diff --git a/CHANGELOG.md b/CHANGELOG.md
index 82499053..e95d2441 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,7 +7,10 @@ and this project's packages adheres to [Semantic Versioning](http://semver.org/s ## [Unreleased] -- Service: Add CAPA support. +### Added + +- Service: Add CAPA support. ([#380](https://github.com/giantswarm/nginx-ingress-controller-app/pull/380)) +- Webhook: Use `cert-manager` for certificate lifecycle management. ([#386](https://github.com/giantswarm/nginx-ingress-controller-app/pull/386)) ## [2.21.0] - 2023-01-02
diff --git a/helm/nginx-ingress-controller-app/templates/admission-webhooks/cert-manager.yaml b/helm/nginx-ingress-controller-app/templates/admission-webhooks/cert-manager.yaml
new file mode 100644
index 00000000..55fab471
--- /dev/null
+++ b/helm/nginx-ingress-controller-app/templates/admission-webhooks/cert-manager.yaml
@@ -0,0 +1,63 @@
+{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.certManager.enabled -}}
+{{- if not .Values.controller.admissionWebhooks.certManager.issuerRef -}}
+# Create a selfsigned Issuer, in order to create a root CA certificate for
+# signing webhook serving certificates
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: {{ include "ingress-nginx.fullname" . }}-self-signed-issuer
+ namespace: {{ .Release.Namespace }}
+spec:
+ selfSigned: {}
+---
+# Generate a CA Certificate used to sign certificates for the webhook
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ include "ingress-nginx.fullname" . }}-root-cert
+ namespace: {{ .Release.Namespace }}
+spec:
+ secretName: {{ include "ingress-nginx.fullname" . }}-root-cert
+ duration: {{ .Values.controller.admissionWebhooks.certManager.rootCert.duration | default "43800h0m0s" | quote }}
+ issuerRef:
+ name: {{ include "ingress-nginx.fullname" . }}-self-signed-issuer
+ commonName: "ca.webhook.ingress-nginx"
+ isCA: true
+ subject:
+ organizations:
+ - ingress-nginx
+---
+# Create an Issuer that uses the above generated CA certificate to issue certs
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: {{ include "ingress-nginx.fullname" . }}-root-issuer
+ namespace: {{ .Release.Namespace }}
+spec:
+ ca:
+ secretName: {{ include "ingress-nginx.fullname" . }}-root-cert
+{{- end }}
+---
+# generate a server certificate for the apiservices to use
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ include "ingress-nginx.fullname" . }}-admission
+ namespace: {{ .Release.Namespace }}
+spec:
+ secretName: {{ include "ingress-nginx.fullname" . }}-admission
+ duration: {{ .Values.controller.admissionWebhooks.certManager.admissionCert.duration | default "8760h0m0s" | quote }}
+ issuerRef:
+ {{- if .Values.controller.admissionWebhooks.certManager.issuerRef }}
+ {{- toYaml .Values.controller.admissionWebhooks.certManager.issuerRef | nindent 4 }}
+ {{- else }}
+ name: {{ include "ingress-nginx.fullname" . }}-root-issuer
+ {{- end }}
+ dnsNames:
+ - {{ include "ingress-nginx.controller.fullname" . }}-admission
+ - {{ include "ingress-nginx.controller.fullname" . }}-admission.{{ .Release.Namespace }}
+ - {{ include "ingress-nginx.controller.fullname" . }}-admission.{{ .Release.Namespace }}.svc
+ subject:
+ organizations:
+ - ingress-nginx-admission
+{{- end -}}
diff --git a/helm/nginx-ingress-controller-app/templates/admission-webhooks/job-patch/clusterrole.yaml b/helm/nginx-ingress-controller-app/templates/admission-webhooks/job-patch/clusterrole.yaml
index 5659a1f1..f9ec7097 100644
--- a/helm/nginx-ingress-controller-app/templates/admission-webhooks/job-patch/clusterrole.yaml
+++ b/helm/nginx-ingress-controller-app/templates/admission-webhooks/job-patch/clusterrole.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}}
+{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (not .Values.controller.admissionWebhooks.certManager.enabled) -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
diff --git a/helm/nginx-ingress-controller-app/templates/admission-webhooks/job-patch/clusterrolebinding.yaml b/helm/nginx-ingress-controller-app/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
index fe40bb13..87195326 100644
--- a/helm/nginx-ingress-controller-app/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
+++ b/helm/nginx-ingress-controller-app/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
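Review bot: Neither Certificate sets `privateKey.rotationPolicy`, so cert-manager's default of `Never` reuses the same private key on every renewal of the webhook serving cert and of the five-year root CA, and a key that leaks stays usable until the Certificate object is deleted rather than until the cert expires. Add `privateKey:` / `rotationPolicy: Always` to the `-admission` Certificate (and to `-root-cert`) so each renewal mints a fresh key; nothing else in the chart depends on the key staying stable. The file also deserves a header comment stating that rendering `cert-manager.io/v1` objects makes cert-manager (its CRDs plus a running cainjector) a hard prerequisite whenever `certManager.enabled` is true, and that a user-supplied `issuerRef` of kind `Issuer` must live in `.Release.Namespace`, because the Certificate is created there.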
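Review bot: The guard `and .enabled .patch.enabled (not .certManager.enabled)` is now copied verbatim into all seven `job-patch/` templates, so a later edit to the condition that misses one copy silently leaves a Job or RBAC object rendered in the wrong mode. A helper in `_helpers.tpl`, e.g. `{{- define "ingress-nginx.admissionWebhooks.patch.enabled" -}}` that prints `true` only when all three hold, would let every file read `{{- if include "ingress-nginx.admissionWebhooks.patch.enabled" . -}}`. The outcome itself is the right least-privilege one: the Job's ClusterRole (its rules are outside the hunk) is not created at all when cert-manager handles the certificate, instead of staying bound to an idle ServiceAccount.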
@@ -1,4 +1,4 @@
-{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}}
+{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (not .Values.controller.admissionWebhooks.certManager.enabled) -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
diff --git a/helm/nginx-ingress-controller-app/templates/admission-webhooks/job-patch/job-createSecret.yaml b/helm/nginx-ingress-controller-app/templates/admission-webhooks/job-patch/job-createSecret.yaml
index 4fad0a65..2e2eadf7 100644
--- a/helm/nginx-ingress-controller-app/templates/admission-webhooks/job-patch/job-createSecret.yaml
+++ b/helm/nginx-ingress-controller-app/templates/admission-webhooks/job-patch/job-createSecret.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}}
+{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (not .Values.controller.admissionWebhooks.certManager.enabled) -}}
 apiVersion: batch/v1
 kind: Job
 metadata:
diff --git a/helm/nginx-ingress-controller-app/templates/admission-webhooks/job-patch/job-patchWebhook.yaml b/helm/nginx-ingress-controller-app/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
index 8f736a83..790864ef 100644
--- a/helm/nginx-ingress-controller-app/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
+++ b/helm/nginx-ingress-controller-app/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}}
+{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (not .Values.controller.admissionWebhooks.certManager.enabled) -}}
 apiVersion: batch/v1
 kind: Job
 metadata:
diff --git a/helm/nginx-ingress-controller-app/templates/admission-webhooks/job-patch/role.yaml b/helm/nginx-ingress-controller-app/templates/admission-webhooks/job-patch/role.yaml
index 4b84d8de..ea7c2081 100644
--- a/helm/nginx-ingress-controller-app/templates/admission-webhooks/job-patch/role.yaml
+++ b/helm/nginx-ingress-controller-app/templates/admission-webhooks/job-patch/role.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}}
+{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (not .Values.controller.admissionWebhooks.certManager.enabled) -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
diff --git a/helm/nginx-ingress-controller-app/templates/admission-webhooks/job-patch/rolebinding.yaml b/helm/nginx-ingress-controller-app/templates/admission-webhooks/job-patch/rolebinding.yaml
index 698c5c86..60c3f4ff 100644
--- a/helm/nginx-ingress-controller-app/templates/admission-webhooks/job-patch/rolebinding.yaml
+++ b/helm/nginx-ingress-controller-app/templates/admission-webhooks/job-patch/rolebinding.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}}
+{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (not .Values.controller.admissionWebhooks.certManager.enabled) -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
diff --git a/helm/nginx-ingress-controller-app/templates/admission-webhooks/job-patch/serviceaccount.yaml b/helm/nginx-ingress-controller-app/templates/admission-webhooks/job-patch/serviceaccount.yaml
index eae47511..00be54ec 100644
--- a/helm/nginx-ingress-controller-app/templates/admission-webhooks/job-patch/serviceaccount.yaml
+++ b/helm/nginx-ingress-controller-app/templates/admission-webhooks/job-patch/serviceaccount.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}}
+{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (not .Values.controller.admissionWebhooks.certManager.enabled) -}}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
diff --git a/helm/nginx-ingress-controller-app/templates/admission-webhooks/validating-webhook.yaml b/helm/nginx-ingress-controller-app/templates/admission-webhooks/validating-webhook.yaml
index 8caffcb0..f27244dc 100644
--- a/helm/nginx-ingress-controller-app/templates/admission-webhooks/validating-webhook.yaml
+++ b/helm/nginx-ingress-controller-app/templates/admission-webhooks/validating-webhook.yaml
@@ -4,8 +4,13 @@
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
+ annotations:
+ {{- if .Values.controller.admissionWebhooks.certManager.enabled }}
+ certmanager.k8s.io/inject-ca-from: {{ printf "%s/%s-admission" .Release.Namespace (include "ingress-nginx.fullname" .) | quote }}
+ cert-manager.io/inject-ca-from: {{ printf "%s/%s-admission" .Release.Namespace (include "ingress-nginx.fullname" .) | quote }}
+ {{- end }}
 {{- if .Values.controller.admissionWebhooks.annotations }}
- annotations: {{ toYaml .Values.controller.admissionWebhooks.annotations | nindent 4 }}
+ {{- toYaml .Values.controller.admissionWebhooks.annotations | nindent 4 }}
 {{- end }}
 labels:
 {{- include "ingress-nginx.labels" . | nindent 4 }}
diff --git a/helm/nginx-ingress-controller-app/templates/controller-deployment.yaml b/helm/nginx-ingress-controller-app/templates/controller-deployment.yaml
index 824c65a0..577cfff6 100644
--- a/helm/nginx-ingress-controller-app/templates/controller-deployment.yaml
+++ b/helm/nginx-ingress-controller-app/templates/controller-deployment.yaml
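Review bot: `certmanager.k8s.io/inject-ca-from` is the legacy annotation name from cert-manager releases that predate the `cert-manager.io` API group; to my knowledge no release that serves the `cert-manager.io/v1` objects this chart now renders still honours it, so the line is dead weight and only `cert-manager.io/inject-ca-from` should stay. A comment beside the remaining annotation would help, because in this mode the webhook's `caBundle` is filled solely by cainjector (the patch Job is disabled) and until that write lands the API server cannot verify the webhook's TLS, so Ingress writes are rejected or waved through according to whatever `failurePolicy` the webhook declares outside the hunk. Minor: `annotations:` is now emitted unconditionally and renders as an empty (null) map when neither branch adds a key, which the API server accepts but reads cleaner behind `{{- if or .Values.controller.admissionWebhooks.certManager.enabled .Values.controller.admissionWebhooks.annotations }}`.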
@@ -210,4 +210,11 @@ spec:
 - name: webhook-cert
 secret:
 secretName: {{ include "ingress-nginx.fullname" . }}-admission
+ {{- if .Values.controller.admissionWebhooks.certManager.enabled }}
+ items:
+ - key: tls.crt
+ path: cert
+ - key: tls.key
+ path: key
+ {{- end }}
 {{- end }}
diff --git a/helm/nginx-ingress-controller-app/values.schema.json b/helm/nginx-ingress-controller-app/values.schema.json
index f5fcdf42..19a41ea9 100644
--- a/helm/nginx-ingress-controller-app/values.schema.json
+++ b/helm/nginx-ingress-controller-app/values.schema.json
@@ -37,6 +37,41 @@
 "annotations": {
 "type": "object"
 },
+ "certManager": {
+ "type": "object",
+ "properties": {
+ "admissionCert": {
+ "type": "object",
+ "properties": {
+ "duration": {
+ "type": "string"
+ }
+ }
+ },
+ "enabled": {
+ "type": "boolean"
+ },
+ "issuerRef": {
+ "type": "object",
+ "properties": {
+ "kind": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ }
+ }
+ },
+ "rootCert": {
+ "type": "object",
+ "properties": {
+ "duration": {
+ "type": "string"
+ }
+ }
+ }
+ }
+ },
 "certificate": {
 "type": "string"
 },
diff --git a/helm/nginx-ingress-controller-app/values.yaml b/helm/nginx-ingress-controller-app/values.yaml
index b58ae4f2..e08f4e8f 100644
--- a/helm/nginx-ingress-controller-app/values.yaml
+++ b/helm/nginx-ingress-controller-app/values.yaml
@@ -571,6 +571,18 @@ controller: runAsUser: 2000 fsGroup: 2000 + # Use certmanager to generate webhook certs + certManager: + enabled: false + # self-signed root certificate + rootCert: + duration: "" # default to be 5y + admissionCert: + duration: "" # default to be 1y + # issuerRef: + # name: "issuer" + # kind: "ClusterIssuer" + # controller.updateIngressStatus # Enables updating of the loadbalancer status of Ingress objects which this controller is reconciling. Unless you are # managing DNS for ingresses via an external method, this should always be left enabled.
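Review bot: The `items` remap needs a why-comment: cert-manager stores the pair under `tls.crt`/`tls.key`, whereas the pre-existing mount evidently expects files named `cert` and `key`, and nothing in the template says so, so a reader may "simplify" the block away and break the webhook. Suggest, above `items:`, `# cert-manager writes tls.crt/tls.key; remap to the cert/key file names the container reads (same layout as the job-created secret)`. Projecting only those two keys also keeps `ca.crt` out of the container, which is fine because the CA reaches the API server through cainjector, not through the controller; the closing `{{- end }}` belongs to a condition that begins outside the hunk.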
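Review bot: The `issuerRef` schema lists only `kind` and `name`, but the template copies the object into the Certificate via `toYaml` and cert-manager's `issuerRef` also takes `group` (needed for external issuers); add `"group": { "type": "string" }` so the documented shape matches what the template accepts. Without `additionalProperties: false` the object accepts any key anyway, so today the schema neither rejects a typo such as `Kind` nor protects anything; decide which of the two it is meant to do. The `duration` strings could likewise carry a `pattern` for the Go duration syntax the template defaults to (`"8760h0m0s"`), so a value like `1y` fails at install time rather than inside cert-manager.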
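Review bot: The nesting of the new `certManager` block cannot be recovered from this view; the templates read `.Values.controller.admissionWebhooks.certManager.*`, so it must sit directly under `admissionWebhooks`, not under the `patch` block whose `runAsUser`/`fsGroup` it follows — please confirm. The comments should also state the expected format of the `duration` values (Go duration strings such as `"8760h0m0s"`, matching the template defaults) and that an `issuerRef` of kind `Issuer` has to exist in the release namespace, while a `ClusterIssuer` does not. Minor: the project is spelled `cert-manager`, so `# Use cert-manager to generate webhook certs`.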