Enable intermediate certificates with cert-manager

Signed-off-by: James Sturtevant <[email protected]>
kubernetes-sigs · Mar 14, 2024 · 55b69e4 · 55b69e4
1 parent 0feba32
commit 55b69e4
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 8 deletions.
diff --git a/admission-webhook/integration_tests/integration_test.go b/admission-webhook/integration_tests/integration_test.go
@@ -443,10 +443,6 @@ func TestPossibleToUpdatePodWithNewCert(t *testing.T) {
 		t.Skip("Non chart deployment method not supported")
 	}
 
-	//give a few mins to settle rotation
-	// TODO why is this needed?!
-	time.Sleep(120 * time.Second)
-
 	testName2 := testName + "after-rotation"
 	testConfig2, tearDownFunc2 := integrationTestSetup(t, testName2, credSpecTemplates, templates)
 	defer tearDownFunc2()

diff --git a/charts/gmsa/templates/issuer.yaml b/charts/gmsa/templates/issuer.yaml
@@ -16,7 +16,6 @@ spec:
   {{- if .Values.certificates.certReload.enabled }}
   privateKey:
     rotationPolicy: Always
-  isCA: true
   {{- end }}
 ---
 {{ template "cert-manager.apiversion" . }}
@@ -25,6 +24,29 @@ metadata:
   name: {{ .Release.Name }}
   namespace: {{ .Release.Namespace }}
   labels: {{ include "gmsa.chartref" . | nindent 4 }}
+spec:
+  ca:
+    secretName: {{ .Release.Name }}-root-ca
+---
+{{ template "cert-manager.apiversion" . }}
+kind: ClusterIssuer
+metadata:
+  name: {{ .Release.Name }}-ca
 spec:
   selfSigned: {}
-{{- end -}}
+---
+{{ template "cert-manager.apiversion" . }}
+kind: Certificate
+metadata:
+  name: {{ .Release.Name }}-ca
+  namespace: {{ .Release.Namespace }}
+spec:
+  isCA: true
+  commonName: {{ .Release.Name }}-ca
+  secretName: {{ .Release.Name }}-root-ca
+  issuerRef:
+    name: {{ .Release.Name }}-ca
+    kind: ClusterIssuer
+    group: cert-manager.io
+---
+{{- end -}}
diff --git a/charts/gmsa/templates/mutatingwebhook.yaml b/charts/gmsa/templates/mutatingwebhook.yaml
@@ -4,7 +4,7 @@ metadata:
   name: {{ .Release.Name }}
   {{- if .Values.certificates.certManager.enabled }}
   annotations:
-    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ .Release.Name }}
+    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ .Release.Name }}-ca
   {{- end }}
   labels: {{ include "gmsa.chartref" . | nindent 4 }}
 webhooks:

diff --git a/charts/gmsa/templates/validatingwebhook.yaml b/charts/gmsa/templates/validatingwebhook.yaml
@@ -4,7 +4,7 @@ metadata:
   name: {{ .Release.Name }}
   {{- if .Values.certificates.certManager.enabled }}
   annotations:
-    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ .Release.Name }}
+    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ .Release.Name }}-ca
   {{- end }}
   labels: {{ include "gmsa.chartref" . | nindent 4 }}
 webhooks: