grpc-xds/k8s/cert-manager/skaffold.yaml (95 lines of code) (raw):

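# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# The Kubernetes resource file paths in this file assume that you execute
# Skaffold from the base directory.
#
# TODO: Create separate intermediate CAs and issuers in each cluster.
#
# This file holds five Skaffold configs, one per YAML document:
#   cert-manager                 - installs cert-manager from the upstream
#                                  release manifest.
#   root-ca                      - creates the root CA in cluster
#                                  kind-grpc-xds and exports its Secret.
#   root-ca-external             - installs the exported Secret in cluster
#                                  kind-grpc-xds-2.
#   ca-service-issuer-controller - installs the Google CAS issuer controller.
#   ca-service-cluster-issuer    - installs the CAS cluster issuer.
#
# NOTE(review): the root-ca / root-ca-external pair copies one root CA Secret
# between clusters. Until the TODO above is done, both clusters depend on the
# same CA material, so exposure in either cluster affects both.

apiVersion: skaffold/v3
kind: Config
metadata:
  name: cert-manager
  annotations:
    config.kubernetes.io/local-config: "true"
build: {}
deploy:
  kubectl:
    defaultNamespace: ""
    hooks:
      after:
        # Block until the cert-manager CRD and deployments are usable, so that
        # later configs can create cert-manager resources.
        - host:
            command: ["kubectl", "wait", "--for=condition=established", "--timeout=30s", "crd", "certificates.cert-manager.io"]
        - host:
            command: ["kubectl", "rollout", "status", "--namespace=cert-manager", "deployment", "cert-manager"]
        - host:
            command: ["kubectl", "rollout", "status", "--namespace=cert-manager", "deployment", "cert-manager-webhook"]
manifests:
  rawYaml:
    # Supply chain: this manifest is downloaded at deploy time. It is pinned to
    # a release tag but no checksum or signature is verified here. To get
    # reproducible, reviewable deploys, vendor the file or verify its digest
    # before applying it.
    - https://github.com/cert-manager/cert-manager/releases/download/v1.14.7/cert-manager.yaml # kpt-set: https://github.com/cert-manager/cert-manager/releases/download/${cert-manager-version}/cert-manager.yaml
---
apiVersion: skaffold/v3
kind: Config
metadata:
  name: root-ca
  annotations:
    config.kubernetes.io/local-config: "true"
build: {}
deploy:
  kubeContext: kind-grpc-xds # generate the root CA certificate in the first cluster, and export it for use in the second cluster
  kubectl:
    defaultNamespace: cert-manager
    hooks:
      after:
        # Host hooks run plain kubectl, which uses the kubeconfig's current
        # context unless told otherwise. Pin the context explicitly, as the
        # export hook below and the root-ca-external config already do.
        - host:
            command: ["kubectl", "--context=kind-grpc-xds", "wait", "--for=condition=ready", "--timeout=30s", "clusterissuer", "root-ca"]
        # Export the root CA Secret to a file in the working tree, where the
        # root-ca-external kustomization picks it up.
        # NOTE(review): the Secret presumably includes the CA private key
        # (tls.key), because the second cluster uses it to back its own
        # root-ca ClusterIssuer - confirm. Keep the exported file out of
        # version control and delete it once the second cluster is set up.
        # `umask 077` makes a newly created export file readable by the
        # current user only; a file that already exists keeps its mode.
        - host:
            command:
              - "sh"
              - "-c"
              - >-
                umask 077 &&
                kubectl --context=kind-grpc-xds --namespace=cert-manager
                get secret root-ca-certificate --output=yaml
                > k8s/cert-manager/root-ca-external/secret-root-ca.yaml
manifests:
  kustomize:
    paths: ["k8s/cert-manager/root-ca"]
---
apiVersion: skaffold/v3
kind: Config
metadata:
  name: root-ca-external
  annotations:
    config.kubernetes.io/local-config: "true"
build: {}
deploy:
  kubeContext: kind-grpc-xds-2 # install the exported root CA certificate from the first cluster in the second cluster
  kubectl:
    defaultNamespace: cert-manager
    hooks:
      after:
        - host:
            command: ["kubectl", "--context=kind-grpc-xds-2", "wait", "--for=condition=ready", "--timeout=30s", "clusterissuer", "root-ca"]
manifests:
  kustomize:
    # --load-restrictor=LoadRestrictionsNone lets kustomize read files outside
    # the kustomization root. Only build kustomization directories you trust
    # with this flag, since they can pull in any file that is readable on the
    # host.
    buildArgs: ["--load-restrictor=LoadRestrictionsNone"]
    paths: ["k8s/cert-manager/root-ca-external"]
---
apiVersion: skaffold/v3
kind: Config
metadata:
  name: ca-service-issuer-controller
  annotations:
    config.kubernetes.io/local-config: "true"
build: {}
deploy:
  kubectl:
    defaultNamespace: cert-manager
    hooks:
      after:
        # Block until the CAS issuer CRD and controller are ready.
        - host:
            command: ["kubectl", "wait", "--for=condition=established", "--timeout=30s", "crd", "googlecasclusterissuers.cas-issuer.jetstack.io"]
        - host:
            command: ["kubectl", "rollout", "status", "--namespace=cert-manager", "deployment", "cert-manager-google-cas-issuer"]
manifests:
  kustomize:
    # Relaxed load restrictor: see the caveat on the root-ca-external config.
    buildArgs: ["--load-restrictor=LoadRestrictionsNone"]
    paths: ["k8s/cert-manager/ca-service-issuer-controller"]
---
apiVersion: skaffold/v3
kind: Config
metadata:
  name: ca-service-cluster-issuer
  annotations:
    config.kubernetes.io/local-config: "true"
build: {}
manifests:
  kustomize:
    # Relaxed load restrictor: see the caveat on the root-ca-external config.
    buildArgs: ["--load-restrictor=LoadRestrictionsNone"]
    paths: ["k8s/cert-manager/ca-service-cluster-issuer"]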