You can have cert-manager deployed in a cluster and use Akeyless Certificate Automation to generate certificates.
To do so, you first need to install cert-manager custom resource definitions for your cluster to support using cert-manager.
Once cert-manager is installed and running in your K8s cluster, you’ll need to create the following three K8s objects to work with the producer:
Secret - The credentials to your Akeyless account.
Issuer - The name of your Certificate Automation producer.
Certificate(s) - Certificates created based on your previously created Issuer.
The following Authentication Methods are supported:
The Secret object allows cert-manager to connect to Akeyless:
```yaml
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: my-secret
data:
  token: "cC04Y2l0eelfkjsfijlskjfklsflfskdfjlkfkzRVk9"
```
The token in the Secret object is expected to be a base64 encoding of an API KEY used to access Akeyless in the following format:
```shell
# format: access_id..access_key, base64-encoded
echo access_id..access_key | base64
# e.g.
echo p-ab1234567890..abc************xyz | base64 -w 0
# => cC1hYjEyMzQ1Njc4OTAuLmFiYyoqKioqKioqKioqKnh5ego=
```
The API Key token should be a concatenation of your access_id and access_key, with double dots as the delimiter.
Make sure this Authentication method is set with the appropriate RBAC in Akeyless, to grant access to your dynamic secret.
The path in the YAML should always start with the prefix pki/sign/ prior to the item path in Akeyless.
The Issuer object is what allows cert-manager to call Akeyless with the appropriate producer.
```yaml
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: my-issuer
spec:
  vault:
    path: pki/sign/my-cert-automation-producer
    server: http://my-akeyless-gw.example.company.com:8200
    auth:
      tokenSecretRef:
        name: my-secret
        key: token
```
my-cert-automation-producer under the Path field is the name of the producer in Akeyless (it can also be a full path, where the producer is inside a folder, i.e.,
The Server key holds the target Akeyless GW in your local environment where the Certificate Automation producer has been created, port 8200 is required.
The tokenSecretRef key is a reference to the previously created secret for credentials.
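A small pre-apply check for the Secret and Issuer pair described above, as an added example that is not Akeyless's or cert-manager's own code. It builds the two manifests as plain dicts (the names my-secret and my-issuer, and the sample credentials, are constructed placeholders) and flags the constraints the page states: the token must decode to access_id..access_key, the path must start with pki/sign/, the server must use port 8200, and tokenSecretRef must point at the Secret's token key.

```python
import base64
import re
from urllib.parse import urlparse

# Constructed placeholder credentials; not real Akeyless values.
ACCESS_ID = "p-ab1234567890"
ACCESS_KEY = "abc************xyz"


def build_token(access_id: str, access_key: str) -> str:
    """Encode 'access_id..access_key' as the base64 value for Secret.data.token."""
    return base64.b64encode(f"{access_id}..{access_key}".encode()).decode()


def build_manifests(access_id: str, access_key: str, producer: str, gw_host: str):
    """Return (Secret, Issuer) dicts shaped like the manifests on this page."""
    secret = {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
              "metadata": {"name": "my-secret"},
              "data": {"token": build_token(access_id, access_key)}}
    issuer = {"apiVersion": "cert-manager.io/v1", "kind": "Issuer",
              "metadata": {"name": "my-issuer"},
              "spec": {"vault": {
                  "path": f"pki/sign/{producer}",        # prefix required by Akeyless
                  "server": f"http://{gw_host}:8200",    # gateway, port 8200 required
                  "auth": {"tokenSecretRef": {"name": "my-secret", "key": "token"}}}}}
    return secret, issuer


def check_issuer(secret: dict, issuer: dict) -> list:
    """List the problems to fix before applying the Secret and Issuer."""
    problems = []
    vault = issuer["spec"]["vault"]
    if not vault["path"].startswith("pki/sign/"):
        problems.append("path must start with pki/sign/")
    if urlparse(vault["server"]).port != 8200:
        problems.append("server must use port 8200")
    ref = vault["auth"]["tokenSecretRef"]
    if ref["name"] != secret["metadata"]["name"] or ref["key"] not in secret["data"]:
        problems.append("tokenSecretRef does not point at the Secret's token key")
        return problems
    decoded = base64.b64decode(secret["data"][ref["key"]]).decode(errors="replace")
    # strip() tolerates the trailing newline that `echo` without -n encodes
    if not re.fullmatch(r"[^.\s]+\.\.\S+", decoded.strip()):
        problems.append("token does not decode to access_id..access_key")
    return problems
```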
Now that these two objects have been created, you can start issuing certificate requests to Akeyless.
The Certificate object is a certificate request to send to Akeyless.
```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: my-certificate
spec:
  commonName: cert-man.example.company.com
  dnsNames:
    - cert-man.example.company.com
  secretName: secret-my-certificate
  issuerRef:
    name: my-issuer
```
The keys are cert-manager related and there are no special keys required by Akeyless at this point. For more information see here.
When finished, validate that your Certificate has been issued with `kubectl get certificate my-certificate`:

```shell
$ kubectl get certificate my-certificate
NAME             READY   SECRET                  AGE
my-certificate   True    secret-my-certificate   1m
```
Your certificate information can be found at