adjustments for gateways and configuration of default private key sizes
MartinWeindel committed Apr 24, 2024
1 parent 6e4f483 commit 09dad08
Showing 10 changed files with 255 additions and 1 deletion.
Expand Up @@ -90,6 +90,15 @@ spec:
{{- range $idx, $flag := .Values.additionalConfiguration }}
- {{ $flag }}
{{- end }}
{{- if .Values.configuration.privateKeyDefaults.algorithm }}
- --default-private-key-algorithm={{ .Values.configuration.privateKeyDefaults.algorithm }}
{{- end }}
{{- if .Values.configuration.privateKeyDefaults.sizeRSA }}
- --default-rsa-private-key-size={{ .Values.configuration.privateKeyDefaults.sizeRSA }}
{{- end }}
{{- if .Values.configuration.privateKeyDefaults.sizeECDSA }}
- --default-ecdsa-private-key-size={{ .Values.configuration.privateKeyDefaults.sizeECDSA }}
{{- end }}
{{- if .Values.configuration.caCertificates }}
env:
- name: LEGO_CA_SYSTEM_CERT_POOL
4 changes: 4 additions & 0 deletions charts/internal/shoot-cert-management-seed/values.yaml
Expand Up @@ -77,6 +77,10 @@ configuration:
# -----END CERTIFICATE-----
deactivateAuthorizations: true
certExpirationAlertDays: 15
privateKeyDefaults:
algorithm: RSA
sizeRSA: 3072
sizeECDSA: 384

additionalConfiguration:
- --kubeconfig.disable-deploy-crds
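Review bot: The new `privateKeyDefaults` block under `configuration` carries no comment saying what the three values mean or where they end up, and the deployment template on this page passes them verbatim into the container args (`--default-private-key-algorithm`, `--default-rsa-private-key-size`, `--default-ecdsa-private-key-size`). A reader of values.yaml alone cannot tell that `algorithm` must be `RSA` or `ECDSA` or that the sizes are key sizes in bits. Suggest adding above the block: `# Default key algorithm ('RSA' or 'ECDSA') and key sizes in bits; values are passed unchanged to the cert-management --default-*-private-key-* flags.`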
22 changes: 21 additions & 1 deletion charts/internal/shoot-cert-management-shoot/templates/rbac.yaml
Expand Up @@ -8,7 +8,6 @@ metadata:
app.kubernetes.io/managed-by: {{ .Release.Service }}
rules:
- apiGroups:
- "extensions"
- "networking.k8s.io"
resources:
- ingresses
Expand All @@ -17,6 +16,26 @@ rules:
- list
- update
- watch
- apiGroups:
- "gateway.networking.k8s.io"
resources:
- gateways
- httproutes
verbs:
- get
- list
- update
- watch
- apiGroups:
- "networking.istio.io"
resources:
- gateways
- virtualservices
verbs:
- get
- list
- update
- watch
- apiGroups:
- ""
resources:
Expand Down Expand Up @@ -84,6 +103,7 @@ rules:
- list
- update
- create
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
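Review bot: The two new rules grant `update` on `gateways`, `httproutes` (gateway.networking.k8s.io) and `gateways`, `virtualservices` (networking.istio.io) across the whole shoot cluster, and these objects control traffic routing, so a compromise of the controller's service account would allow rewriting routes. If the controller only reads them to derive hostnames for certificates, the verb lists should be trimmed to `get`, `list`, `watch`; if it does write to them (annotations or status), a short comment on each rule stating why `update` is required would make the grant reviewable. The rule that gains `watch` in the last hunk has its resources outside the hunk, so its scope cannot be judged from here.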
69 changes: 69 additions & 0 deletions hack/api-reference/service.md
Expand Up @@ -112,6 +112,20 @@ Alerting
<p>Alerting contains configuration for alerting of certificate expiration.</p>
</td>
</tr>
<tr>
<td>
<code>privateKeyDefaults</code></br>
<em>
<a href="#service.cert.extensions.gardener.cloud/v1alpha1.PrivateKeyDefaults">
PrivateKeyDefaults
</a>
</em>
</td>
<td>
<em>(Optional)</em>
<p>PrivateKeyDefaults default algorithm and sizes for certificate private keys.</p>
</td>
</tr>
</tbody>
</table>
<h3 id="service.cert.extensions.gardener.cloud/v1alpha1.ACMEExternalAccountBinding">ACMEExternalAccountBinding
Expand Down Expand Up @@ -409,6 +423,61 @@ Format <code>host</code> or <code>host:port</code>, e.g. &ldquo;8.8.8.8&rdquo; s
</tr>
</tbody>
</table>
<h3 id="service.cert.extensions.gardener.cloud/v1alpha1.PrivateKeyDefaults">PrivateKeyDefaults
</h3>
<p>
(<em>Appears on:</em>
<a href="#service.cert.extensions.gardener.cloud/v1alpha1.CertConfig">CertConfig</a>)
</p>
<p>
<p>PrivateKeyDefaults default algorithm and sizes for certificate private keys.</p>
</p>
<table>
<thead>
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<code>algorithm</code></br>
<em>
string
</em>
</td>
<td>
<em>(Optional)</em>
<p>Algorithm is the default algorithm (&lsquo;RSA&rsquo; or &lsquo;ECDSA&rsquo;)</p>
</td>
</tr>
<tr>
<td>
<code>sizeRSA</code></br>
<em>
int
</em>
</td>
<td>
<em>(Optional)</em>
<p>SizeRSA is the default size for RSA algorithm.</p>
</td>
</tr>
<tr>
<td>
<code>sizeECDSA</code></br>
<em>
int
</em>
</td>
<td>
<em>(Optional)</em>
<p>SizeECDSA is the default size for ECDSA algorithm.</p>
</td>
</tr>
</tbody>
</table>
<h3 id="service.cert.extensions.gardener.cloud/v1alpha1.ShootIssuers">ShootIssuers
</h3>
<p>
13 changes: 13 additions & 0 deletions pkg/apis/service/types.go
Expand Up @@ -31,6 +31,19 @@ type CertConfig struct {

// Alerting contains configuration for alerting of certificate expiration.
Alerting *Alerting

// PrivateKeyDefaults default algorithm and sizes for certificate private keys.
PrivateKeyDefaults *PrivateKeyDefaults
}

// PrivateKeyDefaults default algorithm and sizes for certificate private keys.
type PrivateKeyDefaults struct {
// Algorithm is the default algorithm ('RSA' or 'ECDSA')
Algorithm *string
// SizeRSA is the default size for RSA algorithm.
SizeRSA *int
// SizeECDSA is the default size for ECDSA algorithm.
SizeECDSA *int
}

// Alerting contains configuration for alerting of certificate expiration.
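Review bot: The field comments on the new `PrivateKeyDefaults` struct state neither units nor accepted values, so a caller cannot tell whether `SizeRSA: 3072` means bits and what happens for an unsupported `Algorithm`. Suggest `// SizeRSA is the default RSA key size in bits.`, `// SizeECDSA is the default ECDSA key size in bits (curve size).` and `// Algorithm is the default key algorithm; only "RSA" and "ECDSA" are valid.`, plus rewording the type comment to `// PrivateKeyDefaults defines the default algorithm and key sizes for certificate private keys.`. Nothing on this page shows validation enforcing the two allowed algorithm values, so the comment should also say where that is enforced once confirmed. The same comments apply to the mirrored struct in pkg/apis/service/v1alpha1/types.go.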
17 changes: 17 additions & 0 deletions pkg/apis/service/v1alpha1/types.go
Expand Up @@ -57,6 +57,23 @@ type CertConfig struct {
// Alerting contains configuration for alerting of certificate expiration.
// +optional
Alerting *Alerting `json:"alerting,omitempty"`

// PrivateKeyDefaults default algorithm and sizes for certificate private keys.
// +optional
PrivateKeyDefaults *PrivateKeyDefaults `json:"privateKeyDefaults,omitempty"`
}

// PrivateKeyDefaults default algorithm and sizes for certificate private keys.
type PrivateKeyDefaults struct {
// Algorithm is the default algorithm ('RSA' or 'ECDSA')
// +optional
Algorithm *string `json:"algorithm,omitempty"`
// SizeRSA is the default size for RSA algorithm.
// +optional
SizeRSA *int `json:"sizeRSA,omitempty"`
// SizeECDSA is the default size for ECDSA algorithm.
// +optional
SizeECDSA *int `json:"sizeECDSA,omitempty"`
}

// Alerting contains configuration for alerting of certificate expiration.
36 changes: 36 additions & 0 deletions pkg/apis/service/v1alpha1/zz_generated.conversion.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

36 changes: 36 additions & 0 deletions pkg/apis/service/v1alpha1/zz_generated.deepcopy.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

36 changes: 36 additions & 0 deletions pkg/apis/service/zz_generated.deepcopy.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

14 changes: 14 additions & 0 deletions pkg/controller/actuator.go
Expand Up @@ -302,6 +302,20 @@ func (a *actuator) createSeedResources(ctx context.Context, certConfig *service.
cfg["certExpirationAlertDays"] = *certConfig.Alerting.CertExpirationAlertDays
}

if certConfig.PrivateKeyDefaults != nil {
defaults := map[string]interface{}{}
if certConfig.PrivateKeyDefaults.Algorithm != nil {
defaults["algorithm"] = *certConfig.PrivateKeyDefaults.Algorithm
}
if certConfig.PrivateKeyDefaults.SizeRSA != nil {
defaults["sizeRSA"] = *certConfig.PrivateKeyDefaults.SizeRSA
}
if certConfig.PrivateKeyDefaults.SizeECDSA != nil {
defaults["sizeECDSA"] = *certConfig.PrivateKeyDefaults.SizeECDSA
}
cfg["privateKeyDefaults"] = defaults
}

certManagementConfig, err = chart.InjectImages(certManagementConfig, imagevector.ImageVector(), []string{v1alpha1.CertManagementImageName})
if err != nil {
return fmt.Errorf("failed to find image version for %s: %v", v1alpha1.CertManagementImageName, err)
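Review bot: The new block copies `Algorithm`, `SizeRSA` and `SizeECDSA` from the extension config into the chart values without any check, and the deployment template on this page interpolates those values straight into container args, so whatever string the shoot's extension spec carries reaches the rendered manifest. If the API validation for `PrivateKeyDefaults` does not already restrict the algorithm to `RSA`/`ECDSA` and the sizes to positive integers, that check belongs here before `defaults` is filled, e.g. `if alg := *certConfig.PrivateKeyDefaults.Algorithm; alg != "RSA" && alg != "ECDSA" {` / `return fmt.Errorf("unsupported private key algorithm %q", alg)` / `}`; if validation exists elsewhere, a one-line comment naming it would save the next reader the search. Note also that `cfg["privateKeyDefaults"]` is set to an empty map when all three fields are nil, which is harmless for the template but worth a comment. `createSeedResources` starts and ends outside the hunk.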

0 comments on commit 09dad08

Please sign in to comment.