updated documentation

txn2 · Jul 22, 2023 · 791b998 · 791b998
1 parent 8ebaefb
commit 791b998
Show file tree

Hide file tree

Showing 10 changed files with 124 additions and 41 deletions.
diff --git a/README.md b/README.md
@@ -59,43 +59,7 @@ Refer to the example implementation at [txn2/amp-wh-example](https://github.com/
 
 ## Install
 
-```shell script
-git clone git@github.com:txn2/amp.git
-cd amp
-
-# create amp-system namespace
-kubectl apply -f ./k8s/00-namespace.yml
-```
-
-Create Certificate as Kubernets Secret in the new `amp-system` Namespace:
-
-```shell script
-curl https://raw.githubusercontent.com/IBM/istio101/master/presentation/scripts/install/kubernetes/webhook-create-signed-cert.sh -o cert-gen.sh
-
-chmod 775 cert-gen.sh
-
-./cert-gen.sh --service amp --namespace amp-system --secret amp-cert
-```
-
-Create RBAC access controls, a Service and `amp` Deployment:
-```shell script
-# setup rbac for apm
-kubectl apply -f ./k8s/01-rbac.yml
-
-# create the amp service used by the webhook configuration
-kubectl apply -f ./k8s/10-service.yml
-
-# create the amp deployment
-kubectl apply -f ./k8s/30-deployment.yml
-```
-
-```shell script
-kubectl apply -f ./k8s/80-webhook.yml
-```
-
-## TLS Certificates
-
-NOTE: AMP appemts to reload certificates 
+see [k8s/README.md](k8s/README.md)
 
 ## Development
 

diff --git a/k8s/000-cert-manager/100-cluster-issuer-ca-bootstrap.yml b/k8s/000-cert-manager/100-cluster-issuer-ca-bootstrap.yml
@@ -0,0 +1,6 @@
+kind: ClusterIssuer
+apiVersion: cert-manager.io/v1
+metadata:
+  name: ca-bootstrap
+spec:
+  selfSigned: {}
diff --git a/k8s/000-cert-manager/120-certificate-ca-root.yml b/k8s/000-cert-manager/120-certificate-ca-root.yml
@@ -0,0 +1,15 @@
+kind: Certificate
+apiVersion: cert-manager.io/v1
+metadata:
+  name: ca-root
+  namespace: cert-manager
+spec:
+  secretName: ca-root
+  isCA: true
+  commonName: ca-root
+  privateKey:
+    algorithm: RSA
+    size: 2048
+  issuerRef:
+    kind: ClusterIssuer
+    name: ca-bootstrap
diff --git a/k8s/000-cert-manager/130-cluster-issuer-ca-root.yml b/k8s/000-cert-manager/130-cluster-issuer-ca-root.yml
@@ -0,0 +1,7 @@
+kind: ClusterIssuer
+apiVersion: cert-manager.io/v1
+metadata:
+  name: ca-root
+spec:
+  ca:
+    secretName: ca-root
diff --git a/k8s/000-cert-manager/README.md b/k8s/000-cert-manager/README.md
@@ -0,0 +1,8 @@
+# Cert Manager as Certificate Authority
+
+This allows Cert Manager to act as a certificate authority, providing and validating certificates for internal projects.
+
+see:
+- https://cert-manager.io/docs/concepts/ca-injector/
+- https://trstringer.com/admission-control-cert-manager/
+
diff --git a/k8s/21-certificate-webhook-server.yml b/k8s/21-certificate-webhook-server.yml
@@ -0,0 +1,21 @@
+kind: Certificate
+apiVersion: cert-manager.io/v1
+metadata:
+  name: server
+  namespace: amp-system
+spec:
+  issuerRef:
+    name: ca-root # see ./000-cert-manager/README.md
+    kind: ClusterIssuer
+  secretName: server-cert
+  duration: 2160h
+  renewBefore: 240h
+  dnsNames:
+    - amp.amp-system.svc
+  isCA: false
+  privateKey:
+    algorithm: RSA
+    size: 2048
+  usages:
+    - client auth
+    - server auth
diff --git a/k8s/22-certificate-webhook-client.yml b/k8s/22-certificate-webhook-client.yml
@@ -0,0 +1,21 @@
+kind: Certificate
+apiVersion: cert-manager.io/v1
+metadata:
+  name: client
+  namespace: amp-system
+spec:
+  issuerRef:
+    name: ca-root # see ./000-cert-manager/README.md
+    kind: ClusterIssuer
+  secretName: client-cert
+  duration: 2160h
+  renewBefore: 240h
+  dnsNames:
+    - amp.txn2.com # webhook. see 80-webhook.yml
+  isCA: false
+  privateKey:
+    algorithm: RSA
+    size: 2048
+  usages:
+    - client auth
+    - server auth
diff --git a/k8s/30-deployment.yml b/k8s/30-deployment.yml
@@ -23,7 +23,7 @@ spec:
       volumes:
         - name: cert-vol
           secret:
-            secretName: amp-cert
+            secretName: server-cert
       containers:
         - name: amp
           image: txn2/amp:latest
@@ -35,8 +35,10 @@ spec:
               value: "8443"
             - name: MODE
               value: "release"
-            - name: CERT_PATH
-              value: "/cert"
+            - name: CERT_PATH_CRT
+              value: "/cert/tls.crt"
+            - name: CERT_PATH_KEY
+              value: "/cert/tls.key"
           ports:
             - name: http-int
               containerPort: 8443

diff --git a/k8s/80-webhook.yml b/k8s/80-webhook.yml
@@ -14,7 +14,7 @@ webhooks:
         name: amp
         namespace: amp-system
         path: "/mutate"
-      caBundle: REPLACE
+      # caBundle: REPLACE or use cert-manager (see 000-cert-manager/README.md
     rules:
       - operations: ["CREATE"]
         apiGroups: [""]

diff --git a/k8s/README.md b/k8s/README.md
@@ -0,0 +1,39 @@
+# AMP System
+
+Create the `amp-system` Kubernetes namespace.
+```shell
+kubectl apply -f ./00-namespace.yml
+```
+
+Create the `amp-system` ServiceAccount, ClusterRole and ClusterRoleBinding
+```shell
+kubectl apply -f ./01-rbac.yml
+```
+
+Create the `amp-system` Service
+```shell
+kubectl apply -f ./10-service.yml
+```
+
+If using cert-manager (recommended), see ./000-cert-manager/README.md
+
+Create `server` certificate for AMP
+```shell
+kubectl apply -f ./21-certificate-webhook-server.yml
+```
+
+Create `client` certificate for MutatingWebhookConfiguration
+```shell
+kubectl apply -f ./22-certificate-webhook-client.yml
+```
+
+Create AMP deployment:
+```shell
+kubectl apply -f 80-webhook.yml
+```
+
+Create MutatingWebhookConfiguration:
+
+```shell
+kubectl apply -f 80-webhook.yml
+```