cert-manager PKI
Let's set up a quick and dirty PKI using cert-manager. Note that this is a lab setup: the root CA is self-signed and its private key lives in a plain Kubernetes Secret, so anyone who can read Secrets in the cert-manager namespace can mint certificates trusted by this PKI.
-
Install cert-manager:
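# Install cert-manager from the upstream Jetstack chart.
# The chart version is pinned so the install is reproducible and any upgrade
# is a deliberate change rather than a silent "latest". installCRDs=true lets
# the chart manage the CRDs, which needs cluster-admin-level rights.
# --create-namespace replaces a separate `kubectl create namespace`, so the
# step is idempotent (re-running it does not fail on an existing namespace).
helm repo add jetstack https://charts.jetstack.io
helm install cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --version v1.11.0 \
  --set installCRDs=true \
  --wait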
-
Create a SelfSigned ClusterIssuer:
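# Bootstrap issuer: a SelfSigned ClusterIssuer whose only job is to sign the
# root CA certificate created in the next step.
# Use the stable cert-manager.io/v1 API, as every other manifest on this page
# does: the v1alpha2 API version was removed from the cert-manager CRDs in
# 1.6, so v1.11.0 (installed above) would reject this object.
# The heredoc delimiter is quoted so the shell never expands anything inside.
cat <<'EOF' | kubectl apply -f -
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned
spec:
  selfSigned: {}
EOF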
-
Create the CA root certificate:
# Root CA: a self-signed CA certificate issued through the "selfsigned"
# ClusterIssuer. cert-manager stores the certificate and its private key in
# Secret "ca" in the cert-manager namespace; that Secret IS the PKI's trust
# anchor, so read access to it equals the ability to mint trusted certs.
# Quoted delimiter: the YAML is passed to kubectl verbatim, no shell expansion.
cat <<'EOF' | kubectl apply -f -
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: ca
  namespace: cert-manager
spec:
  isCA: true
  secretName: ca
  commonName: "lazybit.ch"
  dnsNames:
    - lazybit.ch
  subject:
    organizations:
      - lazybit.ch
  issuerRef:
    group: cert-manager.io
    kind: ClusterIssuer
    name: selfsigned
EOF
-
Create the CA issuer:
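# CA issuer: signs leaf certificates with the root CA created above.
# ClusterIssuer is cluster-scoped, so a metadata.namespace field is
# meaningless on it and has been dropped. The referenced Secret is looked
# up in cert-manager's "cluster resource namespace", which defaults to the
# namespace cert-manager runs in (cert-manager here) -- the same namespace
# the "ca" Secret was created in, which is why this reference resolves.
cat <<'EOF' | kubectl apply -f -
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: ca-issuer
spec:
  ca:
    secretName: ca
EOF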
-
Create the server certificate:
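# Server certificate for server.lazybit.ch, signed by the CA issuer.
# usages is set explicitly so the certificate carries a "server auth" EKU
# and cannot double as a client identity; this mirrors the client
# certificate, which is restricted to "client auth". Setting usages replaces
# cert-manager's defaults, so the default key usages are listed as well.
# rotationPolicy: Always generates a fresh private key on every renewal
# instead of re-using the old one.
cat <<'EOF' | kubectl apply -f -
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: tls-server
  namespace: default
spec:
  secretName: tls-server
  commonName: "server.lazybit.ch"
  dnsNames:
    - server.lazybit.ch
  subject:
    organizations:
      - lazybit.ch
  usages:
    - digital signature
    - key encipherment
    - server auth
  issuerRef:
    group: cert-manager.io
    kind: ClusterIssuer
    name: ca-issuer
  privateKey:
    rotationPolicy: Always
EOF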
-
Create the client certificate:
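# Client certificate for mutual TLS, signed by the same CA issuer.
# The original manifest reused the server's CN (server.lazybit.ch) for the
# client, so the two identities were indistinguishable by name and any
# CN-based authorization on the server side would accept the client as the
# server and vice versa. The client now has its own identity.
# usages replaces cert-manager's defaults entirely, so "digital signature"
# is listed alongside "client auth": a TLS client signs the handshake
# (CertificateVerify) with this key.
cat <<'EOF' | kubectl apply -f -
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: tls-client
  namespace: default
spec:
  secretName: tls-client
  commonName: client.lazybit.ch
  subject:
    organizations:
      - lazybit.ch
  usages:
    - digital signature
    - client auth
  issuerRef:
    group: cert-manager.io
    kind: ClusterIssuer
    name: ca-issuer
  privateKey:
    rotationPolicy: Always
EOF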