author | Jan Malkiewicz <jan.malkiewicz@nokia.com> | 2020-10-06 14:49:21 +0200 |
---|---|---|
committer | Jan Malkiewicz <jan.malkiewicz@nokia.com> | 2020-10-08 18:09:51 +0200 |
commit | 6ff92492d2d1712443fa2bef73f28bd8b8554e23 (patch) | |
tree | 412f3011d267c1c934f383a8047a88e935203e59 /certServiceK8sExternalProvider/deploy | |
parent | b1ec7f0d28bcd699c9dc5aaf23e902f04145863c (diff) |
[OOM-K8S-CERT-EXTERNAL-PROVIDER] Create mock implementation
This project is a GOlang implementation of an external provider for kubernetes cert-manager.
External provider will use OOM CertService as backend signing CA.
Mock implementation only logs intent of certificate signing.
In order to provide the final implementation, please extend the file 'certservice-provisioner.go'.
Issue-ID: OOM-2559
Signed-off-by: Jan Malkiewicz <jan.malkiewicz@nokia.com>
Change-Id: Ib3de4ca4c54424042ddaa50507375815cc3da7f4
Diffstat (limited to 'certServiceK8sExternalProvider/deploy')
5 files changed, 621 insertions, 0 deletions
diff --git a/certServiceK8sExternalProvider/deploy/_certificte_example_.yaml b/certServiceK8sExternalProvider/deploy/_certificte_example_.yaml
new file mode 100644
index 00000000..dff8cacf
--- /dev/null
+++ b/certServiceK8sExternalProvider/deploy/_certificte_example_.yaml
@@ -0,0 +1,50 @@
+# ============LICENSE_START=======================================================
+# oom-certservice-k8s-external-provider
+# ================================================================================
+# Copyright (c) 2019 Smallstep Labs, Inc.
+# Modifications copyright (C) 2020 Nokia. All rights reserved.
+# ================================================================================
+# This source code was copied from the following git repository:
+# https://github.com/smallstep/step-issuer
+# The source code was modified for usage in the ONAP project.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ============LICENSE_END=========================================================
+#
+
+apiVersion: cert-manager.io/v1alpha2
+kind: Certificate
+metadata:
+ name: _sample_cert_name_
+ namespace: onap
+spec:
+ # The secret name to store the signed certificate
+ secretName: _sample_secret_name_
+ # Common Name
+ commonName: certissuer.onap.org
+ # DNS SAN
+ dnsNames:
+ - localhost
+ - certissuer.onap.org
+ # IP Address SAN
+ ipAddresses:
+ - "127.0.0.1"
+ # Duration of the certificate
+ duration: 24h
+ # Renew 8 hours before the certificate expiration
+ renewBefore: 8h
+ # The reference to the step issuer
+ issuerRef:
+ group: certmanager.onap.org
+ kind: CertificateRequest
+ name: certservice-issuer
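Review bot: `issuerRef.kind: CertificateRequest` at the end of the hunk does not name the issuer resource this change introduces — configuration.yaml creates `kind: CertServiceIssuer` in group `certmanager.onap.org` with `name: certservice-issuer`, so the example should read `kind: CertServiceIssuer` for cert-manager to route the request to this provider. The comment just above it, `# The reference to the step issuer`, is carried over from step-issuer; suggest `# The reference to the CertServiceIssuer resource defined in configuration.yaml`. The file name `_certificte_example_.yaml` also looks like a typo for `_certificate_example_.yaml`.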
diff --git a/certServiceK8sExternalProvider/deploy/configuration.yaml b/certServiceK8sExternalProvider/deploy/configuration.yaml
new file mode 100644
index 00000000..711e5948
--- /dev/null
+++ b/certServiceK8sExternalProvider/deploy/configuration.yaml
@@ -0,0 +1,34 @@
+# ============LICENSE_START=======================================================
+# oom-certservice-k8s-external-provider
+# ================================================================================
+# Copyright (c) 2019 Smallstep Labs, Inc.
+# Modifications copyright (C) 2020 Nokia. All rights reserved.
+# ================================================================================
+# This source code was copied from the following git repository:
+# https://github.com/smallstep/step-issuer
+# The source code was modified for usage in the ONAP project.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ============LICENSE_END=========================================================
+#
+
+apiVersion: certmanager.onap.org/v1beta1
+kind: CertServiceIssuer
+metadata:
+ name: certservice-issuer
+ namespace: onap
+spec:
+ url: https://certservice.default.svc.cluster.local
+ keyRef:
+ name: certservice-key
+ key: key
diff --git a/certServiceK8sExternalProvider/deploy/crd.yaml b/certServiceK8sExternalProvider/deploy/crd.yaml
new file mode 100644
index 00000000..5c61de4f
--- /dev/null
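Review bot: `url: https://certservice.default.svc.cluster.local` addresses the `default` namespace while every other resource in this change is placed in `onap`; if CertService is deployed next to the issuer this is presumably meant to be `https://certservice.onap.svc.cluster.local` — confirm against the CertService deployment. The `CertServiceIssuer` schema in crd.yaml has no field for the CA that signed this HTTPS endpoint's certificate (the `caBundle` field the step-issuer schema still carries in roles.yaml was dropped), so the provider can only fall back to the system roots or disable verification; suggest keeping a `caBundle` field in the spec, or at least a comment here naming which trust anchor the cluster is expected to provide. The Secret `certservice-key` referenced by `keyRef` is not created by this change; a comment such as `# keyRef: Secret in namespace onap holding the CertService client credential (created separately)` would save the reader a search.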
+++ b/certServiceK8sExternalProvider/deploy/crd.yaml 
@@ -0,0 +1,140 @@ +# ============LICENSE_START======================================================= +# oom-certservice-k8s-external-provider +# ================================================================================ +# Copyright (c) 2019 Smallstep Labs, Inc. +# Modifications copyright (C) 2020 Nokia. All rights reserved. +# ================================================================================ +# This source code was copied from the following git repository: +# https://github.com/smallstep/step-issuer +# The source code was modified for usage in the ONAP project. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ============LICENSE_END========================================================= +# + +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.2.5 + creationTimestamp: null + name: certserviceissuers.certmanager.onap.org +spec: + group: certmanager.onap.org + names: + kind: CertServiceIssuer + listKind: CertServiceIssuerList + plural: certserviceissuers + singular: certserviceissuer + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + description: CertServiceIssuer is the Schema for the certserviceissuers API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. 
Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: CertServiceIssuerSpec defines the desired state of CertServiceIssuer + properties: + url: + description: URL is the base URL for the certservice certificates instance. + type: string + keyRef: + description: keyRef is a reference to a Secret containing the + provisioner password used to decrypt the provisioner private key. + properties: + key: + description: The key of the secret to select from. Must be a + valid secret key. + type: string + name: + description: The name of the secret in the pod's namespace to + select from. + type: string + required: + - name + - key + type: object + required: + - url + - keyRef + type: object + status: + description: CertServiceIssuerStatus defines the observed state of CertServiceIssuer + properties: + conditions: + items: + description: CertServiceIssuerCondition contains condition information for + the certservice issuer. + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the details + of the last transition, complementing reason. + type: string + reason: + description: Reason is a brief machine readable explanation for + the condition's last transition. 
+ type: string + status: + allOf: + - enum: + - "True" + - "False" + - Unknown + - enum: + - "True" + - "False" + - Unknown + description: Status of the condition, one of ('True', 'False', + 'Unknown'). + type: string + type: + description: Type of the condition, currently ('Ready'). + enum: + - Ready + type: string + required: + - status + - type + type: object + type: array + type: object + type: object + version: v1beta1 + versions: + - name: v1beta1 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/certServiceK8sExternalProvider/deploy/deployment.yaml b/certServiceK8sExternalProvider/deploy/deployment.yaml new file mode 100644 index 00000000..c2c617cf --- /dev/null +++ b/certServiceK8sExternalProvider/deploy/deployment.yaml 
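Review bot: The `keyRef` description in this schema, `keyRef is a reference to a Secret containing the provisioner password used to decrypt the provisioner private key`, is step-issuer wording and no longer describes what a CertService issuer reads from that Secret; it should state what the selected key actually holds (the commit message says signing is still mocked, so the wording can be hedged until that is settled). The same CRD, `certserviceissuers.certmanager.onap.org`, is defined a second time at the top of roles.yaml with a different spec schema (`provisioner`, `caBundle`, `url`, and no `keyRef`); whichever file is applied last wins, so the copy in roles.yaml should be removed or the two kept identical. The `status.allOf` with two identical `enum` lists is controller-gen output and harmless, but regenerating once the schema is final would tidy it.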
@@ -0,0 +1,87 @@
+# ============LICENSE_START=======================================================
+# oom-certservice-k8s-external-provider
+# ================================================================================
+# Copyright (c) 2019 Smallstep Labs, Inc.
+# Modifications copyright (C) 2020 Nokia. All rights reserved.
+# ================================================================================
+# This source code was copied from the following git repository:
+# https://github.com/smallstep/step-issuer
+# The source code was modified for usage in the ONAP project.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ============LICENSE_END=========================================================
+#
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ annotations:
+ prometheus.io/port: "8443"
+ prometheus.io/scheme: https
+ prometheus.io/scrape: "true"
+ labels:
+ control-plane: controller-manager
+ name: certservice-issuer-controller-manager-metrics-service
+ namespace: onap
+spec:
+ ports:
+ - name: https
+ port: 8443
+ targetPort: https
+ selector:
+ control-plane: controller-manager
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ control-plane: controller-manager
+ name: certservice-issuer-controller-manager
+ namespace: onap
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ control-plane: controller-manager
+ template:
+ metadata:
+ labels:
+ control-plane: controller-manager
+ spec:
+ containers:
+ - args:
+ - --secure-listen-address=0.0.0.0:8443
+ - --upstream=http://127.0.0.1:8080/
+ - --logtostderr=true
+ - --v=10
+ image: gcr.io/kubebuilder/kube-rbac-proxy:v0.4.0
+ name: kube-rbac-proxy
+ ports:
+ - containerPort: 8443
+ name: https
+ - args:
+ - --metrics-addr=127.0.0.1:8080
+ - --enable-leader-election
+ command:
+ - /oom-certservice-k8s-external-provider
+ image: onap/oom-certservice-k8s-external-provider:1.0.0
+ name: oom-certservice-k8s-external-provider
+ resources:
+ limits:
+ cpu: 100m
+ memory: 50Mi
+ requests:
+ cpu: 100m
+ memory: 30Mi
+ terminationGracePeriodSeconds: 10
diff --git a/certServiceK8sExternalProvider/deploy/roles.yaml b/certServiceK8sExternalProvider/deploy/roles.yaml
new file mode 100644
index 00000000..5025e11e
--- /dev/null
+++ b/certServiceK8sExternalProvider/deploy/roles.yaml
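Review bot: The Deployment's pod spec sets no `serviceAccountName`, so both containers run under the `default` ServiceAccount of `onap`, which is also the subject the bindings in roles.yaml attach the manager and proxy ClusterRoles to; every other pod in `onap` that does not set its own account then inherits cluster-wide read access to Secrets. A dedicated ServiceAccount in this file, referenced from the pod spec and from the bindings, keeps that privilege on the controller alone. Separately, `--v=10` on kube-rbac-proxy is the highest log verbosity and is likely to record request details at volume in a production manifest, and neither container declares a `securityContext` (for example `runAsNonRoot: true` and `allowPrivilegeEscalation: false`).
```yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: certservice-issuer-controller-manager
  namespace: onap
# … unchanged: metrics Service, Deployment metadata and selector …
    spec:
      serviceAccountName: certservice-issuer-controller-manager
      containers:
# … unchanged: kube-rbac-proxy and provider containers …
```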
@@ -0,0 +1,310 @@ +# ============LICENSE_START======================================================= +# oom-certservice-k8s-external-provider +# ================================================================================ +# Copyright (c) 2019 Smallstep Labs, Inc. +# Modifications copyright (C) 2020 Nokia. All rights reserved. +# ================================================================================ +# This source code was copied from the following git repository: +# https://github.com/smallstep/step-issuer +# The source code was modified for usage in the ONAP project. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ============LICENSE_END========================================================= +# + +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.2.5 + creationTimestamp: null + name: certserviceissuers.certmanager.onap.org +spec: + group: certmanager.onap.org + names: + kind: CertServiceIssuer + listKind: CertServiceIssuerList + plural: certserviceissuers + singular: certserviceissuer + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + description: CertServiceIssuer is the Schema for the certserviceissuers API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. 
Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: CertServiceIssuerSpec defines the desired state of CertServiceIssuer + properties: + caBundle: + description: CABundle is a base64 encoded TLS certificate used to verify + connections to the certservice certificates server. If not set the system + root certificates are used to validate the TLS connection. + format: byte + type: string + provisioner: + description: Provisioner contains the certservice certificates provisioner + configuration. + properties: + kid: + description: KeyID is the kid property of the JWK provisioner. + type: string + name: + description: Names is the name of the JWK provisioner. + type: string + passwordRef: + description: PasswordRef is a reference to a Secret containing the + provisioner password used to decrypt the provisioner private key. + properties: + key: + description: The key of the secret to select from. Must be a + valid secret key. + type: string + name: + description: The name of the secret in the pod's namespace to + select from. + type: string + required: + - name + type: object + required: + - kid + - name + - passwordRef + type: object + url: + description: URL is the base URL for the certservice certificates instance. 
+ type: string + required: + - provisioner + - url + type: object + status: + description: CertServiceIssuerStatus defines the observed state of CertServiceIssuer + properties: + conditions: + items: + description: CertServiceIssuerCondition contains condition information for + the certservice issuer. + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the details + of the last transition, complementing reason. + type: string + reason: + description: Reason is a brief machine readable explanation for + the condition's last transition. + type: string + status: + allOf: + - enum: + - "True" + - "False" + - Unknown + - enum: + - "True" + - "False" + - Unknown + description: Status of the condition, one of ('True', 'False', + 'Unknown'). + type: string + type: + description: Type of the condition, currently ('Ready'). 
+ enum: + - Ready + type: string + required: + - status + - type + type: object + type: array + type: object + type: object + version: v1beta1 + versions: + - name: v1beta1 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: certservice-issuer-leader-election-role + namespace: onap +rules: + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - configmaps/status + verbs: + - get + - update + - patch + - apiGroups: + - "" + resources: + - events + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + name: certservice-issuer-manager-role +rules: + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + - apiGroups: + - cert-manager.io + resources: + - certificaterequests + verbs: + - get + - list + - update + - watch + - apiGroups: + - cert-manager.io + resources: + - certificaterequests/status + verbs: + - get + - patch + - update + - apiGroups: + - certmanager.onap.org + resources: + - certserviceissuers + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - certmanager.onap.org + resources: + - certserviceissuers/status + verbs: + - get + - patch + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: certservice-issuer-proxy-role +rules: + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: certservice-issuer-leader-election-rolebinding + 
namespace: onap +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: certservice-issuer-leader-election-role +subjects: + - kind: ServiceAccount + name: default + namespace: onap +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: certservice-issuer-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: certservice-issuer-manager-role +subjects: + - kind: ServiceAccount + name: default + namespace: onap +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: certservice-issuer-proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: certservice-issuer-proxy-role +subjects: + - kind: ServiceAccount + name: default + namespace: onap |
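Review bot: All three bindings at the end of the hunk use `subjects: - kind: ServiceAccount name: default namespace: onap`, which hands the `certservice-issuer-manager-role` ClusterRole (cluster-wide `get`/`list`/`watch` on `secrets`, plus full control of `certserviceissuers`) to every pod in `onap` that does not declare its own service account; bind to a dedicated account instead, e.g. `name: certservice-issuer-controller-manager`, created alongside the Deployment. Since `CertServiceIssuer` is `scope: Namespaced` and the schema describes `keyRef` as a secret "in the pod's namespace", the `secrets` rule could presumably be a namespaced Role in `onap` rather than part of a ClusterRole — confirm whether the controller must watch Secrets in other namespaces before narrowing it. The leader-election Role is the usual kubebuilder shape and looks fine as is.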