docs: Certificate Defaulting with Kyverno

- Add a turotial using Kyverno to override Certificate defaults
- YAML resources with public links for easy downloading
- Add tutorial to main page list
- Rewritten from the original draft to ensure it is a tutorial and flows well

Signed-off-by: Peter Fiddes <[email protected]>

Author: hawksight

.spelling

@@ -634,6 +634,8 @@ v1.13.
 v1.12.5
 v1.12.6
 v1.12.7
+v1.14.0
+v1.14.X
 liveness
 apiservices
 arm64

content/docs/manifest.json

@@ -578,6 +578,10 @@
             {
               "title": "Managing public trust in kubernetes with trust-manager",
               "path": "/docs/tutorials/getting-started-with-trust-manager/README.md"
+            },
+            {
+              "title": "Setting default certificate values",
+              "path": "/docs/tutorials/certificate-defaults/README.md"
             }
           ]
         },

content/docs/tutorials/README.md

@@ -25,6 +25,8 @@ for you to learn from. Take a look!
 - [Securing an Istio service mesh with cert-manager](./istio-csr/istio-csr.md): Tutorial for
   securing an Istio service mesh using a cert-manager issuer.
 - [Obtaining SSL certificates with the ZeroSSL](./zerossl/zerossl.md): Tutorial describing usage of the ZeroSSL as external ACME server.
+- [Managing public trust in Kubernetes with trust-manager](./getting-started-with-trust-manager/README.md): Learn how to deploy and configure trust-manager to automatically distribute your approved Public CA configuration to your Kubernetes cluster.
+- [Learn how to set Certificate defaults automatically](./certificate-defaults/README.md): Learn how to use Kyverno `ClusterPolicy` to set default values for cert-manager `Certificates`.
 
 ### External Tutorials
 

content/docs/tutorials/certificate-defaults/README.md

@@ -0,0 +1,8 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: test-minimal
+  namespace: default
+spec:
+  dnsNames:
+  - example.com

public/docs/tutorials/certificate-defaults/cert-test-minimal.yaml

@@ -0,0 +1,19 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: test-revision-override
+  namespace: default
+spec:
+  dnsNames:
+  - example.com
+  issuerRef:
+    group: cert-manager.io
+    kind: ClusterIssuer
+    name: not-my-corp-issuer
+  privateKey:
+    algorithm: RSA
+    encoding: PKCS8
+    rotationPolicy: Never
+    size: 4096
+  revisionHistoryLimit: 44
+  secretName: test-revision-override-cert

public/docs/tutorials/certificate-defaults/cert-test-revision-override.yaml

@@ -0,0 +1,13 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: test-revision
+  namespace: default
+spec:
+  dnsNames:
+  - example.com
+  issuerRef:
+    group: cert-manager.io
+    kind: ClusterIssuer
+    name: not-my-corp-issuer
+  secretName: test-revision-cert

public/docs/tutorials/certificate-defaults/cert-test-revision.yaml

@@ -0,0 +1,45 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: 0-mutate-certificate-defaults
+spec:
+  failurePolicy: Fail
+  rules:
+  # Set a sane default for the history field if not already present
+  - name: set-revisionHistoryLimit
+    match:
+      any:
+      - resources:
+          kinds:
+          - Certificate
+    mutate:
+      patchStrategicMerge:
+        spec:
+          # +(...) This is the clever syntax for if not already set
+          +(revisionHistoryLimit): 2
+  # Set rotation to always if not already set
+  - name: set-privateKey-rotationPolicy
+    match:
+      any:
+      - resources:
+          kinds:
+          - Certificate
+    mutate:
+      patchStrategicMerge:
+        spec:
+          privateKey:
+            +(rotationPolicy): Always
+  # Set private key details for algorithm an size
+  - name: set-privateKey-details
+    match:
+      any:
+      - resources:
+          kinds:
+          - Certificate
+    mutate:
+      patchStrategicMerge:
+        spec:
+          privateKey:
+            +(algorithm): ECDSA
+            +(size): 521
+            +(encoding): PKCS1

public/docs/tutorials/certificate-defaults/cpol-mutate-certificate-defaults.yaml

@@ -0,0 +1,31 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: 1-mutate-certificate-required
+spec:
+  rules:
+  # Test if we can set a secretName when one is not provided
+  - name: set-default-secret-name
+    match:
+      any:
+      - resources:
+          kinds:
+          - Certificate
+    mutate:
+      patchStrategicMerge:
+        spec:
+          +(secretName): "{{request.object.metadata.name}}-cert"
+  # Test if we can set a default issuerRef
+  - name: set-default-issuer-ref
+    match:
+      any:
+      - resources:
+          kinds:
+          - Certificate
+    mutate:
+      patchStrategicMerge:
+        spec:
+          +(issuerRef):
+            name: our-corp-issuer
+            kind: ClusterIssuer
+            group: cert-manager.io

public/docs/tutorials/certificate-defaults/cpol-mutate-certificate-required.yaml

@@ -0,0 +1,24 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: validate-certificate
+spec:
+  rules:
+  # Test from the kyverno examples to validate any subdomain of corp.com applied the correct issuer
+  - name: restrict-corp-cert-issuer
+    match:
+      any:
+      - resources:
+          kinds:
+          - Certificate
+    validate:
+      message: When requesting a cert for this domain, you must use our corporate issuer.
+      pattern:
+        spec:
+          (dnsNames): ["*.corp.com"]
+          issuerRef:
+            name: our-corp-issuer
+            kind: ClusterIssuer
+            group: cert-manager.io
+  validationFailureAction: Enforce
+  background: true