Add cert-manager CA

This adds a ClusterIssuer CA -- that is, a self-signed CA that is
available cluster-wide.  We'll use it to create SSL certs for use
with Zookeeper.  It needs to be cluster wide so we can use it in
both the zookeeper and zuul namespaces.

Change-Id: Ifce333ce6edbe2290e7f187dff5e684e75ea645f
diff --git a/k8s/certmanager.yaml b/k8s/certmanager.yaml
new file mode 100644
index 0000000..2cc1c06
--- /dev/null
+++ b/k8s/certmanager.yaml
@@ -0,0 +1,39 @@
+---
+apiVersion: cert-manager.io/v1alpha2
+kind: Issuer
+metadata:
+  name: selfsigned-issuer
+  namespace: cert-manager
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1alpha2
+kind: Certificate
+metadata:
+  name: ca-cert
+  namespace: cert-manager
+spec:
+  # Secret names are always required.
+  secretName: ca-cert
+  duration: 87600h # 10y
+  renewBefore: 360h # 15d
+  isCA: true
+  keySize: 2048
+  keyAlgorithm: rsa
+  keyEncoding: pkcs1
+  commonName: cacert
+  # At least one of a DNS Name, URI, or IP address is required.
+  dnsNames:
+  - caroot
+  # Issuer references are always required.
+  issuerRef:
+    name: selfsigned-issuer
+---
+apiVersion: cert-manager.io/v1alpha2
+kind: ClusterIssuer
+metadata:
+  name: ca-issuer
+  namespace: cert-manager
+spec:
+  ca:
+    secretName: ca-cert
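Review bot: `namespace: cert-manager` under the ClusterIssuer's `metadata` is set on a cluster-scoped kind, so the API server does not honour it and it only suggests the issuer is namespaced; drop that line. The `ca.secretName` reference of a ClusterIssuer is resolved in cert-manager's cluster resource namespace (`cert-manager` by default), which is where the `ca-cert` Certificate is created here, so the reference works, but that coupling is worth a comment such as `# ClusterIssuers read their CA secret from the cluster resource namespace (cert-manager by default)` next to `secretName: ca-cert`. Because the issuer is cluster-wide, any principal that can create Certificate objects in any namespace can obtain leaf certificates for arbitrary `dnsNames` chaining to this CA, and anyone who can read Secrets in `cert-manager` holds the CA private key; RBAC on those two capabilities is the trust boundary for the zookeeper/zuul certificates and deserves a comment near `isCA: true`. The `cert-manager.io/v1alpha2` apiVersion may be removed in newer cert-manager releases, so it is worth confirming against the version the cluster runs.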
diff --git a/playbooks/deploy.yaml b/playbooks/deploy.yaml
index cfc2342..073d283 100644
--- a/playbooks/deploy.yaml
+++ b/playbooks/deploy.yaml
@@ -14,6 +14,11 @@
       # Set no_log because we are templating in the token
       no_log: true
 
+    - name: Update cert-manager configuration
+      k8s:
+        state: present
+        src: "{{ root }}/k8s/certmanager.yaml"
+
     - name: Update Letsencrypt configuration
       k8s:
         state: present
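Review bot: The new task returns as soon as the API server accepts the three objects, not when cert-manager has issued `ca-cert` and the `ca-issuer` ClusterIssuer is Ready, so any later task in this playbook that requests a certificate from `ca-issuer` may race the CA issuance; if such tasks exist (the play continues outside the hunk), a `k8s_info` poll on the `ca-cert` Certificate's Ready condition with `until`/`retries` before them would make the ordering explicit. The task also assumes the cert-manager CRDs are already installed, presumably by an earlier task, which is worth stating in a comment such as `# Requires cert-manager (and its CRDs) to be installed earlier in this play`.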