simon/cert-manager-webhook-manitu
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Use cert-manager to secure APIService resource

Browse Source 
Signed-off-by: James Munnelly <james@munnelly.eu>
This commit is contained in:
James Munnelly 2019-04-29 18:09:16 +01:00
parent 3935fd70e7
commit 2c01592255
4 changed files with 105 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
deploy/example-webhook/templates/_helpers.tpl
View File

@ -30,3 +30,19 @@ Create chart name and version as used by the chart label.
{{- define "example-webhook.chart" -}} {{- define "example-webhook.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}} {{- end -}}
{{- define "example-webhook.selfSignedIssuer" -}}
{{ printf "%s-selfsign" (include "example-webhook.fullname" .) }}
{{- end -}}
{{- define "example-webhook.rootCAIssuer" -}}
{{ printf "%s-ca" (include "example-webhook.fullname" .) }}
{{- end -}}
{{- define "example-webhook.rootCACertificate" -}}
{{ printf "%s-ca" (include "example-webhook.fullname" .) }}
{{- end -}}
{{- define "example-webhook.servingCertificate" -}}
{{ printf "%s-webhook-tls" (include "example-webhook.fullname" .) }}
{{- end -}}

3
deploy/example-webhook/templates/apiservice.yaml
View File

@ -7,11 +7,12 @@ metadata:
chart: {{ include "example-webhook.chart" . }} chart: {{ include "example-webhook.chart" . }}
release: {{ .Release.Name }} release: {{ .Release.Name }}
heritage: {{ .Release.Service }} heritage: {{ .Release.Service }}
annotations:
certmanager.k8s.io/inject-ca-from: "{{ .Release.Namespace }}/{{ include "example-webhook.servingCertificate" . }}"
spec: spec:
group: {{ .Values.groupName }} group: {{ .Values.groupName }}
groupPriorityMinimum: 1000 groupPriorityMinimum: 1000
versionPriority: 15 versionPriority: 15
insecureSkipTLSVerify: true
service: service:
name: {{ include "example-webhook.fullname" . }} name: {{ include "example-webhook.fullname" . }}
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}

11
deploy/example-webhook/templates/deployment.yaml
View File

@ -24,6 +24,9 @@ spec:
- name: {{ .Chart.Name }} - name: {{ .Chart.Name }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }} imagePullPolicy: {{ .Values.image.pullPolicy }}
args:
- --tls-cert-file=/tls/tls.crt
- --tls-private-key-file=/tls/tls.key
env: env:
- name: GROUP_NAME - name: GROUP_NAME
value: {{ .Values.groupName | quote }} value: {{ .Values.groupName | quote }}
@ -41,8 +44,16 @@ spec:
scheme: HTTPS scheme: HTTPS
path: /healthz path: /healthz
port: https port: https
volumeMounts:
- name: certs
mountPath: /tls
readOnly: true
resources: resources:
{{ toYaml .Values.resources | indent 12 }} {{ toYaml .Values.resources | indent 12 }}
volumes:
- name: certs
secret:
secretName: {{ include "example-webhook.servingCertificate" . }}
{{- with .Values.nodeSelector }} {{- with .Values.nodeSelector }}
nodeSelector: nodeSelector:
{{ toYaml . | indent 8 }} {{ toYaml . | indent 8 }}

76
deploy/example-webhook/templates/pki.yaml Normal file
View File

@ -0,0 +1,76 @@
---
# Create a selfsigned Issuer, in order to create a root CA certificate for
# signing webhook serving certificates
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
name: {{ include "example-webhook.selfSignedIssuer" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
app: {{ include "example-webhook.name" . }}
chart: {{ include "example-webhook.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
selfSigned: {}
---
# Generate a CA Certificate used to sign certificates for the webhook
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
name: {{ include "example-webhook.rootCACertificate" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
app: {{ include "example-webhook.name" . }}
chart: {{ include "example-webhook.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
secretName: {{ include "example-webhook.rootCACertificate" . }}
duration: 43800h # 5y
issuerRef:
name: {{ include "example-webhook.selfSignedIssuer" . }}
commonName: "ca.example-webhook.cert-manager"
isCA: true
---
# Create an Issuer that uses the above generated CA certificate to issue certs
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
name: {{ include "example-webhook.rootCAIssuer" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
app: {{ include "example-webhook.name" . }}
chart: {{ include "example-webhook.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
ca:
secretName: {{ include "example-webhook.rootCACertificate" . }}
---
# Finally, generate a serving certificate for the webhook to use
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
name: {{ include "example-webhook.servingCertificate" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
app: {{ include "example-webhook.name" . }}
chart: {{ include "example-webhook.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
secretName: {{ include "example-webhook.servingCertificate" . }}
duration: 8760h # 1y
issuerRef:
name: {{ include "example-webhook.rootCAIssuer" . }}
dnsNames:
- {{ include "example-webhook.fullname" . }}
- {{ include "example-webhook.fullname" . }}.{{ .Release.Namespace }}
- {{ include "example-webhook.fullname" . }}.{{ .Release.Namespace }}.svc