Merge pull request #712 from dbaker-rh/helm-certs
Enable TLS and cert-manager created certs for helm chart
This commit is contained in:
commit
ec15f4f24c
7 changed files with 179 additions and 47 deletions
|
@ -0,0 +1,64 @@
|
||||||
|
{{- if .Values.tls.certManager }}
|
||||||
|
---
|
||||||
|
apiVersion: cert-manager.io/v1
|
||||||
|
kind: Certificate
|
||||||
|
metadata:
|
||||||
|
name: nfd-master-cert
|
||||||
|
spec:
|
||||||
|
secretName: nfd-master-cert
|
||||||
|
subject:
|
||||||
|
organizations:
|
||||||
|
- node-feature-discovery
|
||||||
|
commonName: nfd-master
|
||||||
|
dnsNames:
|
||||||
|
# must match the service name
|
||||||
|
- {{ include "node-feature-discovery.fullname" . }}-master
|
||||||
|
# first one is configured for use by the worker; below are for completeness
|
||||||
|
- {{ include "node-feature-discovery.fullname" . }}-master.{{ $.Release.Namespace }}.svc
|
||||||
|
- {{ include "node-feature-discovery.fullname" . }}-master.{{ $.Release.Namespace }}.svc.cluster.local
|
||||||
|
# localhost needed for grpc_health_probe
|
||||||
|
- localhost
|
||||||
|
issuerRef:
|
||||||
|
name: nfd-ca-issuer
|
||||||
|
kind: Issuer
|
||||||
|
group: cert-manager.io
|
||||||
|
|
||||||
|
---
|
||||||
|
apiVersion: cert-manager.io/v1
|
||||||
|
kind: Certificate
|
||||||
|
metadata:
|
||||||
|
name: nfd-worker-cert
|
||||||
|
spec:
|
||||||
|
secretName: nfd-worker-cert
|
||||||
|
subject:
|
||||||
|
organizations:
|
||||||
|
- node-feature-discovery
|
||||||
|
commonName: nfd-worker
|
||||||
|
dnsNames:
|
||||||
|
- {{ include "node-feature-discovery.fullname" . }}-worker.{{ $.Release.Namespace }}.svc.cluster.local
|
||||||
|
issuerRef:
|
||||||
|
name: nfd-ca-issuer
|
||||||
|
kind: Issuer
|
||||||
|
group: cert-manager.io
|
||||||
|
|
||||||
|
{{- if .Values.topologyUpdater.enable }}
|
||||||
|
---
|
||||||
|
apiVersion: cert-manager.io/v1
|
||||||
|
kind: Certificate
|
||||||
|
metadata:
|
||||||
|
name: nfd-topology-updater-cert
|
||||||
|
spec:
|
||||||
|
secretName: nfd-topology-updater-cert
|
||||||
|
subject:
|
||||||
|
organizations:
|
||||||
|
- node-feature-discovery
|
||||||
|
commonName: nfd-topology-updater
|
||||||
|
dnsNames:
|
||||||
|
- {{ include "node-feature-discovery.fullname" . }}-topology-updater.{{ $.Release.Namespace }}.svc.cluster.local
|
||||||
|
issuerRef:
|
||||||
|
name: nfd-ca-issuer
|
||||||
|
kind: Issuer
|
||||||
|
group: cert-manager.io
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- end }}
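Review bot: None of the three `kind: Certificate` resources sets `usages`, so the key-usage/EKU of the issued certs falls back to cert-manager's defaults (digital signature and key encipherment, as far as I recall; confirm for the installed version) instead of stating which side each identity is for. nfd-master both serves and, through grpc_health_probe, presents its own `tls.crt` as a client certificate, so it wants `usages: ["server auth", "client auth"]`, while the worker and topology-updater certs only need `usages: ["client auth"]`; pinning these also keeps the `localhost` SAN on the master cert, which exists only for the in-pod probe, from doubling as a general-purpose identity. The `issuerRef` block and `subject.organizations` are repeated verbatim three times; a small named template would keep them from drifting apart.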
|
|
@ -0,0 +1,39 @@
|
||||||
|
{{- if .Values.tls.certManager }}
|
||||||
|
# See https://cert-manager.io/docs/configuration/selfsigned/#bootstrapping-ca-issuers
|
||||||
|
# - Create a self signed issuer
|
||||||
|
# - Use this to create a CA cert
|
||||||
|
# - Use this to now create a CA issuer
|
||||||
|
---
|
||||||
|
apiVersion: cert-manager.io/v1
|
||||||
|
kind: Issuer
|
||||||
|
metadata:
|
||||||
|
name: nfd-ca-bootstrap
|
||||||
|
spec:
|
||||||
|
selfSigned: {}
|
||||||
|
|
||||||
|
---
|
||||||
|
apiVersion: cert-manager.io/v1
|
||||||
|
kind: Certificate
|
||||||
|
metadata:
|
||||||
|
name: nfd-ca-cert
|
||||||
|
spec:
|
||||||
|
isCA: true
|
||||||
|
secretName: nfd-ca-cert
|
||||||
|
subject:
|
||||||
|
organizations:
|
||||||
|
- node-feature-discovery
|
||||||
|
commonName: nfd-ca-cert
|
||||||
|
issuerRef:
|
||||||
|
name: nfd-ca-bootstrap
|
||||||
|
kind: Issuer
|
||||||
|
group: cert-manager.io
|
||||||
|
|
||||||
|
---
|
||||||
|
apiVersion: cert-manager.io/v1
|
||||||
|
kind: Issuer
|
||||||
|
metadata:
|
||||||
|
name: nfd-ca-issuer
|
||||||
|
spec:
|
||||||
|
ca:
|
||||||
|
secretName: nfd-ca-cert
|
||||||
|
{{- end }}
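Review bot: The CA `Certificate` `nfd-ca-cert` has no `duration`/`renewBefore`, so it gets cert-manager's default lifetime (90 days, if I remember correctly), the same as the leaves it signs; when it rolls over, the `ca.crt` already copied into each leaf Secret and mounted in the pods is only refreshed when that leaf renews, and nothing in this change restarts or reloads the pods, so check how nfd treats a changed cert on disk before relying on rotation. Give the CA an explicit lifetime well beyond the leaves, e.g. `duration: 87600h` with `renewBefore: 8760h`. A comment above the `nfd-ca-issuer` Issuer is also worth adding: `# The CA private key lives in Secret nfd-ca-cert; anyone who can read that Secret can mint client certs the master trusts.`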
|
|
@ -34,12 +34,28 @@ spec:
|
||||||
imagePullPolicy: {{ .Values.image.pullPolicy }}
|
imagePullPolicy: {{ .Values.image.pullPolicy }}
|
||||||
livenessProbe:
|
livenessProbe:
|
||||||
exec:
|
exec:
|
||||||
command: ["/usr/bin/grpc_health_probe", "-addr=:8080"]
|
command:
|
||||||
|
- "/usr/bin/grpc_health_probe"
|
||||||
|
- "-addr=:8080"
|
||||||
|
{{- if .Values.tls.enable }}
|
||||||
|
- "-tls"
|
||||||
|
- "-tls-ca-cert=/etc/kubernetes/node-feature-discovery/certs/ca.crt"
|
||||||
|
- "-tls-client-key=/etc/kubernetes/node-feature-discovery/certs/tls.key"
|
||||||
|
- "-tls-client-cert=/etc/kubernetes/node-feature-discovery/certs/tls.crt"
|
||||||
|
{{- end }}
|
||||||
initialDelaySeconds: 10
|
initialDelaySeconds: 10
|
||||||
periodSeconds: 10
|
periodSeconds: 10
|
||||||
readinessProbe:
|
readinessProbe:
|
||||||
exec:
|
exec:
|
||||||
command: ["/usr/bin/grpc_health_probe", "-addr=:8080"]
|
command:
|
||||||
|
- "/usr/bin/grpc_health_probe"
|
||||||
|
- "-addr=:8080"
|
||||||
|
{{- if .Values.tls.enable }}
|
||||||
|
- "-tls"
|
||||||
|
- "-tls-ca-cert=/etc/kubernetes/node-feature-discovery/certs/ca.crt"
|
||||||
|
- "-tls-client-key=/etc/kubernetes/node-feature-discovery/certs/tls.key"
|
||||||
|
- "-tls-client-cert=/etc/kubernetes/node-feature-discovery/certs/tls.crt"
|
||||||
|
{{- end }}
|
||||||
initialDelaySeconds: 5
|
initialDelaySeconds: 5
|
||||||
periodSeconds: 10
|
periodSeconds: 10
|
||||||
failureThreshold: 10
|
failureThreshold: 10
|
||||||
|
@ -63,30 +79,20 @@ spec:
|
||||||
- "--extra-label-ns={{- join "," .Values.master.extraLabelNs }}"
|
- "--extra-label-ns={{- join "," .Values.master.extraLabelNs }}"
|
||||||
{{- end }}
|
{{- end }}
|
||||||
- "-featurerules-controller={{ .Values.master.featureRulesController }}"
|
- "-featurerules-controller={{ .Values.master.featureRulesController }}"
|
||||||
## Enable TLS authentication
|
{{- if .Values.tls.enable }}
|
||||||
## The example below assumes having the root certificate named ca.crt stored in
|
- "--ca-file=/etc/kubernetes/node-feature-discovery/certs/ca.crt"
|
||||||
## a ConfigMap named nfd-ca-cert, and, the TLS authentication credentials stored
|
- "--key-file=/etc/kubernetes/node-feature-discovery/certs/tls.key"
|
||||||
## in a TLS Secret named nfd-master-cert.
|
- "--cert-file=/etc/kubernetes/node-feature-discovery/certs/tls.crt"
|
||||||
## Additional hardening can be enabled by specifying --verify-node-name in
|
volumeMounts:
|
||||||
## args, in which case node name will be checked against the worker's
|
- name: nfd-master-cert
|
||||||
## TLS certificate.
|
mountPath: "/etc/kubernetes/node-feature-discovery/certs"
|
||||||
# - "--ca-file=/etc/kubernetes/node-feature-discovery/trust/ca.crt"
|
readOnly: true
|
||||||
# - "--key-file=/etc/kubernetes/node-feature-discovery/certs/tls.key"
|
volumes:
|
||||||
# - "--cert-file=/etc/kubernetes/node-feature-discovery/certs/tls.crt"
|
- name: nfd-master-cert
|
||||||
# volumeMounts:
|
secret:
|
||||||
# - name: nfd-ca-cert
|
secretName: nfd-master-cert
|
||||||
# mountPath: "/etc/kubernetes/node-feature-discovery/trust"
|
## /TLS ##
|
||||||
# readOnly: true
|
{{- end }}
|
||||||
# - name: nfd-master-cert
|
|
||||||
# mountPath: "/etc/kubernetes/node-feature-discovery/certs"
|
|
||||||
# readOnly: true
|
|
||||||
# volumes:
|
|
||||||
# - name: nfd-ca-cert
|
|
||||||
# configMap:
|
|
||||||
# name: nfd-ca-cert
|
|
||||||
# - name: nfd-master-cert
|
|
||||||
# secret:
|
|
||||||
# secretName: nfd-master-cert
|
|
||||||
{{- with .Values.master.nodeSelector }}
|
{{- with .Values.master.nodeSelector }}
|
||||||
nodeSelector:
|
nodeSelector:
|
||||||
{{- toYaml . | nindent 8 }}
|
{{- toYaml . | nindent 8 }}
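Review bot: With `tls.enable` the master now requires a client certificate, but the args hunk passes only `--ca-file`/`--key-file`/`--cert-file`, so any certificate issued by `nfd-ca-issuer` — the topology-updater's, or the one worker cert shared by every node — is accepted for any node name; `--verify-node-name`, which the deleted comment block advertised as the hardening step, is not exposed through a value here. values.yaml in this same PR says hostname verification is not supported yet, so at minimum record that next to the args: `# NOTE: any cert from the NFD CA is accepted; --verify-node-name is not enabled (see the tls comment in values.yaml)`. The liveness/readiness probes present the master's own serving `tls.crt` as the client certificate, which only works because server and clients share one CA; a one-line comment above `-tls-client-cert` would save the next reader from wondering why the server cert is reused. The container spec this sits in starts outside the hunk.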
|
||||||
|
|
|
@ -50,6 +50,11 @@ spec:
|
||||||
{{- else }}
|
{{- else }}
|
||||||
- "--watch-namespace=*"
|
- "--watch-namespace=*"
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
{{- if .Values.tls.enable }}
|
||||||
|
- "--ca-file=/etc/kubernetes/node-feature-discovery/certs/ca.crt"
|
||||||
|
- "--key-file=/etc/kubernetes/node-feature-discovery/certs/tls.key"
|
||||||
|
- "--cert-file=/etc/kubernetes/node-feature-discovery/certs/tls.crt"
|
||||||
|
{{- end }}
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: kubelet-config
|
- name: kubelet-config
|
||||||
mountPath: /host-var/lib/kubelet/config.yaml
|
mountPath: /host-var/lib/kubelet/config.yaml
|
||||||
|
@ -57,6 +62,12 @@ spec:
|
||||||
mountPath: /host-var/lib/kubelet/pod-resources/kubelet.sock
|
mountPath: /host-var/lib/kubelet/pod-resources/kubelet.sock
|
||||||
- name: host-sys
|
- name: host-sys
|
||||||
mountPath: /host-sys
|
mountPath: /host-sys
|
||||||
|
{{- if .Values.tls.enable }}
|
||||||
|
- name: nfd-topology-updater-cert
|
||||||
|
mountPath: "/etc/kubernetes/node-feature-discovery/certs"
|
||||||
|
readOnly: true
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
resources:
|
resources:
|
||||||
{{- toYaml .Values.topologyUpdater.resources | nindent 12 }}
|
{{- toYaml .Values.topologyUpdater.resources | nindent 12 }}
|
||||||
securityContext:
|
securityContext:
|
||||||
|
@ -79,6 +90,12 @@ spec:
|
||||||
{{- else }}
|
{{- else }}
|
||||||
path: /var/lib/kubelet/pod-resources/kubelet.sock
|
path: /var/lib/kubelet/pod-resources/kubelet.sock
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
{{- if .Values.tls.enable }}
|
||||||
|
- name: nfd-topology-updater-cert
|
||||||
|
secret:
|
||||||
|
secretName: nfd-topology-updater-cert
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
{{- with .Values.topologyUpdater.nodeSelector }}
|
{{- with .Values.topologyUpdater.nodeSelector }}
|
||||||
nodeSelector:
|
nodeSelector:
|
||||||
{{- toYaml . | nindent 8 }}
|
{{- toYaml . | nindent 8 }}
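Review bot: The Secret name in the new `volumes` entry is hard-coded (`secretName: nfd-topology-updater-cert`, matching the hard-coded volume name above it) while the DNS SAN in the cert-manager template is derived from `node-feature-discovery.fullname`, so two releases in one namespace would share, and fight over, the same Secret. Prefix it like the chart's other objects, `secretName: {{ include "node-feature-discovery.fullname" . }}-topology-updater-cert`, and change the Certificate's `metadata.name`/`secretName` the same way; for operators who provision the Secret by hand with `tls.certManager: false`, the expected name and keys (`ca.crt`, `tls.crt`, `tls.key`) then need to be written down in values.yaml. The enclosing Deployment spec starts and ends outside this hunk.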
|
||||||
|
|
|
@ -42,13 +42,11 @@ spec:
|
||||||
- "nfd-worker"
|
- "nfd-worker"
|
||||||
args:
|
args:
|
||||||
- "--server={{ include "node-feature-discovery.fullname" . }}-master:{{ .Values.master.service.port }}"
|
- "--server={{ include "node-feature-discovery.fullname" . }}-master:{{ .Values.master.service.port }}"
|
||||||
## Enable TLS authentication (1/3)
|
{{- if .Values.tls.enable }}
|
||||||
## The example below assumes having the root certificate named ca.crt stored in
|
- "--ca-file=/etc/kubernetes/node-feature-discovery/certs/ca.crt"
|
||||||
## a ConfigMap named nfd-ca-cert, and, the TLS authentication credentials stored
|
- "--key-file=/etc/kubernetes/node-feature-discovery/certs/tls.key"
|
||||||
## in a TLS Secret named nfd-worker-cert
|
- "--cert-file=/etc/kubernetes/node-feature-discovery/certs/tls.crt"
|
||||||
# - "--ca-file=/etc/kubernetes/node-feature-discovery/trust/ca.crt"
|
{{- end }}
|
||||||
# - "--key-file=/etc/kubernetes/node-feature-discovery/certs/tls.key"
|
|
||||||
# - "--cert-file=/etc/kubernetes/node-feature-discovery/certs/tls.crt"
|
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: host-boot
|
- name: host-boot
|
||||||
mountPath: "/host-boot"
|
mountPath: "/host-boot"
|
||||||
|
@ -76,13 +74,11 @@ spec:
|
||||||
- name: nfd-worker-conf
|
- name: nfd-worker-conf
|
||||||
mountPath: "/etc/kubernetes/node-feature-discovery"
|
mountPath: "/etc/kubernetes/node-feature-discovery"
|
||||||
readOnly: true
|
readOnly: true
|
||||||
## Enable TLS authentication (2/3)
|
{{- if .Values.tls.enable }}
|
||||||
# - name: nfd-ca-cert
|
- name: nfd-worker-cert
|
||||||
# mountPath: "/etc/kubernetes/node-feature-discovery/trust"
|
mountPath: "/etc/kubernetes/node-feature-discovery/certs"
|
||||||
# readOnly: true
|
readOnly: true
|
||||||
# - name: nfd-worker-cert
|
{{- end }}
|
||||||
# mountPath: "/etc/kubernetes/node-feature-discovery/certs"
|
|
||||||
# readOnly: true
|
|
||||||
volumes:
|
volumes:
|
||||||
- name: host-boot
|
- name: host-boot
|
||||||
hostPath:
|
hostPath:
|
||||||
|
@ -113,13 +109,11 @@ spec:
|
||||||
items:
|
items:
|
||||||
- key: nfd-worker.conf
|
- key: nfd-worker.conf
|
||||||
path: nfd-worker.conf
|
path: nfd-worker.conf
|
||||||
## Enable TLS authentication (3/3)
|
{{- if .Values.tls.enable }}
|
||||||
# - name: nfd-ca-cert
|
- name: nfd-worker-cert
|
||||||
# configMap:
|
secret:
|
||||||
# name: nfd-ca-cert
|
secretName: nfd-worker-cert
|
||||||
# - name: nfd-worker-cert
|
{{- end }}
|
||||||
# secret:
|
|
||||||
# secretName: nfd-worker-cert
|
|
||||||
{{- with .Values.worker.nodeSelector }}
|
{{- with .Values.worker.nodeSelector }}
|
||||||
nodeSelector:
|
nodeSelector:
|
||||||
{{- toYaml . | nindent 8 }}
|
{{- toYaml . | nindent 8 }}
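Review bot: The DaemonSet mounts the single `nfd-worker-cert` Secret on every node, so all workers share one private key and one identity (`CN=nfd-worker`); a compromised worker pod on one node can therefore label any node, and the master's `--verify-node-name` hardening can never be turned on with this layout because there is no per-node SAN to check. That is a reasonable first step, but it should be said where the next person will look, e.g. above the `{{- if .Values.tls.enable }}` in `args`: `# All workers share one client cert; TLS here authenticates "an NFD worker", not a specific node.` Note also that with `tls.enable: true` and `tls.certManager: false` the pod will not start until a Secret with exactly that name and `ca.crt`/`tls.crt`/`tls.key` keys exists, which this template does not say. The container spec continues outside the hunk.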
|
||||||
|
|
|
@ -429,3 +429,13 @@ rbac:
|
||||||
## Annotations for the Service Account
|
## Annotations for the Service Account
|
||||||
##
|
##
|
||||||
serviceAccountAnnotations: {}
|
serviceAccountAnnotations: {}
|
||||||
|
|
||||||
|
# Optionally use encryption for worker <--> master comms
|
||||||
|
# TODO: verify hostname is not yet supported
|
||||||
|
#
|
||||||
|
# If you do not enable certManager (and have it installed) you will
|
||||||
|
# need to manually, or otherwise, provision the TLS certs as secrets
|
||||||
|
tls:
|
||||||
|
enable: false
|
||||||
|
certManager: false
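Review bot: The new `tls` comment block is terse where it matters: `# TODO: verify hostname is not yet supported` does not say which verification is meant (the master's `--verify-node-name` check of the worker cert against the node name) or why it cannot work (one shared worker cert per DaemonSet), and "provision the TLS certs as secrets" omits the Secret names and keys the templates expect. Suggest expanding it to list the Secrets the templates mount (`nfd-master-cert`, `nfd-worker-cert`, `nfd-topology-updater-cert`), the keys each must carry (`ca.crt`, `tls.crt`, `tls.key`, i.e. a `kubernetes.io/tls` Secret plus the CA bundle), and the fact that all workers share one certificate so per-node verification is not available. It is also worth stating that `certManager: true` on its own only issues the certificates; they are not mounted or used unless `enable: true` is set as well.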
|
||||||
|
|
||||||
|
|
|
@ -291,6 +291,8 @@ We have introduced the following Chart parameters.
|
||||||
| `nameOverride` | string | | Override the name of the chart |
|
| `nameOverride` | string | | Override the name of the chart |
|
||||||
| `fullnameOverride` | string | | Override a default fully qualified app name |
|
| `fullnameOverride` | string | | Override a default fully qualified app name |
|
||||||
| `nodeFeatureRule.createCRD` | bool | true | Specifies whether to create the NodeFeatureRule CRD |
|
| `nodeFeatureRule.createCRD` | bool | true | Specifies whether to create the NodeFeatureRule CRD |
|
||||||
|
| `tls.enable` | bool | false | Specifies whether to use TLS for communications between components |
|
||||||
|
| `tls.certManager` | bool | false | If enabled, requires [cert-manager](https://cert-manager.io/docs/) to be installed and will automatically create the required TLS certificates |
|
||||||
|
|
||||||
##### Master pod parameters
|
##### Master pod parameters