From 1f4d2cf578ae300c561c84acd7ca3d3054353bc5 Mon Sep 17 00:00:00 2001
From: Todd Short
Date: Tue, 2 Jul 2024 13:29:14 -0400
Subject: [PATCH] Share common CA with OLMv1 in overlays/cert-manager
Use kustomization Components to share a common ClusterIssuer with operator-controller.
Fixes #295
Signed-off-by: Todd Short
---
config/components/ca/kustomization.yaml | 5 +++
config/components/ca/resources/issuers.yaml | 32 ++++++++++++++++
config/components/tls/kustomization.yaml | 15 ++++++++
.../patches/catalogserver_service_port.yaml | 0
.../patches/manager_deployment_certs.yaml | 0
.../tls}/resources/certificate.yaml | 9 ++++-
.../overlays/cert-manager/kustomization.yaml | 25 ++-----------
.../cert-manager/resources/issuer.yaml | 37 -------------------
.../cert-manager/resources/kustomization.yaml | 3 --
9 files changed, 62 insertions(+), 64 deletions(-)
create mode 100644 config/components/ca/kustomization.yaml
create mode 100644 config/components/ca/resources/issuers.yaml
create mode 100644 config/components/tls/kustomization.yaml
rename config/{overlays/cert-manager => components/tls}/patches/catalogserver_service_port.yaml (100%)
rename config/{overlays/cert-manager => components/tls}/patches/manager_deployment_certs.yaml (100%)
rename config/{overlays/cert-manager => components/tls}/resources/certificate.yaml (57%)
delete mode 100644 config/overlays/cert-manager/resources/issuer.yaml
delete mode 100644 config/overlays/cert-manager/resources/kustomization.yaml
diff --git a/config/components/ca/kustomization.yaml b/config/components/ca/kustomization.yaml
new file mode 100644
index 00000000..3d03bee8
--- /dev/null
+++ b/config/components/ca/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+# No namespace is specified here, otherwise, it will overwrite _all_ the other namespaces!
+resources:
+- resources/issuers.yaml
diff --git a/config/components/ca/resources/issuers.yaml b/config/components/ca/resources/issuers.yaml
new file mode 100644
index 00000000..0dffee04
--- /dev/null
+++ b/config/components/ca/resources/issuers.yaml
@@ -0,0 +1,32 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: self-sign-issuer
+ namespace: cert-manager
+spec:
+ selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: olmv1-ca
+ namespace: cert-manager
+spec:
+ isCA: true
+ commonName: olmv1-ca
+ secretName: olmv1-ca
+ privateKey:
+ algorithm: ECDSA
+ size: 256
+ issuerRef:
+ name: self-sign-issuer
+ kind: Issuer
+ group: cert-manager.io
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: olmv1-ca
+spec:
+ ca:
+ secretName: olmv1-ca
diff --git a/config/components/tls/kustomization.yaml b/config/components/tls/kustomization.yaml
new file mode 100644
index 00000000..63ef5b9d
--- /dev/null
+++ b/config/components/tls/kustomization.yaml
@@ -0,0 +1,15 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+namespace: olmv1-system
+namePrefix: catalogd-
+resources:
+- resources/certificate.yaml
+patches:
+- target:
+ kind: Service
+ name: catalogserver
+ path: patches/catalogserver_service_port.yaml
+- target:
+ kind: Deployment
+ name: controller-manager
+ path: patches/manager_deployment_certs.yaml
diff --git a/config/overlays/cert-manager/patches/catalogserver_service_port.yaml b/config/components/tls/patches/catalogserver_service_port.yaml
similarity index 100%
rename from config/overlays/cert-manager/patches/catalogserver_service_port.yaml
rename to config/components/tls/patches/catalogserver_service_port.yaml
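Review bot: The CA Certificate `olmv1-ca` in this hunk drops the `duration`, `renewBefore` and `privateKey.rotationPolicy: Always` settings that the deleted config/overlays/cert-manager/resources/issuer.yaml carried, so the shared CA now renews on cert-manager's defaults and, on cert-manager versions where the default rotation policy is `Never`, keeps reusing the same CA private key across renewals. Because this CA is now exposed through a ClusterIssuer rather than a namespaced Issuer, any namespace that can create Certificate resources can obtain leaf certificates from it, which makes the CA key's lifetime and rotation more consequential than before. I would restore the explicit settings under `spec:` of the CA Certificate: `duration: 2160h # 90d`, `renewBefore: 360h # 15d`, and `rotationPolicy: Always` under `privateKey:`. A one-line comment on `namespace: cert-manager` noting that the CA Secret presumably has to live in cert-manager's cluster resource namespace for the ClusterIssuer to read it would also help the next reader, since nothing in the file explains the hard-coded namespace.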
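Review bot: `namespace: olmv1-system` and `namePrefix: catalogd-` in this Component are not scoped to `resources/certificate.yaml`; as far as I know a component's transformers run over every resource the consuming kustomization has accumulated up to that point, which is what the sibling ca component's comment ("it will overwrite _all_ the other namespaces") alludes to. That makes the order of `components:` in the config/overlays/cert-manager/kustomization.yaml hunk load-bearing: `../../components/tls` must precede `../../components/ca`, or the ca resources would be moved into olmv1-system and prefixed, breaking their `issuerRef` names. Neither file records this; I would add above `namespace:` here `# namespace/namePrefix apply to every resource the consuming overlay has accumulated so far, not just certificate.yaml; list this component before any component whose resources must keep their own namespace and names (e.g. ../ca)` and a matching one-line comment on `components:` in the overlay.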
diff --git a/config/overlays/cert-manager/patches/manager_deployment_certs.yaml b/config/components/tls/patches/manager_deployment_certs.yaml
similarity index 100%
rename from config/overlays/cert-manager/patches/manager_deployment_certs.yaml
rename to config/components/tls/patches/manager_deployment_certs.yaml
diff --git a/config/overlays/cert-manager/resources/certificate.yaml b/config/components/tls/resources/certificate.yaml
similarity index 57%
rename from config/overlays/cert-manager/resources/certificate.yaml
rename to config/components/tls/resources/certificate.yaml
index e08c16c6..a3ad991b 100644
--- a/config/overlays/cert-manager/resources/certificate.yaml
+++ b/config/components/tls/resources/certificate.yaml
@@ -9,6 +9,11 @@ spec:
 dnsNames:
 - localhost
 - catalogd-catalogserver.olmv1-system.svc
+ - catalogd-catalogserver.olmv1-system.svc.cluster.local
+ privateKey:
+ algorithm: ECDSA
+ size: 256
 issuerRef:
- kind: Issuer
- name: catalogd-catalogserver-ca-issuer
+ kind: ClusterIssuer
+ group: cert-manager.io
+ name: olmv1-ca
diff --git a/config/overlays/cert-manager/kustomization.yaml b/config/overlays/cert-manager/kustomization.yaml
index 99edf65a..fb27be4f 100644
--- a/config/overlays/cert-manager/kustomization.yaml
+++ b/config/overlays/cert-manager/kustomization.yaml
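Review bot: The new `privateKey:` stanza in the certificate.yaml hunk sets `algorithm` and `size` but no `rotationPolicy`, so the catalogserver serving key is reused across renewals on cert-manager versions where the default is `Never`; the CA definition this commit deletes did set `rotationPolicy: Always`. I would add `rotationPolicy: Always` under `privateKey:`. The Certificate spec begins outside the hunk, so if rotationPolicy is already set earlier in the file this point falls away. The `dnsNames` also hard-code the `catalogd-` prefix and `olmv1-system` namespace that config/components/tls/kustomization.yaml now owns via `namePrefix`/`namespace`; a comment such as `# keep in sync with namePrefix/namespace in ../kustomization.yaml` above `dnsNames:` would prevent a silent SAN mismatch if either value changes.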
@@ -1,28 +1,9 @@
-# Adds namespace to all resources.
-namespace: olmv1-system
-
-# Value of this field is prepended to the
-# names of all resources, e.g. a deployment named
-# "wordpress" becomes "alices-wordpress".
-# Note that it should also match with the prefix (text before '-') of the namespace
-# field above.
-namePrefix: catalogd-
-
-# the following config is for teaching kustomize how to do var substitution
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ../../base/crd
 - ../../base/rbac
 - ../../base/manager
-- resources
-
-patches:
-- target:
- kind: Service
- name: catalogserver
- path: patches/catalogserver_service_port.yaml
-- target:
- kind: Deployment
- name: controller-manager
- path: patches/manager_deployment_certs.yaml
\ No newline at end of file
+components:
+- ../../components/tls
+- ../../components/ca
diff --git a/config/overlays/cert-manager/resources/issuer.yaml b/config/overlays/cert-manager/resources/issuer.yaml
deleted file mode 100644
index b06f9dd5..00000000
--- a/config/overlays/cert-manager/resources/issuer.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
----
-apiVersion: cert-manager.io/v1
-kind: Issuer
-metadata:
- name: catalogserver-selfsigned-issuer
-spec:
- selfSigned: {}
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
- name: catalogserver-ca
- namespace: system
-spec:
- isCA: true
- secretName: catalogd-catalogserver-ca
- dnsNames:
- - catalogd.io
- duration: 2160h # 90d
- renewBefore: 360h # 15d
- privateKey:
- rotationPolicy: Always
- algorithm: ECDSA
- size: 256
- issuerRef:
- name: catalogd-catalogserver-selfsigned-issuer
- kind: Issuer
- group: cert-manager.io
----
-apiVersion: cert-manager.io/v1
-kind: Issuer
-metadata:
- name: catalogserver-ca-issuer
- namespace: system
-spec:
- ca:
- secretName: catalogd-catalogserver-ca
\ No newline at end of file
diff --git a/config/overlays/cert-manager/resources/kustomization.yaml b/config/overlays/cert-manager/resources/kustomization.yaml
deleted file mode 100644
index be2bcf4c..00000000
--- a/config/overlays/cert-manager/resources/kustomization.yaml
+++ /dev/null
@@ -1,3 +0,0 @@
-resources:
-- certificate.yaml
-- issuer.yaml
\ No newline at end of file