Add cert-manager and PKI in workload clusters
What does this MR do and why?
Add cert-manager in workload clusters and create a CA in each workload cluster
- Enable cert-manager and sylva-ca units in workload clusters
- Target the correct namespace in each kustomization for workload cluster case
- Variablize the PKI parameters. In the workload clusters, the CA name is derived from the cluster name. For the management cluster, the naming stays backward compatible
- The external secret operator is not installed in the workload clusters
- Test cert-manager in management and workload clusters for both self-signed and PKI signed issuers
- Tests rely on GitLab CI tools
Example
For the management cluster:
| Resource type | Resource name | Resource namespace |
|---|---|---|
| ClusterIssuer | selfsigned-issuer | N.A. |
| kustomization | sylva-ca | sylva-system |
| certificate | sylva-selfsigned-ca | cert-manager |
| certificate:spec:commonName | Sylva CA | cert-manager |
| certificate:spec:subject:organizations | Sylva | cert-manager |
| secrets | ca-key-pair | cert-manager |
| secrets | extra-ca-cert | cert-manager |
| ClusterIssuer | ca-issuer | N.A. |
| role | eso-store-cert-manager-role | cert-manager |
| ServiceAccount | eso-store-cert-manager-sa | cert-manager |
| RoleBinding | eso-store-cert-manager-role-binding | cert-manager |
For a workload cluster (the workload cluster name is my-workload-kubeadm-capd):
| Resource type | Resource name | Resource namespace |
|---|---|---|
| ClusterIssuer | selfsigned-issuer | N.A. |
| kustomization | sylva-ca | my-workload-kubeadm-capd in the management cluster |
| certificate | my-workload-kubeadm-capd-selfsigned-ca | cert-manager |
| certificate:spec:commonName | my-workload-kubeadm-capd CA | cert-manager |
| certificate:spec:subject:organizations | my-workload-kubeadm-capd | cert-manager |
| secrets | ca-key-pair | cert-manager |
| secrets | extra-ca-cert | cert-manager |
| ClusterIssuer | ca-issuer | N.A. |
Related reference(s)
Close #1463
Test coverage
Current tests are:
- Create a self-signed issuer and a certificate
- Rely on the installed CA to generate a certificate
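The resource chain listed in the two tables above (self-signed ClusterIssuer, CA Certificate, CA-backed ClusterIssuer) and the leaf certificate the second test requests, rendered by an added example script. This is not the project's own kustomization: it assumes cert-manager v1 CRDs, the names and namespaces from the tables, that the management cluster is expressed as `cluster_name=None`, and an ECDSA P-256 CA key (a choice of this example, not stated in the MR). It emits JSON, which kubectl accepts as YAML, and includes a static check that `ca-issuer` can actually find the CA secret it references.

```python
"""Render the cert-manager PKI chain from the MR tables for the management
cluster or a workload cluster, and statically check the chain.

Added example, not the project's own manifests. Assumptions: cert-manager v1
CRDs, the names/namespaces from the tables, management cluster == cluster_name
None, ECDSA P-256 CA key. Usage (kubectl assumed, not part of the MR):
    python3 pki.py my-workload-kubeadm-capd | kubectl apply -f -
"""
import json
import sys

CERT_MANAGER_NS = "cert-manager"   # cert-manager's Cluster Resource Namespace
CA_SECRET = "ca-key-pair"          # secret name used in both tables


def pki_params(cluster_name=None):
    """Naming rules from the tables: the management cluster keeps the legacy
    'Sylva' names; a workload cluster derives every name from its cluster name."""
    if cluster_name is None:
        return {"ca_cert": "sylva-selfsigned-ca",
                "common_name": "Sylva CA",
                "organization": "Sylva"}
    return {"ca_cert": f"{cluster_name}-selfsigned-ca",
            "common_name": f"{cluster_name} CA",
            "organization": cluster_name}


def render_pki(cluster_name=None):
    """selfsigned-issuer -> CA Certificate (isCA) -> ca-issuer, as in the tables."""
    p = pki_params(cluster_name)
    selfsigned_issuer = {
        "apiVersion": "cert-manager.io/v1", "kind": "ClusterIssuer",
        "metadata": {"name": "selfsigned-issuer"},
        "spec": {"selfSigned": {}},
    }
    ca_certificate = {
        "apiVersion": "cert-manager.io/v1", "kind": "Certificate",
        # A ClusterIssuer of type `ca` reads its secret from the Cluster
        # Resource Namespace, which is why the CA lives in cert-manager.
        "metadata": {"name": p["ca_cert"], "namespace": CERT_MANAGER_NS},
        "spec": {
            "isCA": True,
            "commonName": p["common_name"],
            "subject": {"organizations": [p["organization"]]},
            "secretName": CA_SECRET,
            "privateKey": {"algorithm": "ECDSA", "size": 256},  # assumed choice
            "issuerRef": {"name": "selfsigned-issuer", "kind": "ClusterIssuer",
                          "group": "cert-manager.io"},
        },
    }
    ca_issuer = {
        "apiVersion": "cert-manager.io/v1", "kind": "ClusterIssuer",
        "metadata": {"name": "ca-issuer"},
        "spec": {"ca": {"secretName": CA_SECRET}},
    }
    return [selfsigned_issuer, ca_certificate, ca_issuer]


def render_test_certificate(name, namespace, dns_names, issuer="ca-issuer"):
    """Leaf certificate like the one the 'rely on the installed CA' test requests."""
    return {
        "apiVersion": "cert-manager.io/v1", "kind": "Certificate",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {
            "secretName": f"{name}-tls",
            "dnsNames": list(dns_names),
            "duration": "2160h", "renewBefore": "360h",
            "usages": ["server auth"],
            "issuerRef": {"name": issuer, "kind": "ClusterIssuer",
                          "group": "cert-manager.io"},
        },
    }


def chain_is_consistent(manifests):
    """Static check that ca-issuer can find the CA it references: the CA
    Certificate must be isCA, sit in the cert-manager namespace, be issued by
    a ClusterIssuer that exists, and write the secretName ca-issuer reads."""
    by_kind_name = {(m["kind"], m["metadata"]["name"]): m for m in manifests}
    ca_issuer = by_kind_name.get(("ClusterIssuer", "ca-issuer"))
    if ca_issuer is None:
        return False
    wanted = ca_issuer["spec"]["ca"]["secretName"]
    cluster_issuers = {n for k, n in by_kind_name if k == "ClusterIssuer"}
    ca_certs = [m for m in manifests
                if m["kind"] == "Certificate" and m["spec"].get("isCA")]
    return any(c["metadata"].get("namespace") == CERT_MANAGER_NS
               and c["spec"]["secretName"] == wanted
               and c["spec"]["issuerRef"]["name"] in cluster_issuers
               for c in ca_certs)


if __name__ == "__main__":
    cluster = sys.argv[1] if len(sys.argv) > 1 else None
    items = render_pki(cluster)
    print(json.dumps({"apiVersion": "v1", "kind": "List", "items": items}, indent=2))
```

The consistency check is the part worth keeping around: moving the CA Certificate out of the `cert-manager` namespace, or renaming `ca-key-pair` on only one side, leaves `ca-issuer` permanently not Ready, and the check catches both before anything is applied.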
Test results and links are the following
Edited by vladimir braquet