Add webhook cert auto-rotating

2025-09-23 23:49:51 +02:00
parent 8a9425b150
commit 9dce6c79ea
10 changed files with 199 additions and 0 deletions
--- a/linkerd-viz/templates/tap-certificate.yaml
+++ b/linkerd-viz/templates/tap-certificate.yaml
@@ -0,0 +1,19 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: tap
+spec:
+  secretName: tap-k8s-tls
+  duration: 24h
+  renewBefore: 1h
+  issuerRef:
+    name: webhook-issuer
+    kind: Issuer
+  commonName: tap.linkerd-viz.svc
+  dnsNames:
+  - tap.linkerd-viz.svc
+  isCA: false
+  privateKey:
+    algorithm: ECDSA
+  usages:
+  - server auth
--- a/linkerd-viz/templates/tap-injector-certificate.yaml
+++ b/linkerd-viz/templates/tap-injector-certificate.yaml
@@ -0,0 +1,19 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: linkerd-tap-injector
+spec:
+  secretName: tap-injector-k8s-tls
+  duration: 24h
+  renewBefore: 1h
+  issuerRef:
+    name: webhook-issuer
+    kind: Issuer
+  commonName: tap-injector.linkerd-viz.svc
+  dnsNames:
+  - tap-injector.linkerd-viz.svc
+  isCA: false
+  privateKey:
+    algorithm: ECDSA
+  usages:
+  - server auth
--- a/linkerd-viz/templates/webhook-issuer.yaml
+++ b/linkerd-viz/templates/webhook-issuer.yaml
@@ -0,0 +1,7 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: webhook-issuer
+spec:
+  ca:
+    secretName: webhook-issuer-tls
--- a/linkerd-viz/values.yaml
+++ b/linkerd-viz/values.yaml
@@ -1,4 +1,32 @@
 linkerd-viz:
+  tap:
+    externalSecret: true
+    caBundle: |
+      -----BEGIN CERTIFICATE-----
+      MIIBjTCCATOgAwIBAgIQOOvm1fwbj66IoBnM+oKjbzAKBggqhkjOPQQDAjAlMSMw
+      IQYDVQQDExpyb290LmxpbmtlcmQuY2x1c3Rlci5sb2NhbDAeFw0yNDEwMjQyMjIx
+      MjVaFw0zNDEwMjIyMjIxMjVaMCUxIzAhBgNVBAMTGnJvb3QubGlua2VyZC5jbHVz
+      dGVyLmxvY2FsMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAELj/OdEiXV5kUJAha
+      7+dKe4yiViuVtDMkhzIaWoR/ZHqd270MWXvoBpNP9emICtX/3ihRkO12WHOLtnPi
+      GXFc1aNFMEMwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYD
+      VR0OBBYEFHDt80xkzE3Exi1WM+VVzzyXhEQoMAoGCCqGSM49BAMCA0gAMEUCIQDX
+      BpIMV3NMh5L43WVSrcTTy1CzPjRgvuVLXiywYJyBvAIgdL0sulAwaHxROQs4Unxb
+      tIay7PKwoMrycoW6DiZV4C8=
+      -----END CERTIFICATE-----
+  tapInjector:
+    externalSecret: true
+    caBundle: |
+      -----BEGIN CERTIFICATE-----
+      MIIBjTCCATOgAwIBAgIQOOvm1fwbj66IoBnM+oKjbzAKBggqhkjOPQQDAjAlMSMw
+      IQYDVQQDExpyb290LmxpbmtlcmQuY2x1c3Rlci5sb2NhbDAeFw0yNDEwMjQyMjIx
+      MjVaFw0zNDEwMjIyMjIxMjVaMCUxIzAhBgNVBAMTGnJvb3QubGlua2VyZC5jbHVz
+      dGVyLmxvY2FsMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAELj/OdEiXV5kUJAha
+      7+dKe4yiViuVtDMkhzIaWoR/ZHqd270MWXvoBpNP9emICtX/3ihRkO12WHOLtnPi
+      GXFc1aNFMEMwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYD
+      VR0OBBYEFHDt80xkzE3Exi1WM+VVzzyXhEQoMAoGCCqGSM49BAMCA0gAMEUCIQDX
+      BpIMV3NMh5L43WVSrcTTy1CzPjRgvuVLXiywYJyBvAIgdL0sulAwaHxROQs4Unxb
+      tIay7PKwoMrycoW6DiZV4C8=
+      -----END CERTIFICATE-----
  dashboard:
    service:
      annotations: