mirror of https://github.com/kubernetes-sigs/node-feature-discovery.git synced 2025-03-31 04:04:51 +00:00

Fix kustomization template to work with cert-manager

Dave Baker 2022-01-04 13:19:09 +00:00
parent f3b714adc4
commit 3e6ae535c7
5 changed files with 68 additions and 13 deletions


@ -1,3 +1,35 @@
# See https://cert-manager.io/docs/configuration/selfsigned/#bootstrapping-ca-issuers
# - Create a self signed issuer
# - Use this to create a CA cert
# - Use this to now create a CA issuer
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: nfd-ca-bootstrap
namespace: node-feature-discovery
spec:
selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: nfd-ca-cert
namespace: node-feature-discovery
spec:
isCA: true
secretName: nfd-ca-cert
subject:
organizations:
- node-feature-discovery
commonName: nfd-ca-cert
issuerRef:
name: nfd-ca-bootstrap
kind: Issuer
group: cert-manager.io
---
apiVersion: cert-manager.io/v1 apiVersion: cert-manager.io/v1
kind: Issuer kind: Issuer
metadata: metadata:
@ -5,4 +37,5 @@ metadata:
namespace: node-feature-discovery namespace: node-feature-discovery
spec: spec:
ca: ca:
secretName: nfd-ca-key-pair secretName: nfd-ca-cert
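Review bot: The new `nfd-ca-cert` Certificate sets neither `duration` nor `privateKey`, so the CA takes cert-manager's defaults (90 days validity, as far as I know), whereas the openssl commands this commit removes from the docs created a CA valid for 10000 days. When cert-manager renews the CA, the leaf secrets presumably keep the old `ca.crt` until they are reissued themselves, so nfd-master and nfd-worker could stop trusting each other around a renewal. I would give the CA an explicit lifetime, for example `duration: 8760h`, and an explicit `privateKey` algorithm and size. The header comment should also say how leaf certificates are expected to pick up a rotated CA.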


@ -12,13 +12,6 @@ resources:
generatorOptions: generatorOptions:
disableNameSuffixHash: true disableNameSuffixHash: true
secretGenerator:
- files:
- tls.crt
- tls.key
name: nfd-ca-key-pair
type: kubernetes.io/tls
patches: patches:
- path: args.yaml - path: args.yaml
target: target:
@ -32,3 +25,8 @@ patches:
target: target:
labelSelector: app=nfd labelSelector: app=nfd
name: nfd-worker name: nfd-worker
- path: probes.yaml
target:
labelSelector: app=nfd
name: nfd-master


@ -13,6 +13,7 @@ spec:
- nfd-master.node-feature-discovery.svc - nfd-master.node-feature-discovery.svc
- nfd-master.node-feature-discovery.svc.cluster.local - nfd-master.node-feature-discovery.svc.cluster.local
- nfd-master - nfd-master
- localhost # needed for grpc_health_probe
issuerRef: issuerRef:
name: nfd-ca-issuer name: nfd-ca-issuer
kind: Issuer kind: Issuer
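Review bot: Adding `localhost` to `dnsNames` widens what this serving certificate is valid for, only so that the health probe's hostname check passes. grpc_health_probe has a `-tls-server-name` option, so the probe arguments could instead carry `-tls-server-name=nfd-master` and the certificate could stay limited to the service names. If the SAN is kept, the inline comment should say that the probe dials localhost and verifies the server name against the certificate. The `spec` mapping starts above the hunk, so which Certificate this is can only be inferred from the listed names.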


@ -0,0 +1,26 @@
- op: add
path: /spec/template/spec/containers/0/livenessProbe/exec/command/-
value: "-tls"
- op: add
path: /spec/template/spec/containers/0/livenessProbe/exec/command/-
value: "-tls-ca-cert=/etc/kubernetes/node-feature-discovery/certs/ca.crt"
- op: add
path: /spec/template/spec/containers/0/livenessProbe/exec/command/-
value: "-tls-client-key=/etc/kubernetes/node-feature-discovery/certs/tls.key"
- op: add
path: /spec/template/spec/containers/0/livenessProbe/exec/command/-
value: "-tls-client-cert=/etc/kubernetes/node-feature-discovery/certs/tls.crt"
- op: add
path: /spec/template/spec/containers/0/readinessProbe/exec/command/-
value: "-tls"
- op: add
path: /spec/template/spec/containers/0/readinessProbe/exec/command/-
value: "-tls-ca-cert=/etc/kubernetes/node-feature-discovery/certs/ca.crt"
- op: add
path: /spec/template/spec/containers/0/readinessProbe/exec/command/-
value: "-tls-client-key=/etc/kubernetes/node-feature-discovery/certs/tls.key"
- op: add
path: /spec/template/spec/containers/0/readinessProbe/exec/command/-
value: "-tls-client-cert=/etc/kubernetes/node-feature-discovery/certs/tls.crt"
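Review bot: Both probes present the key pair under `/etc/kubernetes/node-feature-discovery/certs` (`tls.key`/`tls.crt`), which looks like the master's own serving certificate, as the client certificate. Nothing in the file says why that is acceptable or what nfd-master checks on the client side. The patch also addresses the container by position (`containers/0`) and appends with `command/-`, which only applies cleanly while the base defines exec probes on the first container. I would add a header comment: `# Assumes nfd-master is containers[0] and the base defines exec liveness/readiness probes (grpc_health_probe); reuses the serving cert as the probe's client cert.`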


@ -436,17 +436,14 @@ management between nfd-master and the nfd-worker pods.
NFD source code repository contains an example kustomize overlay that can be NFD source code repository contains an example kustomize overlay that can be
used to deploy NFD with cert-manager supplied certificates enabled. The used to deploy NFD with cert-manager supplied certificates enabled. The
instructions below describe steps how to generate a self-signed CA certificate instructions below will install cert-manager and generate a self-signed CA certificate
and set up cert-manager's and set up cert-manager's
[CA Issuer](https://cert-manager.io/docs/configuration/ca/) to sign [CA Issuer](https://cert-manager.io/docs/configuration/ca/) to sign
`Certificate` requests for NFD components in `node-feature-discovery` `Certificate` requests for NFD components in `node-feature-discovery`
namespace. namespace.
```bash ```bash
kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.5.1/cert-manager.yaml kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.6.1/cert-manager.yaml
openssl genrsa -out deployment/overlays/samples/cert-manager/tls.key 2048
openssl req -x509 -new -nodes -key deployment/overlays/samples/cert-manager/tls.key -subj "/CN=nfd-ca" \
-days 10000 -out deployment/overlays/samples/cert-manager/tls.crt
kubectl apply -k deployment/overlays/samples/cert-manager kubectl apply -k deployment/overlays/samples/cert-manager
``` ```