# A SelfSigned ClusterIssuer signs a Certificate with that Certificate's own
# private key. It is cert-manager's mechanism for minting a root CA, and is
# used once here to bootstrap the root below.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-issuer
spec:
  selfSigned: {}
---
# Root certificate for the mesh. Roots are self-signed, must be CAs, and get a
# longer lifetime than anything they sign.
# It lives in the "cert-manager" namespace because the CA-backed ClusterIssuer
# below reads its signing Secret from cert-manager's cluster resource
# namespace.
# NOTE(review): the Secret named by secretName will hold the root's private
# key alongside ca.crt, so the root key stays online in-cluster. Acceptable
# for a workshop; for production keep the root offline and import only an
# intermediate.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: workshop-root
  namespace: cert-manager
spec:
  secretName: linkerd-trust-anchor
  isCA: true
  commonName: root.linkerd.cluster.local
  # 365 days. No renewBefore is set, so cert-manager's default renewal window
  # applies; a renewed root must be re-distributed via the trust Bundle.
  duration: 8760h
  privateKey:
    algorithm: ECDSA
    size: 256
  # Only the usages a signing CA needs -- deliberately no TLS server/client
  # auth on the root.
  usages:
    - cert sign
    - crl sign
  issuerRef:
    group: cert-manager.io
    kind: ClusterIssuer
    name: selfsigned-issuer
---
# Once we've created the root certificate, we create a CA ClusterIssuer that
# signs with it. This is cert-manager's in-cluster issuance path: the issuer
# reads the signing key and certificate from the named Secret (looked up in
# the cluster resource namespace, cert-manager).
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: workshop-intermediate-issuer
spec:
  ca:
    secretName: linkerd-trust-anchor
---
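# Intermediate (identity issuer) certificate: the CA Linkerd's identity
# controller uses to sign proxy certificates. It can be much shorter-lived
# than the root because cert-manager renews it automatically and Linkerd
# (configured to use this Secret as its issuer) reloads the renewed Secret.
# renewBefore: 25h follows Linkerd's documented cert-manager setup, so a fresh
# issuer is always in place with plenty of margin before the old one expires.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: linkerd-identity-issuer
  namespace: linkerd
spec:
  secretName: linkerd-identity-issuer
  isCA: true
  commonName: identity.linkerd.cluster.local
  dnsNames:
    - identity.linkerd.cluster.local
  duration: 48h
  renewBefore: 25h
  privateKey:
    algorithm: ECDSA  # Linkerd's docs call for an ECDSA P-256 issuer key
    size: 256
  issuerRef:
    name: workshop-intermediate-issuer
    kind: ClusterIssuer
    group: cert-manager.io
  # NOTE(review): server auth / client auth are broader than a pure signing CA
  # needs. They match Linkerd's documented issuer manifest, so only drop them
  # after confirming the identity controller does not rely on them.
  usages:
    - cert sign
    - crl sign
    - server auth
    - client auth
---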
# Publish the long-lived root to other namespaces with trust-manager. Only
# ca.crt is read from the Secret -- the root's private key is never copied.
# With no target.namespaceSelector the resulting ConfigMap lands in every
# namespace; Linkerd only needs it in the linkerd namespace, but the public
# root is not sensitive, so the workshop keeps the default. The ConfigMap
# takes the Bundle's name, which is the name Linkerd expects for its trust
# roots.
apiVersion: trust.cert-manager.io/v1alpha1
kind: Bundle
metadata:
  name: linkerd-identity-trust-roots
spec:
  sources:
    - secret:
        name: 'linkerd-trust-anchor'
        key: 'ca.crt'
  target:
    configMap:
      key: 'ca-bundle.crt'