Use cert-manager to secure APIService resource

Signed-off-by: James Munnelly <james@munnelly.eu>
2019-04-29 18:09:16 +01:00 · 2019-04-29 18:09:16 +01:00 · 2c01592255
commit 2c01592255
parent 3935fd70e7
4 changed files with 105 additions and 1 deletions
--- a/deploy/example-webhook/templates/_helpers.tpl
+++ b/deploy/example-webhook/templates/_helpers.tpl
@ -30,3 +30,19 @@ Create chart name and version as used by the chart label.
 {{- define "example-webhook.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
+
+{{- define "example-webhook.selfSignedIssuer" -}}
+{{ printf "%s-selfsign" (include "example-webhook.fullname" .) }}
+{{- end -}}
+
+{{- define "example-webhook.rootCAIssuer" -}}
+{{ printf "%s-ca" (include "example-webhook.fullname" .) }}
+{{- end -}}
+
+{{- define "example-webhook.rootCACertificate" -}}
+{{ printf "%s-ca" (include "example-webhook.fullname" .) }}
+{{- end -}}
+
+{{- define "example-webhook.servingCertificate" -}}
+{{ printf "%s-webhook-tls" (include "example-webhook.fullname" .) }}
+{{- end -}}
--- a/deploy/example-webhook/templates/apiservice.yaml
+++ b/deploy/example-webhook/templates/apiservice.yaml
@ -7,11 +7,12 @@ metadata:
    chart: {{ include "example-webhook.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
+  annotations:
+    certmanager.k8s.io/inject-ca-from: "{{ .Release.Namespace }}/{{ include "example-webhook.servingCertificate" . }}"
 spec:
  group: {{ .Values.groupName }}
  groupPriorityMinimum: 1000
  versionPriority: 15
-  insecureSkipTLSVerify: true
  service:
    name: {{ include "example-webhook.fullname" . }}
    namespace: {{ .Release.Namespace }}
--- a/deploy/example-webhook/templates/deployment.yaml
+++ b/deploy/example-webhook/templates/deployment.yaml
@ -24,6 +24,9 @@ spec:
        - name: {{ .Chart.Name }}
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          args:
+            - --tls-cert-file=/tls/tls.crt
+            - --tls-private-key-file=/tls/tls.key
          env:
            - name: GROUP_NAME
              value: {{ .Values.groupName | quote }}
@ -41,8 +44,16 @@ spec:
              scheme: HTTPS
              path: /healthz
              port: https
+          volumeMounts:
+            - name: certs
+              mountPath: /tls
+              readOnly: true
          resources:
 {{ toYaml .Values.resources | indent 12 }}
+      volumes:
+        - name: certs
+          secret:
+            secretName: {{ include "example-webhook.servingCertificate" . }}
    {{- with .Values.nodeSelector }}
      nodeSelector:
 {{ toYaml . | indent 8 }}
--- a/deploy/example-webhook/templates/pki.yaml
+++ b/deploy/example-webhook/templates/pki.yaml
@ -0,0 +1,76 @@
+---
+# Create a selfsigned Issuer, in order to create a root CA certificate for
+# signing webhook serving certificates
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: Issuer
+metadata:
+  name: {{ include "example-webhook.selfSignedIssuer" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    app: {{ include "example-webhook.name" . }}
+    chart: {{ include "example-webhook.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  selfSigned: {}
+
+---
+
+# Generate a CA Certificate used to sign certificates for the webhook
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: Certificate
+metadata:
+  name: {{ include "example-webhook.rootCACertificate" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    app: {{ include "example-webhook.name" . }}
+    chart: {{ include "example-webhook.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  secretName: {{ include "example-webhook.rootCACertificate" . }}
+  duration: 43800h # 5y
+  issuerRef:
+    name: {{ include "example-webhook.selfSignedIssuer" . }}
+  commonName: "ca.example-webhook.cert-manager"
+  isCA: true
+
+---
+
+# Create an Issuer that uses the above generated CA certificate to issue certs
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: Issuer
+metadata:
+  name: {{ include "example-webhook.rootCAIssuer" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    app: {{ include "example-webhook.name" . }}
+    chart: {{ include "example-webhook.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  ca:
+    secretName: {{ include "example-webhook.rootCACertificate" . }}
+
+---
+
+# Finally, generate a serving certificate for the webhook to use
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: Certificate
+metadata:
+  name: {{ include "example-webhook.servingCertificate" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    app: {{ include "example-webhook.name" . }}
+    chart: {{ include "example-webhook.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  secretName: {{ include "example-webhook.servingCertificate" . }}
+  duration: 8760h # 1y
+  issuerRef:
+    name: {{ include "example-webhook.rootCAIssuer" . }}
+  dnsNames:
+  - {{ include "example-webhook.fullname" . }}
+  - {{ include "example-webhook.fullname" . }}.{{ .Release.Namespace }}
+  - {{ include "example-webhook.fullname" . }}.{{ .Release.Namespace }}.svc