Add certificate updater

mhoshi-vm · Dec 12, 2024 · cbff45b · cbff45b
1 parent 7b099f5
commit cbff45b
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 19 deletions.
diff --git a/manifests/tpk8s-opinionated.tanzu.japan.com/10.0.0/secretgen/certificate.yaml b/manifests/tpk8s-opinionated.tanzu.japan.com/10.0.0/secretgen/certificate.yaml
@@ -1,43 +1,50 @@
 #@ load("@ytt:data", "data")
 #@ if data.values.tp.ingress.self_signed_cert:
 ---
-apiVersion: secretgen.k14s.io/v1alpha1
-kind: Certificate
+apiVersion: cert-manager.io/v1
+kind: Issuer
 metadata:
-  name: root-ca-cert
+  name: tp-root-issuer
   namespace: #@ data.values.tp.namespace
-  annotations:
-    kapp.k14s.io/change-group: "secrettemplate"
 spec:
-  isCA: true
+  selfSigned: {}
 ---
-apiVersion: secretgen.k14s.io/v1alpha1
+apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
-  name: inter-ca-cert
+  name: tp-cert
   namespace: #@ data.values.tp.namespace
-  annotations:
-    kapp.k14s.io/change-group: "secrettemplate"
 spec:
-  caRef:
-    name: root-ca-cert
-  #! https://github.gwd.broadcom.net/TNZ/ensemble-self-managed/blob/master/installer/pkg/install/certificate_step.go#L59
+  isCA: true
   commonName: #@ data.values.tp.ingress.host
-  alternativeNames:
+  secretName: tp-cert
+  dnsNames:
     - localhost
     - #@ data.values.tp.ingress.host
     - #@ "*." + data.values.tp.ingress.host
+  issuerRef:
+    name: tp-root-issuer
+    kind: Issuer
+    group: cert-manager.io
+  privateKey:
+    encoding: PKCS8
+    size: 4096
+  usages:
+    - digital signature
+    - key encipherment
+    - cert sign
+    - server auth
 #@ else:
 ---
 apiVersion: v1
 kind: Secret
 metadata:
-  name: inter-ca-cert
+  name: tp-cert
   namespace: #@ data.values.tp.namespace
   annotations:
     kapp.k14s.io/change-group: "secrettemplate"
 type: Opaque
 stringData:
-  crt.pem: #@ data.values.tp.ingress.certificate
-  key.pem: #@ data.values.tp.ingress.privateKey
+  tls.crt: #@ data.values.tp.ingress.certificate
+  tls.key: #@ data.values.tp.ingress.privateKey
 #@ end
diff --git a/manifests/tpk8s-opinionated.tanzu.japan.com/10.0.0/values-template/secret-template.yaml b/manifests/tpk8s-opinionated.tanzu.japan.com/10.0.0/values-template/secret-template.yaml
@@ -113,8 +113,8 @@ spec:
         ---
         ingress:
           tls:
-            certificate: #@ base64.decode("$(.inter-ca-cert.data.crt\.pem)")
-            privateKey: #@ base64.decode("$(.inter-ca-cert.data.key\.pem)")
+            certificate: #@ base64.decode("$(.tp-cert.tls\.crt)")
+            privateKey: #@ base64.decode("$(.tp-cert.tls\.key)")
         postgresql:
           password: #@ base64.decode("$(.postgres-pass.data.pass)")
         clickhouse: