Issue certificates for libvirt tls in initContainer
diff --git a/charts/libvirt/values.yaml b/charts/libvirt/values.yaml
index 66aa7bb..7314f78 100644
--- a/charts/libvirt/values.yaml
+++ b/charts/libvirt/values.yaml
@@ -105,6 +105,10 @@
secret_uuid: null
user_secret_name: null
libvirt:
+ # Issuer to issue a certificate for libvirt api when listen_tls is enabled.
+ issuer:
+ kind: ClusterIssuer
+ name: ca-clusterissuer
listen_tcp: "1"
listen_tls: "0"
auth_tcp: "none"
@@ -128,52 +132,6 @@
issuer:
kind: ClusterIssuer
name: ca-clusterissuer
- # Script is included here (vs in bin/) to allow overriding, in the case that
- # communication happens over an IP other than the pod IP for some reason.
- cert_init_sh: |
- #!/bin/bash
- set -x
-
- # Script to create certs for each libvirt pod based on pod IP (by default).
-
- cat <<EOF | kubectl apply -f -
- apiVersion: cert-manager.io/v1
- kind: Certificate
- metadata:
- name: ${POD_NAME}-${TYPE}
- namespace: ${POD_NAMESPACE}
- ownerReferences:
- - apiVersion: v1
- kind: Pod
- name: ${POD_NAME}
- uid: ${POD_UID}
- spec:
- secretName: ${POD_NAME}-${TYPE}
- commonName: ${POD_IP}
- usages:
- - client auth
- - server auth
- dnsNames:
- - ${HOSTNAME}
- ipAddresses:
- - ${POD_IP}
- issuerRef:
- kind: ${ISSUER_KIND}
- name: ${ISSUER_NAME}
- EOF
-
- kubectl -n ${POD_NAMESPACE} wait --for=condition=Ready --timeout=300s \
- certificate/${POD_NAME}-${TYPE}
-
- # NOTE(mnaser): cert-manager does not clean-up the secrets when the certificate
- # is deleted, so we should add an owner reference to the secret
- # to ensure that it is cleaned up when the pod is deleted.
- kubectl -n ${POD_NAMESPACE} patch secret ${POD_NAME}-${TYPE} \
- --type=json -p='[{"op": "add", "path": "/metadata/ownerReferences", "value": [{"apiVersion": "v1", "kind": "Pod", "name": "'${POD_NAME}'", "uid": "'${POD_UID}'"}]}]'
-
- kubectl -n ${POD_NAMESPACE} get secret ${POD_NAME}-${TYPE} -o jsonpath='{.data.tls\.crt}' | base64 -d > /tmp/${TYPE}.crt
- kubectl -n ${POD_NAMESPACE} get secret ${POD_NAME}-${TYPE} -o jsonpath='{.data.tls\.key}' | base64 -d > /tmp/${TYPE}.key
- kubectl -n ${POD_NAMESPACE} get secret ${POD_NAME}-${TYPE} -o jsonpath='{.data.ca\.crt}' | base64 -d > /tmp/${TYPE}-ca.crt
pod:
probes:
@@ -310,6 +268,53 @@
- endpoint: internal
service: local_image_registry
+scripts:
+ # Script is included here (vs in bin/) to allow overriding.
+ cert_init_sh: |
+ #!/bin/bash
+ set -x
+
+ # Script to create certs for each libvirt pod based on pod IP (by default).
+
+ cat <<EOF | kubectl apply -f -
+ apiVersion: cert-manager.io/v1
+ kind: Certificate
+ metadata:
+ name: ${POD_NAME}-${TYPE}
+ namespace: ${POD_NAMESPACE}
+ ownerReferences:
+ - apiVersion: v1
+ kind: Pod
+ name: ${POD_NAME}
+ uid: ${POD_UID}
+ spec:
+ secretName: ${POD_NAME}-${TYPE}
+ commonName: ${POD_IP}
+ usages:
+ - client auth
+ - server auth
+ dnsNames:
+ - ${HOSTNAME}
+ ipAddresses:
+ - ${POD_IP}
+ issuerRef:
+ kind: ${ISSUER_KIND}
+ name: ${ISSUER_NAME}
+ EOF
+
+ kubectl -n ${POD_NAMESPACE} wait --for=condition=Ready --timeout=300s \
+ certificate/${POD_NAME}-${TYPE}
+
+ # NOTE(mnaser): cert-manager does not clean-up the secrets when the certificate
+ # is deleted, so we should add an owner reference to the secret
+ # to ensure that it is cleaned up when the pod is deleted.
+ kubectl -n ${POD_NAMESPACE} patch secret ${POD_NAME}-${TYPE} \
+ --type=json -p='[{"op": "add", "path": "/metadata/ownerReferences", "value": [{"apiVersion": "v1", "kind": "Pod", "name": "'${POD_NAME}'", "uid": "'${POD_UID}'"}]}]'
+
+ kubectl -n ${POD_NAMESPACE} get secret ${POD_NAME}-${TYPE} -o jsonpath='{.data.tls\.crt}' | base64 -d > /tmp/${TYPE}.crt
+ kubectl -n ${POD_NAMESPACE} get secret ${POD_NAME}-${TYPE} -o jsonpath='{.data.tls\.key}' | base64 -d > /tmp/${TYPE}.key
+ kubectl -n ${POD_NAMESPACE} get secret ${POD_NAME}-${TYPE} -o jsonpath='{.data.ca\.crt}' | base64 -d > /tmp/${TYPE}-ca.crt
+
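Review bot: The moved cert_init_sh script still starts with only `set -x`, so a timed-out `kubectl wait --timeout=300s` or a failing `kubectl get secret` does not stop the init container; the three trailing pipelines then write empty `/tmp/${TYPE}.crt`, `/tmp/${TYPE}.key` and `/tmp/${TYPE}-ca.crt` files and the container exits 0, leaving libvirt to start with unusable TLS material. Change the first line to `set -euxo pipefail` so any failed step aborts the init container instead. The private key is also written to `/tmp/${TYPE}.key` under the default umask, so it is presumably readable by any other process that can see that volume; add `umask 077` before the three redirects (or `chmod 600 /tmp/${TYPE}.key` after them). The earlier hunk only removes the same script from its old location, so the point applies to this hunk alone.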
manifests:
configmap_bin: true
configmap_etc: true