First commit

certificates.yml

@@ -0,0 +1,202 @@
+# cert-manager configuration for Gravitee APIM
+# Self-signed CA + namespace-scoped Issuer
+#
+# To switch to HashiCorp Vault later:
+#   1. Replace `gravitee-ca-issuer` (Issuer kind: CA) with a Vault Issuer:
+#        apiVersion: cert-manager.io/v1
+#        kind: Issuer
+#        metadata: {name: gravitee-ca-issuer, namespace: gravitee-apim}
+#        spec:
+#          vault:
+#            server: https://vault.sttlab.pc:8200
+#            path: pki/sign/gravitee
+#            auth: { kubernetes: { ... } }
+#   2. Keep the Certificate resources below unchanged - they reference
+#      `gravitee-ca-issuer` by name, so the swap is transparent.
+---
+# Step 1: bootstrap a self-signed Issuer (only used to sign the CA cert)
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: gravitee-selfsigned-bootstrap
+  namespace: gravitee-apim
+spec:
+  selfSigned: {}
+---
+# Step 2: create a CA certificate signed by the bootstrap issuer
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: gravitee-ca
+  namespace: gravitee-apim
+spec:
+  isCA: true
+  commonName: gravitee-ca.sttlab.pc
+  secretName: gravitee-ca-tls
+  duration: 87600h        # 10 years
+  privateKey:
+    algorithm: RSA
+    size: 4096
+  issuerRef:
+    name: gravitee-selfsigned-bootstrap
+    kind: Issuer
+    group: cert-manager.io
+---
+# Step 3: the actual CA Issuer used by all Gravitee certs
+# This is the resource to replace when integrating Vault PKI later
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: gravitee-ca-issuer
+  namespace: gravitee-apim
+spec:
+  ca:
+    secretName: gravitee-ca-tls
+---
+# ----------------------------
+# Ingress certificates (one per public host)
+# ----------------------------
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: console-tls
+  namespace: gravitee-apim
+spec:
+  secretName: console-tls
+  dnsNames:
+    - console.gravitee.sttlab.pc
+  issuerRef:
+    name: gravitee-ca-issuer
+    kind: Issuer
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: portal-tls
+  namespace: gravitee-apim
+spec:
+  secretName: portal-tls
+  dnsNames:
+    - portal.gravitee.sttlab.pc
+  issuerRef:
+    name: gravitee-ca-issuer
+    kind: Issuer
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: api-tls
+  namespace: gravitee-apim
+spec:
+  secretName: api-tls
+  dnsNames:
+    - api.gravitee.sttlab.pc
+  issuerRef:
+    name: gravitee-ca-issuer
+    kind: Issuer
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: gateway-tls
+  namespace: gravitee-apim
+spec:
+  secretName: gateway-tls
+  dnsNames:
+    - gateway.gravitee.sttlab.pc
+  issuerRef:
+    name: gravitee-ca-issuer
+    kind: Issuer
+---
+# ----------------------------
+# Internal TLS server certs (cluster.local hostnames)
+# ----------------------------
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: mongodb-tls
+  namespace: gravitee-apim
+spec:
+  secretName: mongodb-tls
+  commonName: mongodb.gravitee-apim.svc.cluster.local
+  dnsNames:
+    - mongodb
+    - mongodb.gravitee-apim
+    - mongodb.gravitee-apim.svc
+    - mongodb.gravitee-apim.svc.cluster.local
+    - mongodb-0.mongodb-headless.gravitee-apim.svc.cluster.local
+  issuerRef:
+    name: gravitee-ca-issuer
+    kind: Issuer
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: elasticsearch-tls
+  namespace: gravitee-apim
+spec:
+  secretName: elasticsearch-tls
+  commonName: gravitee-es-master.gravitee-apim.svc.cluster.local
+  dnsNames:
+    - gravitee-es-master
+    - gravitee-es-master.gravitee-apim
+    - gravitee-es-master.gravitee-apim.svc
+    - gravitee-es-master.gravitee-apim.svc.cluster.local
+  issuerRef:
+    name: gravitee-ca-issuer
+    kind: Issuer
+  keystores:
+    jks:
+      create: true
+      passwordSecretRef:
+        name: gravitee-jks-password
+        key: password
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: gateway-internal-tls
+  namespace: gravitee-apim
+spec:
+  secretName: gateway-internal-tls
+  commonName: graviteeio-apim-gateway.gravitee-apim.svc.cluster.local
+  dnsNames:
+    - graviteeio-apim-gateway
+    - graviteeio-apim-gateway.gravitee-apim
+    - graviteeio-apim-gateway.gravitee-apim.svc
+    - graviteeio-apim-gateway.gravitee-apim.svc.cluster.local
+    - gateway.gravitee.sttlab.pc
+  issuerRef:
+    name: gravitee-ca-issuer
+    kind: Issuer
+  keystores:
+    pkcs12:
+      create: true
+      passwordSecretRef:
+        name: gravitee-jks-password
+        key: password
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: api-internal-tls
+  namespace: gravitee-apim
+spec:
+  secretName: api-internal-tls
+  commonName: graviteeio-apim-api.gravitee-apim.svc.cluster.local
+  dnsNames:
+    - graviteeio-apim-api
+    - graviteeio-apim-api.gravitee-apim
+    - graviteeio-apim-api.gravitee-apim.svc
+    - graviteeio-apim-api.gravitee-apim.svc.cluster.local
+    - api.gravitee.sttlab.pc
+  issuerRef:
+    name: gravitee-ca-issuer
+    kind: Issuer
+  keystores:
+    pkcs12:
+      create: true
+      passwordSecretRef:
+        name: gravitee-jks-password
+        key: password
+