Feature 10947 Cert-manager installation for gRPC authentication
It includes:
- Cert-manager installation
- Custom CA bootstrap
- Mount CA in LCM pod
Change-Id: I8e6d73fb0c179df130f7f4a7f8829bd781713d51
Signed-off-by: Gabriel Cuba <gcuba@whitestack.com>
diff --git a/installers/docker/osm_pods/ca_setup.yaml b/installers/docker/osm_pods/ca_setup.yaml
new file mode 100644
index 0000000..6a3ee65
--- /dev/null
+++ b/installers/docker/osm_pods/ca_setup.yaml
@@ -0,0 +1,46 @@
+# Copyright 2022 Whitestack
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License
+
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: osm-selfsigned-issuer
+spec:
+ selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: osm-ca-certificate
+ namespace: osm
+spec:
+ isCA: true
+ commonName: osm
+ secretName: osm-ca
+ privateKey:
+ algorithm: ECDSA
+ size: 256
+ issuerRef:
+ name: osm-selfsigned-issuer
+ kind: ClusterIssuer
+ group: cert-manager.io
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: ca-issuer
+spec:
+ ca:
+ secretName: osm-ca
\ No newline at end of file
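Review bot: The CA Certificate sets no `duration`/`renewBefore`, so the root is issued with cert-manager's default lifetime (90 days) and re-issued automatically, and every consumer that mounts the `osm-ca` secret (the LCM pod in this change) then holds a stale root until it reloads. Add explicit root-sized values under `spec`, e.g. `duration: 87600h` and `renewBefore: 720h`, and record `privateKey.rotationPolicy: Never` explicitly so a renewal keeps the same key and existing leaf certificates stay valid. The `ca-issuer` ClusterIssuer only finds `osm-ca` because the installer passes `clusterResourceNamespace=osm` to the chart; a comment above it, `# secretName is resolved in the cert-manager clusterResourceNamespace (set to osm by install_kubeadm_cluster.sh)`, would make that coupling visible to whoever edits either side.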
diff --git a/installers/docker/osm_pods/lcm.yaml b/installers/docker/osm_pods/lcm.yaml
index 5472518..3e5a271 100644
--- a/installers/docker/osm_pods/lcm.yaml
+++ b/installers/docker/osm_pods/lcm.yaml
@@ -60,3 +60,16 @@
envFrom:
- secretRef:
name: lcm-secret
+ volumeMounts:
+ - mountPath: /etc/ssl/certs/osm-ca.crt
+ name: osm-ca
+ readOnly: true
+ subPath: osm-ca.crt
+ volumes:
+ - name: osm-ca
+ secret:
+ defaultMode: 420
+ items:
+ - key: tls.crt
+ path: osm-ca.crt
+ secretName: osm-ca
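Review bot: The CA is mounted through `subPath`, and Kubernetes does not propagate Secret updates into subPath mounts, so once cert-manager renews `osm-ca` the LCM container keeps the old certificate until the pod is recreated. Either mount the secret as a directory (drop `subPath`, use e.g. `mountPath: /etc/ssl/osm-ca`, and point the gRPC client at `/etc/ssl/osm-ca/osm-ca.crt`) or add a comment next to the mount stating that a CA renewal requires an LCM restart. Projecting only `tls.crt` via `items` is the right choice, since it keeps the CA private key out of the LCM pod. The container and pod specs this hunk extends start outside the hunk.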
diff --git a/installers/install_kubeadm_cluster.sh b/installers/install_kubeadm_cluster.sh
index 9c0fa2f..648a1be 100755
--- a/installers/install_kubeadm_cluster.sh
+++ b/installers/install_kubeadm_cluster.sh
@@ -184,6 +184,20 @@
[ -z "${DEBUG_INSTALL}" ] || DEBUG end of function
}
+#installs cert-manager
+function install_helm_certmanager() {
+ [ -z "${DEBUG_INSTALL}" ] || DEBUG beginning of function
+ echo "Installing cert-manager"
+ CERTMANAGER_VERSION="v1.9.1"
+ helm repo add jetstack https://charts.jetstack.io
+ helm repo update
+ helm install cert-manager --create-namespace --namespace cert-manager jetstack/cert-manager \
+ --version ${CERTMANAGER_VERSION} --set installCRDs=true --set prometheus.enabled=false \
+ --set clusterResourceNamespace=osm \
+ --set extraArgs="{--enable-certificate-owner-ref=true}"
+ [ -z "${DEBUG_INSTALL}" ] || DEBUG end of function
+}
+
#checks openebs and metallb readiness
function check_for_readiness() {
[ -z "${DEBUG_INSTALL}" ] || DEBUG beginning of function
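Review bot: The namespace is hard-coded as `cert-manager` on the `helm install` line while the readiness probe added later in this file reads `${CERTMANAGER_NAMESPACE}`; if the two ever differ the probe counts a different namespace, so use `--namespace "${CERTMANAGER_NAMESPACE}"` here as well (the variable's definition is not in this diff, presumably elsewhere in the script). `helm install` is also not re-runnable and its exit status is not checked, so a failed or repeated install still reaches `track k8scluster k8s_certmanager_ok`; `helm upgrade --install ... --wait` followed by an explicit status check would make the step idempotent and fail loudly. A comment on the `extraArgs` line, `# owner-ref: issued Secrets get an ownerReference and are garbage-collected with their Certificate`, would explain the otherwise opaque flag.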
@@ -220,6 +234,13 @@
COUNT_METALLB_READY=$(echo "${METALLB_READY}" | grep -v -e '^$' | wc -l)
COUNT_METALLB_NOT_READY=$(echo "${METALLB_NOT_READY}" | grep -v -e '^$' | wc -l)
+ # State of CertManager
+ CERTMANAGER_STATE=$(kubectl get pod -n ${CERTMANAGER_NAMESPACE} --no-headers 2>&1)
+ CERTMANAGER_READY=$(echo "${CERTMANAGER_STATE}" | awk '$2=="1/1" || $2=="2/2" {printf ("%s\t%s\t\n", $1, $2)}')
+ CERTMANAGER_NOT_READY=$(echo "${CERTMANAGER_STATE}" | awk '$2!="1/1" && $2!="2/2" {printf ("%s\t%s\t\n", $1, $2)}')
+ COUNT_CERTMANAGER_READY=$(echo "${CERTMANAGER_READY}" | grep -v -e '^$' | wc -l)
+ COUNT_CERTMANAGER_NOT_READY=$(echo "${CERTMANAGER_NOT_READY}" | grep -v -e '^$' | wc -l)
+
# OK sample
if [[ $((${COUNT_OPENEBS_NOT_READY}+${COUNT_METALLB_NOT_READY})) -eq 0 ]]
then
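Review bot: The cert-manager counts are gathered, but the "OK sample" gate on the following line still sums only `COUNT_OPENEBS_NOT_READY` and `COUNT_METALLB_NOT_READY`, so check_for_readiness can declare the cluster ready while cert-manager's webhook is still starting; the report block added in the next hunk only prints a warning. Change the condition to `if [[ $((${COUNT_OPENEBS_NOT_READY}+${COUNT_METALLB_NOT_READY}+${COUNT_CERTMANAGER_NOT_READY})) -eq 0 ]]`. Note that `kubectl get pod ... 2>&1` folds any error text (unreachable API, unset `CERTMANAGER_NAMESPACE`) into `CERTMANAGER_STATE`, where awk reads its second word as a status and counts it as not-ready; this mirrors the existing probes, but it means a configuration error shows up as an endless "waiting" rather than a clear failure. The enclosing function begins in the previous hunk.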
@@ -241,13 +262,21 @@
echo
fi
- # Reports failed statefulsets
+ # Reports failed pods in MetalLB
if [[ "${COUNT_METALLB_NOT_READY}" -ne 0 ]]
then
echo "MetalLB: Waiting for ${COUNT_METALLB_NOT_READY} of $((${COUNT_METALLB_NOT_READY}+${COUNT_METALLB_READY})) pods to be ready:"
echo "${METALLB_NOT_READY}"
echo
fi
+
+ # Reports failed pods in CertManager
+ if [[ "${COUNT_CERTMANAGER_NOT_READY}" -ne 0 ]]
+ then
+ echo "CertManager: Waiting for ${COUNT_CERTMANAGER_NOT_READY} of $((${COUNT_CERTMANAGER_NOT_READY}+${COUNT_CERTMANAGER_READY})) pods to be ready:"
+ echo "${CERTMANAGER_NOT_READY}"
+ echo
+ fi
fi
#------------ NEXT SAMPLE
@@ -342,6 +371,8 @@
track k8scluster k8s_storageclass_ok
install_helm_metallb
track k8scluster k8s_metallb_ok
+install_helm_certmanager
+track k8scluster k8s_certmanager_ok
check_for_readiness
track k8scluster k8s_ready_ok