feat(certificates): add self-signed CA and corresponding certificate

Adds a self-signed CA configuration and a certificate for the shiny organization. This change creates a Kubernetes Secret for the CA key pair and an Issuer that references this Secret. A Certificate resource is created to automate certificate provisioning for specified DNS names, improving the infrastructure's security and facilitating testing.
2025-12-10 07:46:52 +01:00
parent fd6dcca181
commit 57b1aef485
4 changed files with 118 additions and 1 deletions
@@ -0,0 +1,38 @@
+# Certificates
+
+This section contains the CA certificates used for testing.
+The only step necessary is to [install](#install-and-trust-the-CA) the CA.
+The rest of the documentation is for reference.
+
+## Setup
+
+First we generate a key for our CA certificate:
+
+```shell
+openssl genrsa -out local-ca.key 2048
+```
+
+Then generate the CA certificate:
+
+```shell
+openssl req -new -x509 -nodes -days 365000 \
+   -key local-ca.key \
+   -out local-ca.pem
+```
+
+Generate a k8s secret:
+
+```shell
+kubectl create secret generic ca-key-pair2 \
+  --from-literal=tls.crt="$(cat local-ca.pem)" \
+  --from-literal=tls.key="$(cat local-ca.key)"
+```
+
+The [certificates.yaml](../kind/certificates.yaml) contains the secrets already and wil be used by cert-manager
+to sign certificates.
+
+## Install and trust the CA
+
+```shell
+sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" local-ca.pem
+```