...
You can use the following command:

```shell
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.11.0/cert-manager.yaml
```
Once started you should see the following 3 pods running:
```shell
$ kubectl get pods -n cert-manager
NAME                                       READY   STATUS    RESTARTS   AGE
cert-manager-5b65cb968c-d2zbv              1/1     Running   0          5h46m
cert-manager-cainjector-56b88bcdf7-7gbj6   1/1     Running   0          5h46m
cert-manager-webhook-c784c79c7-6d57m       1/1     Running   0          5h46m
```
Create Issuer
Create a cluster-issuer and a certificate/secret for the root CA
```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-rootca-cluster-issuer
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: selfsigned-rootca
  namespace: default
spec:
  isCA: true
  duration: 2160h # 90d
  renewBefore: 360h # 15d
  commonName: selfsigned-rootca
  subject:
    organizations:
      - oran
    organizationalUnits:
      - oran
    countries:
      - IE # ISO 3166-1 alpha-2 code (X.509 countryName is two letters); the original read "Ireland"
    localities:
      - Dublin
    streetAddresses:
      - Main Street
  secretName: cm-cluster-issuer-rootca-secret
  privateKey:
    rotationPolicy: Always
    algorithm: RSA
    encoding: PKCS1
    size: 2048
  issuerRef:
    name: selfsigned-rootca-cluster-issuer
    kind: ClusterIssuer
    group: cert-manager.io
  dnsNames:
    - localhost
    - minikube
  ipAddresses:
    - 127.0.0.1
    - 192.168.49.2
  emailAddresses:
    - ca@mail.com
```
Create an issuer for the root CA
```yaml
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: cm-ca-issuer
  namespace: default
spec:
  ca:
    secretName: cm-cluster-issuer-rootca-secret
```
Create Certificate
Create a server key/certificate/keystore/truststore
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: cm-keycloak-jwk-pw
  namespace: default
type: Opaque
data:
  password: Y2hhbmdlaXQ=   # base64 of "changeit", the keystore/truststore password
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: keycloak-server-cert
  namespace: default
spec:
  secretName: cm-keycloak-server-certs
  duration: 2160h # 90d
  renewBefore: 360h # 15d
  subject:
    organizations:
      - oran
    organizationalUnits:
      - oran
    countries:
      - IE
    localities:
      - Dublin
    streetAddresses:
      - Main Street
  commonName: keycloak
  isCA: false
  keystores:
    jks:
      create: true
      passwordSecretRef:
        name: cm-keycloak-jwk-pw
        key: password
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 2048
  usages:
    - server auth
  dnsNames:
    - keycloak.default
    - keycloak
    - keycloak.est.tech
  emailAddresses:
    - server@mail.com
  issuerRef:
    name: cm-ca-issuer
    kind: Issuer
    group: cert-manager.io
```
This certificate creates a secret "cm-keycloak-server-certs" containing 5 data items: tls.key (private key), tls.crt (corresponding certificate), ca.crt (CA certificate), keystore.jks (keystore) and truststore.jks (truststore).
The keystore and truststore can be used to start keycloak over https.
Create a client key/certificate
```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: keycloak-client-cert
  namespace: default
spec:
  secretName: cm-keycloak-client-certs   # was left empty on the page; the text below names this secret
  duration: 2160h # 90d
  renewBefore: 360h # 15d
  subject:
    organizations:
      - oran
    organizationalUnits:
      - oran
    countries:
      - IE
    localities:
      - Dublin
    streetAddresses:
      - Main Street
  commonName: keycloak
  isCA: false
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 2048
  usages:
    - client auth
  dnsNames:
    - keycloak.default
    - keycloak
    - keycloak.est.tech
  emailAddresses:
    - client@mail.com
  issuerRef:
    name: cm-ca-issuer
    kind: Issuer
    group: cert-manager.io
```
This certificate creates a secret "cm-keycloak-client-certs" containing 3 data items: tls.key (private key), tls.crt (corresponding certificate) and ca.crt (CA certificate).
These certs can be used to communicate with the Keycloak server over https.
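Before handing these secrets to Keycloak it is worth checking the manifests and the issued secrets against a small policy: the client manifest above originally shipped with an empty spec.secretName, the root CA manifest used a country name where X.509 expects a two-letter code, and the keystore password is Java's well-known default. The script below is an added example, not part of this page or of cert-manager; it takes the page's own manifests and secrets as Python dicts (the shape `kubectl get ... -o json` returns) and the thresholds and the list of default passwords are assumptions chosen for the example. It covers both the server and the client certificate sections.

```python
"""Policy checks for cert-manager Certificate manifests and the Secrets they produce.

Added example (not from the page or cert-manager). Inputs are dicts in the shape
of `kubectl get <kind> <name> -o json`; thresholds below are assumptions.
"""
import base64
import re

_HOURS = re.compile(r"^(\d+)h$")
# Assumption: a short list of passwords no keystore should ship with.
KNOWN_DEFAULT_PASSWORDS = {"changeit", "password", "secret"}


def hours(value):
    """Parse the 'NNNh' duration form the page uses ('2160h' -> 2160)."""
    m = _HOURS.match(str(value))
    if not m:
        raise ValueError(f"unsupported duration form: {value!r}")
    return int(m.group(1))


def lint_certificate(manifest, min_rsa_bits=2048):
    """Return a list of findings for one Certificate manifest (empty = passes)."""
    findings = []
    spec = manifest.get("spec", {})
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    if not spec.get("secretName"):
        findings.append(f"{name}: spec.secretName is empty, nothing will be stored")
    dur, renew = hours(spec.get("duration", "2160h")), hours(spec.get("renewBefore", "360h"))
    if renew >= dur:
        findings.append(f"{name}: renewBefore {renew}h is not shorter than duration {dur}h")
    key = spec.get("privateKey", {})
    if key.get("algorithm", "RSA") == "RSA" and int(key.get("size", 2048)) < min_rsa_bits:
        findings.append(f"{name}: RSA key size {key.get('size')} is below {min_rsa_bits}")
    for country in spec.get("subject", {}).get("countries", []):
        if not re.fullmatch(r"[A-Z]{2}", country):   # X.509 countryName is ISO 3166-1 alpha-2
            findings.append(f"{name}: country {country!r} is not an ISO 3166-1 alpha-2 code")
    usages = set(spec.get("usages", []))
    if not spec.get("isCA"):   # leaf certificate checks only
        if not usages & {"server auth", "client auth"}:
            findings.append(f"{name}: leaf declares neither server auth nor client auth")
        if "server auth" in usages and not (spec.get("dnsNames") or spec.get("ipAddresses")):
            findings.append(f"{name}: server auth without any dnsNames/ipAddresses")
    return findings


def keystore_password(secret, key="password"):
    """Decode the base64 password the keystores.jks.passwordSecretRef points at."""
    return base64.b64decode(secret["data"][key]).decode()


def lint_keystore_password(secret, key="password"):
    pw = keystore_password(secret, key)
    name = secret.get("metadata", {}).get("name", "<unnamed>")
    return [f"{name}: keystore password is a well-known default"] if pw in KNOWN_DEFAULT_PASSWORDS else []


def missing_secret_items(secret, expect_keystores):
    """Data keys cert-manager should have written but which are absent from the secret."""
    expected = {"tls.key", "tls.crt", "ca.crt"}
    if expect_keystores:
        expected |= {"keystore.jks", "truststore.jks"}
    return sorted(expected - set(secret.get("data", {})))


def _cert(name, secret_name, usages, is_ca=False, countries=("IE",)):
    """Build a manifest dict with the page's common fields (constructed sample input)."""
    return {"apiVersion": "cert-manager.io/v1", "kind": "Certificate",
            "metadata": {"name": name, "namespace": "default"},
            "spec": {"secretName": secret_name, "duration": "2160h", "renewBefore": "360h",
                     "subject": {"countries": list(countries)}, "commonName": "keycloak",
                     "isCA": is_ca, "privateKey": {"algorithm": "RSA", "encoding": "PKCS1", "size": 2048},
                     "usages": list(usages), "dnsNames": ["keycloak.default", "keycloak", "keycloak.est.tech"],
                     "issuerRef": {"name": "cm-ca-issuer", "kind": "Issuer", "group": "cert-manager.io"}}}


# Constructed inputs mirroring the page: the server manifest, the client manifest
# as it was published (empty secretName), and the root CA with "Ireland" as country.
SERVER_CERT = _cert("keycloak-server-cert", "cm-keycloak-server-certs", ["server auth"])
CLIENT_CERT_AS_PUBLISHED = _cert("keycloak-client-cert", "", ["client auth"])
ROOTCA_CERT = _cert("selfsigned-rootca", "cm-cluster-issuer-rootca-secret", [], is_ca=True,
                    countries=["Ireland"])
PASSWORD_SECRET = {"metadata": {"name": "cm-keycloak-jwk-pw"}, "data": {"password": "Y2hhbmdlaXQ="}}
SERVER_SECRET = {"metadata": {"name": "cm-keycloak-server-certs"},
                 "data": {k: "<base64 placeholder>" for k in
                          ("tls.key", "tls.crt", "ca.crt", "keystore.jks", "truststore.jks")}}

if __name__ == "__main__":
    for m in (SERVER_CERT, CLIENT_CERT_AS_PUBLISHED, ROOTCA_CERT):
        for f in lint_certificate(m):
            print("FINDING", f)
    for f in lint_keystore_password(PASSWORD_SECRET):
        print("FINDING", f)
    print("missing in server secret:", missing_secret_items(SERVER_SECRET, expect_keystores=True))
```

Run against a live cluster, the dicts would come from `kubectl get certificate <name> -o json` and `kubectl get secret <name> -o json`; the checks are deliberately on the manifest and secret metadata only, so they run without access to the private keys.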
CA injector
cainjector is used to configure the CA certificates for Mutating Webhooks - see link below.
Links
...