Kubernetes: properly reuse tls certificates ⚠️ (#1234)

* Kubernetes: properly reuse tls certificates

Traefik does not properly work when ingress'es in multiple namespaces use the same tls
certificate. See more in
traefik/traefik#12116. This works around the
problem by manually defining certificates and uploading them to
TLSStore. Ingress'es use TLSStore under the hood.

Implementation detail:
1) we generate certificates by explicitly defining certificate resource
   in cert-manager
2) we copy generated secrets (containing certitificates) to traefik
   namespace via reflector
3) traefik explicitly defines TLSStore that references secrets
   (containing certificates)

Bonus:
- Add HELMFILE_EXTRA_ARGS variable to Makefile to pass options to
  helmfile CLI if necessary

Related issue/s
- closes #1228

Related PR/s
- configuration ...

* traefik: delete ingress tls config

* Update certificate values

* Customize reflector chart & polish certs template

* Merge traefik values + explicit cert dates

Author: YuryHrytsuk

charts/Makefile

@@ -4,9 +4,16 @@ REPO_BASE_DIR := $(shell git rev-parse --show-toplevel)
 include ${REPO_BASE_DIR}/scripts/common.Makefile
 include $(REPO_CONFIG_LOCATION)
 
+#
+# Vars
+#
+
 export CONFIG_DIR := $(shell dirname $(REPO_CONFIG_LOCATION))
 CHART_DIRS := $(wildcard $(REPO_BASE_DIR)/charts/*/)
 
+HELMFILE_EXTRA_ARGS ?=
+HELMFILE := helmfile $(HELMFILE_EXTRA_ARGS)
+
 .PHONY: .check-helmfile-installed
 .check-helmfile-installed: ## Checks if helmfile is installed
 	@if ! command -v helmfile >/dev/null 2>&1; then \
@@ -22,27 +29,27 @@ simcore-charts/helmfile.yaml: ## Copies the simcore helmfile to the charts direc
 .PHONY: helmfile-lint
 helmfile-lint: .check-helmfile-installed helmfile.yaml ## Lints the helmfile
 	set -a; source $(REPO_CONFIG_LOCATION); set +a; \
-	helmfile lint
+	$(HELMFILE) lint
 
 .PHONY: helmfile-apply
 helmfile-apply: .check-helmfile-installed helmfile.yaml ## Applies the helmfile configuration
 	set -a; source $(REPO_CONFIG_LOCATION); set +a; \
-	helmfile -f $(REPO_BASE_DIR)/charts/helmfile.yaml apply
+	$(HELMFILE) -f $(REPO_BASE_DIR)/charts/helmfile.yaml apply
 
 .PHONY: helmfile-sync
 helmfile-sync: .check-helmfile-installed helmfile.yaml ## Syncs the helmfile configuration (use `helmfile-apply` to deploy the app)
 	set -a; source $(REPO_CONFIG_LOCATION); set +a; \
-	helmfile -f $(REPO_BASE_DIR)/charts/helmfile.yaml sync
+	$(HELMFILE) -f $(REPO_BASE_DIR)/charts/helmfile.yaml sync
 
 .PHONY: helmfile-diff
 helmfile-diff: .check-helmfile-installed helmfile.yaml ## Shows the differences that would be applied by helmfile
 	@set -a; source $(REPO_CONFIG_LOCATION); set +a; \
-	helmfile -f $(REPO_BASE_DIR)/charts/helmfile.yaml diff
+	$(HELMFILE) -f $(REPO_BASE_DIR)/charts/helmfile.yaml diff
 
 .PHONY: helmfile-delete
 helmfile-delete: .check-helmfile-installed helmfile.yaml ## Deletes the helmfile configuration
 	@set -a; source $(REPO_CONFIG_LOCATION); set +a; \
-	helmfile -f $(REPO_BASE_DIR)/charts/helmfile.yaml delete
+	$(HELMFILE) -f $(REPO_BASE_DIR)/charts/helmfile.yaml delete
 
 .PHONY: up
 up: helmfile-apply ## Start the stack

charts/adminer/values.yaml.gotmpl

@@ -52,12 +52,8 @@ ingress:
   className: ""
   annotations:
     namespace: {{ .Release.Namespace }}
-    cert-manager.io/cluster-issuer: "cert-issuer"
+    traefik.ingress.kubernetes.io/router.tls: "true"
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
-  tls:
-    - hosts:
-        - {{ requiredEnv "K8S_MONITORING_FQDN" }}
-      secretName: monitoring-tls
   hosts:
     - host: {{ requiredEnv "K8S_MONITORING_FQDN" }}
       paths:

charts/cert-manager/README.md

@@ -3,3 +3,9 @@
 Read more https://cert-manager.io/docs/installation/best-practice/#network-requirements
 
 Be aware that this might have an affect on cert manager webhook application that is called during installation of the cert manager helm chart. If network policy is misconfigured, this will affect installation (e.g. `certissuers` might be missing as they are installed via helm hooks that apparently require cert manager webhook to be reachable)
+
+## Extract certificate from secret
+
+```bash
+kubectl -n <namespace> get secret <secret-tls> -o jsonpath="{.data['tls\.crt']}" | base64 -d | openssl x509 -text -noout | head
+```

charts/cert-manager/templates/certificates.yaml

@@ -0,0 +1,25 @@
+{{- range .Values.certificates -}}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ .certName }}
+spec:
+  # https://github.com/emberstack/kubernetes-reflector?tab=readme-ov-file#cert-manager-support
+  secretTemplate:
+    annotations:
+      reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
+      reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "traefik"
+      reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
+      reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "traefik"
+  duration: 2160h # 90 days
+  renewBefore: 720h # 30 days
+  secretName: {{ .secretName }}
+  dnsNames:
+{{- range .dnsNames }}
+    - "{{ . }}"
+{{- end }}
+  issuerRef:
+    name: cert-issuer
+    kind: ClusterIssuer
+---
+{{- end -}}

charts/cert-manager/values.common.yaml.gotmpl

@@ -1,3 +1,9 @@
+certificates:
+  - certName: {{ requiredEnv "MACHINE_FQDN" | replace "." "-" }}
+    secretName: {{ requiredEnv "MACHINE_FQDN" | replace "." "-" }}-tls
+    dnsNames:
+      - {{ requiredEnv "K8S_MONITORING_FQDN" }}
+
 cert-manager:
   crds:
     enabled: true

charts/cert-manager/values.selfsigned.yaml.gotmpl

@@ -23,12 +23,6 @@ cert-manager:
         "helm.sh/hook": post-install,post-upgrade
         "helm.sh/hook-weight": "1"
     spec:
-      secretTemplate:
-        annotations:
-          reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
-          reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: ""  # Control destination namespaces: emptystring means all
-          reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true" # Auto create reflection for matching namespaces
-          reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "" # Control auto-reflection namespaces
       isCA: true
       commonName: local-ca
       subject:

charts/longhorn/values.yaml.gotmpl

@@ -58,11 +58,9 @@ ingress:
     className: ""
     annotations:
       namespace: {{ .Release.Namespace }}
-      cert-manager.io/cluster-issuer: "cert-issuer"
+      traefik.ingress.kubernetes.io/router.tls: "true"
       traefik.ingress.kubernetes.io/router.entrypoints: websecure
       traefik.ingress.kubernetes.io/router.middlewares: traefik-traefik-basic-auth@kubernetescrd,traefik-longhorn-strip-prefix@kubernetescrd  # namespace + middleware name
-    tls: true
-    tlsSecret: monitoring-tls
     host: {{ requiredEnv "K8S_MONITORING_FQDN" }}
     path: /longhorn
     pathType: Prefix

charts/portainer/values.yaml.gotmpl

@@ -41,13 +41,9 @@ portainer:
     className: ""
     annotations:
       namespace: {{ .Release.Namespace }}
-      cert-manager.io/cluster-issuer: "cert-issuer"
+      traefik.ingress.kubernetes.io/router.tls: "true"
       traefik.ingress.kubernetes.io/router.entrypoints: websecure
       traefik.ingress.kubernetes.io/router.middlewares: traefik-traefik-basic-auth@kubernetescrd,traefik-portainer-strip-prefix@kubernetescrd  # namespace + middleware name
-    tls:
-      - hosts:
-          - {{ requiredEnv "K8S_MONITORING_FQDN" }}
-        secretName: monitoring-tls
     hosts:
       - host: {{ requiredEnv "K8S_MONITORING_FQDN" }}
         paths:

charts/reflector/namespace.yaml

@@ -0,0 +1,15 @@
+# namespace with defined pod security standard
+# inspired from https://aro-labs.com/pod-security-standards/
+# official doc: https://kubernetes.io/docs/concepts/security/pod-security-standards/
+#
+# Warning: if pod / container does not meet enforced standards, it will not be deployed (silently)
+# execute `kubectl -n <namespace> events` to see errors (e.g.)
+#   Error creating: pods "xyz" is forbidden: violates PodSecurity "baseline:latest": privileged
+#   container "xyz" must not set securityContext.privileged to true
+#
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: reflector
+  labels:
+    pod-security.kubernetes.io/enforce: baseline

charts/reflector/values.yaml.gotmpl

@@ -0,0 +1,4 @@
+configuration:
+  watcher:
+    # https://github.com/emberstack/kubernetes-reflector/issues/560#issuecomment-3415122791
+    timeout: 30  # seconds