docs(sandbox-manager): add a best practice for managing and deploying sandbox-manager self-signed certificates using cert-manager

Signed-off-by: AiRanthem <zhongtianyun.zty@alibaba-inc.com>

Author: AiRanthem

.gitignore

@@ -26,6 +26,8 @@ go.work.sum
 *.swp
 *.swo
 *~
+
+*.crt
 *.pem
 vendor/*
 dev/

config/sandbox-manager/deployment.yaml

@@ -4,21 +4,21 @@ metadata:
   name: sandbox-manager
   namespace: sandbox-system
   labels:
-    control-plane: sandbox-manager
+    component: sandbox-manager
     app.kubernetes.io/name: sandbox-manager
     app.kubernetes.io/managed-by: kustomize
 spec:
   replicas: 1
   selector:
     matchLabels:
-      control-plane: sandbox-manager
+      component: sandbox-manager
       app.kubernetes.io/name: sandbox-manager
   template:
     metadata:
       annotations:
         kubectl.kubernetes.io/default-container: controller
       labels:
-        control-plane: sandbox-manager
+        component: sandbox-manager
         app.kubernetes.io/name: sandbox-manager
     spec:
       serviceAccountName: sandbox-manager
@@ -62,7 +62,7 @@ spec:
                 fieldRef:
                   fieldPath: metadata.namespace
             - name: PEER_SELECTOR
-              value: control-plane=sandbox-manager
+              value: component=sandbox-manager
             - name: KUBE_CLIENT_QPS
               value: "10000"
             - name: KUBE_CLIENT_BURST

config/sandbox-manager/ingress.yaml

@@ -4,14 +4,15 @@ metadata:
   name: sandbox-manager
   namespace: sandbox-system
   labels:
-    control-plane: sandbox-manager
+    component: sandbox-manager
     app.kubernetes.io/name: sandbox-manager
     app.kubernetes.io/managed-by: kustomize
 spec:
   ingressClassName: nginx
   tls:
     - hosts:
         - "*.replace.with.your.domain"
+        - "replace.with.your.domain"
       secretName: sandbox-manager-tls
   rules:
     - host: "*.replace.with.your.domain"
@@ -24,3 +25,13 @@ spec:
                 name: sandbox-manager
                 port:
                   number: 7788
+    - host: "replace.with.your.domain"
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: sandbox-manager
+                port:
+                  number: 7788

config/sandbox-manager/rbac.yaml

@@ -3,7 +3,7 @@ kind: ClusterRole
 metadata:
   name: sandbox-manager
   labels:
-    control-plane: sandbox-manager
+    component: sandbox-manager
     app.kubernetes.io/name: sandbox-manager
 rules:
   - apiGroups: [""]
@@ -34,7 +34,7 @@ metadata:
   name: sandbox-manager-secrets
   namespace: sandbox-system
   labels:
-    control-plane: sandbox-manager
+    component: sandbox-manager
     app.kubernetes.io/name: sandbox-manager
 rules:
   - apiGroups: [ "" ]
@@ -48,7 +48,7 @@ kind: ClusterRoleBinding
 metadata:
   name: sandbox-manager
   labels:
-    control-plane: sandbox-manager
+    component: sandbox-manager
     app.kubernetes.io/name: sandbox-manager
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -65,7 +65,7 @@ metadata:
   name: sandbox-manager-secrets
   namespace: sandbox-system
   labels:
-    control-plane: sandbox-manager
+    component: sandbox-manager
     app.kubernetes.io/name: sandbox-manager
 roleRef:
   apiGroup: rbac.authorization.k8s.io

config/sandbox-manager/secret.yaml

@@ -4,7 +4,7 @@ metadata:
   name: e2b-key-store
   namespace: sandbox-system
   labels:
-    control-plane: sandbox-manager
+    component: sandbox-manager
     app.kubernetes.io/name: sandbox-manager
 type: Opaque
 data: { }

config/sandbox-manager/service.yaml

@@ -4,7 +4,7 @@ metadata:
   name: sandbox-manager
   namespace: sandbox-system
   labels:
-    control-plane: sandbox-manager
+    component: sandbox-manager
     app.kubernetes.io/name: sandbox-manager
     app.kubernetes.io/managed-by: kustomize
 spec:
@@ -15,5 +15,5 @@ spec:
       protocol: TCP
       name: http-envoy
   selector:
-    control-plane: sandbox-manager
+    component: sandbox-manager
     app.kubernetes.io/name: sandbox-manager

config/sandbox-manager/serviceaccount.yaml

@@ -4,7 +4,7 @@ metadata:
   name: sandbox-manager
   namespace: sandbox-system
   labels:
-    control-plane: sandbox-manager
+    component: sandbox-manager
     app.kubernetes.io/name: sandbox-manager
     app.kubernetes.io/managed-by: kustomize
 automountServiceAccountToken: true

docs/best-practices/cert-manager-zh_CN.md

@@ -0,0 +1,54 @@
+# 最佳实践：使用 cert-manager 管理 sandbox-manager 自签证书
+
+本文提供了一种使用 cert-manager 来管理和部署 sandbox-manager 自签证书的最佳实践。
+
+## 前提条件
+
+1. 集群中已安装 sandbox-manager
+2. 确保具备 kubectl 命令行工具并具有相应权限
+
+## 步骤一：安装 cert-manager
+
+如果您还没有安装 cert-manager，请参考 [官方文档](https://cert-manager.io/docs/installation/) 进行安装。
+
+## 步骤二：通过 cert-manager 自动管理证书
+
+1. 将 [cert-manager.yaml](cert-manager.yaml) 中的 "*.your.domain.com" 与 "your.domain.com" 替换为你的域名。
+2. 将配置添加到 Kubernetes 集群中：`kubectl apply -f cert-manager.yaml`
+
+## 步骤三：验证证书状态
+
+检查证书是否正确创建和颁发：
+
+```bash
+kubectl get certificates -n sandbox-system
+kubectl describe certificate sandbox-manager-ingress-cert -n sandbox-system
+kubectl describe secret sandbox-manager-tls -n sandbox-system
+```
+
+检查 Ingress 状态：
+
+```bash
+kubectl get ingress sandbox-manager -n sandbox-system
+kubectl describe ingress sandbox-manager -n sandbox-system
+```
+
+## 步骤四：配置客户端信任
+
+由于您使用的是自签名证书，客户端需要信任根 CA 证书。
+
+### 4.1 获取 CA 证书
+
+```bash
+kubectl get secret sandbox-ca-key-pair -n sandbox-system -o jsonpath='{.data.tls\.crt}' | base64 -d > ca.crt
+```
+
+### 4.2 配置客户端
+
+客户端需要设置环境变量 `SSL_CERT_FILE` 为获取的 CA 证书路径：
+
+```bash
+export SSL_CERT_FILE=/path/to/ca.crt
+```
+
+或者将 CA 证书添加到系统的信任存储中。

docs/best-practices/cert-manager.md

@@ -0,0 +1,56 @@
+# Best Practice: Managing sandbox-manager Self-Signed Certificates with cert-manager
+
+This document provides a best practice for managing and deploying sandbox-manager self-signed certificates using
+cert-manager.
+
+## Prerequisites
+
+1. sandbox-manager is installed in the cluster
+2. Ensure kubectl command-line tool is available with appropriate permissions
+
+## Step 1: Install cert-manager
+
+If you haven't installed cert-manager yet, please refer to
+the [official documentation](https://cert-manager.io/docs/installation/) for installation.
+
+## Step 2: Automatic Certificate Management with cert-manager
+
+1. Replace "*.your.domain.com" and "your.domain.com" in [cert-manager.yaml](cert-manager.yaml) with your domain.
+2. Add the configuration to the Kubernetes cluster: `kubectl apply -f cert-manager.yaml`
+
+## Step 3: Verify Certificate Status
+
+Check if certificates are created and issued correctly:
+
+```bash
+kubectl get certificates -n sandbox-system
+kubectl describe certificate sandbox-manager-ingress-cert -n sandbox-system
+kubectl describe secret sandbox-manager-tls -n sandbox-system
+```
+
+Check Ingress status:
+
+```bash
+kubectl get ingress sandbox-manager -n sandbox-system
+kubectl describe ingress sandbox-manager -n sandbox-system
+```
+
+## Step 4: Configure Client Trust
+
+Since you are using self-signed certificates, clients need to trust the root CA certificate.
+
+### 4.1 Obtain CA Certificate
+
+```bash
+kubectl get secret sandbox-ca-key-pair -n sandbox-system -o jsonpath='{.data.tls\.crt}' | base64 -d > ca.crt
+```
+
+### 4.2 Configure Client
+
+Clients need to set the environment variable `SSL_CERT_FILE` to the path of the obtained CA certificate:
+
+```bash
+export SSL_CERT_FILE=/path/to/ca.crt
+```
+
+Or add the CA certificate to the system's trust store.

docs/best-practices/cert-manager.yaml

@@ -0,0 +1,59 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: sandbox-ca-issuer
+  namespace: sandbox-system
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: sandbox-signing-issuer
+  namespace: sandbox-system
+spec:
+  ca:
+    secretName: sandbox-ca-key-pair
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: sandbox-ca
+  namespace: sandbox-system
+spec:
+  isCA: true
+  duration: 87600h # 10 years
+  secretName: sandbox-ca-key-pair
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  issuerRef:
+    name: sandbox-ca-issuer
+    kind: Issuer
+    group: cert-manager.io
+  commonName: sandbox-ca
+  subject:
+    organizations:
+      - openkruise
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: sandbox-manager-ingress-cert
+  namespace: sandbox-system
+spec:
+  secretName: sandbox-manager-tls
+  duration: 2160h # 90 days
+  renewBefore: 360h # 15 days
+  subject:
+    organizations:
+      - openkruise
+  isCA: false
+  dnsNames:
+    - "*.your.domian.com"
+    - "your.domian.com"
+  issuerRef:
+    name: sandbox-signing-issuer
+    kind: Issuer
+    group: cert-manager.io