From 791b998ada5990c31ebdf0624f82487a555be7c1 Mon Sep 17 00:00:00 2001
From: Craig Johnston
Date: Sat, 22 Jul 2023 11:58:20 -0700
Subject: [PATCH] updated documentation

---
 README.md | 38 +-----------------
 .../100-cluster-issuer-ca-bootstrap.yml | 6 +++
 .../120-certificate-ca-root.yml | 15 +++++++
 .../130-cluster-issuer-ca-root.yml | 7 ++++
 k8s/000-cert-manager/README.md | 8 ++++
 k8s/21-certificate-webhook-server.yml | 21 ++++++++++
 k8s/22-certificate-webhook-client.yml | 21 ++++++++++
 k8s/30-deployment.yml | 8 ++--
 k8s/80-webhook.yml | 2 +-
 k8s/README.md | 39 +++++++++++++++++++
 10 files changed, 124 insertions(+), 41 deletions(-)
 create mode 100644 k8s/000-cert-manager/100-cluster-issuer-ca-bootstrap.yml
 create mode 100644 k8s/000-cert-manager/120-certificate-ca-root.yml
 create mode 100644 k8s/000-cert-manager/130-cluster-issuer-ca-root.yml
 create mode 100644 k8s/000-cert-manager/README.md
 create mode 100644 k8s/21-certificate-webhook-server.yml
 create mode 100644 k8s/22-certificate-webhook-client.yml
 create mode 100644 k8s/README.md

diff --git a/README.md b/README.md
index c474235..07d6bae 100644
--- a/README.md
+++ b/README.md
@@ -59,43 +59,7 @@ Refer to the example implementation at [txn2/amp-wh-example](https://github.com/
 ## Install
-```shell script
-git clone git@github.com:txn2/amp.git
-cd amp
-
-# create amp-system namespace
-kubectl apply -f ./k8s/00-namespace.yml
-```
-
-Create Certificate as Kubernets Secret in the new `amp-system` Namespace:
-
-```shell script
-curl https://raw.githubusercontent.com/IBM/istio101/master/presentation/scripts/install/kubernetes/webhook-create-signed-cert.sh -o cert-gen.sh
-
-chmod 775 cert-gen.sh
-
-./cert-gen.sh --service amp --namespace amp-system --secret amp-cert
-```
-
-Create RBAC access controls, a Service and `amp` Deployment:
-```shell script
-# setup rbac for apm
-kubectl apply -f ./k8s/01-rbac.yml
-
-# create the amp service used by the webhook configuration
-kubectl apply -f ./k8s/10-service.yml
-
-# create the amp deployment
-kubectl apply -f ./k8s/30-deployment.yml
-```
-
-```shell script
-kubectl apply -f ./k8s/80-webhook.yml
-```
-
-## TLS Certificates
-
-NOTE: AMP appemts to reload certificates
+see [k8s/README.md](k8s/README.md)
 ## Development
diff --git a/k8s/000-cert-manager/100-cluster-issuer-ca-bootstrap.yml b/k8s/000-cert-manager/100-cluster-issuer-ca-bootstrap.yml
new file mode 100644
index 0000000..2d523cd
--- /dev/null
+++ b/k8s/000-cert-manager/100-cluster-issuer-ca-bootstrap.yml
@@ -0,0 +1,6 @@
+kind: ClusterIssuer
+apiVersion: cert-manager.io/v1
+metadata:
+ name: ca-bootstrap
+spec:
+ selfSigned: {}
\ No newline at end of file
diff --git a/k8s/000-cert-manager/120-certificate-ca-root.yml b/k8s/000-cert-manager/120-certificate-ca-root.yml
new file mode 100644
index 0000000..6759d5b
--- /dev/null
+++ b/k8s/000-cert-manager/120-certificate-ca-root.yml
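Review bot: The three new manifests under k8s/000-cert-manager (this file, 120-certificate-ca-root.yml and 130-cluster-issuer-ca-root.yml) end without a trailing newline and omit the `---` document start, while the two new Certificate files under k8s/ have both; for consistency give each a `---` first line and a final newline. A one-line header would also help a reader who meets the bootstrap issuer first, e.g. `# Self-signed bootstrap issuer: used only to sign the ca-root CA certificate in 120-certificate-ca-root.yml; workloads should issue from the ca-root ClusterIssuer instead`.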
@@ -0,0 +1,15 @@
+kind: Certificate
+apiVersion: cert-manager.io/v1
+metadata:
+ name: ca-root
+ namespace: cert-manager
+spec:
+ secretName: ca-root
+ isCA: true
+ commonName: ca-root
+ privateKey:
+ algorithm: RSA
+ size: 2048
+ issuerRef:
+ kind: ClusterIssuer
+ name: ca-bootstrap
\ No newline at end of file
diff --git a/k8s/000-cert-manager/130-cluster-issuer-ca-root.yml b/k8s/000-cert-manager/130-cluster-issuer-ca-root.yml
new file mode 100644
index 0000000..5c31f8c
--- /dev/null
+++ b/k8s/000-cert-manager/130-cluster-issuer-ca-root.yml
@@ -0,0 +1,7 @@
+kind: ClusterIssuer
+apiVersion: cert-manager.io/v1
+metadata:
+ name: ca-root
+spec:
+ ca:
+ secretName: ca-root
\ No newline at end of file
diff --git a/k8s/000-cert-manager/README.md b/k8s/000-cert-manager/README.md
new file mode 100644
index 0000000..551f449
--- /dev/null
+++ b/k8s/000-cert-manager/README.md
@@ -0,0 +1,8 @@
+# Cert Manager as Certificate Authority
+
+This allows Cert Manager to act as a certificate authority, providing and validating certificates for internal projects.
+
+see:
+- https://cert-manager.io/docs/concepts/ca-injector/
+- https://trstringer.com/admission-control-cert-manager/
+
diff --git a/k8s/21-certificate-webhook-server.yml b/k8s/21-certificate-webhook-server.yml
new file mode 100644
index 0000000..e7e9533
--- /dev/null
+++ b/k8s/21-certificate-webhook-server.yml
@@ -0,0 +1,21 @@
+kind: Certificate
+apiVersion: cert-manager.io/v1
+metadata:
+ name: server
+ namespace: amp-system
+spec:
+ issuerRef:
+ name: ca-root # see ./000-cert-manager/README.md
+ kind: ClusterIssuer
+ secretName: server-cert
+ duration: 2160h
+ renewBefore: 240h
+ dnsNames:
+ - amp.amp-system.svc
+ isCA: false
+ privateKey:
+ algorithm: RSA
+ size: 2048
+ usages:
+ - client auth
+ - server auth
diff --git a/k8s/22-certificate-webhook-client.yml b/k8s/22-certificate-webhook-client.yml
new file mode 100644
index 0000000..82757f8
--- /dev/null
+++ b/k8s/22-certificate-webhook-client.yml
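Review bot: The root CA Certificate sets no `duration` or `renewBefore`, so it inherits cert-manager's defaults, which are sized for leaf certificates (90 days at the time of writing) rather than for a CA that every issued certificate and the injected webhook trust bundle chain to; each CA renewal may leave consumers that captured the old CA distrusting newly issued leaves until their bundle is refreshed. Set both explicitly, for example `duration: 43800h` and `renewBefore: 8760h` (values to be chosen by the project), and consider `privateKey.rotationPolicy: Always` so the CA key is not reused across renewals. The `namespace: cert-manager` line is load-bearing and deserves a comment: a `ca` ClusterIssuer (130-cluster-issuer-ca-root.yml in this commit) reads its Secret from the controller's cluster resource namespace, which is `cert-manager` unless `--cluster-resource-namespace` was changed, so `namespace: cert-manager  # must be cert-manager's cluster resource namespace; the ca-root ClusterIssuer reads this Secret from there` would stop a well-meaning relocation from silently breaking issuance.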
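Review bot: `usages` on the server certificate grants `client auth`, which the webhook's serving endpoint does not need; least privilege here is `server auth` alone. Listing `usages` explicitly also replaces cert-manager's default key usages rather than extending them, so `digital signature` and `key encipherment` should be added back if those defaults are wanted (please confirm against the cert-manager version in use). `dnsNames` correctly matches the service reference `amp` in `amp-system` used by 80-webhook.yml; adding `amp.amp-system.svc.cluster.local` would also cover in-cluster clients that dial the FQDN. With `duration: 2160h` and `renewBefore: 240h` the certificate is reissued roughly every 80 days, and `privateKey.rotationPolicy: Always` would make each reissue also rotate the key instead of reusing it.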
@@ -0,0 +1,21 @@
+kind: Certificate
+apiVersion: cert-manager.io/v1
+metadata:
+ name: client
+ namespace: amp-system
+spec:
+ issuerRef:
+ name: ca-root # see ./000-cert-manager/README.md
+ kind: ClusterIssuer
+ secretName: client-cert
+ duration: 2160h
+ renewBefore: 240h
+ dnsNames:
+ - amp.txn2.com # webhook. see 80-webhook.yml
+ isCA: false
+ privateKey:
+ algorithm: RSA
+ size: 2048
+ usages:
+ - client auth
+ - server auth
diff --git a/k8s/30-deployment.yml b/k8s/30-deployment.yml
index 78bf27b..eb1fbcd 100644
--- a/k8s/30-deployment.yml
+++ b/k8s/30-deployment.yml
@@ -23,7 +23,7 @@ spec:
 volumes:
 - name: cert-vol
 secret:
- secretName: amp-cert
+ secretName: server-cert
 containers:
 - name: amp
 image: txn2/amp:latest
@@ -35,8 +35,10 @@ spec:
 value: "8443"
 - name: MODE
 value: "release"
- - name: CERT_PATH
- value: "/cert"
+ - name: CERT_PATH_CRT
+ value: "/cert/tls.crt"
+ - name: CERT_PATH_KEY
+ value: "/cert/tls.key"
 ports:
 - name: http-int
 containerPort: 8443
diff --git a/k8s/80-webhook.yml b/k8s/80-webhook.yml
index 7fcd40c..16cd92e 100644
--- a/k8s/80-webhook.yml
+++ b/k8s/80-webhook.yml
@@ -14,7 +14,7 @@ webhooks:
 name: amp
 namespace: amp-system
 path: "/mutate"
- caBundle: REPLACE
+ # caBundle: REPLACE or use cert-manager (see 000-cert-manager/README.md
 rules:
 - operations: ["CREATE"]
 apiGroups: [""]
diff --git a/k8s/README.md b/k8s/README.md
new file mode 100644
index 0000000..12405b8
--- /dev/null
+++ b/k8s/README.md
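Review bot: Nothing in this commit consumes the `client-cert` Secret this Certificate produces: 80-webhook.yml reaches the webhook through a service reference, and the kube-apiserver takes the client credentials it presents to admission webhooks from its own admission configuration, not from a Secret in a workload namespace, so unless something outside the diff reads `client-cert` this manifest (and the README step that applies it) is dead configuration. If it is meant as a client identity, `usages` should be `client auth` only rather than also `server auth`, and `dnsNames: - amp.txn2.com` is a server SAN that has no place on a client certificate; the attached comment `# webhook. see 80-webhook.yml` does not hold up, since 80-webhook.yml contains no URL for that host. Either add a comment on `secretName: client-cert` naming the component that mounts it, or drop the file.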
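Review bot: Pointing the volume at `server-cert` and splitting CERT_PATH into `CERT_PATH_CRT`/`CERT_PATH_KEY` (the second hunk, at @@ -35,8) lines up with the `tls.crt`/`tls.key` keys cert-manager writes, but the renewal path is undocumented: per 21-certificate-webhook-server.yml the Secret is rewritten roughly every 80 days, a mounted Secret updates in place, and the container must re-read the files or be restarted or it keeps serving the old certificate. A comment on the volume records that expectation, e.g. `secretName: server-cert  # written and periodically renewed by cert-manager (21-certificate-webhook-server.yml); amp must reload or be restarted to pick up the new files`. Separately, the new k8s/README.md in this commit never applies 30-deployment.yml (its "Create AMP deployment" block runs `kubectl apply -f 80-webhook.yml`), so anyone following the documented steps never creates the Deployment that mounts the renamed Secret.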
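Review bot: Commenting out `caBundle` removes the webhook's trust anchor without adding the replacement: for cert-manager's ca-injector to fill the field, the MutatingWebhookConfiguration needs the annotation `cert-manager.io/inject-ca-from: amp-system/server` in its metadata (outside this hunk), which this commit does not add, and with neither the apiserver has no way to validate the serving certificate issued by the internal `ca-root` CA, so the webhook call will fail and the admission outcome then depends on the configured failurePolicy. Add the annotation (the ca-injector page the commit links describes exactly this) or keep a `caBundle` that is filled in at deploy time. The new comment also has an unbalanced parenthesis and would read better as `# caBundle: REPLACE, or use cert-manager's ca-injector via the inject-ca-from annotation (see 000-cert-manager/README.md)`.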
@@ -0,0 +1,39 @@
+# AMP System
+
+Create the `amp-system` Kubernetes namespace.
+```shell
+kubectl apply -f ./00-namespace.yml
+```
+
+Create the `amp-system` ServiceAccount, ClusterRole and ClusterRoleBinding
+```shell
+kubectl apply -f ./01-rbac.yml
+```
+
+Create the `amp-system` Service
+```shell
+kubectl apply -f ./10-service.yml
+```
+
+If using cert-manager (recommended), see ./000-cert-manager/README.md
+
+Create `server` certificate for AMP
+```shell
+kubectl apply -f ./21-certificate-webhook-server.yml
+```
+
+Create `client` certificate for MutatingWebhookConfiguration
+```shell
+kubectl apply -f ./22-certificate-webhook-client.yml
+```
+
+Create AMP deployment:
+```shell
+kubectl apply -f 80-webhook.yml
+```
+
+Create MutatingWebhookConfiguration:
+
+```shell
+kubectl apply -f 80-webhook.yml
+```
\ No newline at end of file