From 2c01592255d90e2636b9a5f40cd7e2fbcb0e5529 Mon Sep 17 00:00:00 2001 From: James Munnelly Date: Mon, 29 Apr 2019 18:09:16 +0100 Subject: [PATCH 1/3] Use cert-manager to secure APIService resource Signed-off-by: James Munnelly --- deploy/example-webhook/templates/_helpers.tpl | 16 ++++ .../example-webhook/templates/apiservice.yaml | 3 +- .../example-webhook/templates/deployment.yaml | 11 +++ deploy/example-webhook/templates/pki.yaml | 76 +++++++++++++++++++ 4 files changed, 105 insertions(+), 1 deletion(-) create mode 100644 deploy/example-webhook/templates/pki.yaml diff --git a/deploy/example-webhook/templates/_helpers.tpl b/deploy/example-webhook/templates/_helpers.tpl index db3c5cd..d3c474b 100644 --- a/deploy/example-webhook/templates/_helpers.tpl +++ b/deploy/example-webhook/templates/_helpers.tpl @@ -30,3 +30,19 @@ Create chart name and version as used by the chart label. {{- define "example-webhook.chart" -}} {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} {{- end -}} + +{{- define "example-webhook.selfSignedIssuer" -}} +{{ printf "%s-selfsign" (include "example-webhook.fullname" .) }} +{{- end -}} + +{{- define "example-webhook.rootCAIssuer" -}} +{{ printf "%s-ca" (include "example-webhook.fullname" .) }} +{{- end -}} + +{{- define "example-webhook.rootCACertificate" -}} +{{ printf "%s-ca" (include "example-webhook.fullname" .) }} +{{- end -}} + +{{- define "example-webhook.servingCertificate" -}} +{{ printf "%s-webhook-tls" (include "example-webhook.fullname" .) }} +{{- end -}} diff --git a/deploy/example-webhook/templates/apiservice.yaml b/deploy/example-webhook/templates/apiservice.yaml index ddd7c75..504ab91 100644 --- a/deploy/example-webhook/templates/apiservice.yaml +++ b/deploy/example-webhook/templates/apiservice.yaml @@ -7,11 +7,12 @@ metadata: chart: {{ include "example-webhook.chart" . }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} + annotations: + certmanager.k8s.io/inject-ca-from: "{{ .Release.Namespace }}/{{ include "example-webhook.servingCertificate" . }}" spec: group: {{ .Values.groupName }} groupPriorityMinimum: 1000 versionPriority: 15 - insecureSkipTLSVerify: true service: name: {{ include "example-webhook.fullname" . }} namespace: {{ .Release.Namespace }} diff --git a/deploy/example-webhook/templates/deployment.yaml b/deploy/example-webhook/templates/deployment.yaml index fc0acbd..23e9064 100644 --- a/deploy/example-webhook/templates/deployment.yaml +++ b/deploy/example-webhook/templates/deployment.yaml @@ -24,6 +24,9 @@ spec: - name: {{ .Chart.Name }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" imagePullPolicy: {{ .Values.image.pullPolicy }} + args: + - --tls-cert-file=/tls/tls.crt + - --tls-private-key-file=/tls/tls.key env: - name: GROUP_NAME value: {{ .Values.groupName | quote }} @@ -41,8 +44,16 @@ spec: scheme: HTTPS path: /healthz port: https + volumeMounts: + - name: certs + mountPath: /tls + readOnly: true resources: {{ toYaml .Values.resources | indent 12 }} + volumes: + - name: certs + secret: + secretName: {{ include "example-webhook.servingCertificate" . }} {{- with .Values.nodeSelector }} nodeSelector: {{ toYaml . | indent 8 }} diff --git a/deploy/example-webhook/templates/pki.yaml b/deploy/example-webhook/templates/pki.yaml new file mode 100644 index 0000000..89b6a23 --- /dev/null +++ b/deploy/example-webhook/templates/pki.yaml @@ -0,0 +1,76 @@ +--- +# Create a selfsigned Issuer, in order to create a root CA certificate for +# signing webhook serving certificates +apiVersion: certmanager.k8s.io/v1alpha1 +kind: Issuer +metadata: + name: {{ include "example-webhook.selfSignedIssuer" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + app: {{ include "example-webhook.name" . }} + chart: {{ include "example-webhook.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + selfSigned: {} + +--- + +# Generate a CA Certificate used to sign certificates for the webhook +apiVersion: certmanager.k8s.io/v1alpha1 +kind: Certificate +metadata: + name: {{ include "example-webhook.rootCACertificate" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + app: {{ include "example-webhook.name" . }} + chart: {{ include "example-webhook.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + secretName: {{ include "example-webhook.rootCACertificate" . }} + duration: 43800h # 5y + issuerRef: + name: {{ include "example-webhook.selfSignedIssuer" . }} + commonName: "ca.example-webhook.cert-manager" + isCA: true + +--- + +# Create an Issuer that uses the above generated CA certificate to issue certs +apiVersion: certmanager.k8s.io/v1alpha1 +kind: Issuer +metadata: + name: {{ include "example-webhook.rootCAIssuer" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + app: {{ include "example-webhook.name" . }} + chart: {{ include "example-webhook.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + ca: + secretName: {{ include "example-webhook.rootCACertificate" . }} + +--- + +# Finally, generate a serving certificate for the webhook to use +apiVersion: certmanager.k8s.io/v1alpha1 +kind: Certificate +metadata: + name: {{ include "example-webhook.servingCertificate" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + app: {{ include "example-webhook.name" . }} + chart: {{ include "example-webhook.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + secretName: {{ include "example-webhook.servingCertificate" . }} + duration: 8760h # 1y + issuerRef: + name: {{ include "example-webhook.rootCAIssuer" . }} + dnsNames: + - {{ include "example-webhook.fullname" . }} + - {{ include "example-webhook.fullname" . }}.{{ .Release.Namespace }} + - {{ include "example-webhook.fullname" . }}.{{ .Release.Namespace }}.svc From 8d973b09a6238693a1bc1d2e9bba06d52a7d8504 Mon Sep 17 00:00:00 2001 From: James Munnelly Date: Mon, 29 Apr 2019 18:23:40 +0100 Subject: [PATCH 2/3] Update cert-manager dependency Signed-off-by: James Munnelly --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 54d7d95..a8a6bea 100644 --- a/go.mod +++ b/go.mod @@ -5,7 +5,7 @@ go 1.12 require ( github.com/dgrijalva/jwt-go v3.2.0+incompatible // indirect github.com/imdario/mergo v0.3.7 // indirect - github.com/jetstack/cert-manager v0.7.1-0.20190418141904-49f91f9fa4d4 + github.com/jetstack/cert-manager v0.7.1-0.20190429172244-546d3f1d7627 golang.org/x/oauth2 v0.0.0-20190402181905-9f3314589c9a // indirect golang.org/x/time v0.0.0-20190308202827-9d24e82272b4 // indirect k8s.io/apiextensions-apiserver v0.0.0-20190413053546-d0acb7a76918 diff --git a/go.sum b/go.sum index 68fe345..42cdc36 100644 --- a/go.sum +++ b/go.sum @@ -184,8 +184,8 @@ github.com/imdario/mergo v0.3.7/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJ github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM= github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= github.com/jefferai/jsonx v1.0.0/go.mod h1:OGmqmi2tTeI/PS+qQfBDToLHHJIy/RMp24fPo8vFvoQ= -github.com/jetstack/cert-manager v0.7.1-0.20190418141904-49f91f9fa4d4 h1:BkzDdMD/2CXv3BWr0uwndx+mXaNbJHamruJNQ/gQNKw= -github.com/jetstack/cert-manager v0.7.1-0.20190418141904-49f91f9fa4d4/go.mod h1:jCOiKjYkFd3eh/kJJK2ufc0hyNQ/yJIUV/V4iWxR1t8= +github.com/jetstack/cert-manager v0.7.1-0.20190429172244-546d3f1d7627 h1:zHzxugtT5zh7jp/U1ZOWLvPMOb0L6Q39nTQzb849V+s= +github.com/jetstack/cert-manager v0.7.1-0.20190429172244-546d3f1d7627/go.mod h1:GsWWdhRdDmHDL/GvVQt82/N/Hr4R6GQfNjZV2BwOPfY= github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k= github.com/jonboulle/clockwork v0.0.0-20141017032234-72f9bd7c4e0c h1:XpRROA6ssPlTwJI8/pH+61uieOkcJhmAFz25cu0B94Y= github.com/jonboulle/clockwork v0.0.0-20141017032234-72f9bd7c4e0c/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo= From a598b0e12668be45d7346f761b0b00432e40fa11 Mon Sep 17 00:00:00 2001 From: James Munnelly Date: Mon, 29 Apr 2019 18:47:23 +0100 Subject: [PATCH 3/3] Add Makefile and make options configurable Signed-off-by: James Munnelly --- Makefile | 20 ++++++++++++++++++++ deploy/example-webhook/templates/NOTES.txt | 19 ------------------- deploy/example-webhook/values.yaml | 15 +-------------- main.go | 7 ++++++- 4 files changed, 27 insertions(+), 34 deletions(-) diff --git a/Makefile b/Makefile index e69de29..bddb85d 100644 --- a/Makefile +++ b/Makefile @@ -0,0 +1,20 @@ +IMAGE_NAME := "webhook" +IMAGE_TAG := "latest" + +OUT := $(shell pwd)/_out + +$(shell mkdir -p "$(OUT)") + +verify: + go test -v . + +build: + docker build -t "$(IMAGE_NAME):$(IMAGE_TAG)" . + +.PHONY: rendered-manifest.yaml +rendered-manifest.yaml: + helm template \ + --name example-webhook \ + --set image.repository=$(IMAGE_NAME) \ + --set image.tag=$(IMAGE_TAG) \ + deploy/example-webhook > "$(OUT)/rendered-manifest.yaml" diff --git a/deploy/example-webhook/templates/NOTES.txt b/deploy/example-webhook/templates/NOTES.txt index 197e374..e69de29 100644 --- a/deploy/example-webhook/templates/NOTES.txt +++ b/deploy/example-webhook/templates/NOTES.txt @@ -1,19 +0,0 @@ -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http{{ if $.Values.ingress.tls }}s{{ end }}://{{ . }}{{ $.Values.ingress.path }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "example-webhook.fullname" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "example-webhook.fullname" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "example-webhook.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.port }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ include "example-webhook.name" . }},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:80 -{{- end }} diff --git a/deploy/example-webhook/values.yaml b/deploy/example-webhook/values.yaml index da3f9eb..31eb151 100644 --- a/deploy/example-webhook/values.yaml +++ b/deploy/example-webhook/values.yaml @@ -14,7 +14,7 @@ certManager: image: repository: mycompany/webhook-image - tag: stable + tag: latest pullPolicy: IfNotPresent nameOverride: "" @@ -24,19 +24,6 @@ service: type: ClusterIP port: 443 -ingress: - enabled: false - annotations: {} - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - path: / - hosts: - - chart-example.local - tls: [] - # - secretName: chart-example-tls - # hosts: - # - chart-example.local - resources: {} # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little diff --git a/main.go b/main.go index 8a4c78b..85aeac9 100644 --- a/main.go +++ b/main.go @@ -3,6 +3,7 @@ package main import ( "encoding/json" "fmt" + "os" extapi "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1" //"k8s.io/client-go/kubernetes" @@ -12,9 +13,13 @@ import ( "github.com/jetstack/cert-manager/pkg/acme/webhook/cmd" ) -const GroupName = "acme.mycompany.com" +var GroupName = os.Getenv("GROUP_NAME") func main() { + if GroupName == "" { + panic("GROUP_NAME must be specified") + } + // This will register our custom DNS provider with the webhook serving // library, making it available as an API under the provided GroupName. // You can register multiple DNS provider implementations with a single