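# cert-manager configuration for Gravitee APIM
# Self-signed CA + namespace-scoped Issuer
#
# Trust chain: selfsigned bootstrap Issuer -> gravitee-ca Certificate
# (secret gravitee-ca-tls) -> gravitee-ca-issuer (kind: CA) -> every leaf
# Certificate in this file. All resources live in namespace gravitee-apim.
#
# To switch to HashiCorp Vault later:
# 1. Replace `gravitee-ca-issuer` (Issuer kind: CA) with a Vault Issuer:
#      apiVersion: cert-manager.io/v1
#      kind: Issuer
#      metadata: {name: gravitee-ca-issuer, namespace: gravitee-apim}
#      spec:
#        vault:
#          server: https://vault.sttlab.pc:8200
#          path: pki/sign/gravitee
#          auth: { kubernetes: { ... } }
#    If the Vault listener's certificate is not already trusted by the
#    cert-manager controller, also set spec.vault.caBundle (or
#    spec.vault.caBundleSecretRef); otherwise the Issuer never becomes Ready.
# 2. Keep the Certificate resources below unchanged - they reference
#    `gravitee-ca-issuer` by name, so the swap is transparent.
#
# Leaf certificates set privateKey.rotationPolicy: Always so that each
# renewal generates a fresh key pair instead of re-signing the existing
# private key; a key that leaks is then only valid until the next renewal.
# The CA itself keeps the default: rotating the CA key would require
# redistributing gravitee-ca-tls to every trust store that pins it.
---
# Step 1: bootstrap a self-signed Issuer (only used to sign the CA cert)
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: gravitee-selfsigned-bootstrap
  namespace: gravitee-apim
spec:
  selfSigned: {}
---
# Step 2: create a CA certificate signed by the bootstrap issuer
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: gravitee-ca
  namespace: gravitee-apim
spec:
  isCA: true
  commonName: gravitee-ca.sttlab.pc
  secretName: gravitee-ca-tls
  duration: 87600h  # 10 years
  privateKey:
    algorithm: RSA
    size: 4096
  issuerRef:
    name: gravitee-selfsigned-bootstrap
    kind: Issuer
    group: cert-manager.io
---
# Step 3: the actual CA Issuer used by all Gravitee certs
# This is the resource to replace when integrating Vault PKI later
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: gravitee-ca-issuer
  namespace: gravitee-apim
spec:
  ca:
    secretName: gravitee-ca-tls
---
# ----------------------------
# Ingress certificates (one per public host)
# ----------------------------
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: console-tls
  namespace: gravitee-apim
spec:
  secretName: console-tls
  dnsNames:
    - console.gravitee.sttlab.pc
  privateKey:
    rotationPolicy: Always
  issuerRef:
    name: gravitee-ca-issuer
    kind: Issuer
    group: cert-manager.io
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: portal-tls
  namespace: gravitee-apim
spec:
  secretName: portal-tls
  dnsNames:
    - portal.gravitee.sttlab.pc
  privateKey:
    rotationPolicy: Always
  issuerRef:
    name: gravitee-ca-issuer
    kind: Issuer
    group: cert-manager.io
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: api-tls
  namespace: gravitee-apim
spec:
  secretName: api-tls
  dnsNames:
    - api.gravitee.sttlab.pc
  privateKey:
    rotationPolicy: Always
  issuerRef:
    name: gravitee-ca-issuer
    kind: Issuer
    group: cert-manager.io
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: gateway-tls
  namespace: gravitee-apim
spec:
  secretName: gateway-tls
  dnsNames:
    - gateway.gravitee.sttlab.pc
  privateKey:
    rotationPolicy: Always
  issuerRef:
    name: gravitee-ca-issuer
    kind: Issuer
    group: cert-manager.io
---
# ----------------------------
# Internal TLS server certs (cluster.local hostnames)
# ----------------------------
# Each cert lists every form of the in-cluster service name (short,
# namespaced, .svc, .svc.cluster.local) so clients can verify the hostname
# regardless of which resolver suffix they use.
#
# The keystores below all read the keystore password from the Secret
# `gravitee-jks-password` (key `password`). That Secret must exist in
# gravitee-apim before these Certificates are applied; cert-manager cannot
# build the keystore, and therefore cannot complete issuance, without it.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: mongodb-tls
  namespace: gravitee-apim
spec:
  secretName: mongodb-tls
  commonName: mongodb.gravitee-apim.svc.cluster.local
  dnsNames:
    - mongodb
    - mongodb.gravitee-apim
    - mongodb.gravitee-apim.svc
    - mongodb.gravitee-apim.svc.cluster.local
    # per-pod headless-service name (replica set member address)
    - mongodb-0.mongodb-headless.gravitee-apim.svc.cluster.local
  privateKey:
    rotationPolicy: Always
  issuerRef:
    name: gravitee-ca-issuer
    kind: Issuer
    group: cert-manager.io
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: elasticsearch-tls
  namespace: gravitee-apim
spec:
  secretName: elasticsearch-tls
  commonName: gravitee-es-master.gravitee-apim.svc.cluster.local
  dnsNames:
    - gravitee-es-master
    - gravitee-es-master.gravitee-apim
    - gravitee-es-master.gravitee-apim.svc
    - gravitee-es-master.gravitee-apim.svc.cluster.local
  privateKey:
    rotationPolicy: Always
  issuerRef:
    name: gravitee-ca-issuer
    kind: Issuer
    group: cert-manager.io
  # Elasticsearch consumes a JKS keystore; cert-manager adds keystore.jks
  # and truststore.jks to the elasticsearch-tls Secret.
  keystores:
    jks:
      create: true
      passwordSecretRef:
        name: gravitee-jks-password
        key: password
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: gateway-internal-tls
  namespace: gravitee-apim
spec:
  secretName: gateway-internal-tls
  commonName: graviteeio-apim-gateway.gravitee-apim.svc.cluster.local
  dnsNames:
    - graviteeio-apim-gateway
    - graviteeio-apim-gateway.gravitee-apim
    - graviteeio-apim-gateway.gravitee-apim.svc
    - graviteeio-apim-gateway.gravitee-apim.svc.cluster.local
    # public hostname is also covered here (same name as gateway-tls);
    # presumably so one keystore can serve both - confirm against the
    # gateway's listener config before removing either cert
    - gateway.gravitee.sttlab.pc
  privateKey:
    rotationPolicy: Always
  issuerRef:
    name: gravitee-ca-issuer
    kind: Issuer
    group: cert-manager.io
  # PKCS#12 bundle (keystore.p12 / truststore.p12) added to the Secret
  keystores:
    pkcs12:
      create: true
      passwordSecretRef:
        name: gravitee-jks-password
        key: password
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: api-internal-tls
  namespace: gravitee-apim
spec:
  secretName: api-internal-tls
  commonName: graviteeio-apim-api.gravitee-apim.svc.cluster.local
  dnsNames:
    - graviteeio-apim-api
    - graviteeio-apim-api.gravitee-apim
    - graviteeio-apim-api.gravitee-apim.svc
    - graviteeio-apim-api.gravitee-apim.svc.cluster.local
    # public hostname also covered here (same name as api-tls)
    - api.gravitee.sttlab.pc
  privateKey:
    rotationPolicy: Always
  issuerRef:
    name: gravitee-ca-issuer
    kind: Issuer
    group: cert-manager.io
  # PKCS#12 bundle (keystore.p12 / truststore.p12) added to the Secret
  keystores:
    pkcs12:
      create: true
      passwordSecretRef:
        name: gravitee-jks-password
        key: password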