Merge pull request #59 from jetstack/10-custom-ca

Enable custom CA certificates for kube-oidc-proxy tutorial

Author: jetstack-bot

demo/Makefile

@@ -5,6 +5,8 @@ CLOUD  ?= google
 KUBECONFIG := $(CURDIR)/.kubeconfig-$(CLOUD)
 
 GOOGLE_PROJECT := $(shell gcloud config get-value core/project)
+CA_CRT_FILE ?= /dev/null
+CA_KEY_FILE ?= /dev/null
 
 EXT_VARS := --tla-str cloud=$(CLOUD)
 
@@ -33,6 +35,8 @@ help:  ## Display this help
 terraform_apply: ## Applies terraform infrastructure
 	echo '' > infrastructure/$(CLOUD)/terraform.tfvars
 	echo 'google_project = "$(GOOGLE_PROJECT)"' > infrastructure/$(CLOUD)/terraform.tfvars
+	echo 'ca_crt_file = "$(CA_CRT_FILE)"' >> infrastructure/$(CLOUD)/terraform.tfvars
+	echo 'ca_key_file = "$(CA_KEY_FILE)"' >> infrastructure/$(CLOUD)/terraform.tfvars
 	cd infrastructure/$(CLOUD) && terraform init && terraform apply
 	cd infrastructure/$(CLOUD) && terraform output config > ../../manifests/$(CLOUD)-config.json
 	$(shell cd infrastructure/$(CLOUD) && terraform output kubeconfig_command)

demo/README.md

@@ -83,6 +83,13 @@ records for DNS challenges and OIDC secrets for all clusters. It should
 generate a JSON configuration file for each cluster in
 `./manifests/[google|amazon|digitalocean]-config.json` respectively.
 
+If you wish to use a custom CA to sign certificates for the `kube-oidc-proxy`
+then this is possible by setting the environment variables `CA_CRT_FILE` and
+`CA_KEY_FILE` to the full file path of the CA certificate and private key
+respectively. After a terraform apply, these will be stored in the terraform
+state and will eventually be uploaded to Kubernetes as a Secret. Cert-manager
+will then issue the kube-oidc-proxy with a signed certificate from this CA.
+
 ## Configuration
 
 Copy `config.dist.jsonnet` to `config.jsonnet`. This file will hold

demo/infrastructure/google/dns.tf

@@ -1,4 +1,7 @@
 module "dns" {
   source = "../modules/google-dns"
   suffix = "${random_id.suffix.hex}"
+
+  ca_crt_file = "${var.ca_crt_file}"
+  ca_key_file = "${var.ca_key_file}"
 }

demo/infrastructure/google/providers.tf

@@ -8,6 +8,9 @@ variable "google_zone" {
 
 variable "google_project" {}
 
+variable "ca_crt_file" {}
+variable "ca_key_file" {}
+
 provider "google" {
   region      = "${var.google_region}"
   credentials = "${file("~/.config/gcloud/terraform-admin.json")}"

demo/infrastructure/modules/google-dns/dns.tf

@@ -1,5 +1,8 @@
 variable "suffix" {}
 
+variable "ca_crt_file" {}
+variable "ca_key_file" {}
+
 resource "google_service_account" "external_dns" {
   account_id   = "external-dns-${var.suffix}"
   display_name = "External DNS/Cert Manager service account for GKE cluster cluster-${var.suffix}"
@@ -15,10 +18,21 @@ resource "google_service_account_key" "external_dns" {
   service_account_id = "${google_service_account.external_dns.account_id}"
 }
 
+data "local_file" "ca_crt" {
+    filename = "${var.ca_crt_file}"
+}
+
+data "local_file" "ca_key" {
+    filename = "${var.ca_key_file}"
+}
+
 output "config" {
   value = {
     service_account_credentials = "${base64decode(google_service_account_key.external_dns.private_key)}"
-    project                     = "${google_service_account.external_dns.project}"
-    provider                    = "google"
+
+    project  = "${google_service_account.external_dns.project}"
+    provider = "google"
+    ca_crt   = "${data.local_file.ca_crt.content}"
+    ca_key   = "${data.local_file.ca_key.content}"
   }
 }

demo/manifests/components/cert-manager.jsonnet

@@ -3,9 +3,28 @@ local kube = import '../vendor/kube-prod-runtime/lib/kube.libsonnet';
 
 local CERT_MANAGER_IMAGE = '';
 
+local add_acme_spec(issuer, obj) =
+  if std.objectHas(issuer.spec, 'acme') then
+    obj {
+      spec+: {
+        acme: {
+          config: [{
+            dns01: {
+              provider: issuer.spec.acme.dns01.providers[0].name,
+            },
+            domains: obj.spec.dnsNames,
+          }],
+        },
+      },
+    }
+  else
+    obj;
+
 upstream_cert_manager {
+  ca_secret_name:: 'ca-key-pair',
+
   // create simple to use certificate resource
-  Certificate(namespace, name, issuer, domains):: kube._Object($.certCRD.spec.group + '/' + $.certCRD.spec.version, $.certCRD.spec.names.kind, name) + {
+  Certificate(namespace, name, issuer, domains):: add_acme_spec(issuer, kube._Object($.certCRD.spec.group + '/' + $.certCRD.spec.version, $.certCRD.spec.names.kind, name) + {
     metadata+: {
       namespace: namespace,
       name: name,
@@ -17,18 +36,8 @@ upstream_cert_manager {
         name: issuer.metadata.name,
         kind: issuer.kind,
       },
-      acme: {
-        config: [
-          {
-            dns01: {
-              provider: issuer.spec.acme.dns01.providers[0].name,
-            },
-            domains: domains,
-          },
-        ],
-      },
     },
-  },
+  }),
 
   // TODO: use upstream images for cert-manager
 }

demo/manifests/main.jsonnet

@@ -48,6 +48,24 @@ local IngressRouteTLSPassthrough(namespace, name, domain, serviceName, servicePo
   },
 };
 
+local apply_ca_issuer(ca_crt, ca_key, obj) =
+  if ca_crt != '' && ca_key != '' then
+    {
+      issuer: obj,
+      secret: kube.Secret(obj.spec.ca.secretName) + cert_manager.metadata {
+        metadata+: {
+          namespace: 'kube-system',
+        },
+
+        data_+: {
+          'tls.crt': ca_crt,
+          'tls.key': ca_key,
+        },
+      },
+    }
+  else
+    {};
+
 {
 
   cloud:: 'google',
@@ -89,6 +107,9 @@ local IngressRouteTLSPassthrough(namespace, name, domain, serviceName, servicePo
   ns: kube.Namespace($.namespace),
 
 
+  ca_crt:: $.config.cert_manager.ca_crt,
+  ca_key:: $.config.cert_manager.ca_key,
+
   cert_manager: cert_manager {
     google_secret: kube.Secret($.cert_manager.p + 'clouddns-google-credentials') + $.cert_manager.metadata {
       data_+: {
@@ -103,6 +124,15 @@ local IngressRouteTLSPassthrough(namespace, name, domain, serviceName, servicePo
     },
     letsencrypt_environment:: 'prod',
 
+    ca_issuer: apply_ca_issuer($.ca_crt, $.ca_key, $.cert_manager.ClusterIssuer($.p + 'ca-issuer') {
+      local this = self,
+      spec+: {
+        ca+: {
+          secretName: $.cert_manager.ca_secret_name,
+        },
+      },
+    }),
+
     letsencryptStaging+: {
       spec+: {
         acme+: {
@@ -340,7 +370,7 @@ local IngressRouteTLSPassthrough(namespace, name, domain, serviceName, servicePo
     certificate: cert_manager.Certificate(
       $.namespace,
       this.name,
-      $.cert_manager.letsencryptProd,
+      if $.ca_crt != '' && $.ca_key != '' then $.cert_manager.ca_issuer.issuer else $.cert_manager.letsencryptProd,
       [this.domain]
     ),
     ingressRoute: IngressRouteTLSPassthrough($.namespace, this.name, this.domain, this.name, 443),