Merge pull request #287 from mbaldessari/letsencrypt

Add an experimental letsencypt chart

Author: mbaldessari

Makefile

@@ -110,7 +110,7 @@ helmlint: ## run helm lint
 	@for t in $(CHARTS); do common/scripts/lint.sh $$t $(TEST_OPTS); if [ $$? != 0 ]; then exit 1; fi; done
 
 API_URL ?= https://raw.githubusercontent.com/hybrid-cloud-patterns/ocp-schemas/main/openshift/4.10/
-KUBECONFORM_SKIP ?= -skip 'CustomResourceDefinition'
+KUBECONFORM_SKIP ?= -skip 'CustomResourceDefinition,ClusterIssuer,CertManager,Certificate'
 # We need to skip 'CustomResourceDefinition' as openapi2jsonschema seems to be unable to generate them ATM
 .PHONY: kubeconform
 kubeconform: ## run helm kubeconform

letsencrypt/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

letsencrypt/Chart.yaml

@@ -0,0 +1,16 @@
+apiVersion: v2
+name: letsencrypt
+description: A Helm chart to add letsencrypt support to Validated Patterns
+
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.16.0"

letsencrypt/README.md

@@ -0,0 +1,68 @@
+# Letsencrypt support for Validated patterns
+
+This is an *EXPERIMENTAL* and *UNSUPPORTED* chart to enable letsencrypt support in the pattern.
+Currently the only supported cloud for this is AWS.
+
+In order to enable this chart in your patterns, please add and edit the following lines to `values-AWS.yaml`:
+
+    letsencrypt:
+      region: eu-central-1 # region of the cluster
+      server: https://acme-v02.api.letsencrypt.org/directory
+      # staging URL
+      # server: https://acme-staging-v02.api.letsencrypt.org/directory
+      email: foo@bar.it
+
+    clusterGroup:
+      applications:
+        letsencrypt:
+          name: letsencrypt
+          namespace: letsencrypt
+          project: default
+          path: common/letsencrypt
+
+Once the above is enabled in a pattern, a certain amount of time (~15/20 minutes or so) is needed for all the cluster operators to settle, all the HTTPS routes will have a wildcard certificate signed by letsencrypt. By default also the API endpoint will use a certificate signed by letsencrypt.
+
+## Limitations
+
+Please be aware of the following gotchas when using this chart:
+
+1. Once the API certificate has been replaced with the letsencrypt one, the `oc` commands might fail with x509 unknown certificate authority errors.
+   You need to remove the previous CA from the kubeconfig file. Run: `oc config set-cluster <clustername> --certificate-authority="/dev/null" --embed-certs`
+2. When you switch to non-staging letsencrypt certificates, things might fail if you asked for too many certificates over the last few days.
+3. The cluster takes ~20-30 mins to fully settle when both the API endpoint and the default ingress certificates are implemented
+
+## Implementation
+
+This chart creates a Cloud Credential that is allowed to write and read DNS entries via Route53 in AWS. That credential is then used by cert-manager to prove ownership of the DNS zone and answer the ACME DNS01 challenges.
+We ask for a single wildcard certificate for the default Ingress *.apps.domain and one non-wildcard certificate for the API endpoint api.domain.
+We use Argo's Server-Side Apply feature to patch in the Ingress Controller and the API endpoint certificates.
+Currently we also patch the main cluster-wide Argo instance to set the tls route to `reencrypt` in order have a proper cert there. Once issue 297 in the gitops-operator repository is fixed, we can drop that.
+
+## Parameters
+
+### global parameters
+
+This section contains the global parameters consumed by this chart
+
+| Name                        | Description                                                                                          | Value              |
+| --------------------------- | ---------------------------------------------------------------------------------------------------- | ------------------ |
+| `global.localClusterDomain` | String containing the domain including the apps. prefix. Gets set by the Validated Pattern framework | `apps.example.com` |
+
+### letsencrypt parameters
+
+This section contains all the parameters for the letsencrypt
+chart in order to request CA signed certificates in a Validated Pattern
+
+| Name                             | Description                                                                                                           | Value                                                    |
+| -------------------------------- | --------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------- |
+| `letsencrypt.enabled`            | Boolean to enable this feature and request a wildcard cert for the default Infress (*.apps.domain) (defaults to True) | `true`                                                   |
+| `letsencrypt.api_endpoint`       | Boolean to enable letsencrypt certs on the API endpoint too (defaults to True)                                        | `true`                                                   |
+| `letsencrypt.region`             | String that defines the region used by the route53/dns01 resolver in cert-manager (required)                          | `eu-central-1`                                           |
+| `letsencrypt.email`              | String containing the email used when requesting certificates to letsencrypt (required)                               | `test@example.com`                                       |
+| `letsencrypt.server`             | String containing the letsencrypt ACME URL (Defaults to the staging server)                                           | `https://acme-staging-v02.api.letsencrypt.org/directory` |
+| `letsencrypt.organizations`      | List of organization names to be put in a certificate (Defaults to [hybrid-cloud-patterns.io])                        | `["hybrid-cloud-patterns.io"]`                           |
+| `letsencrypt.usages`             | List of certificate uses. See API cert-manager.io/v1.KeyUsage (Defaults to [server auth])                             | `["server auth"]`                                        |
+| `letsencrypt.duration`           | Duration of the requested letsencrypt certificates (Defaults to 168h0m0s)                                             | `168h0m0s`                                               |
+| `letsencrypt.renewBefore`        | How long before expiration date should the certs be renewed (Defaults to 28h0m0s)                                     | `28h0m0s`                                                |
+| `letsencrypt.nameservers`        | List of DNS server (ip:port strings) to be used when doing DNS01 challenges (Defaults to [8.8.8.8:53, 1.1.1.1:53])    | `["8.8.8.8:53","1.1.1.1:53"]`                            |
+| `letsencrypt.certmanagerChannel` | String the channel to install cert-manager from (Defaults to "stable-v1")                                             | `stable-v1`                                              |

letsencrypt/templates/api-cert.yaml

@@ -0,0 +1,28 @@
+{{ if and (.Values.letsencrypt.enabled) (.Values.letsencrypt.api_endpoint) }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: api-validated-patterns-cert
+  namespace: openshift-config
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+spec:
+  secretName: api-validated-patterns-letsencrypt-cert
+  duration: {{ .Values.letsencrypt.duration }}
+  renewBefore: {{ .Values.letsencrypt.renewBefore }}
+  commonName: 'api.{{ $.Values.global.localClusterDomain | replace "apps." "" }}'
+  usages:
+    {{- range .Values.letsencrypt.usages }}
+    - {{ . }}
+    {{- end }}
+  dnsNames:
+  - api.{{ $.Values.global.localClusterDomain | replace "apps." "" }}
+  issuerRef:
+    name: validated-patterns-issuer
+    kind: ClusterIssuer
+  subject:
+    organizations:
+    {{- range .Values.letsencrypt.organizations }}
+    - {{ . }}
+    {{- end }}
+{{- end }}

letsencrypt/templates/cert-manager-installation.yaml

@@ -0,0 +1,38 @@
+{{ if .Values.letsencrypt.enabled }}
+---
+apiVersion: operators.coreos.com/v1alpha1
+kind: Subscription
+metadata:
+  name: openshift-cert-manager-operator
+  namespace: cert-manager-operator
+spec:
+  channel: "{{ .Values.letsencrypt.certmanagerChannel }}"
+  installPlanApproval: Automatic
+  name: openshift-cert-manager-operator
+  source: redhat-operators
+  sourceNamespace: openshift-marketplace
+---
+apiVersion: operators.coreos.com/v1
+kind: OperatorGroup
+metadata:
+  name: cert-manager-operator
+  namespace: cert-manager-operator
+spec:
+  targetNamespaces:
+  - cert-manager-operator
+---
+apiVersion: operator.openshift.io/v1alpha1
+kind: CertManager
+metadata:
+  name: cluster
+  annotations:
+    argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true
+spec:
+  managementState: "Managed"
+  unsupportedConfigOverrides:
+    # Here's an example to supply custom DNS settings.
+    controller:
+      args:
+        - "--dns01-recursive-nameservers={{ with index .Values.letsencrypt.nameservers 0 }}{{ . }}{{- end }},{{ with index .Values.letsencrypt.nameservers 1 }}{{ . }}{{- end }}"
+        - "--dns01-recursive-nameservers-only"
+{{- end }}

letsencrypt/templates/credentials-request.yaml

@@ -0,0 +1,24 @@
+{{ if .Values.letsencrypt.enabled }}
+apiVersion: cloudcredential.openshift.io/v1
+kind: CredentialsRequest
+metadata:
+  name: letsencrypt-cert-manager-dns
+  namespace: openshift-cloud-credential-operator
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+spec:
+  providerSpec:
+    apiVersion: cloudcredential.openshift.io/v1
+    kind: AWSProviderSpec
+    statementEntries:
+    - action:
+      - 'route53:ChangeResourceRecordSets'
+      - 'route53:GetChange'
+      - 'route53:ListHostedZonesByName'
+      - 'route53:ListHostedZones'
+      effect: Allow
+      resource: '*'
+  secretRef:
+    name: cert-manager-dns-credentials
+    namespace: cert-manager
+{{- end }}

letsencrypt/templates/default-routes.yaml

@@ -0,0 +1,46 @@
+{{ if .Values.letsencrypt.enabled }}
+---
+apiVersion: operator.openshift.io/v1
+kind: IngressController
+metadata:
+  name: default
+  namespace: openshift-ingress-operator
+  annotations:
+    argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true
+spec:
+  routeAdmission:
+    wildcardPolicy: WildcardsAllowed
+  defaultCertificate:
+    name: lets-encrypt-wildcart-cert-tls
+# Patch the cluster-wide argocd instance so it uses the ingress tls cert
+---
+apiVersion: argoproj.io/v1alpha1
+kind: ArgoCD
+metadata:
+  name: openshift-gitops
+  namespace: openshift-gitops
+  annotations:
+    argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true
+spec:
+  server:
+    route:
+      enabled: true
+      tls:
+         termination: reencrypt
+{{ if .Values.letsencrypt.api_endpoint }}
+---
+apiVersion: config.openshift.io/v1
+kind: APIServer
+metadata:
+  name: cluster
+  annotations:
+    argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true
+spec:
+  servingCerts:
+    namedCertificates:
+      - names:
+        - api.{{ $.Values.global.localClusterDomain | replace "apps." "" }}
+        servingCertificate:
+          name: api-validated-patterns-letsencrypt-cert
+{{- end }}
+{{- end }}

letsencrypt/templates/issuer.yaml

@@ -0,0 +1,25 @@
+{{ if .Values.letsencrypt.enabled }}
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: validated-patterns-issuer
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+spec:
+  acme:
+    server: {{ .Values.letsencrypt.server }}
+    email: {{ .Values.letsencrypt.email }}
+    privateKeySecretRef:
+      name: validated-patterns-issuer-account-key
+    solvers:
+    - selector: {}
+      dns01:
+        route53:
+          region: {{ .Values.letsencrypt.region }}
+          accessKeyIDSecretRef:
+            name: cert-manager-dns-credentials
+            key: aws_access_key_id
+          secretAccessKeySecretRef:
+            name: cert-manager-dns-credentials
+            key: aws_secret_access_key
+{{- end }}

letsencrypt/templates/namespaces.yaml

@@ -0,0 +1,20 @@
+{{ if .Values.letsencrypt.enabled }}
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: cert-manager-operator
+spec:
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: cert-manager
+spec:
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: letsencrypt
+spec:
+---
+{{- end }}