docs: add install without cert-manager documentation
davidebianchi committed Jun 4, 2024
1 parent a5865c3 commit 9662da9
Showing 6 changed files with 10,418 additions and 5 deletions.
4 changes: 4 additions & 0 deletions docs/FAQ.mdx
Expand Up @@ -11,6 +11,10 @@ Have you set the [cluster autoscaler](https://github.com/kubernetes/autoscaler/t
If cluster autoscaler is set up, it should be correctly configured to scale down the nodes.
To see the possible issues, check the [cluster autoscaler documentation](https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/FAQ.md#i-have-a-couple-of-nodes-with-low-utilization-but-they-are-not-scaled-down-why).

### I want avoid to deploy cert-manager. What are the alternatives?

You can find alternatives to cert-manager installation in the [cert-manager alternatives](/docs/advanced/webhook-cert-management#without-cert-manager) section.

### How many CO2 is produced by pod?

This calculations are based on the following assumptions:
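Review bot: the new FAQ heading "I want avoid to deploy cert-manager. What are the alternatives?" is ungrammatical; suggest "I want to avoid deploying cert-manager. What are the alternatives?". The link target `/docs/advanced/webhook-cert-management#without-cert-manager` does match the `## Without cert-manager` heading introduced in the new page, so the anchor resolves.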
2 changes: 1 addition & 1 deletion docs/advanced/uninstall.md
@@ -1,5 +1,5 @@
---
sidebar_position: 2
sidebar_position: 10
---

# Uninstall
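Review bot: the `sidebar_position` change from 2 to 10 for the Uninstall page is not mentioned in the commit message; if the intent is simply to keep Uninstall after the new Certificate Management page (which uses `sidebar_position: 1`), a one-line note in the commit description would make that clear to reviewers.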
153 changes: 153 additions & 0 deletions docs/advanced/webhook-cert-management.md
@@ -0,0 +1,153 @@
---
sidebar_position: 1
---

# Certificate Management

`kube-green` webhooks require a valid certificate exposes the webhook server to the Kubernetes API server.

## With cert-manager

By default, `kube-green` webhooks are designed to work with `cert-manager`.
This is the recommended way to manage certificates for the webhook.

## Without cert-manager

If you want to avoid deploying `cert-manager`, you can use the following alternatives.

### Manual management of certificates

To manually manage the certificates, you need to create a K8s secret of type `kubernetes.io/tls` with `tls.crt` and `tls.key` keys.
The certificate in this secret must be signed by a CA and valid for the DNS name:

- SERVICE_NAME
- SERVICE_NAME.NAMESPACE
- SERVICE_NAME.NAMESPACE.svc
- SERVICE_NAME.NAMESPACE.svc.cluster.local

where `SERVICE_NAME` is the name of the service (eg. `kube-green`) and `NAMESPACE` is the namespace where the service is deployed.

The CA which sign the certificate must be set as caBundle of clientConfig in the webhook configuration.

Example of the webhook configuration to patch:

```yaml
webhooks:
- name: vsleepinfo.kb.io
clientConfig:
caBundle: <CA_BUNDLE>
```
Each time the certificate will expire, you will need to update the secret with a new certificate.
### Automated Management of Webhook Certificates
Another solution is to use a tool that automatically rotates the certificates.
You can add it as `initContainer` in the `kube-green` deployment, or set up a specific `Job` which manage it at deploy (for example, as helm hook).

The following is an example of the configured `initContainer`. It is needed to replace `<SERVICE_NAME>` and `<SECRET_NAME>` with the correct ones.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: kube-green
spec:
template:
spec:
initContainers:
- name: kube-webhook-certgen
image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:latest
args:
- create
- --host=$(SERVICE_NAME),$(SERVICE_NAME).$(POD_NAMESPACE).svc
- --namespace=$(POD_NAMESPACE)
- --secret-name=$(SECRET_NAME)
- --cert-name=tls.crt
- --key-name=tls.key
env:
- name: SERVICE_NAME
value: <SERVICE_NAME>
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: SECRET_NAME
value: <SECRET_NAME>
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
privileged: false
seccompProfile:
type: RuntimeDefault
capabilities:
drop:
- ALL
volumeMounts:
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: serviceaccount-token
readOnly: true
- name: kube-webhook-certpatch
image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:latest
args:
- patch
- --namespace=$(POD_NAMESPACE)
- --patch-mutating=false
- --patch-validating=true
- --secret-name=$(SECRET_NAME)
- --webhook-name=kube-green
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: SECRET_NAME
value: SECRET
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
privileged: false
seccompProfile:
type: RuntimeDefault
capabilities:
drop:
- ALL
volumeMounts:
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: serviceaccount-token
readOnly: true
containers:
- name: kube-green
image: ghcr.io/kube-green/kube-green:latest
...other configuration...
volumeMounts:
- name: webhook-tls
mountPath: /tmp/k8s-webhook-server/serving-certs
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: serviceaccount-token
readOnly: true
volumes:
- name: webhook-tls
secret:
secretName: <SECRET_NAME>
optional: true
- name: serviceaccount-token
projected:
defaultMode: 0444
sources:
- serviceAccountToken:
expirationSeconds: 3600
path: token
- configMap:
items:
- key: ca.crt
path: ca.crt
name: kube-root-ca.crt
- downwardAPI:
items:
- fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
path: namespace
```
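Review bot: in the `kube-webhook-certpatch` init container, `SECRET_NAME` is set to the literal `SECRET`, while the `kube-webhook-certgen` container and the `webhook-tls` volume both use the `<SECRET_NAME>` placeholder; as written, the patch step reads the CA from a secret the create step never wrote, so the `caBundle` injected into the webhook configuration will not match the serving certificate (or the patch fails because the secret does not exist). Replace it with `value: <SECRET_NAME>`. Two further points on the same example: `--host=$(SERVICE_NAME),$(SERVICE_NAME).$(POD_NAMESPACE).svc` covers only two of the four DNS names the manual section says the certificate must be valid for, so either add `$(SERVICE_NAME).$(POD_NAMESPACE)` and `$(SERVICE_NAME).$(POD_NAMESPACE).svc.cluster.local` to `--host` or reconcile the list above; and the init containers create a Secret and patch a ValidatingWebhookConfiguration, which requires RBAC (a Role on `secrets` in the namespace and a ClusterRole on `validatingwebhookconfigurations`) bound to the pod's ServiceAccount, which the page never mentions, so readers following it will hit a forbidden error. `--webhook-name=kube-green` is the name of the ValidatingWebhookConfiguration object rather than the `vsleepinfo.kb.io` entry shown in the manual section, and should probably be a placeholder like the other values. The `:latest` tag on `kube-webhook-certgen` should be pinned to a release tag or digest, since this image is the one that mints the webhook's serving certificate. Prose nits: "require a valid certificate exposes the webhook server" should read "require a valid certificate to expose the webhook server"; "The CA which sign the certificate" should be "signs"; "Each time the certificate will expire" should be "Each time the certificate expires"; and the new file is missing blank lines after the first closing fence and before the `### Automated Management of Webhook Certificates` heading.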
17 changes: 15 additions & 2 deletions docusaurus.config.js
Expand Up @@ -3,7 +3,7 @@

const {themes} = require('prism-react-renderer');
const lightCodeTheme = themes.github;
const darkCodeTheme = themes.dracula;
const darkCodeTheme = themes.vsDark;

const LOGO_IMAGE = 'img/logo.svg';
const GITHUB_BASE_URL = 'https://github.com/kube-green/kube-green.github.io/'
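Review bot: switching the dark Prism theme from `themes.dracula` to `themes.vsDark` is unrelated to the commit's stated purpose (docs for installing without cert-manager); consider moving the theme and dependency changes into their own commit so the documentation change stays reviewable on its own.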
Expand Down Expand Up @@ -86,7 +86,20 @@ const config = {
},
prism: {
theme: lightCodeTheme,
darkTheme: darkCodeTheme,
darkTheme: {
...darkCodeTheme,
styles: [
...darkCodeTheme.styles,
{
types: ['key'],
languages: ['yaml'],
style: {
color: 'rgb(215, 186, 125)'
}
}
]
},
additionalLanguages: ['yaml', 'json'],
},
algolia: {
appId: 'OO5LH8JODS',
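Review bot: the `rgb(215, 186, 125)` colour for yaml `key` tokens is a bare literal with no explanation; a short comment on why this value was chosen would help future maintainers. Note also that the override is scoped to `languages: ['yaml']`, so keys in the newly added `json` language still render with the base `vsDark` styles, which may or may not be intended.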
4 changes: 2 additions & 2 deletions package.json
Expand Up @@ -28,9 +28,9 @@
"react-player": "^2.16.0"
},
"devDependencies": {
"@docusaurus/module-type-aliases": "^3.1.0",
"@docusaurus/module-type-aliases": "^3.4.0",
"@docusaurus/tsconfig": "^3.4.0",
"@docusaurus/types": "^3.1.0",
"@docusaurus/types": "^3.4.0",
"@types/js-yaml": "^4.0.9",
"@typescript-eslint/eslint-plugin": "^6.19.0",
"@typescript-eslint/parser": "^6.19.0",
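Review bot: `@docusaurus/module-type-aliases` and `@docusaurus/types` move to `^3.4.0`, matching the existing `@docusaurus/tsconfig` line, but the `@docusaurus/core` and preset entries under `dependencies` are outside this hunk; Docusaurus packages are expected to share one version, so please confirm those were bumped as well. The summary lists six changed files but only five are shown here, so the lockfile update cannot be checked from this view.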