cert-manager URL validation fix / EAB enabled #1278

Open: wants to merge 4 commits into base: master
9 changes: 8 additions & 1 deletion acre.yaml
Expand Up @@ -798,10 +798,17 @@ validation:
- url
- - or
- ["valueset", ["self-signed", "staging", "live"]]
- dnsdomain
- ["match", '(https:\/\/)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*(\/[a-zA-Z0-9]+)*(\/)?']
- - optionalfield
- ca
- ["and", [(( cert-manager_validators.selfsigned )), (( landscape.cert-manager.server.url ))], [(( cert-manager_validators.acme )), (( landscape.cert-manager.server.url ))]]
- - optionalfield
- eab
- - and
- - mapfield
- keyID
- - mapfield
- keySecret
- - optionalfield
- privateKey
- privatekey
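Review bot: the path part of the new `match` pattern, `(\/[a-zA-Z0-9]+)*`, admits only alphanumerics per segment, so an ACME directory URL whose path contains `-`, `_` or `.` is rejected although such paths are legal; `(\/[-a-zA-Z0-9._~]+)*` would cover them. Also confirm that the `match` validator anchors the pattern to the whole value; if it is a substring match, a value with a stray prefix would still pass. The leading `(https:\/\/)?` being optional while `http://` is not matched is the right outcome for an ACME endpoint, and the `eab` block correctly requires `keyID` and `keySecret` together.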
23 changes: 23 additions & 0 deletions components/cert-manager/controller/deployment.yaml
Expand Up @@ -8,6 +8,7 @@ settings:
self-signed: (( .caSpec.url == "self-signed" ))
issuerName: (( .settings.self-signed ? "ca-issuer" :"acme-issuer" ))
issuerPrivateKey: (( .settings.self-signed -or (! valid( .landscape.cert-manager.privateKey ) ) ? ~ :.landscape.cert-manager.privateKey ))
issuerEABSecretName: "acme-issuer-eab"
caSecret: "self-signed-ca"
certClass: "garden-setup"
ca:
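Review bot: `issuerEABSecretName` is a fixed string, whereas the issuer's own key secret is derived as `(( .settings.issuerName "-secret" ))` further down in this file; deriving the EAB secret name the same way (for example `(( .settings.issuerName "-eab" ))`) keeps the naming consistent and avoids a collision if another issuer is ever rendered into the same namespace.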
Expand All @@ -20,6 +21,7 @@ caSpec:
instantiateIfNeeded: (( |x|-> type( x ) == "template" ? *x :x ))
server: (( caSpec.instantiateIfNeeded( .servers[.landscape.cert-manager.server.url] || .landscape.cert-manager.server ) ))
url: (( server.url || server ))
eab: (( .landscape.cert-manager.server.eab || ~~ ))
ca: (( server.ca || ~~ ))

plugins:
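Review bot: `eab` is read from `.landscape.cert-manager.server.eab` while the neighbouring `ca: (( server.ca || ~~ ))` reads from the resolved `server` node. Because `server` may be resolved from `.servers[...]` (a named entry looked up by URL), an `eab` block defined on such a server entry would be silently ignored; use `(( server.eab || ~~ ))` for symmetry with `ca` unless the asymmetry is intended, in which case a comment should say so.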
Expand Down Expand Up @@ -54,11 +56,31 @@ issuer-secret:
data:
privateKey: (( base64(settings.issuerPrivateKey) ))

eab:
<<: (( &temporary ))
issuerSnippet:
<<: (( &template ))
keyID: (( .caSpec.eab.keyID ))
keySecretRef:
name: (( .settings.issuerEABSecretName ))
namespace: (( .settings.namespace ))
manifests:
- <<: (( &template ))
- apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: (( .settings.issuerEABSecretName ))
namespace: (( .settings.namespace ))
data:
hmacKey: (( base64(.caSpec.eab.keySecret) ))

acme_issuer:
<<: (( &template &temporary ))
kubeconfig: (( landscape.clusters.[0].kubeconfig ))
manifests:
- <<: (( valid( .settings.issuerPrivateKey ) ? *issuer-secret :~ ))
- <<: (( valid( .caSpec.eab ) ? *.eab.manifests :~ ))
- apiVersion: cert.gardener.cloud/v1alpha1
kind: Issuer
metadata:
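Review bot: `hmacKey: (( base64(.caSpec.eab.keySecret) ))` base64-encodes whatever the user puts into `keySecret`; CAs usually hand out the EAB HMAC key already as a base64url string, so the docs should state that `keySecret` is that string verbatim (one encoding here is then correct, since Secret `data` must be base64) and that users must not pre-encode it themselves, otherwise the key is double-encoded and every ACME registration fails. The conditional on the new manifest entry uses `~` while the `externalAccountBinding` field below uses `~~`; the `~` choice mirrors the existing `*issuer-secret` entry, and a one-line comment noting that a nil list entry is tolerated there would save the next reader the question.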
Expand All @@ -72,6 +94,7 @@ acme_issuer:
privateKeySecretRef:
name: (( .settings.issuerName "-secret" ))
namespace: (( .settings.namespace ))
externalAccountBinding: (( valid( .caSpec.eab ) ? *.eab.issuerSnippet :~~ ))

ca_issuer:
<<: (( &template &temporary ))
7 changes: 6 additions & 1 deletion docs/extended/cert-manager.md
Expand Up @@ -16,6 +16,9 @@ Internally, if `landscape.cert-manager.server` is a string, it is converted into
ca:
crt:
key:
eab:
keyID:
keySecret:
```

It is also possible to use this structure directly in the `acre.yaml` file, with the following effects:
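Review bot: the structure now lists `eab.keyID` and `eab.keySecret`, but nothing here says that the two are only valid together (the `acre.yaml` validation enforces both via `and`) or that `keySecret` is a credential that ends up in a Kubernetes Secret in the cert-manager namespace; a sentence stating both next to the structure would make the contract explicit.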
Expand All @@ -25,4 +28,6 @@ If `url` is `self-signed` and `ca.crt` and `ca.key` contain a CA certificate and

If `url` points to an ACME server that produces untrusted certificates (as the letsencrypt staging server, for example), *the root CA and all intermediate CAs that are used by that ACME server to sign certificates* have to be given in `ca.crt` (simply appended to each other). Otherwise, the deployed kube-apiserver won't be able to verify the dashboard certificate and thus won't accept it. There is one exception to this - if `server.url` is set to `staging`, the required letsencrypt certificates (root CA and intermediate CA) are automatically downloaded and do not have to be provided.

If `url` is `live` or points to an ACME server generating publicly trusted certificates, the `ca` node must not be there at all. You can just use the simplified notation and put the acme server URL directly into `landscape.cert-manager.server`.
If `url` is `live` or points to an ACME server generating publicly trusted certificates, the `ca` node must not be there at all. You can just use the simplified notation and put the acme server URL directly into `landscape.cert-manager.server`.

If your ACME server requires you to specify an EAB, you have to use the extended notation and specify its id and secret as shown above.
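Review bot: "specify its id and secret as shown above" should name the fields (`eab.keyID` and `eab.keySecret`) and expand the acronym on first use (External Account Binding), since this paragraph is the only place EAB is introduced; it should also say that the setting applies only to the ACME issuer and is ignored when `url` is `self-signed`, as the `ca_issuer` template carries no `externalAccountBinding` field.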