certificate management with cert-manager

Fixes: aquarist-labs/s3gw-tools#193 Signed-off-by: Giuseppe Baccini <giuseppe.baccini@suse.com>
giubacc · Nov 30, 2022 · aa6d359 · aa6d359
1 parent 5107606
commit aa6d359
Show file tree

Hide file tree

Showing 8 changed files with 252 additions and 76 deletions.
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
@@ -59,6 +59,15 @@ jobs:
       - name: Create kind cluster
         uses: helm/kind-action@v1.2.0
 
+      - name: Install cert-manager
+        run: |
+          kubectl create namespace cert-manager
+          helm repo add jetstack https://charts.jetstack.io
+          helm repo update
+          helm install cert-manager --namespace cert-manager jetstack/cert-manager \
+           --set installCRDs=true \
+           --set extraArgs[0]=--enable-certificate-owner-ref=true
+
       - name: Install Traefik
         run: |
           helm repo add traefik https://helm.traefik.io/traefik

diff --git a/charts/s3gw/questions.yaml b/charts/s3gw/questions.yaml
@@ -1,6 +1,90 @@
 ---
 questions:
   # General settings
+
+  - variable: useCertManager
+    label: Use cert-manager
+    default: "true"
+    description: "Use cert-manager to provision TLS certificates"
+    type: boolean
+    group: "General"
+
+  - variable: tls.publicDomain.crt
+    show_if: "useCertManager=false"
+    description: "S3 TLS's certificate (Public Domain)"
+    label: "S3 TLS's certificate (Public Domain)"
+    type: string
+    group: "General"
+
+  - variable: tls.publicDomain.key
+    show_if: "useCertManager=false"
+    description: "S3 TLS's key (Public Domain)"
+    label: "S3 TLS's key (Public Domain)"
+    type: string
+    group: "General"
+
+  - variable: tls.privateDomain.crt
+    show_if: "useCertManager=false"
+    description: "S3 TLS's certificate (Private Domain)"
+    label: "S3 TLS's certificate (Private Domain)"
+    type: string
+    group: "General"
+
+  - variable: tls.privateDomain.key
+    show_if: "useCertManager=false"
+    description: "S3 TLS's key (Private Domain)"
+    label: "S3 TLS's key (Private Domain)"
+    type: string
+    group: "General"
+
+  - variable: tls.ui.publicDomain.crt
+    show_if: "useCertManager=false"
+    description: "UI TLS's certificate (Public Domain)"
+    label: "UI TLS's certificate (Public Domain)"
+    type: string
+    group: "General"
+
+  - variable: tls.ui.publicDomain.key
+    show_if: "useCertManager=false"
+    description: "UI TLS's key"
+    label: "UI TLS's key"
+    type: string
+    group: "General"
+
+  - variable: useCustomTlsIssuer
+    show_if: "useCertManager=true"
+    label: Use your own TLS issuer
+    default: "false"
+    description: "Use your own TLS issuer"
+    type: boolean
+    group: "General"
+    show_subquestion_if: true
+    subquestions:
+    - variable: customTlsIssuer
+      label: Custom TLS issuer
+      description: "Name of the custom TLS issuer to use"
+      type: string
+      required: false
+
+  - variable: tlsIssuer
+    show_if: "useCertManager=true&&useCustomTlsIssuer=false"
+    label: TLS issuer
+    description: "Name of the predefined TLS issuer to use"
+    type: enum
+    required: false
+    group: "General"
+    options:
+      - "s3gw-ca"
+      - "s3gw-letsencrypt"
+
+  - variable: email
+    show_if: "useCertManager=true&&tlsIssuer=s3gw-letsencrypt"
+    label: email address to use with s3gw-letsencrypt
+    description: "email address to use with s3gw-letsencrypt"
+    type: string
+    required: false
+    group: "General"
+
   - variable: serviceName
     default: s3gw
     description: "S3 Service Name"
@@ -75,39 +159,6 @@ questions:
     type: string
     group: "General"
 
-  # TLS settings
-  - variable: tls.crt
-    show_if: ingress.enabled=true
-    description: |
-      TLS Certificate for the Gateway (base64 encoded, CN must match serviceName + publicDomain)
-    label: "TLS Cert"
-    required: false
-    type: string
-    group: "TLS"
-
-  - variable: tls.key
-    show_if: ingress.enabled=true
-    description: "TLS Key for the Gateway (base64 encoded)"
-    label: "TLS Key"
-    required: false
-    type: string
-    group: "TLS"
-
-  - variable: ui.tls.crt
-    show_if: ui.enabled=true && ingress.enabled=true
-    description: |
-      TLS Certificate for the UI (base64 encoded, CN must match ui.serviceName + ui.publicDomain)
-    label: "TLS Cert"
-    type: string
-    group: "TLS"
-
-  - variable: ui.tls.key
-    show_if: ui.enabled=true && ingress.enabled=true
-    description: "TLS Key for the UI (base64 encoded)"
-    label: "TLS Key"
-    type: string
-    group: "TLS"
-
   # Storage
   - variable: storageSize
     description: "Storage Size"

diff --git a/charts/s3gw/templates/certificate.yaml b/charts/s3gw/templates/certificate.yaml
@@ -0,0 +1,26 @@
+{{- if .Values.useCertManager }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: s3gw-cluster-ip
+  namespace: {{ .Release.Namespace }}
+spec:
+  subject:
+    countries:
+    - DE
+    localities:
+    - Nuremberg
+    organizationalUnits:
+    - Aquarist Labs
+    organizations:
+    - SUSE
+    provinces:
+    - Bavaria
+  commonName: '*.{{ .Values.serviceName }}.{{ .Release.Namespace }}.{{ .Values.privateDomain }}'
+  dnsNames:
+  - '{{ .Values.serviceName }}.{{ .Release.Namespace }}.{{ .Values.privateDomain }}'
+  issuerRef:
+    kind: Issuer
+    name: s3gw-ca
+  secretName: s3gw-cluster-ip-cert
+{{- end }}
diff --git a/charts/s3gw/templates/ingress-secret.yaml b/charts/s3gw/templates/ingress-secret.yaml
diff --git a/charts/s3gw/templates/ingress-traefik.yaml b/charts/s3gw/templates/ingress-traefik.yaml
@@ -1,4 +1,4 @@
-{{ if .Values.ingress.enabled }}
+{{- if .Values.ingress.enabled }}
 ---
 # Ingress
 apiVersion: networking.k8s.io/v1
@@ -12,12 +12,13 @@ metadata:
     traefik.ingress.kubernetes.io/router.tls: "true"
     traefik.ingress.kubernetes.io/router.middlewares:
       '{{ .Release.Namespace }}-cors-header@kubernetescrd'
+    cert-manager.io/cluster-issuer: {{ default .Values.tlsIssuer .Values.customTlsIssuer | quote }}
 spec:
   tls:
     - hosts:
         - '{{ .Values.serviceName }}.{{ .Values.publicDomain }}'
         - '*.{{ .Values.serviceName }}.{{ .Values.publicDomain }}'
-      secretName: 'certificates-{{ .Values.serviceName }}.{{ .Values.publicDomain }}'
+      secretName: s3gw-ingress-cert
   rules:
     - host: '{{ .Values.serviceName }}.{{ .Values.publicDomain }}'
       http:
@@ -87,11 +88,12 @@ metadata:
     traefik.ingress.kubernetes.io/router.tls: "true"
     traefik.ingress.kubernetes.io/router.middlewares:
       '{{ .Release.Namespace }}-cors-header@kubernetescrd'
+    cert-manager.io/cluster-issuer: {{ default .Values.tlsIssuer .Values.customTlsIssuer | quote }}
 spec:
   tls:
     - hosts:
         - '{{ .Values.ui.serviceName }}.{{ .Values.ui.publicDomain }}'
-      secretName: 'certificates-{{ .Values.ui.serviceName }}.{{ .Values.ui.publicDomain }}'
+      secretName: s3gw-ui-ingress-cert
   rules:
     - host: '{{ .Values.ui.serviceName }}.{{ .Values.ui.publicDomain }}'
       http:

diff --git a/charts/s3gw/templates/tls-issuer.yaml b/charts/s3gw/templates/tls-issuer.yaml
@@ -0,0 +1,58 @@
+{{- if .Values.useCertManager }}
+---
+# Self-signed issuer
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: s3gw-self-signed-issuer
+  namespace: {{ .Release.Namespace }}
+spec:
+  selfSigned: {}
+---
+# Private s3gw-ca issuer
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: s3gw-ca
+  namespace: {{ .Release.Namespace }}
+spec:
+  ca:
+    secretName: s3gw-ca-root
+---
+# Issue a root certificate
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: s3gw-ca
+  namespace: {{ .Release.Namespace }}
+spec:
+  commonName: s3gw-ca
+  isCA: true
+  issuerRef:
+    kind: ClusterIssuer
+    name: s3gw-self-signed-issuer
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  secretName: s3gw-ca-root
+{{- end }}
+# Let's encrypt production issuer
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: s3gw-letsencrypt
+spec:
+  acme:
+    email: {{ .Values.email }}
+    preferredChain: ""
+    privateKeySecretRef:
+      name: s3gw-letsencrypt
+    server: https://acme-v02.api.letsencrypt.org/directory
+    solvers:
+    - http01:
+        ingress:
+          ingressTemplate:
+            metadata:
+              annotations:
+                traefik.ingress.kubernetes.io/router.entrypoints: websecure
+                traefik.ingress.kubernetes.io/router.tls: "true"
diff --git a/charts/s3gw/templates/tls-secret.yaml b/charts/s3gw/templates/tls-secret.yaml
@@ -0,0 +1,46 @@
+{{- if not .Values.useCertManager }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: s3gw-ingress-cert
+  namespace: {{ .Release.Namespace }}
+  labels:
+{{ include "s3gw.labels" . | indent 4 }}
+type: kubernetes.io/tls
+data:
+  tls.crt: |
+    {{ .Values.tls.publicDomain.crt }}
+  tls.key: |
+    {{ .Values.tls.publicDomain.key }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: s3gw-cluster-ip-cert
+  namespace: {{ .Release.Namespace }}
+  labels:
+{{ include "s3gw.labels" . | indent 4 }}
+type: kubernetes.io/tls
+data:
+  tls.crt: |
+    {{ .Values.tls.privateDomain.crt }}
+  tls.key: |
+    {{ .Values.tls.privateDomain.key }}
+{{- if .Values.ui.enabled }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: s3gw-ui-ingress-cert
+  namespace: {{ .Release.Namespace }}
+  labels:
+{{ include "s3gw.labels" . | indent 4 }}
+type: kubernetes.io/tls
+data:
+  tls.crt: |
+    {{ .Values.tls.ui.publicDomain.crt }}
+  tls.key: |
+    {{ .Values.tls.ui.publicDomain.key }}
+{{- end }}
+{{- end }}