From 81f71cd025bb720e611a710f5b74cc365811f561 Mon Sep 17 00:00:00 2001
From: Marco Kilchhofer
Date: Tue, 18 Jul 2023 08:10:19 +0200
Subject: [PATCH] chore(helm-chart): Rework without implementing transitive secret

---
 .github/workflows/lint-test-chart.yaml | 23 ++++-
 charts/metrics-server/README.md | 67 +++---------
 .../metrics-server/ci/tls-custom-values.yaml | 85 -----------------
 .../ci/tls-existing-values.yaml | 93 -------------------
 .../ci/tls-existingSecret-values.yaml | 12 +++
 .../metrics-server/templates/apiservice.yaml | 30 ++----
 .../metrics-server/templates/certificate.yaml | 2 +-
 .../templates/extra-manifests.yaml | 4 -
 charts/metrics-server/values.yaml | 59 ++----------
 9 files changed, 67 insertions(+), 308 deletions(-)
 delete mode 100644 charts/metrics-server/ci/tls-custom-values.yaml
 delete mode 100644 charts/metrics-server/ci/tls-existing-values.yaml
 create mode 100644 charts/metrics-server/ci/tls-existingSecret-values.yaml
 delete mode 100644 charts/metrics-server/templates/extra-manifests.yaml

diff --git a/.github/workflows/lint-test-chart.yaml b/.github/workflows/lint-test-chart.yaml
index db532992b1..12ffed8814 100644
--- a/.github/workflows/lint-test-chart.yaml
+++ b/.github/workflows/lint-test-chart.yaml
@@ -78,6 +78,27 @@ jobs:
 --set installCRDs=true \
 --set extraArgs='{--enable-certificate-owner-ref}'

+ - name: Prepare existing secret test scenario
+ if: fromJSON(steps.changes.outputs.changed)
+ run: |
+ openssl req -x509 -newkey rsa:2048 -sha256 -days 365 \
+ -nodes -keyout ${{ runner.temp }}/tls.key -out ${{ runner.temp }}/tls.crt \
+ -subj "/CN=metrics-server" \
+ -addext "subjectAltName=DNS:metrics-server,DNS:metrics-server.kube-system.svc"
+
+ kubectl -n kube-system create secret generic metrics-server-existing \
+ --from-file=${{ runner.temp }}/tls.key \
+ --from-file=${{ runner.temp }}/tls.crt
+
+ cat <> charts/metrics-server/ci/tls-existingSecret-values.yaml
+ apiService:
+ insecureSkipTLSVerify: false
+ caBundle: |
+ $(cat ${{ runner.temp }}/tls.crt | sed -e "s/^/ /g")
+ EOF
+
+ rm ${{ runner.temp }}/tls.key ${{ runner.temp }}/tls.crt
+
 - name: Run chart-testing install
 if: fromJSON(steps.changes.outputs.changed)
- run: ct install
+ run: ct install --namespace kube-system
diff --git a/charts/metrics-server/README.md b/charts/metrics-server/README.md
index bbbf93679f..71963e9e3d 100644
--- a/charts/metrics-server/README.md
+++ b/charts/metrics-server/README.md
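Review bot: The test Secret is created with `kubectl create secret generic --from-file`, which neither checks that the key and certificate belong together nor produces the standard TLS Secret type, while the README changes in this same patch tell users an existing Secret must carry `tls.crt` and `tls.key`. `kubectl -n kube-system create secret tls metrics-server-existing --cert="${{ runner.temp }}/tls.crt" --key="${{ runner.temp }}/tls.key"` yields exactly those keys, validates the pair, and exercises the `kubernetes.io/tls` shape that secret-sync tooling typically emits, so the CI scenario matches what the documentation promises. The `cat <> charts/metrics-server/ci/tls-existingSecret-values.yaml` line appears to have lost its heredoc operators in this rendering (presumably `<<EOF >>`); worth confirming against the committed workflow, since a bare `<>` would not append the generated `caBundle`. The generated SAN list also omits the `.svc.cluster.local` name that the chart's own templates include; that is presumably sufficient because the aggregator dials the service name, but it means the CI certificate does not cover the documented SAN set.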
@@ -86,8 +86,8 @@ The following table lists the configurable parameters of the _Metrics Server_ ch
 | `topologySpreadConstraints` | Pod Topology Spread Constraints. | `[]` |
 | `deploymentAnnotations` | Annotations to add to the deployment. | `{}` |
 | `schedulerName` | scheduler to set to the deployment. | `""` |
-| `tls.type` | TLS option to use. Either use `metrics-server` for self-signed certificates, `secret`, `existingSecret`, `cert-manager` or `helm` | `"metrics-server"` |
-| `tls.certManager.clusterDomain` | Kubernetes cluster domain. Used to configure Subject Alt Names for the certificate | `"cluster.local"` |
+| `tls.type` | TLS option to use. Either use `metrics-server` for self-signed certificates, `helm`, `cert-manager` or `existingSecret`. | `"metrics-server"` |
+| `tls.clusterDomain` | Kubernetes cluster domain. Used to configure Subject Alt Names for the certificate when using `tls.type` `helm` or `cert-manager`. | `"cluster.local"` |
 | `tls.certManager.addInjectorAnnotations` | Automatically add the cert-manager.io/inject-ca-from annotation to the APIService resource. | `true` |
 | `tls.certManager.existingIssuer.enabled` | Use an existing cert-manager issuer | `false` |
 | `tls.certManager.existingIssuer.kind` | Kind of the existing cert-manager issuer | `"Issuer"` |
@@ -97,15 +97,10 @@ The following table lists the configurable parameters of the _Metrics Server_ ch
 | `tls.certManager.annotations` | Add extra annotations to the Certificate resource | `{}` |
 | `tls.certManager.labels` | Add extra labels to the Certificate resource | `{}` |
 | `tls.existingSecret.name` | Name of the existing Secret to use for TLS | `""` |
-| `tls.secret.annotations` | Add extra annotations to the Secret resource | `{}` |
-| `tls.secret.labels` | Add extra labels to the Secret resource | `{}` |
-| `tls.secret.crt` | The server certificate to use for metrics-server. Use PEM format | `""` |
-| `tls.secret.key` | The private key of the certificate to use for metrics-server. Use PEM format. | `""` |
-| `extraObjects` | List of extra manifests to deploy. Will be passed through `tpl` to support templating | `[]` |

 ## Hardening metrics-server

-By default, metrics-server is using a self-signed certificate which is generated during startup. The APIservice is registered with `.spec.insecureSkipTLSVerify` set to `true` as you can see here:
+By default, metrics-server is using a self-signed certificate which is generated during startup. The `APIservice` resource is registered with `.spec.insecureSkipTLSVerify` set to `true` as you can see here:

 ```yaml
 apiVersion: apiregistration.k8s.io/v1
@@ -120,12 +115,13 @@ spec:
 #..
 ```

-To harden metrics-server, you have these 4 options described in the following section.
+To harden metrics-server, you have these options described in the following section.

 ### Option 1: Let helm generate a self-signed certificate

-This option is probably the easiest solution for you. We delegate helm the generation process for self-signed certificates.
+This option is probably the easiest solution for you. We delegate the process to generate a self-signed certificate to helm.
 As helm generates them during deploy time, helm can also inject the `apiService.caBundle` for you.
+
 **The only disadvantage of using this method is that it is not GitOps friendly** (e.g. Argo CD).
 If you are using one of these GitOps tools with drift detection, it will always detect changes.
 However if you are deploying the helm chart via Terraform for example (or maybe even Flux), this method is perfectly fine.
@@ -154,59 +150,26 @@ tls:
 There are other optional parameters, if you want to customize the behavior of the certificate even more.

-### Option 3: Provide certificate data
-
-You can use an arbitrary PKI solution and generate a certificate for metrics-server. You need the following data in PEM format:
-
-- The server certificate which is issued with 3 Subject Alt Names:
- - `metrics-server.`
- - `metrics-server..svc`
- - `metrics-server..svc.cluster.local`
-- The server key file
-- The CA certificate *(optional, you can also provide the server certificate to `apiService.caBundle`)*
-
-To use this method, please setup your values file like this:
-
-```yaml
-apiService:
- insecureSkipTLSVerify: false
- caBundle: |
- -----BEGIN CERTIFICATE-----
- ...
- -----END CERTIFICATE-----
-
-
-tls:
- type: secret
- secret:
- crt: |
- -----BEGIN CERTIFICATE-----
- ...
- -----END CERTIFICATE-----
-
- key: |
- -----BEGIN RSA PRIVATE KEY-----
- ...
- -----END RSA PRIVATE KEY-----
-```
-
-### Option 4: Use existing Secret
+### Option 3: Use existing Secret

 This option allows you to reuse an existing Secret. This Secrets can have an arbitrary origin, e.g.

 - Created via kubectl / Terraform / etc.
-- Synced from a secrets management solution like AWS SecretsManager, HashiCorp Vault, etc.
+- Synced from a secret management solution like AWS Secrets Manager, HashiCorp Vault, etc.

-You still need to pass the CA certificate to ensure proper configuration of the `APIservice` resource,
-but the sensitive information (the private key) can be read via Secret. Same as in the previous option "2",
-`apiService.caBundle` can also be the server certificate.
+When using this type of TLS option, the keys `tls.key` and the `tls.crt` key must be provided in the data field of the
+existing Secret.
+
+You need to pass the certificate of the issuing CA (or the certificate itself) via `apiService.caBundle` to ensure
+proper configuration of the `APIservice` resource.
Otherwise you cannot set `apiService.insecureSkipTLSVerify` to
+`false`.

 To use this method, please setup your values file like this:

 ```yaml
 apiService:
 insecureSkipTLSVerify: false
- caBundle:
+ caBundle: |
 -----BEGIN CERTIFICATE-----
 ...
 -----END CERTIFICATE-----
diff --git a/charts/metrics-server/ci/tls-custom-values.yaml b/charts/metrics-server/ci/tls-custom-values.yaml
deleted file mode 100644
index 220ae7a815..0000000000
--- a/charts/metrics-server/ci/tls-custom-values.yaml
+++ /dev/null
@@ -1,85 +0,0 @@ -args: - - --kubelet-insecure-tls - -apiService: - insecureSkipTLSVerify: false - # dummy certificate only (generated by cert-manager once) - caBundle: | - -----BEGIN CERTIFICATE----- - MIIDYjCCAkqgAwIBAgIQUK3jdPbBzeYoPwPg0WJZ/DANBgkqhkiG9w0BAQsFADAZ - MRcwFQYDVQQDEw5tZXRyaWNzLXNlcnZlcjAeFw0yMzA3MTQxMTA3MjBaFw0yMzEw - MTIxMTA3MjBaMBkxFzAVBgNVBAMTDm1ldHJpY3Mtc2VydmVyMIIBIjANBgkqhkiG - 9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2c8M9HJtbRnrKQ60ChYfGguKUw1g2DLbFhvm - piivnv9ltRAXt7WQos42alAm2PuR/sDRBcWH0+OD+u3Kf75kARZb95l/eEwH1Ntw - 2fvIfWnKdzcqd86C3M4ywNiBQ8BbpT24XNiV6Hs12OwHeNHjXkUGx5ObCtxbkFXj - rjb8UNOjD/+QvGQthrkAnJtPfnIKaInXc6/NwCtCTCdgcF1ut+FbWjePv9o0EHvG - SzI4MWXXGjfnxtFjmykzAXLfqJrXoMFF3ttUAmA7CQXOCJHUSAT6Pog7SnjSgh8O - 5sCUM8qGFQ5rQO/6tBij7W/qK5/xP8gjjI6Qejh4F2eQhrz0ewIDAQABo4GlMIGi - MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMHMG - A1UdEQRsMGqCGm1ldHJpY3Mtc2VydmVyLmt1YmUtc3lzdGVtgh5tZXRyaWNzLXNl - cnZlci5rdWJlLXN5c3RlbS5zdmOCLG1ldHJpY3Mtc2VydmVyLmt1YmUtc3lzdGVt - LnN2Yy5jbHVzdGVyLmxvY2FsMA0GCSqGSIb3DQEBCwUAA4IBAQC1d5rqbyDrlaNq - DlgX3W/fx6g4bioQRHOqswuM3KEwDHzIGfIki6K3+S7EGg8pGAQDqH4ckHmS1tbj - bcOTljpDqcNdlt5yKiZWt1VSECM0JhEpZ3jrFbJjp6l6YDbOx7KJHGCOirJ/aKCK - MMpp1Y5OsM+JJEMIMnFAcyl/eIet5t5+hUSQb+CMjrXnkdKITpaNOFsScRGQ2wBJ - RGzQds448r8YdLZPuipKLxkdtpCHLA32gT5QbCZnPe7F88hm2NAlbQN7hY2Ictqp - mzVO3OglgG1OS1glOL0niWUErK9PNfDjp7VMvpU3eIBH7lpwBAUvjtGHGlfWU796 - ObtNgW0o - -----END CERTIFICATE----- - -tls: - type: secret - secret: - # dummy certificate only (generated by cert-manager once) - crt: | - -----BEGIN CERTIFICATE----- - MIIDYjCCAkqgAwIBAgIQUK3jdPbBzeYoPwPg0WJZ/DANBgkqhkiG9w0BAQsFADAZ - MRcwFQYDVQQDEw5tZXRyaWNzLXNlcnZlcjAeFw0yMzA3MTQxMTA3MjBaFw0yMzEw - MTIxMTA3MjBaMBkxFzAVBgNVBAMTDm1ldHJpY3Mtc2VydmVyMIIBIjANBgkqhkiG - 9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2c8M9HJtbRnrKQ60ChYfGguKUw1g2DLbFhvm - piivnv9ltRAXt7WQos42alAm2PuR/sDRBcWH0+OD+u3Kf75kARZb95l/eEwH1Ntw - 2fvIfWnKdzcqd86C3M4ywNiBQ8BbpT24XNiV6Hs12OwHeNHjXkUGx5ObCtxbkFXj - 
rjb8UNOjD/+QvGQthrkAnJtPfnIKaInXc6/NwCtCTCdgcF1ut+FbWjePv9o0EHvG - SzI4MWXXGjfnxtFjmykzAXLfqJrXoMFF3ttUAmA7CQXOCJHUSAT6Pog7SnjSgh8O - 5sCUM8qGFQ5rQO/6tBij7W/qK5/xP8gjjI6Qejh4F2eQhrz0ewIDAQABo4GlMIGi - MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMHMG - A1UdEQRsMGqCGm1ldHJpY3Mtc2VydmVyLmt1YmUtc3lzdGVtgh5tZXRyaWNzLXNl - cnZlci5rdWJlLXN5c3RlbS5zdmOCLG1ldHJpY3Mtc2VydmVyLmt1YmUtc3lzdGVt - LnN2Yy5jbHVzdGVyLmxvY2FsMA0GCSqGSIb3DQEBCwUAA4IBAQC1d5rqbyDrlaNq - DlgX3W/fx6g4bioQRHOqswuM3KEwDHzIGfIki6K3+S7EGg8pGAQDqH4ckHmS1tbj - bcOTljpDqcNdlt5yKiZWt1VSECM0JhEpZ3jrFbJjp6l6YDbOx7KJHGCOirJ/aKCK - MMpp1Y5OsM+JJEMIMnFAcyl/eIet5t5+hUSQb+CMjrXnkdKITpaNOFsScRGQ2wBJ - RGzQds448r8YdLZPuipKLxkdtpCHLA32gT5QbCZnPe7F88hm2NAlbQN7hY2Ictqp - mzVO3OglgG1OS1glOL0niWUErK9PNfDjp7VMvpU3eIBH7lpwBAUvjtGHGlfWU796 - ObtNgW0o - -----END CERTIFICATE----- - - # dummy certificate only (generated by cert-manager once) - key: | - -----BEGIN RSA PRIVATE KEY----- - MIIEpAIBAAKCAQEA2c8M9HJtbRnrKQ60ChYfGguKUw1g2DLbFhvmpiivnv9ltRAX - t7WQos42alAm2PuR/sDRBcWH0+OD+u3Kf75kARZb95l/eEwH1Ntw2fvIfWnKdzcq - d86C3M4ywNiBQ8BbpT24XNiV6Hs12OwHeNHjXkUGx5ObCtxbkFXjrjb8UNOjD/+Q - vGQthrkAnJtPfnIKaInXc6/NwCtCTCdgcF1ut+FbWjePv9o0EHvGSzI4MWXXGjfn - xtFjmykzAXLfqJrXoMFF3ttUAmA7CQXOCJHUSAT6Pog7SnjSgh8O5sCUM8qGFQ5r - QO/6tBij7W/qK5/xP8gjjI6Qejh4F2eQhrz0ewIDAQABAoIBAQC1DgZI1S3dOWRf - 1tcWY1krP1iWvVI5pdy0vjC3Aq8qTkdvgZcVoRpAG4bkTQhd6pFr4UBfudm06zV0 - y2I/WjarKLj+U1zA1QLVkCx5J3F7vwsMmpD00ne5sLZD1DVv6mDENVAh7fB/NpyG - W33Ck0abwGloUWzaVF7Q1nTTBuYrEJmnLhgvWaUSv8KhcPko6uWLeuFCUaVarjaf - ghP1i1nA4ILXdHKWCZXSBxCH+EvWu68/avlfh4bptx7XmmPowayJQXvS1PK7WDg5 - QbT9RYG6Hy2l+okqdk/ikfQb3Bh0TR0W2XImxzuq3zRnT4mHSVzd1Xy6rMgrFZaq - Iy76eHnRAoGBAO9+ZQllDK1GHKdIJu0mamMraP8HovKU5jasNPPw1A/t3nTie8nw - xHqyDk69sdrxKqvnv76oS8gSGQRcnjFhf0u2BizuNnF8hKq1T5yPY6IiH317Pa8b - stGfcaZYy0uTKv3WCT/Jbhkl2j0MtAENz8GsYR9G5L9n4NuUkTOzVO11AoGBAOjS - DIOc18uH5JF9Cc4C3MHfK+6Rdeb/+7RVtOLmTP1T6UNXfcWgyb++IrhDtik1LlSt - 
D0M5rcFF6YsQMOiR6RmQRbBdH/nuwcR7Bmp4KcFVLMsSx/P2nJo0exifecBI2sXC - FhKWp/rKICSNPWpDjXUPpWjG04qHWiGcZsMXGGwvAoGBAKV6nQ9vveGf9z5ysUrd - Z1cccJD+0s1wqt0OAgyn068p+bKjp0ryTKBGlXI8yj5wsr5TA/8VxD76mkSURk3y - gwVqQTwcYIvrsLNPUjHoNbyafU2zsPxkVBtZYyrAYb/XcTYxBPUJFkTUDcZvF5U+ - 2NWGaRk2X+oNOaYfMnEZsU3dAoGAMjJnhFDirf1EqKGe5Y30btBhNnSiSQXUDROV - hn5FBzF6T4yjj2KVXQPvlG707XmL3bHaYpIjBlK+gb8h7GLZMSvL+rR5WnfBy00D - Gx2BUy+8EqSf+9el+BFsoOhxZaXPlWe9PpDA8u91cqwJG8ooy55t+WM05N897ZU9 - Cr8GAv0CgYBX/P0Ijw4x32Xb3y8uP3IaL9fHHBJZwuz0wVQlteNeV06gdlmp2NMs - 9dbs8jMztJLTQ6SGnVxiDZg+ZFPWFD5wmyRQG5dz/norpzp8QFuZVIkK3VfSVHgl - kFQUZ8+mby4FJDLcPIUccPd9xSOvF55zfSfsktLjMa232sPzrZqcLA== - -----END RSA PRIVATE KEY----- diff --git a/charts/metrics-server/ci/tls-existing-values.yaml b/charts/metrics-server/ci/tls-existing-values.yaml deleted file mode 100644 index 50536079cf..0000000000 --- a/charts/metrics-server/ci/tls-existing-values.yaml +++ /dev/null 
@@ -1,93 +0,0 @@ -args: - - --kubelet-insecure-tls - -apiService: - insecureSkipTLSVerify: false - # same dummy certificate as we are using in tls-custom-values.yaml - caBundle: | - -----BEGIN CERTIFICATE----- - MIIDYjCCAkqgAwIBAgIQUK3jdPbBzeYoPwPg0WJZ/DANBgkqhkiG9w0BAQsFADAZ - MRcwFQYDVQQDEw5tZXRyaWNzLXNlcnZlcjAeFw0yMzA3MTQxMTA3MjBaFw0yMzEw - MTIxMTA3MjBaMBkxFzAVBgNVBAMTDm1ldHJpY3Mtc2VydmVyMIIBIjANBgkqhkiG - 9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2c8M9HJtbRnrKQ60ChYfGguKUw1g2DLbFhvm - piivnv9ltRAXt7WQos42alAm2PuR/sDRBcWH0+OD+u3Kf75kARZb95l/eEwH1Ntw - 2fvIfWnKdzcqd86C3M4ywNiBQ8BbpT24XNiV6Hs12OwHeNHjXkUGx5ObCtxbkFXj - rjb8UNOjD/+QvGQthrkAnJtPfnIKaInXc6/NwCtCTCdgcF1ut+FbWjePv9o0EHvG - SzI4MWXXGjfnxtFjmykzAXLfqJrXoMFF3ttUAmA7CQXOCJHUSAT6Pog7SnjSgh8O - 5sCUM8qGFQ5rQO/6tBij7W/qK5/xP8gjjI6Qejh4F2eQhrz0ewIDAQABo4GlMIGi - MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMHMG - A1UdEQRsMGqCGm1ldHJpY3Mtc2VydmVyLmt1YmUtc3lzdGVtgh5tZXRyaWNzLXNl - cnZlci5rdWJlLXN5c3RlbS5zdmOCLG1ldHJpY3Mtc2VydmVyLmt1YmUtc3lzdGVt - LnN2Yy5jbHVzdGVyLmxvY2FsMA0GCSqGSIb3DQEBCwUAA4IBAQC1d5rqbyDrlaNq - DlgX3W/fx6g4bioQRHOqswuM3KEwDHzIGfIki6K3+S7EGg8pGAQDqH4ckHmS1tbj - bcOTljpDqcNdlt5yKiZWt1VSECM0JhEpZ3jrFbJjp6l6YDbOx7KJHGCOirJ/aKCK - MMpp1Y5OsM+JJEMIMnFAcyl/eIet5t5+hUSQb+CMjrXnkdKITpaNOFsScRGQ2wBJ - RGzQds448r8YdLZPuipKLxkdtpCHLA32gT5QbCZnPe7F88hm2NAlbQN7hY2Ictqp - mzVO3OglgG1OS1glOL0niWUErK9PNfDjp7VMvpU3eIBH7lpwBAUvjtGHGlfWU796 - ObtNgW0o - -----END CERTIFICATE----- - -tls: - type: existingSecret - existingSecret: - name: metrics-server-existing - -extraObjects: - # same dummy certificate as we are using in tls-custom-values.yaml - - apiVersion: v1 - kind: Secret - metadata: - name: metrics-server-existing - namespace: '{{ .Release.Namespace }}' - type: Opaque - stringData: - tls.crt: | - -----BEGIN CERTIFICATE----- - MIIDYjCCAkqgAwIBAgIQUK3jdPbBzeYoPwPg0WJZ/DANBgkqhkiG9w0BAQsFADAZ - MRcwFQYDVQQDEw5tZXRyaWNzLXNlcnZlcjAeFw0yMzA3MTQxMTA3MjBaFw0yMzEw - 
MTIxMTA3MjBaMBkxFzAVBgNVBAMTDm1ldHJpY3Mtc2VydmVyMIIBIjANBgkqhkiG - 9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2c8M9HJtbRnrKQ60ChYfGguKUw1g2DLbFhvm - piivnv9ltRAXt7WQos42alAm2PuR/sDRBcWH0+OD+u3Kf75kARZb95l/eEwH1Ntw - 2fvIfWnKdzcqd86C3M4ywNiBQ8BbpT24XNiV6Hs12OwHeNHjXkUGx5ObCtxbkFXj - rjb8UNOjD/+QvGQthrkAnJtPfnIKaInXc6/NwCtCTCdgcF1ut+FbWjePv9o0EHvG - SzI4MWXXGjfnxtFjmykzAXLfqJrXoMFF3ttUAmA7CQXOCJHUSAT6Pog7SnjSgh8O - 5sCUM8qGFQ5rQO/6tBij7W/qK5/xP8gjjI6Qejh4F2eQhrz0ewIDAQABo4GlMIGi - MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMHMG - A1UdEQRsMGqCGm1ldHJpY3Mtc2VydmVyLmt1YmUtc3lzdGVtgh5tZXRyaWNzLXNl - cnZlci5rdWJlLXN5c3RlbS5zdmOCLG1ldHJpY3Mtc2VydmVyLmt1YmUtc3lzdGVt - LnN2Yy5jbHVzdGVyLmxvY2FsMA0GCSqGSIb3DQEBCwUAA4IBAQC1d5rqbyDrlaNq - DlgX3W/fx6g4bioQRHOqswuM3KEwDHzIGfIki6K3+S7EGg8pGAQDqH4ckHmS1tbj - bcOTljpDqcNdlt5yKiZWt1VSECM0JhEpZ3jrFbJjp6l6YDbOx7KJHGCOirJ/aKCK - MMpp1Y5OsM+JJEMIMnFAcyl/eIet5t5+hUSQb+CMjrXnkdKITpaNOFsScRGQ2wBJ - RGzQds448r8YdLZPuipKLxkdtpCHLA32gT5QbCZnPe7F88hm2NAlbQN7hY2Ictqp - mzVO3OglgG1OS1glOL0niWUErK9PNfDjp7VMvpU3eIBH7lpwBAUvjtGHGlfWU796 - ObtNgW0o - -----END CERTIFICATE----- - tls.key: | - -----BEGIN RSA PRIVATE KEY----- - MIIEpAIBAAKCAQEA2c8M9HJtbRnrKQ60ChYfGguKUw1g2DLbFhvmpiivnv9ltRAX - t7WQos42alAm2PuR/sDRBcWH0+OD+u3Kf75kARZb95l/eEwH1Ntw2fvIfWnKdzcq - d86C3M4ywNiBQ8BbpT24XNiV6Hs12OwHeNHjXkUGx5ObCtxbkFXjrjb8UNOjD/+Q - vGQthrkAnJtPfnIKaInXc6/NwCtCTCdgcF1ut+FbWjePv9o0EHvGSzI4MWXXGjfn - xtFjmykzAXLfqJrXoMFF3ttUAmA7CQXOCJHUSAT6Pog7SnjSgh8O5sCUM8qGFQ5r - QO/6tBij7W/qK5/xP8gjjI6Qejh4F2eQhrz0ewIDAQABAoIBAQC1DgZI1S3dOWRf - 1tcWY1krP1iWvVI5pdy0vjC3Aq8qTkdvgZcVoRpAG4bkTQhd6pFr4UBfudm06zV0 - y2I/WjarKLj+U1zA1QLVkCx5J3F7vwsMmpD00ne5sLZD1DVv6mDENVAh7fB/NpyG - W33Ck0abwGloUWzaVF7Q1nTTBuYrEJmnLhgvWaUSv8KhcPko6uWLeuFCUaVarjaf - ghP1i1nA4ILXdHKWCZXSBxCH+EvWu68/avlfh4bptx7XmmPowayJQXvS1PK7WDg5 - QbT9RYG6Hy2l+okqdk/ikfQb3Bh0TR0W2XImxzuq3zRnT4mHSVzd1Xy6rMgrFZaq - Iy76eHnRAoGBAO9+ZQllDK1GHKdIJu0mamMraP8HovKU5jasNPPw1A/t3nTie8nw - 
xHqyDk69sdrxKqvnv76oS8gSGQRcnjFhf0u2BizuNnF8hKq1T5yPY6IiH317Pa8b
- stGfcaZYy0uTKv3WCT/Jbhkl2j0MtAENz8GsYR9G5L9n4NuUkTOzVO11AoGBAOjS
- DIOc18uH5JF9Cc4C3MHfK+6Rdeb/+7RVtOLmTP1T6UNXfcWgyb++IrhDtik1LlSt
- D0M5rcFF6YsQMOiR6RmQRbBdH/nuwcR7Bmp4KcFVLMsSx/P2nJo0exifecBI2sXC
- FhKWp/rKICSNPWpDjXUPpWjG04qHWiGcZsMXGGwvAoGBAKV6nQ9vveGf9z5ysUrd
- Z1cccJD+0s1wqt0OAgyn068p+bKjp0ryTKBGlXI8yj5wsr5TA/8VxD76mkSURk3y
- gwVqQTwcYIvrsLNPUjHoNbyafU2zsPxkVBtZYyrAYb/XcTYxBPUJFkTUDcZvF5U+
- 2NWGaRk2X+oNOaYfMnEZsU3dAoGAMjJnhFDirf1EqKGe5Y30btBhNnSiSQXUDROV
- hn5FBzF6T4yjj2KVXQPvlG707XmL3bHaYpIjBlK+gb8h7GLZMSvL+rR5WnfBy00D
- Gx2BUy+8EqSf+9el+BFsoOhxZaXPlWe9PpDA8u91cqwJG8ooy55t+WM05N897ZU9
- Cr8GAv0CgYBX/P0Ijw4x32Xb3y8uP3IaL9fHHBJZwuz0wVQlteNeV06gdlmp2NMs
- 9dbs8jMztJLTQ6SGnVxiDZg+ZFPWFD5wmyRQG5dz/norpzp8QFuZVIkK3VfSVHgl
- kFQUZ8+mby4FJDLcPIUccPd9xSOvF55zfSfsktLjMa232sPzrZqcLA==
- -----END RSA PRIVATE KEY-----
diff --git a/charts/metrics-server/ci/tls-existingSecret-values.yaml b/charts/metrics-server/ci/tls-existingSecret-values.yaml
new file mode 100644
index 0000000000..8daa8483cb
--- /dev/null
+++ b/charts/metrics-server/ci/tls-existingSecret-values.yaml
@@ -0,0 +1,12 @@
+args:
+ - --kubelet-insecure-tls
+
+## Set via GH action (step "Prepare existing secret test scenario")
+# apiService:
+# insecureSkipTLSVerify: false
+# caBundle: |
+
+tls:
+ type: existingSecret
+ existingSecret:
+ name: metrics-server-existing
diff --git a/charts/metrics-server/templates/apiservice.yaml b/charts/metrics-server/templates/apiservice.yaml
index 392d59a7da..a70af37747 100644
--- a/charts/metrics-server/templates/apiservice.yaml
+++ b/charts/metrics-server/templates/apiservice.yaml
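Review bot: `--kubelet-insecure-tls` in the new CI values file disables verification of kubelet serving certificates, which is acceptable for a throwaway test cluster but is exactly the kind of flag that gets copied out of `ci/` into real deployments without a second look. A one-line comment above it would make the intent explicit: `# CI only: skips kubelet serving-cert verification on the test cluster; never set this in production values`. The commented-out `apiService` stanza is appended by the workflow step named in the comment, so the file as committed still renders with the documented chart default of `insecureSkipTLSVerify: true`; saying so in the same comment would stop a reader from assuming this file alone exercises a verified APIService.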
@@ -1,33 +1,23 @@
-{{ $commonName := include "metrics-server.fullname" . }}
-{{ $ns := .Release.Namespace }}
-{{- $altNames := list -}}
-{{- $altNames = append $altNames (printf "%s.%s" $commonName $ns) -}}
-{{- $altNames = append $altNames (printf "%s.%s.svc" $commonName $ns) -}}
-{{- $altNames = append $altNames (printf "%s.%s.svc.%s" $commonName $ns .Values.tls.certManager.clusterDomain) -}}
-{{- $certs := genSelfSignedCert $commonName nil $altNames 36500 -}}
-{{- if or (eq .Values.tls.type "secret") (eq .Values.tls.type "helm") }}
+{{- $altNames := list }}
+{{- $certs := dict }}
+
+{{- if eq .Values.tls.type "helm" }}
+{{- $commonName := include "metrics-server.fullname" . }}
+{{- $ns := .Release.Namespace }}
+{{- $altNames = append $altNames (printf "%s.%s" $commonName $ns) }}
+{{- $altNames = append $altNames (printf "%s.%s.svc" $commonName $ns) }}
+{{- $altNames = append $altNames (printf "%s.%s.svc.%s" $commonName $ns .Values.tls.clusterDomain) }}
+{{- $certs = genSelfSignedCert $commonName nil $altNames 36500 }}
 apiVersion: v1
 kind: Secret
 metadata:
 name: {{ include "metrics-server.fullname" . }}
- {{- with .Values.tls.secret.annotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
 labels:
 {{- include "metrics-server.labels" . | nindent 4 }}
- {{- with .Values.tls.secret.labels }}
- {{- toYaml . | nindent 4 }}
- {{- end }}
 type: Opaque
 data:
- {{- if eq .Values.tls.type "secret" }}
- tls.crt: {{ .Values.tls.secret.crt | b64enc | quote }}
- tls.key: {{ .Values.tls.secret.key | b64enc | quote }}
- {{- else }}
 tls.crt: {{ $certs.Cert| b64enc | quote }}
 tls.key: {{ $certs.Key | b64enc | quote }}
- {{- end }}
 {{- end }}
 ---
 {{- if .Values.apiService.create }}
diff --git a/charts/metrics-server/templates/certificate.yaml b/charts/metrics-server/templates/certificate.yaml
index 74ec6a3f98..93d3413f4d 100644
--- a/charts/metrics-server/templates/certificate.yaml
+++ b/charts/metrics-server/templates/certificate.yaml
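Review bot: The Secret rendered for the `helm` type carries a `tls.crt`/`tls.key` pair but keeps `type: Opaque`; `type: kubernetes.io/tls` is the conventional type for that layout and lets the API server reject a Secret that lacks either key. Secret `type` is immutable, so changing it would break `helm upgrade` for releases already using the `helm` type unless the Secret is deleted first — if that trade-off is the reason for keeping `Opaque`, a comment such as `# kept Opaque rather than kubernetes.io/tls: the type is immutable and changing it breaks upgrades of existing releases` would record it for the next reviewer. The `36500`-day lifetime handed to `genSelfSignedCert` is effectively a non-expiring certificate; given that the README's drift-detection caveat implies the certificate is regenerated on each deploy anyway, something on the order of `3650` (or a chart value) costs nothing and avoids shipping a century-long self-signed cert. `$certs.Cert| b64enc` is missing the space before the pipe that the `tls.key` line has; purely cosmetic but it stands out in a hunk that otherwise normalises whitespace. The template continues past `{{- if .Values.apiService.create }}`, outside this hunk.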
@@ -21,7 +21,7 @@ spec:
 dnsNames:
 - {{ include "metrics-server.fullname" . }}.{{ .Release.Namespace }}
 - {{ include "metrics-server.fullname" . }}.{{ .Release.Namespace }}.svc
- - {{ include "metrics-server.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.tls.certManager.clusterDomain }}
+ - {{ include "metrics-server.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.tls.clusterDomain }}
 secretName: {{ include "metrics-server.fullname" . }}
 usages:
 - server auth
diff --git a/charts/metrics-server/templates/extra-manifests.yaml b/charts/metrics-server/templates/extra-manifests.yaml
deleted file mode 100644
index a9bb3b6ba8..0000000000
--- a/charts/metrics-server/templates/extra-manifests.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-{{ range .Values.extraObjects }}
----
-{{ tpl (toYaml .) $ }}
-{{ end }}
diff --git a/charts/metrics-server/values.yaml b/charts/metrics-server/values.yaml
index 3ed6ee638a..bdbc86021c 100644
--- a/charts/metrics-server/values.yaml
+++ b/charts/metrics-server/values.yaml
@@ -176,17 +176,16 @@ deploymentAnnotations: {}
 schedulerName: ""

 tls:
- # Either use `metrics-server`, `secret`, `existingSecret`, `cert-manager` or `helm`. Details:
- # `metrics-server` : Metrics-server will generate self-signed certs
- # `secret` : Create a new secret with user-provided key and certificate
- # `existingSecret` : Reuse an existing secret. No new secret will be created
- # `cert-manager` : Use cert-manager.io to create and maintain the certificate for you
- # `helm` : Helm will generate the certificate
+ # Set the TLS method to use. Supported values:
+ # - `metrics-server` : Metrics-server will generate a self-signed certificate
+ # - `helm` : Helm will generate a self-signed certificate
+ # - `cert-manager` : Use cert-manager.io to create and maintain the certificate
+ # - `existingSecret` : Reuse an existing secret. No new secret will be created
 type: "metrics-server"
+ # Kubernetes cluster domain. Used to configure Subject Alt Names for the certificate
+ clusterDomain: cluster.local

 certManager:
- # Kubernetes cluster domain. Used to configure Subject Alt Names for the certificate
- clusterDomain: cluster.local
 # Automatically add the cert-manager.io/inject-ca-from annotation to the APIService resource.
 # See https://cert-manager.io/docs/concepts/ca-injector
 addInjectorAnnotations: true
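Review bot: Relocating `clusterDomain` from `tls.certManager.clusterDomain` to `tls.clusterDomain` silently breaks anyone who set the old key: Helm does not reject unknown values, so on upgrade their custom domain is ignored, the fully-qualified SAN falls back to `cluster.local`, and any client validating against the `.svc.<domain>` name fails at runtime instead of at install time. A template-level guard makes the migration loud, e.g. at the top of certificate.yaml or apiservice.yaml: `{{- if hasKey .Values.tls.certManager "clusterDomain" }}{{- fail "tls.certManager.clusterDomain has moved to tls.clusterDomain" }}{{- end }}`. A `values.schema.json` with `additionalProperties: false` under `tls.certManager` would catch the same mistake, and since this (together with the removal of `tls.type: secret` and `extraObjects`) is a breaking values change, it warrants a major chart version bump; Chart.yaml is not part of this patch, so that cannot be confirmed here.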
@@ -211,47 +210,3 @@ tls:
 existingSecret:
 # Name of the existing Secret to use for TLS
 name: ""
-
- secret:
- # Add extra annotations to the Secret resource
- annotations: {}
- # Add extra labels to the Secret resource
- labels: {}
- # The server certificate to use for metrics-server. Use PEM format
- crt: ""
- # The private key of the certificate to use for metrics-server. Use PEM format.
- key: ""
-
-# List of extra manifests to deploy. Will be passed through `tpl` to support templating
-extraObjects: []
- # - apiVersion: external-secrets.io/v1beta1
- # kind: ExternalSecret
- # metadata:
- # name: my-external-secret
- # namespace: '{{ .Release.Namespace }}'
- # spec:
- # secretStoreRef:
- # kind: ClusterSecretStore
- # name: my-secret-store
- # target:
- # name: my-kubernetes-secret
- # data:
- # - secretKey: secretKey
- # remoteRef:
- # key: /path/to/my-secret
-
- # - apiVersion: secrets.hashicorp.com/v1beta1
- # kind: VaultStaticSecret
- # metadata:
- # name: my-external-vault-secret
- # namespace: '{{ .Release.Namespace }}'
- # spec:
- # type: kv-v2
- # mount: kvv2
- # path: webapp/config
- # destination:
- # name: secretkv
- # create: true
- # refreshAfter: 30s
- # refreshAfter: 30s
- # vaultAuthRef: static-auth