#! Copyright 2020-2023 the Pinniped contributors. All Rights Reserved. #! SPDX-License-Identifier: Apache-2.0 #@ load("@ytt:data", "data") --- apiVersion: v1 kind: ServiceAccount metadata: name: cert-issuer namespace: tools labels: app: cert-issuer --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: cert-issuer namespace: tools labels: app: cert-issuer rules: - apiGroups: [""] resources: [secrets] verbs: [create, get, patch, update, watch, delete] --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: cert-issuer namespace: tools labels: app: cert-issuer subjects: - kind: ServiceAccount name: cert-issuer namespace: tools roleRef: kind: Role name: cert-issuer apiGroup: rbac.authorization.k8s.io --- apiVersion: batch/v1 kind: Job metadata: name: cert-issuer namespace: tools labels: app: cert-issuer spec: template: spec: serviceAccountName: cert-issuer initContainers: - name: generate-certs image: #@ data.values.cfssl_image imagePullPolicy: IfNotPresent command: ["/bin/bash"] args: - -c - | cd /var/certs cfssl print-defaults config > /tmp/cfssl-default.json echo '{"CN": "Pinniped Test","hosts": [],"key": {"algo": "ecdsa","size": 256},"names": [{}]}' > /tmp/csr.json echo "generating CA key..." cfssl genkey \ -config /tmp/cfssl-default.json \ -initca /tmp/csr.json \ | cfssljson -bare ca echo "generating Dex server certificate..." cfssl gencert \ -ca ca.pem -ca-key ca-key.pem \ -config /tmp/cfssl-default.json \ -profile www \ -cn "dex.tools.svc.cluster.local" \ -hostname "dex.tools.svc.cluster.local" \ /tmp/csr.json \ | cfssljson -bare dex # Cheat and add 127.0.0.1 as an IP SAN so we can use the ldaps port through port forwarding. # Also allow the server to be accessed by multiple Service names to different Services # can provide/hide different ports. echo "generating LDAP server certificate..." cfssl gencert \ -ca ca.pem -ca-key ca-key.pem \ -config /tmp/cfssl-default.json \ -profile www \ -cn "ldap.tools.svc.cluster.local" \ -hostname "ldap.tools.svc.cluster.local,ldaps.tools.svc.cluster.local,ldapstarttls.tools.svc.cluster.local,127.0.0.1" \ /tmp/csr.json \ | cfssljson -bare ldap chmod -R 777 /var/certs echo echo "generated certificates:" ls -l /var/certs echo echo "CA cert..." cat ca.pem | openssl x509 -text echo echo "Dex cert..." cat dex.pem | openssl x509 -text echo echo "LDAP cert..." cat ldap.pem | openssl x509 -text volumeMounts: - name: certs mountPath: /var/certs containers: - name: save-certs image: #@ data.values.kubectl_image imagePullPolicy: IfNotPresent command: ["/bin/bash"] args: - -c - | kubectl create secret generic -n tools certs --from-file=/var/certs \ --dry-run=client --output yaml | kubectl apply -f - volumeMounts: - name: certs mountPath: /var/certs volumes: - name: certs emptyDir: {} restartPolicy: Never tolerations: - key: kubernetes.io/arch effect: NoSchedule operator: Equal value: amd64 #! Allow running on amd64 nodes. - key: kubernetes.io/arch effect: NoSchedule operator: Equal value: arm64 #! Also allow running on arm64 nodes.