feat: started making trust manager work
tomaspalma committed Aug 1, 2024
1 parent c676fe4 commit b99ac78
Showing 7 changed files with 65 additions and 9 deletions.
3 changes: 2 additions & 1 deletion services/cert-manager/deploy.sh
Expand Up @@ -7,4 +7,5 @@ kubectl apply -f $(dirname $0)/00-namespace.yaml

helm upgrade --install -f $(dirname $0)/values.yaml cert-manager jetstack/cert-manager --namespace cert-manager

kubectl apply -f $(dirname $0)/01-cluster-issuer.yaml
kubectl apply -f $(dirname $0)/01-cluster-issuer.yaml
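Review bot: The `kubectl apply -f $(dirname $0)/01-cluster-issuer.yaml` line appears twice at the end of this hunk; if that reflects the new file content rather than the rendering of a trailing-newline change, one copy should be removed (a second apply is idempotent but misleading). While touching the file, the unquoted `$(dirname $0)` in both the helm and kubectl lines breaks on paths containing spaces; the other scripts in this commit use `"$(dirname "$0")"`.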

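--- a/services/trust-manager/00-namespace.yaml
+++ b/services/trust-manager/00-namespace.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+name: trust-manager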
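--- a/services/trust-manager/01-ca.yaml
+++ b/services/trust-manager/01-ca.yaml
@@ -0,0 +1,24 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+name: trust-manager-selfsigned-issuer
+spec:
+selfSigned: {}
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+name: trust-manager-example-ca
+namespace: cert-manager
+spec:
+isCA: true
+commonName: trust-manager-ca
+secretName: trust-manager-ca-secret
+privateKey:
+algorithm: ECDSA
+size: 256
+issuerRef:
+name: trust-manager-selfsigned-issuer
+kind: ClusterIssuer
+group: cert-manager.io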
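Review bot: The CA Certificate sets no `duration` or `renewBefore`, so cert-manager falls back to its default 90-day lifetime and reissues the CA certificate on each renewal; since services/vault/03-bundle.yaml reads `tls.crt` from `trust-manager-ca-secret`, every reissue silently changes what the cluster trusts and any leaf certificates chained to the previous CA certificate stop validating unless they are rotated too. Consider an explicit CA-appropriate lifetime, e.g. `duration: 87600h` and `renewBefore: 720h` (constructed values), and a comment on `secretName` stating that the secret is consumed by the vault Bundle so nobody renames it casually. The name `trust-manager-example-ca` reads like a placeholder next to `commonName: trust-manager-ca`; aligning the two avoids confusion in a production CA. The file should open with `---` like the other manifests in this commit, and the blank line after the document separator can go.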
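--- a/services/trust-manager/deploy.sh
+++ b/services/trust-manager/deploy.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+kubectl apply -f "$(dirname "$0")"
+
+helm repo add jetstack https://charts.jetstack.io --force-update
+
+helm upgrade --install trust-manager jetstack/trust-manager \
+--namespace trust-manager \
+--wait
+# --set app.webhook.tls.approverPolicy.enabled=true \
+# --set app.webhook.tls.approverPolicy.certManagerNamespace=cert-manager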
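Review bot: The script has no `set -euo pipefail`, so if `kubectl apply -f "$(dirname "$0")"` fails (for example because the cert-manager CRDs that 01-ca.yaml's ClusterIssuer and Certificate require are not installed yet) execution continues into the Helm install and the failure is easy to miss. Add `set -euo pipefail` under the shebang together with a comment such as `# requires cert-manager to be deployed first (ClusterIssuer/Certificate CRDs)` so the ordering dependency is explicit. 01-ca.yaml creates its secret in the `cert-manager` namespace while the chart is installed into `trust-manager`; this appears to rely on trust-manager's trust namespace staying at the chart default, which is worth stating next to the `helm upgrade` line, and `--wait` without `--timeout` relies on Helm's default. The commented-out approver-policy flags should either be enabled or removed rather than left as dead lines.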
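--- a/services/vault/03-bundle.yaml
+++ b/services/vault/03-bundle.yaml
@@ -0,0 +1,13 @@
+apiVersion: trust.cert-manager.io/v1alpha1
+kind: Bundle
+metadata:
+name: vault-cluster-bundle # The bundle name will also be used for the target
+spec:
+sources:
+- useDefaultCAs: true
+- secret:
+name: "trust-manager-ca-secret" # This is a secret from the ca.yaml file from the trust-manager service
+key: "tls.crt"
+target:
+configMap:
+key: "trust-bundle.pem"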
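Review bot: `useDefaultCAs: true` merges the public default CA set into the same `trust-bundle.pem` as the private `trust-manager-ca-secret`, and with no `target.namespaceSelector` the resulting ConfigMap is, if trust-manager's default applies, synced into every namespace; if the intent is for Vault clients to trust only the internal CA, drop `useDefaultCAs` and add a `namespaceSelector` limiting the target to the vault namespace. State the cross-service dependency in the file, e.g. `# secret is read from trust-manager's trust namespace; created by services/trust-manager/01-ca.yaml in cert-manager`. The inline comment refers to `ca.yaml`, but the file in this commit is `01-ca.yaml`. The file also lacks the leading `---` used elsewhere in this commit.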
1 change: 1 addition & 0 deletions services/vault/deploy-vault-prod.sh
Expand Up @@ -6,6 +6,7 @@ helm repo update
kubectl apply -f "$(dirname "$0")"/00-namespaces.yaml
kubectl apply -f "$(dirname "$0")"/01-certificates.yaml
kubectl apply -f "$(dirname "$0")"/02-ingress-routes.yaml
kubectl apply -f "$(dirname "$0")"/03-bundle.yaml
kubectl apply -f "$(dirname "$0")"/vault-sa.yaml

helm upgrade --install vault hashicorp/vault --namespace vault --values $(dirname $0)/vault-prod-values.yaml
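Review bot: The new `kubectl apply` of 03-bundle.yaml depends on the `Bundle` CRD from trust-manager being installed, but nothing in this hunk checks or states that services/trust-manager/deploy.sh must run first, and unless the part of the script outside the hunk sets `-e` the failure is silent. Add a comment above the line, `# requires trust-manager (Bundle CRD) - run services/trust-manager/deploy.sh first`, or guard it with `kubectl get crd bundles.trust.cert-manager.io >/dev/null`. The script's body continues outside the hunk.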
17 changes: 9 additions & 8 deletions services/vault/vault-prod-values.yaml
Expand Up @@ -3,6 +3,15 @@ server:
dev:
enabled: false
logLevel: debug
volumes:
- name: tls
secret:
secretName: vault-tls
volumeMounts:
- name: vault-tls
mountPath: "/vault/tls"
readOnly: true

ui:
enabled: true
serviceType: "ClusterIP"
Expand All @@ -29,14 +38,6 @@ ha:
storage "raft" {
path = "/opt/vault/raft"
#retry_join {
# leader_tls_servername = "vault"
# leader_api_addr = "https://0.0.0.0:8200"
# leader_ca_cert_file = "/opt/vault/tls/vault-ca.pem"
# leader_client_cert_file = "/opt/vault/tls/vault-cert.pem"
# leader_client_key_file = "/opt/vault/tls/vault-key.pem"
#}
}
raft:
enabled: true
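Review bot: In the first hunk the volume is declared as `name: tls` but the mount references `name: vault-tls`, so the volumeMount matches no volume and the server pod spec will be rejected (volumeMounts must name an existing volume); rename the volume to `- name: vault-tls` (or the mount to `tls`) so the two agree. The secret `vault-tls` is not created anywhere in this commit, so the pod will wait in ContainerCreating until it exists; presumably 01-certificates.yaml provides it, which deserves a comment beside `secretName: vault-tls`. The removed `retry_join` block pointed at `/opt/vault/tls/...` while the new mount is `/vault/tls`; any TLS listener configuration elsewhere in this values file (outside the hunks) should use the new mount path. The `ha` block of the second hunk starts outside the hunk.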