clusterRoleBinding = $.rbac.v1.clusterRoleBinding,
+  local roleRef = clusterRoleBinding.roleRefType,
+  local subjects = clusterRoleBinding.subjectsType,
+
+  cainjector_psp_clusterrolebinding:
+    clusterRoleBinding.new() +
+    clusterRoleBinding.mixin.metadata
+    .withName('cert-manager-cainjector-psp')
+    .withLabels({}/* TODO: labels */,) +
+    clusterRoleBinding.mixin.roleRef
+    .withApiGroup('rbac.authorization.k8s.io')
+    .withKind('ClusterRole')
+    .withName('cert-manager-cainjector-psp') +
+    clusterRoleBinding.withSubjects(
+      subjects.new() + subjects
+                       .withKind('ServiceAccount')
+                       .withName('cert-manager-cainjector')
+                       .withNamespace($._config.namespace)
+    ),
+
+}
diff --git a/cert-manager/cainjector_rbac.libsonnet b/cert-manager/cainjector_rbac.libsonnet
@@ -0,0 +1,91 @@
+{
+  local clusterRole = $.rbac.v1beta1.clusterRole,
+  local rules = clusterRole.rulesType,
+
+  cainjector_clusterrole:
+    clusterRole.new() +
+    clusterRole.mixin.metadata
+    .withName('cert-manager-cainjector')
+    .withNamespace('kube-system')
+    .withLabels({}/* TODO:labels */) +
+    clusterRole.withRules(
+      [
+        rules.withApiGroups('cert-manager.io')
+        .withResources(['certificates'])
+        .withVerbs(['get', 'list', 'watch']),
+        rules.withApiGroups('')
+        .withResources(['secrets'])
+        .withVerbs(['get', 'list', 'watch']),
+        rules.withApiGroups('')
+        .withResources(['events'],)
+        .withVerbs(['get', 'create', 'update', 'patch']),
+        rules.withApiGroups('admissionregistration.k8s.io')
+        .withResources(['validatingwebhookconfigurations', 'mutatingwebhookconfigurations'],)
+        .withVerbs(['get', 'list', 'watch', 'update']),
+        rules.withApiGroups(['apiregistration.k8s.io'])
+        .withResources(['apiservices'])
+        .withVerbs(['get', 'list', 'watch', 'update']),
+        rules.withApiGroups(['apiextensions.k8s.io'])
+        .withResources(['customresourcedefinitions'],)
+        .withVerbs(['get', 'list', 'watch', 'update'],),
+      ]
+    ),
+
+  local clusterRoleBinding = $.rbac.v1beta1.clusterRoleBinding,
+  local roleRef = clusterRoleBinding.roleRefType,
+  local subjects = clusterRoleBinding.subjectsType,
+
+  cainjector_clusterrolebinding:
+    clusterRoleBinding.new() +
+    clusterRoleBinding.mixin.metadata
+    .withName('cert-manager-cainjector')
+    .withNamespace('kube-system')
+    .withLabels({}/* TODO: labels */) +
+    clusterRoleBinding.mixin.roleRef
+    .withName('cert-manager-cainjector')
+    .withKind('ClusterRole')
+    .withApiGroup('rbac.authorization.k8s.io') +
+    clusterRoleBinding.withSubjects(
+      subjects.withKind('ServiceAccount')
+      .withName('cert-manager-cainjector')
+      .withNamespace($._config.namespace)
+    ),
+
+  local role = $.rbac.v1beta1.role,
+
+  cainjector_leaderelection_role:
+    role.new() +
+    role.mixin.metadata
+    .withName('cert-manager-cainjector:leaderelection')
+    .withNamespace('kube-system')
+    .withLabels({}/* TODO: labels */) +
+    role.withRules(
+      [
+        role.rulesType.new() +
+        role.rulesType
+        .withApiGroups('')
+        .withResources(['configmaps'],)
+        .withVerbs(['get', 'create', 'update', 'patch']),
+      ],
+    ),
+
+  local roleBinding = $.rbac.v1beta1.roleBinding,
+
+  cainjector_leaderelection_rolebinding:
+    roleBinding.new() +
+    roleBinding.mixin.metadata
+    .withName('cert-manager-cainjector:leaderelection')
+    .withNamespace('kube-system')
+    .withLabels({}/* TODO: labels */) +
+    roleBinding.mixin.roleRef
+    .withApiGroup('rbac.authorization.k8s.io')
+    .withKind('Role')
+    .withName('cert-manager-cainjector:leaderelection') +
+    roleBinding.withSubjects(
+      subjects
+      .withKind('ServiceAccount')
+      .withName('cert-manager-cainjector')
+      .withNamespace($._config.namespace)
+    ),
+
+}
diff --git a/cert-manager/cainjector_serviceaccount.libsonnet b/cert-manager/cainjector_serviceaccount.libsonnet
@@ -0,0 +1,8 @@
+{
+  local serviceAccount = $.core.v1.serviceAccount,
+  cainjector_serviceaccount:
+    serviceAccount.new('cert-manager-cainjector') +
+    serviceAccount.mixin.metadata
+    .withLabels({}/* TODO: labels */)
+    .withNamespace($._config.namespace),
+}
diff --git a/cert-manager/cert-manager.libsonnet b/cert-manager/cert-manager.libsonnet
@@ -0,0 +1,27 @@
+(import 'ksonnet-util/kausal.libsonnet') +
+(import 'cert-manager/cainjector_deployment.libsonnet') +
+(import 'cert-manager/cainjector_psp.libsonnet') +
+(import 'cert-manager/cainjector_psp_clusterrole.libsonnet') +
+(import 'cert-manager/cainjector_psp_clusterrolebinding.libsonnet') +
+(import 'cert-manager/cainjector_rbac.libsonnet') +
+(import 'cert-manager/cainjector_serviceaccount.libsonnet') +
+(import 'cert-manager/config.libsonnet') +
+(import 'cert-manager/default_clusterissuers.libsonnet') +
+(import 'cert-manager/deployment.libsonnet') +
+(import 'cert-manager/namespace.libsonnet') +
+(import 'cert-manager/psp.libsonnet') +
+(import 'cert-manager/psp_clusterrole.libsonnet') +
+(import 'cert-manager/psp_clusterrolebinding.libsonnet') +
+(import 'cert-manager/rbac.libsonnet') +
+(import 'cert-manager/service.libsonnet') +
+(import 'cert-manager/serviceaccount.libsonnet') +
+(import 'cert-manager/webhook_deployment.libsonnet') +
+(import 'cert-manager/webhook_mutating_webhook.libsonnet') +
+(import 'cert-manager/webhook_psp_clusterrole.libsonnet') +
+(import 'cert-manager/webhook_psp_clusterrolebinding.libsonnet') +
+(import 'cert-manager/webhook_psp.libsonnet') +
+(import 'cert-manager/webhook_rbac.libsonnet') +
+(import 'cert-manager/webhook_service.libsonnet') +
+(import 'cert-manager/webhook_serviceaccount.libsonnet') +
+(import 'cert-manager/webhook_validating_webhook.libsonnet') +
+(import 'cert-manager/crds.libsonnet')
diff --git a/cert-manager/config.libsonnet b/cert-manager/config.libsonnet
@@ -0,0 +1,15 @@
+{
+  _images+:: {
+    cert_manager: 'quay.io/jetstack/cert-manager-controller:v0.13.0',
+    cert_manager_cainjector: 'quay.io/jetstack/cert-manager-cainjector:v0.13.0',
+    cert_manager_webhook: 'quay.io/jetstack/cert-manager-webhook:v0.13.0',
+  },
+  // Empty for now, used to keep the structure consistent.
+  _config+:: {
+    namespace: error '$._config.namespace needs to be configured.',
+    // "letsencrypt-staging" and "letsencrypt-prod" ClusterIssuer is generated automatically.
+    default_issuer: null,
+    default_issuer_group: 'cert-manager.io',
+    issuer_email: error '$._config.issuer_email needs to be configured.',
+  },
+}
diff --git a/cert-manager/crds.libsonnet b/cert-manager/crds.libsonnet
@@ -0,0 +1,7 @@
+{
+  local parseYAML = std.native('parseYaml'),
+  local raw_yaml = importstr 'cert-manager/files/00-crds.yaml',
+  local crds_yaml = parseYAML(raw_yaml),
+  // Downloaded from https://raw.githubusercontent.com/jetstack/cert-manager/release-0.12/deploy/manifests/00-crds.yaml
+  crds: crds_yaml,
+}
diff --git a/cert-manager/default_clusterissuers.libsonnet b/cert-manager/default_clusterissuers.libsonnet
@@ -0,0 +1,63 @@
+{
+  cluster_issuer_staging: {
+    apiVersion: 'cert-manager.io/v1alpha2',
+    kind: 'ClusterIssuer',
+    metadata: {
+      name: 'letsencrypt-staging',
+    },
+    spec: {
+      acme: {
+        // You must replace this email address with your own.
+        // Let's Encrypt will use this to contact you about expiring
+        // certificates, and issues related to your account.
+        email: $._config.issuer_email,
+        server: 'https://acme-staging-v02.api.letsencrypt.org/directory',
+        privateKeySecretRef: {
+          // Secret resource used to store the account's private key.
+          name: 'letsencrypt-staging-account',
+        },
+        // Add a single challenge solver, HTTP01 using nginx
+        solvers: [
+          {
+            http01: {
+              ingress: {
+                class: 'nginx',
+              },
+            },
+          },
+        ],
+      },
+    },
+  },
+
+  cluster_issuer_prod: {
+    apiVersion: 'cert-manager.io/v1alpha2',
+    kind: 'ClusterIssuer',
+    metadata: {
+      name: 'letsencrypt-prod',
+    },
+    spec: {
+      acme: {
+        // You must replace this email address with your own.
+        // Let's Encrypt will use this to contact you about expiring
+        // certificates, and issues related to your account.
+        email: $._config.issuer_email,
+        server: 'https://acme-v02.api.letsencrypt.org/directory',
+        privateKeySecretRef: {
+          // Secret resource used to store the account's private key.
+          name: 'letsencrypt-prod-account',
+        },
+        // Add a single challenge solver, HTTP01 using nginx
+        solvers: [
+          {
+            http01: {
+              ingress: {
+                class: 'nginx',
+              },
+            },
+          },
+        ],
+      },
+    },
+  },
+}
diff --git a/cert-manager/deployment.libsonnet b/cert-manager/deployment.libsonnet
@@ -0,0 +1,38 @@
+{
+  local deployment = $.apps.v1.deployment,
+  local container = $.core.v1.container,
+  local containerPort = $.core.v1.containerPort,
+
+  cert_manager_container::
+    container.new('cert-manager', $._images.cert_manager)
+    .withPorts(containerPort.new(name='cert-manager', port=9402).withProtocol('TCP'))
+    .withImagePullPolicy('IfNotPresent')
+    .withArgs([
+                '--v=2',  // loglevel
+                '--cluster-resource-namespace=$(POD_NAMESPACE)',  // optionally customizable
+                '--leader-election-namespace=kube-system',  // optionally customizable
+                //'--default-issuer-name=', // unset by default
+                //'--default-issuer-kind=', // unset by default
+                //'--default-issuer-group=', // unset by default
+                '--webhook-namespace=$(POD_NAMESPACE)',
+                '--webhook-ca-secret=cert-manager-webhook-ca',
+                '--webhook-serving-secret=cert-manager-webhook-tls',
+                std.format('--webhook-dns-names=cert-manager-webhook,cert-manager-webhook.%(ns)s,cert-manager-webhook.%(ns)s.svc', { ns: $._config.namespace }),
+                '--default-issuer-kind=ClusterIssuer',
+              ] +
+              (if $._config.default_issuer != null then ['--default-issuer-name=' + $._config.default_issuer] else []) +
+              (if $._config.default_issuer_group != null then ['--default-issuer-group=' + $._config.default_issuer_group] else [])
+              ,)
+
+    .withEnv([
+      container.envType.fromFieldPath('POD_NAMESPACE', 'metadata.namespace'),
+    ]),
+
+  deployment:
+    deployment.new(name='cert-manager', replicas=1, containers=[$.cert_manager_container], podLabels={
+      app: 'controller',
+      /* TODO: labels */
+    },) +
+    deployment.mixin.spec.template.spec
+    .withServiceAccountName('cert-manager'),
+}