Introduction
cert-manager provides X.509 certificate management on Kubernetes.
Setup
Install
Install cert-manager on your cluster by following the instruction in the link below.
You can use following command: kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.11.0/cert-manager.yaml
Once started you should see the following 3 pods running:
$ kubectl get pods -n cert-manager NAME READY STATUS RESTARTS AGE cert-manager-5b65cb968c-d2zbv 1/1 Running 0 5h46m cert-manager-cainjector-56b88bcdf7-7gbj6 1/1 Running 0 5h46m cert-manager-webhook-c784c79c7-6d57m 1/1 Running 0 5h46m
Create Issuer
Create a cluster-issuer and a certificate/secret for the root CA
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: selfsigned-rootca-cluster-issuer
spec:
selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: selfsigned-rootca
namespace: default
spec:
isCA: true
duration: 2160h # 90d
renewBefore: 360h # 15d
commonName: selfsigned-rootca
subject:
organizations:
- oran
organizationalUnits:
- oran
countries:
- Ireland
localities:
- Dublin
streetAddresses:
- Main Street
secretName: cm-cluster-issuer-rootca-secret
privateKey:
rotationPolicy: Always
algorithm: RSA
encoding: PKCS1
size: 2048
issuerRef:
name: selfsigned-rootca-cluster-issuer
kind: ClusterIssuer
group: cert-manager.io
dnsNames:
- localhost
- minikube
ipAddresses:
- 127.0.0.1
- 192.168.49.2
emailAddresses:
- ca@mail.com
Create an issuer for the root CA
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: cm-ca-issuer
namespace: default
spec:
ca:
secretName: cm-cluster-issuer-rootca-secret
Create Certificate
Create a server key/certificate/keystore/truststore
apiVersion: v1
kind: Secret
metadata:
name: cm-keycloak-jwk-pw
namespace: default
type: Opaque
data:
password: Y2hhbmdlaXQ=
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: keycloak-server-cert
namespace: default
spec:
secretName: cm-keycloak-server-certs
duration: 2160h # 90d
renewBefore: 360h # 15d
subject:
organizations:
- oran
organizationalUnits:
- oran
countries:
- IE
localities:
- Dublin
streetAddresses:
- Main Street
commonName: keycloak
isCA: false
keystores:
jks:
create: true
passwordSecretRef:
name: cm-keycloak-jwk-pw
key: password
privateKey:
algorithm: RSA
encoding: PKCS1
size: 2048
usages:
- server auth
dnsNames:
- keycloak.default
- keycloak
- keycloak.est.tech
emailAddresses:
- server@mail.com
issuerRef:
name: cm-ca-issuer
kind: Issuer
group: cert-manager.io
his certificate creates a secret "cm-keycloak-server-certs" containing 5 data items: tls.key (private key), tls.crt (Corresponding certificate), ca.crt (CA certificate), keystore.jks (keystore) and truststore.jks (truststore)
The keystore and truststore can be used to start keycloak over https.
Create a client key/certificate
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: keycloak-client-cert
namespace: default
spec:
secretName:
duration: 2160h # 90d
renewBefore: 360h # 15d
subject:
organizations:
- oran
organizationalUnits:
- oran
countries:
- IE
localities:
- Dublin
streetAddresses:
- Main Street
commonName: keycloak
isCA: false
privateKey:
algorithm: RSA
encoding: PKCS1
size: 2048
usages:
- client auth
dnsNames:
- keycloak.default
- keycloak
- keycloak.est.tech
emailAddresses:
- client@mail.com
issuerRef:
name: cm-ca-issuer
kind: Issuer
group: cert-manager.io
This certificate creates a secret "cm-keycloak-client-certs" containing 3 data items: tls.key (private key), tls.crt (Corresponding certificate) and ca.crt (CA certificate)
These certs can be used to communicate with the keycloak server over https.
CA injector
cainjector is used to configure the CA certificates for Mutating Webhooks - see link below.