Add webhook cert auto-rotating

2025-09-23 23:49:51 +02:00
parent 8a9425b150
commit 9dce6c79ea
10 changed files with 199 additions and 0 deletions
--- a/linkerd/init.sh
+++ b/linkerd/init.sh
@@ -7,3 +7,22 @@ step-cli certificate create root.linkerd.cluster.local ca.crt ca.key \
    --namespace=linkerd &&
  yq e -i '.["linkerd-control-plane"].identityTrustAnchorsPEM=load_str("ca.crt")' values.yaml &&
  rm ca.crt ca.key
+
+step-cli certificate create webhook.linkerd.cluster.local webhook_ca.crt webhook_ca.key \
+  --profile root-ca --no-password --insecure --san webhook.linkerd.cluster.local &&
+  kubectl create secret tls \
+    webhook-issuer-tls \
+    --cert=webhook_ca.crt \
+    --key=webhook_ca.key \
+    --namespace=linkerd &&
+  kubectl create secret tls \
+    webhook-issuer-tls \
+    --cert=webhook_ca.crt \
+    --key=webhook_ca.key \
+    --namespace=linkerd-viz &&
+  yq e -i '.["linkerd-control-plane"].policyValidator.caBundle=load_str("webhook_ca.crt")' values.yaml &&
+  yq e -i '.["linkerd-control-plane"].proxyInjector.caBundle=load_str("webhook_ca.crt")' values.yaml &&
+  yq e -i '.["linkerd-control-plane"].profileValidator.caBundle=load_str("webhook_ca.crt")' values.yaml &&
+  yq e -i '.["linkerd-viz"].tap.caBundle=load_str("webhook_ca.crt")' ../linkerd-viz/values.yaml &&
+  yq e -i '.["linkerd-viz"].tapInjector.caBundle=load_str("webhook_ca.crt")' ../linkerd-viz/values.yaml &&
+  rm webhook_ca.crt webhook_ca.key
--- a/linkerd/templates/policy-validator-certificate.yaml
+++ b/linkerd/templates/policy-validator-certificate.yaml
@@ -0,0 +1,20 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: linkerd-policy-validator
+spec:
+  secretName: linkerd-policy-validator-k8s-tls
+  duration: 24h
+  renewBefore: 1h
+  issuerRef:
+    name: webhook-issuer
+    kind: Issuer
+  commonName: linkerd-policy-validator.linkerd.svc
+  dnsNames:
+  - linkerd-policy-validator.linkerd.svc
+  isCA: false
+  privateKey:
+    algorithm: ECDSA
+    encoding: PKCS8
+  usages:
+  - server auth
--- a/linkerd/templates/proxy-injector-certificate.yaml
+++ b/linkerd/templates/proxy-injector-certificate.yaml
@@ -0,0 +1,19 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: linkerd-proxy-injector
+spec:
+  secretName: linkerd-proxy-injector-k8s-tls
+  duration: 24h
+  renewBefore: 1h
+  issuerRef:
+    name: webhook-issuer
+    kind: Issuer
+  commonName: linkerd-proxy-injector.linkerd.svc
+  dnsNames:
+  - linkerd-proxy-injector.linkerd.svc
+  isCA: false
+  privateKey:
+    algorithm: ECDSA
+  usages:
+  - server auth
--- a/linkerd/templates/sp-validator-certificate.yaml
+++ b/linkerd/templates/sp-validator-certificate.yaml
@@ -0,0 +1,19 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: linkerd-sp-validator
+spec:
+  secretName: linkerd-sp-validator-k8s-tls
+  duration: 24h
+  renewBefore: 1h
+  issuerRef:
+    name: webhook-issuer
+    kind: Issuer
+  commonName: linkerd-sp-validator.linkerd.svc
+  dnsNames:
+  - linkerd-sp-validator.linkerd.svc
+  isCA: false
+  privateKey:
+    algorithm: ECDSA
+  usages:
+  - server auth
--- a/linkerd/templates/webhook-issuer.yaml
+++ b/linkerd/templates/webhook-issuer.yaml
@@ -0,0 +1,7 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: webhook-issuer
+spec:
+  ca:
+    secretName: webhook-issuer-tls
--- a/linkerd/values.yaml
+++ b/linkerd/values.yaml
@@ -17,6 +17,48 @@ linkerd-control-plane:
    -----END CERTIFICATE-----
  proxy:
    nativeSidecar: true
+  policyValidator:
+    externalSecret: true
+    caBundle: |
+      -----BEGIN CERTIFICATE-----
+      MIIBjTCCATOgAwIBAgIQOOvm1fwbj66IoBnM+oKjbzAKBggqhkjOPQQDAjAlMSMw
+      IQYDVQQDExpyb290LmxpbmtlcmQuY2x1c3Rlci5sb2NhbDAeFw0yNDEwMjQyMjIx
+      MjVaFw0zNDEwMjIyMjIxMjVaMCUxIzAhBgNVBAMTGnJvb3QubGlua2VyZC5jbHVz
+      dGVyLmxvY2FsMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAELj/OdEiXV5kUJAha
+      7+dKe4yiViuVtDMkhzIaWoR/ZHqd270MWXvoBpNP9emICtX/3ihRkO12WHOLtnPi
+      GXFc1aNFMEMwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYD
+      VR0OBBYEFHDt80xkzE3Exi1WM+VVzzyXhEQoMAoGCCqGSM49BAMCA0gAMEUCIQDX
+      BpIMV3NMh5L43WVSrcTTy1CzPjRgvuVLXiywYJyBvAIgdL0sulAwaHxROQs4Unxb
+      tIay7PKwoMrycoW6DiZV4C8=
+      -----END CERTIFICATE-----
+  proxyInjector:
+    externalSecret: true
+    caBundle: |
+      -----BEGIN CERTIFICATE-----
+      MIIBjTCCATOgAwIBAgIQOOvm1fwbj66IoBnM+oKjbzAKBggqhkjOPQQDAjAlMSMw
+      IQYDVQQDExpyb290LmxpbmtlcmQuY2x1c3Rlci5sb2NhbDAeFw0yNDEwMjQyMjIx
+      MjVaFw0zNDEwMjIyMjIxMjVaMCUxIzAhBgNVBAMTGnJvb3QubGlua2VyZC5jbHVz
+      dGVyLmxvY2FsMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAELj/OdEiXV5kUJAha
+      7+dKe4yiViuVtDMkhzIaWoR/ZHqd270MWXvoBpNP9emICtX/3ihRkO12WHOLtnPi
+      GXFc1aNFMEMwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYD
+      VR0OBBYEFHDt80xkzE3Exi1WM+VVzzyXhEQoMAoGCCqGSM49BAMCA0gAMEUCIQDX
+      BpIMV3NMh5L43WVSrcTTy1CzPjRgvuVLXiywYJyBvAIgdL0sulAwaHxROQs4Unxb
+      tIay7PKwoMrycoW6DiZV4C8=
+      -----END CERTIFICATE-----
+  profileValidator:
+    externalSecret: true
+    caBundle: |
+      -----BEGIN CERTIFICATE-----
+      MIIBjTCCATOgAwIBAgIQOOvm1fwbj66IoBnM+oKjbzAKBggqhkjOPQQDAjAlMSMw
+      IQYDVQQDExpyb290LmxpbmtlcmQuY2x1c3Rlci5sb2NhbDAeFw0yNDEwMjQyMjIx
+      MjVaFw0zNDEwMjIyMjIxMjVaMCUxIzAhBgNVBAMTGnJvb3QubGlua2VyZC5jbHVz
+      dGVyLmxvY2FsMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAELj/OdEiXV5kUJAha
+      7+dKe4yiViuVtDMkhzIaWoR/ZHqd270MWXvoBpNP9emICtX/3ihRkO12WHOLtnPi
+      GXFc1aNFMEMwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYD
+      VR0OBBYEFHDt80xkzE3Exi1WM+VVzzyXhEQoMAoGCCqGSM49BAMCA0gAMEUCIQDX
+      BpIMV3NMh5L43WVSrcTTy1CzPjRgvuVLXiywYJyBvAIgdL0sulAwaHxROQs4Unxb
+      tIay7PKwoMrycoW6DiZV4C8=
+      -----END CERTIFICATE-----
 linkerd2-cni:
  repairController:
    enabled: true