# cert-manager configuration for Gravitee APIM
# Self-signed CA + namespace-scoped Issuer
#
# To switch to HashiCorp Vault later:
# 1. Replace `gravitee-ca-issuer` (Issuer kind: CA) with a Vault Issuer:
#      apiVersion: cert-manager.io/v1
#      kind: Issuer
#      metadata: {name: gravitee-ca-issuer, namespace: gravitee-apim}
#      spec:
#        vault:
#          server: https://vault.sttlab.pc:8200
#          path: pki/sign/gravitee
#          auth: { kubernetes: { ... } }
# 2. Keep the Certificate resources below unchanged - they reference
#    `gravitee-ca-issuer` by name, so the swap is transparent.
---
# Step 1: bootstrap Issuer. It is self-signed and exists only to sign the
# gravitee-ca certificate in Step 2; no leaf certificate references it.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  namespace: gravitee-apim
  name: gravitee-selfsigned-bootstrap
spec:
  selfSigned: {}
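---
# Step 2: the CA certificate, signed by the bootstrap issuer from Step 1.
# Its key pair lands in Secret gravitee-ca-tls, which Step 3 turns into the
# Issuer used by every other certificate in this file.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: gravitee-ca
  namespace: gravitee-apim
spec:
  isCA: true
  commonName: gravitee-ca.sttlab.pc
  secretName: gravitee-ca-tls
  duration: 87600h  # 10 years
  privateKey:
    algorithm: RSA
    size: 4096
    # Pinned explicitly because the cert-manager default for rotationPolicy
    # is version-dependent. Keeping the CA key across renewals avoids having
    # to re-issue every leaf certificate and redistribute the trust bundle.
    rotationPolicy: Never
  issuerRef:
    name: gravitee-selfsigned-bootstrap
    kind: Issuer
    group: cert-manager.io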
---
# Step 3: the CA Issuer that every Gravitee certificate below references.
# Swap this single resource for a Vault Issuer of the same name when moving
# to Vault PKI; the Certificates do not need to change.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  namespace: gravitee-apim
  name: gravitee-ca-issuer
spec:
  ca:
    # Must match spec.secretName of the gravitee-ca Certificate (Step 2).
    secretName: gravitee-ca-tls
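---
# ----------------------------
# Ingress certificates (one per public host)
# ----------------------------
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: console-tls
  namespace: gravitee-apim
spec:
  secretName: console-tls
  dnsNames:
    - console.gravitee.sttlab.pc
  privateKey:
    # Generate a fresh key pair on every renewal rather than reusing the old
    # key; the cert-manager default for this field is version-dependent.
    rotationPolicy: Always
  issuerRef:
    name: gravitee-ca-issuer
    kind: Issuer
    group: cert-manager.io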
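---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: portal-tls
  namespace: gravitee-apim
spec:
  secretName: portal-tls
  dnsNames:
    - portal.gravitee.sttlab.pc
  privateKey:
    # Generate a fresh key pair on every renewal rather than reusing the old
    # key; the cert-manager default for this field is version-dependent.
    rotationPolicy: Always
  issuerRef:
    name: gravitee-ca-issuer
    kind: Issuer
    group: cert-manager.io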
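---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: api-tls
  namespace: gravitee-apim
spec:
  secretName: api-tls
  dnsNames:
    # This host is also a SAN of api-internal-tls; one of the two may be
    # redundant depending on which Secret the ingress actually mounts.
    - api.gravitee.sttlab.pc
  privateKey:
    # Generate a fresh key pair on every renewal rather than reusing the old
    # key; the cert-manager default for this field is version-dependent.
    rotationPolicy: Always
  issuerRef:
    name: gravitee-ca-issuer
    kind: Issuer
    group: cert-manager.io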
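---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: gateway-tls
  namespace: gravitee-apim
spec:
  secretName: gateway-tls
  dnsNames:
    # This host is also a SAN of gateway-internal-tls; one of the two may be
    # redundant depending on which Secret the ingress actually mounts.
    - gateway.gravitee.sttlab.pc
  privateKey:
    # Generate a fresh key pair on every renewal rather than reusing the old
    # key; the cert-manager default for this field is version-dependent.
    rotationPolicy: Always
  issuerRef:
    name: gravitee-ca-issuer
    kind: Issuer
    group: cert-manager.io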
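---
# ----------------------------
# Internal TLS server certs (cluster.local hostnames)
# ----------------------------
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: mongodb-tls
  namespace: gravitee-apim
spec:
  secretName: mongodb-tls
  commonName: mongodb.gravitee-apim.svc.cluster.local
  dnsNames:
    - mongodb
    - mongodb.gravitee-apim
    - mongodb.gravitee-apim.svc
    - mongodb.gravitee-apim.svc.cluster.local
    # Only the first StatefulSet pod hostname is covered; presumably a
    # single-replica deployment - add mongodb-N.* entries if that changes.
    - mongodb-0.mongodb-headless.gravitee-apim.svc.cluster.local
  privateKey:
    # Generate a fresh key pair on every renewal rather than reusing the old
    # key; the cert-manager default for this field is version-dependent.
    rotationPolicy: Always
  issuerRef:
    name: gravitee-ca-issuer
    kind: Issuer
    group: cert-manager.io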
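---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: elasticsearch-tls
  namespace: gravitee-apim
spec:
  secretName: elasticsearch-tls
  commonName: gravitee-es-master.gravitee-apim.svc.cluster.local
  dnsNames:
    - gravitee-es-master
    - gravitee-es-master.gravitee-apim
    - gravitee-es-master.gravitee-apim.svc
    - gravitee-es-master.gravitee-apim.svc.cluster.local
  privateKey:
    # Generate a fresh key pair on every renewal rather than reusing the old
    # key; the cert-manager default for this field is version-dependent.
    rotationPolicy: Always
  issuerRef:
    name: gravitee-ca-issuer
    kind: Issuer
    group: cert-manager.io
  keystores:
    jks:
      create: true
      # The Secret gravitee-jks-password is not defined in this file; it must
      # exist in the namespace before issuance or the keystore is not built.
      # The same Secret is shared by gateway-internal-tls and api-internal-tls.
      passwordSecretRef:
        name: gravitee-jks-password
        key: password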
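---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: gateway-internal-tls
  namespace: gravitee-apim
spec:
  secretName: gateway-internal-tls
  commonName: graviteeio-apim-gateway.gravitee-apim.svc.cluster.local
  dnsNames:
    - graviteeio-apim-gateway
    - graviteeio-apim-gateway.gravitee-apim
    - graviteeio-apim-gateway.gravitee-apim.svc
    - graviteeio-apim-gateway.gravitee-apim.svc.cluster.local
    # Public host, also covered by the gateway-tls ingress certificate above.
    - gateway.gravitee.sttlab.pc
  privateKey:
    # Generate a fresh key pair on every renewal rather than reusing the old
    # key; the cert-manager default for this field is version-dependent.
    rotationPolicy: Always
  issuerRef:
    name: gravitee-ca-issuer
    kind: Issuer
    group: cert-manager.io
  keystores:
    pkcs12:
      create: true
      # Despite its name, gravitee-jks-password is reused as the PKCS#12
      # password here; it is not defined in this file and must pre-exist.
      passwordSecretRef:
        name: gravitee-jks-password
        key: password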
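---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: api-internal-tls
  namespace: gravitee-apim
spec:
  secretName: api-internal-tls
  commonName: graviteeio-apim-api.gravitee-apim.svc.cluster.local
  dnsNames:
    - graviteeio-apim-api
    - graviteeio-apim-api.gravitee-apim
    - graviteeio-apim-api.gravitee-apim.svc
    - graviteeio-apim-api.gravitee-apim.svc.cluster.local
    # Public host, also covered by the api-tls ingress certificate above.
    - api.gravitee.sttlab.pc
  privateKey:
    # Generate a fresh key pair on every renewal rather than reusing the old
    # key; the cert-manager default for this field is version-dependent.
    rotationPolicy: Always
  issuerRef:
    name: gravitee-ca-issuer
    kind: Issuer
    group: cert-manager.io
  keystores:
    pkcs12:
      create: true
      # Despite its name, gravitee-jks-password is reused as the PKCS#12
      # password here; it is not defined in this file and must pre-exist.
      passwordSecretRef:
        name: gravitee-jks-password
        key: password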