diff --git a/deploy/cloud/manifests/mock-cert-job.yaml.tmpl b/deploy/cloud/manifests/mock-cert-job.yaml.tmpl
deleted file mode 100644
index 2c8ddc637b0..00000000000
--- a/deploy/cloud/manifests/mock-cert-job.yaml.tmpl
+++ /dev/null
@@ -1,78 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: mock-cert-sa
- namespace: sealos-system
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: secret-manager
- namespace: sealos-system
-rules:
- - apiGroups: [""]
- resources: ["secrets"]
- verbs: ["*"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: secret-creator-binding
- namespace: sealos-system
-subjects:
- - kind: ServiceAccount
- name: mock-cert-sa
- namespace: sealos-system
-roleRef:
- kind: Role
- name: secret-manager
- apiGroup: rbac.authorization.k8s.io
----
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: mock-cert
- namespace: sealos-system
-spec:
- template:
- spec:
- securityContext:
- runAsUser: 0
- serviceAccountName: mock-cert-sa
- containers:
- - name: mock-cert
- image: bitnami/kubectl:1.25.6
- command: [ "/bin/sh", "-c" ]
- args:
- - |
- set -ex
-
- mkdir -p /etc/tls
- openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
- -keyout /etc/tls/tls.key \
- -out /etc/tls/tls.crt \
- -subj "/CN={{ .cloudDomain }}" \
- -addext "subjectAltName=DNS:{{ .cloudDomain }},DNS:*.{{ .cloudDomain }}"
- tls_crt=$(cat /etc/tls/tls.crt | base64 | tr -d '\n')
- tls_key=$(cat /etc/tls/tls.key | base64 | tr -d '\n')
- tmpfile=$(mktemp)
- cat <$tmpfile
- apiVersion: v1
- data:
- tls.crt: $tls_crt
- tls.key: $tls_key
- kind: Secret
- metadata:
- annotations:
- reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
- reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: sealos,\w+-system,\w+-frontend,ns-[\-a-z0-9]*
- reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
- reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: sealos,\w+-system,\w+-frontend,ns-[\-a-z0-9]*
- name: wildcard-cert
- namespace: sealos-system
- type: kubernetes.io/tls
- EOF
-
- kubectl apply -f $tmpfile --namespace=sealos-system
- restartPolicy: Never
- backoffLimit: 1
\ No newline at end of file
diff --git a/deploy/cloud/manifests/mock-cert.yaml.tmpl b/deploy/cloud/manifests/mock-cert.yaml.tmpl
new file mode 100644
index 00000000000..8224d5c34f4
--- /dev/null
+++ b/deploy/cloud/manifests/mock-cert.yaml.tmpl
@@ -0,0 +1,27 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: selfsigned-issuer
+spec:
+ selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: sealos-cloud
+ namespace: sealos-system
+spec:
+ secretName: wildcard-cert
+ issuerRef:
+ name: selfsigned-issuer
+ kind: ClusterIssuer
+ commonName: {{ .cloudDomain }}
+ dnsNames:
+ - '{{ .cloudDomain }}'
+ - '*.{{ .cloudDomain }}'
+ secretTemplate:
+ annotations:
+ reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
+ reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: sealos,\w+-system,\w+-frontend,ns-[\-a-z0-9]*
+ reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
+ reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: sealos,\w+-system,\w+-frontend,ns-[\-a-z0-9]*
diff --git a/deploy/cloud/scripts/init.sh b/deploy/cloud/scripts/init.sh
index b43198406e2..2577f13f583 100644
--- a/deploy/cloud/scripts/init.sh
+++ b/deploy/cloud/scripts/init.sh
@@ -13,8 +13,8 @@ function read_env {
 function create_tls_secret {
 if grep -q $tlsCrtPlaceholder manifests/tls-secret.yaml; then
 echo "mock tls secret"
- kubectl apply -f manifests/mock-cert-job.yaml
- echo "mock tls job has been created successfully."
+ kubectl apply -f manifests/mock-cert.yaml
+ echo "mock tls cert has been created successfully."
 else
 echo "tls secret is already set"
 kubectl apply -f manifests/tls-secret.yaml
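Review bot: `commonName: {{ .cloudDomain }}` is the one templated value in the new Certificate left unquoted while both `dnsNames` entries are single-quoted; write it as `commonName: '{{ .cloudDomain }}'` so that an empty or YAML-typed expansion stays a string instead of becoming null or a number after rendering. The cluster-scoped ClusterIssuer carries the generic name `selfsigned-issuer`, which `kubectl apply` would adopt if a cluster already has one by that name, so a header comment such as `# Self-signed issuer for the mock-cert path only; real certs come from tls-secret.yaml` would make the intended scope explicit. No `duration` is set, so cert-manager's default lifetime applies rather than the 365 days the deleted Job's `openssl` call used; if the longer lifetime mattered, `duration: 8760h` under `spec` restores it. The `secretTemplate` annotations carried over from the Job still reflect `wildcard-cert`, private key included, into every namespace matching `ns-[\-a-z0-9]*`, which is presumably intended for per-user ingress but deserves a one-line comment saying so, since the key now lives wherever reflector copies it.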
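Review bot: The new `echo "mock tls cert has been created successfully."` runs regardless of whether the preceding `kubectl apply -f manifests/mock-cert.yaml` succeeded, and that apply now depends on the cert-manager CRDs being installed, so on a cluster without cert-manager the apply fails on an unknown `Certificate` kind while the script still reports success (unless `set -e` is in force, which is outside the hunk). The `wildcard-cert` Secret is now produced by cert-manager reconciling the Certificate, still asynchronously with respect to this script, so any later step that mounts or reads it can race the issuance; inserting `kubectl wait --for=condition=Ready certificate/sealos-cloud -n sealos-system --timeout=120s` between the apply and the echo closes both gaps. create_tls_secret continues past the end of the hunk, so whether a later wait already covers this is not visible here.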