From 3e6ae535c7319bc69236849a9c9fafa84a7e368c Mon Sep 17 00:00:00 2001
From: Dave Baker
Date: Tue, 4 Jan 2022 13:19:09 +0000
Subject: [PATCH] Fix kustomization template to work with cert-manager

---
 .../overlays/samples/cert-manager/issuer.yaml | 35 ++++++++++++++++++-
 .../samples/cert-manager/kustomization.yaml | 12 +++----
 .../samples/cert-manager/master-cert.yaml | 1 +
 .../overlays/samples/cert-manager/probes.yaml | 26 ++++++++++++++
 docs/get-started/deployment-and-usage.md | 7 ++--
 5 files changed, 68 insertions(+), 13 deletions(-)
 create mode 100644 deployment/overlays/samples/cert-manager/probes.yaml

diff --git a/deployment/overlays/samples/cert-manager/issuer.yaml b/deployment/overlays/samples/cert-manager/issuer.yaml
index 2e523158a..013c67d38 100644
--- a/deployment/overlays/samples/cert-manager/issuer.yaml
+++ b/deployment/overlays/samples/cert-manager/issuer.yaml
@@ -1,3 +1,35 @@
+# See https://cert-manager.io/docs/configuration/selfsigned/#bootstrapping-ca-issuers
+# - Create a self signed issuer
+# - Use this to create a CA cert
+# - Use this to now create a CA issuer
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: nfd-ca-bootstrap
+  namespace: node-feature-discovery
+spec:
+  selfSigned: {}
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: nfd-ca-cert
+  namespace: node-feature-discovery
+spec:
+  isCA: true
+  secretName: nfd-ca-cert
+  subject:
+    organizations:
+    - node-feature-discovery
+  commonName: nfd-ca-cert
+  issuerRef:
+    name: nfd-ca-bootstrap
+    kind: Issuer
+    group: cert-manager.io
+
+---
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
@@ -5,4 +37,5 @@ metadata:
   namespace: node-feature-discovery
 spec:
   ca:
-    secretName: nfd-ca-key-pair
+    secretName: nfd-ca-cert
+
diff --git a/deployment/overlays/samples/cert-manager/kustomization.yaml b/deployment/overlays/samples/cert-manager/kustomization.yaml
index 91aeec66c..0a17efa4d 100644
--- a/deployment/overlays/samples/cert-manager/kustomization.yaml
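Review bot: The `nfd-ca-cert` Certificate in the first hunk leaves `duration`, `renewBefore` and `privateKey` unset, so cert-manager's defaults apply (90-day validity, RSA 2048, renewal at two thirds of the lifetime), whereas the openssl bootstrap this patch replaces used `-days 10000`. Because the component certificates carry the CA's `ca.crt` in their own secrets (the `-tls-ca-cert` paths in probes.yaml read it from there), a renewed self-signed CA leaves components issued before the rotation unable to validate peers issued after it until their own certificates are reissued, as far as I can tell from cert-manager's CA issuer behaviour. Giving the CA an explicit long lifetime and stating this in the comment block is the minimal fix, e.g. under the Certificate's `spec:` add `  duration: 87600h  # 10 years; a renewed CA is not picked up by already-issued component certs`. The second hunk only repoints `ca.secretName` at the cert-manager-managed secret and is consistent with this.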
+++ b/deployment/overlays/samples/cert-manager/kustomization.yaml
@@ -12,13 +12,6 @@ resources:
 generatorOptions:
   disableNameSuffixHash: true
 
-secretGenerator:
-- files:
-  - tls.crt
-  - tls.key
-  name: nfd-ca-key-pair
-  type: kubernetes.io/tls
-
 patches:
 - path: args.yaml
   target:
@@ -32,3 +25,8 @@ patches:
   target:
     labelSelector: app=nfd
     name: nfd-worker
+- path: probes.yaml
+  target:
+    labelSelector: app=nfd
+    name: nfd-master
+
diff --git a/deployment/overlays/samples/cert-manager/master-cert.yaml b/deployment/overlays/samples/cert-manager/master-cert.yaml
index 6ad32d46d..c2247c2ce 100644
--- a/deployment/overlays/samples/cert-manager/master-cert.yaml
+++ b/deployment/overlays/samples/cert-manager/master-cert.yaml
@@ -13,6 +13,7 @@ spec:
   - nfd-master.node-feature-discovery.svc
   - nfd-master.node-feature-discovery.svc.cluster.local
   - nfd-master
+  - localhost # needed for grpc_health_probe
   issuerRef:
     name: nfd-ca-issuer
     kind: Issuer
diff --git a/deployment/overlays/samples/cert-manager/probes.yaml b/deployment/overlays/samples/cert-manager/probes.yaml
new file mode 100644
index 000000000..30c485499
--- /dev/null
+++ b/deployment/overlays/samples/cert-manager/probes.yaml
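Review bot: The new `probes.yaml` entry in the second hunk targets `labelSelector: app=nfd` plus `name: nfd-master` without a `kind`, so if the base also ships a Service named `nfd-master` carrying that label the JSON patch is applied to it as well and fails on the missing `/spec/template` path; adding `    kind: Deployment` under `target:` pins the patch to the workload (the existing `args.yaml` entries share this shape, so it may be a deliberate convention that happens to work with the current base). Removing the `secretGenerator` in the first hunk also leaves `generatorOptions.disableNameSuffixHash` with no generator to act on; harmless, but now dead configuration worth dropping or annotating. The `patches` list the new entry is appended to starts outside this hunk.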
@@ -0,0 +1,26 @@
+- op: add
+  path: /spec/template/spec/containers/0/livenessProbe/exec/command/-
+  value: "-tls"
+- op: add
+  path: /spec/template/spec/containers/0/livenessProbe/exec/command/-
+  value: "-tls-ca-cert=/etc/kubernetes/node-feature-discovery/certs/ca.crt"
+- op: add
+  path: /spec/template/spec/containers/0/livenessProbe/exec/command/-
+  value: "-tls-client-key=/etc/kubernetes/node-feature-discovery/certs/tls.key"
+- op: add
+  path: /spec/template/spec/containers/0/livenessProbe/exec/command/-
+  value: "-tls-client-cert=/etc/kubernetes/node-feature-discovery/certs/tls.crt"
+
+- op: add
+  path: /spec/template/spec/containers/0/readinessProbe/exec/command/-
+  value: "-tls"
+- op: add
+  path: /spec/template/spec/containers/0/readinessProbe/exec/command/-
+  value: "-tls-ca-cert=/etc/kubernetes/node-feature-discovery/certs/ca.crt"
+- op: add
+  path: /spec/template/spec/containers/0/readinessProbe/exec/command/-
+  value: "-tls-client-key=/etc/kubernetes/node-feature-discovery/certs/tls.key"
+- op: add
+  path: /spec/template/spec/containers/0/readinessProbe/exec/command/-
+  value: "-tls-client-cert=/etc/kubernetes/node-feature-discovery/certs/tls.crt"
+
diff --git a/docs/get-started/deployment-and-usage.md b/docs/get-started/deployment-and-usage.md
index 01f443ab8..656dcf27a 100644
--- a/docs/get-started/deployment-and-usage.md
+++ b/docs/get-started/deployment-and-usage.md
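Review bot: Every `add` op appends to `/spec/template/spec/containers/0/{liveness,readiness}Probe/exec/command/-`, which only works if the base nfd-master container 0 already declares both probes as `exec` commands; a JSON-patch append onto a missing path fails the kustomize build, so this overlay is tightly coupled to the base's probe shape and container order and nothing in the file says so. A header comment would make the dependency explicit, e.g. `# Appends TLS flags to the grpc_health_probe exec probes of container 0 in the base nfd-master Deployment; the cert paths must match the certificate volume mount the overlay configures for nfd-master`. The file also ends with an added blank line, as do issuer.yaml and kustomization.yaml in this patch, which yamllint's `empty-lines` rule reports.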
@@ -436,17 +436,14 @@ management between nfd-master and the nfd-worker pods. NFD source code repository contains an example kustomize overlay that can be used to deploy NFD with cert-manager supplied certificates enabled. The -instructions below describe steps how to generate a self-signed CA certificate +instructions below will install cert-manager and generate a self-signed CA certificate and set up cert-manager's [CA Issuer](https://cert-manager.io/docs/configuration/ca/) to sign `Certificate` requests for NFD components in `node-feature-discovery` namespace. ```bash -kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.5.1/cert-manager.yaml -openssl genrsa -out deployment/overlays/samples/cert-manager/tls.key 2048 -openssl req -x509 -new -nodes -key deployment/overlays/samples/cert-manager/tls.key -subj "/CN=nfd-ca" \ - -days 10000 -out deployment/overlays/samples/cert-manager/tls.crt +kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.6.1/cert-manager.yaml kubectl apply -k deployment/overlays/samples/cert-manager ```