kustomize: add support for cert-manager

Add an example kustomize overlay for enabling cert-manager in an NFD
deployment.

deployment/overlays/samples/cert-manager/args.yaml

@@ -0,0 +1,9 @@
+- op: add
+  path: /spec/template/spec/containers/0/args/-
+  value: "-ca-file=/etc/kubernetes/node-feature-discovery/certs/ca.crt"
+- op: add
+  path: /spec/template/spec/containers/0/args/-
+  value: "-key-file=/etc/kubernetes/node-feature-discovery/certs/tls.key"
+- op: add
+  path: /spec/template/spec/containers/0/args/-
+  value: "-cert-file=/etc/kubernetes/node-feature-discovery/certs/tls.crt"

deployment/overlays/samples/cert-manager/issuer.yaml

@@ -0,0 +1,8 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: nfd-ca-issuer
+  namespace: node-feature-discovery
+spec:
+  ca:
+    secretName: nfd-ca-key-pair

deployment/overlays/samples/cert-manager/kustomization.yaml

@@ -0,0 +1,34 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: node-feature-discovery
+
+resources:
+- ../../default
+- issuer.yaml
+- master-cert.yaml
+- workers-cert.yaml
+
+generatorOptions:
+  disableNameSuffixHash: true
+
+secretGenerator:
+- files:
+  - tls.crt
+  - tls.key
+  name: nfd-ca-key-pair
+  type: kubernetes.io/tls
+
+patches:
+- path: args.yaml
+  target:
+    labelSelector: app=nfd
+    name: nfd.*
+- path: master-mounts.yaml
+  target:
+    labelSelector: app=nfd
+    name: nfd-master
+- path: worker-mounts.yaml
+  target:
+    labelSelector: app=nfd
+    name: nfd-worker

deployment/overlays/samples/cert-manager/master-cert.yaml

@@ -0,0 +1,19 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: nfd-master-cert
+  namespace: node-feature-discovery
+spec:
+  secretName: nfd-master-cert
+  subject:
+    organizations:
+    - node-feature-discovery
+  commonName: nfd-master
+  dnsNames:
+  - nfd-master.node-feature-discovery.svc
+  - nfd-master.node-feature-discovery.svc.cluster.local
+  - nfd-master
+  issuerRef:
+    name: nfd-ca-issuer
+    kind: Issuer
+    group: cert-manager.io

deployment/overlays/samples/cert-manager/master-mounts.yaml

@@ -0,0 +1,13 @@
+- op: add
+  path: /spec/template/spec/volumes/-
+  value:
+    name: nfd-master-cert
+    secret:
+      secretName: nfd-master-cert
+
+- op: add
+  path: /spec/template/spec/containers/0/volumeMounts/-
+  value:
+    name: nfd-master-cert
+    mountPath: /etc/kubernetes/node-feature-discovery/certs
+    readOnly: true

deployment/overlays/samples/cert-manager/worker-mounts.yaml

@@ -0,0 +1,13 @@
+- op: add
+  path: /spec/template/spec/volumes/-
+  value:
+    name: nfd-worker-cert
+    secret:
+      secretName: nfd-worker-cert
+
+- op: add
+  path: /spec/template/spec/containers/0/volumeMounts/-
+  value:
+    name: nfd-worker-cert
+    mountPath: /etc/kubernetes/node-feature-discovery/certs
+    readOnly: true

deployment/overlays/samples/cert-manager/workers-cert.yaml

@@ -0,0 +1,17 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: nfd-workers-cert
+  namespace: node-feature-discovery
+spec:
+  secretName: nfd-worker-cert
+  subject:
+    organizations:
+    - node-feature-discovery
+  commonName: nfd-worker
+  dnsNames:
+  - nfd-worker.node-feature-discovery.svc.cluster.local
+  issuerRef:
+    name: nfd-ca-issuer
+    kind: Issuer
+    group: cert-manager.io