diff --git a/roles/ocp4_workload_cert_manager/tasks/cert_manager_api_cert_check.yml b/roles/ocp4_workload_cert_manager/tasks/cert_manager_api_cert_check.yml
index 11888a3..4bb1ee5 100644
--- a/roles/ocp4_workload_cert_manager/tasks/cert_manager_api_cert_check.yml
+++ b/roles/ocp4_workload_cert_manager/tasks/cert_manager_api_cert_check.yml
@@ -47,6 +47,75 @@ msg: "Requesting certificate for API servers failed after {{ ocp4_workload_cert_manager_api_cert_max_retries }} retries." - name: Fail if requesting certificates failed - when: not ocp4_workload_cert_manager_ignore_errors | bool + when: + - not ocp4_workload_cert_manager_ignore_errors | bool + - ocp4_workload_cert_manager_provider_fallback == "" ansible.builtin.fail: msg: "Requesting certificate for API servers failed after {{ ocp4_workload_cert_manager_api_cert_max_retries }} retries." + + - name: Try fallback provider if defined + when: + - ocp4_workload_cert_manager_provider_fallback != "" + - r_certificate_api is failed + block: + - name: Remove existing API Certificate + kubernetes.core.k8s: + api_version: cert-manager.io/v1 + kind: Certificate + name: cert-manager-api-cert + namespace: openshift-config + state: absent + + - name: Add certificate requests using fallback provider + kubernetes.core.k8s: + state: present + definition: "{{ lookup('template', item) }}" + loop: + - certificate-api-fallback.yaml.j2 + register: r_clusterissuer + retries: 10 + delay: 30 + until: r_clusterissuer is success + + - name: Wait until API Certificate is ready + when: not api_cert_ready | default(false) | bool + kubernetes.core.k8s_info: + api_version: cert-manager.io/v1 + kind: Certificate + name: cert-manager-api-cert + namespace: openshift-config + wait: true + wait_sleep: 5 + wait_timeout: "{{ ocp4_workload_cert_manager_wait_timeout | int }}" + wait_condition: + type: "Ready" + status: "True" + register: r_certificate_api + rescue: + - name: Restart cert-manager on failure + kubernetes.core.k8s: + api_version: v1 + kind: Pod + state: absent + label_selectors: + - app.kubernetes.io/instance=cert-manager + - app.kubernetes.io/component=controller + namespace: cert-manager + - name: Wait until API Certificate is ready + when: not api_cert_ready | default(false) | bool + kubernetes.core.k8s_info: + api_version: cert-manager.io/v1 + kind: Certificate + name: 
cert-manager-api-cert + namespace: openshift-config + wait: true + wait_sleep: 5 + wait_timeout: "{{ ocp4_workload_cert_manager_wait_timeout | int }}" + wait_condition: + type: "Ready" + status: "True" + register: r_certificate_api + - name: Mark cert ready + when: not r_certificate_api is failed + ansible.builtin.set_fact: + api_cert_ready: true diff --git a/roles/ocp4_workload_cert_manager/tasks/cert_manager_ddns.yml b/roles/ocp4_workload_cert_manager/tasks/cert_manager_ddns.yml new file mode 100644 index 0000000..12546b1 --- /dev/null +++ b/roles/ocp4_workload_cert_manager/tasks/cert_manager_ddns.yml @@ -0,0 +1,8 @@ +- name: Create DDNS secret + kubernetes.core.k8s: + state: present + definition: "{{ lookup('template', 'secret-tsig-creds.yaml.j2') }}" + register: r_ddns_secret + retries: 10 + delay: 60 + until: r_ddns_secret is success diff --git a/roles/ocp4_workload_cert_manager/tasks/cert_manager_ingress_cert_check.yml b/roles/ocp4_workload_cert_manager/tasks/cert_manager_ingress_cert_check.yml index 54b5e1e..c7e2927 100644 --- a/roles/ocp4_workload_cert_manager/tasks/cert_manager_ingress_cert_check.yml +++ b/roles/ocp4_workload_cert_manager/tasks/cert_manager_ingress_cert_check.yml 
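Review bot: The final `Mark cert ready` task still sets `api_cert_ready: true`, while workload.yml in this same commit now gates `API Certificate successfull` on `_ocp4_workload_cert_manager_api_cert_ready`; unless something outside this hunk sets the prefixed name, the API server is never switched to the issued certificate and the play continues silently on the default serving cert. Rename it to `_ocp4_workload_cert_manager_api_cert_ready: true` and update the two `when: not api_cert_ready | default(false) | bool` guards to match, as the ingress check does in this commit. `register: r_clusterissuer` on `Add certificate requests using fallback provider` holds a Certificate result, not a ClusterIssuer, and shadows the variable of the same name in workload.yml; `r_certificate_api_fallback` would be clearer. The enclosing task list starts above the hunk.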
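Review bot: `Create DDNS secret` renders `secret-tsig-creds.yaml.j2`, whose `data` field is the TSIG key, and registers the result; on the final failed retry the module output (and, with verbosity, the task arguments) echo that rendered Secret into the Ansible log. Add `no_log: true` to the task, since this key is the credential that lets the webhook update the cluster's DNS zone. The task has no `when:` and so relies on being reached only through `cert_manager_{{ ocp4_workload_cert_manager_cloud_provider }}.yml` on the `ddns` path; a one-line comment stating that assumption is worth adding.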
@@ -93,4 +93,34 @@ - name: Mark certificate ready when: not r_certificate_ingress is failed ansible.builtin.set_fact: - ingress_cert_ready: true + _ocp4_workload_cert_manager_ingress_cert_ready: true + rescue: + - name: Restart cert-manager on failure + kubernetes.core.k8s: + api_version: v1 + kind: Pod + state: absent + label_selectors: + - app.kubernetes.io/instance=cert-manager + - app.kubernetes.io/component=controller + namespace: cert-manager + + - name: Wait until Ingress Certificate is ready + when: not ingress_cert_ready | default(false) | bool + kubernetes.core.k8s_info: + api_version: cert-manager.io/v1 + kind: Certificate + name: cert-manager-ingress-cert + namespace: openshift-ingress + wait: true + wait_sleep: 5 + wait_timeout: "{{ ocp4_workload_cert_manager_wait_timeout | int }}" + wait_condition: + type: "Ready" + status: "True" + register: r_certificate_ingress + + - name: Mark cert ready + when: not r_certificate_ingress is failed + ansible.builtin.set_fact: + _ocp4_workload_cert_manager_ingress_cert_ready: true diff --git a/roles/ocp4_workload_cert_manager/tasks/workload.yml b/roles/ocp4_workload_cert_manager/tasks/workload.yml index 32db8e5..a349bfd 100644 --- a/roles/ocp4_workload_cert_manager/tasks/workload.yml +++ b/roles/ocp4_workload_cert_manager/tasks/workload.yml @@ -21,7 +21,7 @@ - name: Update CertManager for AWS/GCP/Azure to use external DNS when: > - ocp4_workload_cert_manager_cloud_provider in ["aws", "gcp", "azure"] + ocp4_workload_cert_manager_cloud_provider in ["aws", "gcp", "azure", "acme-bifrost"] kubernetes.core.k8s: state: present template: certmanager.yaml.j2 
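Review bot: The rescue's `Wait until Ingress Certificate is ready` is guarded by `when: not ingress_cert_ready | default(false) | bool`, but `ingress_cert_ready` is the very name this hunk retires in favour of `_ocp4_workload_cert_manager_ingress_cert_ready`, so the guard is now always true; change it to `when: not _ocp4_workload_cert_manager_ingress_cert_ready | default(false) | bool`. Unlike the API check, this rescue only restarts cert-manager and waits once more, and as far as the hunk shows a second failure fails the play regardless of `ocp4_workload_cert_manager_ignore_errors`; a comment saying that is intended, or a fallback mirroring the API path, would make the behaviour explicit. The `block:` this `rescue:` belongs to starts above the hunk.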
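Review bot: `"acme-bifrost"` is appended to the `ocp4_workload_cert_manager_cloud_provider in [...]` list, but everywhere else in this commit `acme-bifrost` is a value of `ocp4_workload_cert_manager_provider`/`_provider_fallback`, while `cloud_provider` takes `aws`/`gcp`/`azure`/`ddns`; unless the cloud provider can itself be set to `acme-bifrost`, this branch never fires for bifrost. If the intent is to apply `certmanager.yaml.j2` whenever bifrost is in play, the condition should read `ocp4_workload_cert_manager_cloud_provider in ["aws", "gcp", "azure"] or ocp4_workload_cert_manager_provider == "acme-bifrost" or ocp4_workload_cert_manager_provider_fallback == "acme-bifrost"`, and the task name should no longer say only AWS/GCP/Azure.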
@@ -61,12 +61,52 @@ - name: Set up cloud provider specific prerequisites for cert manager ansible.builtin.include_tasks: "cert_manager_{{ ocp4_workload_cert_manager_cloud_provider }}.yml" + +- name: Deploy ACME Bifrost webhook + when: ocp4_workload_cert_manager_provider == "acme-bifrost" or ocp4_workload_cert_manager_provider_fallback == "acme-bifrost" + kubernetes.core.k8s: + state: present + definition: "{{ lookup('template', 'webhook_acme_bifrost.yaml.j2') }}" + register: r_webhook_acme_bifrost + retries: 10 + delay: 30 + until: r_webhook_acme_bifrost is success + +- name: Wait for acme-bifrost-webhook deployment to be ready + when: ocp4_workload_cert_manager_provider == "acme-bifrost" or ocp4_workload_cert_manager_provider_fallback == "acme-bifrost" + kubernetes.core.k8s_info: + api_version: apps/v1 + kind: Deployment + name: acme-bifrost-webhook + namespace: cert-manager + register: r_webhook_deployment + until: + - r_webhook_deployment.resources | length > 0 + - r_webhook_deployment.resources[0].status.readyReplicas is defined + - r_webhook_deployment.resources[0].status.readyReplicas == r_webhook_deployment.resources[0].spec.replicas + retries: 30 + delay: 10 + +- name: Wait for webhook APIService to be available + when: ocp4_workload_cert_manager_provider == "acme-bifrost" or ocp4_workload_cert_manager_provider_fallback == "acme-bifrost" + kubernetes.core.k8s_info: + api_version: apiregistration.k8s.io/v1 + kind: APIService + name: v1alpha1.bifrost.demo.redhat.com + register: r_webhook_apiservice + until: + - r_webhook_apiservice.resources | length > 0 + - r_webhook_apiservice.resources[0].status.conditions | selectattr('type', 'equalto', 'Available') | selectattr('status', 'equalto', 'True') | list | length > 0 + retries: 30 + delay: 10 + - name: Set up ClusterIssuer and request certificates kubernetes.core.k8s: state: present template: "{{ item }}" loop: - clusterissuer.yaml.j2 + - clusterissuer-fallback.yaml.j2 - certificate-ingress.yaml.j2 - 
certificate-api.yaml.j2 register: r_clusterissuer @@ -82,7 +122,7 @@ with_sequence: start=0 end={{ ocp4_workload_cert_manager_ingress_cert_max_retries }} - name: Update Ingress controller to use certificate - when: not r_certificate_ingress is failed + when: _ocp4_workload_cert_manager_ingress_cert_ready | default(false) | bool kubernetes.core.k8s: state: present template: default-ingress-controller.yaml.j2 @@ -95,7 +135,7 @@ with_sequence: start=0 end={{ ocp4_workload_cert_manager_api_cert_max_retries }} - name: API Certificate successfull - when: not r_certificate_api is failed + when: _ocp4_workload_cert_manager_api_cert_ready | default(false) | bool block: - name: Update API server to use certificate kubernetes.core.k8s: diff --git a/roles/ocp4_workload_cert_manager/templates/certificate-api-fallback.yaml.j2 b/roles/ocp4_workload_cert_manager/templates/certificate-api-fallback.yaml.j2 new file mode 100644 index 0000000..db62ad5 --- /dev/null +++ b/roles/ocp4_workload_cert_manager/templates/certificate-api-fallback.yaml.j2 @@ -0,0 +1,20 @@ +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: cert-manager-api-cert + namespace: openshift-config +spec: + isCA: false + commonName: "{{ _ocp4_workload_cert_manager_api_hostname }}" + secretName: cert-manager-api-cert + duration: 2160h + renewBefore: 360h + usages: + - server auth + dnsNames: + - "{{ _ocp4_workload_cert_manager_api_hostname }}" + issuerRef: + kind: ClusterIssuer + name: {{ ocp4_workload_cert_manager_provider }}-production-{{ ocp4_workload_cert_manager_cloud_provider }}-fallback + group: cert-manager.io diff --git a/roles/ocp4_workload_cert_manager/templates/certificate-api.yaml.j2 b/roles/ocp4_workload_cert_manager/templates/certificate-api.yaml.j2 index 1844fdd..1c8423b 100644 --- a/roles/ocp4_workload_cert_manager/templates/certificate-api.yaml.j2 +++ b/roles/ocp4_workload_cert_manager/templates/certificate-api.yaml.j2 
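Review bot: `clusterissuer-fallback.yaml.j2` is added to the unconditional loop, but `ocp4_workload_cert_manager_provider_fallback` may be `""` (the API-cert check in this commit treats that as "no fallback"); in that case the template renders a ClusterIssuer named `-production-<cloud>-fallback` pointing at `ocp4_workload_cert_manager_acme_url_fallback`, which either aborts the loop with an undefined-variable error or leaves a junk cluster-scoped issuer behind. Guard it with `when: item != "clusterissuer-fallback.yaml.j2" or ocp4_workload_cert_manager_provider_fallback != ""` on the task. Since the rendered ClusterIssuers now carry `webhookSecret` in clear text, consider `no_log: true` on this task as well so a failed apply does not print the secret. The three bifrost tasks repeat the same two-clause `when:`; a single `_ocp4_workload_cert_manager_bifrost_enabled` fact set once would keep them in step.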
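Review bot: The new gate `_ocp4_workload_cert_manager_api_cert_ready | default(false) | bool` reads a fact that, as far as this commit shows, nothing sets — `cert_manager_api_cert_check.yml` still sets `api_cert_ready: true` — so with `default(false)` the block is skipped and the API server keeps its default certificate without any reported failure. Either set the prefixed fact in the check file or gate on `api_cert_ready | default(false) | bool` here; the ingress side of the same commit does the rename consistently on both ends.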
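Review bot: `issuerRef.name` is built from `ocp4_workload_cert_manager_provider`, the primary provider, while the fallback ClusterIssuer created by `clusterissuer-fallback.yaml.j2` and the ingress fallback certificate both use `ocp4_workload_cert_manager_provider_fallback`; whenever the two providers differ this Certificate references a ClusterIssuer that does not exist and can never become Ready, so the fallback path is dead. Change it to `name: {{ ocp4_workload_cert_manager_provider_fallback }}-production-{{ ocp4_workload_cert_manager_cloud_provider }}-fallback`. Quoting the templated `name:` value, as `commonName` and `dnsNames` already are, would also protect it from YAML retyping.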
@@ -12,7 +12,6 @@ spec: renewBefore: 360h usages: - server auth - - client auth dnsNames: - "{{ _ocp4_workload_cert_manager_api_hostname }}" issuerRef: diff --git a/roles/ocp4_workload_cert_manager/templates/certificate-ingress-fallback.yaml.j2 b/roles/ocp4_workload_cert_manager/templates/certificate-ingress-fallback.yaml.j2 index f88b2c4..dd62d51 100644 --- a/roles/ocp4_workload_cert_manager/templates/certificate-ingress-fallback.yaml.j2 +++ b/roles/ocp4_workload_cert_manager/templates/certificate-ingress-fallback.yaml.j2 @@ -6,17 +6,16 @@ metadata: namespace: openshift-ingress spec: isCA: false - commonName: "{{ _ocp4_workload_cert_manager_wildcard_domain }}" + commonName: "*.{{ _ocp4_workload_cert_manager_wildcard_domain }}" secretName: cert-manager-ingress-cert duration: 2160h renewBefore: 360h usages: - server auth - - client auth dnsNames: - - "{{ _ocp4_workload_cert_manager_wildcard_domain }}" - "*.{{ _ocp4_workload_cert_manager_wildcard_domain }}" + - "{{ _ocp4_workload_cert_manager_wildcard_domain }}" issuerRef: kind: ClusterIssuer - name: {{ ocp4_workload_cert_manager_provider_fallback }}-production-{{ ocp4_workload_cert_manager_cloud_provider }} + name: {{ ocp4_workload_cert_manager_provider_fallback }}-production-{{ ocp4_workload_cert_manager_cloud_provider }}-fallback group: cert-manager.io diff --git a/roles/ocp4_workload_cert_manager/templates/certificate-ingress.yaml.j2 b/roles/ocp4_workload_cert_manager/templates/certificate-ingress.yaml.j2 index 063609c..2a2bf2c 100644 --- a/roles/ocp4_workload_cert_manager/templates/certificate-ingress.yaml.j2 +++ b/roles/ocp4_workload_cert_manager/templates/certificate-ingress.yaml.j2 
@@ -6,16 +6,15 @@ metadata: namespace: openshift-ingress spec: isCA: false - commonName: "{{ _ocp4_workload_cert_manager_wildcard_domain }}" + commonName: "*.{{ _ocp4_workload_cert_manager_wildcard_domain }}" secretName: cert-manager-ingress-cert duration: 2160h renewBefore: 360h usages: - server auth - - client auth dnsNames: - - "{{ _ocp4_workload_cert_manager_wildcard_domain }}" - "*.{{ _ocp4_workload_cert_manager_wildcard_domain }}" + - "{{ _ocp4_workload_cert_manager_wildcard_domain }}" issuerRef: kind: ClusterIssuer name: {{ ocp4_workload_cert_manager_provider }}-production-{{ ocp4_workload_cert_manager_cloud_provider }} diff --git a/roles/ocp4_workload_cert_manager/templates/clusterissuer-fallback.yaml.j2 b/roles/ocp4_workload_cert_manager/templates/clusterissuer-fallback.yaml.j2 new file mode 100644 index 0000000..8cd289c --- /dev/null +++ b/roles/ocp4_workload_cert_manager/templates/clusterissuer-fallback.yaml.j2 
@@ -0,0 +1,84 @@ +--- +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: {{ ocp4_workload_cert_manager_provider_fallback }}-production-{{ ocp4_workload_cert_manager_cloud_provider }}-fallback +spec: + acme: + email: rhpds-admins@redhat.com + server: {{ ocp4_workload_cert_manager_acme_url_fallback }} + privateKeySecretRef: + name: cluster-issuer-acme-production-fallback +{% if ocp4_workload_cert_manager_provider_fallback == "zerossl" %} + externalAccountBinding: + keyID: {{ ocp4_workload_cert_manager_zerossl_eab_key_id }} + keySecretRef: + name: cert-manager-zerossl-creds + key: zerossl_hmac_key + privateKeySecretRef: + name: zerossl-prod-fallback +{% endif %} + solvers: + - selector: + dnsZones: + - {{ _ocp4_workload_cert_manager_api_hostname }} + - {{ _ocp4_workload_cert_manager_wildcard_domain }} + dns01: +{% if ocp4_workload_cert_manager_cloud_provider == "aws" and ocp4_workload_cert_manager_provider != "acme-bifrost" %} + route53: + region: {{ ocp4_workload_cert_manager_aws_region }} + hostedZoneID: {{ _ocp4_workload_cert_manager_hostedzoneid }} + accessKeyID: {{ ocp4_workload_cert_manager_aws_access_key_id }} + secretAccessKeySecretRef: + name: cert-manager-aws-creds + key: aws_secret_access_key +{% endif %} +{% if ocp4_workload_cert_manager_cloud_provider == "gcp" %} + cloudDNS: + project: {{ ocp4_workload_cert_manager_gcp_project_id }} + hostedZoneName: dns-zone-{{ guid }} + serviceAccountSecretRef: + name: cert-manager-gcp-creds + key: key.json +{% endif %} +{% if ocp4_workload_cert_manager_cloud_provider == "azure" %} + azureDNS: + clientID: {{ ocp4_workload_cert_manager_azure_client_id }} + clientSecretSecretRef: + name: cert-manager-azure-creds + key: client-secret + environment: AzurePublicCloud + hostedZoneName: {{ ocp4_workload_cert_manager_azure_hostedzone_name }} + resourceGroupName: {{ ocp4_workload_cert_manager_azure_resource_group_name }} + subscriptionID: {{ ocp4_workload_cert_manager_azure_subscription_id }} + tenantID: {{ 
ocp4_workload_cert_manager_azure_tenant_id }} +{% endif %} +{% if ocp4_workload_cert_manager_provider == "acme-bifrost" %} + webhook: + groupName: bifrost.demo.redhat.com + solverName: gateway-passthrough + config: + gatewayURL: {{ ocp4_workload_cert_manager_acme_bifrost_gateway_url }} + caProvider: {{ ocp4_workload_cert_manager_acme_bifrost_ca_provider | default("letsencrypt") }} +{% if ocp4_workload_cert_manager_cloud_provider == "aws" %} + region: {{ ocp4_workload_cert_manager_aws_region }} + zoneID: "{{ _ocp4_workload_cert_manager_hostedzoneid }}" + accessKeyIDSecretRef: + name: cert-manager-aws-creds + key: aws_access_key_id + secretAccessKeySecretRef: + name: cert-manager-aws-creds + key: aws_secret_access_key +{% elif ocp4_workload_cert_manager_cloud_provider == "ddns" %} + dnsProvider: ddns + ddnsServer: "{{ cluster_dns_server }}" + ddnsZone: "{{ cluster_dns_zone }}" + tsigKeyName: "{{ ddns_key_name }}" + tsigAlgorithm: "hmac-sha256" + tsigSecretRef: + name: cert-manager-tsig-creds + key: tsig-secret +{% endif %} + webhookKID: "{{ ocp4_workload_cert_manager_acme_bifrost_webhook_kid }}" + webhookSecret: "{{ ocp4_workload_cert_manager_acme_bifrost_webhook_secret }}" +{% endif %} diff --git a/roles/ocp4_workload_cert_manager/templates/clusterissuer.yaml.j2 b/roles/ocp4_workload_cert_manager/templates/clusterissuer.yaml.j2 index b5f8ecd..c72329b 100644 --- a/roles/ocp4_workload_cert_manager/templates/clusterissuer.yaml.j2 +++ b/roles/ocp4_workload_cert_manager/templates/clusterissuer.yaml.j2 @@ -9,7 +9,7 @@ spec: server: {{ ocp4_workload_cert_manager_acme_url }} privateKeySecretRef: name: cluster-issuer-acme-production -{% if ocp4_workload_cert_manager_provider == "zerossl" %} +{% if ocp4_workload_cert_manager_provider == "zerossl" %} externalAccountBinding: keyID: {{ ocp4_workload_cert_manager_zerossl_eab_key_id }} keySecretRef: 
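Review bot: Solver selection in this fallback issuer is keyed on the primary provider: `route53:` is suppressed by `ocp4_workload_cert_manager_provider != "acme-bifrost"` and the `webhook:` block is gated on `ocp4_workload_cert_manager_provider == "acme-bifrost"`. When only the fallback is `acme-bifrost` — the case workload.yml explicitly deploys the webhook for — this issuer renders route53 and no webhook solver, and when only the primary is bifrost the "fallback" is routed through the same gateway; both guards should test `ocp4_workload_cert_manager_provider_fallback`. `webhookSecret: "{{ ocp4_workload_cert_manager_acme_bifrost_webhook_secret }}"` also puts the gateway shared secret in clear text in a cluster-scoped object, unlike the AWS and TSIG credentials beside it that go through `secretRef`s; if the webhook supports a secret reference use that, otherwise add a comment documenting the exposure. The `name`, `server` and `email` values are unquoted templated scalars; quote them.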
@@ -24,7 +24,7 @@ spec: - {{ _ocp4_workload_cert_manager_api_hostname }} - {{ _ocp4_workload_cert_manager_wildcard_domain }} dns01: -{% if ocp4_workload_cert_manager_cloud_provider == "aws" %} +{% if ocp4_workload_cert_manager_cloud_provider == "aws" and ocp4_workload_cert_manager_provider != "acme-bifrost" %} route53: region: {{ ocp4_workload_cert_manager_aws_region }} hostedZoneID: {{ _ocp4_workload_cert_manager_hostedzoneid }} @@ -33,7 +33,7 @@ spec: name: cert-manager-aws-creds key: aws_secret_access_key {% endif %} -{% if ocp4_workload_cert_manager_cloud_provider == "gcp" %} +{% if ocp4_workload_cert_manager_cloud_provider == "gcp" %} cloudDNS: project: {{ ocp4_workload_cert_manager_gcp_project_id }} hostedZoneName: dns-zone-{{ guid }} 
@@ -53,3 +53,33 @@ spec: subscriptionID: {{ ocp4_workload_cert_manager_azure_subscription_id }} tenantID: {{ ocp4_workload_cert_manager_azure_tenant_id }} {% endif %} +{% if ocp4_workload_cert_manager_provider == "acme-bifrost" %} + webhook: + groupName: bifrost.demo.redhat.com + solverName: gateway-passthrough + config: + gatewayURL: {{ ocp4_workload_cert_manager_acme_bifrost_gateway_url }} + caProvider: {{ ocp4_workload_cert_manager_acme_bifrost_ca_provider | default("letsencrypt") }} +{% if ocp4_workload_cert_manager_cloud_provider == "aws" %} + region: {{ ocp4_workload_cert_manager_aws_region }} + zoneID: "{{ _ocp4_workload_cert_manager_hostedzoneid }}" + accessKeyIDSecretRef: + name: cert-manager-aws-creds + key: aws_access_key_id + secretAccessKeySecretRef: + name: cert-manager-aws-creds + key: aws_secret_access_key +{% elif ocp4_workload_cert_manager_cloud_provider == "ddns" %} + dnsProvider: ddns + ddnsServer: "{{ cluster_dns_server }}" + ddnsZone: "{{ cluster_dns_zone }}" + tsigKeyName: "{{ ddns_key_name }}" + tsigAlgorithm: "hmac-sha256" + tsigSecretRef: + name: cert-manager-tsig-creds + key: tsig-secret +{% endif %} + webhookKID: "{{ ocp4_workload_cert_manager_acme_bifrost_webhook_kid }}" + webhookSecret: "{{ ocp4_workload_cert_manager_acme_bifrost_webhook_secret }}" +{% endif %} + diff --git a/roles/ocp4_workload_cert_manager/templates/secret-tsig-creds.yaml.j2 b/roles/ocp4_workload_cert_manager/templates/secret-tsig-creds.yaml.j2 new file mode 100644 index 0000000..4e0ecf5 --- /dev/null +++ b/roles/ocp4_workload_cert_manager/templates/secret-tsig-creds.yaml.j2 @@ -0,0 +1,9 @@ +--- +apiVersion: v1 +kind: Secret +metadata: + name: cert-manager-tsig-creds + namespace: cert-manager +type: Opaque +data: + tsig-secret: {{ ddns_key_secret | b64encode }} diff --git a/roles/ocp4_workload_cert_manager/templates/webhook_acme_bifrost.yaml.j2 b/roles/ocp4_workload_cert_manager/templates/webhook_acme_bifrost.yaml.j2 new file mode 100644 index 0000000..194d80a 
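Review bot: `webhookSecret: "{{ ocp4_workload_cert_manager_acme_bifrost_webhook_secret }}"` stores the gateway shared secret in clear text inside a cluster-scoped ClusterIssuer, readable by any principal with read access to `clusterissuers.cert-manager.io` and printed by Ansible whenever the apply task fails, whereas the AWS and TSIG credentials in the same block are correctly passed as `secretRef`s. If the bifrost webhook image can resolve a secret reference, move it to something like `webhookSecretRef: {name: cert-manager-bifrost-creds, key: webhook-secret}` and create that Secret the way `secret-tsig-creds.yaml.j2` does; otherwise at least add a comment stating the value is a secret-in-clear and mark the applying task `no_log: true`. The `route53:` block above this hunk is now skipped when the provider is `acme-bifrost`, making this `webhook:` solver the only dns01 method on AWS in that mode; a one-line `{# route53 is replaced by the bifrost gateway-passthrough solver when provider == acme-bifrost #}` above the block would make that dependency visible.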
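Review bot: `tsig-secret: {{ ddns_key_secret | b64encode }}` is an unquoted templated scalar; quote it (`tsig-secret: "{{ ddns_key_secret | b64encode }}"`) so the k8s module's YAML parse cannot retype it, or use `stringData:` with the raw value and let the API server encode it. Since BIND-style TSIG keys are themselves base64 text, a comment stating that `ddns_key_secret` is expected to be the key string as it appears in the zone's `key` clause, and that the `b64encode` here is only the Secret envelope, would save the next person from double-encoding it.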
--- /dev/null
+++ b/roles/ocp4_workload_cert_manager/templates/webhook_acme_bifrost.yaml.j2
@@ -0,0 +1,255 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: acme-bifrost-webhook + namespace: cert-manager +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: acme-bifrost-webhook + namespace: cert-manager +rules: +- apiGroups: + - "" + resources: + - "secrets" + verbs: + - "get" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: acme-bifrost-webhook + namespace: cert-manager +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: acme-bifrost-webhook +subjects: +- apiGroup: "" + kind: ServiceAccount + name: acme-bifrost-webhook + namespace: cert-manager +--- +# ClusterRole for cert-manager to create webhook solver resources +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: acme-bifrost-webhook:flowcontrol-solver + labels: + app: acme-bifrost-webhook +rules: +- apiGroups: + - bifrost.demo.redhat.com + resources: + - '*' + verbs: + - 'create' +--- +# ClusterRoleBinding for cert-manager to use the webhook +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: acme-bifrost-webhook:flowcontrol-solver + labels: + app: acme-bifrost-webhook +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: acme-bifrost-webhook:flowcontrol-solver +subjects: +- apiGroup: "" + kind: ServiceAccount + name: cert-manager + namespace: cert-manager +--- +# ClusterRole for webhook to create subjectaccessreviews (required for API aggregation) +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: acme-bifrost-webhook:subjectaccessreviews + labels: + app: acme-bifrost-webhook +rules: +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +# ClusterRoleBinding for webhook subjectaccessreviews +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: acme-bifrost-webhook:subjectaccessreviews + labels: + app: 
acme-bifrost-webhook +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: acme-bifrost-webhook:subjectaccessreviews +subjects: +- apiGroup: "" + kind: ServiceAccount + name: acme-bifrost-webhook + namespace: cert-manager +--- +apiVersion: v1 +kind: Service +metadata: + name: acme-bifrost-webhook + namespace: cert-manager +spec: + type: ClusterIP + ports: + - port: 443 + targetPort: 8443 + protocol: TCP + name: https + selector: + app: acme-bifrost-webhook +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: acme-bifrost-webhook-orders +rules: +- apiGroups: ["acme.cert-manager.io"] + resources: ["orders", "orders/status"] + verbs: ["list", "get", "patch", "watch", "update"] +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: acme-bifrost-webhook + namespace: cert-manager + labels: + app: acme-bifrost-webhook +spec: + replicas: 1 + selector: + matchLabels: + app: acme-bifrost-webhook + template: + metadata: + labels: + app: acme-bifrost-webhook + spec: + serviceAccountName: acme-bifrost-webhook + containers: + - name: webhook + image: {{ ocp4_workload_cert_manager_acme_bifrost_webhook_image }} + imagePullPolicy: IfNotPresent + args: + - --tls-cert-file=/tls/tls.crt + - --tls-private-key-file=/tls/tls.key + - --secure-port=8443 + env: + - name: GROUP_NAME + value: "bifrost.demo.redhat.com" + - name: TSIG_SECRET + valueFrom: + secretKeyRef: + name: cert-manager-tsig-creds + key: tsig-secret + ports: + - name: https + containerPort: 8443 + protocol: TCP + livenessProbe: + httpGet: + scheme: HTTPS + path: /healthz + port: https + readinessProbe: + httpGet: + scheme: HTTPS + path: /healthz + port: https + volumeMounts: + - name: certs + mountPath: /tls + readOnly: true + volumes: + - name: certs + secret: + secretName: acme-bifrost-webhook-webhook-tls +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: acme-bifrost-webhook-webhook-tls + namespace: cert-manager +spec: + secretName: 
acme-bifrost-webhook-webhook-tls + duration: 2160h # 90d + renewBefore: 360h # 15d + issuerRef: + name: selfsigned + kind: ClusterIssuer + dnsNames: + - acme-bifrost-webhook + - acme-bifrost-webhook.cert-manager + - acme-bifrost-webhook.cert-manager.svc +--- +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: selfsigned +spec: + selfSigned: {} +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + name: v1alpha1.bifrost.demo.redhat.com + labels: + app: acme-bifrost-webhook + annotations: + cert-manager.io/inject-ca-from: "cert-manager/acme-bifrost-webhook-webhook-tls" +spec: + group: bifrost.demo.redhat.com + groupPriorityMinimum: 1000 + versionPriority: 15 + service: + name: acme-bifrost-webhook + namespace: cert-manager + version: v1alpha1 +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cert-manager-webhook-bifrost +rules: +- apiGroups: ["bifrost.demo.redhat.com"] + resources: ["*"] + verbs: ["create"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: cert-manager-webhook-bifrost +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cert-manager-webhook-bifrost +subjects: +- kind: ServiceAccount + name: cert-manager + namespace: cert-manager +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: acme-bifrost-webhook-orders +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: acme-bifrost-webhook-orders +subjects: +- kind: ServiceAccount + name: acme-bifrost-webhook + namespace: cert-manager
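Review bot: The `acme-bifrost-webhook` Role grants `get` on every Secret in `cert-manager`, the namespace that also holds the ACME account keys (`cluster-issuer-acme-production`), `cert-manager-aws-creds`, `cert-manager-zerossl-creds` and the cloud DNS credentials; the only Secrets the ClusterIssuer webhook config references are `cert-manager-tsig-creds` and `cert-manager-aws-creds`, so the rule should carry `resourceNames` for those two. The `TSIG_SECRET` env var is a hard `secretKeyRef` to `cert-manager-tsig-creds`, which this commit creates only from `cert_manager_ddns.yml`; on the AWS path the pod presumably fails to start on the missing Secret and the readiness wait in workload.yml times out, so add `optional: true` unless that Secret is created on every path. `acme-bifrost-webhook:flowcontrol-solver` and `cert-manager-webhook-bifrost` are identical ClusterRole/ClusterRoleBinding pairs granting `create` on `bifrost.demo.redhat.com/*` to the `cert-manager` ServiceAccount; keep one. The `acme-bifrost-webhook-orders` ClusterRole also gives the webhook pod `patch`/`update` on all `orders` and `orders/status` cluster-wide, which is more than a DNS01 solver normally needs — worth a comment explaining why the passthrough solver requires it, or dropping it.
```yaml
# … unchanged: ServiceAccount …
rules:
- apiGroups:
  - ""
  resources:
  - "secrets"
  # only the Secrets the ClusterIssuer webhook config references by secretRef
  resourceNames:
  - "cert-manager-tsig-creds"
  - "cert-manager-aws-creds"
  verbs:
  - "get"
# … unchanged: RoleBinding, ClusterRoles, Service, Deployment header …
        - name: TSIG_SECRET
          valueFrom:
            secretKeyRef:
              name: cert-manager-tsig-creds
              key: tsig-secret
              optional: true  # Secret is only created on the ddns path
# … unchanged: ports, probes, volumes, Certificate, APIService …
```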