✨ adding cert-manager stuff

k8s/spire/base/cert-intermediate.yaml

@@ -0,0 +1,18 @@
+# Create intermediate CA certificate signed by root
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: spire-ca
+  namespace: spire
+spec:
+  isCA: true
+  commonName: "Spire Intermediate CA"
+  dnsNames:
+  - "spire.tunnel.threadr.ai"
+  secretName: spire-ca-key-pair  # This matches what the ClusterIssuer expects
+  duration: 8760h # 1 year
+  renewBefore: 720h # 30 days
+  issuerRef:
+    name: spire-root-issuer  # Sign using our root issuer
+    kind: ClusterIssuer
+    group: cert-manager.io

k8s/spire/base/new-cert.yaml

@@ -0,0 +1,17 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: spire-ca
+  namespace: spire
+spec:
+  commonName: "Spire Intermediate CA"
+  dnsNames:
+  - "spire.tunnel.threadr.ai"
+  duration: 8760h
+  isCA: true
+  issuerRef:
+    group: cert-manager.io
+    kind: ClusterIssuer
+    name: spire-root-issuer
+  renewBefore: 720h
+  secretName: spire-ca-intermediate-key-pair  # Changed secret name

k8s/spire/base/new-issuer.yaml

@@ -0,0 +1,7 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: spire-ca-issuer
+spec:
+  ca:
+    secretName: spire-ca-intermediate-key-pair  # Use the new secret name

k8s/spire/base/pg-secret.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: spire-postgres
+  namespace: spire
+type: Opaque
+stringData:
+  DB_PASSWORD: ""

k8s/spire/base/server-configmap.yaml

@@ -32,8 +32,8 @@ data:
 
       UpstreamAuthority "cert-manager" {
         plugin_data {
-          issuer_name = "spire-ca-issuer"
-          issuer_kind = "ClusterIssuer"
+          issuer_name = "spire-intermediate-issuer"
+          issuer_kind = "Issuer"
           issuer_group = "cert-manager.io"
           namespace = "spire"
           ca_bundle_path = "/etc/cert-manager/ca/ca.crt"

k8s/spire/base/spiffe-pod-test.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: spiffe-test
+  namespace: default
+spec:
+  serviceAccount: default
+  containers:
+    - name: spiffe-test
+      image: nicolaka/netshoot
+      command: ["/bin/sh", "-c", "while true; do sleep 30; done"]
+      env:
+        - name: SPIFFE_ENDPOINT_SOCKET
+          value: /run/spire/sockets/agent.sock
+      volumeMounts:
+        - name: spire-agent-socket
+          mountPath: /run/spire/sockets
+          readOnly: true
+  volumes:
+    - name: spire-agent-socket
+      hostPath:
+        path: /run/spire/sockets
+        type: Directory

k8s/spire/base/spire-ca-issuer.yaml

@@ -0,0 +1,9 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: spire-ca-issuer
+  namespace: spire
+spec:
+  ca:
+    secretName: spire-ca-key-pair
+

k8s/spire/base/spire-ca.yaml

@@ -0,0 +1,28 @@
+# First create an intermediate certificate
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: spire-intermediate-ca
+  namespace: spire
+spec:
+  isCA: true
+  commonName: "Spire Intermediate CA"
+  secretName: spire-intermediate-ca
+  duration: 8760h # 1 year
+  renewBefore: 720h # 30 days
+  dnsNames:
+    - "spire.tunnel.threadr.ai"
+  issuerRef:
+    name: spire-root-issuer
+    kind: ClusterIssuer
+    group: cert-manager.io
+---
+# Then create an issuer using the intermediate certificate
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: spire-intermediate-issuer
+  namespace: spire
+spec:
+  ca:
+    secretName: spire-intermediate-ca