From 09b5af74de4af9b0e21d903caf2e7beee562f271 Mon Sep 17 00:00:00 2001
From: Markus Lehtonen
Date: Wed, 3 Jan 2024 21:13:15 +0200
Subject: [PATCH] deployment/kustomize: drop the sample cert-manager overlay

Drop the deprecated and broken sample overlay. This was an example for enabling TLS with cert-manager. However, the overlay has been broken (and useless) since NodeFeature API was enabled by default - and gRPC disabled - in v0.14.
---
.../overlays/samples/cert-manager/args.yaml | 9 ----
.../overlays/samples/cert-manager/issuer.yaml | 41 -------------------
.../samples/cert-manager/kustomization.yaml | 32 ---------------
.../samples/cert-manager/master-cert.yaml | 19 ---------
.../samples/cert-manager/master-mounts.yaml | 13 ------
.../overlays/samples/cert-manager/probes.yaml | 26 ------------
.../samples/cert-manager/worker-mounts.yaml | 13 ------
.../samples/cert-manager/workers-cert.yaml | 17 --------
docs/deployment/tls.md | 13 +----
9 files changed, 2 insertions(+), 181 deletions(-)
delete mode 100644 deployment/overlays/samples/cert-manager/args.yaml
delete mode 100644 deployment/overlays/samples/cert-manager/issuer.yaml
delete mode 100644 deployment/overlays/samples/cert-manager/kustomization.yaml
delete mode 100644 deployment/overlays/samples/cert-manager/master-cert.yaml
delete mode 100644 deployment/overlays/samples/cert-manager/master-mounts.yaml
delete mode 100644 deployment/overlays/samples/cert-manager/probes.yaml
delete mode 100644 deployment/overlays/samples/cert-manager/worker-mounts.yaml
delete mode 100644 deployment/overlays/samples/cert-manager/workers-cert.yaml
diff --git a/deployment/overlays/samples/cert-manager/args.yaml b/deployment/overlays/samples/cert-manager/args.yaml
deleted file mode 100644
index 8da84e9c2e..0000000000
--- a/deployment/overlays/samples/cert-manager/args.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-- op: add
- path: /spec/template/spec/containers/0/args/-
- value: "-ca-file=/etc/kubernetes/node-feature-discovery/certs/ca.crt"
-- op: add
- path: /spec/template/spec/containers/0/args/-
- value: "-key-file=/etc/kubernetes/node-feature-discovery/certs/tls.key"
-- op: add
- path: /spec/template/spec/containers/0/args/-
- value: "-cert-file=/etc/kubernetes/node-feature-discovery/certs/tls.crt"
diff --git a/deployment/overlays/samples/cert-manager/issuer.yaml b/deployment/overlays/samples/cert-manager/issuer.yaml
deleted file mode 100644
index 013c67d387..0000000000
--- a/deployment/overlays/samples/cert-manager/issuer.yaml
+++ /dev/null
@@ -1,41 +0,0 @@
-# See https://cert-manager.io/docs/configuration/selfsigned/#bootstrapping-ca-issuers
-# - Create a self signed issuer
-# - Use this to create a CA cert
-# - Use this to now create a CA issuer
----
-apiVersion: cert-manager.io/v1
-kind: Issuer
-metadata:
- name: nfd-ca-bootstrap
- namespace: node-feature-discovery
-spec:
- selfSigned: {}
-
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
- name: nfd-ca-cert
- namespace: node-feature-discovery
-spec:
- isCA: true
- secretName: nfd-ca-cert
- subject:
- organizations:
- - node-feature-discovery
- commonName: nfd-ca-cert
- issuerRef:
- name: nfd-ca-bootstrap
- kind: Issuer
- group: cert-manager.io
-
----
-apiVersion: cert-manager.io/v1
-kind: Issuer
-metadata:
- name: nfd-ca-issuer
- namespace: node-feature-discovery
-spec:
- ca:
- secretName: nfd-ca-cert
-
diff --git a/deployment/overlays/samples/cert-manager/kustomization.yaml b/deployment/overlays/samples/cert-manager/kustomization.yaml
deleted file mode 100644
index 0a17efa4d2..0000000000
--- a/deployment/overlays/samples/cert-manager/kustomization.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-namespace: node-feature-discovery
-
-resources:
-- ../../default
-- issuer.yaml
-- master-cert.yaml
-- workers-cert.yaml
-
-generatorOptions:
- disableNameSuffixHash: true
-
-patches:
-- path: args.yaml
- target:
- labelSelector: app=nfd
- name: nfd.*
-- path: master-mounts.yaml
- target:
- labelSelector: app=nfd
- name: nfd-master
-- path: worker-mounts.yaml
- target:
- labelSelector: app=nfd
- name: nfd-worker
-- path: probes.yaml
- target:
- labelSelector: app=nfd
- name: nfd-master
-
diff --git a/deployment/overlays/samples/cert-manager/master-cert.yaml b/deployment/overlays/samples/cert-manager/master-cert.yaml
deleted file mode 100644
index 6ad32d46d9..0000000000
--- a/deployment/overlays/samples/cert-manager/master-cert.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
- name: nfd-master-cert
- namespace: node-feature-discovery
-spec:
- secretName: nfd-master-cert
- subject:
- organizations:
- - node-feature-discovery
- commonName: nfd-master
- dnsNames:
- - nfd-master.node-feature-discovery.svc
- - nfd-master.node-feature-discovery.svc.cluster.local
- - nfd-master
- issuerRef:
- name: nfd-ca-issuer
- kind: Issuer
- group: cert-manager.io
diff --git a/deployment/overlays/samples/cert-manager/master-mounts.yaml b/deployment/overlays/samples/cert-manager/master-mounts.yaml
deleted file mode 100644
index 9533e962fb..0000000000
--- a/deployment/overlays/samples/cert-manager/master-mounts.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-- op: add
- path: /spec/template/spec/volumes/-
- value:
- name: nfd-master-cert
- secret:
- secretName: nfd-master-cert
-
-- op: add
- path: /spec/template/spec/containers/0/volumeMounts/-
- value:
- name: nfd-master-cert
- mountPath: /etc/kubernetes/node-feature-discovery/certs
- readOnly: true
diff --git a/deployment/overlays/samples/cert-manager/probes.yaml b/deployment/overlays/samples/cert-manager/probes.yaml
deleted file mode 100644
index 30c4854997..0000000000
--- a/deployment/overlays/samples/cert-manager/probes.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-- op: add
- path: /spec/template/spec/containers/0/livenessProbe/exec/command/-
- value: "-tls"
-- op: add
- path: /spec/template/spec/containers/0/livenessProbe/exec/command/-
- value: "-tls-ca-cert=/etc/kubernetes/node-feature-discovery/certs/ca.crt"
-- op: add
- path: /spec/template/spec/containers/0/livenessProbe/exec/command/-
- value: "-tls-client-key=/etc/kubernetes/node-feature-discovery/certs/tls.key"
-- op: add
- path: /spec/template/spec/containers/0/livenessProbe/exec/command/-
- value: "-tls-client-cert=/etc/kubernetes/node-feature-discovery/certs/tls.crt"
-
-- op: add
- path: /spec/template/spec/containers/0/readinessProbe/exec/command/-
- value: "-tls"
-- op: add
- path: /spec/template/spec/containers/0/readinessProbe/exec/command/-
- value: "-tls-ca-cert=/etc/kubernetes/node-feature-discovery/certs/ca.crt"
-- op: add
- path: /spec/template/spec/containers/0/readinessProbe/exec/command/-
- value: "-tls-client-key=/etc/kubernetes/node-feature-discovery/certs/tls.key"
-- op: add
- path: /spec/template/spec/containers/0/readinessProbe/exec/command/-
- value: "-tls-client-cert=/etc/kubernetes/node-feature-discovery/certs/tls.crt"
-
diff --git a/deployment/overlays/samples/cert-manager/worker-mounts.yaml b/deployment/overlays/samples/cert-manager/worker-mounts.yaml
deleted file mode 100644
index 1c513a253a..0000000000
--- a/deployment/overlays/samples/cert-manager/worker-mounts.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-- op: add
- path: /spec/template/spec/volumes/-
- value:
- name: nfd-worker-cert
- secret:
- secretName: nfd-worker-cert
-
-- op: add
- path: /spec/template/spec/containers/0/volumeMounts/-
- value:
- name: nfd-worker-cert
- mountPath: /etc/kubernetes/node-feature-discovery/certs
- readOnly: true
diff --git a/deployment/overlays/samples/cert-manager/workers-cert.yaml b/deployment/overlays/samples/cert-manager/workers-cert.yaml
deleted file mode 100644
index 2d6788fe81..0000000000
--- a/deployment/overlays/samples/cert-manager/workers-cert.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
- name: nfd-workers-cert
- namespace: node-feature-discovery
-spec:
- secretName: nfd-worker-cert
- subject:
- organizations:
- - node-feature-discovery
- commonName: nfd-worker
- dnsNames:
- - nfd-worker.node-feature-discovery.svc.cluster.local
- issuerRef:
- name: nfd-ca-issuer
- kind: Issuer
- group: cert-manager.io
diff --git a/docs/deployment/tls.md b/docs/deployment/tls.md
index fb5bfe821b..4de3440a7d 100644
--- a/docs/deployment/tls.md
+++ b/docs/deployment/tls.md
@@ -36,9 +36,7 @@ the nfd-worker has been signed by the specified root certificate (-ca-file).
Additional hardening can be enabled by specifying `-verify-node-name` in nfd-master args, in which case nfd-master verifies that the NodeName presented by nfd-worker matches the Common Name (CN) or a Subject Alternative Name (SAN)
-of its certificate. Note that `-verify-node-name` complicates certificate
-management and is not yet supported in the helm or kustomize deployment
-methods.
+of its certificate.
## Automated TLS certificate management using cert-manager
@@ -58,14 +56,7 @@ kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/
Alternatively, you can refer to cert-manager documentation for other installation methods such as the Helm chart they provide.
-To use the kustomize overlay to install node-feature-discovery with TLS enabled,
-you may use the following:
-
-```bash
-kubectl apply -k deployment/overlays/samples/cert-manager
-```
-
-To make use of the helm chart, override `values.yaml` to enable both the
+When using the Helm chart to deploy NFD, override `values.yaml` to enable both the
`tls.enabled` and `tls.certManager` options. Note that if you do not enable `tls.certManager`, helm will successfully install the application, but deployment will wait until certificates are manually created, as demonstrated