From 2f3f5e78b575bf2525a0aa44ea1ab1b2af59c1fa Mon Sep 17 00:00:00 2001
From: pvito
Date: Thu, 11 Aug 2022 15:12:41 +0200
Subject: [PATCH] Use cert-manager as webhook cert signer
---
 charts/imagepullsecret-injector/Chart.yaml | 2 +-
 .../scripts/create-signed-cert.sh | 142 ------------------
 .../templates/_helpers.tpl | 14 +-
 .../templates/cert.yaml | 12 ++
 .../configmap-certigicate-gen.yaml | 9 --
 .../cronjob-certificate-gen.yaml | 41 -----
 .../certificate-gen/job-certificate-gen.yaml | 34 -----
 .../certificate-gen/rbac-certificate-gen.yaml | 69 --------
 .../templates/cm.yaml | 7 -
 .../templates/deployment.yaml | 4 +-
 .../templates/mutatingwebhook.yaml | 4 +-
 charts/imagepullsecret-injector/values.yaml | 9 +-
 12 files changed, 25 insertions(+), 322 deletions(-)
 delete mode 100644 charts/imagepullsecret-injector/scripts/create-signed-cert.sh
 create mode 100644 charts/imagepullsecret-injector/templates/cert.yaml
 delete mode 100644 charts/imagepullsecret-injector/templates/certificate-gen/configmap-certigicate-gen.yaml
 delete mode 100644 charts/imagepullsecret-injector/templates/certificate-gen/cronjob-certificate-gen.yaml
 delete mode 100644 charts/imagepullsecret-injector/templates/certificate-gen/job-certificate-gen.yaml
 delete mode 100644 charts/imagepullsecret-injector/templates/certificate-gen/rbac-certificate-gen.yaml
 delete mode 100644 charts/imagepullsecret-injector/templates/cm.yaml
diff --git a/charts/imagepullsecret-injector/Chart.yaml b/charts/imagepullsecret-injector/Chart.yaml
index 55d08e0..4497a4b 100644
--- a/charts/imagepullsecret-injector/Chart.yaml
+++ b/charts/imagepullsecret-injector/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.0.26
+version: 0.0.27
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
diff --git a/charts/imagepullsecret-injector/scripts/create-signed-cert.sh b/charts/imagepullsecret-injector/scripts/create-signed-cert.sh
deleted file mode 100644
index 16c2526..0000000
--- a/charts/imagepullsecret-injector/scripts/create-signed-cert.sh
+++ /dev/null
@@ -1,142 +0,0 @@ -#!/bin/bash - -set -e - -usage() { - cat <> "${tmpdir}"/csr.conf -[req] -req_extensions = v3_req -distinguished_name = req_distinguished_name -[req_distinguished_name] -[ v3_req ] -basicConstraints = CA:FALSE -keyUsage = nonRepudiation, digitalSignature, keyEncipherment -extendedKeyUsage = serverAuth -subjectAltName = @alt_names -[alt_names] -DNS.1 = ${service} -DNS.2 = ${service}.${namespace} -DNS.3 = ${service}.${namespace}.svc -EOF - -openssl genrsa -out "${tmpdir}"/server-key.pem 2048 -openssl req -new -key "${tmpdir}"/server-key.pem -subj "/O=system:nodes/CN=system:node:${service}.${namespace}.svc" -out "${tmpdir}"/server.csr -config "${tmpdir}"/csr.conf - -# clean-up any previously created CSR for our service. Ignore errors if not present. -echo "Deleting old CertificateSigningRequests" -kubectl delete csr ${csrName} 2>/dev/null || true - -echo "Creating new CertificateSigningRequests" -# create server cert/key CSR and send to k8s API -jq -n --arg request "$(< "${tmpdir}"/server.csr base64)" \ - --arg namespace "$namespace" \ - --arg csrName "$csrName" '{ - apiVersion: "certificates.k8s.io/v1", - kind: "CertificateSigningRequest", - metadata: { - name: $csrName, - namespace: $namespace - }, - spec: { - signerName: "kubernetes.io/kubelet-serving", - groups: ["system:authenticated"], - request: $request, - usages: [ - "digital signature", - "key encipherment", - "server auth" - ] - } - }' | kubectl create -f - - -# verify CSR has been created -while true; do - if kubectl get csr ${csrName}; then - break - else - sleep 1 - fi -done - -echo "Approving CertificateSigningRequests" -# approve and fetch the signed certificate -kubectl certificate approve ${csrName} - -echo "Fetching certificate from approved CertificateSigningRequests" -# verify certificate has been signed -for _ in $(seq 10); do - serverCert=$(kubectl get csr ${csrName} -o jsonpath='{.status.certificate}') - if [[ ${serverCert} != '' ]]; then - break - fi - sleep 1 -done -if [[ 
${serverCert} == '' ]]; then - echo "ERROR: After approving csr ${csrName}, the signed certificate did not appear on the resource. Giving up after 10 attempts." >&2 - exit 1 -fi -echo "${serverCert}" | openssl base64 -d -A -out "${tmpdir}"/server-cert.pem - -echo "Creating secret $secret based on the retrieved certificate" -# create the secret with CA cert and server cert/key -kubectl create secret generic ${secret} \ - --from-file=key.pem="${tmpdir}"/server-key.pem \ - --from-file=cert.pem="${tmpdir}"/server-cert.pem \ - --dry-run=client -o yaml | - kubectl -n ${namespace} apply -f - diff --git a/charts/imagepullsecret-injector/templates/_helpers.tpl b/charts/imagepullsecret-injector/templates/_helpers.tpl index 746ebcf..ae6cdc2 100644 --- a/charts/imagepullsecret-injector/templates/_helpers.tpl +++ b/charts/imagepullsecret-injector/templates/_helpers.tpl 
@@ -10,18 +10,12 @@ Expand the name of the chart.
 ips-injector-svc
 {{- end }}
-{{- define "imagepullsecret-injector.certificateSecretName" -}}
-{{ include "imagepullsecret-injector.name" . }}-webhook-certs
+{{- define "imagepullsecret-injector.certificateName" -}}
+{{ include "imagepullsecret-injector.name" . }}-webhook-cert
 {{- end }}
-{{- define "imagepullsecret-injector.lookupCaBundle" -}}
-{{- /* Find the name of the secret corresponding to the default SA in the default namespace */ -}}
-{{- /* Equivalent to `kubectl get sa -n default default -ojsonpath='{.secrets[0].name}'` */ -}}
-{{- $defaultSecretName := ((lookup "v1" "ServiceAccount" "default" "default").secrets | first).name -}}
-{{- /* Fetch the ca.crt from the default secret (still base64-encoded)*/ -}}
-{{- /* Equivalent to `kubectl get secret -n default $defaultSecretName -ojsonpath='{.data.ca\.crt}'` */ -}}
-{{- $caBundle := get (lookup "v1" "Secret" "default" $defaultSecretName ).data "ca.crt" -}}
-{{- $caBundle -}}
+{{- define "imagepullsecret-injector.certificateSecretName" -}}
+{{ include "imagepullsecret-injector.name" . }}-webhook-certs
 {{- end }}
 {{/*
diff --git a/charts/imagepullsecret-injector/templates/cert.yaml b/charts/imagepullsecret-injector/templates/cert.yaml
new file mode 100644
index 0000000..a953e42
--- /dev/null
+++ b/charts/imagepullsecret-injector/templates/cert.yaml
@@ -0,0 +1,12 @@
+kind: Certificate
+metadata:
+ name: {{ include "imagepullsecret-injector.certificateName" . }}
+spec:
+ commonName: {{ include "imagepullsecret-injector.serviceName" . }}.{{ .Release.Namespace }}.svc
+ dnsNames:
+ - {{ include "imagepullsecret-injector.serviceName" . }}.{{ .Release.Namespace }}.svc.cluster.local
+ - {{ include "imagepullsecret-injector.serviceName" . }}.{{ .Release.Namespace }}.svc
+ issuerRef:
+ kind: ClusterIssuer
+ name: {{ .Values.clusterIssuer }}
+ secretName: {{ include "imagepullsecret-injector.certificateSecretName" . | quote }}
\ No newline at end of file
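Review bot: The new Certificate manifest in templates/cert.yaml has no `apiVersion`; the hunk starts at `kind: Certificate`, so the rendered object is rejected by the API server (and `helm lint` should flag it) before cert-manager ever reconciles it, which means no serving secret is created and the webhook Deployment cannot mount its certificate. Add `apiVersion: cert-manager.io/v1` as the first line of the file. The resource also gets none of the chart's standard labels, while the deleted templates in this same commit all applied `{{- include "imagepullsecret-injector.labels" . | nindent 4 }}`; adding that under `metadata:` keeps the release's objects selectable together. Minor: `secretName` is passed through `quote` but `name` and `commonName` are not, and the file ends without a trailing newline.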
diff --git a/charts/imagepullsecret-injector/templates/certificate-gen/configmap-certigicate-gen.yaml b/charts/imagepullsecret-injector/templates/certificate-gen/configmap-certigicate-gen.yaml
deleted file mode 100644
index 1faa871..0000000
--- a/charts/imagepullsecret-injector/templates/certificate-gen/configmap-certigicate-gen.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: imagepullsecret-injector-cert-gen-entrypoint
- namespace: {{ .Release.Namespace }}
- labels:
- {{- include "imagepullsecret-injector.labels" . | nindent 4 }}
-data:
- entrypoint.sh: | {{ .Files.Get "scripts/create-signed-cert.sh" | nindent 4 }}
diff --git a/charts/imagepullsecret-injector/templates/certificate-gen/cronjob-certificate-gen.yaml b/charts/imagepullsecret-injector/templates/certificate-gen/cronjob-certificate-gen.yaml
deleted file mode 100644
index 1bf7ac1..0000000
--- a/charts/imagepullsecret-injector/templates/certificate-gen/cronjob-certificate-gen.yaml
+++ /dev/null
@@ -1,41 +0,0 @@ -apiVersion: batch/v1beta1 -kind: CronJob -metadata: - name: "{{ .Release.Name }}-cert-gen-cron-job" - labels: - {{- include "imagepullsecret-injector.labels" . | nindent 4 }} -spec: - schedule: {{ .Values.certificateGenerator.cronJobSchedule }} - jobTemplate: - metadata: - name: "{{ .Release.Name }}" - labels: - {{- include "imagepullsecret-injector.labels" . | nindent 8 }} - spec: - ttlSecondsAfterFinished: 30 - template: - spec: - serviceAccountName: imagepullsecret-injector-cert-gen - restartPolicy: Never - containers: - - name: pre-install-job - image: "{{ .Values.certificateGeneratorImage.registry }}/{{ .Values.certificateGeneratorImage.repository }}:{{ .Values.certificateGeneratorImage.tag | default .Chart.AppVersion }}" - command: ["/entrypoint/entrypoint.sh"] - args: - - --service - - "{{ include "imagepullsecret-injector.serviceName" . }}" - - --namespace - - "{{ .Release.Namespace }}" - - --secret - - "{{ include "imagepullsecret-injector.certificateSecretName" . }}" - volumeMounts: - - mountPath: "/entrypoint" - name: entrypoint - volumes: - - name: entrypoint - configMap: - name: imagepullsecret-injector-cert-gen-entrypoint - items: - - key: entrypoint.sh - path: entrypoint.sh - mode: 0755 diff --git a/charts/imagepullsecret-injector/templates/certificate-gen/job-certificate-gen.yaml b/charts/imagepullsecret-injector/templates/certificate-gen/job-certificate-gen.yaml deleted file mode 100644 index a5d911c..0000000 --- a/charts/imagepullsecret-injector/templates/certificate-gen/job-certificate-gen.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -apiVersion: batch/v1 -kind: Job -metadata: - name: "{{ .Release.Name }}-cert-gen-job-{{ .Release.Revision }}" - labels: - {{- include "imagepullsecret-injector.labels" . | nindent 4 }} -spec: - ttlSecondsAfterFinished: 30 - template: - spec: - serviceAccountName: imagepullsecret-injector-cert-gen - restartPolicy: Never - containers: - - name: pre-install-job - image: "{{ .Values.certificateGeneratorImage.registry }}/{{ .Values.certificateGeneratorImage.repository }}:{{ .Values.certificateGeneratorImage.tag | default .Chart.AppVersion }}" - command: ["/entrypoint/entrypoint.sh"] - args: - - --service - - "{{ include "imagepullsecret-injector.serviceName" . }}" - - --namespace - - "{{ .Release.Namespace }}" - - --secret - - "{{ include "imagepullsecret-injector.certificateSecretName" . }}" - volumeMounts: - - mountPath: "/entrypoint" - name: entrypoint - volumes: - - name: entrypoint - configMap: - name: imagepullsecret-injector-cert-gen-entrypoint - items: - - key: entrypoint.sh - path: entrypoint.sh - mode: 0755 diff --git a/charts/imagepullsecret-injector/templates/certificate-gen/rbac-certificate-gen.yaml b/charts/imagepullsecret-injector/templates/certificate-gen/rbac-certificate-gen.yaml deleted file mode 100644 index 89940cd..0000000 --- a/charts/imagepullsecret-injector/templates/certificate-gen/rbac-certificate-gen.yaml +++ /dev/null 
@@ -1,69 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: imagepullsecret-injector-cert-gen - namespace : {{ .Release.Namespace }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - k8s-app: imagepullsecret-injector-cert-gen - name: imagepullsecret-injector-cert-gen -rules: - - apiGroups: - - "" - resources: - - secrets - - serviceaccounts - verbs: - - list - - patch - - create - - get - - delete - - apiGroups: - - "" - resources: - - namespaces - verbs: - - list - - get - - apiGroups: - - certificates.k8s.io - resources: - - certificatesigningrequests - verbs: - - create - - list - - get - - delete - - apiGroups: - - certificates.k8s.io - resources: - - certificatesigningrequests/approval - verbs: - - update - - apiGroups: - - certificates.k8s.io - resources: - - signers - resourceNames: - - kubernetes.io/kubelet-serving - verbs: - - approve ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: imagepullsecret-injector-cert-gen - labels: - {{- include "imagepullsecret-injector.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: imagepullsecret-injector-cert-gen -subjects: - - kind: ServiceAccount - name: imagepullsecret-injector-cert-gen - namespace : {{ .Release.Namespace }} diff --git a/charts/imagepullsecret-injector/templates/cm.yaml b/charts/imagepullsecret-injector/templates/cm.yaml deleted file mode 100644 index 92def69..0000000 --- a/charts/imagepullsecret-injector/templates/cm.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: tmp - namespace: {{ .Release.Namespace }} -data: - caBundle: {{ include "imagepullsecret-injector.lookupCaBundle" . | quote }} diff --git a/charts/imagepullsecret-injector/templates/deployment.yaml b/charts/imagepullsecret-injector/templates/deployment.yaml index 0bf85d6..b37fee1 100644 --- a/charts/imagepullsecret-injector/templates/deployment.yaml 
+++ b/charts/imagepullsecret-injector/templates/deployment.yaml
@@ -27,9 +27,9 @@ spec:
 - name: CONFIG_PORT
 value: "8443"
 - name: CONFIG_CERT_PATH
- value: "/etc/webhook/certs/cert.pem"
+ value: "/etc/webhook/certs/tls.crt"
 - name: CONFIG_KEY_PATH
- value: "/etc/webhook/certs/key.pem"
+ value: "/etc/webhook/certs/tls.key"
 - name: CONFIG_EXCLUDE_NAMESPACES
 value: {{ join "," .Values.imagepullsecretInjector.excludeNamespaces | quote }}
 - name: CONFIG_SERVICE_ACCOUNTS
diff --git a/charts/imagepullsecret-injector/templates/mutatingwebhook.yaml b/charts/imagepullsecret-injector/templates/mutatingwebhook.yaml
index f0a8913..17b0c27 100644
--- a/charts/imagepullsecret-injector/templates/mutatingwebhook.yaml
+++ b/charts/imagepullsecret-injector/templates/mutatingwebhook.yaml
@@ -6,6 +6,8 @@ metadata:
 labels:
 app: imagepullsecret-injector
 {{- include "imagepullsecret-injector.labels" . | nindent 4 }}
+ annotations:
+ cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "imagepullsecret-injector.certificateName" . }}
 webhooks:
 - name: imagepullsecret-injector.ysoftdevs.github.com
 clientConfig:
@@ -13,7 +15,7 @@ webhooks:
 name: {{ include "imagepullsecret-injector.serviceName" . }}
 namespace : {{ .Release.Namespace }}
 path: "/mutate"
- caBundle: {{ include "imagepullsecret-injector.lookupCaBundle" . }}
+ caBundle: "Cg=="
 rules:
 - operations: ["CREATE", "UPDATE"]
 apiGroups: [""]
diff --git a/charts/imagepullsecret-injector/values.yaml b/charts/imagepullsecret-injector/values.yaml
index ccab098..e8aecc1 100644
--- a/charts/imagepullsecret-injector/values.yaml
+++ b/charts/imagepullsecret-injector/values.yaml
@@ -5,11 +5,6 @@ image:
 # Overrides the image tag whose default is the chart appVersion.
 tag: ""
-certificateGeneratorImage:
- registry: ghcr.io/ysoftdevs/imagepullsecret-injector
- repository: webhook-cert-generator
- tag: ""
-
 imagepullsecretInjector:
 dockerconfigjsonRef:
 secretName: acr-dockerconfigjson-source
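Review bot: `caBundle: "Cg=="` in the second mutatingwebhook.yaml hunk is a placeholder (base64 of a single newline) that only becomes a valid trust anchor once cert-manager's cainjector acts on the `cert-manager.io/inject-ca-from` annotation added in the first hunk; until that happens, or if cainjector is not running in the cluster, the API server cannot verify the webhook's serving certificate and every admission call fails, with the effect on pod creation decided by the webhook's `failurePolicy`, which is outside this hunk. The line deserves a comment such as `# placeholder: cert-manager cainjector replaces this with the CA of the Certificate named in the inject-ca-from annotation`. The chart now depends on cert-manager CRDs and on a ClusterIssuer named by `.Values.clusterIssuer` existing before install, and nothing in the templates checks for either; a guard like `{{- if not (.Capabilities.APIVersions.Has "cert-manager.io/v1") }}{{ fail "cert-manager is required" }}{{- end }}` would turn a silent TLS failure at admission time into a clear install-time error. Note that the old `lookupCaBundle` helper used the default ServiceAccount's CA, so existing installs upgrading to this version will have their `caBundle` replaced with the placeholder and then rewritten by cainjector; if cainjector is slow or absent the webhook is unverifiable for that window.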
@@ -26,4 +21,6 @@ imagepullsecretInjector:
 - datadog
 certificateGenerator:
- cronJobSchedule: '0 0 * * 0' # At 00:00 on Sunday
\ No newline at end of file
+ cronJobSchedule: '0 0 * * 0' # At 00:00 on Sunday
+
+clusterIssuer: "webhook-issuer"
\ No newline at end of file
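Review bot: `certificateGenerator.cronJobSchedule` is re-emitted on the `+` line although its only consumer, `templates/certificate-gen/cronjob-certificate-gen.yaml`, is deleted by this same commit, so the key is now dead configuration that operators may keep setting in the belief it controls certificate rotation. Either drop the `certificateGenerator:` block or mark it with `# Deprecated: unused; cert-manager now issues and renews the webhook certificate`. The new `clusterIssuer: "webhook-issuer"` default is a hard prerequisite with no explanation in the file; a comment such as `# Name of a pre-existing cert-manager ClusterIssuer that signs the webhook serving certificate` above it would tell operators what must exist before install, and the file still ends without a trailing newline.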