From 9794a7b6c51208c55586ec8bd4e96723c6ad7d5f Mon Sep 17 00:00:00 2001
From: Andreas Geissler
Date: Tue, 26 Jul 2022 13:51:08 +0200
Subject: [PLATFORM] Create Ingress Certificates for ServiceMesh
Add issuers and self-signed certificates for the Ingress controller
Additionally a new override file is created for Istio Ingress setup
Issue-ID: OOM-3001
Signed-off-by: Andreas Geissler
Change-Id: I6da12e54ecc4bbb15e3bcf1aa259e50f5be320b6
---
 .../oom-cert-service/templates/certificate.yaml | 53 ++++++++++++++++++++++
 1 file changed, 53 insertions(+)
(limited to 'kubernetes/platform/components/oom-cert-service/templates/certificate.yaml')
diff --git a/kubernetes/platform/components/oom-cert-service/templates/certificate.yaml b/kubernetes/platform/components/oom-cert-service/templates/certificate.yaml
index fd317703e3..8f49424b54 100644
--- a/kubernetes/platform/components/oom-cert-service/templates/certificate.yaml
+++ b/kubernetes/platform/components/oom-cert-service/templates/certificate.yaml
@@ -14,4 +14,57 @@
 # limitations under the License.
 */}}
+{{- if .Values.global.cmpv2Enabled }}
 {{ include "certManagerCertificate.certificate" . }}
+{{- end -}}
+
+{{- if (include "common.onServiceMesh" .) }}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: ingress-ca-certificate
+ namespace: {{ .Values.tls.issuer.ingressCa.namespace }}
+spec:
+ isCA: true
+ commonName: "{{ .Values.global.ingress.virtualhost.baseurl }}" #not important as it is self signed
+ secretName: {{ .Values.tls.issuer.ingressCa.secret.name }}
+ usages:
+ - server auth
+ - client auth
+ privateKey:
+ algorithm: ECDSA
+ size: 256
+ issuerRef:
+ name: {{ .Values.tls.issuer.ingressSelfsigned.name }}
+ kind: Issuer
+ group: cert-manager.io
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: ingress-selfsigned-certificate
+ namespace: {{ .Values.tls.issuer.ingressSelfsigned.namespace }}
+spec:
+ secretName: ingress-tls-secret
+ privateKey:
+ rotationPolicy: Always
+ algorithm: RSA
+ encoding: PKCS1
+ size: 4096
+ duration: 9000h0m0s # 1 Year
+ renewBefore: 4000h0m0s #9 months
+ commonName: "*.{{ .Values.global.ingress.virtualhost.baseurl }}"
+# usages:
+# - server auth
+# - client auth
+ dnsNames:
+ - {{ .Values.global.ingress.virtualhost.baseurl }}
+ - "*.{{ .Values.global.ingress.virtualhost.baseurl }}"
+ - "*.*.{{ .Values.global.ingress.virtualhost.baseurl }}"
+ - "*.*.*.{{ .Values.global.ingress.virtualhost.baseurl }}"
+ issuerRef:
+ name: {{ .Values.tls.issuer.ingressCa.name }}
+ kind: Issuer
+ group: cert-manager.io
+{{- end -}}
-- 
cgit 1.2.3-korg
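Review bot: The leaf `ingress-selfsigned-certificate` is requested with `duration: 9000h0m0s`, but the `ingress-ca-certificate` that signs it carries no `duration`, so cert-manager falls back to its 90-day default and — as far as I know the CA issuer does not clamp the leaf's notAfter to the CA's — the self-signed CA certificate expires long before the server certificate it issued, breaking any client that validates the chain against a distributed copy of the CA after ~90 days even though the leaf itself is still renewed on time. Give the CA an explicit lifetime at least as long as the leaf, e.g. `duration: 43800h0m0s` and `renewBefore: 8760h0m0s` under the CA's `spec:`, or document that consumers must re-fetch the CA secret on every rotation. The `*.*.` and `*.*.*.` entries in `dnsNames` are unlikely to match any host: RFC 6125 and the common validators (browsers, Go's crypto/x509, BoringSSL as used by Envoy) only honour a wildcard in the leftmost label, so those SANs should be dropped or replaced by the concrete sub-domains that are actually served. The inline comments also disagree with their values — 9000h is about 375 days and 4000h about 5.5 months, not `# 1 Year` / `#9 months` — so either fix the numbers or the comments.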