feat: cert rotator

charts/kubewarden-controller/README.md

@@ -11,21 +11,17 @@ The kubewarden-controller can be deployed using a helm chart.
 
 ## Installing the charts
 
-Make sure you have [`cert-manager` installed](https://cert-manager.io/docs/installation/)
-and then install the kubewarden-controller chart.
-
 If you want to enable telemetry, you also need to install [OpenTelemetry Operator](https://github.com/open-telemetry/opentelemetry-operator).
 
 For example:
 ```console
-$ kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.5.3/cert-manager.yaml
 $ helm repo add kubewarden https://charts.kubewarden.io
 $ helm install --create-namespace -n kubewarden kubewarden-crds kubewarden/kubewarden-crds
 $ helm install --wait -n kubewarden kubewarden-controller kubewarden/kubewarden-controller
 $ helm install --wait -n kubewarden kubewarden-defaults kubewarden/kubewarden-defaults
 ```
 
-This will install cert-manager, kubewarden-crds, kubewarden-controller, and a
+This will install kubewarden-crds, kubewarden-controller, and a
 default PolicyServer on the Kubernetes cluster in the default configuration
 (which includes self-signed TLS certs).
 

charts/kubewarden-controller/questions.yaml

@@ -114,26 +114,6 @@ questions:
     description: |
       Number of replicas of the Controller Deployment
     group: "Controller HA"
-  # Certificates:
-  - variable: tls.source
-    default: "cert-manager-self-signed"
-    description: "Source for TLS certificates"
-    label: TLS certificates source
-    type: enum
-    options:
-      - "cert-manager-self-signed"
-      - "cert-manager"
-    show_subquestion_if: "cert-manager"
-    group: "Certificates"
-    subquestions:
-      - variable: "tls.certManagerIssuerName"
-        type: string
-        default: ""
-        label: cert-manager Issuer name
-        description: |
-          Name of cert-manager Issuer
-        group: "Certificates"
-        show_if: "tls.source=cert-manager"
   # Telemetry:
   - variable: "telemetry.metrics.enabled"
     type: boolean

charts/kubewarden-controller/templates/_helpers.tpl

@@ -142,7 +142,7 @@ Create the name of the service account to use for kubewarden-controller
 - --disable-store
 {{- end }}
 - --extra-ca
-- "/pki/policy-server-root-ca-pem"
+- "/pki/ca.crt"
 {{- if .Values.auditScanner.outputScan }}
 - --output-scan
 {{- end }}

charts/kubewarden-controller/templates/audit-scanner.yaml

@@ -28,13 +28,13 @@ spec:
           {{- end }}
           restartPolicy: {{ .Values.auditScanner.containerRestartPolicy }}
           volumes:
-          - name: policyservers-ca-cert
+          - name: kubewarden-ca
             secret:
               defaultMode: 420
-              secretName: policy-server-root-ca
+              secretName: kuebewarden-ca
               items:
-              - key: policy-server-root-ca-pem
-                path: "policy-server-root-ca-pem"
+              - key: ca.crt
+                path: "ca.crt"
           {{- if .Values.global.affinity }}
           affinity: {{ .Values.global.affinity | toYaml | nindent 14 }}
           {{- end }}
@@ -54,7 +54,7 @@ spec:
             {{- with .Values.containerSecurityContext }}
             volumeMounts:
             - mountPath: "/pki"
-              name: policyservers-ca-cert
+              name: kubewarden-ca
               readOnly: true
             securityContext:
               {{- toYaml . | nindent 14 }}

charts/kubewarden-controller/templates/deployment.yaml

@@ -45,6 +45,7 @@ spec:
         args:
         - --leader-elect
         - --deployments-namespace={{ .Release.Namespace }}
+        - --webhook-service-name={{ include "kubewarden-controller.fullname" . }}-webhook-service
        {{- if .Values.telemetry.metrics.enabled }}
         - --enable-metrics
        {{- end }}
@@ -94,7 +95,7 @@ spec:
       - name: cert
         secret:
           defaultMode: 420
-          secretName: webhook-server-cert
+          secretName: kubewarden-webhook-server-cert
       {{- if .Values.podSecurityContext }}
       securityContext:
 {{ toYaml .Values.podSecurityContext | indent 8 }}

charts/kubewarden-controller/templates/rbac.yaml

@@ -123,6 +123,7 @@ rules:
   - create
   - delete
   - list
+  - get
   - patch
   - watch
 - apiGroups:

charts/kubewarden-controller/templates/webhooks.yaml

@@ -1,9 +1,53 @@
+# generate certificates
+{{ $dnsName :=  printf "%s-webhook-service.%s.svc" (include "kubewarden-controller.fullname" .) .Release.Namespace }}
+{{ $ca := genCA "kubewarden-controller-ca" 365 }}
+{{ $cert := genSignedCert $dnsName nil ( list $dnsName ) 3650 $ca }}
+{{ $caCert := ($ca.Cert | b64enc) }}
+{{ $oldCaCert := "" }}
+{{ $caBundle := $caCert }}
+{{ $caPrivateKey := ($ca.Key | b64enc) }}
+{{ $serverCert := ($cert.Cert | b64enc) }}
+{{ $serverPrivateKey := ($cert.Key | b64enc) }}
+# check if the secrets already exist and if so, use the existing values
+{{ $caSecret := (lookup "v1" "Secret" .Release.Namespace "kubewarden-ca") }}
+{{ if $caSecret }}
+{{ $caCert = (index $caSecret.data "ca.crt") }}
+{{ $caPrivateKey = (index $caSecret.data "ca.key") }}
+{{ $oldCaCert = (index $caSecret.data "old-ca.crt") }}
+{{ $caBundle = printf "%s%s" ($caCert | b64dec) ($oldCaCert | b64dec) | b64enc }}
+{{ end }}
+{{ $serverCertSecret := (lookup "v1" "Secret" .Release.Namespace "kubewarden-webhook-server-cert") }}
+{{ if $serverCertSecret }}
+{{ $serverCert = (index $serverCertSecret.data "tls.crt") }}
+{{ $serverPrivateKey = (index $serverCertSecret.data "tls.key") }}
+{{ end }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: kubewarden-ca
+  namespace: {{ .Release.Namespace }}
+labels:
+  {{- include "kubewarden-controller.labels" . | nindent 4 }}
+data:
+  ca.crt: {{ $caCert }}
+  ca.key: {{ $caPrivateKey }}
+  old-ca.crt: {{ $oldCaCert }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: kubewarden-webhook-server-cert
+  namespace: {{ .Release.Namespace }}
+labels:
+  {{- include "kubewarden-controller.labels" . | nindent 4 }}
+data:
+  tls.crt: {{ $serverCert }}
+  tls.key: {{ $serverPrivateKey }}
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:
   annotations:
-    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "kubewarden-controller.fullname" . }}-serving-cert
     {{- include "kubewarden-controller.annotations" . | nindent 4 }}
   name: kubewarden-controller-mutating-webhook-configuration
   labels:
@@ -13,6 +57,7 @@ webhooks:
   - v1
   - v1beta1
   clientConfig:
+    caBundle: {{ $caBundle }}
     service:
       name: {{ include "kubewarden-controller.fullname" . }}-webhook-service
       namespace: {{ .Release.Namespace }}
@@ -34,6 +79,7 @@ webhooks:
     - v1
     - v1beta1
   clientConfig:
+    caBundle: {{ $caBundle }}
     service:
       name: {{ include "kubewarden-controller.fullname" . }}-webhook-service
       namespace: {{ .Release.Namespace }}
@@ -55,6 +101,7 @@ webhooks:
     - v1
     - v1beta1
   clientConfig:
+    caBundle: {{ $caBundle }}
     service:
       name: {{ include "kubewarden-controller.fullname" . }}-webhook-service
       namespace: {{ .Release.Namespace }}
@@ -78,7 +125,6 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   annotations:
-    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "kubewarden-controller.fullname" . }}-serving-cert
     {{- include "kubewarden-controller.annotations" . | nindent 4 }}
   name: kubewarden-controller-validating-webhook-configuration
   labels:
@@ -88,6 +134,7 @@ webhooks:
   - v1
   - v1beta1
   clientConfig:
+    caBundle: {{ $caBundle }}
     service:
       name: {{ include "kubewarden-controller.fullname" . }}-webhook-service
       namespace: {{ .Release.Namespace }}
@@ -109,6 +156,7 @@ webhooks:
   - v1
   - v1beta1
   clientConfig:
+    caBundle: {{ $caBundle }}
     service:
       name: {{ include "kubewarden-controller.fullname" . }}-webhook-service
       namespace: {{ .Release.Namespace }}
@@ -129,6 +177,7 @@ webhooks:
 - admissionReviewVersions:
   - v1
   clientConfig:
+    caBundle: {{ $caBundle }}
     service:
       name: {{ include "kubewarden-controller.fullname" . }}-webhook-service
       namespace: {{ .Release.Namespace }}

charts/kubewarden-controller/values.yaml

@@ -162,17 +162,6 @@ preDeleteJob:
 # kubewarden-controller deployment settings:
 podAnnotations: {}
 nodeSelector: {}
-tls:
-  # source options:
-  # - "cert-manager-self-signed": Scaffold cert-manager integration, and create
-  #   a self-signed certificate with a cert-manager self-signed Issuer. Depends
-  #   on cert-manager. (default)
-  # - "cert-manager": Scafffold cert-manager integration. User configures their
-  #   own Issuer. Depends on cert-manager. Set tls.certManagerIssuerName to the
-  #   desired Issuer.
-  source: cert-manager-self-signed
-  # "cert-manager"-only options:
-  certManagerIssuerName: ""
 # Resource limits & requests
 # Ref: https://kubernetes.io/docs/user-guide/compute-resources/
 resources: