// Copyright (c) 2021 Gitpod GmbH. All rights reserved.
// Licensed under the GNU Affero General Public License (AGPL).
// See License.AGPL.txt in the project root for license information.
package cluster
import (
"fmt"
"time"
"github.com/gitpod-io/gitpod/installer/pkg/common"
"github.com/gitpod-io/gitpod/installer/pkg/config/v1/experimental"
trust "github.com/cert-manager/trust-manager/pkg/apis/trust/v1alpha1"
v1 "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1"
cmmeta "github.com/jetstack/cert-manager/pkg/apis/meta/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/utils/pointer"
)
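// caCertSecretSource returns a trust-manager bundle source that reads the
// "ca.crt" key from the named Secret. Both the self-signed trust root and the
// operator-supplied custom CA are published in this shape, so the selector is
// built here instead of being spelled out once per bundle.
func caCertSecretSource(secretName string) trust.BundleSource {
	return trust.BundleSource{
		Secret: &trust.SourceObjectKeySelector{
			Name:        secretName,
			KeySelector: trust.KeySelector{Key: "ca.crt"},
		},
	}
}

// certmanager renders the cert-manager and trust-manager objects that make up
// Gitpod's in-cluster PKI:
//
//   - a self-signed ClusterIssuer,
//   - a root CA Certificate signed by it (in the cert-manager namespace, or the
//     experimental override),
//   - a CA ClusterIssuer backed by that root's Secret,
//   - an intermediate CA Certificate in the Gitpod namespace, issued by the CA
//     ClusterIssuer,
//   - trust Bundles that distribute the CA certificates to consumers as
//     ConfigMaps.
//
// When ctx.Config.CustomCACert is set, that Secret's "ca.crt" is appended to
// the main bundle and additionally published as its own Bundle.
//
// The returned error is always nil; the signature follows the other component
// render functions.
func certmanager(ctx *common.RenderContext) ([]runtime.Object, error) {
	const (
		issuerName   = "gitpod-self-signed-issuer"
		secretCAName = "gitpod-identity-trust-root"

		// Lifetimes of the two CA certificates. RenewBefore is left unset on
		// both Certificates. Note that 2190h is a little over 91 days, not 90.
		rootCADuration         = 8760 * time.Hour // 365 days
		intermediateCADuration = 2190 * time.Hour // ~91 days
	)

	// The main bundle combines the system default CA set with the Gitpod trust
	// root, so the ConfigMap it produces is a full trust store rather than just
	// Gitpod's own CA.
	gitpodCaBundleSources := []trust.BundleSource{
		{UseDefaultCAs: pointer.Bool(true)},
		caCertSecretSource(secretCAName),
	}

	// Sources for the optional customer-certificate bundle. Kept non-nil so an
	// empty list serializes as [] rather than null.
	gitpodCustomCertificateBundleSource := []trust.BundleSource{}

	if ctx.Config.CustomCACert != nil {
		// The custom CA is trusted alongside the Gitpod root in the main bundle
		// and also exposed on its own; each append gets its own selector value.
		gitpodCaBundleSources = append(gitpodCaBundleSources,
			caCertSecretSource(ctx.Config.CustomCACert.Name))
		gitpodCustomCertificateBundleSource = append(gitpodCustomCertificateBundleSource,
			caCertSecretSource(ctx.Config.CustomCACert.Name))
	}

	// TODO (gpl): This is a workaround to untangle the refactoring of existing
	// infrastructure from moving forward with this change.
	caCertificateNamespace := "cert-manager" // the default we want to converge on, eventually
	// The callback never returns an error, so there is nothing to propagate
	// from WithExperimental here.
	_ = ctx.WithExperimental(func(cfg *experimental.Config) error {
		if cfg.WebApp != nil && cfg.WebApp.CertmanagerNamespaceOverride != "" {
			caCertificateNamespace = cfg.WebApp.CertmanagerNamespaceOverride
		}
		return nil
	})

	objects := []runtime.Object{
		// Define a self-signed issuer so we can generate a CA.
		&v1.ClusterIssuer{
			TypeMeta: common.TypeMetaCertificateClusterIssuer,
			ObjectMeta: metav1.ObjectMeta{
				Name:   issuerName,
				Labels: common.DefaultLabels(Component),
			},
			Spec: v1.IssuerSpec{IssuerConfig: v1.IssuerConfig{
				SelfSigned: &v1.SelfSignedIssuer{},
			}},
		},
		// Generate the root CA. Its private key is ECDSA P-256 and it is only
		// permitted to sign certificates and CRLs.
		&v1.Certificate{
			TypeMeta: common.TypeMetaCertificate,
			ObjectMeta: metav1.ObjectMeta{
				Name:      "gitpod-trust-anchor",
				Namespace: caCertificateNamespace,
				Labels:    common.DefaultLabels(Component),
			},
			Spec: v1.CertificateSpec{
				IsCA:       true,
				Duration:   &metav1.Duration{Duration: rootCADuration},
				CommonName: "root.gitpod.cluster.local",
				SecretName: secretCAName,
				PrivateKey: &v1.CertificatePrivateKey{
					Algorithm: v1.ECDSAKeyAlgorithm,
					Size:      256,
				},
				IssuerRef: cmmeta.ObjectReference{
					Name:  issuerName,
					Kind:  v1.ClusterIssuerKind,
					Group: "cert-manager.io",
				},
				SecretTemplate: &v1.CertificateSecretTemplate{
					Labels: common.DefaultLabels(Component),
				},
				Usages: []v1.KeyUsage{
					v1.UsageCertSign,
					v1.UsageCRLSign,
				},
			},
		},
		// Set the CA to our issuer: a ClusterIssuer that signs with the root's
		// key material from secretCAName.
		&v1.ClusterIssuer{
			TypeMeta: common.TypeMetaCertificateClusterIssuer,
			ObjectMeta: metav1.ObjectMeta{
				Name:   common.CertManagerCAIssuer,
				Labels: common.DefaultLabels(Component),
			},
			Spec: v1.IssuerSpec{
				IssuerConfig: v1.IssuerConfig{
					CA: &v1.CAIssuer{SecretName: secretCAName},
				},
			},
		},
		// Generate the intermediate CA in the Gitpod namespace. It shares its
		// name with the CA ClusterIssuer that signs it, and in addition to the
		// CA usages it carries serverAuth and clientAuth.
		&v1.Certificate{
			TypeMeta: common.TypeMetaCertificate,
			ObjectMeta: metav1.ObjectMeta{
				Name:      common.CertManagerCAIssuer,
				Namespace: ctx.Namespace,
				Labels:    common.DefaultLabels(Component),
			},
			Spec: v1.CertificateSpec{
				IsCA:       true,
				Duration:   &metav1.Duration{Duration: intermediateCADuration},
				CommonName: "ca.gitpod.cluster.local",
				SecretName: secretCAName + "-intermediate",
				PrivateKey: &v1.CertificatePrivateKey{
					Algorithm: v1.ECDSAKeyAlgorithm,
					Size:      256,
				},
				IssuerRef: cmmeta.ObjectReference{
					Name:  common.CertManagerCAIssuer,
					Kind:  v1.ClusterIssuerKind,
					Group: "cert-manager.io",
				},
				SecretTemplate: &v1.CertificateSecretTemplate{
					Labels: common.DefaultLabels(Component),
				},
				Usages: []v1.KeyUsage{
					v1.UsageCertSign,
					v1.UsageCRLSign,
					v1.UsageServerAuth,
					v1.UsageClientAuth,
				},
			},
		},
		// Trust bundle: default CAs + Gitpod root (+ custom CA when set),
		// written to the "ca-certificates.crt" key of the target ConfigMap.
		// NOTE(review): the Bundles below carry no DefaultLabels, unlike the
		// cert-manager objects above — confirm whether the installer relies on
		// labels to track the objects it owns.
		&trust.Bundle{
			TypeMeta: common.TypeMetaBundle,
			ObjectMeta: metav1.ObjectMeta{
				Name: "gitpod-ca-bundle",
			},
			Spec: trust.BundleSpec{
				Sources: gitpodCaBundleSources,
				Target: trust.BundleTarget{
					ConfigMap: &trust.KeySelector{
						Key: "ca-certificates.crt",
					},
				},
			},
		},
		// Single Gitpod bundle (used by registry-facade): only the Gitpod root,
		// with no system CAs mixed in.
		&trust.Bundle{
			TypeMeta: common.TypeMetaBundle,
			ObjectMeta: metav1.ObjectMeta{
				Name: "gitpod-ca",
			},
			Spec: trust.BundleSpec{
				Sources: []trust.BundleSource{
					caCertSecretSource(secretCAName),
				},
				Target: trust.BundleTarget{
					ConfigMap: &trust.KeySelector{
						Key: "gitpod-ca.crt",
					},
				},
			},
		},
	}

	if ctx.Config.CustomCACert != nil {
		objects = append(objects,
			// Trust bundle for custom SSL certificates: only the operator's CA.
			&trust.Bundle{
				TypeMeta: common.TypeMetaBundle,
				ObjectMeta: metav1.ObjectMeta{
					Name: "gitpod-customer-certificate-bundle",
				},
				Spec: trust.BundleSpec{
					Sources: gitpodCustomCertificateBundleSource,
					Target: trust.BundleTarget{
						ConfigMap: &trust.KeySelector{
							Key: "ca-certificates.crt",
						},
					},
				},
			})
	}

	return objects, nil
}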