✨ cert-manager integration

k8s/spire/base/cert-certificate.yaml

@@ -0,0 +1,54 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: spire-ca
+  namespace: spire
+spec:
+  secretName: spire-ca-key-pair
+  duration: 8760h # 1 year
+  renewBefore: 720h # 30 days
+  commonName: "spire.tunnel.threadr.ai"
+  dnsNames:
+    - "spire.tunnel.threadr.ai"
+  isCA: true
+  privateKey:
+    algorithm: RSA
+    encoding: PKCS1
+    size: 4096
+  issuerRef:
+    name: threadr-issuer
+    kind: ClusterIssuer
+    group: cert-manager.io
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: cert-manager-ca
+  namespace: spire
+data:
+  ca.crt: ""
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: cert-manager-ca-sync
+  namespace: spire
+rules:
+- apiGroups: [""]
+  resources: ["configmaps"]
+  verbs: ["get", "update"]
+  resourceNames: ["cert-manager-ca"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: cert-manager-ca-sync
+  namespace: spire
+subjects:
+- kind: ServiceAccount
+  name: cert-manager
+  namespace: cert-manager
+roleRef:
+  kind: Role
+  name: cert-manager-ca-sync
+  apiGroup: rbac.authorization.k8s.io

k8s/spire/base/cert-configmap.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: cert-manager-ca
+  namespace: spire
+data:
+  ca.crt: |
+    # This will be populated by cert-manager

k8s/spire/base/cluster-issuer.yaml

@@ -0,0 +1,7 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: spire-ca-issuer
+spec:
+  ca:
+    secretName: spire-ca-key-pair

k8s/spire/base/kustomization.yaml

@@ -4,6 +4,7 @@ kind: Kustomization
 namespace: spire
 
 resources:
+- cluster-issuer.yaml
 - spire-namespace.yaml
 - agent-account.yaml
 - agent-cluster-role.yaml

k8s/spire/base/server-cluster-role.yaml

@@ -33,6 +33,12 @@ rules:
 - apiGroups: ["authentication.k8s.io"]
   resources: ["tokenreviews"]
   verbs: ["create"]
+- apiGroups: ["cert-manager.io"]
+  resources: ["certificaterequests"]
+  verbs: ["create", "get", "list", "watch"]
+- apiGroups: ["cert-manager.io"]
+  resources: ["clusterissuers"]
+  verbs: ["get", "list", "watch"]
 ---
 # Binds above cluster role to spire-server service account
 kind: ClusterRoleBinding
@@ -46,4 +52,4 @@ subjects:
 roleRef:
   kind: ClusterRole
   name: spire-server-trust-role
-  apiGroup: rbac.authorization.k8s.io
+  apiGroup: rbac.authorization.k8s.io

k8s/spire/base/server-configmap.yaml

@@ -30,6 +30,16 @@ data:
         }
       }
 
+      UpstreamAuthority "cert-manager" {
+        plugin_data {
+          issuer_name = "spire-ca-issuer"
+          issuer_kind = "ClusterIssuer"
+          issuer_group = "cert-manager.io"
+          namespace = "spire"
+          ca_bundle_path = "/etc/cert-manager/ca/ca.crt"
+        }
+      }
+    
       NodeAttestor "k8s_sat" {
         plugin_data {
           clusters = {

k8s/spire/base/server-statefulset.yaml

@@ -46,6 +46,9 @@ spec:
           ports:
             - containerPort: 8081
           volumeMounts:
+            - name: cert-manager-ca
+              mountPath: /etc/cert-manager-ca
+              readOnly: true
             - name: generated-config
               mountPath: /run/spire/config
               readOnly: true
@@ -67,6 +70,12 @@ spec:
             initialDelaySeconds: 5
             periodSeconds: 5
       volumes:
+        - name: cert-manager-ca
+          configMap:
+            name: cert-manager-ca
+            items:
+              - key: ca.crt
+                path: ca.crt
         - name: spire-config-template
           configMap:
             name: spire-server