generate client certs using cert-manager

Author: kvaps

deploy/helm/kubernetes/scripts/configure-cluster.sh

@@ -39,39 +39,6 @@ if ! kubectl get secret "${FULL_NAME}-pki-sa" >/dev/null; then
 fi
 {{- end }}
 
-# generate cluster-admin kubeconfig
-rm -f /etc/kubernetes/admin.conf
-kubeadm init phase kubeconfig admin --config kubeadmcfg.yaml
-kubectl --kubeconfig=/etc/kubernetes/admin.conf config set-cluster kubernetes --server "https://${FULL_NAME}-apiserver:6443"
-kubectl create secret generic "${FULL_NAME}-admin-conf" --from-file=/etc/kubernetes/admin.conf --dry-run=client -o yaml | kubectl apply -f -
-
-{{- if .Values.controllerManager.enabled }}{{"\n"}}
-# generate controller-manager kubeconfig
-rm -f /etc/kubernetes/controller-manager.conf
-kubeadm init phase kubeconfig controller-manager --config kubeadmcfg.yaml
-kubectl --kubeconfig=/etc/kubernetes/controller-manager.conf config set-cluster kubernetes --server "https://${FULL_NAME}-apiserver:6443"
-kubectl create secret generic "${FULL_NAME}-controller-manager-conf" --from-file=/etc/kubernetes/controller-manager.conf --dry-run=client -o yaml | kubectl apply -f -
-{{- end }}
-
-{{- if .Values.scheduler.enabled }}{{"\n"}}
-# generate scheduler kubeconfig
-rm -f /etc/kubernetes/scheduler.conf
-kubeadm init phase kubeconfig scheduler --config kubeadmcfg.yaml
-kubectl --kubeconfig=/etc/kubernetes/scheduler.conf config set-cluster kubernetes --server "https://${FULL_NAME}-apiserver:6443"
-kubectl create secret generic "${FULL_NAME}-scheduler-conf" --from-file=/etc/kubernetes/scheduler.conf --dry-run=client -o yaml | kubectl apply -f -
-{{- end }}
-
-{{- if .Values.konnectivityServer.enabled }}{{"\n"}}
-# generate konnectivity-server kubeconfig
-openssl req -subj "/CN=system:konnectivity-server" -new -newkey rsa:2048 -nodes -out konnectivity.csr -keyout konnectivity.key -out konnectivity.csr
-openssl x509 -req -in konnectivity.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out konnectivity.crt -days 375 -sha256
-kubectl --kubeconfig /etc/kubernetes/konnectivity-server.conf config set-credentials system:konnectivity-server --client-certificate konnectivity.crt --client-key konnectivity.key --embed-certs=true
-kubectl --kubeconfig /etc/kubernetes/konnectivity-server.conf config set-cluster kubernetes --server "https://${FULL_NAME}-apiserver:6443" --certificate-authority /etc/kubernetes/pki/ca.crt --embed-certs=true
-kubectl --kubeconfig /etc/kubernetes/konnectivity-server.conf config set-context system:konnectivity-server@kubernetes --cluster kubernetes --user system:konnectivity-server
-kubectl --kubeconfig /etc/kubernetes/konnectivity-server.conf config use-context system:konnectivity-server@kubernetes
-kubectl create secret generic "${FULL_NAME}-konnectivity-server-conf" --from-file=/etc/kubernetes/konnectivity-server.conf --dry-run=client -o yaml | kubectl apply -f -
-{{- end }}
-
 # wait for cluster
 echo "Waiting for api-server endpoint ${FULL_NAME}-apiserver:6443..."
 until kubectl --kubeconfig /etc/kubernetes/admin.conf cluster-info >/dev/null 2>/dev/null; do

deploy/helm/kubernetes/templates/admin-configmap.yaml

@@ -0,0 +1,30 @@
+{{- if .Values.admin.enabled }}
+{{- $fullName := include "kubernetes.fullname" . -}}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ $fullName }}-admin-conf
+data:
+  admin.conf: |
+    apiVersion: v1
+    clusters:
+    - cluster:
+        certificate-authority: /pki/admin-client/ca.crt
+        server: https://{{ $fullName }}-apiserver:{{ .Values.apiServer.service.port }}
+      name: default-cluster
+    contexts:
+    - context:
+        cluster: default-cluster
+        namespace: default
+        user: default-auth
+      name: default-context
+    current-context: default-context
+    kind: Config
+    preferences: {}
+    users:
+    - name: default-auth
+      user:
+        client-certificate: /pki/admin-client/tls.crt
+        client-key: /pki/admin-client/tls.key
+{{- end }}

deploy/helm/kubernetes/templates/admin-deployment.yaml

@@ -80,16 +80,21 @@ spec:
         - mountPath: /etc/kubernetes/
           name: kubeconfig
           readOnly: true
+        - mountPath: /pki/admin-client
+          name: pki-admin-client
         {{- with .Values.admin.extraVolumeMounts }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
       {{- with .Values.admin.sidecars }}
       {{- toYaml . | nindent 6 }}
       {{- end }}
       volumes:
-      - secret:
-          secretName: "{{ $fullName }}-admin-conf"
+      - configMap:
+          name: "{{ $fullName }}-admin-conf"
         name: kubeconfig
+      - secret:
+          secretName: "{{ $fullName }}-pki-admin-client"
+        name: pki-admin-client
       {{- with .Values.admin.extraVolumes }}
       {{- toYaml . | nindent 6 }}
       {{- end }}

deploy/helm/kubernetes/templates/apiserver-deployment.yaml

@@ -146,7 +146,7 @@ spec:
           secretName: "{{ $fullName }}-pki-front-proxy-client"
         name: pki-front-proxy-client
       - secret:
-          secretName: "{{ $fullName }}-pki-apiserver"
+          secretName: "{{ $fullName }}-pki-apiserver-server"
         name: pki-apiserver
       - secret:
           secretName: "{{ $fullName }}-pki-apiserver-etcd-client"

deploy/helm/kubernetes/templates/controller-manager-configmap.yaml

@@ -0,0 +1,30 @@
+{{- if .Values.controllerManager.enabled }}
+{{- $fullName := include "kubernetes.fullname" . -}}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ $fullName }}-controller-manager-conf
+data:
+  controller-manager.conf: |
+    apiVersion: v1
+    clusters:
+    - cluster:
+        certificate-authority: /pki/controller-manager-client/ca.crt
+        server: https://{{ $fullName }}-apiserver:{{ .Values.apiServer.service.port }}
+      name: default-cluster
+    contexts:
+    - context:
+        cluster: default-cluster
+        namespace: default
+        user: default-auth
+      name: default-context
+    current-context: default-context
+    kind: Config
+    preferences: {}
+    users:
+    - name: default-auth
+      user:
+        client-certificate: /pki/controller-manager-client/tls.crt
+        client-key: /pki/controller-manager-client/tls.key
+{{- end }}

deploy/helm/kubernetes/templates/controller-manager-deployment.yaml

@@ -92,6 +92,10 @@ spec:
         - mountPath: /etc/kubernetes/
           name: kubeconfig
           readOnly: true
+        - mountPath: /pki/controller-manager-server
+          name: pki-controller-manager-server
+        - mountPath: /pki/controller-manager-client
+          name: pki-controller-manager-client
         - mountPath: /pki/ca
           name: pki-ca
         - mountPath: /pki/front-proxy-client
@@ -105,9 +109,15 @@ spec:
       {{- toYaml . | nindent 6 }}
       {{- end }}
       volumes:
-      - secret:
-          secretName: "{{ $fullName }}-controller-manager-conf"
+      - configMap:
+          name: "{{ $fullName }}-controller-manager-conf"
         name: kubeconfig
+      - secret:
+          secretName: "{{ $fullName }}-pki-controller-manager-server"
+        name: pki-controller-manager-server
+      - secret:
+          secretName: "{{ $fullName }}-pki-controller-manager-client"
+        name: pki-controller-manager-client
       - secret:
           secretName: "{{ $fullName }}-pki-ca"
         name: pki-ca

deploy/helm/kubernetes/templates/konnectivity-server-configmap.yaml

@@ -0,0 +1,30 @@
+{{- if .Values.konnectivityServer.enabled }}
+{{- $fullName := include "kubernetes.fullname" . -}}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ $fullName }}-konnectivity-server-conf
+data:
+  konnectivity-server.conf: |
+    apiVersion: v1
+    clusters:
+    - cluster:
+        certificate-authority: /pki/konnectivity-server-client/ca.crt
+        server: https://{{ $fullName }}-apiserver:{{ .Values.apiServer.service.port }}
+      name: default-cluster
+    contexts:
+    - context:
+        cluster: default-cluster
+        namespace: default
+        user: default-auth
+      name: default-context
+    current-context: default-context
+    kind: Config
+    preferences: {}
+    users:
+    - name: default-auth
+      user:
+        client-certificate: /pki/konnectivity-server-client/tls.crt
+        client-key: /pki/konnectivity-server-client/tls.key
+{{- end }}

deploy/helm/kubernetes/templates/konnectivity-server-deployment.yaml

@@ -108,6 +108,8 @@ spec:
           name: pki-apiserver
         - mountPath: /pki/konnectivity-server
           name: pki-konnectivity-server
+        - mountPath: /pki/konnectivity-server-client
+          name: pki-konnectivity-server-client
         - mountPath: /etc/kubernetes/
           name: kubeconfig
           readOnly: true
@@ -119,13 +121,16 @@ spec:
       {{- end }}
       volumes:
       - secret:
-          secretName: "{{ $fullName }}-pki-apiserver"
+          secretName: "{{ $fullName }}-pki-apiserver-server"
         name: pki-apiserver
       - secret:
           secretName: "{{ $fullName }}-pki-konnectivity-server"
         name: pki-konnectivity-server
       - secret:
-          secretName: "{{ $fullName }}-konnectivity-server-conf"
+          secretName: "{{ $fullName }}-pki-konnectivity-server-client"
+        name: pki-konnectivity-server-client
+      - configMap:
+          name: "{{ $fullName }}-konnectivity-server-conf"
         name: kubeconfig
       {{- with .Values.konnectivityServer.extraVolumes }}
       {{- toYaml . | nindent 6 }}

deploy/helm/kubernetes/templates/kubeadm-job.yaml

@@ -92,7 +92,7 @@ spec:
           secretName: "{{ $fullName }}-pki-front-proxy-client"
         name: pki-front-proxy-client
       - secret:
-          secretName: "{{ $fullName }}-pki-apiserver"
+          secretName: "{{ $fullName }}-pki-apiserver-server"
         name: pki-apiserver
       - secret:
           secretName: "{{ $fullName }}-pki-apiserver-etcd-client"