Merge pull request #220 from grafana/mplzik/cert-manager
Import cert manager libraries.
Showing
29 changed files
with
6,581 additions
and
0 deletions.
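--- /dev/null
+++ b/PATH-NOT-SHOWN-README.md
@@ -0,0 +1,6 @@
+# Cert-manager jsonnet library (alpha)
+
+This library was created as a mostly 1-to-1 rewrite of cert-manager helm chart and is in use internally at Grafana Labs. It should be considered experimental.
+
+In addition to the helm chart content, this jsonnet library also provides `letsencrypt-prod` and `letsencrypt-staging` ClusterIssuers for direct consumption. Please have a look at `config.libsonnet` for configuration parameters.
+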
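--- /dev/null
+++ b/cert-manager/cainjector_deployment.libsonnet
@@ -0,0 +1,22 @@
+{
+local deployment = $.apps.v1.deployment,
+local container = $.core.v1.container,
+
+cainjector_container:: container.new('cainjector', $._images.cert_manager_cainjector)
+.withImagePullPolicy('IfNotPresent')
+.withArgs([
+'--v=2', // loglevel
+'--leader-election-namespace=kube-system', // optionally customizable
+])
+.withEnv([
+container.envType.fromFieldPath('POD_NAMESPACE', 'metadata.namespace'),
+]),
+
+cainjector_deployment: deployment.new(name='cert-manager-cainjector', replicas=1, containers=[$.cainjector_container], podLabels={
+/* TODO: labels */
+app: 'cainjector',
+},) +
+deployment.mixin.spec.template.spec
+.withServiceAccountName('cert-manager-cainjector') +
+deployment.mixin.metadata.withLabels({ app: 'cainjector' },),
+}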
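Review bot: `cainjector_deployment` (L47-53) sets no namespace on its metadata, while the service account in cainjector_serviceaccount.libsonnet and the ClusterRoleBinding subject in cainjector_psp_clusterrolebinding.libsonnet are both pinned to `$._config.namespace`; if the deployment is applied anywhere else, the pod's `cert-manager-cainjector` service account and its RBAC no longer line up. Unless the namespace is injected by the surrounding tooling (which this file cannot show), adding `deployment.mixin.metadata.withNamespace($._config.namespace) +` to the chain keeps the three objects in step. The container also carries no securityContext, so the PSP in cainjector_psp.libsonnet is the only thing enforcing non-root and no privilege escalation, and it only takes effect where the PodSecurityPolicy admission plugin is enabled; a comment on `cainjector_container` such as `// runAsUser/fsGroup/allowPrivilegeEscalation are enforced by the cert-manager-cainjector PSP, not set here` makes that dependency visible. The `// optionally customizable` remark at L40 is misleading while the value is a literal rather than a `_config` entry.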
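--- /dev/null
+++ b/cert-manager/cainjector_psp.libsonnet
@@ -0,0 +1,44 @@
+{
+local podSecurityPolicy = $.policy.v1beta1.podSecurityPolicy,
+local ranges = podSecurityPolicy.mixin.spec.runAsUser.rangesType,
+
+cainjector_psp:
+podSecurityPolicy.new() +
+podSecurityPolicy.mixin.metadata
+.withName('cert-manager-cainjector')
+.withLabels({}/* TODO: labels */,)
+.withAnnotations({
+'seccomp.security.alpha.kubernetes.io/allowedProfileNames': 'docker/default',
+'seccomp.security.alpha.kubernetes.io/defaultProfileName': 'docker/default',
+
+// If apparmor is enabled
+/*
+apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default',
+apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default',
+*/
+},) +
+podSecurityPolicy.mixin.spec
+.withPrivileged(false)
+.withAllowPrivilegeEscalation(false)
+.withAllowedCapabilities([])
+.withVolumes([
+'configMap',
+'emptyDir',
+'projected',
+'secret',
+'downwardAPI',
+],)
+.withHostNetwork(false)
+.withHostIpc(false)
+.withHostPid(false) +
+podSecurityPolicy.mixin.spec.runAsUser
+.withRule('MustRunAs')
+.withRanges(ranges.new() + ranges.withMin(1000) + ranges.withMax(1000)) +
+podSecurityPolicy.mixin.spec.seLinux.withRule('RunAsAny') +
+podSecurityPolicy.mixin.spec.supplementalGroups
+.withRule('MustRunAs')
+.withRanges(ranges.new() + ranges.withMin(1000) + ranges.withMax(1000)) +
+podSecurityPolicy.mixin.spec.fsGroup
+.withRule('MustRunAs')
+.withRanges(ranges.new() + ranges.withMin(1000) + ranges.withMax(1000)),
+}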
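Review bot: The spec at L81-94 empties `allowedCapabilities` but never sets `requiredDropCapabilities`, so pods admitted under this PSP keep the container runtime's default capability set; if the upstream chart does the same this is acceptable for parity, but `.withRequiredDropCapabilities(['ALL'])` on the spec mixin (field `requiredDropCapabilities`; confirm the bundled k8s library exposes the method) is the stricter default for a controller pod and costs nothing here. The expression `ranges.new() + ranges.withMin(1000) + ranges.withMax(1000)` is written out three times (L97, L101, L104); one `local uid_range = ranges.new() + ranges.withMin(1000) + ranges.withMax(1000),` beside the other locals removes the repetition and makes a future change to the UID range a single edit. The commented-out AppArmor annotations at L75-79 would be clearer as a `_config` toggle than as dead text, but that can wait for a follow-up.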
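--- /dev/null
+++ b/cert-manager/cainjector_psp_clusterrole.libsonnet
@@ -0,0 +1,18 @@
+{
+local clusterRole = $.rbac.v1.clusterRole,
+local rules = clusterRole.rulesType,
+
+cainjector_psp_clusterrole:
+clusterRole.new() +
+clusterRole.mixin.metadata
+.withName('cert-manager-cainjector-psp')
+.withLabels({},/* TODO: labels */) +
+clusterRole.withRules(
+rules.new() +
+rules
+.withApiGroups('policy')
+.withResources(['podsecuritypolicies'])
+.withVerbs(['use'])
+.withResourceNames(['cert-manager-cainjector'])
+),
+}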
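Review bot: `.withApiGroups('policy')` at L124 passes a bare string, whereas the same helper receives an array at L189 and L192 of cainjector_rbac.libsonnet and a bare string again at L177 and L180 of that file; the generated library appears to wrap a non-array argument into a one-element list, so both forms work, but one convention, `.withApiGroups(['policy'])`, makes every rule read like the YAML it produces. The `/* TODO: labels */` marker inside the `withLabels` argument list at L120 recurs in every file of this commit; a single tracking note in config.libsonnet (or an issue reference) would be easier to keep current than a dozen inline placeholders.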
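--- /dev/null
+++ b/cert-manager/cainjector_psp_clusterrolebinding.libsonnet
@@ -0,0 +1,22 @@
+{
+local clusterRoleBinding = $.rbac.v1.clusterRoleBinding,
+local roleRef = clusterRoleBinding.roleRefType,
+local subjects = clusterRoleBinding.subjectsType,
+
+cainjector_psp_clusterrolebinding:
+clusterRoleBinding.new() +
+clusterRoleBinding.mixin.metadata
+.withName('cert-manager-cainjector-psp')
+.withLabels({}/* TODO: labels */,) +
+clusterRoleBinding.mixin.roleRef
+.withApiGroup('rbac.authorization.k8s.io')
+.withKind('ClusterRole')
+.withName('cert-manager-cainjector-psp') +
+clusterRoleBinding.withSubjects(
+subjects.new() + subjects
+.withKind('ServiceAccount')
+.withName('cert-manager-cainjector')
+.withNamespace($._config.namespace)
+),
+
+}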
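Review bot: `local roleRef = clusterRoleBinding.roleRefType` at L137 is never used; the reference is built through `clusterRoleBinding.mixin.roleRef` at L146, and cainjector_rbac.libsonnet L200 carries the same dead local. Dropping both keeps the linter quiet and stops suggesting there is a second way to set the role reference. The blank line before the closing brace at L156-158 can go at the same time.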
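--- /dev/null
+++ b/cert-manager/cainjector_rbac.libsonnet
@@ -0,0 +1,91 @@
+{
+local clusterRole = $.rbac.v1beta1.clusterRole,
+local rules = clusterRole.rulesType,
+
+cainjector_clusterrole:
+clusterRole.new() +
+clusterRole.mixin.metadata
+.withName('cert-manager-cainjector')
+.withNamespace('kube-system')
+.withLabels({}/* TODO:labels */) +
+clusterRole.withRules(
+[
+rules.withApiGroups('cert-manager.io')
+.withResources(['certificates'])
+.withVerbs(['get', 'list', 'watch']),
+rules.withApiGroups('')
+.withResources(['secrets'])
+.withVerbs(['get', 'list', 'watch']),
+rules.withApiGroups('')
+.withResources(['events'],)
+.withVerbs(['get', 'create', 'update', 'patch']),
+rules.withApiGroups('admissionregistration.k8s.io')
+.withResources(['validatingwebhookconfigurations', 'mutatingwebhookconfigurations'],)
+.withVerbs(['get', 'list', 'watch', 'update']),
+rules.withApiGroups(['apiregistration.k8s.io'])
+.withResources(['apiservices'])
+.withVerbs(['get', 'list', 'watch', 'update']),
+rules.withApiGroups(['apiextensions.k8s.io'])
+.withResources(['customresourcedefinitions'],)
+.withVerbs(['get', 'list', 'watch', 'update'],),
+]
+),
+
+local clusterRoleBinding = $.rbac.v1beta1.clusterRoleBinding,
+local roleRef = clusterRoleBinding.roleRefType,
+local subjects = clusterRoleBinding.subjectsType,
+
+cainjector_clusterrolebinding:
+clusterRoleBinding.new() +
+clusterRoleBinding.mixin.metadata
+.withName('cert-manager-cainjector')
+.withNamespace('kube-system')
+.withLabels({}/* TODO: labels */) +
+clusterRoleBinding.mixin.roleRef
+.withName('cert-manager-cainjector')
+.withKind('ClusterRole')
+.withApiGroup('rbac.authorization.k8s.io') +
+clusterRoleBinding.withSubjects(
+subjects.withKind('ServiceAccount')
+.withName('cert-manager-cainjector')
+.withNamespace($._config.namespace)
+),
+
+local role = $.rbac.v1beta1.role,
+
+cainjector_leaderelection_role:
+role.new() +
+role.mixin.metadata
+.withName('cert-manager-cainjector:leaderelection')
+.withNamespace('kube-system')
+.withLabels({}/* TODO: labels */) +
+role.withRules(
+[
+role.rulesType.new() +
+role.rulesType
+.withApiGroups('')
+.withResources(['configmaps'],)
+.withVerbs(['get', 'create', 'update', 'patch']),
+],
+),
+
+local roleBinding = $.rbac.v1beta1.roleBinding,
+
+cainjector_leaderelection_rolebinding:
+roleBinding.new() +
+roleBinding.mixin.metadata
+.withName('cert-manager-cainjector:leaderelection')
+.withNamespace('kube-system')
+.withLabels({}/* TODO: labels */) +
+roleBinding.mixin.roleRef
+.withApiGroup('rbac.authorization.k8s.io')
+.withKind('Role')
+.withName('cert-manager-cainjector:leaderelection') +
+roleBinding.withSubjects(
+subjects
+.withKind('ServiceAccount')
+.withName('cert-manager-cainjector')
+.withNamespace($._config.namespace)
+),
+
+}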
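Review bot: The rule at L180-182 grants `get`/`list`/`watch` on every Secret in the cluster to the cainjector service account; the README says the library mirrors the upstream chart, but this is the broadest grant in the commit and the one a cluster operator will question first, so it deserves a why-comment, e.g. `// cluster-wide secret read: cainjector copies CA material out of certificate secrets it is asked to inject -- confirm wording against the cert-manager docs`. This file builds all four objects from `$.rbac.v1beta1` (L165, L199, L221, L241) while cainjector_psp_clusterrole.libsonnet and cainjector_psp_clusterrolebinding.libsonnet use `$.rbac.v1`; settling on `rbac.v1` everywhere avoids shipping two API versions of the same kinds and the v1beta1 deprecation that comes with it. `.withNamespace('kube-system')` on the ClusterRole (L173) and ClusterRoleBinding (L208) is metadata on cluster-scoped objects that the API server does not use; only the Role and RoleBinding need it, and leaving it on the cluster-scoped objects invites the wrong assumption that they are namespaced. The leader-election Role is pinned to `kube-system` to match the `--leader-election-namespace=kube-system` flag in cainjector_deployment.libsonnet; a one-line comment saying so would stop someone "fixing" one side without the other.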
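--- /dev/null
+++ b/cert-manager/cainjector_serviceaccount.libsonnet
@@ -0,0 +1,8 @@
+{
+local serviceAccount = $.core.v1.serviceAccount,
+cainjector_serviceaccount:
+serviceAccount.new('cert-manager-cainjector') +
+serviceAccount.mixin.metadata
+.withLabels({}/* TODO: labels */)
+.withNamespace($._config.namespace),
+}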
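--- /dev/null
+++ b/PATH-NOT-SHOWN-entrypoint.libsonnet
@@ -0,0 +1,27 @@
+(import 'ksonnet-util/kausal.libsonnet') +
+(import 'cert-manager/cainjector_deployment.libsonnet') +
+(import 'cert-manager/cainjector_psp.libsonnet') +
+(import 'cert-manager/cainjector_psp_clusterrole.libsonnet') +
+(import 'cert-manager/cainjector_psp_clusterrolebinding.libsonnet') +
+(import 'cert-manager/cainjector_rbac.libsonnet') +
+(import 'cert-manager/cainjector_serviceaccount.libsonnet') +
+(import 'cert-manager/config.libsonnet') +
+(import 'cert-manager/default_clusterissuers.libsonnet') +
+(import 'cert-manager/deployment.libsonnet') +
+(import 'cert-manager/namespace.libsonnet') +
+(import 'cert-manager/psp.libsonnet') +
+(import 'cert-manager/psp_clusterrole.libsonnet') +
+(import 'cert-manager/psp_clusterrolebinding.libsonnet') +
+(import 'cert-manager/rbac.libsonnet') +
+(import 'cert-manager/service.libsonnet') +
+(import 'cert-manager/serviceaccount.libsonnet') +
+(import 'cert-manager/webhook_deployment.libsonnet') +
+(import 'cert-manager/webhook_mutating_webhook.libsonnet') +
+(import 'cert-manager/webhook_psp_clusterrole.libsonnet') +
+(import 'cert-manager/webhook_psp_clusterrolebinding.libsonnet') +
+(import 'cert-manager/webhook_psp.libsonnet') +
+(import 'cert-manager/webhook_rbac.libsonnet') +
+(import 'cert-manager/webhook_service.libsonnet') +
+(import 'cert-manager/webhook_serviceaccount.libsonnet') +
+(import 'cert-manager/webhook_validating_webhook.libsonnet') +
+(import 'cert-manager/crds.libsonnet')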
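--- /dev/null
+++ b/cert-manager/config.libsonnet
@@ -0,0 +1,15 @@
+{
+_images+:: {
+cert_manager: 'quay.io/jetstack/cert-manager-controller:v0.13.0',
+cert_manager_cainjector: 'quay.io/jetstack/cert-manager-cainjector:v0.13.0',
+cert_manager_webhook: 'quay.io/jetstack/cert-manager-webhook:v0.13.0',
+},
+// Empty for now, used to keep the structure consistent.
+_config+:: {
+namespace: error '$._config.namespace needs to be configured.',
+// "letsencrypt-staging" and "letsencrypt-prod" ClusterIssuer is generated automatically.
+default_issuer: null,
+default_issuer_group: 'cert-manager.io',
+issuer_email: error '$._config.issuer_email needs to be configured.',
+},
+}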
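Review bot: The comment at L319, `// Empty for now, used to keep the structure consistent.`, is stale: the `_config` object directly below it carries five settings, two of which deliberately fail evaluation until the consumer sets them; `// Required settings evaluate to an error until the consumer overrides them.` describes what the block actually does. The three image references at L315-317 are pinned by a mutable tag only; for the component that holds the ACME account keys and mints certificates, pinning by digest (`image@sha256:<digest-placeholder>`) or recording where the tag is verified gives a stronger supply-chain anchor, and the README is the place to state that policy. The `error` defaults for `namespace` and `issuer_email` are the right fail-closed choice and should be kept. The comment at L322 reads as if it documented `default_issuer`; it is really a note about default_clusterissuers.libsonnet, so moving it above the `_config` block or rewording it to `// default_issuer: name of the ClusterIssuer passed as --default-issuer-name; null leaves it unset.` would avoid confusion.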
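--- /dev/null
+++ b/cert-manager/crds.libsonnet
@@ -0,0 +1,7 @@
+{
+local parseYAML = std.native('parseYaml'),
+local raw_yaml = importstr 'cert-manager/files/00-crds.yaml',
+local crds_yaml = parseYAML(raw_yaml),
+// Downloaded from https://raw.githubusercontent.com/jetstack/cert-manager/release-0.12/deploy/manifests/00-crds.yaml
+crds: crds_yaml,
+}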
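Review bot: The comment at L337 says the CRD bundle was taken from the `release-0.12` branch, while config.libsonnet pins the controller, cainjector and webhook images to `v0.13.0`; either the file should be refreshed from the matching release or the comment corrected if it already is, because a CRD/controller version skew only surfaces at runtime as rejected or silently dropped fields. The comment also belongs next to the `importstr` at L335, the line it describes, rather than above `crds:`. `std.native('parseYaml')` is not part of the jsonnet standard library, so a note such as `// parseYaml is a native function supplied by the evaluator (Tanka) -- plain jsonnet will fail here` saves consumers a confusing evaluation error; confirm which evaluator the repository assumes.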
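--- /dev/null
+++ b/cert-manager/default_clusterissuers.libsonnet
@@ -0,0 +1,63 @@
+{
+cluster_issuer_staging: {
+apiVersion: 'cert-manager.io/v1alpha2',
+kind: 'ClusterIssuer',
+metadata: {
+name: 'letsencrypt-staging',
+},
+spec: {
+acme: {
+// You must replace this email address with your own.
+// Let's Encrypt will use this to contact you about expiring
+// certificates, and issues related to your account.
+email: $._config.issuer_email,
+server: 'https://acme-staging-v02.api.letsencrypt.org/directory',
+privateKeySecretRef: {
+// Secret resource used to store the account's private key.
+name: 'letsencrypt-staging-account',
+},
+// Add a single challenge solver, HTTP01 using nginx
+solvers: [
+{
+http01: {
+ingress: {
+class: 'nginx',
+},
+},
+},
+],
+},
+},
+},
+
+cluster_issuer_prod: {
+apiVersion: 'cert-manager.io/v1alpha2',
+kind: 'ClusterIssuer',
+metadata: {
+name: 'letsencrypt-prod',
+},
+spec: {
+acme: {
+// You must replace this email address with your own.
+// Let's Encrypt will use this to contact you about expiring
+// certificates, and issues related to your account.
+email: $._config.issuer_email,
+server: 'https://acme-v02.api.letsencrypt.org/directory',
+privateKeySecretRef: {
+// Secret resource used to store the account's private key.
+name: 'letsencrypt-prod-account',
+},
+// Add a single challenge solver, HTTP01 using nginx
+solvers: [
+{
+http01: {
+ingress: {
+class: 'nginx',
+},
+},
+},
+],
+},
+},
+},
+}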
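Review bot: The comment at L354-356 (repeated at L386-388) tells the reader to replace the email address, but the value is already `$._config.issuer_email`, which errors out when unset; `// Taken from $._config.issuer_email; Let's Encrypt uses it for expiry and account notices.` matches what the code does. The HTTP01 solver hard-codes `class: 'nginx'` (L368, L400) with no `_config` knob, so a cluster on another ingress controller has to override the whole object; a `_config` field (name to be chosen) defaulting to `'nginx'` keeps the current behaviour while making the override one line. The two ClusterIssuers differ only in name, ACME server URL and account-secret name; a local function taking those three values would halve the file and keep the solver configuration from drifting between staging and prod.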
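--- /dev/null
+++ b/cert-manager/deployment.libsonnet
@@ -0,0 +1,38 @@
+{
+local deployment = $.apps.v1.deployment,
+local container = $.core.v1.container,
+local containerPort = $.core.v1.containerPort,
+
+cert_manager_container::
+container.new('cert-manager', $._images.cert_manager)
+.withPorts(containerPort.new(name='cert-manager', port=9402).withProtocol('TCP'))
+.withImagePullPolicy('IfNotPresent')
+.withArgs([
+'--v=2', // loglevel
+'--cluster-resource-namespace=$(POD_NAMESPACE)', // optionally customizable
+'--leader-election-namespace=kube-system', // optionally customizable
+//'--default-issuer-name=', // unset by default
+//'--default-issuer-kind=', // unset by default
+//'--default-issuer-group=', // unset by default
+'--webhook-namespace=$(POD_NAMESPACE)',
+'--webhook-ca-secret=cert-manager-webhook-ca',
+'--webhook-serving-secret=cert-manager-webhook-tls',
+std.format('--webhook-dns-names=cert-manager-webhook,cert-manager-webhook.%(ns)s,cert-manager-webhook.%(ns)s.svc', { ns: $._config.namespace }),
+'--default-issuer-kind=ClusterIssuer',
+] +
+(if $._config.default_issuer != null then ['--default-issuer-name=' + $._config.default_issuer] else []) +
+(if $._config.default_issuer_group != null then ['--default-issuer-group=' + $._config.default_issuer_group] else [])
+,)
+
+.withEnv([
+container.envType.fromFieldPath('POD_NAMESPACE', 'metadata.namespace'),
+]),
+
+deployment:
+deployment.new(name='cert-manager', replicas=1, containers=[$.cert_manager_container], podLabels={
+app: 'controller',
+/* TODO: labels */
+},) +
+deployment.mixin.spec.template.spec
+.withServiceAccountName('cert-manager'),
+}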
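Review bot: `'--default-issuer-kind=ClusterIssuer'` at L435 is passed unconditionally, which contradicts the `// unset by default` note on the commented-out line at L429 and, when `$._config.default_issuer` is null, hands the controller a default issuer kind with no default issuer name; moving it into the conditional at L437, `(if $._config.default_issuer != null then ['--default-issuer-name=' + $._config.default_issuer, '--default-issuer-kind=ClusterIssuer'] else [])`, keeps the three default-issuer flags consistent, and the three commented-out flags at L428-430 can then be deleted. The field `deployment:` at L447 is the only unprefixed object in the library (compare `cainjector_deployment`); because the entrypoint composes every file with `+`, any other library merged alongside that also defines `deployment` overrides this one without an error, so `cert_manager_deployment:` would be the safer name. The `std.format` call at L434 is the one place the webhook DNS names are derived from `$._config.namespace`; a comment tying it to the webhook service name defined in webhook_service.libsonnet would help the next reader, as that file is not in view here. As with the cainjector deployment, the container has no securityContext and the deployment no metadata namespace, so the same PSP dependency and namespace-alignment remarks apply.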