From b7eb1cf9364d71c889ddffe83c2ff208dfd5d890 Mon Sep 17 00:00:00 2001
From: Antoine Gatineau <43171889+infra-monkey@users.noreply.github.com>
Date: Fri, 5 Nov 2021 17:43:52 +0100
Subject: [PATCH] cert-manager: add trusted internal ca when configured (#8135)
* cert-manager: add trusted internal ca when configured
* wrong check for inventory variable
* Update documentation
---
docs/cert_manager.md | 14 ++++++++++++
.../sample/group_vars/k8s_cluster/addons.yml | 4 ++++
.../templates/cert-manager.yml.j2 | 22 +++++++++++++++++++
3 files changed, 40 insertions(+)
diff --git a/docs/cert_manager.md b/docs/cert_manager.md
index 34378a56a69..4ed28afc224 100644
--- a/docs/cert_manager.md
+++ b/docs/cert_manager.md
@@ -88,6 +88,20 @@ Certificates issued by public ACME servers are typically trusted by client’s c
 - [DNS01 Challenges](https://cert-manager.io/v1.5-docs/configuration/acme/dns01/)
 - [ACME FAQ](https://cert-manager.io/v1.5-docs/faq/acme/)
+#### ACME With An Internal Certificate Authority
+
+The ACME Issuer with an internal certificate authority requires cert-manager to trust the certificate authority. This trust must be done at the cert-manager deployment level.
+To add a trusted certificate authority to cert-manager, add it's certificate to `group_vars/k8s-cluster/addons.yml`:
+
+```yaml
+cert_manager_trusted_internal_ca: |
+ -----BEGIN CERTIFICATE-----
+ [REPLACE with your CA certificate]
+ -----END CERTIFICATE-----
+```
+
+Once the CA is trusted, you can define your issuer normally.
+
 ### Create New TLS Root CA Certificate and Key
 #### Install Cloudflare PKI/TLS `cfssl` Toolkit
diff --git a/inventory/sample/group_vars/k8s_cluster/addons.yml b/inventory/sample/group_vars/k8s_cluster/addons.yml
index 5f5e37f443c..2e077dd805e 100644
--- a/inventory/sample/group_vars/k8s_cluster/addons.yml
+++ b/inventory/sample/group_vars/k8s_cluster/addons.yml
@@ -129,6 +129,10 @@ ingress_alb_enabled: false
 # Cert manager deployment
 cert_manager_enabled: false
 # cert_manager_namespace: "cert-manager"
+# cert_manager_trusted_internal_ca: |
+# -----BEGIN CERTIFICATE-----
+# [REPLACE with your CA certificate]
+# -----END CERTIFICATE-----
 # MetalLB deployment
 metallb_enabled: false
diff --git a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.yml.j2 b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.yml.j2
index 200ab268016..3f51b19ad66 100644
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.yml.j2
@@ -875,6 +875,17 @@ spec:
 resources: {}
 ---
+{% if cert_manager_trusted_internal_ca is defined %}
+apiVersion: v1
+data:
+ internal-ca.pem: |
+ {{ cert_manager_trusted_internal_ca | indent(width=4, indentfirst=False) }}
+kind: ConfigMap
+metadata:
+ name: ca-internal-truststore
+ namespace: {{ cert_manager_namespace }}
+---
+{% endif %}
 # Source: cert-manager/templates/deployment.yaml
 apiVersion: apps/v1
 kind: Deployment
@@ -928,6 +939,17 @@ spec:
 fieldPath: metadata.namespace
 resources: {}
+{% if cert_manager_trusted_internal_ca is defined %}
+ volumeMounts:
+ - mountPath: /etc/ssl/certs/internal-ca.pem
+ name: ca-internal-truststore
+ subPath: internal-ca.pem
+ volumes:
+ - configMap:
+ defaultMode: 420
+ name: ca-internal-truststore
+ name: ca-internal-truststore
+{% endif %}
 ---
 # Source: cert-manager/templates/webhook-deployment.yaml
 apiVersion: apps/v1
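Review bot: The `indent` call that renders the `internal-ca.pem` value uses `indentfirst=False`, a parameter that Jinja2 deprecated in 2.10 and removed in 3.0, so on a control node with a current Jinja2 this template stops rendering; not indenting the first line is the filter's default anyway, so `{{ cert_manager_trusted_internal_ca | indent(width=4) }}` is equivalent and portable. The `is defined` guard, used here and again on the volume hunk further down in this file, still admits an empty value, which renders an empty `internal-ca.pem` entry and later mounts an empty file into the controller's trust directory; `{% if cert_manager_trusted_internal_ca | default('') | length > 0 %}` would skip both the ConfigMap and the mount unless a certificate was actually supplied. Indentation inside this hunk is not recoverable from the collapsed patch, so the nesting of `internal-ca.pem` under `data:` could not be checked here.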
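Review bot: The CA file is mounted via `subPath`, and Kubernetes does not propagate ConfigMap updates into subPath mounts, so after an operator rotates `cert_manager_trusted_internal_ca` and re-runs the playbook the `ca-internal-truststore` ConfigMap changes while the running controller keeps trusting the old CA until its pod is recreated; nothing in this Deployment ties the pod template to the ConfigMap contents. A pod-template annotation derived from the value, e.g. `checksum/internal-ca: "{{ cert_manager_trusted_internal_ca | hash('sha256') }}"`, would roll the controller whenever the CA changes; the pod template's `metadata` lies outside this hunk. The mount also relies on the cert-manager binary picking up loose PEM files under `/etc/ssl/certs` in addition to the system bundle, which I believe holds for Go's default root loading on Linux but is worth stating above `volumeMounts:`, e.g. `# the Go x509 loader reads every file under /etc/ssl/certs, so this CA is trusted alongside the system bundle`. Both `volumeMounts:` and `volumes:` are introduced only inside the conditional, so if the surrounding container or pod spec already carries either key the rendered manifest would contain a duplicate key; the enclosing Deployment spec starts before and ends after this hunk.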