Cert Manager
Using cert-manager with Akeyless Certificate Automation
You can have cert-manager deployed in a cluster and use Akeyless Certificate Automation to generate certificates.
To do so, you first need to install cert-manager custom resource definitions for your cluster to support using cert-manager.
Once cert-manager is installed and running in your cluster, you’ll need to create at least 3 objects to work with the producer:
Secret - The credentials to your Akeyless account.
Issuer - The name of your Certificate Automation producer.
Certificate(s) - Certificates created based on your previously created Issuer.
The Secret object allows cert-manager to connect to Akeyless:
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: my-secret
data:
  token: "cC04Y2l0eelfkjsfijlskjfklsflfskdfjlkfkzRVk9"
The token in the Secret object is expected to be the base64 encoding of an API Key used to access Akeyless, in the following format:
access_id..access_key | base64
# e.g.
echo p-ab1234567890..abc************xyz | base64 -w 0 # => cC1hYjEyMzQ1Njc4OTAuLmFiYyoqKioqKioqKioqKnh5ego=
Note:
The API Key token should be a concatenation of your access_id and your access_key, with double dots (..) as the delimiter. Make sure this authentication method is set with the appropriate RBAC in Akeyless, to grant access to your dynamic secret.
The path should always start with pki/sign before the real path inside Akeyless.
The Issuer object is what allows cert-manager to call Akeyless with the appropriate producer.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: my-issuer
spec:
  vault:
    path: pki/sign/my-cert-automation-producer
    server: http://my-akeyless-gw.example.company.com:8200
    auth:
      tokenSecretRef:
        name: my-secret
        key: token
The my-cert-automation-producer under the path key is the name of the producer (it can also be a name inside a folder, e.g. folder/my-cert-automation-producer).
The server key holds the target Akeyless GW in your local environment where the Certificate Automation producer has been created; port 8200 is required.
The tokenSecretRef key is a reference to the previously created Secret holding the credentials.
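The Secret token format and the Issuer constraints described above (pki/sign prefix, port 8200, a tokenSecretRef that points at an existing Secret key) are easy to get subtly wrong before anything reaches Akeyless. The following is an added example, not code from the Akeyless or cert-manager projects: it encodes a token the way the page describes and lints a Secret/Issuer pair parsed into plain dicts (assumed to come from `yaml.safe_load` or similar), catching the trailing newline that `echo` without `-n` leaves in the encoded credential.

```python
import base64
import binascii
from urllib.parse import urlparse

PATH_PREFIX = "pki/sign/"  # Issuer spec.vault.path must start with this
GW_PORT = 8200             # Akeyless GW port the Issuer server URL must target


def encode_token(access_id: str, access_key: str) -> str:
    """Build Secret.data.token: base64(access_id..access_key), no trailing newline."""
    if not access_id or not access_key or ".." in access_id:
        raise ValueError("access_id and access_key must be non-empty; access_id may not contain '..'")
    if access_id != access_id.strip() or access_key != access_key.strip():
        raise ValueError("strip whitespace/newlines from the credentials before encoding")
    return base64.b64encode(f"{access_id}..{access_key}".encode()).decode()


def check_token(b64_token: str) -> list[str]:
    """Lint a Secret.data.token value; returns the problems found (empty list means OK)."""
    try:
        raw = base64.b64decode(b64_token, validate=True).decode()
    except (binascii.Error, UnicodeDecodeError):
        return ["token is not valid base64"]
    problems = []
    if raw.endswith("\n"):  # `echo` without -n appends one; use printf or echo -n
        problems.append("token ends with a newline")
        raw = raw.rstrip("\r\n")
    access_id, sep, access_key = raw.partition("..")
    if not sep or not access_id or not access_key:
        problems.append("token must decode to access_id..access_key")
    return problems


def check_issuer(issuer: dict, secret: dict) -> list[str]:
    """Cross-check an Issuer manifest (as a dict) against the Secret it references."""
    vault = issuer.get("spec", {}).get("vault", {})
    problems = []
    path = vault.get("path", "")
    if not path.startswith(PATH_PREFIX) or len(path) == len(PATH_PREFIX):
        problems.append(f"path must be {PATH_PREFIX}<producer-name>")
    if urlparse(vault.get("server", "")).port != GW_PORT:
        problems.append(f"server must use port {GW_PORT}")
    ref = vault.get("auth", {}).get("tokenSecretRef", {})
    if ref.get("name") != secret.get("metadata", {}).get("name"):
        problems.append("tokenSecretRef.name does not match the Secret's metadata.name")
    elif ref.get("key") not in secret.get("data", {}):
        problems.append("tokenSecretRef.key is not a key in the Secret's data")
    else:
        problems += check_token(secret["data"][ref["key"]])
    return problems
```

Running `check_token` on the page's own `echo` example reports the trailing newline, which is why `printf '%s..%s' "$id" "$key" | base64 -w 0` is the safer way to produce the value.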
Now that these two objects have been created, you can start issuing certificate requests to Akeyless.
The Certificate object is a certificate request sent to Akeyless.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: my-certificate
spec:
  commonName: cert-man.example.company.com
  dnsNames:
    - cert-man.example.company.com
  secretName: secret-my-certificate
  issuerRef:
    name: my-issuer
These keys are standard cert-manager keys; Akeyless requires no special keys at this point. For more information see https://cert-manager.io/docs/concepts/certificate/
When finished, validate that your Certificate has been issued via kubectl get my-certificate:
$ kubectl get my-certificate
NAME             READY   SECRET                  AGE
my-certificate   True    secret-my-certificate   1m
Your certificate information can be found at secret-my-certificate.