Introduction
cert-manager provides X.509 certificate management on Kubernetes.
Setup
Install
Install cert-manager on your cluster by following the instructions in the link below.
You can use the following command:
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.11.0/cert-manager.yaml
Once started, you should see the following 3 pods running:
$ kubectl get pods -n cert-manager
NAME                                       READY   STATUS    RESTARTS   AGE
cert-manager-5b65cb968c-d2zbv              1/1     Running   0          5h46m
cert-manager-cainjector-56b88bcdf7-7gbj6   1/1     Running   0          5h46m
cert-manager-webhook-c784c79c7-6d57m       1/1     Running   0          5h46m
Create Issuer
Create a cluster-issuer and a certificate/secret for the root CA
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-rootca-cluster-issuer
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: selfsigned-rootca
  namespace: default
spec:
  isCA: true
  duration: 2160h # 90d
  renewBefore: 360h # 15d
  commonName: selfsigned-rootca
  subject:
    organizations:
      - oran
    organizationalUnits:
      - oran
    countries:
      - Ireland
    localities:
      - Dublin
    streetAddresses:
      - Main Street
  secretName: cm-cluster-issuer-rootca-secret
  privateKey:
    rotationPolicy: Always
    algorithm: RSA
    encoding: PKCS1
    size: 2048
  issuerRef:
    name: selfsigned-rootca-cluster-issuer
    kind: ClusterIssuer
    group: cert-manager.io
  dnsNames:
    - localhost
    - minikube
  ipAddresses:
    - 127.0.0.1
    - 192.168.49.2
  emailAddresses:
    - ca@mail.com
Create a CA issuer backed by the root CA's secret
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: cm-ca-issuer
  namespace: default
spec:
  ca:
    secretName: cm-cluster-issuer-rootca-secret
Create Certificate
Create a server key/certificate/keystore/truststore
apiVersion: v1
kind: Secret
metadata:
  name: cm-keycloak-jwk-pw
  namespace: default
type: Opaque
data:
  password: Y2hhbmdlaXQ=
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: keycloak-server-cert
  namespace: default
spec:
  secretName: cm-keycloak-server-certs
  duration: 2160h # 90d
  renewBefore: 360h # 15d
  subject:
    organizations:
      - oran
    organizationalUnits:
      - oran
    countries:
      - IE
    localities:
      - Dublin
    streetAddresses:
      - Main Street
  commonName: keycloak
  isCA: false
  keystores:
    jks:
      create: true
      passwordSecretRef:
        name: cm-keycloak-jwk-pw
        key: password
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 2048
  usages:
    - server auth
  dnsNames:
    - keycloak.default
    - keycloak
    - keycloak.est.tech
  emailAddresses:
    - server@mail.com
  issuerRef:
    name: cm-ca-issuer
    kind: Issuer
    group: cert-manager.io
This certificate creates a secret "cm-keycloak-server-certs" containing 5 data items: tls.key (private key), tls.crt (the corresponding certificate), ca.crt (CA certificate), keystore.jks (keystore holding the private key and certificate) and truststore.jks (truststore holding the CA certificate). The two JKS files are generated because of keystores.jks.create: true and are protected with the password taken from the cm-keycloak-jwk-pw secret.
The keystore and truststore can be used to start Keycloak over HTTPS.
Create a client key/certificate
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: keycloak-client-cert
  namespace: default
spec:
  secretName: cm-keycloak-client-certs
  duration: 2160h # 90d
  renewBefore: 360h # 15d
  subject:
    organizations:
      - oran
    organizationalUnits:
      - oran
    countries:
      - IE
    localities:
      - Dublin
    streetAddresses:
      - Main Street
  commonName: keycloak
  isCA: false
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 2048
  usages:
    - client auth
  dnsNames:
    - keycloak.default
    - keycloak
    - keycloak.est.tech
  emailAddresses:
    - client@mail.com
  issuerRef:
    name: cm-ca-issuer
    kind: Issuer
    group: cert-manager.io
This certificate creates a secret "cm-keycloak-client-certs" containing 3 data items: tls.key (private key), tls.crt (the corresponding certificate) and ca.crt (CA certificate).
These certs can be used to communicate with the keycloak server over https.
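The three Certificate resources above form one chain: a self-signed root, a CA Issuer reading the root's secret, and two leaves whose usages differ only in "server auth" versus "client auth". The following Go program is an added example, not part of this page and not cert-manager's own code: it rebuilds the same chain with the Go standard library (key size, lifetime, subject, usages and the keycloak SANs are copied from the manifests; the root's own SANs and the email SANs are left out, and the country is IE as in the leaf manifests) and shows the three checks worth running on the tls.crt and ca.crt data items once the secrets exist: that tls.crt chains to ca.crt, that the certificate carries the extended key usage its role needs, and that a server certificate names the host clients will connect to. The names Issued, NewRootCA, NewLeaf and Verify are this example's own.

```go
package main

// Added example, not cert-manager's code: models in plain Go what the manifests
// on this page ask cert-manager to issue (self-signed root CA, server cert, client
// cert) and the checks worth running on the tls.crt / ca.crt data items afterwards.

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Issued is what one Certificate resource ends up with in its secret.
type Issued struct {
	Cert   *x509.Certificate
	Key    *rsa.PrivateKey
	CrtPEM []byte // the tls.crt data item (ca.crt for the root)
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue builds a certificate with the "subject:" block and 2160h lifetime shared by all
// three manifests, lets fill add the per-manifest fields, then signs it with parent.
// A nil parent means self-signed, which is what the selfSigned ClusterIssuer does.
func issue(cn string, parent *x509.Certificate, parentKey *rsa.PrivateKey, fill func(*x509.Certificate)) *Issued {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject: pkix.Name{CommonName: cn, Organization: []string{"oran"}, OrganizationalUnit: []string{"oran"},
			Country: []string{"IE"}, Locality: []string{"Dublin"}, StreetAddress: []string{"Main Street"}},
		NotBefore:             time.Now().Add(-time.Minute),     // small clock-skew allowance
		NotAfter:              time.Now().Add(2160 * time.Hour), // duration: 2160h (90d)
		BasicConstraintsValid: true,
	}
	fill(tmpl)
	key, err := rsa.GenerateKey(rand.Reader, 2048) // privateKey: algorithm RSA, size 2048
	check(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return &Issued{Cert: cert, Key: key, CrtPEM: pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})}
}

// NewRootCA mirrors the selfsigned-rootca Certificate (isCA: true).
func NewRootCA() *Issued {
	return issue("selfsigned-rootca", nil, nil, func(t *x509.Certificate) {
		t.IsCA = true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	})
}

// NewLeaf mirrors keycloak-server-cert / keycloak-client-cert as issued by cm-ca-issuer;
// usage is x509.ExtKeyUsageServerAuth ("server auth") or x509.ExtKeyUsageClientAuth ("client auth").
func NewLeaf(ca *Issued, usage x509.ExtKeyUsage) *Issued {
	return issue("keycloak", ca.Cert, ca.Key, func(t *x509.Certificate) {
		t.KeyUsage = x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment
		t.ExtKeyUsage = []x509.ExtKeyUsage{usage}
		t.DNSNames = []string{"keycloak.default", "keycloak", "keycloak.est.tech"}
	})
}

// Verify asks what a consumer of the secret should ask: does tls.crt chain to ca.crt,
// is it allowed for the intended role, and (when host is non-empty) does it name the host?
func Verify(crtPEM, caPEM []byte, usage x509.ExtKeyUsage, host string) error {
	block, _ := pem.Decode(crtPEM)
	if block == nil {
		return errors.New("tls.crt is not PEM")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caPEM) {
		return errors.New("ca.crt holds no parsable certificate")
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, KeyUsages: []x509.ExtKeyUsage{usage}})
	return err
}

func main() {
	ca := NewRootCA()
	fmt.Println("server cert as server:", Verify(NewLeaf(ca, x509.ExtKeyUsageServerAuth).CrtPEM, ca.CrtPEM, x509.ExtKeyUsageServerAuth, "keycloak.default")) // nil
	fmt.Println("client cert as server:", Verify(NewLeaf(ca, x509.ExtKeyUsageClientAuth).CrtPEM, ca.CrtPEM, x509.ExtKeyUsageServerAuth, "keycloak"))       // key usage error
}
```

The second line printed by main is the point of the separate usages values: a certificate issued with only "client auth" is rejected when presented as a server certificate, so the client secret cannot be reused to impersonate the Keycloak endpoint even though it chains to the same root. To run Verify against the real secrets, decode the data items first, e.g. kubectl get secret cm-keycloak-server-certs -o jsonpath='{.data.tls\.crt}' | base64 -d > tls.crt (and the same for ca.crt), then pass the file contents to Verify with the host name clients actually use.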
CA injector
cainjector is used to configure the CA certificates for Mutating Webhooks - see link below.