docs: Certificate Defaulting with Kyverno

- Add a turotial using Kyverno to override Certificate defaults
- YAML resources with public links for easy downloading
- Add tutorial to main page list
- Rewritten from the original draft to ensure it is a tutorial and flows well

Signed-off-by: Peter Fiddes <[email protected]>

.spelling

@@ -634,6 +634,8 @@ v1.13.
 v1.12.5
 v1.12.6
 v1.12.7
+v1.14.0
+v1.14.X
 liveness
 apiservices
 arm64

content/docs/manifest.json

@@ -578,6 +578,10 @@
             {
               "title": "Managing public trust in kubernetes with trust-manager",
               "path": "/docs/tutorials/getting-started-with-trust-manager/README.md"
+            },
+            {
+              "title": "Setting default certificate values",
+              "path": "/docs/tutorials/certificate-defaults/README.md"
             }
           ]
         },

content/docs/tutorials/README.md

@@ -25,6 +25,8 @@ for you to learn from. Take a look!
 - [Securing an Istio service mesh with cert-manager](./istio-csr/istio-csr.md): Tutorial for
   securing an Istio service mesh using a cert-manager issuer.
 - [Obtaining SSL certificates with the ZeroSSL](./zerossl/zerossl.md): Tutorial describing usage of the ZeroSSL as external ACME server.
+- [Managing public trust in Kubernetes with trust-manager](./getting-started-with-trust-manager/README.md): Learn how to deploy and configure trust-manager to automatically distribute your approved Public CA configuration to your Kubernetes cluster.
+- [Learn how to set Certificate defaults automatically](./certificate-defaults/README.md): Learn how to use Kyverno `ClusterPolicy` to set default values for cert-manager `Certificates`.
 
 ### External Tutorials
 

public/docs/tutorials/certificate-defaults/cert-test-minimal.yaml

@@ -0,0 +1,8 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: test-minimal
+  namespace: default
+spec:
+  dnsNames:
+  - example.com

public/docs/tutorials/certificate-defaults/cert-test-revision-override.yaml

@@ -0,0 +1,19 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: test-revision-override
+  namespace: default
+spec:
+  dnsNames:
+  - example.com
+  issuerRef:
+    group: cert-manager.io
+    kind: ClusterIssuer
+    name: not-my-corp-issuer
+  privateKey:
+    algorithm: RSA
+    encoding: PKCS8
+    rotationPolicy: Never
+    size: 4096
+  revisionHistoryLimit: 44
+  secretName: test-revision-override-cert

public/docs/tutorials/certificate-defaults/cert-test-revision.yaml

@@ -0,0 +1,13 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: test-revision
+  namespace: default
+spec:
+  dnsNames:
+  - example.com
+  issuerRef:
+    group: cert-manager.io
+    kind: ClusterIssuer
+    name: not-my-corp-issuer
+  secretName: test-revision-cert

public/docs/tutorials/certificate-defaults/cpol-mutate-certificate-defaults.yaml

@@ -0,0 +1,45 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: 0-mutate-certificate-defaults
+spec:
+  failurePolicy: Fail
+  rules:
+  # Set a sane default for the history field if not already present
+  - name: set-revisionHistoryLimit
+    match:
+      any:
+      - resources:
+          kinds:
+          - Certificate
+    mutate:
+      patchStrategicMerge:
+        spec:
+          # +(...) This is the clever syntax for if not already set
+          +(revisionHistoryLimit): 2
+  # Set rotation to always if not already set
+  - name: set-privateKey-rotationPolicy
+    match:
+      any:
+      - resources:
+          kinds:
+          - Certificate
+    mutate:
+      patchStrategicMerge:
+        spec:
+          privateKey:
+            +(rotationPolicy): Always
+  # Set private key details for algorithm an size
+  - name: set-privateKey-details
+    match:
+      any:
+      - resources:
+          kinds:
+          - Certificate
+    mutate:
+      patchStrategicMerge:
+        spec:
+          privateKey:
+            +(algorithm): ECDSA
+            +(size): 521
+            +(encoding): PKCS1

public/docs/tutorials/certificate-defaults/cpol-mutate-certificate-required.yaml

@@ -0,0 +1,31 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: 1-mutate-certificate-required
+spec:
+  rules:
+  # Test if we can set a secretName when one is not provided
+  - name: set-default-secret-name
+    match:
+      any:
+      - resources:
+          kinds:
+          - Certificate
+    mutate:
+      patchStrategicMerge:
+        spec:
+          +(secretName): "{{request.object.metadata.name}}-cert"
+  # Test if we can set a default issuerRef
+  - name: set-default-issuer-ref
+    match:
+      any:
+      - resources:
+          kinds:
+          - Certificate
+    mutate:
+      patchStrategicMerge:
+        spec:
+          +(issuerRef):
+            name: our-corp-issuer
+            kind: ClusterIssuer
+            group: cert-manager.io

public/docs/tutorials/certificate-defaults/cpol-validate-certificate.yaml

@@ -0,0 +1,24 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: validate-certificate
+spec:
+  rules:
+  # Test from the kyverno examples to validate any subdomain of corp.com applied the correct issuer
+  - name: restrict-corp-cert-issuer
+    match:
+      any:
+      - resources:
+          kinds:
+          - Certificate
+    validate:
+      message: When requesting a cert for this domain, you must use our corporate issuer.
+      pattern:
+        spec:
+          (dnsNames): ["*.corp.com"]
+          issuerRef:
+            name: our-corp-issuer
+            kind: ClusterIssuer
+            group: cert-manager.io
+  validationFailureAction: Enforce
+  background: true

public/docs/tutorials/certificate-defaults/ingress.yaml

@@ -0,0 +1,24 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    cert-manager.io/cluster-issuer: "our-corp-issuer"
+  name: defaults-example
+  namespace: default
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: app.example.com
+    http:
+      paths:
+      - backend:
+          service:
+            name: app
+            port:
+              number: 80
+        path: /
+        pathType: ImplementationSpecific
+  tls:
+    - hosts: 
+      - app.example.com
+      secretName: defaults-example-certificate-tls

public/docs/tutorials/certificate-defaults/mutatingwebhookconfiguration-patch.yaml

@@ -0,0 +1,16 @@
+webhooks:
+- name: webhook.cert-manager.io
+  namespaceSelector: {}
+  objectSelector: {}
+  reinvocationPolicy: Never
+  rules:
+  - apiGroups:
+    - cert-manager.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    resources:
+    - 'certificaterequests'
+    scope: '*'
+