diff --git a/staging/cert-manager-setup/README.md b/staging/cert-manager-setup/README.md
index f3901b52d..4416738c6 100644
--- a/staging/cert-manager-setup/README.md
+++ b/staging/cert-manager-setup/README.md
@@ -6,7 +6,9 @@ TLS certificates from various issuing sources.
 `cert-manager` will ensure certificates are valid and up to date periodically, and attempt to renew certificates at an appropriate time before expiry.
-In addition to installing `cert-manager`, `cert-manager-setup` provides the capability to specify a `ClusterIssuer` in the `values.yaml` file which will be applied directly after the `cert-manager` installation has completed.
+`cert-manager-setup` deploys the cert-manager
+
+In addition to installing `cert-manager`, `cert-manager-setup` provides the capability to specify a `ClusterIssuer` in the `values.yaml` file which will be applied directly after the `cert-manager` installation has completed. In order for this to happen, `cert-manager-setup` sets up an `Issuer` in the `cert-manager` namespace. It then creates an intermediate certificate from the secret `kubernetes-root-ca` which must already contain ideally the Kubernetes root CA. The `ClusterIssuer` then uses the intermediate certificate derived from the Kubernetes root CA.
 # Supported values format
diff --git a/staging/cert-manager-setup/templates/clusterissuer.yaml b/staging/cert-manager-setup/templates/clusterissuer.yaml
deleted file mode 100644
index a86f7b18f..000000000
--- a/staging/cert-manager-setup/templates/clusterissuer.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-{{ if .Values.clusterissuer }}
-apiVersion: certmanager.k8s.io/v1alpha1
-kind: ClusterIssuer
-metadata:
- name: {{ required "clusterissuer must have a name" .Values.clusterissuer.name }}
- annotations:
- "helm.sh/hook": "post-install"
- "helm.sh/hook-weight": "-4"
-spec:
-{{ required "clusterissuer must have a spec" .Values.clusterissuer.spec | toYaml | indent 4 }}
-{{ end }}
diff --git a/staging/cert-manager-setup/templates/clusterrolebinding.yaml b/staging/cert-manager-setup/templates/clusterrolebinding.yaml
index d5882fa86..19c26432e 100644
--- a/staging/cert-manager-setup/templates/clusterrolebinding.yaml
+++ b/staging/cert-manager-setup/templates/clusterrolebinding.yaml
@@ -2,10 +2,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
 name: read-apiservices-rolebinding
- namespace: kubeaddons
+ namespace: cert-manager
 subjects:
 - kind: ServiceAccount
- namespace: kubeaddons
+ namespace: cert-manager
 name: default
 roleRef:
 kind: ClusterRole
diff --git a/staging/cert-manager-setup/templates/issuers.yaml b/staging/cert-manager-setup/templates/issuers.yaml
new file mode 100644
index 000000000..619ca01ea
--- /dev/null
+++ b/staging/cert-manager-setup/templates/issuers.yaml
@@ -0,0 +1,42 @@
+{{ if .Values.clusterissuer }}
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: Issuer
+metadata:
+ name: kubernetes-root-issuer
+ namespace: cert-manager
+ annotations:
+ "helm.sh/hook": "post-install"
+ "helm.sh/hook-weight": "-4"
+spec:
+ ca:
+ secretName: kubernetes-root-ca
+---
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: Certificate
+metadata:
+ name: kubernetes-intermediate-ca
+ annotations:
+ "helm.sh/hook": "post-install"
+ "helm.sh/hook-weight": "-3"
+spec:
+ isCA: true
+ commonName: cert-manager
+ secretName: kubernetes-intermediate-ca
+ issuerRef:
+ name: kubernetes-root-issuer
+ kind: Issuer
+ # These are the default usages for reference
+ usages:
+ - "digital signature"
+ - "key encipherment"
+---
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: ClusterIssuer
+metadata:
+ name: {{ required "clusterissuer must have a name" .Values.clusterissuer.name }}
+ annotations:
+ "helm.sh/hook": "post-install"
+ "helm.sh/hook-weight": "-2"
+spec:
+{{ required "clusterissuer must have a spec" .Values.clusterissuer.spec | toYaml | indent 4 }}
+{{ end }}
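Review bot: The `metadata.namespace: cert-manager` line in the clusterrolebinding.yaml hunk has no effect, because ClusterRoleBinding is cluster-scoped and the namespace field is discarded on a cluster-scoped object; only the `subjects` namespace change actually moves the grant. That grant now goes to the `default` ServiceAccount of the `cert-manager` namespace, which is the account every pod in that namespace gets unless it sets `serviceAccountName`, so the referenced ClusterRole (its `roleRef.name` is outside the hunk) is effectively handed to the whole namespace rather than to cert-manager alone. Consider dropping the `metadata.namespace` line and pointing `subjects[0].name` at the ServiceAccount the chart actually runs cert-manager under instead of `default` — that account's name is not visible here, so confirm it against the deployment template.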
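Review bot: The `kubernetes-intermediate-ca` Certificate in issuers.yaml has no `metadata.namespace`, yet its `issuerRef` is `kind: Issuer`, a namespaced resource that this file creates in `cert-manager`; cert-manager only looks for an Issuer in the Certificate's own namespace, so unless the release namespace happens to be `cert-manager` the Certificate is never issued and the intermediate secret the ClusterIssuer depends on never exists. Add `  namespace: cert-manager` under the Certificate's `metadata`, matching the Issuer above it. Separately, since the README hunk says `kubernetes-root-ca` should hold the Kubernetes root CA, everything this chain signs is trusted wherever the cluster's own root is trusted — potentially including as client certificates if that root is also the API server's client CA — which makes the user-supplied ClusterIssuer spec a sensitive trust boundary; a dedicated signing root for cert-manager, or at minimum a README sentence stating that consequence, would be safer. The `# These are the default usages for reference` comment on a certificate with `isCA: true` should also be checked against the cert-manager version in use, since the listed usages do not include a certificate-signing usage and whether cert-manager adds one automatically depends on the version.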