From f81eadea58906af043fbc0ac7fc96d978c2a4c1c Mon Sep 17 00:00:00 2001
From: steiler
Date: Fri, 26 Jan 2024 10:17:02 +0100
Subject: [PATCH 1/6] cert-manager for api-service cert

---
 artifacts/apiservice.yaml | 4 ++--
 .../cert-manager_certificate-api-service.yaml | 14 ++++++++++++++
 artifacts/cert-manager_clusterIssuer.yaml | 9 +++++++++
 artifacts/cert-manager_selfsigned-ca.yaml | 16 ++++++++++++++++
 artifacts/cert-mnager_ca-issuer.yaml | 8 ++++++++
 5 files changed, 49 insertions(+), 2 deletions(-)
 create mode 100644 artifacts/cert-manager_certificate-api-service.yaml
 create mode 100644 artifacts/cert-manager_clusterIssuer.yaml
 create mode 100644 artifacts/cert-manager_selfsigned-ca.yaml
 create mode 100644 artifacts/cert-mnager_ca-issuer.yaml

diff --git a/artifacts/apiservice.yaml b/artifacts/apiservice.yaml
index 48abdb4b..b99c833e 100644
--- a/artifacts/apiservice.yaml
+++ b/artifacts/apiservice.yaml
@@ -2,8 +2,9 @@ apiVersion: apiregistration.k8s.io/v1
 kind: APIService
 metadata:
 name: v1alpha1.config.sdcio.dev
+ annotations:
+ cert-manager.io/inject-ca-from: network-system/config-apiservice
 spec:
- insecureSkipTLSVerify: true
 group: config.sdcio.dev
 groupPriorityMinimum: 1000
 versionPriority: 15
@@ -12,4 +13,3 @@ spec:
 namespace: network-system
 port: 6443
 version: v1alpha1
- #caBundle: "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"
diff --git a/artifacts/cert-manager_certificate-api-service.yaml b/artifacts/cert-manager_certificate-api-service.yaml
new file mode 100644
index 00000000..2609d5bd
--- /dev/null
+++ b/artifacts/cert-manager_certificate-api-service.yaml
@@ -0,0 +1,14 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: config-apiservice
+ namespace: network-system
+spec:
+ secretName: config-server
+ secretTemplate:
+ labels:
+ config-server: "true"
+ dnsNames:
+ - config-server.network-system.svc
+ issuerRef:
+ name: my-ca-issuer
\ No newline at end of file
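Review bot: With `insecureSkipTLSVerify: true` removed, the aggregation layer can only reach this service once cert-manager's cainjector has filled `spec.caBundle` from the `cert-manager.io/inject-ca-from` annotation added two lines above, and nothing in the manifest records that dependency. If cainjector is not running or the referenced Certificate never becomes Ready, the APIService has neither a trusted bundle nor the skip flag, so the aggregated API will presumably stay unavailable rather than fall back to an unverified connection — the safe failure mode, but one worth spelling out for whoever deploys this. A comment above the annotation would do: `# spec.caBundle is populated by cert-manager's cainjector from this Certificate's Secret; keep insecureSkipTLSVerify out`. The APIService document continues on both sides of the hunk (apiVersion before it, the service block after it).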
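Review bot: The new Certificate in `cert-manager_certificate-api-service.yaml` leaves `spec.privateKey` unset, so it inherits the cert-manager default of that period (`rotationPolicy: Never`), which reuses the same private key on every renewal; for the serving key of an aggregated API add `privateKey:` / `  rotationPolicy: Always` so each renewal also replaces the key. Renewal rewrites the `config-server` Secret in place, so whatever mounts it must reload or be restarted for the new certificate to actually be served — not visible here, so worth confirming. The static Secret this replaces (`artifacts/secret.yaml`, deleted in PATCH 2/6) carried a `tls.key` in the repository; that key remains in git history, should be treated as exposed, and should be removed from any cluster it was applied to once the cert-manager-issued Secret is in place. The file is also written without a trailing newline, per the `\ No newline at end of file` marker.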
diff --git a/artifacts/cert-manager_clusterIssuer.yaml b/artifacts/cert-manager_clusterIssuer.yaml
new file mode 100644
index 00000000..6cdd9f19
--- /dev/null
+++ b/artifacts/cert-manager_clusterIssuer.yaml
@@ -0,0 +1,9 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: selfsigned-issuer
+spec:
+ selfSigned: {}
+
+
+
diff --git a/artifacts/cert-manager_selfsigned-ca.yaml b/artifacts/cert-manager_selfsigned-ca.yaml
new file mode 100644
index 00000000..fd0b714d
--- /dev/null
+++ b/artifacts/cert-manager_selfsigned-ca.yaml
@@ -0,0 +1,16 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: my-selfsigned-ca
+ namespace: network-system
+spec:
+ isCA: true
+ commonName: my-selfsigned-ca
+ secretName: root-secret
+ privateKey:
+ algorithm: ECDSA
+ size: 256
+ issuerRef:
+ name: selfsigned-issuer
+ kind: ClusterIssuer
+ group: cert-manager.io
\ No newline at end of file
diff --git a/artifacts/cert-mnager_ca-issuer.yaml b/artifacts/cert-mnager_ca-issuer.yaml
new file mode 100644
index 00000000..fa5822b5
--- /dev/null
+++ b/artifacts/cert-mnager_ca-issuer.yaml
@@ -0,0 +1,8 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: my-ca-issuer
+ namespace: network-system
+spec:
+ ca:
+ secretName: root-secret

From 18675042343ff16a6c5ceb9ec1100237d9f28933 Mon Sep 17 00:00:00 2001
From: steiler
Date: Fri, 26 Jan 2024 10:18:49 +0100
Subject: [PATCH 2/6] remove the predefined cert secret

---
 artifacts/secret.yaml | 11 -----------
 1 file changed, 11 deletions(-)
 delete mode 100644 artifacts/secret.yaml

diff --git a/artifacts/secret.yaml b/artifacts/secret.yaml
deleted file mode 100644
index bccbe155..00000000
--- a/artifacts/secret.yaml
+++ /dev/null
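Review bot: The ClusterIssuer hunk ends with three empty added lines (the bare `+` lines before the next `diff --git`), which become trailing blank lines in the file; trim them to a single final newline. Separately, `selfsigned-issuer` is cluster-scoped while its only consumer in this series is the bootstrap CA Certificate in `network-system`, so a namespaced `Issuer` there would keep the scope as narrow as the rest of the chain (the CA Certificate's `issuerRef` would then say `kind: Issuer`). That second point is style; both forms work.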
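Review bot: The CA Certificate `my-selfsigned-ca` sets no `spec.duration`, so it gets cert-manager's default lifetime (90 days) — the same as the leaf it will sign — and the trust anchor injected into the APIService therefore renews as often as the serving certificate. Give the root an explicit, longer `duration` and `renewBefore` so the anchor changes on a schedule you choose, and set `privateKey.rotationPolicy` on it deliberately: the default `Never` keeps the same key across renewals, while `Always` re-keys the root and makes every dependent leaf and injected bundle churn on the CA's schedule — TODO confirm which the deployment wants. Because `root-secret` holds the key the aggregation layer ultimately trusts, read access to Secrets in `network-system` deserves the same RBAC scrutiny the old hand-managed TLS secret had. The file also lacks a trailing newline.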
@@ -1,11 +0,0 @@
-apiVersion: v1
-kind: Secret
-type: kubernetes.io/tls
-metadata:
- name: config-server
- namespace: network-system
- labels:
- sdcio.dev/config-server: "true"
-data:
- tls.crt: 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
- tls.key: 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

From a66d75574854867ffb9f8505bde65548cdddf93a Mon Sep 17 00:00:00 2001
From: steiler
Date: Fri, 26 Jan 2024 10:27:59 +0100
Subject: [PATCH 3/6] fix typo

---
 .../{cert-mnager_ca-issuer.yaml => cert-manager_ca-issuer.yaml} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename artifacts/{cert-mnager_ca-issuer.yaml => cert-manager_ca-issuer.yaml} (100%)

diff --git a/artifacts/cert-mnager_ca-issuer.yaml b/artifacts/cert-manager_ca-issuer.yaml
similarity index 100%
rename from artifacts/cert-mnager_ca-issuer.yaml
rename to artifacts/cert-manager_ca-issuer.yaml

From 6e2559228196ab7710a97b8678c77c21b2dcca1b Mon Sep 17 00:00:00 2001
From: steiler
Date: Fri, 26 Jan 2024 10:42:37 +0100
Subject: [PATCH 4/6] adjust resource names

---
 artifacts/apiservice.yaml | 2 +-
 artifacts/cert-manager_ca-issuer.yaml | 2 +-
 artifacts/cert-manager_certificate-api-service.yaml | 2 +-
 artifacts/cert-manager_selfsigned-ca.yaml | 2 +-
 artifacts/deployment.yaml | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/artifacts/apiservice.yaml b/artifacts/apiservice.yaml
index b99c833e..70166190 100644
--- a/artifacts/apiservice.yaml
+++ b/artifacts/apiservice.yaml
@@ -3,7 +3,7 @@ kind: APIService
 metadata:
 name: v1alpha1.config.sdcio.dev
 annotations:
- cert-manager.io/inject-ca-from: network-system/config-apiservice
+ cert-manager.io/inject-ca-from: network-system/config-server-cert
 spec:
 group: config.sdcio.dev
 groupPriorityMinimum: 1000
diff --git a/artifacts/cert-manager_ca-issuer.yaml b/artifacts/cert-manager_ca-issuer.yaml
index fa5822b5..f87e3db5 100644
--- a/artifacts/cert-manager_ca-issuer.yaml
+++ b/artifacts/cert-manager_ca-issuer.yaml
@@ -5,4 +5,4 @@ metadata:
 namespace: network-system
 spec:
 ca:
- secretName: root-secret
+ secretName: my-selfsigned-ca-secret
diff --git a/artifacts/cert-manager_certificate-api-service.yaml b/artifacts/cert-manager_certificate-api-service.yaml
index 2609d5bd..80fb319e 100644
--- a/artifacts/cert-manager_certificate-api-service.yaml
+++ b/artifacts/cert-manager_certificate-api-service.yaml
@@ -4,7 +4,7 @@ metadata:
 name: config-apiservice
 namespace: network-system
 spec:
- secretName: config-server
+ secretName: config-server-cert
 secretTemplate:
 labels:
 config-server: "true"
diff --git a/artifacts/cert-manager_selfsigned-ca.yaml b/artifacts/cert-manager_selfsigned-ca.yaml
index fd0b714d..f0ed4e1b 100644
--- a/artifacts/cert-manager_selfsigned-ca.yaml
+++ b/artifacts/cert-manager_selfsigned-ca.yaml
@@ -6,7 +6,7 @@ metadata:
 spec:
 isCA: true
 commonName: my-selfsigned-ca
- secretName: root-secret
+ secretName: my-selfsigned-ca-secret
 privateKey:
 algorithm: ECDSA
 size: 256
diff --git a/artifacts/deployment.yaml b/artifacts/deployment.yaml
index 90af4c31..4179d5c6 100644
--- a/artifacts/deployment.yaml
+++ b/artifacts/deployment.yaml
@@ -96,7 +96,7 @@ spec:
 name: data-server
 - name: apiserver-certs
 secret:
- secretName: config-server
+ secretName: config-server-cert
 - name: cache
 emptyDir:
 sizeLimit: 10Gi

From 5110ea0db627b63f5593b309e49ed82a271a0b33 Mon Sep 17 00:00:00 2001
From: steiler
Date: Fri, 26 Jan 2024 10:57:41 +0100
Subject: [PATCH 5/6] adjust ca-injector ref for api-service

---
 artifacts/apiservice.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/artifacts/apiservice.yaml b/artifacts/apiservice.yaml
index 70166190..b99c833e 100644
--- a/artifacts/apiservice.yaml
+++ b/artifacts/apiservice.yaml
@@ -3,7 +3,7 @@ kind: APIService
 metadata:
 name: v1alpha1.config.sdcio.dev
 annotations:
- cert-manager.io/inject-ca-from: network-system/config-server-cert
+ cert-manager.io/inject-ca-from: network-system/config-apiservice
 spec:
 group: config.sdcio.dev
 groupPriorityMinimum: 1000

From 3b73b0c6b61621359f56f1673911a477ab167bb2 Mon Sep 17 00:00:00 2001
From: steiler
Date: Mon, 5 Feb 2024 11:36:15 +0100
Subject: [PATCH 6/6] update label with prefix

---
 artifacts/cert-manager_certificate-api-service.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/artifacts/cert-manager_certificate-api-service.yaml b/artifacts/cert-manager_certificate-api-service.yaml
index 80fb319e..4478f335 100644
--- a/artifacts/cert-manager_certificate-api-service.yaml
+++ b/artifacts/cert-manager_certificate-api-service.yaml
@@ -7,7 +7,7 @@ spec:
 secretName: config-server-cert
 secretTemplate:
 labels:
- config-server: "true"
+ sdcio.dev/config-server: "true"
 dnsNames:
 - config-server.network-system.svc
 issuerRef:
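Review bot: The value restored on the `+` line is the `namespace/name` of the cert-manager Certificate (`config-apiservice`), not of the Secret it produces (`config-server-cert`) — exactly the mix-up PATCH 4/6 introduced for this file and this commit undoes — and nothing in the manifest states that rule, so the next maintainer can make the same swap. A comment above the annotation would pin it: `# <namespace>/<Certificate name>: cainjector copies ca.crt from that Certificate's Secret into spec.caBundle`. Consider squashing the `apiservice.yaml` changes of PATCH 4/6 and 5/6 so the history does not carry an intermediate state in which CA injection is broken. The APIService manifest continues on both sides of the hunk.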