
loki-ca: Add cert-manager issuer for Loki CA

The Loki CA is used to issue client certificates for Grafana Loki.  This
_cert-manager_ ClusterIssuer will allow applications running in
Kubernetes (e.g. Grafana) to request a Certificate that they can use to
access the Loki HTTP API.
etcd
Dustin 2024-02-20 09:17:37 -06:00
parent d08cc6fb0f
commit d4efb735bf
5 changed files with 80 additions and 0 deletions

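--- a/loki-ca/README.md
+++ b/loki-ca/README.md
@@ -0,0 +1,24 @@
+# Private CA for Grafana Loki Client Authentication
+## Generate CA Key/Certificate
+```sh
+openssl genpkey -algorithm ED25519 -out loki-ca.key
+openssl req -new -config openssl.cnf -key loki-ca.key -x509 -out loki-ca.crt -days 3653
+```
+## Create SealedSecret
+```sh
+kubectl create secret tls -n cert-manager loki-ca --cert loki-ca.crt --key loki-ca.key --dry-run=client -o yaml | kubeseal -o yaml > secrets.yaml
+```
+_Note_: the SealedSecret is stored in the _cert-manager_ namespace since it is
+used by a ClusterIssuer.
+## Deploy
+```sh
+kubectl apply -f .
+```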

loki-ca/loki-ca.crt Normal file

@ -0,0 +1,11 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

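--- a/loki-ca/loki-ca.yaml
+++ b/loki-ca/loki-ca.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+name: loki-ca
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+name: loki-ca
+spec:
+ca:
+secretName: loki-ca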
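Review bot: The `ClusterIssuer` at the end of this file is cluster-scoped, so any namespace whose users or service accounts may create `Certificate` resources can reference `loki-ca` and obtain a client certificate that Loki will accept, not only Grafana. If access to the Loki HTTP API is meant to be limited to a few workloads, consider a namespaced `Issuer` in each consuming namespace, or gate requests with RBAC or a certificate approval policy. Either way, record the decision in a comment above the issuer, such as `# cluster-wide: every namespace allowed to create Certificates can get a Loki client cert`. Separately, the `loki-ca` Namespace created here does not appear to hold anything in this commit (the Secret lives in `cert-manager`), so a short comment on what it is for would help.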

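--- a/loki-ca/openssl.cnf
+++ b/loki-ca/openssl.cnf
@@ -0,0 +1,17 @@
+[req]
+distinguished_name = root_ca_dn
+prompt = no
+default_md = sha512
+x509_extensions = root_ca
+string_mask = utf8only
+[root_ca_dn]
+countryName = US
+organizationName = Dustin C. Hatch
+organizationalUnitName = Loki
+commonName = Loki CA
+[root_ca]
+subjectKeyIdentifier = hash
+basicConstraints = critical,CA:true,pathlen:0
+keyUsage = cRLSign, keyCertSign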
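Review bot: `default_md = sha512` in `[req]` most likely has no effect with the Ed25519 key that the README generates, because Ed25519 signatures do not take a separately chosen digest and OpenSSL signs without one for that key type. Either drop the line or annotate it, e.g. `# ignored for Ed25519; applies only if the CA key is RSA/ECDSA`, so a reader does not assume the certificate is signed with SHA-512. In `[root_ca]`, a one-line comment such as `# pathlen:0: this CA may sign leaf certificates only, no subordinate CAs` would document the intent of the constraint for whoever regenerates the certificate later.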

loki-ca/secrets.yaml Normal file

@ -0,0 +1,15 @@
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: loki-ca
namespace: cert-manager
spec:
encryptedData:
tls.crt: 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
tls.key: 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
template:
metadata:
name: loki-ca
namespace: cert-manager
type: kubernetes.io/tls