Eventing TLS: Create Cert-Manager resources

[pierDipi]

As the Eventing TLS feature track describes we should provision a few TLS certificates using Cert Manager like the following:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: <component-prefix>-server-tls
  namespace: knative-eventing
spec:
  # Secret names are always required.
  secretName: <component-prefix>-server-tls

  secretTemplate:
    labels:
      app.kubernetes.io/component: <component-name>
      app.kubernetes.io/name: knative-eventing

  duration: 2160h # 90d
  renewBefore: 360h # 15d
  subject:
    organizations:
      - local
  isCA: false
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 2048

  usages:
    - <component> server TLS

  dnsNames:
    - <component-dns-name_based_on_service_definition>

  issuerRef:
    name: selfsigned-issuer
    kind: Issuer
    group: cert-manager.io

for each component:

• mt-broker-ingress (service definition)
• mt-broker-filter (service definition)
• imc-dispatcher (service definition)

Each certificate should be connected to a self-signed issuer:

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: selfsigned-issuer
  namespace: knative-eventing
spec:
  selfSigned: {}

The Certificate resources and the Issuer should then be bundled in a eventing-tls-networking.yaml artifact during the release

Additional Info

• https://docs.google.com/document/d/1H-x_oji8LqkCyd7tlsSyclmUe7FAmEJPgRxOU_0pkn8/edit?resourcekey=0-lzDIPJsZOP3G17QE_g1lHw#
• Related to Eventing TLS: Install Cert Manager as part of the test setup phase #6835

/good-first-issue
/kind feature

[knative-prow]

@pierDipi: The label(s) kind/feature cannot be applied, because the repository doesn't have them.

Details

In response to this:

As the Eventing TLS feature track describes we should provision a few TLS certificates using Cert Manager like the following:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
 name: <component-prefix>-server-tls
 namespace: knative-eventing
spec:
 # Secret names are always required.
 secretName: <component-prefix>-server-tls

 secretTemplate:
   labels:
     app.kubernetes.io/component: <component-name>
     app.kubernetes.io/name: knative-eventing

 duration: 2160h # 90d
 renewBefore: 360h # 15d
 subject:
   organizations:
     - local
 isCA: false
 privateKey:
   algorithm: RSA
   encoding: PKCS1
   size: 2048

 usages:
   - <component> server TLS

 dnsNames:
   - <component-dns-name_based_on_service_definition>

 issuerRef:
   name: selfsigned-issuer
   kind: Issuer
   group: cert-manager.io

for each component:

• mt-broker-ingress (service definition)
• mt-broker-filter (service definition)
• imc-dispatcher (service definition)

Each certificate should be connected to a self-signed issuer:

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
 name: selfsigned-issuer
 namespace: knative-eventing
spec:
 selfSigned: {}

The Certificate resources and the Issuer should then be bundled in a eventing-tls-networking.yaml artifact during the release

Additional Info

• https://docs.google.com/document/d/1H-x_oji8LqkCyd7tlsSyclmUe7FAmEJPgRxOU_0pkn8/edit?resourcekey=0-lzDIPJsZOP3G17QE_g1lHw#

/good-first-issue
/kind feature

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[knative-prow]

@pierDipi:
This request has been marked as suitable for new contributors.

Please ensure the request meets the requirements listed here.

If this request no longer meets these requirements, the label can be removed
by commenting with the /remove-good-first-issue command.

Details

In response to this:

As the Eventing TLS feature track describes we should provision a few TLS certificates using Cert Manager like the following:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
 name: <component-prefix>-server-tls
 namespace: knative-eventing
spec:
 # Secret names are always required.
 secretName: <component-prefix>-server-tls

 secretTemplate:
   labels:
     app.kubernetes.io/component: <component-name>
     app.kubernetes.io/name: knative-eventing

 duration: 2160h # 90d
 renewBefore: 360h # 15d
 subject:
   organizations:
     - local
 isCA: false
 privateKey:
   algorithm: RSA
   encoding: PKCS1
   size: 2048

 usages:
   - <component> server TLS

 dnsNames:
   - <component-dns-name_based_on_service_definition>

 issuerRef:
   name: selfsigned-issuer
   kind: Issuer
   group: cert-manager.io

for each component:

• mt-broker-ingress (service definition)
• mt-broker-filter (service definition)
• imc-dispatcher (service definition)

Each certificate should be connected to a self-signed issuer:

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
 name: selfsigned-issuer
 namespace: knative-eventing
spec:
 selfSigned: {}

The Certificate resources and the Issuer should then be bundled in a eventing-tls-networking.yaml artifact during the release

Additional Info

• https://docs.google.com/document/d/1H-x_oji8LqkCyd7tlsSyclmUe7FAmEJPgRxOU_0pkn8/edit?resourcekey=0-lzDIPJsZOP3G17QE_g1lHw#

/good-first-issue
/kind feature

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[Rahul-Kumar-prog]

/assign

[pierDipi]

just one note on this issue, this issue is blocked by #6835 since we need to create the Cert-Manager setup (in #6835) and after that we can use Cert-Manager resources (in this issue)

[Rahul-Kumar-prog]

So should I make a PR or I have to wait for these issue get fixed first ?

[pierDipi]

Ideally, we have that issue solved first to test that the Cert-Manager manifests are working

[Rahul-Kumar-prog]

I have done that changes that describe in the issue. should I create a pull-request?

[pierDipi]

Did you test it using cert-manager?
It's fine to open a PR if you can show in the PR description that after applying the new manifests cert-manager creates the TLS secrets we expect