Add webhook cert auto-rotating

linkerd-viz/templates/tap-certificate.yaml

@@ -0,0 +1,19 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: tap
+spec:
+  secretName: tap-k8s-tls
+  duration: 24h
+  renewBefore: 1h
+  issuerRef:
+    name: webhook-issuer
+    kind: Issuer
+  commonName: tap.linkerd-viz.svc
+  dnsNames:
+  - tap.linkerd-viz.svc
+  isCA: false
+  privateKey:
+    algorithm: ECDSA
+  usages:
+  - server auth

linkerd-viz/templates/tap-injector-certificate.yaml

@@ -0,0 +1,19 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: linkerd-tap-injector
+spec:
+  secretName: tap-injector-k8s-tls
+  duration: 24h
+  renewBefore: 1h
+  issuerRef:
+    name: webhook-issuer
+    kind: Issuer
+  commonName: tap-injector.linkerd-viz.svc
+  dnsNames:
+  - tap-injector.linkerd-viz.svc
+  isCA: false
+  privateKey:
+    algorithm: ECDSA
+  usages:
+  - server auth

linkerd-viz/templates/webhook-issuer.yaml

@@ -0,0 +1,7 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: webhook-issuer
+spec:
+  ca:
+    secretName: webhook-issuer-tls

linkerd-viz/values.yaml

@@ -1,4 +1,32 @@
 linkerd-viz:
+  tap:
+    externalSecret: true
+    caBundle: |
+      -----BEGIN CERTIFICATE-----
+      MIIBjTCCATOgAwIBAgIQOOvm1fwbj66IoBnM+oKjbzAKBggqhkjOPQQDAjAlMSMw
+      IQYDVQQDExpyb290LmxpbmtlcmQuY2x1c3Rlci5sb2NhbDAeFw0yNDEwMjQyMjIx
+      MjVaFw0zNDEwMjIyMjIxMjVaMCUxIzAhBgNVBAMTGnJvb3QubGlua2VyZC5jbHVz
+      dGVyLmxvY2FsMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAELj/OdEiXV5kUJAha
+      7+dKe4yiViuVtDMkhzIaWoR/ZHqd270MWXvoBpNP9emICtX/3ihRkO12WHOLtnPi
+      GXFc1aNFMEMwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYD
+      VR0OBBYEFHDt80xkzE3Exi1WM+VVzzyXhEQoMAoGCCqGSM49BAMCA0gAMEUCIQDX
+      BpIMV3NMh5L43WVSrcTTy1CzPjRgvuVLXiywYJyBvAIgdL0sulAwaHxROQs4Unxb
+      tIay7PKwoMrycoW6DiZV4C8=
+      -----END CERTIFICATE-----
+  tapInjector:
+    externalSecret: true
+    caBundle: |
+      -----BEGIN CERTIFICATE-----
+      MIIBjTCCATOgAwIBAgIQOOvm1fwbj66IoBnM+oKjbzAKBggqhkjOPQQDAjAlMSMw
+      IQYDVQQDExpyb290LmxpbmtlcmQuY2x1c3Rlci5sb2NhbDAeFw0yNDEwMjQyMjIx
+      MjVaFw0zNDEwMjIyMjIxMjVaMCUxIzAhBgNVBAMTGnJvb3QubGlua2VyZC5jbHVz
+      dGVyLmxvY2FsMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAELj/OdEiXV5kUJAha
+      7+dKe4yiViuVtDMkhzIaWoR/ZHqd270MWXvoBpNP9emICtX/3ihRkO12WHOLtnPi
+      GXFc1aNFMEMwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYD
+      VR0OBBYEFHDt80xkzE3Exi1WM+VVzzyXhEQoMAoGCCqGSM49BAMCA0gAMEUCIQDX
+      BpIMV3NMh5L43WVSrcTTy1CzPjRgvuVLXiywYJyBvAIgdL0sulAwaHxROQs4Unxb
+      tIay7PKwoMrycoW6DiZV4C8=
+      -----END CERTIFICATE-----
   dashboard:
     service:
       annotations:

linkerd/init.sh

@@ -7,3 +7,22 @@ step-cli certificate create root.linkerd.cluster.local ca.crt ca.key \
     --namespace=linkerd &&
   yq e -i '.["linkerd-control-plane"].identityTrustAnchorsPEM=load_str("ca.crt")' values.yaml &&
   rm ca.crt ca.key
+
+step-cli certificate create webhook.linkerd.cluster.local webhook_ca.crt webhook_ca.key \
+  --profile root-ca --no-password --insecure --san webhook.linkerd.cluster.local &&
+  kubectl create secret tls \
+    webhook-issuer-tls \
+    --cert=webhook_ca.crt \
+    --key=webhook_ca.key \
+    --namespace=linkerd &&
+  kubectl create secret tls \
+    webhook-issuer-tls \
+    --cert=webhook_ca.crt \
+    --key=webhook_ca.key \
+    --namespace=linkerd-viz &&
+  yq e -i '.["linkerd-control-plane"].policyValidator.caBundle=load_str("webhook_ca.crt")' values.yaml &&
+  yq e -i '.["linkerd-control-plane"].proxyInjector.caBundle=load_str("webhook_ca.crt")' values.yaml &&
+  yq e -i '.["linkerd-control-plane"].profileValidator.caBundle=load_str("webhook_ca.crt")' values.yaml &&
+  yq e -i '.["linkerd-viz"].tap.caBundle=load_str("webhook_ca.crt")' ../linkerd-viz/values.yaml &&
+  yq e -i '.["linkerd-viz"].tapInjector.caBundle=load_str("webhook_ca.crt")' ../linkerd-viz/values.yaml &&
+  rm webhook_ca.crt webhook_ca.key

linkerd/templates/policy-validator-certificate.yaml

@@ -0,0 +1,20 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: linkerd-policy-validator
+spec:
+  secretName: linkerd-policy-validator-k8s-tls
+  duration: 24h
+  renewBefore: 1h
+  issuerRef:
+    name: webhook-issuer
+    kind: Issuer
+  commonName: linkerd-policy-validator.linkerd.svc
+  dnsNames:
+  - linkerd-policy-validator.linkerd.svc
+  isCA: false
+  privateKey:
+    algorithm: ECDSA
+    encoding: PKCS8
+  usages:
+  - server auth

linkerd/templates/proxy-injector-certificate.yaml

@@ -0,0 +1,19 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: linkerd-proxy-injector
+spec:
+  secretName: linkerd-proxy-injector-k8s-tls
+  duration: 24h
+  renewBefore: 1h
+  issuerRef:
+    name: webhook-issuer
+    kind: Issuer
+  commonName: linkerd-proxy-injector.linkerd.svc
+  dnsNames:
+  - linkerd-proxy-injector.linkerd.svc
+  isCA: false
+  privateKey:
+    algorithm: ECDSA
+  usages:
+  - server auth

linkerd/templates/sp-validator-certificate.yaml

@@ -0,0 +1,19 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: linkerd-sp-validator
+spec:
+  secretName: linkerd-sp-validator-k8s-tls
+  duration: 24h
+  renewBefore: 1h
+  issuerRef:
+    name: webhook-issuer
+    kind: Issuer
+  commonName: linkerd-sp-validator.linkerd.svc
+  dnsNames:
+  - linkerd-sp-validator.linkerd.svc
+  isCA: false
+  privateKey:
+    algorithm: ECDSA
+  usages:
+  - server auth

linkerd/templates/webhook-issuer.yaml

@@ -0,0 +1,7 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: webhook-issuer
+spec:
+  ca:
+    secretName: webhook-issuer-tls

linkerd/values.yaml

@@ -17,6 +17,48 @@ linkerd-control-plane:
     -----END CERTIFICATE-----
   proxy:
     nativeSidecar: true
+  policyValidator:
+    externalSecret: true
+    caBundle: |
+      -----BEGIN CERTIFICATE-----
+      MIIBjTCCATOgAwIBAgIQOOvm1fwbj66IoBnM+oKjbzAKBggqhkjOPQQDAjAlMSMw
+      IQYDVQQDExpyb290LmxpbmtlcmQuY2x1c3Rlci5sb2NhbDAeFw0yNDEwMjQyMjIx
+      MjVaFw0zNDEwMjIyMjIxMjVaMCUxIzAhBgNVBAMTGnJvb3QubGlua2VyZC5jbHVz
+      dGVyLmxvY2FsMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAELj/OdEiXV5kUJAha
+      7+dKe4yiViuVtDMkhzIaWoR/ZHqd270MWXvoBpNP9emICtX/3ihRkO12WHOLtnPi
+      GXFc1aNFMEMwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYD
+      VR0OBBYEFHDt80xkzE3Exi1WM+VVzzyXhEQoMAoGCCqGSM49BAMCA0gAMEUCIQDX
+      BpIMV3NMh5L43WVSrcTTy1CzPjRgvuVLXiywYJyBvAIgdL0sulAwaHxROQs4Unxb
+      tIay7PKwoMrycoW6DiZV4C8=
+      -----END CERTIFICATE-----
+  proxyInjector:
+    externalSecret: true
+    caBundle: |
+      -----BEGIN CERTIFICATE-----
+      MIIBjTCCATOgAwIBAgIQOOvm1fwbj66IoBnM+oKjbzAKBggqhkjOPQQDAjAlMSMw
+      IQYDVQQDExpyb290LmxpbmtlcmQuY2x1c3Rlci5sb2NhbDAeFw0yNDEwMjQyMjIx
+      MjVaFw0zNDEwMjIyMjIxMjVaMCUxIzAhBgNVBAMTGnJvb3QubGlua2VyZC5jbHVz
+      dGVyLmxvY2FsMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAELj/OdEiXV5kUJAha
+      7+dKe4yiViuVtDMkhzIaWoR/ZHqd270MWXvoBpNP9emICtX/3ihRkO12WHOLtnPi
+      GXFc1aNFMEMwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYD
+      VR0OBBYEFHDt80xkzE3Exi1WM+VVzzyXhEQoMAoGCCqGSM49BAMCA0gAMEUCIQDX
+      BpIMV3NMh5L43WVSrcTTy1CzPjRgvuVLXiywYJyBvAIgdL0sulAwaHxROQs4Unxb
+      tIay7PKwoMrycoW6DiZV4C8=
+      -----END CERTIFICATE-----
+  profileValidator:
+    externalSecret: true
+    caBundle: |
+      -----BEGIN CERTIFICATE-----
+      MIIBjTCCATOgAwIBAgIQOOvm1fwbj66IoBnM+oKjbzAKBggqhkjOPQQDAjAlMSMw
+      IQYDVQQDExpyb290LmxpbmtlcmQuY2x1c3Rlci5sb2NhbDAeFw0yNDEwMjQyMjIx
+      MjVaFw0zNDEwMjIyMjIxMjVaMCUxIzAhBgNVBAMTGnJvb3QubGlua2VyZC5jbHVz
+      dGVyLmxvY2FsMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAELj/OdEiXV5kUJAha
+      7+dKe4yiViuVtDMkhzIaWoR/ZHqd270MWXvoBpNP9emICtX/3ihRkO12WHOLtnPi
+      GXFc1aNFMEMwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYD
+      VR0OBBYEFHDt80xkzE3Exi1WM+VVzzyXhEQoMAoGCCqGSM49BAMCA0gAMEUCIQDX
+      BpIMV3NMh5L43WVSrcTTy1CzPjRgvuVLXiywYJyBvAIgdL0sulAwaHxROQs4Unxb
+      tIay7PKwoMrycoW6DiZV4C8=
+      -----END CERTIFICATE-----
 linkerd2-cni:
   repairController:
     enabled: true