cert-manager PKI

Let's setup our quick and dirty PKI using cert-manager.

  1. Install cert-manager:

    helm repo add jetstack https://charts.jetstack.io
    kubectl create namespace cert-manager
    helm install --namespace cert-manager cert-manager \
        --version v1.11.0 \
        --set installCRDs=true \
        --wait \
        jetstack/cert-manager
    
  2. Create a SelfSigned ClusterIssuer:

    cat <<EOF |kubectl apply -f -
    apiVersion: cert-manager.io/v1alpha2
    kind: ClusterIssuer
    metadata:
      name: selfsigned
    spec:
      selfSigned: {}
    EOF
    
  3. Create the CA root certificate:

    cat <<EOF |kubectl apply -f -
    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: ca
      namespace: cert-manager
    spec:
      secretName: ca
      subject:
        organizations:
          - lazybit.ch
      isCA: true
      issuerRef:
        name: selfsigned
        kind: ClusterIssuer
        group: cert-manager.io
      commonName: "lazybit.ch"
      dnsNames:
      - lazybit.ch
    EOF
    
  4. Create the CA issuer:

    cat <<EOF |kubectl apply -f -
    apiVersion: cert-manager.io/v1
    kind: ClusterIssuer
    metadata:
      name: ca-issuer
      namespace: cert-manager
    spec:
      ca:
        secretName: ca
    EOF
    
  5. Create the server certificate:

    cat <<EOF |kubectl apply -f -
    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: tls-server
      namespace: default
    spec:
      secretName: tls-server
      subject:
        organizations:
          - lazybit.ch
      issuerRef:
        name: ca-issuer
        kind: ClusterIssuer
        group: cert-manager.io
      commonName: "server.lazybit.ch"
      dnsNames:
      - server.lazybit.ch
      privateKey:
        rotationPolicy: Always
    EOF
    
  6. Create the client certificate:

    cat <<EOF |kubectl apply -f -
    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: tls-client
      namespace: default
    spec:
      secretName: tls-client
      subject:
        organizations:
          - lazybit.ch
      commonName: server.lazybit.ch
      usages:
        - client auth
      issuerRef:
        name: ca-issuer
        kind: ClusterIssuer
        group: cert-manager.io
      privateKey:
        rotationPolicy: Always
    EOF