diff --git a/class/defaults.yml b/class/defaults.yml
index 037fcd5f6..8f76b8707 100644
--- a/class/defaults.yml
+++ b/class/defaults.yml
@@ -57,8 +57,6 @@ parameters:
 insecureSkipTLSVerify: false
 tls:
 certSecretName: appcat-apiserver-tls
- serverCert: ""
- serverKey: "?{vaultkv:${cluster:tenant}/${cluster:name}/appcat/apiserver/apiserver-key}"
 resources:
 requests:
 cpu: 100m
diff --git a/component/appcat_apiserver.jsonnet b/component/appcat_apiserver.jsonnet
index 033df8de3..bd9420b1b 100644
--- a/component/appcat_apiserver.jsonnet
+++ b/component/appcat_apiserver.jsonnet
@@ -60,31 +60,12 @@ local clusterRoleBinding = kube.ClusterRoleBinding(clusterRoleAPIServer.metadata
 ],
 };
-local certSecret =
- if apiserverParams.tls.certSecretName != null && apiserverParams.enabled == true then
- assert std.length(apiserverParams.tls.serverCert) > 0 : 'apiserver.tls.serverCert is required';
- assert std.length(apiserverParams.tls.serverKey) > 0 : 'apiserver.tls.serverKey is required';
- kube.Secret(apiserverParams.tls.certSecretName) {
- metadata+: {
- namespace: apiserverParams.namespace,
- },
- stringData: {
- 'tls.key': apiserverParams.tls.serverKey,
- 'tls.crt': apiserverParams.tls.serverCert,
- },
- }
- else
- null;
-
 local extraDeploymentArgs =
- if certSecret != null then
+ if apiserverParams.tls.certSecretName != null then
 [
 '--tls-cert-file=/apiserver.local.config/certificates/tls.crt',
 '--tls-private-key-file=/apiserver.local.config/certificates/tls.key',
- ]
- else
- []
-;
+ ] else null;
 local apiserver = loadManifest('aggregated-apiserver.yaml') {
 metadata+: {
@@ -105,18 +86,17 @@ local apiserver = loadManifest('aggregated-apiserver.yaml') {
 c for c in super.containers
 ],
- } + if certSecret != null then
+ } + if apiserverParams.tls.certSecretName != null then
 {
 volumes: [
 {
 name: 'apiserver-certs',
 secret: {
- secretName: certSecret.metadata.name,
+ secretName: apiserverParams.tls.certSecretName,
 },
 },
 ],
- }
- else {},
+ } else {},
 },
 },
 };
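Review bot: `extraDeploymentArgs` now evaluates to `null` instead of `[]` when `tls.certSecretName` is unset; if the container mapping outside this hunk concatenates it onto the base args (`args + extraDeploymentArgs`), Jsonnet fails at evaluation time on `array + null`, so the old `else []` should stay unless every consumer is known to guard for null. The removed `certSecret` block also carried the `apiserverParams.enabled == true` check and two asserts; the new branch relies on the top-level `enabled` gate alone, which holds as long as that remains the only output path. The test `apiserverParams.tls.certSecretName != null` is now repeated in this hunk, in the volumes hunk below and in the output-map hunk; a single `local tlsEnabled = apiserverParams.tls.certSecretName != null;` defined once would keep the three in step.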
@@ -129,6 +109,11 @@ local service = loadManifest('service.yaml') {
 local apiService = loadManifest('apiservice.yaml') {
+ metadata+: {
+ annotations: {
+ 'cert-manager.io/inject-ca-from': apiserverParams.namespace + '/apiserver-certificate',
+ },
+ },
 spec+: {
 service: {
@@ -140,19 +125,58 @@ local apiService = loadManifest('apiservice.yaml') {
 apiserverParams.apiservice + (
- if apiserverParams.tls.serverCert != null
- && apiserverParams.tls.serverCert != ''
- && apiserverParams.apiservice.insecureSkipTLSVerify == false
+ if apiserverParams.apiservice.insecureSkipTLSVerify == false
 then
 {
- caBundle: std.base64(params.apiserver.tls.serverCert),
 insecureSkipTLSVerify:: null,
 }
- else
- {}
+ else {}
 ),
 };
+local apiIssuer = {
+ apiVersion: 'cert-manager.io/v1',
+ kind: 'Issuer',
+ metadata: {
+ name: 'api-server-issuer',
+ namespace: apiserverParams.namespace,
+ },
+ spec: {
+ selfSigned: {},
+ },
+};
+
+local apiCertificate = {
+ apiVersion: 'cert-manager.io/v1',
+ kind: 'Certificate',
+ metadata: {
+ name: 'apiserver-certificate',
+ namespace: apiserverParams.namespace,
+ },
+ spec: {
+ dnsNames: [ service.metadata.name + '.' + apiserverParams.namespace + '.svc' ],
+ duration: '87600h0m0s',
+ issuerRef: {
+ group: 'cert-manager.io',
+ kind: 'Issuer',
+ name: apiIssuer.metadata.name,
+ },
+ privateKey: {
+ algorithm: 'RSA',
+ encoding: 'PKCS1',
+ size: 4096,
+ },
+ renewBefore: '2400h0m0s',
+ secretName: apiserverParams.tls.certSecretName,
+ subject: {
+ organizations: [ 'vshn-appcat' ],
+ },
+ usages: [
+ 'server auth',
+ 'client auth',
+ ],
+ },
+};
 if apiserverParams.enabled == true then {
 'apiserver/10_namespace': namespace,
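Review bot: The `cert-manager.io/inject-ca-from` annotation is added to `apiService` unconditionally, while the `apiIssuer` and `apiCertificate` objects it points at are only emitted when `tls.certSecretName != null` (see the output-map hunk further down), so a configuration with TLS disabled ships an APIService annotated with a Certificate that does not exist. The Certificate name is also spelled as the literal `'apiserver-certificate'` here and again in `apiCertificate.metadata.name`; because `apiCertificate` is defined after `apiService`, hoist `local apiCertificateName = 'apiserver-certificate';` above both and use it in both places so the injector target cannot drift. Wrapping the `metadata+` in `if apiserverParams.tls.certSecretName != null then { ... } else {}`, as the volumes block does, would keep the annotation and the Certificate in lockstep.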
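Review bot: Nothing now ties `insecureSkipTLSVerify` to the presence of a serving certificate: with `apiservice.insecureSkipTLSVerify == false` and `tls.certSecretName == null` the component emits an APIService with no `caBundle`, no CA injection target and the field hidden, which the aggregator will most likely reject at TLS verification. An `assert apiserverParams.tls.certSecretName != null || apiserverParams.apiservice.insecureSkipTLSVerify : 'apiserver.tls.certSecretName is required when insecureSkipTLSVerify is false';`, in the style of the asserts this commit removes, would turn that misconfiguration into an evaluation-time error. In `apiCertificate`, `duration: '87600h0m0s'` gives a self-signed serving certificate a ten-year validity although rotation is otherwise free (cert-manager re-issues and the CA injector refreshes the APIService), so a duration of a year or less with the same `renewBefore` shortens the window in which a leaked key stays usable. `'client auth'` in `usages` is not needed for a certificate the apiserver only presents as a server; `usages: [ 'server auth' ]` is sufficient unless the deployment also uses it for mTLS. `apiService`'s definition begins in the preceding hunk.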
@@ -161,8 +185,9 @@ if apiserverParams.enabled == true then {
 'apiserver/10_cluster_role_binding': clusterRoleBinding,
 'apiserver/20_service_account': serviceAccount,
 'apiserver/10_apiserver_envs': envs,
- [if certSecret != null then 'apiserver/20_certs']: certSecret,
 'apiserver/30_deployment': apiserver,
 'apiserver/30_service': service,
 'apiserver/30_api_service': apiService,
+ [if apiserverParams.tls.certSecretName != null then 'apiserver/31_api_issuer']: apiIssuer,
+ [if apiserverParams.tls.certSecretName != null then 'apiserver/31_api_certificate']: apiCertificate,
 } else {}
diff --git a/tests/golden/apiserver/appcat/appcat/apiserver/20_certs.yaml b/tests/golden/apiserver/appcat/appcat/apiserver/20_certs.yaml
deleted file mode 100644
index 1bb30f2b0..000000000
--- a/tests/golden/apiserver/appcat/appcat/apiserver/20_certs.yaml
+++ /dev/null
@@ -1,98 +0,0 @@ -apiVersion: v1 -data: {} -kind: Secret -metadata: - annotations: {} - labels: - name: appcat-apiserver-tls - name: appcat-apiserver-tls - namespace: appcat-apiserver -stringData: - tls.crt: | - -----BEGIN CERTIFICATE----- - MIIFrTCCA5WgAwIBAgIUPqD+5tckpe9g/GJYzZBEtkI5YXkwDQYJKoZIhvcNAQEL - BQAwZjELMAkGA1UEBhMCdW4xCzAJBgNVBAgMAnN0MQowCAYDVQQHDAFsMQowCAYD - VQQKDAFvMQswCQYDVQQLDAJvdTElMCMGA1UEAwwcYXBwY2F0LWNlcnRpZmljYXRl - LWF1dGhvcml0eTAeFw0yMzAyMjEwOTA5MzdaFw0zMzAyMTgwOTA5MzdaMGYxCzAJ - BgNVBAYTAnVuMQswCQYDVQQIDAJzdDEKMAgGA1UEBwwBbDEKMAgGA1UECgwBbzEL - MAkGA1UECwwCb3UxJTAjBgNVBAMMHGFwcGNhdC1jZXJ0aWZpY2F0ZS1hdXRob3Jp - dHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDpe8aqHKBqMyJAy8XY - iAcplLdvCrzV2GwAVzSB+CZ6gX4XB6lXyRv2r1CzLumcRwQDxHy3PHDDvub18j1r - 8gcwk7lXIcxohN9tMIIhHs153Q3U5pWY3sTXWRoa1JhlzpGZ/CXY51RRekLmntCK - lD379u4+AEtiOZjmOICPd+jaYGtHygD1QeAfYld8fLpOGSR+RvXtYskoxhVW94vj - Iy/Mqc4okw8W55ZcuNxztY9SnEoN7SQ6uiZm/tDwqc0Vbjs9GcqLwIedwMnKyc7Q - 5UTnmTkc0yWiXHdMOTERwCnedvq9/tf4f4FLRH2Cda3l9X5v1opHkiUfWYRp2Wq2 - WLgi6Rxn59wNXD5nCiPjRESsx6gYB2JOoQ/wiAqrgOIjuTKFKMPAhbFBTiQtTLqS - RzQ7haTtbVkmYwlCS+Nh70Hoc6PLcnLyJNk8okB/FNGeimo3BgEBn9Q981NEmQ+f - spVJXFHMtaeMeu9UYDDhPlhY3GOk3DNAQlnEmYqWa0WDhvx1srSYrzrJxzcHhPij - 4zCM0naBP42mHQqOXo1jYxFJiU361mGe9JyBmCvgGWum+9Iw6tbJ6krrx6Iwqc21 - bvFWPUCMAGJ98IhVRgENP2tdoT7sfFzgbFyJK1aMLxg+Xt/rdjWH4qj/4bTxSrnH - cVJYjbw08ozzfvwrN5q2i6lb0QIDAQABo1MwUTAdBgNVHQ4EFgQUBayMqPgYXeuR - W22jZXFtfrXJnXIwHwYDVR0jBBgwFoAUBayMqPgYXeuRW22jZXFtfrXJnXIwDwYD - VR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAxQXjgLnt006y1T1ATxNj - zH0DdVPzBF4VgwdrKOIJewYG3UvBuuSnBF+QYpSsF1+xFu/DfuOEiwZvv1k3D879 - yCViBvF39KmwZ7CyZRBAZbOFtnNKq93mfjh3Rz8Ng+Gm0DqF2sRXJGsumORXtbQ9 - 90dOGmC2ZECKzsQ27z+WOgMT9yf1bGX4/9t+KkPsOpoOOmkRtQ7oJx06COVr+uUH - ojKHnaQTHFEzQoGZ8XR4g9xX0ihI+QjMWVB+FxMNu1cFZD08aN1V5kKX7stRfHi4 - MHrcYR2ClwIV4vRt2RTOgLVHwro16DBsnxYXlIaPROEZMYaPj6BAKl9gPpmwFAXm - d2kyXVsiOBpEv/4nADm+Io3Z8njzda210PI3qSQpyMfJ+MD/rNgUI56MejDXg1Kg - 
3ImuLKpDpTyIC1mf8fXFf9FGeFx306+rAPXILh0jlrFGaQ0KpQK9LLRi7X4iehbb - WwGNHS1X4oOw2rcPdB4ek9tVs+TB3/X5gIGPMxjVyZ7lH7j48Cd5WQwXlMhXeXmJ - nwkcolkfakPgZVGjMrmxEoRVbH6X0xgclQqlmwfTY7Ycpb2cKZQm9rhqvYhHuDN9 - kiHPmyJXBzNySYhwyqG6gzvGvhOcr7X48hrnciwNT0i6oYNj+E+eupKVK1c0R1t1 - 3pi/SUE+zGtXa4ZfvyDNWeM= - -----END CERTIFICATE----- - tls.key: | - -----BEGIN PRIVATE KEY----- - MIIJQQIBADANBgkqhkiG9w0BAQEFAASCCSswggknAgEAAoICAQDpe8aqHKBqMyJA - y8XYiAcplLdvCrzV2GwAVzSB+CZ6gX4XB6lXyRv2r1CzLumcRwQDxHy3PHDDvub1 - 8j1r8gcwk7lXIcxohN9tMIIhHs153Q3U5pWY3sTXWRoa1JhlzpGZ/CXY51RRekLm - ntCKlD379u4+AEtiOZjmOICPd+jaYGtHygD1QeAfYld8fLpOGSR+RvXtYskoxhVW - 94vjIy/Mqc4okw8W55ZcuNxztY9SnEoN7SQ6uiZm/tDwqc0Vbjs9GcqLwIedwMnK - yc7Q5UTnmTkc0yWiXHdMOTERwCnedvq9/tf4f4FLRH2Cda3l9X5v1opHkiUfWYRp - 2Wq2WLgi6Rxn59wNXD5nCiPjRESsx6gYB2JOoQ/wiAqrgOIjuTKFKMPAhbFBTiQt - TLqSRzQ7haTtbVkmYwlCS+Nh70Hoc6PLcnLyJNk8okB/FNGeimo3BgEBn9Q981NE - mQ+fspVJXFHMtaeMeu9UYDDhPlhY3GOk3DNAQlnEmYqWa0WDhvx1srSYrzrJxzcH - hPij4zCM0naBP42mHQqOXo1jYxFJiU361mGe9JyBmCvgGWum+9Iw6tbJ6krrx6Iw - qc21bvFWPUCMAGJ98IhVRgENP2tdoT7sfFzgbFyJK1aMLxg+Xt/rdjWH4qj/4bTx - SrnHcVJYjbw08ozzfvwrN5q2i6lb0QIDAQABAoICACTtM41h+6jwL2GqGL9XPDLC - V4STYSw9D0+6ew53LbbAVi3UQ18j6m1Iau375GyX+rWR1NuyDm+W+LY7OqWg4Kw5 - IN379XUuVpvRSTNtyLeWU4KxeUV1LhKVAADwUK4BTpvY+i9k3rwIJx6MTZUtPuRj - uGhL6aA+VcVLeGG4aDZpe24eL6qaYZT1G7sPivOhHFlwZaLGtePh+CwJ+LDSttOa - o4VdRMytkeVWQ191fpZlK30qXUmAeWRetrLpWAskpO/T7WnO6GP1wrR02GXHbO9o - F1VMu64DC8cdYHpbNwP9M0jrTkL5/3vk+Ciy7e7ptbaAatxI6+Aaa0vGXA881to5 - RyZ6pZxD6wg9UX9P2Q9xYzfR4LeSJFcHzVb8pylbeuCV69x2tiWArfVtxFRMrR78 - SCiPBtnpxm63j/P71naNl9CERd6+WgEzg0UES24QW1dUqzV3F/h5Qg3xg7bwK025 - ynOGyVwoUHfhrX46te/0B9u7goaNddniA+KboYkFKLXg36J3CHWv/pX5GJlaIIe8 - eFFRT7KiZIvdNR2OZ7xMHotnJMgMwdh6LbBbOAsX2993gLDN99zjvyZJ5OLdOSca - VrhBRCQ2bXIPpGX7uCx0MMo9Ht085utxntQVSjphlf0wQy0TNHPzDemuHJxYxWUd - 5C/dPG5wbWqBIBRAeaZBAoIBAQD3iG7YbyNoQlYnZ2VY5wpea7OPqbRYQsfl+GbA - 5V8oSfxNB2sMZvdC8NtnvwC9XPCLXOWj77jrlEmtoZyv2Bm+FpZCvjvPSiQb3PBh - 
NVkzkFTqx/eQWnmD0PTXX60VEKeE3ceuCR1Sckd8VwbmeMLvG5KXXaRmwoJZX+Po - uHF3s26JKGOm19JN/wG0VklzGjYOiU+X4ycp2Fu4K0jxWxjNeaoZq3vhp3Tgo98K - jO4o5pqBSwvduaXHGNG7ON7L8FTg9h+z380qB3HJEdrEbB6V1T4eePqgRg7b+7Mw - kNVSwvHN9zuipTgV+ru5qSZtMmtYKK2WYPIsRdXGojcVBtRZAoIBAQDxeFEKlRNo - pyxd0MD3obiUSzTYuTvXPWi/NNoHI92FOFvJ3hynMIxQa0Jj/QYqJgpB8++aM+6f - 1Jd0U7Z7sPqY18UT4sZIsn/zE0yFNzIauZXWTPe6CGMeKe9xbPRF4b+G4d7qAhgU - S1okszO43DwmCxi7FaA0ftkjGjVASAv9zi07o5aZnZubyj0ZHDRiW5jPI2mU3rwN - RfNHl0Kj90c81WOjo0/dJErInlfTgncg2Eo7mk6RhxnmdDpgiTYeUrmAG6EhGv6P - x6/qVl9BhQ746FlhpFCZbWId5tiYnX+5or92GKx3TTrg2RbEW0f+Rw1CyFDEEjpa - /WSeFJhx0jQ5AoIBAFDHUj0JT8m3VDw5rsYrZ6PWi9uHKxZefLOcs5OhhsM0GcTd - dd6vP2O2DDO4Djq9uLYSE9LC6VrfooeqJOLxp7zzzAdt40DLVitNl5hxe3GrWTrh - FPYjwGH279/VFju4mqJuabpuuQXty0xVbigKIrs7CUSiR4NNWJJoC40nm8fPY3QZ - HSQWbEgNvvWl7wRD+n4V60aK1339YDkizwQMkXSEjrEf2CaUqjyg3amowhPQ5Xzq - C65I5kOp4s+xSGvPOzPKvh/KGj7r/QL786OEERseYs449rkVA8ZgRmLD8Qm4Gob3 - dpumRT5O+7Ij9ClQed1kMPnRG1a9V30h9M3E08kCggEAVeV35qzLH7JALQtCaZSE - xXPPU7zo1ZNJvKK/YETY2zgGJtQ1GyBA+aZ+EnWCiOHJSlbNB+yrWP3V9pKE2pFF - Q7OVrpI/+MJOk5hs4wKUdz9HVtlAUlQDdkpym8WnS2iXqhKVKmceS7HWWjHJF1x4 - pQvTe1GhEKuC8GK1SK2YXmvGWW3C99hB73RMsa7/z3FH9X9iYoutF4enl/LtyMgA - 9lnuPNquYTs0wxLYqSvC1tM57OPiSRBnHTyBO6/zqWvCAxlRAybIITtmj5S0A+mi - PtbgXMSHy1xGx95DdF6qfc2wEAGM8E9vv2ZaG/VgscpypCv/1w+o5I85CKbI58xf - uQKCAQAbhwAN+QH5xuMZONhqmzbMUt9nipzp/+UiQwomyuiRJ5mlAUHwHl4GF2CQ - Wx35C+NoH2goVyelz7Bo8XwV8eLVRsKsuCLLL5sCLGxbVDuV/L+Ztm7KXND2CljR - YeB0jT3HnHiBejH6gRifkDf0bNXKld8XPMWFvvQohPxpHgc+bjsGfEKSYuDfIOo2 - P/acq2LX9w5US1Ao4JrU6v9fVXsPGimyKPJspamUHAjXz0ip8YEk6GoYYtJK/2fc - VN1CjPHpXj4RZlmGHj8SIXGaLsf5+eJmJ6FRtznlM+OYmXt9kTwAMVJjK6PuM4yC - 73WWkY9/mi6QSBoGdLOLUbJx/UtN - -----END PRIVATE KEY----- -type: Opaque diff --git a/tests/golden/apiserver/appcat/appcat/apiserver/30_api_service.yaml b/tests/golden/apiserver/appcat/appcat/apiserver/30_api_service.yaml index d32f4e7ee..7fd2f51a2 100644 
--- a/tests/golden/apiserver/appcat/appcat/apiserver/30_api_service.yaml
+++ b/tests/golden/apiserver/appcat/appcat/apiserver/30_api_service.yaml
@@ -1,6 +1,8 @@
 apiVersion: apiregistration.k8s.io/v1
 kind: APIService
 metadata:
+ annotations:
+ cert-manager.io/inject-ca-from: appcat-apiserver/apiserver-certificate
 labels:
 api: appcat
 apiserver: 'true'
diff --git a/tests/golden/apiserver/appcat/appcat/apiserver/31_api_certificate.yaml b/tests/golden/apiserver/appcat/appcat/apiserver/31_api_certificate.yaml
new file mode 100644
index 000000000..02bd07549
--- /dev/null
+++ b/tests/golden/apiserver/appcat/appcat/apiserver/31_api_certificate.yaml
@@ -0,0 +1,25 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: apiserver-certificate
+ namespace: appcat-apiserver
+spec:
+ dnsNames:
+ - appcat.appcat-apiserver.svc
+ duration: 87600h0m0s
+ issuerRef:
+ group: cert-manager.io
+ kind: Issuer
+ name: api-server-issuer
+ privateKey:
+ algorithm: RSA
+ encoding: PKCS1
+ size: 4096
+ renewBefore: 2400h0m0s
+ secretName: appcat-apiserver-tls
+ subject:
+ organizations:
+ - vshn-appcat
+ usages:
+ - server auth
+ - client auth
diff --git a/tests/golden/apiserver/appcat/appcat/apiserver/31_api_issuer.yaml b/tests/golden/apiserver/appcat/appcat/apiserver/31_api_issuer.yaml
new file mode 100644
index 000000000..2531c0713
--- /dev/null
+++ b/tests/golden/apiserver/appcat/appcat/apiserver/31_api_issuer.yaml
@@ -0,0 +1,7 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: api-server-issuer
+ namespace: appcat-apiserver
+spec:
+ selfSigned: {}
diff --git a/tests/golden/vshn/appcat/appcat/apiserver/20_certs.yaml b/tests/golden/vshn/appcat/appcat/apiserver/20_certs.yaml
deleted file mode 100644
index 1bb30f2b0..000000000
--- a/tests/golden/vshn/appcat/appcat/apiserver/20_certs.yaml
+++ /dev/null
@@ -1,98 +0,0 @@ -apiVersion: v1 -data: {} -kind: Secret -metadata: - annotations: {} - labels: - name: appcat-apiserver-tls - name: appcat-apiserver-tls - namespace: appcat-apiserver -stringData: - tls.crt: | - -----BEGIN CERTIFICATE----- - MIIFrTCCA5WgAwIBAgIUPqD+5tckpe9g/GJYzZBEtkI5YXkwDQYJKoZIhvcNAQEL - BQAwZjELMAkGA1UEBhMCdW4xCzAJBgNVBAgMAnN0MQowCAYDVQQHDAFsMQowCAYD - VQQKDAFvMQswCQYDVQQLDAJvdTElMCMGA1UEAwwcYXBwY2F0LWNlcnRpZmljYXRl - LWF1dGhvcml0eTAeFw0yMzAyMjEwOTA5MzdaFw0zMzAyMTgwOTA5MzdaMGYxCzAJ - BgNVBAYTAnVuMQswCQYDVQQIDAJzdDEKMAgGA1UEBwwBbDEKMAgGA1UECgwBbzEL - MAkGA1UECwwCb3UxJTAjBgNVBAMMHGFwcGNhdC1jZXJ0aWZpY2F0ZS1hdXRob3Jp - dHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDpe8aqHKBqMyJAy8XY - iAcplLdvCrzV2GwAVzSB+CZ6gX4XB6lXyRv2r1CzLumcRwQDxHy3PHDDvub18j1r - 8gcwk7lXIcxohN9tMIIhHs153Q3U5pWY3sTXWRoa1JhlzpGZ/CXY51RRekLmntCK - lD379u4+AEtiOZjmOICPd+jaYGtHygD1QeAfYld8fLpOGSR+RvXtYskoxhVW94vj - Iy/Mqc4okw8W55ZcuNxztY9SnEoN7SQ6uiZm/tDwqc0Vbjs9GcqLwIedwMnKyc7Q - 5UTnmTkc0yWiXHdMOTERwCnedvq9/tf4f4FLRH2Cda3l9X5v1opHkiUfWYRp2Wq2 - WLgi6Rxn59wNXD5nCiPjRESsx6gYB2JOoQ/wiAqrgOIjuTKFKMPAhbFBTiQtTLqS - RzQ7haTtbVkmYwlCS+Nh70Hoc6PLcnLyJNk8okB/FNGeimo3BgEBn9Q981NEmQ+f - spVJXFHMtaeMeu9UYDDhPlhY3GOk3DNAQlnEmYqWa0WDhvx1srSYrzrJxzcHhPij - 4zCM0naBP42mHQqOXo1jYxFJiU361mGe9JyBmCvgGWum+9Iw6tbJ6krrx6Iwqc21 - bvFWPUCMAGJ98IhVRgENP2tdoT7sfFzgbFyJK1aMLxg+Xt/rdjWH4qj/4bTxSrnH - cVJYjbw08ozzfvwrN5q2i6lb0QIDAQABo1MwUTAdBgNVHQ4EFgQUBayMqPgYXeuR - W22jZXFtfrXJnXIwHwYDVR0jBBgwFoAUBayMqPgYXeuRW22jZXFtfrXJnXIwDwYD - VR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAxQXjgLnt006y1T1ATxNj - zH0DdVPzBF4VgwdrKOIJewYG3UvBuuSnBF+QYpSsF1+xFu/DfuOEiwZvv1k3D879 - yCViBvF39KmwZ7CyZRBAZbOFtnNKq93mfjh3Rz8Ng+Gm0DqF2sRXJGsumORXtbQ9 - 90dOGmC2ZECKzsQ27z+WOgMT9yf1bGX4/9t+KkPsOpoOOmkRtQ7oJx06COVr+uUH - ojKHnaQTHFEzQoGZ8XR4g9xX0ihI+QjMWVB+FxMNu1cFZD08aN1V5kKX7stRfHi4 - MHrcYR2ClwIV4vRt2RTOgLVHwro16DBsnxYXlIaPROEZMYaPj6BAKl9gPpmwFAXm - d2kyXVsiOBpEv/4nADm+Io3Z8njzda210PI3qSQpyMfJ+MD/rNgUI56MejDXg1Kg - 
3ImuLKpDpTyIC1mf8fXFf9FGeFx306+rAPXILh0jlrFGaQ0KpQK9LLRi7X4iehbb - WwGNHS1X4oOw2rcPdB4ek9tVs+TB3/X5gIGPMxjVyZ7lH7j48Cd5WQwXlMhXeXmJ - nwkcolkfakPgZVGjMrmxEoRVbH6X0xgclQqlmwfTY7Ycpb2cKZQm9rhqvYhHuDN9 - kiHPmyJXBzNySYhwyqG6gzvGvhOcr7X48hrnciwNT0i6oYNj+E+eupKVK1c0R1t1 - 3pi/SUE+zGtXa4ZfvyDNWeM= - -----END CERTIFICATE----- - tls.key: | - -----BEGIN PRIVATE KEY----- - MIIJQQIBADANBgkqhkiG9w0BAQEFAASCCSswggknAgEAAoICAQDpe8aqHKBqMyJA - y8XYiAcplLdvCrzV2GwAVzSB+CZ6gX4XB6lXyRv2r1CzLumcRwQDxHy3PHDDvub1 - 8j1r8gcwk7lXIcxohN9tMIIhHs153Q3U5pWY3sTXWRoa1JhlzpGZ/CXY51RRekLm - ntCKlD379u4+AEtiOZjmOICPd+jaYGtHygD1QeAfYld8fLpOGSR+RvXtYskoxhVW - 94vjIy/Mqc4okw8W55ZcuNxztY9SnEoN7SQ6uiZm/tDwqc0Vbjs9GcqLwIedwMnK - yc7Q5UTnmTkc0yWiXHdMOTERwCnedvq9/tf4f4FLRH2Cda3l9X5v1opHkiUfWYRp - 2Wq2WLgi6Rxn59wNXD5nCiPjRESsx6gYB2JOoQ/wiAqrgOIjuTKFKMPAhbFBTiQt - TLqSRzQ7haTtbVkmYwlCS+Nh70Hoc6PLcnLyJNk8okB/FNGeimo3BgEBn9Q981NE - mQ+fspVJXFHMtaeMeu9UYDDhPlhY3GOk3DNAQlnEmYqWa0WDhvx1srSYrzrJxzcH - hPij4zCM0naBP42mHQqOXo1jYxFJiU361mGe9JyBmCvgGWum+9Iw6tbJ6krrx6Iw - qc21bvFWPUCMAGJ98IhVRgENP2tdoT7sfFzgbFyJK1aMLxg+Xt/rdjWH4qj/4bTx - SrnHcVJYjbw08ozzfvwrN5q2i6lb0QIDAQABAoICACTtM41h+6jwL2GqGL9XPDLC - V4STYSw9D0+6ew53LbbAVi3UQ18j6m1Iau375GyX+rWR1NuyDm+W+LY7OqWg4Kw5 - IN379XUuVpvRSTNtyLeWU4KxeUV1LhKVAADwUK4BTpvY+i9k3rwIJx6MTZUtPuRj - uGhL6aA+VcVLeGG4aDZpe24eL6qaYZT1G7sPivOhHFlwZaLGtePh+CwJ+LDSttOa - o4VdRMytkeVWQ191fpZlK30qXUmAeWRetrLpWAskpO/T7WnO6GP1wrR02GXHbO9o - F1VMu64DC8cdYHpbNwP9M0jrTkL5/3vk+Ciy7e7ptbaAatxI6+Aaa0vGXA881to5 - RyZ6pZxD6wg9UX9P2Q9xYzfR4LeSJFcHzVb8pylbeuCV69x2tiWArfVtxFRMrR78 - SCiPBtnpxm63j/P71naNl9CERd6+WgEzg0UES24QW1dUqzV3F/h5Qg3xg7bwK025 - ynOGyVwoUHfhrX46te/0B9u7goaNddniA+KboYkFKLXg36J3CHWv/pX5GJlaIIe8 - eFFRT7KiZIvdNR2OZ7xMHotnJMgMwdh6LbBbOAsX2993gLDN99zjvyZJ5OLdOSca - VrhBRCQ2bXIPpGX7uCx0MMo9Ht085utxntQVSjphlf0wQy0TNHPzDemuHJxYxWUd - 5C/dPG5wbWqBIBRAeaZBAoIBAQD3iG7YbyNoQlYnZ2VY5wpea7OPqbRYQsfl+GbA - 5V8oSfxNB2sMZvdC8NtnvwC9XPCLXOWj77jrlEmtoZyv2Bm+FpZCvjvPSiQb3PBh - 
NVkzkFTqx/eQWnmD0PTXX60VEKeE3ceuCR1Sckd8VwbmeMLvG5KXXaRmwoJZX+Po - uHF3s26JKGOm19JN/wG0VklzGjYOiU+X4ycp2Fu4K0jxWxjNeaoZq3vhp3Tgo98K - jO4o5pqBSwvduaXHGNG7ON7L8FTg9h+z380qB3HJEdrEbB6V1T4eePqgRg7b+7Mw - kNVSwvHN9zuipTgV+ru5qSZtMmtYKK2WYPIsRdXGojcVBtRZAoIBAQDxeFEKlRNo - pyxd0MD3obiUSzTYuTvXPWi/NNoHI92FOFvJ3hynMIxQa0Jj/QYqJgpB8++aM+6f - 1Jd0U7Z7sPqY18UT4sZIsn/zE0yFNzIauZXWTPe6CGMeKe9xbPRF4b+G4d7qAhgU - S1okszO43DwmCxi7FaA0ftkjGjVASAv9zi07o5aZnZubyj0ZHDRiW5jPI2mU3rwN - RfNHl0Kj90c81WOjo0/dJErInlfTgncg2Eo7mk6RhxnmdDpgiTYeUrmAG6EhGv6P - x6/qVl9BhQ746FlhpFCZbWId5tiYnX+5or92GKx3TTrg2RbEW0f+Rw1CyFDEEjpa - /WSeFJhx0jQ5AoIBAFDHUj0JT8m3VDw5rsYrZ6PWi9uHKxZefLOcs5OhhsM0GcTd - dd6vP2O2DDO4Djq9uLYSE9LC6VrfooeqJOLxp7zzzAdt40DLVitNl5hxe3GrWTrh - FPYjwGH279/VFju4mqJuabpuuQXty0xVbigKIrs7CUSiR4NNWJJoC40nm8fPY3QZ - HSQWbEgNvvWl7wRD+n4V60aK1339YDkizwQMkXSEjrEf2CaUqjyg3amowhPQ5Xzq - C65I5kOp4s+xSGvPOzPKvh/KGj7r/QL786OEERseYs449rkVA8ZgRmLD8Qm4Gob3 - dpumRT5O+7Ij9ClQed1kMPnRG1a9V30h9M3E08kCggEAVeV35qzLH7JALQtCaZSE - xXPPU7zo1ZNJvKK/YETY2zgGJtQ1GyBA+aZ+EnWCiOHJSlbNB+yrWP3V9pKE2pFF - Q7OVrpI/+MJOk5hs4wKUdz9HVtlAUlQDdkpym8WnS2iXqhKVKmceS7HWWjHJF1x4 - pQvTe1GhEKuC8GK1SK2YXmvGWW3C99hB73RMsa7/z3FH9X9iYoutF4enl/LtyMgA - 9lnuPNquYTs0wxLYqSvC1tM57OPiSRBnHTyBO6/zqWvCAxlRAybIITtmj5S0A+mi - PtbgXMSHy1xGx95DdF6qfc2wEAGM8E9vv2ZaG/VgscpypCv/1w+o5I85CKbI58xf - uQKCAQAbhwAN+QH5xuMZONhqmzbMUt9nipzp/+UiQwomyuiRJ5mlAUHwHl4GF2CQ - Wx35C+NoH2goVyelz7Bo8XwV8eLVRsKsuCLLL5sCLGxbVDuV/L+Ztm7KXND2CljR - YeB0jT3HnHiBejH6gRifkDf0bNXKld8XPMWFvvQohPxpHgc+bjsGfEKSYuDfIOo2 - P/acq2LX9w5US1Ao4JrU6v9fVXsPGimyKPJspamUHAjXz0ip8YEk6GoYYtJK/2fc - VN1CjPHpXj4RZlmGHj8SIXGaLsf5+eJmJ6FRtznlM+OYmXt9kTwAMVJjK6PuM4yC - 73WWkY9/mi6QSBoGdLOLUbJx/UtN - -----END PRIVATE KEY----- -type: Opaque diff --git a/tests/golden/vshn/appcat/appcat/apiserver/30_api_service.yaml b/tests/golden/vshn/appcat/appcat/apiserver/30_api_service.yaml index d32f4e7ee..5ee968325 100644 --- a/tests/golden/vshn/appcat/appcat/apiserver/30_api_service.yaml 
+++ b/tests/golden/vshn/appcat/appcat/apiserver/30_api_service.yaml
@@ -1,6 +1,8 @@
 apiVersion: apiregistration.k8s.io/v1
 kind: APIService
 metadata:
+ annotations:
+ cert-manager.io/inject-ca-from: appcat-apiserver/apiserver-certificate
 labels:
 api: appcat
 apiserver: 'true'
@@ -8,7 +10,6 @@ metadata:
 spec:
 group: api.appcat.vshn.io
 groupPriorityMinimum: 2000
- insecureSkipTLSVerify: true
 service:
 name: appcat
 namespace: appcat-apiserver
diff --git a/tests/golden/vshn/appcat/appcat/apiserver/31_api_certificate.yaml b/tests/golden/vshn/appcat/appcat/apiserver/31_api_certificate.yaml
new file mode 100644
index 000000000..02bd07549
--- /dev/null
+++ b/tests/golden/vshn/appcat/appcat/apiserver/31_api_certificate.yaml
@@ -0,0 +1,25 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: apiserver-certificate
+ namespace: appcat-apiserver
+spec:
+ dnsNames:
+ - appcat.appcat-apiserver.svc
+ duration: 87600h0m0s
+ issuerRef:
+ group: cert-manager.io
+ kind: Issuer
+ name: api-server-issuer
+ privateKey:
+ algorithm: RSA
+ encoding: PKCS1
+ size: 4096
+ renewBefore: 2400h0m0s
+ secretName: appcat-apiserver-tls
+ subject:
+ organizations:
+ - vshn-appcat
+ usages:
+ - server auth
+ - client auth
diff --git a/tests/golden/vshn/appcat/appcat/apiserver/31_api_issuer.yaml b/tests/golden/vshn/appcat/appcat/apiserver/31_api_issuer.yaml
new file mode 100644
index 000000000..2531c0713
--- /dev/null
+++ b/tests/golden/vshn/appcat/appcat/apiserver/31_api_issuer.yaml
@@ -0,0 +1,7 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: api-server-issuer
+ namespace: appcat-apiserver
+spec:
+ selfSigned: {}
diff --git a/tests/vshn.yml b/tests/vshn.yml
index 1f95d4564..48649d629 100644
--- a/tests/vshn.yml
+++ b/tests/vshn.yml
@@ -31,97 +31,6 @@ parameters: apiserver: enabled: true namespace: appcat-apiserver - apiservice: - insecureSkipTLSVerify: true - tls: - serverCert: | - -----BEGIN CERTIFICATE----- - MIIFrTCCA5WgAwIBAgIUPqD+5tckpe9g/GJYzZBEtkI5YXkwDQYJKoZIhvcNAQEL - BQAwZjELMAkGA1UEBhMCdW4xCzAJBgNVBAgMAnN0MQowCAYDVQQHDAFsMQowCAYD - VQQKDAFvMQswCQYDVQQLDAJvdTElMCMGA1UEAwwcYXBwY2F0LWNlcnRpZmljYXRl - LWF1dGhvcml0eTAeFw0yMzAyMjEwOTA5MzdaFw0zMzAyMTgwOTA5MzdaMGYxCzAJ - BgNVBAYTAnVuMQswCQYDVQQIDAJzdDEKMAgGA1UEBwwBbDEKMAgGA1UECgwBbzEL - MAkGA1UECwwCb3UxJTAjBgNVBAMMHGFwcGNhdC1jZXJ0aWZpY2F0ZS1hdXRob3Jp - dHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDpe8aqHKBqMyJAy8XY - iAcplLdvCrzV2GwAVzSB+CZ6gX4XB6lXyRv2r1CzLumcRwQDxHy3PHDDvub18j1r - 8gcwk7lXIcxohN9tMIIhHs153Q3U5pWY3sTXWRoa1JhlzpGZ/CXY51RRekLmntCK - lD379u4+AEtiOZjmOICPd+jaYGtHygD1QeAfYld8fLpOGSR+RvXtYskoxhVW94vj - Iy/Mqc4okw8W55ZcuNxztY9SnEoN7SQ6uiZm/tDwqc0Vbjs9GcqLwIedwMnKyc7Q - 5UTnmTkc0yWiXHdMOTERwCnedvq9/tf4f4FLRH2Cda3l9X5v1opHkiUfWYRp2Wq2 - WLgi6Rxn59wNXD5nCiPjRESsx6gYB2JOoQ/wiAqrgOIjuTKFKMPAhbFBTiQtTLqS - RzQ7haTtbVkmYwlCS+Nh70Hoc6PLcnLyJNk8okB/FNGeimo3BgEBn9Q981NEmQ+f - spVJXFHMtaeMeu9UYDDhPlhY3GOk3DNAQlnEmYqWa0WDhvx1srSYrzrJxzcHhPij - 4zCM0naBP42mHQqOXo1jYxFJiU361mGe9JyBmCvgGWum+9Iw6tbJ6krrx6Iwqc21 - bvFWPUCMAGJ98IhVRgENP2tdoT7sfFzgbFyJK1aMLxg+Xt/rdjWH4qj/4bTxSrnH - cVJYjbw08ozzfvwrN5q2i6lb0QIDAQABo1MwUTAdBgNVHQ4EFgQUBayMqPgYXeuR - W22jZXFtfrXJnXIwHwYDVR0jBBgwFoAUBayMqPgYXeuRW22jZXFtfrXJnXIwDwYD - VR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAxQXjgLnt006y1T1ATxNj - zH0DdVPzBF4VgwdrKOIJewYG3UvBuuSnBF+QYpSsF1+xFu/DfuOEiwZvv1k3D879 - yCViBvF39KmwZ7CyZRBAZbOFtnNKq93mfjh3Rz8Ng+Gm0DqF2sRXJGsumORXtbQ9 - 90dOGmC2ZECKzsQ27z+WOgMT9yf1bGX4/9t+KkPsOpoOOmkRtQ7oJx06COVr+uUH - ojKHnaQTHFEzQoGZ8XR4g9xX0ihI+QjMWVB+FxMNu1cFZD08aN1V5kKX7stRfHi4 - MHrcYR2ClwIV4vRt2RTOgLVHwro16DBsnxYXlIaPROEZMYaPj6BAKl9gPpmwFAXm - d2kyXVsiOBpEv/4nADm+Io3Z8njzda210PI3qSQpyMfJ+MD/rNgUI56MejDXg1Kg - 3ImuLKpDpTyIC1mf8fXFf9FGeFx306+rAPXILh0jlrFGaQ0KpQK9LLRi7X4iehbb - 
WwGNHS1X4oOw2rcPdB4ek9tVs+TB3/X5gIGPMxjVyZ7lH7j48Cd5WQwXlMhXeXmJ - nwkcolkfakPgZVGjMrmxEoRVbH6X0xgclQqlmwfTY7Ycpb2cKZQm9rhqvYhHuDN9 - kiHPmyJXBzNySYhwyqG6gzvGvhOcr7X48hrnciwNT0i6oYNj+E+eupKVK1c0R1t1 - 3pi/SUE+zGtXa4ZfvyDNWeM= - -----END CERTIFICATE----- - - serverKey: | - -----BEGIN PRIVATE KEY----- - MIIJQQIBADANBgkqhkiG9w0BAQEFAASCCSswggknAgEAAoICAQDpe8aqHKBqMyJA - y8XYiAcplLdvCrzV2GwAVzSB+CZ6gX4XB6lXyRv2r1CzLumcRwQDxHy3PHDDvub1 - 8j1r8gcwk7lXIcxohN9tMIIhHs153Q3U5pWY3sTXWRoa1JhlzpGZ/CXY51RRekLm - ntCKlD379u4+AEtiOZjmOICPd+jaYGtHygD1QeAfYld8fLpOGSR+RvXtYskoxhVW - 94vjIy/Mqc4okw8W55ZcuNxztY9SnEoN7SQ6uiZm/tDwqc0Vbjs9GcqLwIedwMnK - yc7Q5UTnmTkc0yWiXHdMOTERwCnedvq9/tf4f4FLRH2Cda3l9X5v1opHkiUfWYRp - 2Wq2WLgi6Rxn59wNXD5nCiPjRESsx6gYB2JOoQ/wiAqrgOIjuTKFKMPAhbFBTiQt - TLqSRzQ7haTtbVkmYwlCS+Nh70Hoc6PLcnLyJNk8okB/FNGeimo3BgEBn9Q981NE - mQ+fspVJXFHMtaeMeu9UYDDhPlhY3GOk3DNAQlnEmYqWa0WDhvx1srSYrzrJxzcH - hPij4zCM0naBP42mHQqOXo1jYxFJiU361mGe9JyBmCvgGWum+9Iw6tbJ6krrx6Iw - qc21bvFWPUCMAGJ98IhVRgENP2tdoT7sfFzgbFyJK1aMLxg+Xt/rdjWH4qj/4bTx - SrnHcVJYjbw08ozzfvwrN5q2i6lb0QIDAQABAoICACTtM41h+6jwL2GqGL9XPDLC - V4STYSw9D0+6ew53LbbAVi3UQ18j6m1Iau375GyX+rWR1NuyDm+W+LY7OqWg4Kw5 - IN379XUuVpvRSTNtyLeWU4KxeUV1LhKVAADwUK4BTpvY+i9k3rwIJx6MTZUtPuRj - uGhL6aA+VcVLeGG4aDZpe24eL6qaYZT1G7sPivOhHFlwZaLGtePh+CwJ+LDSttOa - o4VdRMytkeVWQ191fpZlK30qXUmAeWRetrLpWAskpO/T7WnO6GP1wrR02GXHbO9o - F1VMu64DC8cdYHpbNwP9M0jrTkL5/3vk+Ciy7e7ptbaAatxI6+Aaa0vGXA881to5 - RyZ6pZxD6wg9UX9P2Q9xYzfR4LeSJFcHzVb8pylbeuCV69x2tiWArfVtxFRMrR78 - SCiPBtnpxm63j/P71naNl9CERd6+WgEzg0UES24QW1dUqzV3F/h5Qg3xg7bwK025 - ynOGyVwoUHfhrX46te/0B9u7goaNddniA+KboYkFKLXg36J3CHWv/pX5GJlaIIe8 - eFFRT7KiZIvdNR2OZ7xMHotnJMgMwdh6LbBbOAsX2993gLDN99zjvyZJ5OLdOSca - VrhBRCQ2bXIPpGX7uCx0MMo9Ht085utxntQVSjphlf0wQy0TNHPzDemuHJxYxWUd - 5C/dPG5wbWqBIBRAeaZBAoIBAQD3iG7YbyNoQlYnZ2VY5wpea7OPqbRYQsfl+GbA - 5V8oSfxNB2sMZvdC8NtnvwC9XPCLXOWj77jrlEmtoZyv2Bm+FpZCvjvPSiQb3PBh - NVkzkFTqx/eQWnmD0PTXX60VEKeE3ceuCR1Sckd8VwbmeMLvG5KXXaRmwoJZX+Po - 
uHF3s26JKGOm19JN/wG0VklzGjYOiU+X4ycp2Fu4K0jxWxjNeaoZq3vhp3Tgo98K - jO4o5pqBSwvduaXHGNG7ON7L8FTg9h+z380qB3HJEdrEbB6V1T4eePqgRg7b+7Mw - kNVSwvHN9zuipTgV+ru5qSZtMmtYKK2WYPIsRdXGojcVBtRZAoIBAQDxeFEKlRNo - pyxd0MD3obiUSzTYuTvXPWi/NNoHI92FOFvJ3hynMIxQa0Jj/QYqJgpB8++aM+6f - 1Jd0U7Z7sPqY18UT4sZIsn/zE0yFNzIauZXWTPe6CGMeKe9xbPRF4b+G4d7qAhgU - S1okszO43DwmCxi7FaA0ftkjGjVASAv9zi07o5aZnZubyj0ZHDRiW5jPI2mU3rwN - RfNHl0Kj90c81WOjo0/dJErInlfTgncg2Eo7mk6RhxnmdDpgiTYeUrmAG6EhGv6P - x6/qVl9BhQ746FlhpFCZbWId5tiYnX+5or92GKx3TTrg2RbEW0f+Rw1CyFDEEjpa - /WSeFJhx0jQ5AoIBAFDHUj0JT8m3VDw5rsYrZ6PWi9uHKxZefLOcs5OhhsM0GcTd - dd6vP2O2DDO4Djq9uLYSE9LC6VrfooeqJOLxp7zzzAdt40DLVitNl5hxe3GrWTrh - FPYjwGH279/VFju4mqJuabpuuQXty0xVbigKIrs7CUSiR4NNWJJoC40nm8fPY3QZ - HSQWbEgNvvWl7wRD+n4V60aK1339YDkizwQMkXSEjrEf2CaUqjyg3amowhPQ5Xzq - C65I5kOp4s+xSGvPOzPKvh/KGj7r/QL786OEERseYs449rkVA8ZgRmLD8Qm4Gob3 - dpumRT5O+7Ij9ClQed1kMPnRG1a9V30h9M3E08kCggEAVeV35qzLH7JALQtCaZSE - xXPPU7zo1ZNJvKK/YETY2zgGJtQ1GyBA+aZ+EnWCiOHJSlbNB+yrWP3V9pKE2pFF - Q7OVrpI/+MJOk5hs4wKUdz9HVtlAUlQDdkpym8WnS2iXqhKVKmceS7HWWjHJF1x4 - pQvTe1GhEKuC8GK1SK2YXmvGWW3C99hB73RMsa7/z3FH9X9iYoutF4enl/LtyMgA - 9lnuPNquYTs0wxLYqSvC1tM57OPiSRBnHTyBO6/zqWvCAxlRAybIITtmj5S0A+mi - PtbgXMSHy1xGx95DdF6qfc2wEAGM8E9vv2ZaG/VgscpypCv/1w+o5I85CKbI58xf - uQKCAQAbhwAN+QH5xuMZONhqmzbMUt9nipzp/+UiQwomyuiRJ5mlAUHwHl4GF2CQ - Wx35C+NoH2goVyelz7Bo8XwV8eLVRsKsuCLLL5sCLGxbVDuV/L+Ztm7KXND2CljR - YeB0jT3HnHiBejH6gRifkDf0bNXKld8XPMWFvvQohPxpHgc+bjsGfEKSYuDfIOo2 - P/acq2LX9w5US1Ao4JrU6v9fVXsPGimyKPJspamUHAjXz0ip8YEk6GoYYtJK/2fc - VN1CjPHpXj4RZlmGHj8SIXGaLsf5+eJmJ6FRtznlM+OYmXt9kTwAMVJjK6PuM4yC - 73WWkY9/mi6QSBoGdLOLUbJx/UtN - -----END PRIVATE KEY----- services: vshn: