From b7eb1cf9364d71c889ddffe83c2ff208dfd5d890 Mon Sep 17 00:00:00 2001
From: Antoine Gatineau <43171889+infra-monkey@users.noreply.github.com>
Date: Fri, 5 Nov 2021 17:43:52 +0100
Subject: [PATCH] cert-manager: add trusted internal ca when configured (#8135)

* cert-manager: add trusted internal ca when configured

* wrong check for inventory variable

* Update documentation
---
 docs/cert_manager.md                          | 14 ++++++++++++
 .../sample/group_vars/k8s_cluster/addons.yml  |  4 ++++
 .../templates/cert-manager.yml.j2             | 22 +++++++++++++++++++
 3 files changed, 40 insertions(+)

diff --git a/docs/cert_manager.md b/docs/cert_manager.md
index 34378a56a..4ed28afc2 100644
--- a/docs/cert_manager.md
+++ b/docs/cert_manager.md
@@ -88,6 +88,20 @@ Certificates issued by public ACME servers are typically trusted by client’s c
   - [DNS01 Challenges](https://cert-manager.io/v1.5-docs/configuration/acme/dns01/)
 - [ACME FAQ](https://cert-manager.io/v1.5-docs/faq/acme/)
 
+#### ACME With An Internal Certificate Authority
+
+The ACME Issuer with an internal certificate authority requires cert-manager to trust the certificate authority. This trust must be done at the cert-manager deployment level.
+To add a trusted certificate authority to cert-manager, add it's certificate to `group_vars/k8s-cluster/addons.yml`:
+
+```yaml
+cert_manager_trusted_internal_ca: |
+  -----BEGIN CERTIFICATE-----
+  [REPLACE with your CA certificate]
+  -----END CERTIFICATE-----
+```
+
+Once the CA is trusted, you can define your issuer normally.
+
 ### Create New TLS Root CA Certificate and Key
 
 #### Install Cloudflare PKI/TLS `cfssl` Toolkit
diff --git a/inventory/sample/group_vars/k8s_cluster/addons.yml b/inventory/sample/group_vars/k8s_cluster/addons.yml
index 5f5e37f44..2e077dd80 100644
--- a/inventory/sample/group_vars/k8s_cluster/addons.yml
+++ b/inventory/sample/group_vars/k8s_cluster/addons.yml
@@ -129,6 +129,10 @@ ingress_alb_enabled: false
 # Cert manager deployment
 cert_manager_enabled: false
 # cert_manager_namespace: "cert-manager"
+# cert_manager_trusted_internal_ca: |
+#   -----BEGIN CERTIFICATE-----
+#   [REPLACE with your CA certificate]
+#   -----END CERTIFICATE-----
 
 # MetalLB deployment
 metallb_enabled: false
diff --git a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.yml.j2 b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.yml.j2
index 200ab2680..3f51b19ad 100644
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.yml.j2
@@ -875,6 +875,17 @@ spec:
           resources:
             {}
 ---
+{% if cert_manager_trusted_internal_ca is defined %}
+apiVersion: v1
+data:
+  internal-ca.pem: |
+    {{ cert_manager_trusted_internal_ca | indent(width=4, indentfirst=False) }}
+kind: ConfigMap
+metadata:
+  name: ca-internal-truststore
+  namespace: {{ cert_manager_namespace }}
+---
+{% endif %}
 # Source: cert-manager/templates/deployment.yaml
 apiVersion: apps/v1
 kind: Deployment
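Review bot: The `indentfirst=False` keyword in the ConfigMap's `indent` filter is the deprecated spelling (Jinja2 2.10 renamed it to `first`, and Jinja2 3.x rejects `indentfirst`), so this line can fail to render on newer Ansible/Jinja installs; since `first` already defaults to false, `{{ cert_manager_trusted_internal_ca | indent(width=4) }}` is equivalent and portable. The `is defined` guard also lets an inventory that sets the variable to an empty string render a ConfigMap with an empty `internal-ca.pem`, which the controller would then silently mount as a trust anchor file with no certificates; if that case matters, extend the guard to `{% if cert_manager_trusted_internal_ca is defined and cert_manager_trusted_internal_ca | length > 0 %}` (the same condition is used in the second hunk). A short template comment above the block, e.g. `{# Optional CA bundle the cert-manager controller must trust (e.g. an internal ACME server); see docs/cert_manager.md #}`, would tell the next reader why a ConfigMap sits between the manifests here.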
@@ -928,6 +939,17 @@ spec:
                 fieldPath: metadata.namespace
           resources:
             {}
+{% if cert_manager_trusted_internal_ca is defined %}
+          volumeMounts:
+          - mountPath: /etc/ssl/certs/internal-ca.pem
+            name: ca-internal-truststore
+            subPath: internal-ca.pem
+        volumes:
+        - configMap:
+            defaultMode: 420
+            name: ca-internal-truststore
+          name: ca-internal-truststore
+{% endif %}
 ---
 # Source: cert-manager/templates/webhook-deployment.yaml
 apiVersion: apps/v1
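Review bot: Mounting the CA through `subPath: internal-ca.pem` means the kubelet will not propagate later updates to the `ca-internal-truststore` ConfigMap into the running container, so rotating `cert_manager_trusted_internal_ca` requires a rollout restart of the cert-manager Deployment rather than just re-running the playbook; this deserves a comment next to the mount, e.g. `# subPath mounts are not refreshed on ConfigMap change: restart the Deployment after rotating the CA`, and a sentence in docs/cert_manager.md. Only this Deployment receives the volume; the webhook Deployment that follows (`# Source: cert-manager/templates/webhook-deployment.yaml`) is left untouched, which is presumably intended since ACME traffic originates from the controller, but worth confirming. `defaultMode: 420` (0644) is appropriate here because the file holds only a public CA certificate, not key material. The enclosing container and pod `spec:` start outside the hunk.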
-- 
GitLab