feat: use cert-manager to gen tls cert and secret. (#3540)

* use k8s job to gen tls cert and secret.

* fix check tls secret logic error.

* add set -x for init.sh

* fix ns logic and update readme.

* use tmpl.

* use cert-manager to mock cert.

deploy/cloud/Kubefile

@@ -3,6 +3,7 @@ COPY tars tars
 COPY etc etc
 COPY scripts scripts
 COPY manifests manifests
+COPY registry registry
 
 ENV cloudDomain="127.0.0.1.nip.io"
 

deploy/cloud/README.md

@@ -46,13 +46,15 @@ sealos gen labring/kubernetes:v1.25.6\
     labring/zot:v1.4.3\
     labring/kubeblocks:v0.5.3\
     --env policy=anonymousPolicy\
-    --masters 10.140.0.16 > Clusterfile
+    --masters 10.140.0.16 \
+    --nodes 10.140.0.17, 10.140.0.18 > Clusterfile
 
 sealos apply -f Clusterfile
 ```
 
 Note: if you want to change pod cidr, please edit the `Clusterfile` before run `sealos apply`
 
+
 ### Ingress-nginx setup
 We use ingress-nginx to expose our services. You can install ingress-nginx by using sealos:
 
@@ -82,10 +84,16 @@ Install ingress-nginx and switch to NodePort mode
 sealos run docker.io/labring/ingress-nginx:v1.5.1 --config-file ingress-nginx-config.yaml
 ```
 
+Note: if your domain is resolved to the master ip, you may need patch ingress-nginx DaemonSet to run on master node:
+
+```shell
+kubectl -n ingress-nginx patch ds ingress-nginx-controller -p '{"spec":{"template":{"spec":{"tolerations":[{"key":"node-role.kubernetes.io/master","operator":"Exists","effect":"NoSchedule"}]}}}}'
+````
+
 ## run sealos cloud cluster image
 
 ### Generate TLS config file
-You can skip this step if you use the self-signed cert that we provide by default. 
+You can skip this step if you use the self-signed cert which we provided by default. 
 
 Please make sure `spec.match` is the same as the image you want to run and the registry name such as ghcr.io/docker.io can
 

deploy/cloud/manifests/mock-cert.yaml.tmpl

@@ -0,0 +1,27 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: selfsigned-issuer
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: sealos-cloud
+  namespace: sealos-system
+spec:
+  secretName: wildcard-cert
+  issuerRef:
+    name: selfsigned-issuer
+    kind: ClusterIssuer
+  commonName: {{ .cloudDomain }}
+  dnsNames:
+    - '{{ .cloudDomain }}'
+    - '*.{{ .cloudDomain }}'
+  secretTemplate:
+    annotations:
+      reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
+      reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: sealos,\w+-system,\w+-frontend,ns-[\-a-z0-9]*
+      reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
+      reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: sealos,\w+-system,\w+-frontend,ns-[\-a-z0-9]*

deploy/cloud/scripts/init.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
-set -e
+set -ex
 
 cloudDomain="127.0.0.1.nip.io"
 tlsCrtPlaceholder="<tls-crt-placeholder>"
@@ -10,17 +10,15 @@ function read_env {
   source $1
 }
 
-function mock_tls {
+function create_tls_secret {
   if grep -q $tlsCrtPlaceholder manifests/tls-secret.yaml; then
     echo "mock tls secret"
+    kubectl apply -f manifests/mock-cert.yaml
+    echo "mock tls cert has been created successfully."
   else
     echo "tls secret is already set"
-    return
+    kubectl apply -f manifests/tls-secret.yaml
   fi
-
-  mkdir -p etc/tls
-  openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout etc/tls/tls.key -out etc/tls/tls.crt -subj "/CN=$1" -addext "subjectAltName=DNS:$1,DNS:*.$1" >/dev/null 2>&1
-  sed -i -e "s;$tlsCrtPlaceholder;$(base64 -w 0 etc/tls/tls.crt);" -e "s;$tlsKeyPlaceholder;$(base64 -w 0 etc/tls/tls.key);" manifests/tls-secret.yaml
 }
 
 function sealos_run_controller {
@@ -94,11 +92,11 @@ function install {
   # read env
   read_env etc/sealos/cloud.env
 
-  # mock tls
-  mock_tls $cloudDomain
-
   # kubectl apply namespace, secret and mongodb
-  kubectl apply -f manifests/namespace.yaml -f manifests/tls-secret.yaml
+  kubectl apply -f manifests/namespace.yaml
+
+  # create tls secret
+  create_tls_secret $cloudDomain
 
   # gen mongodb uri
   gen_mongodb_uri