Refactor CA Logic (#84)

The way this was done was a little half-baked, everything was separate
except the self-signed issuer, which would lead to really confusing
logic to enable it based on both whether it was required by the client
CA or server CA, compounded by the fact the server CA needed to generate
it in different circumstanes whether or not the CA was provided from an
external source.  This separates concerns, so the logic is vastly
simplified, and makes client CA stuff un-conditional, as they are all
internal anyway and not accessed by a browser.

charts/core/Chart.yaml

@@ -4,8 +4,8 @@ description: A Helm chart for deploying Unikorn Core
 
 type: application
 
-version: v0.1.74
-appVersion: v0.1.74
+version: v0.1.75
+appVersion: v0.1.75
 
 icon: https://assets.unikorn-cloud.org/images/logos/dark-on-light/icon.svg
 

charts/core/templates/client-certificate.yaml → charts/core/templates/client-ca/certificate.yaml

@@ -1,4 +1,3 @@
-{{- if (and .Values.clientCA .Values.clientCA.enabled .Values.clientCA.generate) }}
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
@@ -10,7 +9,7 @@ spec:
   issuerRef:
     group: cert-manager.io
     kind: Issuer
-    name: unikorn-self-signed-issuer
+    name: unikorn-self-signed-client-issuer
   privateKey:
     algorithm: RSA
     encoding: PKCS8
@@ -19,4 +18,3 @@ spec:
   isCA: true
   commonName: Unikorn Client CA
   duration: 87600h
-{{- end }}

charts/core/templates/client-clusterissuer.yaml → charts/core/templates/client-ca/clusterissuer.yaml

@@ -1,4 +1,3 @@
-{{- if (and .Values.ca .Values.ca.enabled) }}
 apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
 metadata:
@@ -8,4 +7,3 @@ metadata:
 spec:
   ca:
     secretName: unikorn-client-ca
-{{- end }}

charts/core/templates/client-ca/issuer.yaml

@@ -0,0 +1,9 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: unikorn-self-signed-client-issuer
+  namespace: {{ .Values.certManager.namespace }}
+  labels:
+    {{- include "unikorn.labels" . | nindent 4 }}
+spec:
+  selfSigned: {}

charts/core/values.yaml

@@ -21,16 +21,3 @@ ca:
   # These must be base64 encoded strings.
   # certificate: SSBhbSBjb21wbGV0ZSBub25zZW5zZS4gIFRoYW5rIHlvdSBmb3IgcmVhZGluZyB0aGlzLiAgR2V0IGEgbGlmZSE=
   # privateKey: SSBhbSBjb21wbGV0ZSBub25zZW5zZS4gIFRoYW5rIHlvdSBmb3IgcmVhZGluZyB0aGlzLiAgR2V0IGEgbGlmZSE=
-
-# Unikorn uses mTLS for credentialless authentication between componets.  This is
-# only used in asynchronous controllers where a user access token is not availabile.
-clientCA:
-  # Enable CA and issuer creation.
-  enabled: true
-
-  # Generate a self signed CA.
-  # This is typically used at a single site to act as the trust root.
-  # You will need to (somehow) distribute this to other sites so that services
-  # can issue certificates as the CA is rotated.  The other option is to just
-  # issue them here at the root and distribute then to the services themselves.
-  generate: true