From 87039752a9ff9f6d62f2ed47d8ed20dfac2a1966 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20R=C5=AF=C5=BEi=C4=8Dka?=
Date: Fri, 6 Jan 2023 22:37:45 +0100
Subject: [PATCH] feat(helm): Ask cert-manager for EC keys by default

---
 charts/ingress-nginx/README.md | 2 ++
 .../templates/admission-webhooks/cert-manager.yaml | 6 ++++++
 charts/ingress-nginx/values.yaml | 11 +++++++++++
 3 files changed, 19 insertions(+)

diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md
index 17547912d..241fbe69c 100644
--- a/charts/ingress-nginx/README.md
+++ b/charts/ingress-nginx/README.md
@@ -237,8 +237,10 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | controller.addHeaders | object | `{}` | Will add custom headers before sending response traffic to the client according to: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#add-headers |
 | controller.admissionWebhooks.annotations | object | `{}` | |
 | controller.admissionWebhooks.certManager.admissionCert.duration | string | `""` | |
+| controller.admissionWebhooks.certManager.admissionCert.extraConfig | object | `{"privateKey":{"algorithm":"ECDSA","size":256}}` | Extra configuration for the admission webhook certificate. Can contain anything a cert-manager's [`CertificateSpec`](https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec) can. |
 | controller.admissionWebhooks.certManager.enabled | bool | `false` | |
 | controller.admissionWebhooks.certManager.rootCert.duration | string | `""` | |
+| controller.admissionWebhooks.certManager.rootCert.extraConfig | object | `{"privateKey":{"algorithm":"ECDSA","size":256}}` | Extra configuration for the admission webhook CA certificate. Can contain anything a cert-manager's [`CertificateSpec`](https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec) can. |
 | controller.admissionWebhooks.certificate | string | `"/usr/local/certificates/cert"` | |
 | controller.admissionWebhooks.createSecretJob.resources | object | `{}` | |
 | controller.admissionWebhooks.createSecretJob.securityContext.allowPrivilegeEscalation | bool | `false` | |
diff --git a/charts/ingress-nginx/templates/admission-webhooks/cert-manager.yaml b/charts/ingress-nginx/templates/admission-webhooks/cert-manager.yaml
index 55fab471c..6e8946454 100644
--- a/charts/ingress-nginx/templates/admission-webhooks/cert-manager.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/cert-manager.yaml
@@ -26,6 +26,9 @@ spec:
 subject:
 organizations:
 - ingress-nginx
+ {{- with .Values.controller.admissionWebhooks.certManager.rootCert.extraConfig }}
+ {{- toYaml . | nindent 2 }}
+ {{- end }}
 ---
 # Create an Issuer that uses the above generated CA certificate to issue certs
 apiVersion: cert-manager.io/v1
@@ -60,4 +63,7 @@ spec:
 subject:
 organizations:
 - ingress-nginx-admission
+ {{- with .Values.controller.admissionWebhooks.certManager.admissionCert.extraConfig }}
+ {{- toYaml . | nindent 2 }}
+ {{- end }}
 {{- end -}}
diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml
index 1cd74dad0..4df2f6311 100644
--- a/charts/ingress-nginx/values.yaml
+++ b/charts/ingress-nginx/values.yaml
@@ -639,12 +639,23 @@ controller:
 rootCert:
 # default to be 5y
 duration: ""
+ # -- Extra configuration for the admission webhook CA certificate. Can contain anything a cert-manager's [`CertificateSpec`](https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec) can.
+ extraConfig:
+ privateKey:
+ algorithm: ECDSA
+ size: 256
+
 admissionCert:
 # default to be 1y
 duration: ""
 # issuerRef:
 # name: "issuer"
 # kind: "ClusterIssuer"
+ # -- Extra configuration for the admission webhook certificate. Can contain anything a cert-manager's [`CertificateSpec`](https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec) can.
+ extraConfig:
+ privateKey:
+ algorithm: ECDSA
+ size: 256
 metrics:
 port: 10254
 portName: metrics
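Review bot: The added `{{- toYaml . | nindent 2 }}` splices `rootCert.extraConfig` straight under `spec:` with no guard against keys the template already renders, so a user who puts `subject` (visible in this hunk) or, presumably, `duration`/`issuerRef` (values the chart already carries) into `extraConfig` produces a duplicate mapping key in the rendered Certificate, which Helm's YAML parser rejects and other loaders resolve last-wins. The second hunk of this file does the same for `admissionCert.extraConfig`. Since the value is advertised as accepting anything a CertificateSpec can, the template should carry a comment naming the chart-owned keys, e.g. `{{/* extraConfig is merged verbatim into spec; keys the chart sets (subject, duration, issuerRef, ...) must not be repeated here */}}`. The enclosing `spec:` mapping begins above the hunk, so the full set of chart-rendered keys is not visible from here.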
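Review bot: The new non-empty default for `extraConfig` in the values.yaml hunk cannot be cleared by a user setting `extraConfig: {}`, because Helm deep-merges maps and keeps the chart's `privateKey` block; only `extraConfig: null` (or `privateKey: null`) falls back to cert-manager's default key type, and the `# --` description for both `rootCert.extraConfig` and `admissionCert.extraConfig` should say so, e.g. append `Set to null to keep cert-manager's default key type.`. The description should also flag that this is a change of default for existing releases: after upgrade both `Certificate` specs request an ECDSA key instead of cert-manager's default, and whether cert-manager re-issues the CA and the admission certificate on that spec change (and the webhook's injected CA bundle follows) depends on its key-matching and rotation-policy handling, which I cannot confirm from this hunk. The `rootCert`/`admissionCert` blocks belong to `controller.admissionWebhooks.certManager`, whose start lies above the hunk.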