This repository has been archived by the owner on Aug 4, 2022. It is now read-only.

Merge pull request #1 from jfrog/add-cert-manager-certs
add cert-manager tls certs generation
rimusz authored Jul 3, 2019
2 parents e6a95e4 + f99c0c6 commit 17aaddd
Showing 15 changed files with 291 additions and 179 deletions.
23 changes: 18 additions & 5 deletions README.md
@@ -47,7 +47,9 @@ kubectl create secret docker-registry regsecret --docker-server=${DOCKER_REGISTR
./webhook/webhook-patch-ca-bundle.sh
```

### Deploy Kubenab to Kubernetes
**Note:** You can skip this step and use Helm chart install with TLS certs generated by the [cert-manager](https://github.com/jetstack/cert-manager)

### Deploy Kubenab to Kubernetes with self generated TLS Certs

* Deploy using kubectl
```bash
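Review bot: the new Note points readers at the cert-manager install path but never says that cert-manager itself (its CRDs and the CA injector) must already be running in the cluster; the chart's pki.yaml renders `certmanager.k8s.io/v1alpha1` Issuer and Certificate objects, so on a cluster without cert-manager the install is rejected by the API server with unknown kinds. Suggest adding a one-line prerequisite with a link to the cert-manager installation docs right after the Note, and stating that the manual `./webhook/webhook-patch-ca-bundle.sh` step in the previous block applies only to the self-generated-certs path.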
@@ -60,10 +62,10 @@ kubectl create -f deployment/kubenab-svc.yaml

* Deploy using Helm Chart
```bash
helm install --name kubenab --set docker.registrySecret=regsecret,docker.registryUrl=jfrog,whitelistNamespaces="kube-system,default",whitelistRegistries="jfrog" chart/kubenab/
helm install --name kubenab --set docker.registrySecret=regsecret,docker.registryUrl=jfrog,whitelistNamespaces="kube-system,default",whitelistRegistries="jfrog",tls.secretName=kubenab-certs chart/kubenab/
```

### Configure `MutatingAdmissionWebhook` and `ValidatingAdmissionWebhook`
#### Configure `MutatingAdmissionWebhook` and `ValidatingAdmissionWebhook`

**Note**: Replace `${CA_BUNDLE}` with value generated by running `./webhook/webhook-patch-ca-bundle.sh`

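Review bot: `tls.secretName=kubenab-certs` is added to the Helm command, but the section never says what that secret is or how it comes to exist; the only hint is the earlier `./webhook/webhook-patch-ca-bundle.sh` step. Suggest one sentence stating that the secret must exist in the release namespace before install and hold the serving key and certificate produced by the self-generated step, and that setting `tls.secretName` makes the chart skip its cert-manager objects entirely (pki.yaml is guarded by `{{- if not .Values.tls.secretName -}}`).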
@@ -76,13 +78,24 @@ Note: Use MutatingAdmissionWebhook only if you want to enforce pulling of docker
If your container image is `nginx` then Kubenab will append `REGISTRY_URL` to it. e.g `nginx` will become `jfrog/nginx`

```bash
# Configure ValidatingWebhookConfiguration
# Configure ValidatingAdmissionWebhook
kubectl create -f webhook/kubenab-validating-webhook-configuration.yaml
```

Note: Use MutatingAdmissionWebhook only if you want to check pulling of docker image from Private Docker Registry e.g [JFrog Artifactory](https://jfrog.com/artifactory/).
Note: Use ValidatingAdmissionWebhook only if you want to check pulling of docker image from Private Docker Registry e.g [JFrog Artifactory](https://jfrog.com/artifactory/).
If your container image does not contain `REGISTRY_URL` then Kubenab will deny request to run that pod.


### Deploy Kubenab to Kubernetes with cert-manager generated TLS Certs

* Deploy using Helm Chart
```bash
helm install --name kubenab --set docker.registrySecret=regsecret,docker.registryUrl=jfrog,whitelistNamespaces="kube-system,default",whitelistRegistries="jfrog" chart/kubenab/
```

`ValidatingAdmissionWebhook` is enabled by default, use `mutatingWebhook.enabled="true"` to enable `MutatingAdmissionWebhook`.


### Test Kubenab

```bash
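Review bot: the cert-manager section says the validating webhook is on by default and the mutating one is opt-in, but it omits two facts a first-time installer needs: `tls.secretName` must be left unset on this path (otherwise pki.yaml renders nothing and no certificate is ever issued), and the webhook CA bundle is populated by cert-manager's CA injector via the `certmanager.k8s.io/inject-ca-from` annotation, so the `${CA_BUNDLE}` replacement step documented above does not apply here. The `MutatingAdmissionWebhook` to `ValidatingAdmissionWebhook` correction in the second Note is right; while here, the sentence "Kubenab will append `REGISTRY_URL`" describes a prefix (`nginx` becomes `jfrog/nginx`), so "prepend" would be accurate.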
1 change: 1 addition & 0 deletions chart/kubenab/.helmignore
Expand Up @@ -19,3 +19,4 @@
.project
.idea/
*.tmproj
.vscode/
20 changes: 11 additions & 9 deletions chart/kubenab/Chart.yaml
@@ -1,17 +1,19 @@
apiVersion: v1
appVersion: "0.0.5"
description: A Helm chart for Kubenab
name: kubenab
version: 0.2.1
version: 0.0.5
appVersion: 0.3.0
home: https://github.com/jfrog/kubenab
description: Kubenab Helm chart
keywords:
- DevOps
- devops
- helm
- kubernetes
- docker
home: https://github.com/kubenab/kubenab
- jfrog
- security
sources:
- https://github.com/kubenab/kubenab
- https://github.com/jfrog/kubenab
maintainers:
- name: kubenab
email: jainishshah@yahoo.com
icon: https://raw.githubusercontent.com/kubenab/containerize-go-microservice/master/static/logo.jpg
- name: rimusz
email: rimasm@jfrog.com
icon: https://raw.githubusercontent.com/jfrog/artifactory-dcos/master/images/jfrog_med.png
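Review bot: the chart `version` goes backwards, from 0.2.1 to 0.0.5, while `appVersion` moves from "0.0.5" to 0.3.0; it reads as if the two fields were swapped. Helm repositories order releases by semver, so a chart version below one already published is never offered as an upgrade. Suggest `version: 0.3.0` (or anything above 0.2.1) and keeping `appVersion` quoted as a string, as it was before this change.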
26 changes: 14 additions & 12 deletions chart/kubenab/templates/NOTES.txt
@@ -1,19 +1,21 @@
1. Get the application URL by running these commands:
{{- if .Values.ingress.enabled }}
{{- range .Values.ingress.hosts }}
http{{ if $.Values.ingress.tls }}s{{ end }}://{{ . }}{{ $.Values.ingress.path }}
{{- if not .Values.docker.registryUrl }}

#############################################################
#### ERROR: You did not provide Private Registry RUL ####
#############################################################

All pods do not go to the running state if the instances
settings were not provided.

{{- end }}
{{- else if contains "NodePort" .Values.service.type }}
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "kubenab.fullname" . }})

1. Get the application URL by running these commands:
{{- if contains "NodePort" .Values.service.type }}
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "kubenab.fullname" . }})
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
echo http://$NODE_IP:$NODE_PORT
{{- else if contains "LoadBalancer" .Values.service.type }}
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
You can watch the status of by running 'kubectl get svc -w {{ template "kubenab.fullname" . }}'
export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "kubenab.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
echo http://$SERVICE_IP:{{ .Values.service.port }}
{{- else if contains "ClusterIP" .Values.service.type }}
export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ template "kubenab.name" . }},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "kubenab.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
echo "Visit http://127.0.0.1:8080 to use your application"
kubectl port-forward $POD_NAME 8080:80
{{- end }}
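Review bot: typo in the new error banner: "Private Registry RUL" should read "Private Registry URL", and the explanation below it ("All pods do not go to the running state if the instances settings were not provided") should say what actually happens, which is that the Deployment is not rendered at all when `docker.registryUrl` is empty (deployment.yaml is now wrapped in `{{- if .Values.docker.registryUrl }}`). The retained "Get the application URL" instructions also do not fit an admission webhook: the container listens on 443 (see `containerPort` in deployment.yaml) yet the ClusterIP branch port-forwards 8080:80, and the service is called by the API server, not visited by users. Consider replacing those lines with a hint to check the webhook configurations and the serving-certificate secret instead.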
27 changes: 16 additions & 11 deletions chart/kubenab/templates/_helpers.tpl
@@ -24,20 +24,25 @@ If release name contains chart name it will be used as a full name.
{{- end -}}
{{- end -}}

{{/*
Create the name of the service account to use
*/}}
{{- define "kubenab.serviceAccountName" -}}
{{- if .Values.serviceAccount.create -}}
{{ default (include "kubenab.fullname" .) .Values.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.serviceAccount.name }}
{{- end -}}
{{- end -}}

{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "kubenab.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}

{{- define "kubenab.selfSignedIssuer" -}}
{{ printf "%s-selfsign" (include "kubenab.fullname" .) }}
{{- end -}}

{{- define "kubenab.rootCAIssuer" -}}
{{ printf "%s-ca" (include "kubenab.fullname" .) }}
{{- end -}}

{{- define "kubenab.rootCACertificate" -}}
{{ printf "%s-ca" (include "kubenab.fullname" .) }}
{{- end -}}

{{- define "kubenab.servingCertificate" -}}
{{ printf "%s-kubenab-tls" (include "kubenab.fullname" .) }}
{{- end -}}
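Review bot: the four new helpers lack the `{{/* ... */}}` doc comment every other helper in this file carries, and `kubenab.servingCertificate` renders `%s-kubenab-tls`, which for the default release name yields `kubenab-kubenab-tls`; `%s-tls` would match the naming of its siblings. Note also that `kubenab.rootCAIssuer` and `kubenab.rootCACertificate` produce the identical string `%s-ca`; that works only because they name different kinds, and a reader of pki.yaml has to verify that the Issuer's `ca.secretName` and the CA Certificate's `secretName` are deliberately the same object, so a comment on the pair would help. Dropping `kubenab.serviceAccountName` is safe only because deployment.yaml now hardcodes `serviceAccountName: {{ include "kubenab.fullname" . }}`; if a `serviceAccount.name` value still exists in values.yaml it has become dead and should go too.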
43 changes: 23 additions & 20 deletions chart/kubenab/templates/deployment.yaml
@@ -1,27 +1,29 @@
apiVersion: apps/v1beta2
{{- if .Values.docker.registryUrl }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "kubenab.fullname" . }}
name: {{ include "kubenab.fullname" . }}
labels:
app: {{ template "kubenab.name" . }}
chart: {{ template "kubenab.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
app.kubernetes.io/name: {{ include "kubenab.name" . }}
helm.sh/chart: {{ include "kubenab.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
spec:
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
app: {{ template "kubenab.name" . }}
release: {{ .Release.Name }}
app.kubernetes.io/name: {{ include "kubenab.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
template:
metadata:
labels:
app: {{ template "kubenab.name" . }}
release: {{ .Release.Name }}
app.kubernetes.io/name: {{ include "kubenab.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
spec:
serviceAccountName: {{ include "kubenab.fullname" . }}
{{- if .Values.imagePullSecrets }}
imagePullSecrets:
- name: {{ .Values.imagePullSecrets }}
- name: {{ .Values.imagePullSecrets }}
{{- end }}
containers:
- name: {{ .Chart.Name }}
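Review bot: wrapping the whole Deployment in `{{- if .Values.docker.registryUrl }}` means an install without a registry URL still creates the webhook configurations and the Service but no pods behind them; for the validating webhook that is a cluster-wide block on pod creation or a silent bypass depending on its failurePolicy, and for the mutating webhook, which this PR ships with `failurePolicy: Ignore`, it silently admits unmodified pods. Prefer failing the render outright with `{{ required "docker.registryUrl is required" .Values.docker.registryUrl }}` so the control can never be half-deployed. Separately, `.Values.imagePullSecrets` is used as a single secret name (`- name: {{ .Values.imagePullSecrets }}`) while the conventional Helm shape for that key is a list of `{name: ...}` entries; either rename the value or `range` over it.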
@@ -41,23 +43,24 @@ spec:
containerPort: 443
protocol: TCP
volumeMounts:
- name: tls
mountPath: /etc/admission-controller/tls
- name: tls
mountPath: /etc/admission-controller/tls
resources:
{{ toYaml .Values.resources | indent 12 }}
{{- with .Values.nodeSelector }}
{{- toYaml .Values.resources | nindent 12 }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{ toYaml . | indent 8 }}
{{- end }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{ toYaml . | indent 8 }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{ toYaml . | indent 8 }}
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
- name: tls
secret:
secretName: {{ .Values.tlsSecretName }}
secretName: {{ .Values.tls.secretName | default (printf "%s" ( include "kubenab.servingCertificate" .)) }}
{{- end }}
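Review bot: `printf "%s" (include "kubenab.servingCertificate" .)` is a no-op wrapper; `{{ .Values.tls.secretName | default (include "kubenab.servingCertificate" .) }}` is equivalent and clearer. More importantly, the pod mounts this secret unconditionally, but pki.yaml only issues the Certificate when one of the webhooks is enabled, so with both disabled and no `tls.secretName` the pod never starts because the kubelet cannot mount a secret that does not exist; gate the two identically or always render the PKI objects. The `toYaml ... | nindent` conversions are a welcome cleanup.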
38 changes: 0 additions & 38 deletions chart/kubenab/templates/ingress.yaml

This file was deleted.

26 changes: 26 additions & 0 deletions chart/kubenab/templates/mutating-webhook.yaml
@@ -0,0 +1,26 @@
{{- if .Values.mutatingWebhook.enabled -}}
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
name: {{ include "kubenab.fullname" . }}-mutate
labels:
app.kubernetes.io/name: {{ include "kubenab.name" . }}
helm.sh/chart: {{ include "kubenab.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
annotations:
certmanager.k8s.io/inject-ca-from: "{{ .Release.Namespace }}/{{ include "kubenab.servingCertificate" . }}"
webhooks:
- name: kubenab-mutate.k8s.io
rules:
- operations: [ "CREATE" ]
apiGroups: [""]
apiVersions: ["v1"]
resources: ["pods"]
failurePolicy: Ignore
clientConfig:
service:
name: {{ include "kubenab.fullname" . }}
namespace: {{ .Release.Namespace }}
path: "/mutate"
{{- end -}}
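Review bot: `failurePolicy: Ignore` makes this an opt-out control: whenever the API server cannot reach the webhook (pod not yet ready, certificate not yet issued by cert-manager, Deployment skipped because `docker.registryUrl` is empty) pods are admitted with their image reference untouched and nothing records that the rewrite did not happen. For an image-source enforcement hook this should at least be a value (`mutatingWebhook.failurePolicy`, defaulting to `Fail`) with the availability trade-off documented. Two smaller points: the `certmanager.k8s.io/inject-ca-from` annotation is emitted unconditionally, but when `tls.secretName` is set pki.yaml renders nothing, so the referenced Certificate does not exist and `caBundle` stays empty; the annotation and a `caBundle:` fallback from a value (one this PR would have to introduce) should switch on that same condition. And because the rule lists only `operations: ["CREATE"]`, an update to an existing pod's image is not rewritten; that may be intended, but say so in the README.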
80 changes: 80 additions & 0 deletions chart/kubenab/templates/pki.yaml
@@ -0,0 +1,80 @@
{{- if not .Values.tls.secretName -}}
{{- if or .Values.mutatingWebhook.enabled .Values.validatingWebhook.enabled }}
---
# Create a selfsigned Issuer, in order to create a root CA certificate for
# signing kubenab serving certificates
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
name: {{ include "kubenab.selfSignedIssuer" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
app.kubernetes.io/name: {{ include "kubenab.name" . }}
helm.sh/chart: {{ include "kubenab.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
spec:
selfSigned: {}

---

# Generate a CA Certificate used to sign certificates for the kubenab
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
name: {{ include "kubenab.rootCACertificate" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
app.kubernetes.io/name: {{ include "kubenab.name" . }}
helm.sh/chart: {{ include "kubenab.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
spec:
secretName: {{ include "kubenab.rootCACertificate" . }}
duration: 43800h # 5y
issuerRef:
name: {{ include "kubenab.selfSignedIssuer" . }}
commonName: "ca.kubenab.kubenab"
isCA: true

---

# Create an Issuer that uses the above generated CA certificate to issue certs
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
name: {{ include "kubenab.rootCAIssuer" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
app.kubernetes.io/name: {{ include "kubenab.name" . }}
helm.sh/chart: {{ include "kubenab.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
spec:
ca:
secretName: {{ include "kubenab.rootCACertificate" . }}

---

# Finally, generate a serving certificate for the kubenab to use
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
name: {{ include "kubenab.servingCertificate" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
app.kubernetes.io/name: {{ include "kubenab.name" . }}
helm.sh/chart: {{ include "kubenab.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
spec:
secretName: {{ include "kubenab.servingCertificate" . }}
duration: 8760h # 1y
issuerRef:
name: {{ include "kubenab.rootCAIssuer" . }}
dnsNames:
- {{ include "kubenab.fullname" . }}
- {{ include "kubenab.fullname" . }}.{{ .Release.Namespace }}
- {{ include "kubenab.fullname" . }}.{{ .Release.Namespace }}.svc
{{- end }}
{{- end -}}
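Review bot: the inner `{{- if or .Values.mutatingWebhook.enabled .Values.validatingWebhook.enabled }}` guard does not match the Deployment, which mounts `kubenab.servingCertificate` unconditionally; either drop this guard or apply the same one to the Deployment. The durations check out (43800h is five years, 8760h one year) and the three `dnsNames` cover the `<svc>`, `<svc>.<ns>` and `<svc>.<ns>.svc` forms the API server uses when it dials the Service, which is what the TLS handshake needs. Two suggestions: add `renewBefore` so the serving certificate is rotated well ahead of expiry rather than relying on the default, and note that the 5-year CA private key lives as a plain Secret in the release namespace, so Secret read access there is equivalent to control over what the API server trusts for this webhook; the README should tell operators to scope RBAC on that namespace accordingly. Minor: `commonName: "ca.kubenab.kubenab"` is hard-coded while every other name derives from the release; `{{ include "kubenab.fullname" . }}-ca` would be consistent.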
12 changes: 6 additions & 6 deletions chart/kubenab/templates/role.yaml
@@ -2,12 +2,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "kubenab.fullname" . }}
name: {{ include "kubenab.fullname" . }}
labels:
app: {{ template "kubenab.name" . }}
chart: {{ template "kubenab.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
app.kubernetes.io/name: {{ include "kubenab.name" . }}
helm.sh/chart: {{ include "kubenab.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
rules:
{{ toYaml .Values.rbac.role.rules }}
{{- end }}
{{- end }}
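Review bot: `rules:` followed by an unindented `{{ toYaml .Values.rbac.role.rules }}` relies on YAML accepting a sequence at the same indentation as its parent key; it works, but next to the `nindent` style this PR adopts in deployment.yaml it reads like a mistake, and `{{- toYaml .Values.rbac.role.rules | nindent 2 }}` would be consistent. The two trailing `{{- end }}` lines close conditionals opened above this hunk, so nothing to change there; the label migration to `app.kubernetes.io/*` matches the other templates.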