diff --git a/manifests/environments/nostromo/custom-certificates/README.md b/manifests/environments/nostromo/custom-certificates/README.md
new file mode 100644
index 00000000..bac2b1b5
--- /dev/null
+++ b/manifests/environments/nostromo/custom-certificates/README.md
@@ -0,0 +1,3 @@
+# References
+
+- [upstream we follow](https://epam.github.io/edp-install/operator-guide/ssl-automation-okd/#modify-openshift-router-and-api-server-custom-resources)
diff --git a/manifests/environments/nostromo/custom-certificates/api-server/api-server-certificate.yaml b/manifests/environments/nostromo/custom-certificates/api-server/api-server-certificate.yaml
new file mode 100644
index 00000000..1fab040a
--- /dev/null
+++ b/manifests/environments/nostromo/custom-certificates/api-server/api-server-certificate.yaml
@@ -0,0 +1,27 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: api-server-certificate
+ namespace: openshift-config
+spec:
+ subject:
+ organizations:
+ - "#B4mad"
+ issuerRef:
+ kind: ClusterIssuer
+ name: letsencrypt
+ secretName: api-server-certificate
+ secretTemplate:
+ annotations:
+ app.kubernetes.io/part-of: op1st-emea-b4mad-nostromo
+ privateKey:
+ algorithm: RSA
+ encoding: PKCS1
+ size: 4096
+ rotationPolicy: Always
+ usages:
+ - server auth
+ - client auth
+ dnsNames:
+ - "*.nostromo.erdgeschoss.b4mad.emea.operate-first.cloud"
+ - "*.apps.nostromo.erdgeschoss.b4mad.emea.operate-first.cloud"
diff --git a/manifests/environments/nostromo/default-ingress/default-ingress-certificate.yaml b/manifests/environments/nostromo/custom-certificates/default-ingress/default-ingress-certificate.yaml
similarity index 79%
rename from manifests/environments/nostromo/default-ingress/default-ingress-certificate.yaml
rename to manifests/environments/nostromo/custom-certificates/default-ingress/default-ingress-certificate.yaml
index 47143bf1..98645219 100644
--- a/manifests/environments/nostromo/default-ingress/default-ingress-certificate.yaml
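Review bot: The API-server certificate's `dnsNames` at the end of the hunk include `*.apps.nostromo.erdgeschoss.b4mad.emea.operate-first.cloud`, a name the API server never presents — the `APIServer` patch in `custom-certificates/kustomization.yaml` maps only `api.nostromo.erdgeschoss.b4mad.emea.operate-first.cloud`. A serving key kept in `openshift-config` should not also be valid for every application route, so limit the list to what this certificate is used for: drop the `*.apps.` line, and since the wildcard already implies DNS-01 on the (not visible) `letsencrypt` ClusterIssuer, the exact name `api.nostromo.erdgeschoss.b4mad.emea.operate-first.cloud` would serve equally well without a wildcard. With the SAN sets identical, this certificate and the default-ingress one also count against the same Let's Encrypt duplicate-certificate limit, so a burst of re-issues (`rotationPolicy: Always` re-keys on every issuance) can block one of them. `usages` listing `client auth` is likewise wider than a serving certificate needs; ACME issuers generally decide EKUs themselves, so it is harmless but misleading. The phobos counterpart, the `@@ -0,0 +1,27 @@` hunk of `phobos/custom-certificates/api-server/api-server-certificate.yaml`, has the same SAN set.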
+++ b/manifests/environments/nostromo/custom-certificates/default-ingress/default-ingress-certificate.yaml
@@ -1,10 +1,3 @@
----
-apiVersion: operator.openshift.io/v1
-kind: IngressController
-metadata:
- name: default
- namespace: openshift-ingress-operator
----
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
@@ -25,5 +18,10 @@ spec:
 algorithm: RSA
 encoding: PKCS1
 size: 4096
+ rotationPolicy: Always
+ usages:
+ - server auth
+ - client auth
 dnsNames:
+ - "*.nostromo.erdgeschoss.b4mad.emea.operate-first.cloud"
 - "*.apps.nostromo.erdgeschoss.b4mad.emea.operate-first.cloud"
diff --git a/manifests/environments/nostromo/custom-certificates/kustomization.yaml b/manifests/environments/nostromo/custom-certificates/kustomization.yaml
new file mode 100644
index 00000000..efbc864d
--- /dev/null
+++ b/manifests/environments/nostromo/custom-certificates/kustomization.yaml
@@ -0,0 +1,34 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - stubs/cluster-openshift-config.yaml
+ - stubs/default-openshift-ingress-operator.yaml
+
+ - api-server/api-server-certificate.yaml
+ - default-ingress/default-ingress-certificate.yaml
+
+patches:
+ - patch: |-
+ apiVersion: operator.openshift.io/v1
+ kind: IngressController
+ metadata:
+ name: default
+ namespace: openshift-ingress-operator
+ spec:
+ defaultCertificate:
+ name: default-ingress-certificate
+
+ - patch: |-
+ apiVersion: config.openshift.io/v1
+ kind: APIServer
+ metadata:
+ name: cluster
+ namespace: openshift-config
+ spec:
+ servingCerts:
+ namedCertificates:
+ - names:
+ - api.nostromo.erdgeschoss.b4mad.emea.operate-first.cloud
+ servingCertificate:
+ name: api-server-certificate
diff --git a/manifests/environments/nostromo/custom-certificates/stubs/cluster-openshift-config.yaml b/manifests/environments/nostromo/custom-certificates/stubs/cluster-openshift-config.yaml
new file mode 100644
index 00000000..15a5be73
--- /dev/null
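Review bot: The `*.nostromo.erdgeschoss.b4mad.emea.operate-first.cloud` entry added to `dnsNames` in the `@@ -25,5 +18,10 @@` hunk makes the router's default certificate valid for the bare cluster domain, including `api.nostromo.erdgeschoss.b4mad.emea.operate-first.cloud`, which this same commit gives the API server its own certificate for. Unless routes are really served under the cluster domain rather than `*.apps.` (nothing in the diff suggests so), remove that new line so the router's TLS secret cannot be used to present the API endpoint's name. The `client auth` usage added in the same hunk is also wider than a server certificate needs. The Certificate's `metadata` and the start of `spec` lie outside this hunk. The phobos rename hunk `@@ -25,5 +18,10 @@` on `phobos/custom-certificates/default-ingress/default-ingress-certificate.yaml` adds the equivalent `*.phobos.b4mad.emea.operate-first.cloud` entry and has the same issue.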
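Review bot: The inline `APIServer` patch and the `stubs/cluster-openshift-config.yaml` stub it targets both carry `namespace: openshift-config`, but `APIServer` in `config.openshift.io/v1` is a cluster-scoped resource; kubectl and Argo CD usually strip the namespace silently, yet the manifest misstates the object's scope and a stricter validator will reject it. Delete the `namespace: openshift-config` line from both the patch and the stub together — kustomize matches a patch to its target by kind, name and namespace, so changing only one side would leave the patch without a target (the `IngressController` entries are genuinely namespaced and are fine as written). Since the rendered output sets `spec.servingCerts` on `APIServer/cluster`, also confirm that no other kustomization in this repo manages the same object (audit or TLS profile), otherwise two applications will fight over it; that cannot be seen from the diff. The phobos kustomization hunk on `phobos/custom-certificates/kustomization.yaml` and both `stubs/cluster-openshift-config.yaml` hunks repeat the same namespace line.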
+++ b/manifests/environments/nostromo/custom-certificates/stubs/cluster-openshift-config.yaml
@@ -0,0 +1,5 @@
+apiVersion: config.openshift.io/v1
+kind: APIServer
+metadata:
+ name: cluster
+ namespace: openshift-config
diff --git a/manifests/environments/nostromo/custom-certificates/stubs/default-openshift-ingress-operator.yaml b/manifests/environments/nostromo/custom-certificates/stubs/default-openshift-ingress-operator.yaml
new file mode 100644
index 00000000..32cdb267
--- /dev/null
+++ b/manifests/environments/nostromo/custom-certificates/stubs/default-openshift-ingress-operator.yaml
@@ -0,0 +1,5 @@
+apiVersion: operator.openshift.io/v1
+kind: IngressController
+metadata:
+ name: default
+ namespace: openshift-ingress-operator
diff --git a/manifests/environments/nostromo/default-ingress/kustomization.yaml b/manifests/environments/nostromo/default-ingress/kustomization.yaml
deleted file mode 100644
index de94f5e9..00000000
--- a/manifests/environments/nostromo/default-ingress/kustomization.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
- - default-ingress-certificate.yaml
-
-patches:
- - patch: |-
- apiVersion: operator.openshift.io/v1
- kind: IngressController
- metadata:
- name: default
- namespace: openshift-ingress-operator
- spec:
- defaultCertificate:
- name: default-ingress-certificate
diff --git a/manifests/environments/nostromo/kustomization.yaml b/manifests/environments/nostromo/kustomization.yaml
index 8367e7fd..c4a677de 100644
--- a/manifests/environments/nostromo/kustomization.yaml
+++ b/manifests/environments/nostromo/kustomization.yaml
@@ -11,6 +11,7 @@ labels:
 resources:
 - ../../organizational-unit-scope/
+ - stubs/cluster-version.yaml
 - stubs/openshift-storage.yaml
 - admin-acks/
@@ -19,9 +20,8 @@ resources:
 - alertmanager-receivers/
 - cert-manager/
 - cluster-monitoring-config.yaml
- - cluster-version.yaml
 - crunchy-postgres/
- - default-ingress/
+ - custom-certificates/
 - grafana-operator/
 - idp/github-com.yaml
 - local-storage/
diff --git a/manifests/environments/nostromo/cluster-version.yaml b/manifests/environments/nostromo/stubs/cluster-version.yaml
similarity index 100%
rename from manifests/environments/nostromo/cluster-version.yaml
rename to manifests/environments/nostromo/stubs/cluster-version.yaml
diff --git a/manifests/environments/phobos/custom-certificates/README copy.md b/manifests/environments/phobos/custom-certificates/README copy.md
new file mode 100644
index 00000000..bac2b1b5
--- /dev/null
+++ b/manifests/environments/phobos/custom-certificates/README copy.md
@@ -0,0 +1,3 @@
+# References
+
+- [upstream we follow](https://epam.github.io/edp-install/operator-guide/ssl-automation-okd/#modify-openshift-router-and-api-server-custom-resources)
diff --git a/manifests/environments/phobos/custom-certificates/README.md b/manifests/environments/phobos/custom-certificates/README.md
new file mode 100644
index 00000000..bac2b1b5
--- /dev/null
+++ b/manifests/environments/phobos/custom-certificates/README.md
@@ -0,0 +1,3 @@
+# References
+
+- [upstream we follow](https://epam.github.io/edp-install/operator-guide/ssl-automation-okd/#modify-openshift-router-and-api-server-custom-resources)
diff --git a/manifests/environments/phobos/custom-certificates/api-server/api-server-certificate.yaml b/manifests/environments/phobos/custom-certificates/api-server/api-server-certificate.yaml
new file mode 100644
index 00000000..9a91faef
--- /dev/null
+++ b/manifests/environments/phobos/custom-certificates/api-server/api-server-certificate.yaml
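Review bot: `README copy.md` is added next to `README.md` in `phobos/custom-certificates/` with byte-identical content (both hunks are `@@ -0,0 +1,3 @@` and both resolve to blob `bac2b1b5`), which looks like a leftover from copying the nostromo directory. Delete `README copy.md`; a file name containing a space is also awkward for any script that walks the manifests tree.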
@@ -0,0 +1,27 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: api-server-certificate
+ namespace: openshift-config
+spec:
+ subject:
+ organizations:
+ - "#B4mad"
+ issuerRef:
+ kind: ClusterIssuer
+ name: letsencrypt
+ secretName: api-server-certificate
+ secretTemplate:
+ annotations:
+ app.kubernetes.io/part-of: op1st-emea-b4mad-phobos
+ privateKey:
+ algorithm: RSA
+ encoding: PKCS1
+ size: 4096
+ rotationPolicy: Always
+ usages:
+ - server auth
+ - client auth
+ dnsNames:
+ - "*.phobos.b4mad.emea.operate-first.cloud"
+ - "*.apps.phobos.b4mad.emea.operate-first.cloud"
diff --git a/manifests/environments/phobos/default-ingress-certificate.yaml b/manifests/environments/phobos/custom-certificates/default-ingress/default-ingress-certificate.yaml
similarity index 78%
rename from manifests/environments/phobos/default-ingress-certificate.yaml
rename to manifests/environments/phobos/custom-certificates/default-ingress/default-ingress-certificate.yaml
index 319a843d..f7f563e7 100644
--- a/manifests/environments/phobos/default-ingress-certificate.yaml
+++ b/manifests/environments/phobos/custom-certificates/default-ingress/default-ingress-certificate.yaml
@@ -1,10 +1,3 @@
----
-apiVersion: operator.openshift.io/v1
-kind: IngressController
-metadata:
- name: default
- namespace: openshift-ingress-operator
----
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
@@ -25,5 +18,10 @@ spec:
 algorithm: RSA
 encoding: PKCS1
 size: 4096
+ rotationPolicy: Always
+ usages:
+ - server auth
+ - client auth
 dnsNames:
+ - "*.phobos.b4mad.emea.operate-first.cloud"
 - "*.apps.phobos.b4mad.emea.operate-first.cloud"
diff --git a/manifests/environments/phobos/custom-certificates/kustomization.yaml b/manifests/environments/phobos/custom-certificates/kustomization.yaml
new file mode 100644
index 00000000..782da4cf
--- /dev/null
+++ b/manifests/environments/phobos/custom-certificates/kustomization.yaml
@@ -0,0 +1,34 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - stubs/cluster-openshift-config.yaml
+ - stubs/default-openshift-ingress-operator.yaml
+
+ - api-server/api-server-certificate.yaml
+ - default-ingress/default-ingress-certificate.yaml
+
+patches:
+ - patch: |-
+ apiVersion: operator.openshift.io/v1
+ kind: IngressController
+ metadata:
+ name: default
+ namespace: openshift-ingress-operator
+ spec:
+ defaultCertificate:
+ name: default-ingress-certificate
+
+ - patch: |-
+ apiVersion: config.openshift.io/v1
+ kind: APIServer
+ metadata:
+ name: cluster
+ namespace: openshift-config
+ spec:
+ servingCerts:
+ namedCertificates:
+ - names:
+ - api.phobos.b4mad.emea.operate-first.cloud
+ servingCertificate:
+ name: api-server-certificate
diff --git a/manifests/environments/phobos/custom-certificates/stubs/cluster-openshift-config.yaml b/manifests/environments/phobos/custom-certificates/stubs/cluster-openshift-config.yaml
new file mode 100644
index 00000000..15a5be73
--- /dev/null
+++ b/manifests/environments/phobos/custom-certificates/stubs/cluster-openshift-config.yaml
@@ -0,0 +1,5 @@
+apiVersion: config.openshift.io/v1
+kind: APIServer
+metadata:
+ name: cluster
+ namespace: openshift-config
diff --git a/manifests/environments/phobos/custom-certificates/stubs/default-openshift-ingress-operator.yaml b/manifests/environments/phobos/custom-certificates/stubs/default-openshift-ingress-operator.yaml
new file mode 100644
index 00000000..32cdb267
--- /dev/null
+++ b/manifests/environments/phobos/custom-certificates/stubs/default-openshift-ingress-operator.yaml
@@ -0,0 +1,5 @@
+apiVersion: operator.openshift.io/v1
+kind: IngressController
+metadata:
+ name: default
+ namespace: openshift-ingress-operator
diff --git a/manifests/environments/phobos/kustomization.yaml b/manifests/environments/phobos/kustomization.yaml
index be817bc4..d54f2c52 100644
--- a/manifests/environments/phobos/kustomization.yaml
+++ b/manifests/environments/phobos/kustomization.yaml
@@ -17,7 +17,7 @@ resources:
 - cert-manager-operator/
 - cluster-monitoring-config.yaml
 - crunchy-postgres/
- - default-ingress-certificate.yaml
+ - custom-certificates/
 - grafana-operator/
 - local-storage/
 - lvm-storage/