Introduction
cert-manager provides X.509 certificate management on Kubernetes.
Setup
Install
Install cert-manager on your cluster by following the instruction in the link below.
You can use following command: kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.11.0/cert-manager.yaml
Once started you should see the following 3 pods running:
$ kubectl get pods -n cert-manager NAME READY STATUS RESTARTS AGE cert-manager-5b65cb968c-d2zbv 1/1 Running 0 5h46m cert-manager-cainjector-56b88bcdf7-7gbj6 1/1 Running 0 5h46m cert-manager-webhook-c784c79c7-6d57m 1/1 Running 0 5h46m
Create Issuer
Create a cluster-issuer and a certificate/secret for the self signed root CA
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: selfsigned-rootca-cluster-issuer
spec:
selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: selfsigned-rootca
namespace: default
spec:
isCA: true
duration: 2160h # 90d
renewBefore: 360h # 15d
commonName: selfsigned-rootca
subject:
organizations:
- oran
organizationalUnits:
- oran
countries:
- Ireland
localities:
- Dublin
streetAddresses:
- Main Street
secretName: cm-cluster-issuer-rootca-secret
privateKey:
rotationPolicy: Always
algorithm: RSA
encoding: PKCS1
size: 2048
issuerRef:
name: selfsigned-rootca-cluster-issuer
kind: ClusterIssuer
group: cert-manager.io
dnsNames:
- localhost
- minikube
ipAddresses:
- 127.0.0.1
- 192.168.49.2
emailAddresses:
- ca@mail.com
Create an issuer for the self signed root CA
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: cm-ca-issuer
namespace: default
spec:
ca:
secretName: cm-cluster-issuer-rootca-secret
Create Certificate
Create a server key/certificate/keystore/truststore
apiVersion: v1
kind: Secret
metadata:
name: cm-keycloak-jwk-pw
namespace: default
type: Opaque
data:
password: Y2hhbmdlaXQ=
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: keycloak-server-cert
namespace: default
spec:
secretName: cm-keycloak-server-certs
duration: 2160h # 90d
renewBefore: 360h # 15d
subject:
organizations:
- oran
organizationalUnits:
- oran
countries:
- IE
localities:
- Dublin
streetAddresses:
- Main Street
commonName: keycloak
isCA: false
keystores:
jks:
create: true
passwordSecretRef:
name: cm-keycloak-jwk-pw
key: password
privateKey:
algorithm: RSA
encoding: PKCS1
size: 2048
usages:
- server auth
dnsNames:
- keycloak.default
- keycloak
- keycloak.est.tech
emailAddresses:
- server@mail.com
issuerRef:
name: cm-ca-issuer
kind: Issuer
group: cert-manager.io
This certificate creates a secret "cm-keycloak-server-certs" containing 5 data items: tls.key (private key), tls.crt (Corresponding certificate), ca.crt (CA certificate), keystore.jks (keystore) and truststore.jks (truststore)
The keystore and truststore can be used to start keycloak over https.
Create a client key/certificate
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: keycloak-client-cert
namespace: default
spec:
secretName:
duration: 2160h # 90d
renewBefore: 360h # 15d
subject:
organizations:
- oran
organizationalUnits:
- oran
countries:
- IE
localities:
- Dublin
streetAddresses:
- Main Street
commonName: keycloak
isCA: false
privateKey:
algorithm: RSA
encoding: PKCS1
size: 2048
usages:
- client auth
dnsNames:
- keycloak.default
- keycloak
- keycloak.est.tech
emailAddresses:
- client@mail.com
issuerRef:
name: cm-ca-issuer
kind: Issuer
group: cert-manager.io
This certificate creates a secret "cm-keycloak-client-certs" containing 3 data items: tls.key (private key), tls.crt (Corresponding certificate) and ca.crt (CA certificate)
These certs can be used to communicate with the keycloak server over https.
Note: email addresses appear in the subject's alternative name rather than the distinguished name
CA injector
cainjector is used to configure the CA certificates for Mutating Webhooks - see link below.