[Feature] CertManager Integration (#1778)

CHANGELOG.md

@@ -31,6 +31,7 @@
 - (Feature) (Networking) Pass through Server Header
 - (Feature) (Platform) Shutdown migration to CE
 - (Feature) (Scheduler) Shutdown Integration
+- (Feature) CertManager Integration
 
 ## [1.2.43](https://github.com/arangodb/kube-arangodb/tree/1.2.43) (2024-10-14)
 - (Feature) ArangoRoute CRD

chart/kube-arangodb-arm64/templates/certificates/ca.yaml

@@ -0,0 +1,22 @@
+{{ if .Values.certificate.enabled -}}
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ template "kube-arangodb.operatorName" . }}-ca
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ template "kube-arangodb.name" . }}
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    release: {{ .Release.Name }}
+spec:
+  secretName: {{ template "kube-arangodb.operatorName" . }}-ca
+  duration: {{ .Values.certificate.ca.duration }}
+  issuerRef:
+    name: {{ template "kube-arangodb.operatorName" . }}-ca
+  commonName: {{ .Values.certificate.ca.commonName }}
+  isCA: true
+
+{{- end }}

chart/kube-arangodb-arm64/templates/certificates/certificate.yaml

@@ -0,0 +1,24 @@
+{{ if .Values.certificate.enabled -}}
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ template "kube-arangodb.operatorName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ template "kube-arangodb.name" . }}
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    release: {{ .Release.Name }}
+spec:
+  secretName: {{ template "kube-arangodb.operatorName" . }}-cert
+  duration: {{ .Values.certificate.cert.duration }}
+  issuerRef:
+    name: {{ template "kube-arangodb.operatorName" . }}
+  dnsNames:
+    - {{ template "kube-arangodb.operatorName" . }}
+    - {{ template "kube-arangodb.operatorName" . }}.{{ .Release.Namespace }}
+    - {{ template "kube-arangodb.operatorName" . }}.{{ .Release.Namespace }}.svc
+
+{{- end }}

chart/kube-arangodb-arm64/templates/certificates/issuer.ca.yaml

@@ -0,0 +1,17 @@
+{{ if .Values.certificate.enabled -}}
+
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ template "kube-arangodb.operatorName" . }}-ca
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ template "kube-arangodb.name" . }}
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    release: {{ .Release.Name }}
+spec:
+  selfSigned: {}
+
+{{- end }}

chart/kube-arangodb-arm64/templates/certificates/issuer.yaml

@@ -0,0 +1,18 @@
+{{ if .Values.certificate.enabled -}}
+
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ template "kube-arangodb.operatorName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ template "kube-arangodb.name" . }}
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    release: {{ .Release.Name }}
+spec:
+  ca:
+    secretName: {{ template "kube-arangodb.operatorName" . }}-ca
+
+{{- end }}

chart/kube-arangodb-arm64/templates/deployment.yaml

@@ -93,6 +93,10 @@ spec:
                   image: {{ .Values.operator.image }}
                   args:
                     - --scope={{ .Values.operator.scope }}
+{{- if .Values.certificate.enabled }}
+                    - --server.tls-secret-name={{ template "kube-arangodb.operatorName" . }}-cert
+                    - --api.tls-secret-name={{ template "kube-arangodb.operatorName" . }}-cert
+{{- end -}}
 {{- if .Values.operator.features.deployment }}
                     - --operator.deployment
 {{- end -}}

chart/kube-arangodb-arm64/values.yaml

@@ -44,3 +44,10 @@ rbac:
     acs: true
     at: true
     debug: false
+certificate:
+  enabled: false
+  ca:
+    duration: 43800h
+    commonName: "kube-arangodb.operator.cert"
+  cert:
+    duration: 8760h

chart/kube-arangodb-enterprise-arm64/templates/certificates/ca.yaml

@@ -0,0 +1,22 @@
+{{ if .Values.certificate.enabled -}}
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ template "kube-arangodb.operatorName" . }}-ca
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ template "kube-arangodb.name" . }}
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    release: {{ .Release.Name }}
+spec:
+  secretName: {{ template "kube-arangodb.operatorName" . }}-ca
+  duration: {{ .Values.certificate.ca.duration }}
+  issuerRef:
+    name: {{ template "kube-arangodb.operatorName" . }}-ca
+  commonName: {{ .Values.certificate.ca.commonName }}
+  isCA: true
+
+{{- end }}

chart/kube-arangodb-enterprise-arm64/templates/certificates/certificate.yaml

@@ -0,0 +1,24 @@
+{{ if .Values.certificate.enabled -}}
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ template "kube-arangodb.operatorName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ template "kube-arangodb.name" . }}
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    release: {{ .Release.Name }}
+spec:
+  secretName: {{ template "kube-arangodb.operatorName" . }}-cert
+  duration: {{ .Values.certificate.cert.duration }}
+  issuerRef:
+    name: {{ template "kube-arangodb.operatorName" . }}
+  dnsNames:
+    - {{ template "kube-arangodb.operatorName" . }}
+    - {{ template "kube-arangodb.operatorName" . }}.{{ .Release.Namespace }}
+    - {{ template "kube-arangodb.operatorName" . }}.{{ .Release.Namespace }}.svc
+
+{{- end }}

chart/kube-arangodb-enterprise-arm64/templates/certificates/issuer.ca.yaml

@@ -0,0 +1,17 @@
+{{ if .Values.certificate.enabled -}}
+
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ template "kube-arangodb.operatorName" . }}-ca
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ template "kube-arangodb.name" . }}
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    release: {{ .Release.Name }}
+spec:
+  selfSigned: {}
+
+{{- end }}

chart/kube-arangodb-enterprise-arm64/templates/certificates/issuer.yaml

@@ -0,0 +1,18 @@
+{{ if .Values.certificate.enabled -}}
+
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ template "kube-arangodb.operatorName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ template "kube-arangodb.name" . }}
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    release: {{ .Release.Name }}
+spec:
+  ca:
+    secretName: {{ template "kube-arangodb.operatorName" . }}-ca
+
+{{- end }}

chart/kube-arangodb-enterprise-arm64/templates/deployment.yaml

@@ -93,6 +93,10 @@ spec:
                   image: {{ .Values.operator.image }}
                   args:
                     - --scope={{ .Values.operator.scope }}
+{{- if .Values.certificate.enabled }}
+                    - --server.tls-secret-name={{ template "kube-arangodb.operatorName" . }}-cert
+                    - --api.tls-secret-name={{ template "kube-arangodb.operatorName" . }}-cert
+{{- end -}}
 {{- if .Values.operator.features.deployment }}
                     - --operator.deployment
 {{- end -}}

chart/kube-arangodb-enterprise-arm64/values.yaml

@@ -44,3 +44,10 @@ rbac:
     acs: true
     at: true
     debug: false
+certificate:
+  enabled: false
+  ca:
+    duration: 43800h
+    commonName: "kube-arangodb.operator.cert"
+  cert:
+    duration: 8760h

chart/kube-arangodb-enterprise/templates/certificates/ca.yaml

@@ -0,0 +1,22 @@
+{{ if .Values.certificate.enabled -}}
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ template "kube-arangodb.operatorName" . }}-ca
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ template "kube-arangodb.name" . }}
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    release: {{ .Release.Name }}
+spec:
+  secretName: {{ template "kube-arangodb.operatorName" . }}-ca
+  duration: {{ .Values.certificate.ca.duration }}
+  issuerRef:
+    name: {{ template "kube-arangodb.operatorName" . }}-ca
+  commonName: {{ .Values.certificate.ca.commonName }}
+  isCA: true
+
+{{- end }}

chart/kube-arangodb-enterprise/templates/certificates/certificate.yaml

@@ -0,0 +1,24 @@
+{{ if .Values.certificate.enabled -}}
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ template "kube-arangodb.operatorName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ template "kube-arangodb.name" . }}
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    release: {{ .Release.Name }}
+spec:
+  secretName: {{ template "kube-arangodb.operatorName" . }}-cert
+  duration: {{ .Values.certificate.cert.duration }}
+  issuerRef:
+    name: {{ template "kube-arangodb.operatorName" . }}
+  dnsNames:
+    - {{ template "kube-arangodb.operatorName" . }}
+    - {{ template "kube-arangodb.operatorName" . }}.{{ .Release.Namespace }}
+    - {{ template "kube-arangodb.operatorName" . }}.{{ .Release.Namespace }}.svc
+
+{{- end }}

chart/kube-arangodb-enterprise/templates/certificates/issuer.ca.yaml

@@ -0,0 +1,17 @@
+{{ if .Values.certificate.enabled -}}
+
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ template "kube-arangodb.operatorName" . }}-ca
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ template "kube-arangodb.name" . }}
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    release: {{ .Release.Name }}
+spec:
+  selfSigned: {}
+
+{{- end }}

chart/kube-arangodb-enterprise/templates/certificates/issuer.yaml

@@ -0,0 +1,18 @@
+{{ if .Values.certificate.enabled -}}
+
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ template "kube-arangodb.operatorName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ template "kube-arangodb.name" . }}
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    release: {{ .Release.Name }}
+spec:
+  ca:
+    secretName: {{ template "kube-arangodb.operatorName" . }}-ca
+
+{{- end }}

chart/kube-arangodb-enterprise/templates/deployment.yaml

@@ -93,6 +93,10 @@ spec:
                   image: {{ .Values.operator.image }}
                   args:
                     - --scope={{ .Values.operator.scope }}
+{{- if .Values.certificate.enabled }}
+                    - --server.tls-secret-name={{ template "kube-arangodb.operatorName" . }}-cert
+                    - --api.tls-secret-name={{ template "kube-arangodb.operatorName" . }}-cert
+{{- end -}}
 {{- if .Values.operator.features.deployment }}
                     - --operator.deployment
 {{- end -}}

chart/kube-arangodb-enterprise/values.yaml

@@ -44,3 +44,10 @@ rbac:
     acs: true
     at: true
     debug: false
+certificate:
+  enabled: false
+  ca:
+    duration: 43800h
+    commonName: "kube-arangodb.operator.cert"
+  cert:
+    duration: 8760h

chart/kube-arangodb/templates/certificates/ca.yaml

@@ -0,0 +1,22 @@
+{{ if .Values.certificate.enabled -}}
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ template "kube-arangodb.operatorName" . }}-ca
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ template "kube-arangodb.name" . }}
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    release: {{ .Release.Name }}
+spec:
+  secretName: {{ template "kube-arangodb.operatorName" . }}-ca
+  duration: {{ .Values.certificate.ca.duration }}
+  issuerRef:
+    name: {{ template "kube-arangodb.operatorName" . }}-ca
+  commonName: {{ .Values.certificate.ca.commonName }}
+  isCA: true
+
+{{- end }}

chart/kube-arangodb/templates/certificates/certificate.yaml

@@ -0,0 +1,24 @@
+{{ if .Values.certificate.enabled -}}
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ template "kube-arangodb.operatorName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ template "kube-arangodb.name" . }}
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    release: {{ .Release.Name }}
+spec:
+  secretName: {{ template "kube-arangodb.operatorName" . }}-cert
+  duration: {{ .Values.certificate.cert.duration }}
+  issuerRef:
+    name: {{ template "kube-arangodb.operatorName" . }}
+  dnsNames:
+    - {{ template "kube-arangodb.operatorName" . }}
+    - {{ template "kube-arangodb.operatorName" . }}.{{ .Release.Namespace }}
+    - {{ template "kube-arangodb.operatorName" . }}.{{ .Release.Namespace }}.svc
+
+{{- end }}

chart/kube-arangodb/templates/certificates/issuer.ca.yaml

@@ -0,0 +1,17 @@
+{{ if .Values.certificate.enabled -}}
+
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ template "kube-arangodb.operatorName" . }}-ca
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ template "kube-arangodb.name" . }}
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    release: {{ .Release.Name }}
+spec:
+  selfSigned: {}
+
+{{- end }}

chart/kube-arangodb/templates/certificates/issuer.yaml

@@ -0,0 +1,18 @@
+{{ if .Values.certificate.enabled -}}
+
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ template "kube-arangodb.operatorName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ template "kube-arangodb.name" . }}
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    release: {{ .Release.Name }}
+spec:
+  ca:
+    secretName: {{ template "kube-arangodb.operatorName" . }}-ca
+
+{{- end }}

chart/kube-arangodb/templates/deployment.yaml

@@ -93,6 +93,10 @@ spec:
                   image: {{ .Values.operator.image }}
                   args:
                     - --scope={{ .Values.operator.scope }}
+{{- if .Values.certificate.enabled }}
+                    - --server.tls-secret-name={{ template "kube-arangodb.operatorName" . }}-cert
+                    - --api.tls-secret-name={{ template "kube-arangodb.operatorName" . }}-cert
+{{- end -}}
 {{- if .Values.operator.features.deployment }}
                     - --operator.deployment
 {{- end -}}

chart/kube-arangodb/values.yaml

@@ -45,3 +45,10 @@ rbac:
     acs: true
     at: true
     debug: false
+certificate:
+  enabled: false
+  ca:
+    duration: 43800h
+    commonName: "kube-arangodb.operator.cert"
+  cert:
+    duration: 8760h

docs/helm.md

@@ -130,6 +130,31 @@ Define if RBAC should be enabled.
 
 Default: `true`
 
+### `certificate.enabled`
+
+Define if Cert via CertManager should be enabled.
+
+Default: `false`
+
+### `certificate.ca.duration`
+
+CA Duration.
+
+Default: `43800h`
+
+### `certificate.ca.commonName`
+
+CA CommonName.
+
+Default: `kube-arangodb.operator.cert`
+
+### `certificate.cert.duration`
+
+Cert Duration.
+
+Default: `8760h`
+
+
 ## Alternate namespaces
 
 The `kube-arangodb` chart supports deployment into a non-default namespace.

pkg/server/server.go

@@ -110,7 +110,7 @@ func NewServer(cli typedCore.CoreV1Interface, cfg Config, deps Dependencies) (*S
 
 	var cert, key string
 	if cfg.TLSSecretName != "" && cfg.TLSSecretNamespace != "" {
-		// Load TLS certificate from secret
+		serverLogger.Str("addr", cfg.Address).Str("secret", cfg.TLSSecretName).Str("secret-namespace", cfg.TLSSecretNamespace).Info("Using existing TLS Certificate")
 		s, err := cli.Secrets(cfg.TLSSecretNamespace).Get(context.Background(), cfg.TLSSecretName, meta.GetOptions{})
 		if err != nil {
 			return nil, errors.WithStack(err)
@@ -126,7 +126,7 @@ func NewServer(cli typedCore.CoreV1Interface, cfg Config, deps Dependencies) (*S
 		cert = string(certBytes)
 		key = string(keyBytes)
 	} else {
-		// Secret not specified, create our own TLS certificate
+		serverLogger.Str("addr", cfg.Address).Info("Using SelfSigned TLS Certificate")
 		options := certificates.CreateCertificateOptions{
 			CommonName: cfg.PodName,
 			Hosts:      []string{cfg.PodName, cfg.PodIP},