feat(shield): add support to cert-manager on cluster-shield

francesco-furlan · francesco-furlan · commit a6d8e0429653 · 2025-10-20T09:09:29.000+02:00
diff --git a/charts/shield/templates/cluster/_tls.tpl b/charts/shield/templates/cluster/_tls.tpl
@@ -11,6 +11,8 @@
 {{- define "cluster.tls_certificates.secret_name" -}}
   {{- if .Values.cluster.tls_certificates.create -}}
     {{- include "cluster.fullname" . }}-tls-certificates
+  {{- else if (include "cluster.tls_certificates.use_cert_manager" .) -}}
+    {{- include "cluster.tls_certificates.cm_certificate_name" . -}}
   {{- else if .Values.cluster.tls_certificates.secret_name -}}
     {{- .Values.cluster.tls_certificates.secret_name -}}
   {{- else -}}
@@ -47,3 +49,112 @@
   {{- end -}}
   {{- $dnsNames | toYaml  -}}
 {{- end }}
+
+{{- define "cluster.tls_certificates.check_conflicts" -}}
+  {{- if and .Values.cluster.tls_certificates.create .Values.cluster.tls_certificates.cert_manager.enabled -}}
+    {{- fail "Cannot specify both tls_certificates.create and tls_certificates.cert_manager.enabled" -}}
+  {{- end -}}
+  {{- if and (not (quote .Values.cluster.tls_certificates.secret_name | empty)) .Values.cluster.tls_certificates.cert_manager.enabled -}}
+    {{- fail "Cannot specify both tls_certificates.cert_manager.enabled and tls_certificates.secret_name" -}}
+  {{- end -}}
+{{- end }}
+
+{{- define "cluster.tls_certificates.use_cert_manager" -}}
+  {{- if and .Values.cluster.tls_certificates.cert_manager .Values.cluster.tls_certificates.cert_manager.enabled -}}
+    {{- if and (not .Values.cluster.tls_certificates.cert_manager.ca.generate) (not .Values.cluster.tls_certificates.cert_manager.ca.secret_name) -}}
+      {{- fail "cert_manager.ca.secret_name must be specified when CA generation is disabled" -}}
+    {{- end -}}
+    {{- if and (not .Values.cluster.tls_certificates.cert_manager.issuer.generate) (not .Values.cluster.tls_certificates.cert_manager.issuer.name) -}}
+      {{- fail "cert_manager.issuer.name must be specified when Issuer generation is disabled" -}}
+    {{- end -}}
+    {{- true -}}
+  {{- end -}}
+{{- end }}
+
+{{- define "cluster.tls_certificates.cm_certificate_name" -}}
+  {{- printf "%s-cm-tls" ((include "cluster.fullname" .) | trimSuffix "-" | trunc 57) -}}
+{{- end }}
+
+{{- define "cluster.tls_certificates.cm_ca_secret_name" -}}
+  {{- if .Values.cluster.tls_certificates.cert_manager.ca.generate -}}
+    {{- printf "%s-cm-ca" ((include "cluster.fullname" .) | trimSuffix "-" | trunc 58) -}}
+  {{- else -}}
+    {{- .Values.cluster.tls_certificates.cert_manager.ca.secret_name -}}
+  {{- end -}}
+{{- end }}
+
+{{- define "cluster.tls_certificates.cm_generate_ca" -}}
+  {{- if and (include "cluster.tls_certificates.use_cert_manager" .) (.Values.cluster.tls_certificates.cert_manager.ca.generate) -}}
+    {{- true -}}
+  {{- end -}}
+{{- end }}
+
+{{- define "cluster.tls_certificates.cm_generate_issuer" -}}
+  {{- if and (include "cluster.tls_certificates.use_cert_manager" .) (.Values.cluster.tls_certificates.cert_manager.issuer.generate) -}}
+    {{- true -}}
+  {{- end -}}
+{{- end }}
+
+{{- define "cluster.tls_certificates.cm_issuer_name" -}}
+  {{- if .Values.cluster.tls_certificates.cert_manager.issuer.generate -}}
+    {{- printf "%s-cm-self-issuer" ((include "cluster.fullname" .) | trimSuffix "-" | trunc 49) -}}
+  {{- else -}}
+    {{- .Values.cluster.tls_certificates.cert_manager.issuer.name -}}
+  {{- end -}}
+{{- end }}
+
+{{- define "cluster.tls_certificates.cm_issuer_namespace" -}}
+  {{- if .Values.cluster.tls_certificates.cert_manager.issuer.generate -}}
+    {{- if and (not .Values.cluster.tls_certificates.cert_manager.ca.generate) (not (empty .Values.cluster.tls_certificates.cert_manager.ca.secret_namespace)) -}}
+      {{- .Values.cluster.tls_certificates.cert_manager.ca.secret_namespace -}}
+    {{- else -}}
+      {{- .Release.Namespace -}}
+    {{- end -}}
+  {{- else -}}
+    {{- .Release.Namespace -}}
+  {{- end -}}
+{{- end }}
+
+{{- define "cluster.tls_certificates.cm_self_ca_cert_name" -}}
+  {{- printf "%s-cm-self-ca" ((include "cluster.fullname" .) | trimSuffix "-" | trunc 53) -}}
+{{- end }}
+
+{{- define "cluster.tls_certificates.cm_issuer_kind" -}}
+  {{- if .Values.cluster.tls_certificates.cert_manager.issuer.generate -}}
+    {{- if and (not .Values.cluster.tls_certificates.cert_manager.ca.generate) (not (empty .Values.cluster.tls_certificates.cert_manager.ca.secret_namespace)) -}}
+      {{- "ClusterIssuer" -}}
+    {{- else -}}
+      {{- "Issuer" -}}
+    {{- end -}}
+  {{- else -}}
+    {{- .Values.cluster.tls_certificates.cert_manager.issuer.kind -}}
+  {{- end -}}
+{{- end }}
+
+{{- define "cluster.tls_certificates.cm_issuer_group" -}}
+  {{- if .Values.cluster.tls_certificates.cert_manager.issuer.generate -}}
+    {{- "cert-manager.io" -}}
+  {{- else -}}
+    {{- .Values.cluster.tls_certificates.cert_manager.issuer.group -}}
+  {{- end -}}
+{{- end }}
+
+{{/*
+If we are generating the Issuer we are going to use the CA secret for the inject-ca annotation,
+because the Issuer maybe not ready yet.
+*/}}
+{{- define "cluster.tls_certificates.cm_use_ca_secret" -}}
+  {{- if (include "cluster.tls_certificates.cm_generate_issuer" .) -}}
+    {{- true -}}
+  {{- end -}}
+{{- end }}
+
+{{- define "cluster.tls_certificates.cm_ca_secret_template" -}}
+  {{- $tmpl := .Values.cluster.tls_certificates.cert_manager.ca.secret_template -}}
+  {{- $injectAnnotation := "cert-manager.io/allow-direct-injection" -}}
+  {{- if and (include "cluster.tls_certificates.cm_generate_ca" .) (include "cluster.tls_certificates.cm_generate_issuer" .) -}}
+    {{- $currentAnnotations := $tmpl.annotations | default (dict) -}}
+    {{- $_ := set $tmpl "annotations" (merge $currentAnnotations (dict $injectAnnotation "true")) -}}
+  {{- end -}}
+  {{- $tmpl | toYaml -}}
+{{- end }}
diff --git a/charts/shield/templates/cluster/cert-manager-certificate.yaml b/charts/shield/templates/cluster/cert-manager-certificate.yaml
@@ -0,0 +1,34 @@
+{{- if (include "cluster.tls_certificates.use_cert_manager" .) }}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ include "cluster.tls_certificates.cm_certificate_name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "cluster.labels" . | nindent 4 }}
+spec:
+  secretName: {{ include "cluster.tls_certificates.cm_certificate_name" . }}
+  privateKey:
+    algorithm: RSA
+    encoding: PKCS1
+    size: 2048
+  issuerRef:
+    name: {{ include "cluster.tls_certificates.cm_issuer_name" . }}
+    kind: {{ include "cluster.tls_certificates.cm_issuer_kind" . }}
+    group: {{ include "cluster.tls_certificates.cm_issuer_group" . }}
+  duration: {{ .Values.cluster.tls_certificates.cert_manager.duration }}
+  renewBefore: {{ .Values.cluster.tls_certificates.cert_manager.renew_before }}
+  subject:
+    organizations:
+      - "Sysdig, Inc."
+  isCA: false
+  usages:
+    - server auth
+    - client auth
+  commonName: {{ include "cluster.fullname" . }}
+  dnsNames:
+    {{- include "cluster.tls_certificates.dns_names" . | nindent 4 }}
+  ipAddresses:
+    - "127.0.0.1"
+{{- end }}
diff --git a/charts/shield/templates/cluster/cert-manager-self-generate.yaml b/charts/shield/templates/cluster/cert-manager-self-generate.yaml
@@ -0,0 +1,49 @@
+{{- if and (include "cluster.tls_certificates.cm_generate_ca" .) (include "cluster.tls_certificates.cm_generate_issuer" .) }}
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ include "cluster.tls_certificates.cm_self_ca_cert_name" . }}
+  namespace: {{ include "cluster.tls_certificates.cm_issuer_namespace" . }}
+  labels:
+    {{- include "cluster.labels" . | nindent 4 }}
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ include "cluster.tls_certificates.cm_self_ca_cert_name" . }}
+  namespace: {{ include "cluster.tls_certificates.cm_issuer_namespace" . }}
+  labels:
+    {{- include "cluster.labels" . | nindent 4 }}
+spec:
+  isCA: true
+  commonName: {{ include "cluster.fullname" . }}
+  secretName: {{ include "cluster.tls_certificates.cm_ca_secret_name" . }}
+  secretTemplate:
+    {{- (include "cluster.tls_certificates.cm_ca_secret_template" .) | nindent 4 }}
+  privateKey:
+    algorithm: RSA
+    size: 2048
+  duration: 43800h0m0s     # 5 years
+  renewBefore: 14600h0m0s  # 1.6 year, 1/3rd of the duration
+  issuerRef:
+    name: {{ include "cluster.tls_certificates.cm_self_ca_cert_name" . }}
+    kind: Issuer
+    group: cert-manager.io
+{{- end }}
+{{- if (include "cluster.tls_certificates.cm_generate_issuer" .) }}
+---
+apiVersion: cert-manager.io/v1
+kind: {{ include "cluster.tls_certificates.cm_issuer_kind" . }}
+metadata:
+  name: {{ include "cluster.tls_certificates.cm_issuer_name" . }}
+  {{- if eq (include "cluster.tls_certificates.cm_issuer_kind" .) "Issuer" }}
+  namespace: {{ include "cluster.tls_certificates.cm_issuer_namespace" . }}
+  {{- end }}
+  labels:
+    {{- include "cluster.labels" . | nindent 4 }}
+spec:
+  ca:
+    secretName: {{ include "cluster.tls_certificates.cm_ca_secret_name" . }}
+{{- end }}
diff --git a/charts/shield/templates/cluster/tls-certificates-admissionregistration.yaml b/charts/shield/templates/cluster/tls-certificates-admissionregistration.yaml
@@ -1,5 +1,7 @@
 {{- if (include "cluster.tls_certificates.required" .) }}
+{{- include "cluster.tls_certificates.check_conflicts" . -}}
 {{- $cert := dict -}}
+{{- if not (include "cluster.tls_certificates.use_cert_manager" .) }}
 {{- $existingTlsCertificatesSecret := lookup "v1" "Secret" .Release.Namespace (include "cluster.tls_certificates.secret_name" .) -}}
 {{- if $existingTlsCertificatesSecret -}}
   {{- $_ := set $cert "Cert" (index $existingTlsCertificatesSecret.data (include "cluster.tls_certificates.cert_file_name" .)) -}}
@@ -18,6 +20,7 @@
   {{- $_ := set $cert "Key" ($tlsCert.Key | b64enc) -}}
   {{- $_ := set $cert "CACert" ($ca.Cert | b64enc) -}}
 {{- end -}}
+{{- end -}}
 {{- if .Values.cluster.tls_certificates.create }}
 ---
 apiVersion: v1
@@ -40,6 +43,14 @@ metadata:
   name: {{ include "cluster.audit_webhook_name" . }}
   labels:
     {{- include "cluster.labels" . | nindent 4 }}
+  {{- if (include "cluster.tls_certificates.use_cert_manager" .) }}
+  annotations:
+    {{- if (include "cluster.tls_certificates.cm_use_ca_secret" .) }}
+    cert-manager.io/inject-ca-from-secret: {{ include "cluster.tls_certificates.cm_issuer_namespace" . }}/{{ include "cluster.tls_certificates.cm_ca_secret_name" . }}
+    {{- else }}
+    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "cluster.tls_certificates.cm_certificate_name" . }}
+    {{- end }}
+  {{- end }}
 webhooks:
   - name: audit.secure.sysdig.com
     {{ with .Values.features.detections.kubernetes_audit.excluded_namespaces }}
@@ -63,7 +74,9 @@ webhooks:
         name: {{ include "cluster.service_name" . }}
         path: /k8s-audit
         port: {{ include "cluster.audit_service_port" . }}
+      {{- if not (include "cluster.tls_certificates.use_cert_manager" .) }}
       caBundle: {{ $cert.CACert }}
+      {{- end }}
     admissionReviewVersions: ["v1", "v1beta1"]
     sideEffects: None
     timeoutSeconds: {{ .Values.features.detections.kubernetes_audit.timeout }}
@@ -77,6 +90,14 @@ metadata:
   name: {{ include "cluster.admission_control_webhook_name" . }}
   labels:
     {{- include "cluster.labels" . | nindent 4 }}
+  {{- if (include "cluster.tls_certificates.use_cert_manager" .) }}
+  annotations:
+    {{- if (include "cluster.tls_certificates.cm_use_ca_secret" .) }}
+    cert-manager.io/inject-ca-from-secret: {{ include "cluster.tls_certificates.cm_issuer_namespace" . }}/{{ include "cluster.tls_certificates.cm_ca_secret_name" . }}
+    {{- else }}
+    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "cluster.tls_certificates.cm_certificate_name" . }}
+    {{- end }}
+  {{- end }}
 webhooks:
   - name: vac.secure.sysdig.com
     namespaceSelector:
@@ -112,7 +133,9 @@ webhooks:
         name: {{ include "cluster.service_name" . }}
         path: /validate
         port: {{ include "cluster.admission_control_service_port" . }}
+      {{- if not (include "cluster.tls_certificates.use_cert_manager" .) }}
       caBundle: {{ $cert.CACert }}
+      {{- end }}
     admissionReviewVersions: ["v1", "v1beta1"]
     sideEffects: None
     timeoutSeconds: {{ .Values.features.admission_control.timeout }}
diff --git a/charts/shield/values.yaml b/charts/shield/values.yaml
@@ -440,6 +440,33 @@ cluster:
     create: true
     # The name of the secret that contains the TLS certificates
     secret_name:
+    cert_manager:
+      # Enable cert-manager for certificate management
+      enabled: false
+      ca:
+        # Generate the CA certificate using cert-manager
+        generate: false
+        # The template for the CA certificate secret (if generate is true)
+        # will automatically add the annotation `cert-manager.io/allow-direct-injection: "true"` if not present
+        secret_template: {}
+        # The name of the existing CA certificate secret (if generate is false)
+        # has to be annotated with `cert-manager.io/allow-direct-injection: "true"`
+        secret_name: ""
+        # The namespace of the existing CA certificate secret (if generate is false)
+        secret_namespace: ""
+      issuer:
+        # Generate the Issuer instead of using an existing one
+        generate: false
+        # The name of the existing issuer
+        name: ""
+        # The kind of the existing issuer (Issuer, ClusterIssuer)
+        kind: Issuer
+        # The group of the existing issuer
+        group: cert-manager.io
+      # Certificate duration (default: 30 days)
+      duration: "720h"
+      # How long before expiry to renew (default: 15 days)
+      renew_before: "360h"
   resources:
     requests:
       # The CPU request for the cluster shield
