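#!/bin/bash
# Provision cert-manager into the cluster: install the CRDs, install the helm
# chart, then bootstrap a self-signed CA and a ClusterIssuer that signs ingress
# certificates from it.
#
# Usage: provision-chart-cert-manager.sh [cert-manager-chart-version]
#
# NB /vagrant/lib.sh provides the `title` helper used below. It is presumably
#    also what enables strict mode (the `|| true` after shift only makes sense
#    under set -e) -- confirm if lib.sh changes.
source /vagrant/lib.sh
cert_manager_chart_version="${1:-1.12.1}"; shift || true
# NB the version string is interpolated into the GitHub release URL that the
#    CRDs are fetched from and passed to helm --version, and whatever comes
#    back is applied to the cluster. Refuse anything that is not a plain
#    (optionally pre-release) semantic version, so that e.g. a "../" path or a
#    "?query" cannot change what gets downloaded and applied.
if [[ ! "$cert_manager_chart_version" =~ ^[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?$ ]]; then
  printf 'ERROR: invalid cert-manager chart version: %s\n' "$cert_manager_chart_version" >&2
  exit 1
fi
# NB YOU MUST INSTALL CERT-MANAGER TO THE cert-manager NAMESPACE. the CRDs have it hard-coded.
# NB YOU CANNOT INSTALL MULTIPLE INSTANCES OF CERT-MANAGER IN A CLUSTER.
# NB the CRDs have to be installed separately from the chart.
# TODO would it make sense to have a separate helm chart for installing the CRDs?
# see https://artifacthub.io/packages/helm/cert-manager/cert-manager
# see https://github.com/jetstack/cert-manager/tree/master/deploy/charts/cert-manager
# see https://cert-manager.io/docs/installation/supported-releases/
# see https://cert-manager.io/docs/configuration/selfsigned/#bootstrapping-ca-issuers
# see https://cert-manager.io/docs/usage/ingress/
# register the chart repository (HTTPS) and refresh its index so that
# --version below can be resolved.
helm repo add jetstack https://charts.jetstack.io
helm repo update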
title 'Installing cert-manager crds'
# NB the CRDs ship outside the chart; they are pinned to the same release tag
#    as the chart version so the two cannot drift apart.
# NB this is a plain HTTPS fetch by tag: nothing beyond the TLS connection to
#    github.com verifies the manifest (no checksum or signature check), and
#    it is applied straight into the cluster.
crds_url="https://github.com/jetstack/cert-manager/releases/download/v$cert_manager_chart_version/cert-manager.crds.yaml"
kubectl apply -f "$crds_url"
title 'Installing cert-manager'
# NB the release is pinned to the same version as the CRDs applied above.
# NB --wait blocks until the chart's workloads are ready. the cert-manager
#    resources created later in this script go through the cert-manager
#    webhook, so keep it.
# NB the values below only harden the container security contexts of the
#    controller, cainjector, webhook and startupapicheck: no privilege
#    escalation, all capabilities dropped, read-only root filesystem, non-root
#    user and the runtime default seccomp profile.
# TODO remove these values after https://github.com/cert-manager/cert-manager/pull/5259
#      lands in a release (at which point they should be the chart defaults).
helm upgrade --install \
  cert-manager \
  jetstack/cert-manager \
  --version "$cert_manager_chart_version" \
  --namespace cert-manager \
  --create-namespace \
  --wait \
  --values <(cat <<'EOF'
containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  seccompProfile:
    type: RuntimeDefault
cainjector:
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
webhook:
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
startupapicheck:
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
EOF
)
# Bootstrap a CA for ingress certificates, following
# https://cert-manager.io/docs/configuration/selfsigned/#bootstrapping-ca-issuers:
#   1. a self-signed ClusterIssuer (selfsigned),
#   2. a CA Certificate issued by it, whose key pair is stored in the
#      ingress-tls Secret of the cert-manager namespace, and
#   3. a CA ClusterIssuer (ingress) that signs from that Secret.
# NB a ClusterIssuer's secretName is looked up in cert-manager's own namespace
#    (the cluster resource namespace), which is why the Certificate is created
#    in cert-manager and not elsewhere. anyone able to read Secrets in that
#    namespace holds the CA private key and can mint trusted leaf certificates.
# NB the CA is self-signed, so clients must be told to trust it explicitly.
# NB the 8h CA lifetime is for testing only (the default is 2160h / 90 days);
#    each CA rotation means leaf certificates issued earlier chain to a CA
#    certificate that clients pinning the newest one will not recognise.
kubectl apply -f - <<'MANIFESTS'
---
# see https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.ClusterIssuer
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned
spec:
  selfSigned: {}
---
# see https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.Certificate
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: ingress
  namespace: cert-manager
spec:
  isCA: true
  commonName: Kubernetes Ingress
  subject:
    organizations: [Example]
    organizationalUnits: [Kubernetes]
  # NB P-256 ECDSA; Ed25519 was not supported by chrome 93 or firefox 91 when
  #    this was written.
  privateKey: {algorithm: ECDSA, size: 256}
  duration: 8h # NB deliberately short for testing. default is 2160h (90 days).
  secretName: ingress-tls
  issuerRef: {name: selfsigned, kind: ClusterIssuer, group: cert-manager.io}
---
# see https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.ClusterIssuer
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: ingress
spec:
  ca:
    secretName: ingress-tls
MANIFESTS