Gitiles
Code Review Sign In
gerrit.hackerspace.pl / hscloud / 0f8859188530bd12130363953bd45f9c45388ae8 / . / cluster / kube / lib / cert-manager.libsonnet
blob: 56d95851f0e210a45a03676a24500fd8bea981d0 [file] [log] [blame]
Piotr Dobrowolski79ddbc52019-04-02 13:20:15 +0200[diff] [blame]1# Deploy a per-cluster cert-manager
2
3local kube = import "../../../kube/kube.libsonnet";
4
5{
6 local cm = self,
7 Environment: {
8 local env = self,
9 local cfg = env.cfg,
10
11 cfg:: {
12 namespace: "cert-manager",
Serge Bazanski3dd3ff52023-03-31 22:40:09 +0000[diff] [blame]13 leaderElectionNamespace: "kube-system",
Piotr Dobrowolski2afe6042019-04-02 14:43:34 +0200[diff] [blame]14 enableWebhook: false,
Serge Bazanski3dd3ff52023-03-31 22:40:09 +0000[diff] [blame]15 version: "v1.5.0",
Piotr Dobrowolski79ddbc52019-04-02 13:20:15 +0200[diff] [blame]16 },
17
18 metadata:: {
19 namespace: cfg.namespace,
20 },
21
22 namespace: kube.Namespace(cfg.namespace) {
23 metadata+: {
24 labels: { "certmanager.k8s.io/disable-validation": "true" },
25 },
26 },
Piotr Dobrowolski79ddbc52019-04-02 13:20:15 +0200[diff] [blame]27 sas: {
28 cainjector: kube.ServiceAccount("cert-manager-cainjector") {
29 metadata+: env.metadata,
30 },
31 webhook: kube.ServiceAccount("cert-manager-webhook") {
32 metadata+: env.metadata,
33 },
Serge Bazanski3dd3ff52023-03-31 22:40:09 +0000[diff] [blame]34 certManager: kube.ServiceAccount("cert-manager") {
Piotr Dobrowolski79ddbc52019-04-02 13:20:15 +0200[diff] [blame]35 metadata+: env.metadata,
36 },
37 },
38
Serge Bazanski3dd3ff52023-03-31 22:40:09 +0000[diff] [blame]39 crds: (std.native("parseYaml"))(importstr "./cert-manager.crds.yaml"),
Piotr Dobrowolski79ddbc52019-04-02 13:20:15 +0200[diff] [blame]40
Serge Bazanski3dd3ff52023-03-31 22:40:09 +0000[diff] [blame]41 rbac: (import "./cert-manager-rbac.libsonnet") {
42 env:: env,
43 sas:: env.sas,
Piotr Dobrowolski79ddbc52019-04-02 13:20:15 +0200[diff] [blame]44 },
Serge Bazanski3dd3ff52023-03-31 22:40:09 +0000[diff] [blame]45
Piotr Dobrowolski79ddbc52019-04-02 13:20:15 +0200[diff] [blame]46 deployments: {
47 cainjector: kube.Deployment("cert-manager-cainjector") {
48 metadata+: env.metadata,
49 spec+: {
50 replicas: 1,
51 template+: {
52 spec+: {
53 serviceAccountName: env.sas.cainjector.metadata.name,
54 containers_: {
55 cainjector: kube.Container("cainjector") {
Sergiusz Bazanskid16454b2019-08-29 17:21:49 +0200[diff] [blame]56 image: "quay.io/jetstack/cert-manager-cainjector:" + cfg.version,
Piotr Dobrowolski79ddbc52019-04-02 13:20:15 +0200[diff] [blame]57 args: [
Serge Bazanski3dd3ff52023-03-31 22:40:09 +0000[diff] [blame]58 "--v=2",
59 "--leader-election-namespace=%s" % [cfg.leaderElectionNamespace],
Piotr Dobrowolski79ddbc52019-04-02 13:20:15 +0200[diff] [blame]60 ],
61 env_: {
62 POD_NAMESPACE: kube.FieldRef("metadata.namespace"),
63 },
64 },
65 },
66 },
67 },
68 },
69 },
70 webhook: kube.Deployment("cert-manager-webhook") {
71 metadata+: env.metadata {
72 labels: {
73 app: "webhook",
74 },
75 },
76 spec+: {
Serge Bazanski3dd3ff52023-03-31 22:40:09 +0000[diff] [blame]77 replicas: if cfg.enableWebhook then 1 else 0,
Piotr Dobrowolski79ddbc52019-04-02 13:20:15 +0200[diff] [blame]78 template+: {
79 spec+: {
80 serviceAccountName: env.sas.webhook.metadata.name,
81 containers_: {
82 webhook: kube.Container("webhook") {
Sergiusz Bazanskid16454b2019-08-29 17:21:49 +0200[diff] [blame]83 image: "quay.io/jetstack/cert-manager-webhook:" + cfg.version,
Piotr Dobrowolski79ddbc52019-04-02 13:20:15 +0200[diff] [blame]84 args: [
Serge Bazanski3dd3ff52023-03-31 22:40:09 +0000[diff] [blame]85 "--v=2",
86 "--secure-port=10250",
87 "--dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE)",
88 "--dynamic-serving-ca-secret-name=cert-manager-webhook-ca",
89 "--dynamic-serving-dns-names=cert-manager-webhook,cert-manager-webhook.cert-manager,cert-manager-webhook.cert-manager.svc",
Piotr Dobrowolski79ddbc52019-04-02 13:20:15 +0200[diff] [blame]90 ],
91 env_: {
92 POD_NAMESPACE: kube.FieldRef("metadata.namespace"),
93 },
Serge Bazanski3dd3ff52023-03-31 22:40:09 +0000[diff] [blame]94 ports_: {
95 https: { containerPort: 10250 },
Piotr Dobrowolski79ddbc52019-04-02 13:20:15 +0200[diff] [blame]96 },
97 },
98 },
Piotr Dobrowolski79ddbc52019-04-02 13:20:15 +0200[diff] [blame]99 },
100 },
101 },
102 },
103 certmanager: kube.Deployment("cert-manager") {
104 metadata+: env.metadata,
105 spec+: {
106 replicas: 1,
107 template+: {
108 spec+: {
Serge Bazanski3dd3ff52023-03-31 22:40:09 +0000[diff] [blame]109 serviceAccountName: env.sas.certManager.metadata.name,
Sergiusz Bazanskiaa76e552019-12-29 02:49:30 +0100[diff] [blame]110 dnsPolicy: "None",
111 dnsConfig: {
112 nameservers: ["8.8.8.8"],
113 },
Serge Bazanski3dd3ff52023-03-31 22:40:09 +0000[diff] [blame]114 # TODO: liveness probe, readiness probe
Piotr Dobrowolski79ddbc52019-04-02 13:20:15 +0200[diff] [blame]115 containers_: {
116 webhook: kube.Container("cert-manager") {
Sergiusz Bazanskid16454b2019-08-29 17:21:49 +0200[diff] [blame]117 image: "quay.io/jetstack/cert-manager-controller:" + cfg.version,
Piotr Dobrowolski79ddbc52019-04-02 13:20:15 +0200[diff] [blame]118 args: [
Serge Bazanski3dd3ff52023-03-31 22:40:09 +0000[diff] [blame]119 "--v=2",
Piotr Dobrowolski79ddbc52019-04-02 13:20:15 +0200[diff] [blame]120 "--cluster-resource-namespace=%s" % [cfg.namespace],
Serge Bazanski3dd3ff52023-03-31 22:40:09 +0000[diff] [blame]121 "--leader-election-namespace=%s" % [cfg.leaderElectionNamespace],
Piotr Dobrowolski79ddbc52019-04-02 13:20:15 +0200[diff] [blame]122 ],
123 env_: {
124 POD_NAMESPACE: kube.FieldRef("metadata.namespace"),
125 },
126 ports_: {
127 metrics: { containerPort: 9402 },
128 },
129 resources: {
130 requests: {
131 cpu: "10m",
132 memory: "32Mi",
133 },
134 },
135 },
136 },
137 },
138 },
139 },
140 },
141 },
Serge Bazanski3dd3ff52023-03-31 22:40:09 +0000[diff] [blame]142 services: {
143 certmanager: kube.Service("cert-manager") {
144 metadata+: env.metadata,
radex8b8f3872023-11-24 11:09:46 +0100[diff] [blame]145 target:: env.deployments.certmanager,
Serge Bazanski3dd3ff52023-03-31 22:40:09 +0000[diff] [blame]146 spec+: {
147 type: "ClusterIP",
148 ports: [
149 { name: "tcp-prometheus-servicemonitor", port: 9402, targetPort: 9402, protocol: "TCP"},
150 ],
151 },
152 },
153 webhook: kube.Service("cert-manager-webhook") {
154 metadata+: env.metadata,
radex8b8f3872023-11-24 11:09:46 +0100[diff] [blame]155 target:: env.deployments.webhook,
Serge Bazanski3dd3ff52023-03-31 22:40:09 +0000[diff] [blame]156 spec+: {
157 type: "ClusterIP",
158 ports: [
159 { name: "https", port: 443, targetPort: 10250, protocol: "TCP" },
160 ],
161 },
Piotr Dobrowolski79ddbc52019-04-02 13:20:15 +0200[diff] [blame]162 },
163 },
Piotr Dobrowolskifc514a92019-05-05 12:12:13 +0200[diff] [blame]164 apiservice: if cfg.enableWebhook then kube._Object("apiregistration.k8s.io/v1beta1", "APIService", "v1beta1.admission.certmanager.k8s.io") {
Piotr Dobrowolski79ddbc52019-04-02 13:20:15 +0200[diff] [blame]165 spec+: {
166 version: "v1beta1",
167 group: "admission.certmanager.k8s.io",
168 groupPriorityMinimum: 1000,
169 versionPriority: 15,
170 service: {
171 name: env.service.metadata.name,
172 namespace: cfg.namespace,
173 },
174 },
175 },
Piotr Dobrowolskifc514a92019-05-05 12:12:13 +0200[diff] [blame]176
Serge Bazanski3dd3ff52023-03-31 22:40:09 +0000[diff] [blame]177 webhooks: if cfg.enableWebhook then {
178 mutating: kube._Object("admissionregistration.k8s.io/v1", "MutatingWebhookConfiguration", "cert-manager-webhook") {
179 metadata+: {
180 annotations: {
181 "cert-manager.io/inject-ca-from-secret": "%s/cert-manager-webhook-ca" % [cfg.namespace],
Piotr Dobrowolski79ddbc52019-04-02 13:20:15 +0200[diff] [blame]182 },
183 },
Serge Bazanski3dd3ff52023-03-31 22:40:09 +0000[diff] [blame]184 webhooks: [
185 {
186 name: "webhook.cert-manager.io",
187 rules: [
Piotr Dobrowolski79ddbc52019-04-02 13:20:15 +0200[diff] [blame]188 {
Serge Bazanski3dd3ff52023-03-31 22:40:09 +0000[diff] [blame]189 apiGRoups: ["cert-manager.io", "acme.cert-manager.io"],
190 apiVersions: ["v1"],
191 operations: ["CREATE", "UPDATE"],
192 resources: ["*/*"],
Piotr Dobrowolski79ddbc52019-04-02 13:20:15 +0200[diff] [blame]193 }
Serge Bazanski3dd3ff52023-03-31 22:40:09 +0000[diff] [blame]194 ],
195 admissionReviewVersions: ["v1", "v1beta1"],
196 matchPolicy: "Equivalent",
197 timeoutSeconds: 10,
198 failurePolicy: "Fail",
199 sideEffects: "None",
200 clientConfig: {
201 service: {
202 name: "cert-manager-webhook",
203 namespace: cfg.namespace,
204 path: "/mutate",
Piotr Dobrowolski79ddbc52019-04-02 13:20:15 +0200[diff] [blame]205 },
Piotr Dobrowolski79ddbc52019-04-02 13:20:15 +0200[diff] [blame]206 },
Piotr Dobrowolski79ddbc52019-04-02 13:20:15 +0200[diff] [blame]207 }
Serge Bazanski3dd3ff52023-03-31 22:40:09 +0000[diff] [blame]208 ],
209 },
210 validating: kube._Object("admissionregistration.k8s.io/v1", "ValidatingWebhookConfiguration", "cert-manager-webhook") {
211 metadata+: {
212 annotations: {
213 "cert-manager.io/inject-ca-from-secret": "%s/cert-manager-webhook-ca" % [cfg.namespace],
214 },
Piotr Dobrowolski79ddbc52019-04-02 13:20:15 +0200[diff] [blame]215 },
Serge Bazanski3dd3ff52023-03-31 22:40:09 +0000[diff] [blame]216 // Copied from official yaml
217 webhooks: [
218 {
219 name: "webhook.cert-manager.io",
220 namespaceSelector: {
221 matchExpressions: [
222 {
223 key: "cert-manager.io/disable-validation",
224 operator: "NotIn",
225 values: ["true"],
226 },
227 {
228 key: "name",
229 operator: "NotIn",
230 values: ["cert-manager"],
231 },
Piotr Dobrowolski79ddbc52019-04-02 13:20:15 +0200[diff] [blame]232 ],
Piotr Dobrowolski79ddbc52019-04-02 13:20:15 +0200[diff] [blame]233 },
Serge Bazanski3dd3ff52023-03-31 22:40:09 +0000[diff] [blame]234 rules: [
235 {
236 apiGroups: ["cert-manager.io", "acme.cert-manager.io"],
237 apiVersions: ["v1"],
238 operations: ["CREATE", "UPDATE"],
239 resources: ["*/*"],
240 }
241 ],
242 admissionReviewVersions: ["v1", "v1beta1"],
243 matchPolicy: "Equivalent",
244 timeoutSeconds: 10,
245 failurePolicy: "Fail",
246 sideEffects: "None",
247 clientConfig: {
248 service: {
249 name: "cert-manager-webhook",
250 namespace: cfg.namespace,
251 path: "/validate",
252 },
253 },
254 },
255 ],
256 },
Piotr Dobrowolski79ddbc52019-04-02 13:20:15 +0200[diff] [blame]257 },
258 },
Piotr Dobrowolski79ddbc52019-04-02 13:20:15 +0200[diff] [blame]259}