feat: custom certs for api-server

Signed-off-by: Christoph Görn <[email protected]>
goern · Apr 29, 2024 · 800e547 · 800e547
1 parent f86520d
commit 800e547
Show file tree

Hide file tree

Showing 17 changed files with 164 additions and 33 deletions.
diff --git a/manifests/environments/nostromo/custom-certificates/README.md b/manifests/environments/nostromo/custom-certificates/README.md
@@ -0,0 +1,3 @@
+# References
+
+- [upstream we follow](https://epam.github.io/edp-install/operator-guide/ssl-automation-okd/#modify-openshift-router-and-api-server-custom-resources)
diff --git a/manifests/environments/nostromo/custom-certificates/api-server/api-server-certificate.yaml b/manifests/environments/nostromo/custom-certificates/api-server/api-server-certificate.yaml
@@ -0,0 +1,27 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: api-server-certificate
+  namespace: openshift-config
+spec:
+  subject:
+    organizations:
+      - "#B4mad"
+  issuerRef:
+    kind: ClusterIssuer
+    name: letsencrypt
+  secretName: api-server-certificate
+  secretTemplate:
+    annotations:
+      app.kubernetes.io/part-of: op1st-emea-b4mad-nostromo
+  privateKey:
+    algorithm: RSA
+    encoding: PKCS1
+    size: 4096
+    rotationPolicy: Always
+  usages:
+    - server auth
+    - client auth
+  dnsNames:
+    - "*.nostromo.erdgeschoss.b4mad.emea.operate-first.cloud"
+    - "*.apps.nostromo.erdgeschoss.b4mad.emea.operate-first.cloud"
diff --git a/...-ingress/default-ingress-certificate.yaml → ...-ingress/default-ingress-certificate.yaml b/...-ingress/default-ingress-certificate.yaml → ...-ingress/default-ingress-certificate.yaml
@@ -1,10 +1,3 @@
----
-apiVersion: operator.openshift.io/v1
-kind: IngressController
-metadata:
-  name: default
-  namespace: openshift-ingress-operator
----
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
@@ -25,5 +18,10 @@ spec:
     algorithm: RSA
     encoding: PKCS1
     size: 4096
+    rotationPolicy: Always
+  usages:
+    - server auth
+    - client auth
   dnsNames:
+    - "*.nostromo.erdgeschoss.b4mad.emea.operate-first.cloud"
     - "*.apps.nostromo.erdgeschoss.b4mad.emea.operate-first.cloud"
diff --git a/manifests/environments/nostromo/custom-certificates/kustomization.yaml b/manifests/environments/nostromo/custom-certificates/kustomization.yaml
@@ -0,0 +1,34 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - stubs/cluster-openshift-config.yaml
+  - stubs/default-openshift-ingress-operator.yaml
+
+  - api-server/api-server-certificate.yaml
+  - default-ingress/default-ingress-certificate.yaml
+
+patches:
+  - patch: |-
+      apiVersion: operator.openshift.io/v1
+      kind: IngressController
+      metadata:
+        name: default
+        namespace: openshift-ingress-operator
+      spec:
+        defaultCertificate:
+          name: default-ingress-certificate
+
+  - patch: |-
+      apiVersion: config.openshift.io/v1
+      kind: APIServer
+      metadata:
+        name: cluster
+        namespace: openshift-config
+      spec:
+        servingCerts:
+          namedCertificates:
+          - names:
+            - api.nostromo.erdgeschoss.b4mad.emea.operate-first.cloud
+            servingCertificate:
+              name: api-server-certificate
diff --git a/manifests/environments/nostromo/custom-certificates/stubs/cluster-openshift-config.yaml b/manifests/environments/nostromo/custom-certificates/stubs/cluster-openshift-config.yaml
@@ -0,0 +1,5 @@
+apiVersion: config.openshift.io/v1
+kind: APIServer
+metadata:
+  name: cluster
+  namespace: openshift-config
diff --git a/...s/environments/nostromo/custom-certificates/stubs/default-openshift-ingress-operator.yaml b/...s/environments/nostromo/custom-certificates/stubs/default-openshift-ingress-operator.yaml
@@ -0,0 +1,5 @@
+apiVersion: operator.openshift.io/v1
+kind: IngressController
+metadata:
+  name: default
+  namespace: openshift-ingress-operator
diff --git a/manifests/environments/nostromo/default-ingress/kustomization.yaml b/manifests/environments/nostromo/default-ingress/kustomization.yaml
diff --git a/manifests/environments/nostromo/kustomization.yaml b/manifests/environments/nostromo/kustomization.yaml
@@ -11,6 +11,7 @@ labels:
 resources:
   - ../../organizational-unit-scope/
 
+  - stubs/cluster-version.yaml
   - stubs/openshift-storage.yaml
 
   - admin-acks/
@@ -19,9 +20,8 @@ resources:
   - alertmanager-receivers/
   - cert-manager/
   - cluster-monitoring-config.yaml
-  - cluster-version.yaml
   - crunchy-postgres/
-  - default-ingress/
+  - custom-certificates/
   - grafana-operator/
   - idp/github-com.yaml
   - local-storage/

diff --git a/...nvironments/nostromo/cluster-version.yaml → ...ments/nostromo/stubs/cluster-version.yaml b/...nvironments/nostromo/cluster-version.yaml → ...ments/nostromo/stubs/cluster-version.yaml
diff --git a/manifests/environments/phobos/custom-certificates/README copy.md b/manifests/environments/phobos/custom-certificates/README copy.md
@@ -0,0 +1,3 @@
+# References
+
+- [upstream we follow](https://epam.github.io/edp-install/operator-guide/ssl-automation-okd/#modify-openshift-router-and-api-server-custom-resources)
diff --git a/manifests/environments/phobos/custom-certificates/README.md b/manifests/environments/phobos/custom-certificates/README.md
@@ -0,0 +1,3 @@
+# References
+
+- [upstream we follow](https://epam.github.io/edp-install/operator-guide/ssl-automation-okd/#modify-openshift-router-and-api-server-custom-resources)
diff --git a/manifests/environments/phobos/custom-certificates/api-server/api-server-certificate.yaml b/manifests/environments/phobos/custom-certificates/api-server/api-server-certificate.yaml
@@ -0,0 +1,27 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: api-server-certificate
+  namespace: openshift-config
+spec:
+  subject:
+    organizations:
+      - "#B4mad"
+  issuerRef:
+    kind: ClusterIssuer
+    name: letsencrypt
+  secretName: api-server-certificate
+  secretTemplate:
+    annotations:
+      app.kubernetes.io/part-of: op1st-emea-b4mad-phobos
+  privateKey:
+    algorithm: RSA
+    encoding: PKCS1
+    size: 4096
+    rotationPolicy: Always
+  usages:
+    - server auth
+    - client auth
+  dnsNames:
+    - "*.phobos.b4mad.emea.operate-first.cloud"
+    - "*.apps.phobos.b4mad.emea.operate-first.cloud"
diff --git a/...s/phobos/default-ingress-certificate.yaml → ...-ingress/default-ingress-certificate.yaml b/...s/phobos/default-ingress-certificate.yaml → ...-ingress/default-ingress-certificate.yaml
@@ -1,10 +1,3 @@
----
-apiVersion: operator.openshift.io/v1
-kind: IngressController
-metadata:
-  name: default
-  namespace: openshift-ingress-operator
----
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
@@ -25,5 +18,10 @@ spec:
     algorithm: RSA
     encoding: PKCS1
     size: 4096
+    rotationPolicy: Always
+  usages:
+    - server auth
+    - client auth
   dnsNames:
+    - "*.phobos.b4mad.emea.operate-first.cloud"
     - "*.apps.phobos.b4mad.emea.operate-first.cloud"
diff --git a/manifests/environments/phobos/custom-certificates/kustomization.yaml b/manifests/environments/phobos/custom-certificates/kustomization.yaml
@@ -0,0 +1,34 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - stubs/cluster-openshift-config.yaml
+  - stubs/default-openshift-ingress-operator.yaml
+
+  - api-server/api-server-certificate.yaml
+  - default-ingress/default-ingress-certificate.yaml
+
+patches:
+  - patch: |-
+      apiVersion: operator.openshift.io/v1
+      kind: IngressController
+      metadata:
+        name: default
+        namespace: openshift-ingress-operator
+      spec:
+        defaultCertificate:
+          name: default-ingress-certificate
+
+  - patch: |-
+      apiVersion: config.openshift.io/v1
+      kind: APIServer
+      metadata:
+        name: cluster
+        namespace: openshift-config
+      spec:
+        servingCerts:
+          namedCertificates:
+          - names:
+            - api.phobos.b4mad.emea.operate-first.cloud
+            servingCertificate:
+              name: api-server-certificate
diff --git a/manifests/environments/phobos/custom-certificates/stubs/cluster-openshift-config.yaml b/manifests/environments/phobos/custom-certificates/stubs/cluster-openshift-config.yaml
@@ -0,0 +1,5 @@
+apiVersion: config.openshift.io/v1
+kind: APIServer
+metadata:
+  name: cluster
+  namespace: openshift-config
diff --git a/...sts/environments/phobos/custom-certificates/stubs/default-openshift-ingress-operator.yaml b/...sts/environments/phobos/custom-certificates/stubs/default-openshift-ingress-operator.yaml
@@ -0,0 +1,5 @@
+apiVersion: operator.openshift.io/v1
+kind: IngressController
+metadata:
+  name: default
+  namespace: openshift-ingress-operator
diff --git a/manifests/environments/phobos/kustomization.yaml b/manifests/environments/phobos/kustomization.yaml
@@ -17,7 +17,7 @@ resources:
   - cert-manager-operator/
   - cluster-monitoring-config.yaml
   - crunchy-postgres/
-  - default-ingress-certificate.yaml
+  - custom-certificates/
   - grafana-operator/
   - local-storage/
   - lvm-storage/
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,3 @@
		# References

		- [upstream we follow](https://epam.github.io/edp-install/operator-guide/ssl-automation-okd/#modify-openshift-router-and-api-server-custom-resources)