
[Feature Request] generate TLS certificates using cert-manager#663

Closed
luismacosta wants to merge 20 commits intotemporalio:mainfrom
luismacosta:certificates

Conversation

@luismacosta
Contributor

@luismacosta luismacosta commented Mar 11, 2025

What was changed

Add certificates.yaml + secret.yaml to templates
Add README.md

Why?

generate certificates using cert-manager

How was this tested

  • Deployed cert-manager helm-chart
  • Deployed temporal helm chart, 0.57.0, using temporal/charts/temporal/tests/certificates.yaml as values.yaml, with my own tls.crt + tls.key

Cert-manager will:

  • Use the temporal-issuer (which refers to the CA).
  • Ask the CA (from the tls-certs secret) to sign a new certificate.
  • Create the temporal-tls-certs secret in the same namespace — this secret will contain:
    • tls.crt: the signed certificate
    • tls.key: the private key
    • Optionally, ca.crt: the CA certificate (if configured)
➜  ~ kubectl get secret -n temporal

NAME                          TYPE                   DATA       AGE
temporal-tls-certs            kubernetes.io/tls      3          3h38m
tls-certs                     Opaque                 2          153m


➜  ~ kubectl get certificate  -n temporal

NAME                READY          SECRET                       AGE
temporal-cert       True           temporal-tls-certs           5h35m


➜  ~ kubectl get certificaterequests  -n temporal-data

NAME              APPROVED   DENIED   READY   ISSUER            REQUESTER                                                                      AGE
temporal-cert-1   True                True    temporal-issuer   system:serviceaccount:cert-manager:test-cert-manager  5h

@robholland Can you please review? Thanks

Signed-off-by: luis.costa <luis.costa@talkdesk.com>
@luismacosta luismacosta changed the title generate certificates using cert-manager [helm-charts] generate certificates using cert-manager Mar 16, 2025
@luismacosta luismacosta changed the title [helm-charts] generate certificates using cert-manager [Feature Request] generate certificates using cert-manager Mar 16, 2025
@luismacosta luismacosta changed the title [Feature Request] generate certificates using cert-manager [Feature Request] generate TLS certificates using cert-manager Mar 16, 2025
Contributor

@tomwheeler tomwheeler left a comment


I have no prior experience with cert-manager, and while I was able to deploy that into Kubernetes, it will take me some time to read through its documentation and learn how to generate certificates. As I was waiting on my deployment to come online, I read through the code and found a few typos, for which I have provided suggestions.

I'll need to do a more detailed review, but these typos will need to be fixed so I wanted to point them out now.

luismacosta and others added 5 commits April 8, 2025 09:14
Co-authored-by: Tom Wheeler <tom@temporal.io>
@luismacosta luismacosta requested a review from tomwheeler April 8, 2025 08:21
@luismacosta
Contributor Author

> I have no prior experience with cert-manager, and while I was able to deploy that into Kubernetes, it will take me some time to read through its documentation and learn how to generate certificates. As I was waiting on my deployment to come online, I read through the code and found a few typos, for which I have provided suggestions.
>
> I'll need to do a more detailed review, but these typos will need to be fixed so I wanted to point them out now.

Thanks Tom.
Typos corrected.

@luiscosta18

Hello @PhillypHenning @robholland @tomwheeler

Can you please review and merge if everything looks good to you? Thanks.

@spanktar

Having just gone through the process of creating certs and CAs for Temporal, this is a welcome piece of work. Thanks @luismacosta! Can you elaborate a little on what isCA is doing here?

@luiscosta18

> Having just gone through the process of creating certs and CAs for Temporal, this is a welcome piece of work. Thanks @luismacosta! Can you elaborate a little on what isCA is doing here?

isCA: true
The resulting certificate will have the CA bit set in its extensions (BasicConstraints: CA:TRUE).
This means the certificate can be used to sign and issue other certificates. Essentially, it becomes a root or intermediate CA certificate.

isCA: false (default)
The certificate is treated as a leaf/end-entity certificate, used for things like securing HTTPS connections (TLS), client authentication, etc. It cannot sign other certificates.
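The two points made in this thread (the PR description's "ask the CA to sign a new certificate" flow and the isCA explanation just above) can be checked directly against a parsed certificate. The following Go program is an added example, not code from this PR or from the chart; it uses only the standard library crypto/x509 package and constructs its own throwaway keys and certificates (the names demo-root-ca, temporal-frontend and signed-by-leaf are made up for the demo). It builds a root with CA:TRUE, issues an end-entity certificate with CA:FALSE from it, then deliberately signs a third certificate with the end-entity key and shows that creation succeeds but chain verification, which is what a TLS peer performs, rejects the non-CA issuer.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hierarchy holds the constructed demo certificates: Root (CA:TRUE), Leaf
// (CA:FALSE, signed by Root) and Child, signed with the Leaf's key to show
// that a non-CA certificate cannot act as an issuer.
type Hierarchy struct {
	Root, Leaf, Child *x509.Certificate
}

var serial int64

// newTemplate builds a certificate template; isCA maps onto the
// BasicConstraints extension exactly as cert-manager's isCA field does.
func newTemplate(cn string, isCA bool) *x509.Certificate {
	serial++
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, // emit the BasicConstraints extension
		IsCA:                  isCA, // CA:TRUE or CA:FALSE inside it
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue generates a fresh P-256 key for tmpl and signs it with parentKey.
// When parent is nil the certificate is self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// CanIssue reports whether a parsed certificate carries CA:TRUE, i.e. what
// cert-manager produces for isCA: true.
func CanIssue(c *x509.Certificate) bool {
	return c.BasicConstraintsValid && c.IsCA
}

// BuildHierarchy constructs the three demo certificates (constructed for the
// example, not real PKI material).
func BuildHierarchy() (*Hierarchy, error) {
	root, rootKey, err := issue(newTemplate("demo-root-ca", true), nil, nil)
	if err != nil {
		return nil, err
	}
	leaf, leafKey, err := issue(newTemplate("temporal-frontend", false), root, rootKey)
	if err != nil {
		return nil, err
	}
	// Signing with a non-CA key succeeds at creation time; the problem only
	// surfaces when a verifier walks the chain.
	child, _, err := issue(newTemplate("signed-by-leaf", false), leaf, leafKey)
	if err != nil {
		return nil, err
	}
	return &Hierarchy{Root: root, Leaf: leaf, Child: child}, nil
}

// VerifyChain mirrors what a TLS peer does: root is trusted, intermediate
// (may be nil) is offered by the peer, and cert must chain to root.
func VerifyChain(cert, intermediate, root *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	inters := x509.NewCertPool()
	if intermediate != nil {
		inters.AddCert(intermediate)
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err
}

func main() {
	h, err := BuildHierarchy()
	if err != nil {
		panic(err)
	}
	fmt.Printf("root CanIssue=%v, leaf CanIssue=%v\n", CanIssue(h.Root), CanIssue(h.Leaf))
	fmt.Println("leaf -> root verifies, err =", VerifyChain(h.Leaf, nil, h.Root))
	fmt.Println("child -> leaf -> root verifies, err =", VerifyChain(h.Child, h.Leaf, h.Root))
}
```

The same CanIssue check can be run against the tls.crt extracted from the temporal-tls-certs secret to confirm it carries CA:FALSE, which is the value the chart's leaf Certificate should produce; if it unexpectedly reads CA:TRUE, the isCA field in the Certificate resource is the first place to look.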

@robholland
Contributor

Hey @luiscosta18 we're ready to revive this now, sorry for the long delay. Please could you update this to the latest main. Please remove the README which isn't relevant to the certs feature.

@robholland robholland self-assigned this Dec 18, 2025
@robholland robholland added the needs revision Team has requested some changes label Dec 18, 2025
@luiscosta18

luiscosta18 commented Dec 21, 2025

Hello @robholland @tomwheeler @PhillypHenning

Please close this PR.
I've created a new one #820
Thanks

@robholland robholland closed this Jan 7, 2026