Merge branch 'feat/certificates-add-self-signed-ca' into 'main'

feat(certificates): add self-signed CA and corresponding certificate

See merge request unboundsoftware/local-k8s!188

certs/README.md

@@ -0,0 +1,38 @@
+# Certificates
+
+This section contains the CA certificates used for testing.
+The only step necessary is to [install](#install-and-trust-the-CA) the CA.
+The rest of the documentation is for reference.
+
+## Setup
+
+First we generate a key for our CA certificate:
+
+```shell
+openssl genrsa -out local-ca.key 2048
+```
+
+Then generate the CA certificate:
+
+```shell
+openssl req -new -x509 -nodes -days 365000 \
+   -key local-ca.key \
+   -out local-ca.pem
+```
+
+Generate a k8s secret:
+
+```shell
+kubectl create secret generic ca-key-pair2 \
+  --from-literal=tls.crt="$(cat local-ca.pem)" \
+  --from-literal=tls.key="$(cat local-ca.key)"
+```
+
+The [certificates.yaml](../kind/certificates.yaml) contains the secrets already and wil be used by cert-manager
+to sign certificates.
+
+## Install and trust the CA
+
+```shell
+sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" local-ca.pem
+```

certs/local-ca.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC1t0ZQvIylVS86
+KoHI2zraBpyUOj+rwOBoGNhk9hkqyE4tZHGbV5/iIp6t7V+pJydkqwlO2TsSFG0d
+We3ubxGANE+rsxejGfd2Mo7s/IwAs1ifdu1mOKj+JOY0ypMkykIoS9KywYd6v40H
+WL57IC5ITMB3TEc4pTOJm5PyOobHgVc6YofjQlh2kyrU//XPoV45neXZ/rlPsIKi
+rD+8mHZ55pt3yvT0wSGw4DZRkTRgBQY99jcKX89waw1iNGR1viMqbhgONOqBd9UX
+kyMPWUNqEbfYIw2mqLijdKjsvYIIKy4my+TDUEJCvom0wMd0cPF2uWEvjRQW/3kS
+S73aVD6RAgMBAAECggEAA1d4rlw2GFKpHBOGcEbBarUCBO/O4yR+4l5imSi1bPkv
+oHVFnMSCjWQMyvufulQ2ZnGGw35wyacg6PZ4aHdLORi9LLxazB/ahYy63omeZ+NK
+1yCwXCR6mk6pAehS+gA5ZNUc7Z1r4mP9y4uXcfUB8a5uDUOUo7c8a8sCo34g1smQ
+FMarqKWWDeEfQv5nMO9OG6o9WdGjCi6xkyB+n8ZgRGCtfYOEgO5SDcxBsgLUavF+
+Lwv+xCgLyJCttMgO1vHbnrdPH2uPYVrlibbXbKfJxaVKpAarluw0Ad17MXjpGvDj
+W0FOutRjwwWPmYUwXuxCceaOer2vKUIVjmbn1E+USQKBgQD+1nk9WP5/YfGZXUhr
+D0W+I8Fd1ob+3qVTEsiDHnbcKIk/weGw0OwvSQlXF9DUOyvpYG77IK+SvEvNo+UK
+k8QR8hz58qq1vk7l6AqlELKjLIfblSMwlmWjXngmo31Zgzatgj+0wJ57/yQRA6WH
+PkAP5mL5Ok2ryaMMCtmXtGbl3wKBgQC2i24rVTy7XxDM1Wt1exdDAy4jEACt/XZ2
+oYwwyvNJshv2j7e6UPF0t44/2+xhovSSbWvUemGoOYESO1gDWFrkfcp7ahKTOBkc
+bWRlHzCaf4AdEK0wanRAE9CybcN6CFAIIbrr7J7fHSxPQQoyKy53aIfx67Ji1Yzw
+HKyOT9sJjwKBgQCg8XcUhZYFgSgCgeVwp+6WDSLcTtZnNNoYwy4bkSvkEz3LJHmT
+H/9qRag+du4Oe2haNeshcx0vgPgm4bGPoo8b/lrKiLXDnnNZw9ilMwx+/Wq4BVJ6
+JyH9sXYUgQBzfekUX8Q4NcZh7Vsr26+44Fm5MPmlCWtwaSIuQtP1eZva5QKBgQCL
+UkGEWyreCwGEhELeyFKJt8ynwBf0s2WNx2B7APrMPV7wQOJGFm8i2NF91blFD51A
+gLjy03DjdvgW1Sooa2/7wjIfHWcN65vmwWsFbtemozdBd6/nKuiM21LGS9YMtnl2
+q1/Bnrfmq5pc5tQEVEbDpglTz8M3gatuu0PL3hDb6wKBgE0J+j4DiqDajPiBZCCm
+LChDx05Y1N11yl/aiclfuUJ6ay1CANM+/pFFtDwhC75Grog2hKn6ISu7R1Q7Of6u
+zHL59It4RDWvTDBZZNOESk3zgnyRp8h1ooe6+cyBwuz0CL5zAcLSOVxXCczeJ+bA
+I81gVl6G430Q8uVsQNriTTgk
+-----END PRIVATE KEY-----

certs/local-ca.pem

@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID6zCCAtOgAwIBAgIUJ5L6dCicY2Pr7gYosf23mTIYWWAwDQYJKoZIhvcNAQEL
+BQAwgYMxCzAJBgNVBAYTAlNFMR4wHAYDVQQIDBVWw4PCpHN0cmEgR8ODwrZ0YWxh
+bmQxEjAQBgNVBAcMCVN2YW5lc3VuZDEwMC4GA1UECgwnVW5ib3VuZCBTb2Z0d2Fy
+ZSBEZXZlbG9wbWVudCBTdmVuc2thIEFCMQ4wDAYDVQQDDAVsb2NhbDAgFw0yNTEy
+MTAwNjM1NDBaGA8zMDI1MDQxMjA2MzU0MFowgYMxCzAJBgNVBAYTAlNFMR4wHAYD
+VQQIDBVWw4PCpHN0cmEgR8ODwrZ0YWxhbmQxEjAQBgNVBAcMCVN2YW5lc3VuZDEw
+MC4GA1UECgwnVW5ib3VuZCBTb2Z0d2FyZSBEZXZlbG9wbWVudCBTdmVuc2thIEFC
+MQ4wDAYDVQQDDAVsb2NhbDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+ALW3RlC8jKVVLzoqgcjbOtoGnJQ6P6vA4GgY2GT2GSrITi1kcZtXn+Iinq3tX6kn
+J2SrCU7ZOxIUbR1Z7e5vEYA0T6uzF6MZ93Yyjuz8jACzWJ927WY4qP4k5jTKkyTK
+QihL0rLBh3q/jQdYvnsgLkhMwHdMRzilM4mbk/I6hseBVzpih+NCWHaTKtT/9c+h
+Xjmd5dn+uU+wgqKsP7yYdnnmm3fK9PTBIbDgNlGRNGAFBj32Nwpfz3BrDWI0ZHW+
+IypuGA406oF31ReTIw9ZQ2oRt9gjDaaouKN0qOy9gggrLibL5MNQQkK+ibTAx3Rw
+8Xa5YS+NFBb/eRJLvdpUPpECAwEAAaNTMFEwHQYDVR0OBBYEFArFf7jQ/EcwPsDq
+PuBqaVgL5bqEMB8GA1UdIwQYMBaAFArFf7jQ/EcwPsDqPuBqaVgL5bqEMA8GA1Ud
+EwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBACN8RLwk4vj8s8KGM1aDydlX
+UbHjdZVa7Cgq6oCm/Le5DuEqRAcNv6/E6LT7g6nMwmJPRROh217MX26+LcrifLiD
+1dpYHl79A+7RvHW2okvOucXg+qN03qShhv70jgJu0q4BfNJjRo27u0QoUMmJZ5ZG
+vyeLTi72d3iuwKtPk6/Q7nUGMiGDN9cKY+GvMB65U4sWX807ZbgxtfOfB/Lrbydo
+UEQSpMGe6DiDj5gZcvHcNEEP6ZG8riaF406At3y86LA19XbYj4AJI1xZVPO+eb/C
+mW5CaMrDgyLhGx1XRoVY9KfWjzJzjR/A1MPevpVbA1Oom0DkV3OCeaBcncr5faA=
+-----END CERTIFICATE-----

kind/certificates.yaml

@@ -1,7 +1,35 @@
+apiVersion: v1
+data:
+  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUQ2ekNDQXRPZ0F3SUJBZ0lVSjVMNmRDaWNZMlByN2dZb3NmMjNtVElZV1dBd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2dZTXhDekFKQmdOVkJBWVRBbE5GTVI0d0hBWURWUVFJREJWV3c0UENwSE4wY21FZ1I4T0R3clowWVd4aApibVF4RWpBUUJnTlZCQWNNQ1ZOMllXNWxjM1Z1WkRFd01DNEdBMVVFQ2d3blZXNWliM1Z1WkNCVGIyWjBkMkZ5ClpTQkVaWFpsYkc5d2JXVnVkQ0JUZG1WdWMydGhJRUZDTVE0d0RBWURWUVFEREFWc2IyTmhiREFnRncweU5URXkKTVRBd05qTTFOREJhR0E4ek1ESTFNRFF4TWpBMk16VTBNRm93Z1lNeEN6QUpCZ05WQkFZVEFsTkZNUjR3SEFZRApWUVFJREJWV3c0UENwSE4wY21FZ1I4T0R3clowWVd4aGJtUXhFakFRQmdOVkJBY01DVk4yWVc1bGMzVnVaREV3Ck1DNEdBMVVFQ2d3blZXNWliM1Z1WkNCVGIyWjBkMkZ5WlNCRVpYWmxiRzl3YldWdWRDQlRkbVZ1YzJ0aElFRkMKTVE0d0RBWURWUVFEREFWc2IyTmhiRENDQVNJd0RRWUpLb1pJaHZjTkFRRUJCUUFEZ2dFUEFEQ0NBUW9DZ2dFQgpBTFczUmxDOGpLVlZMem9xZ2NqYk90b0duSlE2UDZ2QTRHZ1kyR1QyR1NySVRpMWtjWnRYbitJaW5xM3RYNmtuCkoyU3JDVTdaT3hJVWJSMVo3ZTV2RVlBMFQ2dXpGNk1aOTNZeWp1ejhqQUN6V0o5MjdXWTRxUDRrNWpUS2t5VEsKUWloTDByTEJoM3EvalFkWXZuc2dMa2hNd0hkTVJ6aWxNNG1iay9JNmhzZUJWenBpaCtOQ1dIYVRLdFQvOWMraApYam1kNWRuK3VVK3dncUtzUDd5WWRubm1tM2ZLOVBUQkliRGdObEdSTkdBRkJqMzJOd3BmejNCckRXSTBaSFcrCkl5cHVHQTQwNm9GMzFSZVRJdzlaUTJvUnQ5Z2pEYWFvdUtOMHFPeTlnZ2dyTGliTDVNTlFRa0sraWJUQXgzUncKOFhhNVlTK05GQmIvZVJKTHZkcFVQcEVDQXdFQUFhTlRNRkV3SFFZRFZSME9CQllFRkFyRmY3alEvRWN3UHNEcQpQdUJxYVZnTDVicUVNQjhHQTFVZEl3UVlNQmFBRkFyRmY3alEvRWN3UHNEcVB1QnFhVmdMNWJxRU1BOEdBMVVkCkV3RUIvd1FGTUFNQkFmOHdEUVlKS29aSWh2Y05BUUVMQlFBRGdnRUJBQ044Ukx3azR2ajhzOEtHTTFhRHlkbFgKVWJIamRaVmE3Q2dxNm9DbS9MZTVEdUVxUkFjTnY2L0U2TFQ3ZzZuTXdtSlBSUk9oMjE3TVgyNitMY3JpZkxpRAoxZHBZSGw3OUErN1J2SFcyb2t2T3VjWGcrcU4wM3FTaGh2NzBqZ0p1MHE0QmZOSmpSbzI3dTBRb1VNbUpaNVpHCnZ5ZUxUaTcyZDNpdXdLdFBrNi9RN25VR01pR0ROOWNLWStHdk1CNjVVNHNXWDgwN1piZ3h0Zk9mQi9McmJ5ZG8KVUVRU3BNR2U2RGlEajVnWmN2SGNORUVQNlpHOHJpYUY0MDZBdDN5ODZMQTE5WGJZajRBSkkxeFpWUE8rZWIvQwptVzVDYU1yRGd5TGhHeDFYUm9WWTlLZldqekp6alIvQTFNUGV2cFZiQTFPb20wRGtWM09DZWFCY25jcjVmYUE9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
+  tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2Z0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktnd2dnU2tBZ0VBQW9JQkFRQzF0MFpRdkl5bFZTODYKS29ISTJ6cmFCcHlVT2orcndPQm9HTmhrOWhrcXlFNHRaSEdiVjUvaUlwNnQ3VitwSnlka3F3bE8yVHNTRkcwZApXZTN1YnhHQU5FK3JzeGVqR2ZkMk1vN3MvSXdBczFpZmR1MW1PS2orSk9ZMHlwTWt5a0lvUzlLeXdZZDZ2NDBICldMNTdJQzVJVE1CM1RFYzRwVE9KbTVQeU9vYkhnVmM2WW9malFsaDJreXJVLy9YUG9WNDVuZVhaL3JsUHNJS2kKckQrOG1IWjU1cHQzeXZUMHdTR3c0RFpSa1RSZ0JRWTk5amNLWDg5d2F3MWlOR1IxdmlNcWJoZ09OT3FCZDlVWApreU1QV1VOcUViZllJdzJtcUxpamRLanN2WUlJS3k0bXkrVERVRUpDdm9tMHdNZDBjUEYydVdFdmpSUVcvM2tTClM3M2FWRDZSQWdNQkFBRUNnZ0VBQTFkNHJsdzJHRktwSEJPR2NFYkJhclVDQk8vTzR5Uis0bDVpbVNpMWJQa3YKb0hWRm5NU0NqV1FNeXZ1ZnVsUTJabkdHdzM1d3lhY2c2UFo0YUhkTE9SaTlMTHhhekIvYWhZeTYzb21lWitOSwoxeUN3WENSNm1rNnBBZWhTK2dBNVpOVWM3WjFyNG1QOXk0dVhjZlVCOGE1dURVT1VvN2M4YThzQ28zNGcxc21RCkZNYXJxS1dXRGVFZlF2NW5NTzlPRzZvOVdkR2pDaTZ4a3lCK244WmdSR0N0ZllPRWdPNVNEY3hCc2dMVWF2RisKTHd2K3hDZ0x5SkN0dE1nTzF2SGJucmRQSDJ1UFlWcmxpYmJYYktmSnhhVktwQWFybHV3MEFkMTdNWGpwR3ZEagpXMEZPdXRSand3V1BtWVV3WHV4Q2NlYU9lcjJ2S1VJVmptYm4xRStVU1FLQmdRRCsxbms5V1A1L1lmR1pYVWhyCkQwVytJOEZkMW9iKzNxVlRFc2lESG5iY0tJay93ZUd3ME93dlNRbFhGOURVT3l2cFlHNzdJSytTdkV2Tm8rVUsKazhRUjhoejU4cXExdms3bDZBcWxFTEtqTElmYmxTTXdsbVdqWG5nbW8zMVpnemF0Z2orMHdKNTcveVFSQTZXSApQa0FQNW1MNU9rMnJ5YU1NQ3RtWHRHYmwzd0tCZ1FDMmkyNHJWVHk3WHhETTFXdDFleGREQXk0akVBQ3QvWFoyCm9Zd3d5dk5Kc2h2Mmo3ZTZVUEYwdDQ0LzIreGhvdlNTYld2VWVtR29PWUVTTzFnRFdGcmtmY3A3YWhLVE9Ca2MKYldSbEh6Q2FmNEFkRUswd2FuUkFFOUN5YmNONkNGQUlJYnJyN0o3ZkhTeFBRUW95S3k1M2FJZng2N0ppMVl6dwpIS3lPVDlzSmp3S0JnUUNnOFhjVWhaWUZnU2dDZ2VWd3ArNldEU0xjVHRabk5Ob1l3eTRia1N2a0V6M0xKSG1UCkgvOXFSYWcrZHU0T2UyaGFOZXNoY3gwdmdQZ200YkdQb284Yi9scktpTFhEbm5OWnc5aWxNd3grL1dxNEJWSjYKSnlIOXNYWVVnUUJ6ZmVrVVg4UTROY1poN1ZzcjI2KzQ0Rm01TVBtbENXdHdhU0l1UXRQMWVadmE1UUtCZ1FDTApVa0dFV3lyZUN3R0VoRUxleUZLSnQ4eW53QmYwczJXTngyQjdBUHJNUFY3d1FPSkdGbThpMk5GOTFibEZENTFBCmdMankwM0RqZHZnVzFTb29hMi83d2pJZkhXY042NXZtd1dzRmJ0ZW1vemRCZDYvbkt1aU0yMUxHUzlZTXRubDIKcTEvQm5yZm1xNXBjNXRRRVZFYkRwZ2xUejhNM2dhdHV1MFBMM2hEYjZ3S0JnRTBKK2o0RGlxRGFqUGlCWkNDbQpMQ2hEeDA1WTFOMTF5bC9haWNsZnVVSjZheTFDQU5NKy9wRkZ0RHdoQzc1R3JvZzJoS242SVN1N1IxUTdPZjZ1CnpITDU5SXQ0UkRXdlREQlpaTk9FU2szemdueVJwOGgxb29lNitjeUJ3dXowQ0w1ekFjTFNPVnhYQ2N6ZUorYkEKSTgxZ1ZsNkc0MzBROHVWc1FOcmlUVGdrCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=
+kind: Secret
+metadata:
+  name: ca-key-pair
+  namespace: default
+type: Opaque
+---
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
   name: self-signed
   namespace: default
 spec:
-  selfSigned: {}
+  ca:
+    secretName: ca-key-pair
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: self-signed-cert
+  namespace: default
+spec:
+  subject:
+    organizations:
+    - shiny
+  dnsNames:
+  - shiny
+  - auth0
+  - staging-shiny.unbound.se
+  secretName: self-signed-cert-tls
+  issuerRef:
+    name: self-signed